Worm.Win32.NetSky AND Trojan SPM/LX virus HELP



#1 rollie69

  • Members
  • 20 posts

Posted 15 January 2010 - 08:23 PM

Last night I opened an e-mail. It was labeled as coming from UPS and said that our parcel could be picked up from their depot.

As a result I cannot open Outlook Express.

I have completed full system scans with Malwarebytes, Spybot Search & Destroy, Avira Antivirus Personal (free) and CCleaner.

My desktop picture has changed to a black box with YOUR SYSTEM IS INFECTED! (in big red letters).
System has been stopped due to a serious malfunction.
Spyware activity has been detected.
It is recommended to use spyware removal tool to prevent data loss.
Do not use the computer before spyware removed.
Also the background has changed colour 4 times so far and all Icons are highlighted.

The taskbar has a red circle with a cross and in the pop-up balloon it reads: Click here to protect your computer from Spyware! Your computer is infected! Windows has detected an infection of spyware! It is recommended to use special antispyware tools to prevent data loss. Windows will now download and install the most up to date spyware for you.

A window comes up in the middle of the screen reading: WARNING Attention! System detected a potential hazard (Trojan SPM/LX) on your computer that may infect executable files. You private information and PC safety is at risk. To get rid of unwanted spyware and keep your computer safe you need update your current security software. Click ok to download official intrusion detection system (IDS system).
Note the unusual English of the wording.

When the computer was turned back on, before any icons appeared a window was present with: Spyware Alert! Security Warning Worm.Win32.Netsky detected on your machine. This Virus is distributed via the internet through e-mail and Active X objects. The worm has its own SMTP engine which means it gathers e-mails from your local computer and redistributes itself. In worst cases this worm can allow attachers to access your computer, stealing passwords and personal data. Viruses can damage your confidential data and work on your computer. Continue working in unprotected mode is very dangerous.
Type: Virus
System Affected: Windows 2000, NT, ME, XP, Vista, 7
Security Risk (0-5): 5
Recommendations: It is necessary to perform a full system scan
OK

This is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:56 AM, on 16/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\smss32.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Geoff Lloyd\Desktop\HiJackThis(2).exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [VetStart] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe" -r
O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKLM\..\Run: [Vtuparukur] rundll32.exe "C:\WINDOWS\igotiwuv.dll",Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Startup: rarype32.exe
O4 - Startup: RemoteScan Server.lnk = C:\Program Files\RemoteScan Server\RemoteScanServer.exe
O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - Global Startup: Nokia Nseries PC Suite.lnk = E:\Program Files\Nokia\NNPCS\RunLauncher.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file:///E:/Program%20Files/AutoCad%202002/AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file:///E:/Program%20Files/AutoCad%202002/InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file:///E:/Program%20Files/AutoCad%202002/InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file:///E:/Program%20Files/AutoCad%202002/AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FF17AC9-7309-435F-924C-3F86EE9E6389}: NameServer = 192.168.1.1,203.22.70.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{2FF17AC9-7309-435F-924C-3F86EE9E6389}: NameServer = 192.168.1.1,203.22.70.2
O17 - HKLM\System\CS3\Services\Tcpip\..\{2FF17AC9-7309-435F-924C-3F86EE9E6389}: NameServer = 192.168.1.1,203.22.70.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: ServiceLayer - Nokia. - E:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8956 bytes



#2 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,219 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 16 January 2010 - 01:56 AM

Hi, rollie69

Welcome.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    -----------------------------------------------------------
  7. Double click on combo-Fix.exe & follow the prompts.
  8. Install the Recovery Console if prompted.
  9. When finished, it will produce a report for you.
  10. Please post the "C:\Combo-Fix.txt" .
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 rollie69

  • Topic Starter
  • Members
  • 20 posts

Posted 16 January 2010 - 05:26 AM

Hi JSntgRvr,

Thank you for your help. As soon as I get home tonight I'll post the results for you.

Thank you

Geoff

#4 rollie69

  • Topic Starter
  • Members
  • 20 posts

Posted 16 January 2010 - 10:49 AM

Below is the log after the scan. The computer seems to be OK so far. It says CA Anti-Virus & COMODO are still enabled, though I removed them a while ago (about a year ago for COMODO and only 2 months ago for CA). How can I be sure they're gone?

Could there be anything that could be a problem in the future as a result of this virus issue, like a backdoor virus or something?

Thank you for your time.

Geoff

ComboFix 10-01-15.05 - Geoff Lloyd 17/01/2010 1:02.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.991.443 [GMT 10:00]
Running from: c:\documents and settings\Geoff Lloyd\Desktop\Combo-Fix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Geoff Lloyd\Application Data\avdrn.dat
c:\documents and settings\Geoff Lloyd\Start Menu\Programs\Startup\rarype32.exe
c:\recycler\S-1-5-21-2940985478-958952436-24389365-500
c:\recycler\S-1-5-21-515967899-1547161642-725345543-500
c:\recycler\S-1-5-21-827064777-293402137-452776510-500
c:\windows\Install.txt
c:\windows\kmobrmst.dll
c:\windows\system\oeminfo.ini
c:\windows\system32\10883.exe
c:\windows\system32\11478.exe
c:\windows\system32\12289.exe
c:\windows\system32\12734.exe
c:\windows\system32\15724.exe
c:\windows\system32\16490.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\21559.exe
c:\windows\system32\24825.exe
c:\windows\system32\25608.exe
c:\windows\system32\25719.exe
c:\windows\system32\26338.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\27031.exe
c:\windows\system32\2863.exe
c:\windows\system32\29358.exe
c:\windows\system32\31456.exe
c:\windows\system32\3572.exe
c:\windows\system32\4063.exe
c:\windows\system32\41.exe
c:\windows\system32\5892.exe
c:\windows\system32\6334.exe
c:\windows\system32\7367.exe
c:\windows\system32\7498.exe
c:\windows\system32\8353.exe
c:\windows\system32\8762.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\helper32.dll
c:\windows\system32\images
c:\windows\system32\images\ccstyle.css
c:\windows\system32\images\green_bg.gif
c:\windows\system32\images\header_r1_c2.gif
c:\windows\system32\images\header_r1_c3.gif
c:\windows\system32\images\header_r2_c1.gif
c:\windows\system32\images\header_r2_c3.gif
c:\windows\system32\images\header_r4_c2.gif
c:\windows\system32\images\header_r4_c3.gif
c:\windows\system32\images\Intel%20P4%20Graphic.gif
c:\windows\system32\images\menu_r1_c1.gif
c:\windows\system32\images\menu_r2_c1.gif
c:\windows\system32\images\menu_r2_c11.gif
c:\windows\system32\images\menu_r2_c3.gif
c:\windows\system32\images\menu_r2_c5.gif
c:\windows\system32\images\menu_r2_c7.gif
c:\windows\system32\images\menu_r2_c9.gif
c:\windows\system32\images\misc.js
c:\windows\system32\images\spacer.gif
c:\windows\system32\images\Thumbs.db
c:\windows\system32\IS15.exe
c:\windows\system32\smss32.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\Thumbs.db
c:\windows\system32\tmp.reg
c:\windows\system32\tmp0_518092122664.bk
c:\windows\system32\warning.html
c:\windows\system32\winlogon32.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NOYTCYR
-------\Legacy_PERFMONS


((((((((((((((((((((((((( Files Created from 2009-12-16 to 2010-01-16 )))))))))))))))))))))))))))))))
.

2010-01-15 11:32 . 2010-01-15 11:32 0 ----a-w- c:\windows\Hsahey.bin
2010-01-15 11:31 . 2010-01-15 11:31 120 ----a-w- c:\windows\Wwabaf.dat
2010-01-15 11:31 . 2010-01-15 11:31 -------- d-----w- c:\documents and settings\Geoff Lloyd\Local Settings\Application Data\{0A6E071F-6FCB-44F8-AEE3-CCD6928E76F5}
2010-01-14 00:47 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-07 07:38 . 2010-01-07 07:38 -------- d-----w- c:\documents and settings\Geoff Lloyd\Application Data\CheckPoint
2010-01-07 07:38 . 2010-01-07 07:38 -------- d-----w- c:\program files\CheckPoint
2010-01-07 07:38 . 2009-11-22 05:42 69000 ----a-w- c:\windows\system32\zlcomm.dll
2010-01-07 07:38 . 2009-11-22 05:42 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2010-01-07 07:38 . 2009-11-22 05:42 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2010-01-07 07:38 . 2010-01-07 07:38 -------- d-----w- c:\windows\system32\ZoneLabs
2010-01-07 05:18 . 2010-01-07 05:18 -------- d-----w- c:\program files\Common Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-16 15:20 . 2009-04-03 07:22 4024795 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-01-16 14:55 . 2007-06-11 01:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-15 11:28 . 2010-01-15 11:28 16 ----a-w- c:\windows\system32\config\systemprofile\Application Data\mvhgkr.dat
2010-01-07 07:38 . 2008-10-19 00:52 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-01-07 05:51 . 2008-09-13 06:11 -------- d-----w- c:\documents and settings\Geoff Lloyd\Application Data\Skype
2010-01-07 05:50 . 2008-09-13 06:13 -------- d-----w- c:\documents and settings\Geoff Lloyd\Application Data\skypePM
2009-12-15 10:52 . 2008-09-02 10:03 -------- d-----w- c:\documents and settings\Geoff Lloyd\Application Data\TravelerSafe+
2009-12-15 07:51 . 2007-06-09 23:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-14 10:44 . 2009-12-14 10:44 48304 ----a-w- c:\windows\Internet Logs\zlclient_2nd_2009_12_14_17_12_45_small.dmp.zip
2009-12-14 10:33 . 2009-12-14 10:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-12-14 09:51 . 2009-12-14 09:51 -------- d-----w- c:\documents and settings\Geoff Lloyd\Application Data\Malwarebytes
2009-12-14 09:50 . 2009-12-14 09:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-19 01:48 . 2009-12-02 07:47 872960 ----a-w- c:\documents and settings\Geoff Lloyd\Application Data\Mozilla\Firefox\Profiles\avuw7if8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-11-19 01:48 . 2009-12-02 07:47 43008 ----a-w- c:\documents and settings\Geoff Lloyd\Application Data\Mozilla\Firefox\Profiles\avuw7if8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-11-19 01:48 . 2009-12-02 07:47 340480 ----a-w- c:\documents and settings\Geoff Lloyd\Application Data\Mozilla\Firefox\Profiles\avuw7if8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-11-19 01:48 . 2009-12-02 07:47 346624 ----a-w- c:\documents and settings\Geoff Lloyd\Application Data\Mozilla\Firefox\Profiles\avuw7if8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-10-29 07:46 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2007-11-25 02:05 . 2007-11-25 02:04 9216 --sha-w- c:\program files\Thumbs.db
2005-03-31 12:17 . 2005-11-21 02:34 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2008-02-03 13:04 . 2008-02-03 13:04 56 --sh--r- c:\windows\system32\95ECC42AFC.sys
2008-02-03 13:04 . 2008-02-03 13:04 1682 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="e:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-03-25 615696]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-08-26 236016]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-04 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2009-10-14 730480]

c:\documents and settings\Geoff Lloyd\Start Menu\Programs\Startup\
RemoteScan Server.lnk - c:\program files\RemoteScan Server\RemoteScanServer.exe [2004-4-8 266240]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]
Nokia Nseries PC Suite.lnk - e:\program files\Nokia\NNPCS\RunLauncher.exe [2008-5-8 943568]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDREG~1\DVDShell.dll" [2004-10-09 49152]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\RemoteScan Server\\RemoteScanServer.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 SiSRaid1;SiSRaid1;c:\windows\system32\drivers\SiSRaid1.sys [18/11/2005 12:45 PM 46464]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [14/12/2009 8:33 PM 108289]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [14/10/2009 11:30 PM 25208]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [14/10/2009 11:30 PM 476528]
S3 FWL;Fwl Packet Filter; [x]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [26/12/2008 5:57 PM 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [26/12/2008 5:57 PM 8320]
.
Contents of the 'Scheduled Tasks' folder

2009-10-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 02:34]

2010-01-16 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 01:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
mSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
TCP: {2FF17AC9-7309-435F-924C-3F86EE9E6389} = 192.168.1.1,203.22.70.2
FF - ProfilePath - c:\documents and settings\Geoff Lloyd\Application Data\Mozilla\Firefox\Profiles\avuw7if8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\Geoff Lloyd\Application Data\Mozilla\Firefox\Profiles\avuw7if8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {0A6E071F-6FCB-44F8-AEE3-CCD6928E76F5} - c:\documents and settings\Geoff Lloyd\Local Settings\Application Data\{0A6E071F-6FCB-44F8-AEE3-CCD6928E76F5}\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-VetStart - c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
HKLM-Run-Vtuparukur - c:\windows\igotiwuv.dll
AddRemove-HijackThis - c:\documents and settings\Geoff Lloyd\Desktop\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-17 01:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'lsass.exe'(776)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'explorer.exe'(2720)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Belkin\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\SearchIndexer.exe
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2010-01-17 01:29:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-16 15:29

Pre-Run: 130,423,070,720 bytes free
Post-Run: 130,493,304,832 bytes free

- - End Of File - - 29F4EF2097488655397946ED09541BB7


#5 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,219 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 16 January 2010 - 11:25 AM

Let's scan for remnants:

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses Java technology to perform the scan. If you do not have the latest Java version, follow the instructions below under Upgrading Java, to download and install the latest version.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following is checked.
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
Attention! Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.

Upgrading Java :
  • Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 18.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u18-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u18-windows-i586.exe and select "Run as an Administrator.")

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#6 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,219 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 16 January 2010 - 11:38 AM

QUOTE
Below is the log after the scan. The computer seems to be ok so far. It says CA anti-virus & COMODO are still enabled, though I removed them a while ago (about a year ago for COMODO and only 2 months ago CA). How can I be sure they're gone?


Try the Windows Installer CleanUp Utility to remove any remnants.


QUOTE
Could there be anything that could be a problem in the future as a result of this virus issue, like a backdoor virus or something?


Your computer was infected with Trojan Netsky (computer worm). Despite our efforts, we can't be 100% sure of what the future may bring. I would suggest you change all your passwords from another computer after the cleaning. That should increase your security.



#7 rollie69
  • Topic Starter
  • Members
  • 20 posts

Posted 16 January 2010 - 11:27 PM


I forgot to mention when I did the ComboFix it couldn't do the "Install the Recovery Console if prompted". It said there were files missing or something.

I've downloaded the Windows Installer CleanUp Utility, but am unsure what to select for the scan, and am concerned about what will work properly after the scan as I don't know where my install discs are for most programs.

Here is the Kaspersky report.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, January 17, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, January 17, 2010 01:02:17
Records in database: 3321381
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Objects scanned: 101811
Threats found: 5
Infected objects found: 7
Suspicious objects found: 0
Scan duration: 02:48:16


File name / Threat / Threats count
C:\Documents and Settings\Geoff Lloyd\Local Settings\Application Data\Identities\{069E3452-B143-499F-B51D-8C996F11808A}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Backdoor.Win32.Bredolab.aue 1
C:\Documents and Settings\Geoff Lloyd\Local Settings\Application Data\Identities\{069E3452-B143-499F-B51D-8C996F11808A}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Downloader.Win32.Piker.brn 1
C:\Documents and Settings\Geoff Lloyd\Local Settings\Application Data\Identities\{069E3452-B143-499F-B51D-8C996F11808A}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Backdoor.Win32.Bredolab.bts 1
C:\Qoobox\Quarantine\C\Documents and Settings\Geoff Lloyd\Start Menu\Programs\Startup\_rarype32_.exe.zip Infected: Trojan-Downloader.Win32.Piker.brn 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\smss32.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.gjq 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon32.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.gjq 1
C:\WINDOWS\system32\stsycod.sys Infected: Trojan.Win32.Delf.djl 1

Selected area has been scanned.

Thanks for your time

Geoff


#8 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,219 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 16 January 2010 - 11:42 PM

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
QUOTE
File::
C:\WINDOWS\system32\stsycod.sys




Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report. Never mind about the Recovery Console. If ever needed we will be able to obtain an alternate way.

In regard to the entries for COMODO and CA Anti-Virus, let's take a deeper look:

Download OTS.exe by OldTimer to your Desktop.
  1. Close any open browsers.
  2. Double-click on OTS.exe to start the program.
  3. Leave all settings as they appear as default, except for the following:
    • Under Drivers, select "All".
    • Under Additional Scans, click on the "Extra" button.
  4. Now click the Run Scan button on the toolbar.
  5. The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  6. When the scan is complete Notepad will open with the report file loaded in it.
  7. Save that notepad file
Use the Reply button and attach the notepad file here (Do not copy and paste in a reply, rather attach it to it).

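As an added example (not part of this thread and not code from Kaspersky, ComboFix or OTS), the Python script below triages a Kaspersky Online Scanner report the way the helper did above: hits inside ComboFix's Qoobox quarantine are already contained, hits inside an Outlook Express .dbx store are stored messages rather than files on disk, and only the remaining live file gets a File:: entry in the form of the CFScript above. The sample report is constructed from the shapes in the thread, with the user name and identity GUID replaced by placeholders, and the script also checks the detection lines against the report's own header totals.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the Kaspersky Online Scanner 7.0 report
# posted earlier in this thread; user name and identity GUID are placeholders.
SAMPLE_REPORT = """\
Scan statistics:
Objects scanned: 101811
Threats found: 5
Infected objects found: 7
Suspicious objects found: 0

File name / Threat / Threats count
C:\\Documents and Settings\\User\\Local Settings\\Application Data\\Identities\\{IDENTITY-GUID}\\Microsoft\\Outlook Express\\Deleted Items.dbx Infected: Backdoor.Win32.Bredolab.aue 1
C:\\Documents and Settings\\User\\Local Settings\\Application Data\\Identities\\{IDENTITY-GUID}\\Microsoft\\Outlook Express\\Deleted Items.dbx Infected: Trojan-Downloader.Win32.Piker.brn 1
C:\\Documents and Settings\\User\\Local Settings\\Application Data\\Identities\\{IDENTITY-GUID}\\Microsoft\\Outlook Express\\Deleted Items.dbx Infected: Backdoor.Win32.Bredolab.bts 1
C:\\Qoobox\\Quarantine\\C\\Documents and Settings\\User\\Start Menu\\Programs\\Startup\\_rarype32_.exe.zip Infected: Trojan-Downloader.Win32.Piker.brn 1
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\smss32.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.gjq 1
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\winlogon32.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.gjq 1
C:\\WINDOWS\\system32\\stsycod.sys Infected: Trojan.Win32.Delf.djl 1

Selected area has been scanned.
"""

# One detection line: "<path, may contain spaces> Infected: <threat name> <count>"
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def parse_detections(report):
    """Return [(path, threat, count)] for every detection line in the report."""
    found = []
    for line in report.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append((m["path"], m["threat"], int(m["count"])))
    return found


def classify(path):
    """Bucket a detection by where the object sits, which decides the response."""
    low = path.lower()
    if "\\qoobox\\quarantine\\" in low:
        # Already moved out of place and renamed by ComboFix; it no longer runs.
        return "quarantined"
    if low.endswith(".dbx"):
        # A message stored inside an Outlook Express folder file, not a file on
        # disk: empty and compact that folder inside Outlook Express instead of
        # deleting the whole .dbx store.
        return "mail-store"
    # Still in place on disk: the only class that needs a removal step.
    return "live"


def triage(report):
    """Group detections into {'live': [...], 'quarantined': [...], 'mail-store': [...]}."""
    buckets = defaultdict(list)
    for path, threat, count in parse_detections(report):
        buckets[classify(path)].append((path, threat, count))
    return dict(buckets)


def cfscript_for(live):
    """Build a removal script in the File:: form used in this thread (de-duplicated)."""
    paths = []
    for path, _threat, _count in live:
        if path not in paths:
            paths.append(path)
    if not paths:
        return ""
    return "File::\n" + "\n".join(paths) + "\n"


def header_counts(report):
    """Totals the scanner itself states in its 'Scan statistics' block."""
    threats = re.search(r"^Threats found: (\d+)$", report, re.M)
    objects = re.search(r"^Infected objects found: (\d+)$", report, re.M)
    return (int(threats[1]) if threats else None,
            int(objects[1]) if objects else None)


def consistent(report):
    """True when the detection lines add up to the header totals, i.e. the pasted
    report was neither truncated nor edited before it was posted."""
    dets = parse_detections(report)
    threats, objects = header_counts(report)
    distinct = len({threat for _path, threat, _count in dets})
    total = sum(count for _path, _threat, count in dets)
    return distinct == threats and total == objects


if __name__ == "__main__":
    buckets = triage(SAMPLE_REPORT)
    for name in ("live", "quarantined", "mail-store"):
        for path, threat, count in buckets.get(name, []):
            print(f"{name:11} {threat:40} {path}")
    print("header totals match:", consistent(SAMPLE_REPORT))
    print(cfscript_for(buckets.get("live", [])), end="")
```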


#9 rollie69
  • Topic Starter
  • Members
  • 20 posts

Posted 17 January 2010 - 01:15 AM

Here is the latest ComboFix log.

ComboFix 10-01-15.05 - Geoff Lloyd 17/01/2010 15:20:19.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.991.484 [GMT 10:00]
Running from: c:\documents and settings\Geoff Lloyd\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Geoff Lloyd\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\windows\system32\stsycod.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Geoff Lloyd\Local Settings\Application Data\{0A6E071F-6FCB-44F8-AEE3-CCD6928E76F5}
c:\documents and settings\Geoff Lloyd\Local Settings\Application Data\{0A6E071F-6FCB-44F8-AEE3-CCD6928E76F5}\chrome.manifest
c:\documents and settings\Geoff Lloyd\Local Settings\Application Data\{0A6E071F-6FCB-44F8-AEE3-CCD6928E76F5}\chrome\content\_cfg.js
c:\documents and settings\Geoff Lloyd\Local Settings\Application Data\{0A6E071F-6FCB-44F8-AEE3-CCD6928E76F5}\chrome\content\overlay.xul
c:\documents and settings\Geoff Lloyd\Local Settings\Application Data\{0A6E071F-6FCB-44F8-AEE3-CCD6928E76F5}\install.rdf
c:\windows\system32\stsycod.sys

.
((((((((((((((((((((((((( Files Created from 2009-12-17 to 2010-01-17 )))))))))))))))))))))))))))))))
.

2010-01-17 04:12 . 2010-01-17 04:12 3584 ----a-r- c:\documents and settings\Geoff Lloyd\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-01-17 04:12 . 2010-01-17 04:12 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-01-17 04:11 . 2010-01-17 04:11 -------- d-----w- c:\program files\MSECACHE
2010-01-15 11:32 . 2010-01-15 11:32 0 ----a-w- c:\windows\Hsahey.bin
2010-01-15 11:31 . 2010-01-15 11:31 120 ----a-w- c:\windows\Wwabaf.dat
2010-01-14 00:47 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-07 07:38 . 2010-01-07 07:38 -------- d-----w- c:\documents and settings\Geoff Lloyd\Application Data\CheckPoint
2010-01-07 07:38 . 2010-01-07 07:38 -------- d-----w- c:\program files\CheckPoint
2010-01-07 07:38 . 2009-11-22 05:42 69000 ----a-w- c:\windows\system32\zlcomm.dll
2010-01-07 07:38 . 2009-11-22 05:42 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2010-01-07 07:38 . 2009-11-22 05:42 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2010-01-07 07:38 . 2010-01-07 07:38 -------- d-----w- c:\windows\system32\ZoneLabs
2010-01-07 05:18 . 2010-01-07 05:18 -------- d-----w- c:\program files\Common Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-16 23:27 . 2010-01-16 23:27 61440 ----a-w- c:\documents and settings\Geoff Lloyd\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-289fea53-n\decora-sse.dll
2010-01-16 23:27 . 2010-01-16 23:27 503808 ----a-w- c:\documents and settings\Geoff Lloyd\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-289fea53-n\msvcp71.dll
2010-01-16 23:27 . 2010-01-16 23:27 499712 ----a-w- c:\documents and settings\Geoff Lloyd\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-289fea53-n\jmc.dll
2010-01-16 23:27 . 2010-01-16 23:27 348160 ----a-w- c:\documents and settings\Geoff Lloyd\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-289fea53-n\msvcr71.dll
2010-01-16 23:27 . 2010-01-16 23:27 12800 ----a-w- c:\documents and settings\Geoff Lloyd\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-289fea53-n\decora-d3d.dll
2010-01-16 23:27 . 2010-01-16 23:27 315392 ----a-w- c:\documents and settings\Geoff Lloyd\Application Data\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-1754ed7f-n\jogl.dll
2010-01-16 23:27 . 2010-01-16 23:27 20480 ----a-w- c:\documents and settings\Geoff Lloyd\Application Data\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-1754ed7f-n\jogl_awt.dll
2010-01-16 23:27 . 2010-01-16 23:27 20480 ----a-w- c:\documents and settings\Geoff Lloyd\Application Data\Sun\Java\Deployment\SystemCache\6.0\45\4f710eed-6d88c2ae-n\gluegen-rt.dll
2010-01-16 23:27 . 2010-01-16 23:27 114688 ----a-w- c:\documents and settings\Geoff Lloyd\Application Data\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-1754ed7f-n\jogl_cg.dll
2010-01-16 23:27 . 2005-12-08 12:40 -------- d-----w- c:\program files\Common Files\Java
2010-01-16 23:26 . 2010-01-16 23:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-16 23:26 . 2005-12-08 12:46 -------- d-----w- c:\program files\Java
2010-01-16 23:22 . 2009-04-03 07:22 4710951 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-01-16 14:55 . 2007-06-11 01:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-15 11:28 . 2010-01-15 11:28 16 ----a-w- c:\windows\system32\config\systemprofile\Application Data\mvhgkr.dat
2010-01-07 07:38 . 2008-10-19 00:52 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-01-07 05:51 . 2008-09-13 06:11 -------- d-----w- c:\documents and settings\Geoff Lloyd\Application Data\Skype
2010-01-07 05:50 . 2008-09-13 06:13 -------- d-----w- c:\documents and settings\Geoff Lloyd\Application Data\skypePM
2009-12-15 10:52 . 2008-09-02 10:03 -------- d-----w- c:\documents and settings\Geoff Lloyd\Application Data\TravelerSafe+
2009-12-15 07:51 . 2007-06-09 23:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-14 10:44 . 2009-12-14 10:44 48304 ----a-w- c:\windows\Internet Logs\zlclient_2nd_2009_12_14_17_12_45_small.dmp.zip
2009-12-14 10:33 . 2009-12-14 10:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-12-14 09:51 . 2009-12-14 09:51 -------- d-----w- c:\documents and settings\Geoff Lloyd\Application Data\Malwarebytes
2009-12-14 09:50 . 2009-12-14 09:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-19 01:48 . 2009-12-02 07:47 872960 ----a-w- c:\documents and settings\Geoff Lloyd\Application Data\Mozilla\Firefox\Profiles\avuw7if8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-11-19 01:48 . 2009-12-02 07:47 43008 ----a-w- c:\documents and settings\Geoff Lloyd\Application Data\Mozilla\Firefox\Profiles\avuw7if8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-11-19 01:48 . 2009-12-02 07:47 340480 ----a-w- c:\documents and settings\Geoff Lloyd\Application Data\Mozilla\Firefox\Profiles\avuw7if8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-11-19 01:48 . 2009-12-02 07:47 346624 ----a-w- c:\documents and settings\Geoff Lloyd\Application Data\Mozilla\Firefox\Profiles\avuw7if8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-10-29 07:46 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2007-11-25 02:05 . 2007-11-25 02:04 9216 --sha-w- c:\program files\Thumbs.db
2005-03-31 12:17 . 2005-11-21 02:34 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2008-02-03 13:04 . 2008-02-03 13:04 56 --sh--r- c:\windows\system32\95ECC42AFC.sys
2008-02-03 13:04 . 2008-02-03 13:04 1682 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="e:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-03-25 615696]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-08-26 236016]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-04 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2009-10-14 730480]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

c:\documents and settings\Geoff Lloyd\Start Menu\Programs\Startup\
RemoteScan Server.lnk - c:\program files\RemoteScan Server\RemoteScanServer.exe [2004-4-8 266240]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]
Nokia Nseries PC Suite.lnk - e:\program files\Nokia\NNPCS\RunLauncher.exe [2008-5-8 943568]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDREG~1\DVDShell.dll" [2004-10-09 49152]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\RemoteScan Server\\RemoteScanServer.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 SiSRaid1;SiSRaid1;c:\windows\system32\drivers\SiSRaid1.sys [18/11/2005 12:45 PM 46464]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [14/12/2009 8:33 PM 108289]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [14/10/2009 11:30 PM 25208]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [14/10/2009 11:30 PM 476528]
S3 FWL;Fwl Packet Filter; [x]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [26/12/2008 5:57 PM 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [26/12/2008 5:57 PM 8320]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE
.
Contents of the 'Scheduled Tasks' folder

2009-10-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 02:34]

2010-01-17 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 01:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
mSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
TCP: {2FF17AC9-7309-435F-924C-3F86EE9E6389} = 192.168.1.1,203.22.70.2
FF - ProfilePath - c:\documents and settings\Geoff Lloyd\Application Data\Mozilla\Firefox\Profiles\avuw7if8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\Geoff Lloyd\Application Data\Mozilla\Firefox\Profiles\avuw7if8.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-17 15:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'lsass.exe'(768)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
Completion time: 2010-01-17 15:30:02
ComboFix-quarantined-files.txt 2010-01-17 05:29
ComboFix2.txt 2010-01-16 15:29

Pre-Run: 129,858,007,040 bytes free
Post-Run: 129,891,127,296 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 2129A21FE44375B1C03C4CCF5B7C6476





I've completed the OTS scan, but I'm not sure how to attach it the way it says below. I did attach it as a file, though I'm unsure if it's the correct way.

QUOTE
6. When the scan is complete Notepad will open with the report file loaded in it.
7. Save that notepad file
Use the Reply button and attach the notepad file here (Do not copy and paste in a reply, rather attach it to it).


Thanks

Geoff

Attached Files
  • OTS.Txt (195.05KB)


#10 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,219 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 17 January 2010 - 02:47 AM

In regard to CA Anti-Virus and COMODO Firewall Pro, there are no entries running in the system's processes. Chances are these are remnants, but I am unable to determine why Combofix detects these as active.

Start OTS. Copy/Paste the information in the Quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.


QUOTE
[Registry - Safe List]
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 5348 domain(s) found.
YN -> 49 domain(s) and sub-domain(s) not assigned to a zone. ->
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\
YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 36 range(s) found.
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 5394 domain(s) found.
YN -> 51 domain(s) and sub-domain(s) not assigned to a zone. ->
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 95 range(s) found.




The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Please let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.



#11 rollie69
  • Topic Starter
  • Members
  • 20 posts

Posted 17 January 2010 - 02:56 AM

Done. WOW that was a quick one.

You have been very helpful in fixing these problems. Thank you very much for your time and help.

[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ created successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ created successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ created successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ created successfully.
< End of fix log >
OTS by OldTimer - Version 3.1.19.1 fix logfile created on 01172010_175303


#12 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,219 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 17 January 2010 - 10:43 AM

Hi, rollie69.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now copy and paste "c:\documents and settings\Geoff Lloyd\Desktop\Combo-Fix.exe" /Uninstall in the runbox (including the quotation marks) and click OK. Note the space between the " and the /Uninstall, it needs to be there.
Launch OTS and click on the Cleanup button. Follow the prompts.

Create a Restore point:
  1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  2. In the System Restore dialog box, click Create a restore point, and then click Next.
  3. Type a description for your restore point, such as "After Cleanup", then click Create.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  1. Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  3. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  4. ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  5. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  6. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  7. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  8. ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  9. Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein and this one by Miekiemoes.

Best wishes!

No requests for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!
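The same housekeeping (flush the old restore points, re-enable System Restore, uninstall ComboFix, take a fresh restore point) can be done from a PowerShell prompt run as Administrator instead of clicking through the System Properties dialogs. This is an added example and is not code from the post above or from the ComboFix/OTS authors; it assumes PowerShell 2.0 on XP/Vista/7, the documented root\default:SystemRestore WMI class, and that ComboFix was saved to the Desktop (the path, the "After Cleanup" description, and the C:\Qoobox / C:\ComboFix folder check are assumptions you should adjust to your own machine).

```powershell
# Added example, not from the original post. Run from an elevated PowerShell 2.0 prompt.
# Assumed: the SystemRestore WMI class in root\default (XP SP3 / Vista / 7),
#          ComboFix saved on the current user's Desktop as Combo-Fix.exe.

$Drive    = "C:\"                                     # system drive; the trailing backslash is required by the WMI methods
$ComboFix = Join-Path $env:USERPROFILE "Desktop\Combo-Fix.exe"   # assumed location, change if you saved it elsewhere
$sr       = [wmiclass] "root\default:SystemRestore"   # static methods Enable / Disable / CreateRestorePoint

function Assert-WmiOk {
    # Every SystemRestore method returns an object whose ReturnValue is 0 on success.
    param([string]$Step, $Result)
    if ($Result.ReturnValue -ne 0) { throw "$Step failed with WMI return code $($Result.ReturnValue)" }
    Write-Host "$Step ... OK"
}

# Step 1 of the post: turning System Restore off purges every existing restore point,
# which is the point of the exercise (they may hold copies of the infected files).
function Disable-SystemRestore {
    Assert-WmiOk "Disable System Restore on $Drive" ($sr.Disable($Drive))
    Write-Host "Now reboot (step 2 of the post) and run the remaining functions afterwards."
}

# Step 3: turn it back on. $true = wait until the service reports it is enabled.
function Enable-SystemRestore {
    Assert-WmiOk "Enable System Restore on $Drive" ($sr.Enable($Drive, $true))
}

# "Combo-Fix.exe /Uninstall" from the post, with the quarantine folders checked afterwards.
# ComboFix keeps its quarantine in C:\Qoobox and its working copy in C:\ComboFix (assumed
# defaults); both should be gone once the uninstall has finished.
function Uninstall-ComboFix {
    if (-not (Test-Path $ComboFix)) { throw "ComboFix not found at $ComboFix" }
    Start-Process -FilePath $ComboFix -ArgumentList "/Uninstall" -Wait
    foreach ($leftover in @("C:\Qoobox", "C:\ComboFix")) {
        if (Test-Path $leftover) { Write-Warning "$leftover still exists; remove it by hand" }
    }
}

# Create the "After Cleanup" restore point. 12 = MODIFY_SETTINGS, 100 = BEGIN_SYSTEM_CHANGE
# (the RestorePointType / EventType constants documented for CreateRestorePoint).
function New-CleanRestorePoint {
    param([string]$Description = "After Cleanup")
    Assert-WmiOk "Create restore point '$Description'" ($sr.CreateRestorePoint($Description, 12, 100))
    # Prove the only restore point left is the clean one we just made.
    Get-WmiObject -Namespace root\default -Class SystemRestore |
        Select-Object SequenceNumber, Description, CreationTime | Format-Table -AutoSize
}

# Usage, in the order the post gives it:
#   Disable-SystemRestore      # then reboot
#   Enable-SystemRestore
#   Uninstall-ComboFix
#   New-CleanRestorePoint
```

Because the disable/reboot/enable cycle needs a restart in the middle, the steps are separate functions rather than one straight-through script; run the first, reboot, then the other three. If Disable or Enable returns a non-zero code the script stops rather than silently leaving System Restore in an unknown state, which is the one thing the dialog-box route gives you no feedback on.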


#13 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,219 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 25 January 2010 - 06:55 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

