
Intrusion Attempt, AV disabled


  • This topic is locked
13 replies to this topic

#1 abc12345xyz

Posted 27 May 2009 - 04:55 AM

BACKGROUND SUMMARY:
On April 30, 2009, Norton AV 2005 blocked an intrusion attempt (first it was attacked on port 55104 and after that on port 57935). Hence I was asked by garmanma to scan with MBAM, Dr.Web CureIt and SAS, and also to run ATF Cleaner and Disk Cleanup. Reports/logs and full details can be found at this link: http://www.bleepingcomputer.com/forums/t/223420/intrusion-attempt-blocked/

According to my understanding, no serious threat/virus was found on my machine by garmanma and quietman7. But now whenever I start my computer, Norton AV is disabled, even though the following two options are already check-marked:
(1) Enable Auto Protect (recommended)
(2) Start Auto Protect when windows starts up (recommended)

Hence, I was asked to post the Pseudo HJT Report created by DDS.

DDS Report:
DDS (Ver_09-05-14.01) - NTFSx86
Run by user at 12:46:14.96 on Tue 05/26/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.232 [GMT -4:00]

AV: Norton AntiVirus 2005 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\akl_svc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Athan\Athan.exe
C:\Program Files\Anti-keylogger\Anti-keylogger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [CeEKEY] c:\program files\toshiba\e-key\CeEKey.exe
mRun: []
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [TPNF] c:\program files\toshiba\touchpad\TPTray.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [ZoomingHook] ZoomingHook.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [HWSetup] c:\program files\toshiba\toshiba applet\HWSetup.exe hwSetUP
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [SVPWUTIL] c:\program files\toshiba\windows utilities\SVPWUTIL.exe SVPwUTIL
mRun: [LtMoh] c:\\program files\\ltmoh\\Ltmoh.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [TCtryIOHook] TCtrlIOHook.exe
mRun: [TFncKy] TFncKy.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer
mRun: [Athan] c:\program files\athan\Athan.exe
mRun: [Anti-keylogger] c:\program files\anti-keylogger\Anti-keylogger.exe /autorun
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
TCP: {9FC7E33C-DDDB-49A1-827C-AD210D8861BB} = 195.226.228.72 195.226.228.74
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\obng2qqp.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage -

============= SERVICES / DRIVERS ===============

R1 krnl_akl;krnl_akl;c:\windows\system32\drivers\krnl_akl.sys [2009-5-18 360448]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 72944]
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton antivirus\SAVRTPEL.SYS [2004-7-23 50312]
R2 akl_svc;Anti-keylogger Service;c:\windows\system32\akl_svc.exe [2008-12-26 59904]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2004-8-13 197992]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2004-8-13 181608]
R3 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton antivirus\NAVAPSVC.EXE [2004-8-17 177264]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090520.003\NAVENG.Sys [2006-5-26 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090520.003\NavEx15.Sys [2006-5-26 876144]
R3 SAVRT;SAVRT;c:\program files\norton antivirus\SAVRT.SYS [2004-7-23 338056]
R3 SAVScan;SAVScan;c:\program files\norton antivirus\SAVSCAN.EXE [2004-7-23 198368]
S2 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2004-8-18 67184]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2004-8-13 79208]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys --> c:\windows\system32\drivers\npf.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 7408]

=============== Created Last 30 ================

2009-05-23 10:42 --d----- c:\docume~1\user\applic~1\Xilisoft Corporation
2009-05-23 10:40 --d----- c:\program files\Xilisoft
2009-05-20 12:12 --d----- c:\program files\SUPERAntiSpyware
2009-05-20 12:12 --d----- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2009-05-19 12:59 --d----- c:\documents and settings\user\DoctorWeb
2009-05-19 10:57 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-19 10:57 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-19 10:56 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-18 12:36 360,448 a------- c:\windows\system32\drivers\krnl_akl.sys
2009-05-18 12:36 --d----- c:\program files\Anti-keylogger

==================== Find3M ====================

2009-03-12 11:36 3,452 a------- c:\windows\system32\tmp.reg

============= FINISH: 12:47:02.26 ===============


#2 Farbar

Posted 27 May 2009 - 05:44 AM

Hi abc12345xyz,

Welcome to the BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

I see from the DrWeb report that you have previously been infected with a Backdoor trojan and a password stealer trojan. They were in the Norton quarantine folder and also in the System Volume Information folder where the restore points are saved.

A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

If the infection is recent I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

It is possible that your PC is compromised and there is no way to be sure your computer can ever again be trusted. Some experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still try to find out if the machine could be cleaned but I can't guarantee that it will be 100% secure afterwards. If you decide to remove the possible infection please go on with the following steps.

Please tell me if you are living in Kuwait or if this is your ISP:

netname: AYJAMAL-NET
descr: Ahmad Yousef Jamal Company
address: Kuwait


#3 abc12345xyz

Posted 27 May 2009 - 06:54 AM

Yes, I reside in Kuwait, but I don't know why it is showing AYJAMAL-NET and Ahmad Yousef Jamal Company. I have dial-up internet from QualityNet. I really want to change all the passwords, but I don't know which computer to trust.

#4 Farbar

Posted 27 May 2009 - 08:02 AM

I have dial-up internet from QualityNet

QualityNet could be a smaller company that uses a part of the domains from the one I mentioned. I don't think it is unsafe, just wanted to make sure.

I really want to change all the passwords, but I don't know which computer to trust.

In any case not this one, and not right now. You may run DrWeb on one of the other computers (how many computers do you have?) and see if it detects any of the mentioned Trojans.

Your logs and the scan results don't show any running overt malware. We might have to do some scans to make sure of any hidden malware.
  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Posted Image


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

  • Also, after ComboFix has given you the log, please go to Start => Run, copy and paste the following text in the Run box and click OK:

    "C:\Qoobox\Add-Remove Programs.txt"

    A text file will open; copy and paste its content into your reply.


#5 abc12345xyz

Posted 28 May 2009 - 11:55 AM

QualityNet could be a smaller company that uses a part of the domains from the one I mentioned. I don't think it is unsafe, just wanted to make sure.

There are two main internet companies, QualityNet and Fasttelco, and one small company named KEMS. In fact QualityNet is the biggest among all (at least by name). My friends and I have never heard of that Ahmad Yousef Jamal Company. Anyway, I will check with QualityNet. As I mentioned, I have dial-up internet; I also want to mention that I use pre-paid internet cards, sometimes from QualityNet and sometimes from Fasttelco.

how many computers do you have?

At home, 2 laptops (1 my personal one, which is infected) and 1 desktop computer (the one I am using right now), and at my workplace I have my personal desktop computer (DSL). Sometimes I also used my friends' or other colleagues' computers. But from now on I will limit myself to my home computers and my personal computer at the workplace. I will run Dr.Web as soon as possible on all my home computers as well as on my workplace computer. I will let you know if there is anything wrong.

ComboFix:
I wasn't able to install the Microsoft Windows Recovery Console because of my slow internet connection. Tell me another way to download it, so that I can install it on my computer. I will use the workplace DSL. I have scanned the computer without installing it. Below is the report.

ComboFix.txt
ComboFix 09-05-26.05 - user 05/28/2009 10:46.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.67 [GMT -4:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-28 )))))))))))))))))))))))))))))))
.

2009-05-23 14:42 . 2009-05-23 14:42 -------- d-----w c:\documents and settings\user\Application Data\Xilisoft Corporation
2009-05-23 14:40 . 2009-05-23 14:40 -------- d-----w c:\program files\Xilisoft
2009-05-20 16:46 . 2009-05-20 17:10 117760 ----a-w c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-20 16:12 . 2009-05-20 16:12 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-20 16:12 . 2009-05-20 16:12 -------- d-----w c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2009-05-19 16:59 . 2009-05-19 16:59 -------- d-----w c:\documents and settings\user\DoctorWeb
2009-05-19 14:57 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-19 14:57 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-19 14:56 . 2009-05-19 14:57 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-18 16:36 . 2009-05-18 16:36 -------- d-----w c:\program files\Anti-keylogger
2009-05-18 16:36 . 2008-11-17 20:28 360448 ----a-w c:\windows\system32\drivers\krnl_akl.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-20 16:57 . 2005-12-18 17:06 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-20 16:11 . 2007-05-20 08:42 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-05 16:50 . 2006-05-27 02:23 -------- d-----w c:\documents and settings\user\Application Data\Skype
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2006-05-19 18577448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2005-08-26 671744]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2005-08-26 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 73728]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-07-15 1077322]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 65536]
"LtMoh"="c:\\Program Files\\ltmoh\\Ltmoh.exe" [2003-09-06 184320]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 58728]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2007-04-07 100056]
"Athan"="c:\program files\Athan\Athan.exe" [2005-09-12 937984]
"Anti-keylogger"="c:\program files\Anti-keylogger\Anti-keylogger.exe" [2008-11-17 436224]
"NDSTray.exe"="NDSTray.exe" [BU]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-06-01 282624]
"ZoomingHook"="ZoomingHook.exe" - c:\windows\system32\ZoomingHook.exe [2005-06-06 24576]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2004-12-21 88358]
"TCtryIOHook"="TCtrlIOHook.exe" - c:\windows\system32\TCtrlIOHook.exe [2005-08-22 28672]
"TFncKy"="TFncKy.exe" [BU]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Sawa2Call\\Dialer\\Resources\\iaxdialer.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 krnl_akl;krnl_akl;c:\windows\system32\drivers\krnl_akl.sys [5/18/2009 12:36 PM 360448]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
R2 akl_svc;Anti-keylogger Service;c:\windows\system32\akl_svc.exe [12/26/2008 1:20 PM 59904]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4CD4A9E5-A6F1-4316-6C66-2D7B10146137}]
c:\windows\system32\rundl32.exe
.
Contents of the 'Scheduled Tasks' folder

2007-04-21 c:\windows\Tasks\Norton AntiVirus - Scan my computer - user.job
- c:\progra~1\NORTON~1\Navw32.exe [2004-08-17 17:54]

2005-12-18 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-08-31 12:00]

2005-12-18 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-08-31 12:00]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\obng2qqp.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-28 10:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1836)
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Norton AntiVirus\IWP\NPFMNTOR.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\program files\ltmoh\ltmoh.exe
c:\program files\Apoint2K\ApntEx.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
c:\windows\system32\RAMASST.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-05-28 10:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-28 14:56

Pre-Run: 25,361,575,936 bytes free
Post-Run: 25,387,405,312 bytes free

175 --- E O F --- 2009-01-18 14:46


Add-Remove Programs
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.9
AiO_Scan
ALPS Touch Pad Driver
Anti-keylogger
Athan Basic 3.0
AutoUpdate
ccCommon
CD/DVD Drive Acoustic Silencer
DivX
DivX Player
DVD-RAM Driver
Enterprise
Hotfix for Windows XP (KB894871)
Hotfix for Windows XP (KB895200)
Hotfix for Windows XP (KB952287)
HP PSC & Officejet 4.2 Corporate Edition
Intel® Graphics Media Accelerator Driver for Mobile
Internet Worm Protection
InterVideo WinDVD Creator 2
InterVideo WinDVD for TOSHIBA
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 3
Java™ 6 Update 5
Java™ SE Runtime Environment 6 Update 1
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Office OneNote 2003
Microsoft Office Professional Edition 2003
Mozilla Firefox (3.0.10)
MSN
Norton AntiVirus 2005
Norton AntiVirus 2005 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton WMI Update
QFolder
RealPlayer
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
Sawa2Call Dialer
Scan
SD Secure Module
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Skype 2.0
Sonic DLA
Sonic RecordNow!
SPBBC
SUPERAntiSpyware Free Edition
Symantec
Symantec Network Drivers Update
Symantec Script Blocking Installer
SymNet
Texas Instruments PCIxx21/x515 drivers.
TIxx21/x515
TOSHIBA Accessibility
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Controls
TOSHIBA Fn-esse
TOSHIBA Hardware Setup
TOSHIBA Hotkey Utility
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
Toshiba Tbiosdrv Driver
TOSHIBA Virtual Sound
TOSHIBA Zooming Utility
Touch and Launch
TouchPad On/Off Utility
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Utility Common Driver
VideoLAN VLC media player 0.8.6h
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB884018
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893056
Windows XP Hotfix - KB893086
WinRAR archiver
Xilisoft MKV Converter
Yahoo! Messenger


There are some programs that I have marked in red. What are those? Are those safe? I have had this Toshiba laptop since Dec 2006. At that time it was very fast, but for the last 7-8 months it has slowed down. And I think there are a lot of unused and unnecessary programs in the taskbar that I don't even use (for example, TOSHIBA ConfigFree, Hotkey Utility, etc). Do I really need these to start Windows?

About Anti-Keylogger:
When the intrusion attempt was blocked by Norton, I installed this program. But I don't think it helped me in any way. Should I uninstall it?

#6 Farbar

    Just Curious

  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:30 PM

Posted 28 May 2009 - 04:50 PM

I don't see anything wrong with the programs you have mentioned. The anti-keylogger I don't know, and I don't believe it is doing much.
As you mentioned, there are a lot of programs running at startup. They are:

[U] uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
[N] uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
[N] uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
[N] mRun: [igfxtray] c:\windows\system32\igfxtray.exe
[U] mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
[N] mRun: [igfxpers] c:\windows\system32\igfxpers.exe
[U] mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
[N] mRun: [TPNF] c:\program files\toshiba\touchpad\TPTray.exe
[U] mRun: [NDSTray.exe] NDSTray.exe
[N] mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
[N] mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
[N] mRun: [TPSMain] TPSMain.exe
[N] mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
[N] mRun: [HWSetup] c:\program files\toshiba\toshiba applet\HWSetup.exe hwSetUP
[N] mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
[N] mRun: [SVPWUTIL] c:\program files\toshiba\windows utilities\SVPWUTIL.exe SVPwUTIL
[U] mRun: [LtMoh] c:\\program files\\ltmoh\\Ltmoh.exe
[Y] mRun: [AGRSMMSG] AGRSMMSG.exe
[U] mRun: [TCtryIOHook] TCtrlIOHook.exe
[U] mRun: [TFncKy] TFncKy.exe
[Y] mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
[U] mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer
[U] mRun: [Athan] c:\program files\athan\Athan.exe

N= Not required.
U= User choice
  • Close any open browsers.

    Open Notepad (Start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    DDS::
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
    mRun: [<NO NAME>] 
    SkipFix::

    Save this as CFScript.txt, in the same location as ComboFix.exe

    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ("C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java Runtime Environment (JRE)" JRE 6 Update 13.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java, that would be:

      J2SE Runtime Environment 5.0 Update 3
      J2SE Runtime Environment 5.0 Update 6
      J2SE Runtime Environment 5.0 Update 9
      Java™ 6 Update 3
      Java™ 6 Update 5
      Java™ SE Runtime Environment 6 Update 1

    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.

    -- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
    -- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.

    Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

  • Tell me how your computer is running.
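
The startup list in the post above is the kind of thing a helper reads by hand: which Run entries point at a real file, which are orphaned, and which cannot be verified from the log alone. As an added example (editor's code, not DDS, ComboFix or Farbar's), here is a small parser for that DDS "pseudo HJT" format. The sample log is constructed from lines that appear in this thread, with the helper's [N]/[U]/[Y] tags in front; all function names are the editor's, and the "bare file name" and "unquoted path with spaces" review heuristics are general Windows hardening checks, not something stated in the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the DDS "pseudo HJT" format used in this thread. The
# paths and the helper's review tags ([N]/[U]/[Y]) are copied from post #6;
# the lower-case [u] reproduces the forum's mangling of the first tag.
SAMPLE_LOG = r"""
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
[u] uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
[N] uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
[N] mRun: [igfxtray] c:\windows\system32\igfxtray.exe
[U] mRun: [NDSTray.exe] NDSTray.exe
[Y] mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
[U] mRun: [LtMoh] c:\\program files\\ltmoh\\Ltmoh.exe
mRun: [<NO NAME>]
"""

# "[tag] kind: rest" -- the tag is the helper's annotation, not DDS output
ENTRY_RE = re.compile(
    r"^(?:\[(?P<tag>[NUYnuy])\]\s+)?(?P<kind>uRun|mRun|BHO|TB):\s*(?P<rest>.*)$"
)
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
HIVE = {"uRun": "HKCU", "mRun": "HKLM"}   # DDS prefix -> Run key hive


@dataclass
class Entry:
    kind: str
    hive: Optional[str]      # HKCU/HKLM for Run values, None for BHO/TB
    name: str
    executable: Optional[str]
    tag: Optional[str]       # helper's N/U/Y annotation, if present
    finding: str             # "ok" or why a human should look at it


def executable_of(cmd: str):
    """Return (program, was_quoted) from a Run command line, or (None, False).
    DDS doubles backslashes in some entries (see LtMoh), so normalise first."""
    cmd = cmd.strip().replace("\\\\", "\\")
    if not cmd:
        return None, False
    if cmd.startswith('"'):
        close = cmd.find('"', 1)
        return (cmd[1:close] if close > 0 else cmd[1:]), True
    # Unquoted: grow the token run until it ends in .exe (paths with spaces)
    tokens = cmd.split()
    for i in range(len(tokens)):
        candidate = " ".join(tokens[: i + 1])
        if candidate.lower().endswith(".exe"):
            return candidate, False
    return tokens[0], False


def parse_line(line: str) -> Optional[Entry]:
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m["kind"], m["rest"]
    tag = m["tag"].upper() if m["tag"] else None
    if kind in ("BHO", "TB"):
        orphan = rest.rstrip().endswith("- No File")
        finding = "orphaned: registry entry for a file that is gone" if orphan else "ok"
        return Entry(kind, None, rest.split(" - ")[0].strip(), None, tag, finding)
    r = RUN_RE.match(rest)
    if not r:
        return Entry(kind, HIVE[kind], "?", None, tag, "unparsed Run value")
    name = r["name"]
    exe, quoted = executable_of(r["cmd"])
    if name == "<NO NAME>" or exe is None:
        finding = "empty or unnamed Run value"
    elif "\\" not in exe:
        finding = "bare file name: the log does not show which file on disk runs"
    elif not quoted and " " in exe:
        finding = "unquoted path with spaces: quote it so the intended file is unambiguous"
    else:
        finding = "ok"
    return Entry(kind, HIVE[kind], name, exe, tag, finding)


def triage(log: str) -> List[Entry]:
    return [e for e in map(parse_line, log.splitlines()) if e is not None]


def needs_review(log: str) -> List[Entry]:
    return [e for e in triage(log) if e.finding != "ok"]


def count_by_hive(entries: List[Entry]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in entries:
        if e.hive:
            counts[e.hive] = counts.get(e.hive, 0) + 1
    return counts


if __name__ == "__main__":
    for e in needs_review(SAMPLE_LOG):
        print(f"{e.kind:4} {e.hive or '-':4} {e.name:40} {e.finding}")
    print(count_by_hive(triage(SAMPLE_LOG)))
```

Running it on the sample flags exactly the three entries the CFScript above removes (the two "No File" BHO/TB entries and the unnamed mRun value) plus two that need a look by eye rather than a removal: NDSTray.exe, which is listed by bare file name, and LtMoh, whose path contains spaces but is not quoted. Everything the helper marked [Y] or [N] with a full quoted path comes back "ok", which is the point: the tool sorts, the human decides.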


#7 abc12345xyz

  • Topic Starter
  • Members
  • 75 posts
  • Gender:Male
  • Local time:06:30 AM

Posted 30 May 2009 - 11:19 AM

As you mentioned, there are a lot of programs running at startup. They are:

[U] uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
[N] uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
[N] uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
[N] mRun: [igfxtray] c:\windows\system32\igfxtray.exe
[U] mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
[N] mRun: [igfxpers] c:\windows\system32\igfxpers.exe
[U] mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
[N] mRun: [TPNF] c:\program files\toshiba\touchpad\TPTray.exe
[U] mRun: [NDSTray.exe] NDSTray.exe
[N] mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
[N] mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
[N] mRun: [TPSMain] TPSMain.exe
[N] mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
[N] mRun: [HWSetup] c:\program files\toshiba\toshiba applet\HWSetup.exe hwSetUP
[N] mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
[N] mRun: [SVPWUTIL] c:\program files\toshiba\windows utilities\SVPWUTIL.exe SVPwUTIL
[U] mRun: [LtMoh] c:\\program files\\ltmoh\\Ltmoh.exe
[Y] mRun: [AGRSMMSG] AGRSMMSG.exe
[U] mRun: [TCtryIOHook] TCtrlIOHook.exe
[U] mRun: [TFncKy] TFncKy.exe
[Y] mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
[U] mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer
[U] mRun: [Athan] c:\program files\athan\Athan.exe

N= Not required.
U= User choice

So how can I delete the above programs? Y= Yes, and means required?

Combo Log Report:
ComboFix 09-05-26.05 - user 05/30/2009 10:57.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.111 [GMT -4:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
AV: Norton AntiVirus 2005 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-30 )))))))))))))))))))))))))))))))
.

2009-05-23 14:42 . 2009-05-23 14:42 -------- d-----w c:\documents and settings\user\Application Data\Xilisoft Corporation
2009-05-23 14:40 . 2009-05-23 14:40 -------- d-----w c:\program files\Xilisoft
2009-05-20 16:46 . 2009-05-20 17:10 117760 ----a-w c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-20 16:12 . 2009-05-20 16:12 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-20 16:12 . 2009-05-20 16:12 -------- d-----w c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2009-05-19 16:59 . 2009-05-19 16:59 -------- d-----w c:\documents and settings\user\DoctorWeb
2009-05-19 14:57 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-19 14:57 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-19 14:56 . 2009-05-19 14:57 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-18 16:36 . 2009-05-18 16:36 -------- d-----w c:\program files\Anti-keylogger
2009-05-18 16:36 . 2008-11-17 20:28 360448 ----a-w c:\windows\system32\drivers\krnl_akl.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-30 14:53 . 2005-12-18 17:06 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-20 16:11 . 2007-05-20 08:42 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-05 16:50 . 2006-05-27 02:23 -------- d-----w c:\documents and settings\user\Application Data\Skype
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2006-05-19 18577448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2005-08-26 671744]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-23 196608]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2005-08-26 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 73728]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-07-15 1077322]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 65536]
"LtMoh"="c:\\Program Files\\ltmoh\\Ltmoh.exe" [2003-09-06 184320]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 58728]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2007-04-07 100056]
"Athan"="c:\program files\Athan\Athan.exe" [2005-09-12 937984]
"Anti-keylogger"="c:\program files\Anti-keylogger\Anti-keylogger.exe" [2008-11-17 436224]
"NDSTray.exe"="NDSTray.exe" [BU]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-06-01 282624]
"ZoomingHook"="ZoomingHook.exe" - c:\windows\system32\ZoomingHook.exe [2005-06-06 24576]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2004-12-21 88358]
"TCtryIOHook"="TCtrlIOHook.exe" - c:\windows\system32\TCtrlIOHook.exe [2005-08-22 28672]
"TFncKy"="TFncKy.exe" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-8-31 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Sawa2Call\\Dialer\\Resources\\iaxdialer.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 krnl_akl;krnl_akl;c:\windows\system32\drivers\krnl_akl.sys [5/18/2009 12:36 PM 360448]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
R2 akl_svc;Anti-keylogger Service;c:\windows\system32\akl_svc.exe [12/26/2008 1:20 PM 59904]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4CD4A9E5-A6F1-4316-6C66-2D7B10146137}]
c:\windows\system32\rundl32.exe
.
Contents of the 'Scheduled Tasks' folder

2007-04-21 c:\windows\Tasks\Norton AntiVirus - Scan my computer - user.job
- c:\progra~1\NORTON~1\Navw32.exe [2004-08-17 17:54]

2005-12-18 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-08-31 12:00]

2005-12-18 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-08-31 12:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\obng2qqp.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-30 10:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2972)
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
Completion time: 2009-05-30 11:00
ComboFix-quarantined-files.txt 2009-05-30 15:00
ComboFix2.txt 2009-05-28 14:56

Pre-Run: 25,261,531,136 bytes free
Post-Run: 25,251,553,280 bytes free

150 --- E O F --- 2009-01-18 14:46

What does CFScript contain and what did it do?

I uninstalled all the Java programs (as well as Anti-keylogger) and installed JRE 6 update 14.

Tell me how your computer is running

I don't see/feel much difference.

#8 Farbar

    Just Curious

  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:30 PM

Posted 30 May 2009 - 02:39 PM

So how can I delete the above programs? Y= Yes, and means required?


You don't need to delete those programs. They are programs you have installed on your computer. Either they can be configured within those programs or you have to find a program to do that.

The computer seems free from infection.

Go to Start > Run, then copy and paste or type the following command in the field and hit Enter:

ComboFix /u

Note: There's a space between Combofix and /

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.


Happy Surfing.

#9 abc12345xyz

  • Topic Starter
  • Members
  • 75 posts
  • Gender:Male
  • Local time:06:30 AM

Posted 31 May 2009 - 11:50 AM

You don't need to delete those programs. They are programs you have installed on your computer. Either they can be configured within those programs or you have to find a program to do that.

Some of the programs I can't configure; do I then have to remove these from the msconfig > Startup list? And do I also need to disable them, or just remove them from the list?

The computer seems free from infection.

Is it 100% free? Can I change the passwords without any worries and without being hacked?

Another question: Should I scan other computers with Dr. Web or ComboFix?

#10 Farbar

    Just Curious

  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:30 PM

Posted 31 May 2009 - 01:12 PM

Some of the programs I can't configure; do I then have to remove these from the msconfig > Startup list? And do I also need to disable them, or just remove them from the list?


You may just disable the startup entry. To do that you may use Startup Inspector for Windows, for both novice and expert users: http://www.windowsstartup.com/startupinspector.php. It helps manage Windows® startup applications.

Is it 100% free? Can I change the passwords without any worries and without being hacked?


Who can say 100% free? :thumbup2:
But yes, it is safe to change the passwords. What you should know is that intrusion attempts take place all the time. There are always random attempts at intrusion. The firewall can prevent those intrusions.

Should I scan other computers with Dr. Web or ComboFix?

I don't recommend running ComboFix without the supervision of a trained helper. But you may run other scanners. In case something worries you, you may start a topic for the other computer too.

Do you have any question before closing the topic?

#11 abc12345xyz

  • Topic Starter
  • Members
  • 75 posts
  • Gender:Male
  • Local time:06:30 AM

Posted 03 June 2009 - 06:28 AM

Yesterday, I scanned with Dr. Web again, and there were 46 infected errors. I deleted all the previous restore points, SmitFraudfix files, and empty quarantine folders of Norton and Dr. Web. Then I don't know why I still have these errors.

Dr. Web Report:
A0029369.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029369.exe;Tool.Prockill;;
A0029369.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029369.exe;Tool.ShutDown.14;;
A0029369.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129;Archive contains infected objects;Moved.;
A0029370.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029370.exe;Tool.Prockill;;
A0029370.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029370.exe;Tool.ShutDown.14;;
A0029370.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129;Archive contains infected objects;Moved.;
A0029371.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029371.exe;Tool.Prockill;;
A0029371.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029371.exe;Tool.ShutDown.14;;
A0029371.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129;Archive contains infected objects;Moved.;
A0029372.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029372.exe;Tool.Prockill;;
A0029372.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029372.exe;Tool.ShutDown.14;;
A0029372.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129;Archive contains infected objects;Moved.;
A0029373.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029373.exe;Tool.Prockill;;
A0029373.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029373.exe;Tool.ShutDown.14;;
A0029373.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129;Archive contains infected objects;Moved.;
A0029374.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029374.exe;Tool.Prockill;;
A0029374.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029374.exe;Tool.ShutDown.14;;
A0029374.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129;Archive contains infected objects;Moved.;
A0029375.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029375.exe;Tool.Prockill;;
A0029375.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029375.exe;Tool.ShutDown.14;;
A0029375.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129;Archive contains infected objects;Moved.;
A0029376.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029376.exe;Tool.Prockill;;
A0029376.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029376.exe;Tool.ShutDown.14;;
A0029376.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129;Archive contains infected objects;Moved.;
A0029377.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029377.exe;Tool.Prockill;;
A0029377.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029377.exe;Tool.ShutDown.14;;
A0029377.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129;Archive contains infected objects;Moved.;
A0029378.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029378.exe;Tool.Prockill;;
A0029378.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029378.exe;Tool.ShutDown.14;;
A0029378.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129;Archive contains infected objects;Moved.;
A0029379.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029379.exe;Tool.Prockill;;
A0029379.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029379.exe;Tool.ShutDown.14;;
A0029379.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129;Archive contains infected objects;Moved.;
A0029382.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029382.exe;Tool.Prockill;;
A0029382.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029382.exe;Tool.ShutDown.14;;
A0029382.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129;Archive contains infected objects;Moved.;
A0029383.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129;Tool.Prockill;Incurable.Moved.;
A0029384.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029384.exe;Tool.Prockill;;
A0029384.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029384.exe;Tool.ShutDown.14;;
A0029384.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129;Archive contains infected objects;Moved.;
A0029385.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029385.exe;Tool.Prockill;;
A0029385.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029385.exe;Tool.ShutDown.14;;
A0029385.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129;Archive contains infected objects;Moved.;
A0029386.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029386.exe;Tool.Prockill;;
A0029386.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029386.exe;Tool.ShutDown.14;;
A0029386.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129;Archive contains infected objects;Moved.;
A0029387.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029387.exe;Tool.Prockill;;
A0029387.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029387.exe;Tool.ShutDown.14;;
A0029387.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129;Archive contains infected objects;Moved.;
A0029388.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029388.exe;Tool.Prockill;;
A0029388.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029388.exe;Tool.ShutDown.14;;
A0029388.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129;Archive contains infected objects;Moved.;
A0029389.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029389.exe;Tool.Prockill;;
A0029389.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029389.exe;Tool.ShutDown.14;;
A0029389.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129;Archive contains infected objects;Moved.;
A0029390.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029390.exe;Tool.Prockill;;
A0029390.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029390.exe;Tool.ShutDown.14;;
A0029390.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129;Archive contains infected objects;Moved.;
A0029391.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029391.exe;Tool.Prockill;;
A0029391.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029391.exe;Tool.ShutDown.14;;
A0029391.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129;Archive contains infected objects;Moved.;
A0029392.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029392.exe;Tool.Prockill;;
A0029392.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029392.exe;Tool.ShutDown.14;;
A0029392.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129;Archive contains infected objects;Moved.;
A0029393.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029393.exe;Tool.Prockill;;
A0029393.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129\A0029393.exe;Tool.ShutDown.14;;
A0029393.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129;Archive contains infected objects;Moved.;
A0029394.exe;C:\System Volume Information\_restore{BEF1E788-B95B-4F2A-8EA8-408591345474}\RP129;Tool.ShutDown.14;Incurable.Moved.;

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:30 PM

Posted 03 June 2009 - 07:00 AM

As you see these are all related to SmitfraudFix and it is the same file (Process.exe) detected again and again. There is nothing on the log you should worry about. DrWeb is known to have many false positives. All the tools we use to remove malware are flagged by DrWeb as a risk tool or something like that.

Empty System Volume Information. To do that:
Go to Start => Right-click My Computer and select Properties => under the System Restore tab check "Turn off System Restore on all drives". Click Apply.
By doing this you lose all your restore points. Reboot and don't forget to uncheck "Turn off System Restore on all drives" to create a clean restore point.

Could we close the topic?
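Farbar's point is that every hit in the log sits inside System Restore snapshots and is the same SmitfraudFix component repeating. As an added example, not part of the thread, here is a small Python triage for Dr.Web CureIt log lines in that semicolon-separated format, run on constructed sample input: it separates restore-point hits from hits on live files and lists the distinct files found inside archives. The restore-point GUID and the live-file entry are placeholders, not values from the poster's machine.

```python
"""Triage a Dr.Web CureIt log: group hits by detection and separate restore-point hits from live ones."""
import re
from collections import defaultdict

# Constructed sample in the thread's format (name;path;detection;action;): placeholder GUID,
# and an invented live hit (sample_live_hit.exe) for contrast. Nothing here is from the poster's machine.
SAMPLE_LOG = r"""
A0029387.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP129\A0029387.exe;Tool.Prockill;;
A0029387.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP129\A0029387.exe;Tool.ShutDown.14;;
A0029387.exe;C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP129;Archive contains infected objects;Moved.;
sample_live_hit.exe;C:\Documents and Settings\user\Local Settings\Temp;Trojan.Sample;Deleted.;
"""

# Per-snapshot folders that System Restore keeps under System Volume Information.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[^}]*\}\\RP\d+", re.I)

def parse_drweb_log(text):
    """Parse CureIt lines into dicts; blank or short lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split(";")
        if len(parts) < 4:
            continue
        name, path, detection, action = (p.strip() for p in parts[:4])
        entries.append({
            "name": name,
            "path": path,
            "detection": detection,
            "action": action,
            # A backslash in the name means the hit is a member inside an archive.
            "inner_file": name.split("\\", 1)[1] if "\\" in name else None,
            "in_restore_point": bool(RESTORE_RE.search(path)),
        })
    return entries

def triage(entries):
    """Return (counts per detection, entries found outside restore points).
    Restore-point hits are old snapshots; the live list is what still needs attention."""
    counts = defaultdict(int)
    live = []
    for entry in entries:
        counts[entry["detection"]] += 1
        if not entry["in_restore_point"]:
            live.append(entry)
    return dict(counts), live

def inner_files(entries):
    """Distinct files detected inside archives, to see whether one tool is simply repeating."""
    return {e["inner_file"] for e in entries if e["inner_file"]}
```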

#13 abc12345xyz

abc12345xyz
  • Topic Starter

  • Members
  • 75 posts
  • Gender:Male
  • Local time:06:30 AM

Posted 04 June 2009 - 02:29 AM

Could we close the topic?

Yes and thank you very much for helping me out. Really appreciate your help. Thanks.

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:30 PM

Posted 04 June 2009 - 03:20 AM

You are very welcome, glad I could help.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.
