
AdvancedVirusRemover/ Trojan.Win32.Generic!SB0/ etc.


15 replies to this topic

#1 minmaz (Members, 30 posts)

Posted 26 January 2010 - 09:40 PM

Hi there,

This one is pretty tough... I had to repair my operating system via the repair function that came with the OS disk just to be able to log in. The virus is continually trying to give me Windows updates, and Internet Explorer is no longer working (I had to burn Firefox onto a CD and load it that way). Thanks for your help!

Sue

DDS (Ver_09-12-01.01) - NTFSx86
Run by Sue M at 21:06:56.85 on Tue 01/26/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.132 [GMT -5:00]

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\SCANJET\PrecisionScanLT\hppwrsav.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sue M\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
mRun: [Drag'n'Drop_Autolaunch] "c:\program files\iomega hotburn pro\Autolaunch.exe"
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver2\LVCOMS.EXE
mRun: [hppwrsav] c:\scanjet\precisionscanlt\hppwrsav.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SBAMTray] c:\program files\sunbelt software\counterspy\SBAMTray.exe
dRun: [asg984jgkfmgasi8ug98jgkfgfb] c:\windows\temp\win16.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\paloal~1.lnk - c:\program files\common files\palo alto software\8.0\PAS8_Update.exe
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} - hxxp://host-d.oddcast.com/hostClientIE.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} - hxxps://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - hxxp://www.trendmicro.com/spyware-scan/as4web.cab
DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} - hxxp://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://207.5.168.68/activex/AMC.cab
TCP: {4835DB3C-4B48-4B23-8734-3206634C22CB} = 193.104.110.38,4.2.2.1,209.18.47.61 209.18.47.62
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\kbdsock.dll,c:\windows\system32\fuyizeve.dll,nabukeyu.dll
SSODL: seroguhob - {3ffd0598-93a1-4d72-96eb-0f137bc15d1c} - c:\windows\system32\senuvina.dll
STS: mujuzedij: {3ffd0598-93a1-4d72-96eb-0f137bc15d1c} - c:\windows\system32\senuvina.dll
LSA: Notification Packages = scecli tasurizo.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\suem~1\applic~1\mozilla\firefox\profiles\ij4few13.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2010-1-26 13360]
R2 SBAMSvc;CounterSpy Antispyware;c:\program files\sunbelt software\counterspy\SBAMSvc.exe [2010-1-4 1012080]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-1-26 69936]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2005-12-31 1247600]
S2 PPSCAN;PPSCAN;c:\windows\system32\drivers\ppscan.sys [2007-6-20 91520]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-12 38224]
S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys --> c:\windows\system32\ndisdrv.sys [?]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-10-13 95024]

=============== Created Last 30 ================

2010-01-27 01:15:02 0 d-----w- C:\2d21bb17fecbbecb17c41b6400aa
2010-01-26 08:14:52 0 d-----w- c:\program files\MSXML 6.0
2010-01-26 07:26:26 0 d-----w- C:\597ee40065efe3759c70
2010-01-26 07:05:14 0 d-----w- c:\windows\system32\CatRoot_bak
2010-01-26 06:57:33 118 ----a-w- c:\windows\system32\MRT.INI
2010-01-26 06:57:30 0 d-----w- c:\windows\system32\MpEngineStore
2010-01-26 06:34:28 453632 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-01-26 06:33:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-26 06:30:41 2136064 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-01-26 06:30:38 2180352 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-01-26 06:30:37 2015744 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-01-26 06:30:35 2057728 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-01-26 05:46:44 69936 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2010-01-26 05:45:23 13360 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2010-01-26 05:28:17 163840 ----a-w- c:\windows\system32\igfxres.dll
2010-01-26 05:17:24 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll
2010-01-26 05:17:24 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys
2010-01-26 05:17:20 48256 -c--a-w- c:\windows\system32\dllcache\w32.dll
2010-01-26 05:17:00 14336 -c--a-w- c:\windows\system32\dllcache\tsprof.exe
2010-01-26 05:15:47 38912 -c--a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2010-01-26 05:15:36 111104 -c--a-w- c:\windows\system32\dllcache\mtstocom.exe
2010-01-26 05:15:11 7680 -c--a-w- c:\windows\system32\dllcache\migregdb.exe
2010-01-26 05:15:10 92416 -c--a-w- c:\windows\system32\dllcache\mga.sys
2010-01-26 05:15:10 92032 -c--a-w- c:\windows\system32\dllcache\mga.dll
2010-01-26 05:15:09 65536 -c--a-w- c:\windows\system32\dllcache\EXCH_mailmsg.dll
2010-01-26 05:15:08 18944 -c--a-w- c:\windows\system32\dllcache\lprmon.dll
2010-01-26 05:15:07 22528 -c--a-w- c:\windows\system32\dllcache\lpdsvc.dll
2010-01-26 05:15:06 33792 -c--a-w- c:\windows\system32\dllcache\lmmib2.dll
2010-01-26 05:13:50 18944 -c--a-w- c:\windows\system32\dllcache\cprofile.exe
2010-01-26 05:12:50 5632 -c--a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll
2010-01-26 05:09:32 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2010-01-26 05:09:23 749 ---ha-r- c:\windows\WindowsShell.Manifest
2010-01-26 05:09:23 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2010-01-26 05:09:23 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
2010-01-26 05:09:23 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2010-01-26 05:08:51 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-01-26 05:08:10 32768 -c--a-w- c:\windows\system32\dllcache\icwdl.dll
2010-01-26 05:08:09 20480 -c--a-w- c:\windows\system32\dllcache\inetwiz.exe
2010-01-26 05:08:08 86016 -c--a-w- c:\windows\system32\dllcache\icwconn2.exe
2010-01-26 05:08:08 214528 -c--a-w- c:\windows\system32\dllcache\icwconn1.exe
2010-01-26 04:45:10 480256 -c--a-w- c:\windows\system32\dllcache\cintsetp.exe
2010-01-26 04:45:10 21504 -c--a-w- c:\windows\system32\dllcache\cintlgnt.ime
2010-01-26 04:45:10 21504 ----a-w- c:\windows\system32\CINTLGNT.IME
2010-01-26 04:45:10 198656 -c--a-w- c:\windows\system32\dllcache\cintime.dll
2010-01-26 04:45:09 97792 -c--a-w- c:\windows\system32\dllcache\chtmbx.dll
2010-01-26 04:45:09 56320 -c--a-w- c:\windows\system32\dllcache\chtskdic.dll
2010-01-26 04:45:09 455168 -c--a-w- c:\windows\system32\dllcache\tintsetp.exe
2010-01-26 04:45:09 44032 -c--a-w- c:\windows\system32\dllcache\tintlphr.exe
2010-01-26 04:45:09 173568 -c--a-w- c:\windows\system32\dllcache\chtskf.dll
2010-01-26 04:45:09 10240 -c--a-w- c:\windows\system32\dllcache\tmigrate.dll
2010-01-26 04:45:08 571392 -c--a-w- c:\windows\system32\dllcache\tintlgnt.ime
2010-01-26 04:45:08 571392 ----a-w- c:\windows\system32\TINTLGNT.IME
2010-01-26 04:44:57 70144 -c--a-w- c:\windows\system32\dllcache\pintlphr.exe
2010-01-26 04:44:57 67584 -c--a-w- c:\windows\system32\dllcache\pmigrate.dll
2010-01-26 04:44:57 59392 -c--a-w- c:\windows\system32\dllcache\imscinst.exe
2010-01-26 04:44:57 482304 -c--a-w- c:\windows\system32\dllcache\pintlgnt.ime
2010-01-26 04:44:57 482304 ----a-w- c:\windows\system32\PINTLGNT.IME
2010-01-26 04:44:45 10096640 -c--a-w- c:\windows\system32\dllcache\hwxcht.dll
2010-01-26 04:44:43 16254 ----a-w- c:\windows\system32\PINTLPAE.HLP
2010-01-26 04:44:43 14821 ----a-w- c:\windows\system32\PINTLPAD.HLP
2010-01-26 04:44:01 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-01-26 04:44:01 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-01-26 04:44:01 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-01-26 04:44:01 13312 ----a-w- c:\windows\system32\irclass.dll
2010-01-04 22:02:22 27984 ----a-w- c:\windows\system32\sbbd.exe
2009-12-30 04:27:09 0 ----a-w- c:\windows\system32\AVR10.exe
2009-12-30 04:26:08 419 ----a-w- c:\windows\system32\uses32.dat
2009-12-30 04:26:08 100 ----a-w- c:\windows\system32\flags.ini
2009-12-30 04:25:38 46 ----a-w- C:\p2hhr.bat

==================== Find3M ====================

2010-01-26 05:07:29 23428 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-30 05:17:06 107 ----a-w- c:\docume~1\suem~1\applic~1\netstat.bat
2009-12-22 05:42:49 662016 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:42:45 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-12 18:01:11 2713 --sha-w- c:\windows\system32\lenisako.exe
2009-12-12 18:01:11 2713 --sha-w- c:\windows\system32\kitejiru.exe
2009-12-10 19:27:34 57 ----a-w- C:\xcrashdump.dat
2009-12-03 21:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2008-11-15 03:46:26 14394041 ----a-w- c:\program files\Jalbum-install.exe
2008-10-03 04:48:29 112000 -c--a-w- c:\program files\blkmagic.exe
2008-09-02 17:00:20 7499056 ----a-w- c:\program files\Firefox Setup 3.0.1.exe
2007-12-15 05:17:25 15452536 -c--a-w- c:\program files\IE7-WindowsXP-x86-enu.exe
2007-12-14 04:15:43 13330224 -c--a-w- c:\program files\avinstall.exe
2007-12-14 03:14:45 7467056 -c--a-w- c:\program files\spybotsd15.exe
2007-10-16 05:09:27 1448229 -c--a-w- c:\program files\avatar_setup.exe
2005-10-17 07:29:15 11012006 -c--a-w- c:\program files\ysitebuilder.exe

============= FINISH: 21:07:48.15 ===============
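
The DDS log above lists the load points a removal helper reads first: the default-profile Run entry pointing at c:\windows\temp\win16.exe, the AppInit_DLLs value, the SSODL/STS shell-object entries, the LSA Notification Packages value, and the policies that disable Task Manager, Registry Tools and Folder Options. The Python script below is an added example for this page; it is not part of the thread, of DDS or of ComboFix. It parses a constructed excerpt of those exact log lines and flags them. The baselines it treats as Windows XP defaults (an empty AppInit_DLLs, scecli as the only LSA notification package), the temp-directory markers, the severity labels and the function names (`triage`, `count_by_kind`) are the example's own assumptions, not verdicts from the thread.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log for persistence points.

Added example for this thread; not part of DDS, ComboFix or the original
posts. The baselines below are assumptions (Windows XP defaults as the
author of this example understands them), not a malware verdict.
"""
import re

# Constructed excerpt: the load-point lines from the DDS log posted above.
SAMPLE_LOG = """\
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
mRun: [SBAMTray] c:\\program files\\sunbelt software\\counterspy\\SBAMTray.exe
dRun: [asg984jgkfmgasi8ug98jgkfgfb] c:\\windows\\temp\\win16.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
AppInit_DLLs: c:\\windows\\system32\\kbdsock.dll,c:\\windows\\system32\\fuyizeve.dll,nabukeyu.dll
SSODL: seroguhob - {3ffd0598-93a1-4d72-96eb-0f137bc15d1c} - c:\\windows\\system32\\senuvina.dll
STS: mujuzedij: {3ffd0598-93a1-4d72-96eb-0f137bc15d1c} - c:\\windows\\system32\\senuvina.dll
LSA: Notification Packages = scecli tasurizo.dll
"""

# Assumed XP baselines: AppInit_DLLs is empty and scecli is the only LSA
# notification package on a clean install.
DEFAULT_LSA_PACKAGES = {"scecli"}
# Policies that lock the user out of the tools needed to inspect the box.
LOCKOUT_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoFolderOptions"}
# Directories a legitimate autostart almost never runs from (assumption).
TEMP_MARKERS = ("\\windows\\temp\\", "\\local settings\\temp\\")

# DDS prefixes: u = HKCU, m = HKLM, d = HKU\.DEFAULT (applies to new profiles too).
SCOPE = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}
RUN_RE = re.compile(r"^(?P<s>[umd])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
POLICY_RE = re.compile(r"^(?P<s>[umd])Policies-\w+: (?P<name>\w+) = (?P<val>\d+)")
SHELL_RE = re.compile(
    r"^(?P<kind>SSODL|STS): (?P<name>\S+?)[: -]+\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$"
)
LSA_RE = re.compile(r"^LSA: Notification Packages = (?P<pkgs>.+)$")


def triage(log_text):
    """Return a list of findings (dicts with severity, kind, scope, detail)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RUN_RE.match(line):
            cmd = m.group("cmd").lower()
            if any(marker in cmd for marker in TEMP_MARKERS):
                findings.append(dict(severity="high", kind="run-from-temp",
                                     scope=SCOPE[m.group("s")], detail=line))
        elif m := POLICY_RE.match(line):
            if m.group("name") in LOCKOUT_POLICIES and m.group("val") != "0":
                findings.append(dict(severity="medium", kind="tool-lockout",
                                     scope=SCOPE[m.group("s")], detail=m.group("name")))
        elif line.startswith("AppInit_DLLs:"):
            # On XP every DLL listed here is loaded into each process that loads user32.dll.
            for dll in line.split(":", 1)[1].split(","):
                dll = dll.strip()
                if not dll:
                    continue
                note = "" if "\\" in dll else " (bare name, resolved via DLL search order)"
                findings.append(dict(severity="high", kind="appinit-dll",
                                     scope="HKLM", detail=dll + note))
        elif m := SHELL_RE.match(line):
            # Shell service objects load into explorer.exe at every logon; flag for review.
            findings.append(dict(severity="high", kind="shell-object", scope="HKLM",
                                 detail=f"{m.group('kind')} {m.group('name')} -> {m.group('path')}"))
        elif m := LSA_RE.match(line):
            # Notification packages are handed every password change in cleartext.
            for pkg in m.group("pkgs").split():
                base = pkg.lower()
                if base.endswith(".dll"):
                    base = base[:-4]
                if base not in DEFAULT_LSA_PACKAGES:
                    findings.append(dict(severity="high", kind="lsa-package",
                                         scope="HKLM", detail=pkg))
    return findings


def count_by_kind(findings):
    """Summarise findings as {kind: count}."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']:<6} {f['kind']:<14} {f['scope']:<12} {f['detail']}")
```

On the excerpt above the script yields ten findings: the win16.exe autostart under the default profile, three tool-lockout policies, three AppInit DLLs (one of them a bare name that Windows resolves through the DLL search order), the two shell-object entries that share one CLSID, and the tasurizo.dll LSA package. It deliberately ignores EnableLUA, which is a Vista-era value with no effect on XP.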


#2 fenzodahl512 (Members, 6,738 posts)

Posted 27 January 2010 - 07:34 AM

Please make sure you disable ALL of your antivirus/antispyware/firewall software before running ComboFix. Please visit HERE if you don't know how. Please re-enable them after performing all the steps given.

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename ComboFix to Combo-Fix.

It is important you rename ComboFix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so. It will be in your best interest.

Note: DON'T do anything with your computer while ComboFix is running. Let ComboFix finish its job.



#3 minmaz (Topic Starter; Members, 30 posts)

Posted 27 January 2010 - 08:42 PM

Here is the ComboFix file... By the way, I don't know what the "Norton Internet Worm Protection" thing is. I don't have Norton. Thanks!

ComboFix 10-01-26.06 - Sue M 01/27/2010 8:58.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.200 [GMT -5:00]
Running from: c:\documents and settings\Sue M\Desktop\Combo-Fix.exe
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jeff Minemier\Local Settings\Temporary Internet Files\CSC2.5U-EN-733-F.sbr.sgn
c:\documents and settings\Jeff Minemier\Local Settings\Temporary Internet Files\ENCounterSpyConsumer.2.5.1043.0.exe
c:\documents and settings\Sue M\Local Settings\Temporary Internet Files\CSC2.5U-EN-733-F.sbr.sgn
c:\documents and settings\Sue M\Local Settings\Temporary Internet Files\CSC2.5U-EN-743-F.sbr.sgn
c:\documents and settings\Sue M\Local Settings\Temporary Internet Files\CSC2.5U-EN-744-I.sbr.sgn
c:\documents and settings\Sue M\Local Settings\Temporary Internet Files\CSC2.5U-EN-748-F.sbr.sgn
c:\documents and settings\Sue M\Local Settings\Temporary Internet Files\CSC2.5U-EN-749-F.sbr.sgn
c:\documents and settings\Sue M\Local Settings\Temporary Internet Files\CSC2.5U-EN-750-F.sbr.sgn
c:\documents and settings\Sue M\Local Settings\Temporary Internet Files\CSC2.5U-EN-752-F.sbr.sgn
c:\documents and settings\Sue M\Local Settings\Temporary Internet Files\CSC2.5U-EN-753-F.sbr.sgn
c:\documents and settings\Sue M\Local Settings\Temporary Internet Files\CSC2.5U-EN-758-F.sbr.sgn
c:\documents and settings\Sue M\Local Settings\Temporary Internet Files\CSC2.5U-EN-764-F.sbr.sgn
c:\documents and settings\Sue M\Local Settings\Temporary Internet Files\CSC2.5U-EN-765-F.sbr.sgn
c:\documents and settings\Sue M\Local Settings\Temporary Internet Files\CSC2.5U-EN-767-F.sbr.sgn
c:\documents and settings\Sue M\Local Settings\Temporary Internet Files\CSC2.5U-EN-800-F.sbr.sgn
c:\documents and settings\Sue M\Local Settings\Temporary Internet Files\CSC2.5U-EN-808-I.sbr.sgn
c:\documents and settings\Sue M\Local Settings\Temporary Internet Files\CSC2.5U-EN-808-I.sbr.sgn.unsgn
c:\documents and settings\Sue M\Local Settings\Temporary Internet Files\CSC2.5U-EN-824-F.sbr.sgn
c:\documents and settings\Sue M\Local Settings\Temporary Internet Files\CSC2.5U-EN-848-F.sbr.sgn
c:\documents and settings\Sue M\Local Settings\Temporary Internet Files\CSC2.5U-EN-849-F.sbr.sgn
c:\documents and settings\Sue M\Local Settings\Temporary Internet Files\CSC2.5U-EN-878-F.sbr.sgn
c:\documents and settings\Sue M\Local Settings\Temporary Internet Files\EN CounterSpyConsumer UpGrade-Signed.exe
c:\documents and settings\Sue M\Local Settings\Temporary Internet Files\ENCounterSpyConsumer.2.5.1043.0.exe
c:\documents and settings\Sue M\My Documents\ZbThumbnail.info
C:\p2hhr.bat
c:\recycler\S-1-5-21-1708537768-308236825-839522115-1003
c:\recycler\S-1-5-21-3288127050-197847358-126776011-1003
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\AVR10.exe
c:\windows\system32\flags.ini
c:\windows\system32\Install.txt
c:\windows\system32\kitejiru.exe
c:\windows\system32\lenisako.exe
c:\windows\system32\uninstall.exe
c:\windows\system32\uses32.dat
c:\windows\Tasks\ybawltep.job
c:\windows\Temp\223619622.exe
c:\windows\Temp\437682122.exe
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IAS
-------\Legacy_WINSTS


((((((((((((((((((((((((( Files Created from 2009-12-27 to 2010-01-27 )))))))))))))))))))))))))))))))
.

2010-01-27 13:53 . 2010-01-27 13:55 -------- d-----w- C:\Combo-Fix
2010-01-27 03:26 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-01-27 02:58 . 2010-01-27 02:58 40960 ----a-w- c:\windows\vsnpstd.exe
2010-01-27 01:41 . 2010-01-27 01:41 -------- d-----w- c:\documents and settings\Sue M\Local Settings\Application Data\Western Digital
2010-01-27 01:15 . 2010-01-27 01:18 -------- d-----w- C:\2d21bb17fecbbecb17c41b6400aa
2010-01-26 08:14 . 2010-01-26 08:14 -------- d-----w- c:\program files\MSXML 6.0
2010-01-26 07:26 . 2010-01-26 07:40 -------- d-----w- C:\597ee40065efe3759c70
2010-01-26 07:05 . 2010-01-27 01:38 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-01-26 06:57 . 2010-01-26 06:57 -------- d-----w- c:\windows\system32\MpEngineStore
2010-01-26 06:34 . 2008-10-24 11:10 453632 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-01-26 06:33 . 2010-01-26 06:33 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-26 06:30 . 2009-08-04 13:58 2136064 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-01-26 06:30 . 2009-08-04 14:00 2180352 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-01-26 06:30 . 2009-08-04 13:13 2015744 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-01-26 06:30 . 2009-08-04 13:13 2057728 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-01-26 05:46 . 2009-08-11 00:06 69936 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2010-01-26 05:45 . 2009-05-13 21:30 13360 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2010-01-26 05:28 . 2005-01-22 18:30 163840 ----a-w- c:\windows\system32\igfxres.dll
2010-01-26 05:17 . 2004-08-04 12:00 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll
2010-01-26 05:17 . 2004-08-04 12:00 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys
2010-01-26 05:17 . 2004-08-04 12:00 48256 -c--a-w- c:\windows\system32\dllcache\w32.dll
2010-01-26 05:17 . 2004-08-04 12:00 14336 -c--a-w- c:\windows\system32\dllcache\tsprof.exe
2010-01-26 05:15 . 2001-08-18 03:36 38912 -c--a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2010-01-26 05:15 . 2004-08-04 12:00 111104 -c--a-w- c:\windows\system32\dllcache\mtstocom.exe
2010-01-26 05:15 . 2004-08-04 12:00 7680 -c--a-w- c:\windows\system32\dllcache\migregdb.exe
2010-01-26 05:15 . 2004-08-04 12:00 92416 -c--a-w- c:\windows\system32\dllcache\mga.sys
2010-01-26 05:15 . 2004-08-04 12:00 92032 -c--a-w- c:\windows\system32\dllcache\mga.dll
2010-01-26 05:15 . 2001-08-18 03:36 65536 -c--a-w- c:\windows\system32\dllcache\EXCH_mailmsg.dll
2010-01-26 05:15 . 2004-08-04 12:00 18944 -c--a-w- c:\windows\system32\dllcache\lprmon.dll
2010-01-26 05:15 . 2004-08-04 12:00 22528 -c--a-w- c:\windows\system32\dllcache\lpdsvc.dll
2010-01-26 05:15 . 2004-08-04 12:00 33792 -c--a-w- c:\windows\system32\dllcache\lmmib2.dll
2010-01-26 05:13 . 2004-08-04 12:00 18944 -c--a-w- c:\windows\system32\dllcache\cprofile.exe
2010-01-26 05:13 . 2004-08-04 12:00 9728 -c--a-w- c:\windows\system32\dllcache\change.exe
2010-01-26 05:13 . 2004-08-04 12:00 15872 -c--a-w- c:\windows\system32\dllcache\chgport.exe
2010-01-26 05:13 . 2004-08-04 12:00 14336 -c--a-w- c:\windows\system32\dllcache\chgusr.exe
2010-01-26 05:13 . 2004-08-04 12:00 13312 -c--a-w- c:\windows\system32\dllcache\chglogon.exe
2010-01-26 05:13 . 2004-08-04 12:00 54528 -c--a-w- c:\windows\system32\dllcache\cap7146.sys
2010-01-26 05:13 . 2004-08-04 12:00 331264 -c--a-w- c:\windows\system32\dllcache\aqueue.dll
2010-01-26 05:13 . 2001-08-18 03:36 45056 -c--a-w- c:\windows\system32\dllcache\EXCH_aqadmin.dll
2010-01-26 05:08 . 2004-08-04 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-01-26 05:08 . 2004-08-04 12:00 32768 -c--a-w- c:\windows\system32\dllcache\icwdl.dll
2010-01-26 05:08 . 2004-08-04 12:00 20480 -c--a-w- c:\windows\system32\dllcache\inetwiz.exe
2010-01-26 05:08 . 2004-08-04 12:00 86016 -c--a-w- c:\windows\system32\dllcache\icwconn2.exe
2010-01-26 05:08 . 2004-08-04 12:00 214528 -c--a-w- c:\windows\system32\dllcache\icwconn1.exe
2010-01-26 04:45 . 2004-08-04 12:00 480256 -c--a-w- c:\windows\system32\dllcache\cintsetp.exe
2010-01-26 04:45 . 2004-08-04 12:00 198656 -c--a-w- c:\windows\system32\dllcache\cintime.dll
2010-01-26 04:45 . 2004-08-04 12:00 97792 -c--a-w- c:\windows\system32\dllcache\chtmbx.dll
2010-01-26 04:45 . 2004-08-04 12:00 56320 -c--a-w- c:\windows\system32\dllcache\chtskdic.dll
2010-01-26 04:45 . 2004-08-04 12:00 455168 -c--a-w- c:\windows\system32\dllcache\tintsetp.exe
2010-01-26 04:45 . 2004-08-04 12:00 44032 -c--a-w- c:\windows\system32\dllcache\tintlphr.exe
2010-01-26 04:45 . 2004-08-04 12:00 173568 -c--a-w- c:\windows\system32\dllcache\chtskf.dll
2010-01-26 04:45 . 2004-08-04 12:00 10240 -c--a-w- c:\windows\system32\dllcache\tmigrate.dll
2010-01-26 04:44 . 2004-08-04 12:00 70144 -c--a-w- c:\windows\system32\dllcache\pintlphr.exe
2010-01-26 04:44 . 2004-08-04 12:00 67584 -c--a-w- c:\windows\system32\dllcache\pmigrate.dll
2010-01-26 04:44 . 2004-08-04 12:00 59392 -c--a-w- c:\windows\system32\dllcache\imscinst.exe
2010-01-26 04:44 . 2004-08-04 12:00 10096640 -c--a-w- c:\windows\system32\dllcache\hwxcht.dll
2010-01-26 04:44 . 2004-08-04 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-01-26 04:44 . 2004-08-04 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-01-26 04:44 . 2004-08-04 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-01-26 04:44 . 2004-08-04 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-01-04 22:02 . 2010-01-04 22:02 27984 ----a-w- c:\windows\system32\sbbd.exe
2009-12-30 04:26 . 2009-12-30 04:26 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-27 01:42 . 2006-06-07 19:29 65752 -c--a-w- c:\documents and settings\Sue M\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-26 06:32 . 2005-04-10 09:34 -------- d-----w- c:\program files\Java
2010-01-26 06:31 . 2010-01-26 06:31 152576 ----a-w- c:\documents and settings\Sue M\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-26 06:30 . 2010-01-26 06:30 79488 ----a-w- c:\documents and settings\Sue M\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-26 05:07 . 2004-08-07 12:54 23428 ----a-w- c:\windows\system32\emptyregdb.dat
2010-01-02 02:06 . 2006-05-16 13:52 -------- d-----w- c:\program files\Trend Micro
2009-12-30 05:17 . 2009-12-27 14:45 107 ----a-w- c:\documents and settings\Sue M\Application Data\netstat.bat
2009-12-30 05:17 . 2009-12-27 14:45 107 ----a-w- c:\documents and settings\Sue M\Application Data\netstat.bat
2009-12-30 04:25 . 2009-12-12 17:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-30 03:42 . 2009-12-27 01:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-30 03:41 . 2007-05-15 16:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-28 04:41 . 2005-10-09 18:19 -------- d-----w- c:\program files\Canon
2009-12-27 01:33 . 2009-12-27 01:33 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-12-27 01:33 . 2009-12-27 01:33 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-12-27 01:33 . 2009-12-27 01:33 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-12-27 01:33 . 2009-12-27 01:33 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-12-25 05:46 . 2009-12-25 05:46 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-12-24 03:22 . 2009-12-24 03:22 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-22 05:42 . 2004-08-04 12:00 662016 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:42 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-12 17:54 . 2009-12-12 17:54 -------- d-----w- c:\documents and settings\Sue M\Application Data\Malwarebytes
2009-12-12 17:54 . 2009-12-12 17:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-10 13:25 . 2007-05-10 03:34 -------- d-----w- c:\documents and settings\Sue M\Application Data\ZoomBrowser EX
2009-12-10 13:24 . 2009-07-09 13:35 -------- d-----w- c:\documents and settings\Sue M\Application Data\CameraWindowDC
2009-12-06 04:57 . 2005-12-05 21:04 66136 -c--a-w- c:\documents and settings\Jeff Minemier\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-06 01:25 . 2007-11-10 21:43 -------- d-----w- c:\program files\Full Tilt Poker
2009-12-03 21:14 . 2009-12-12 17:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13 . 2009-12-12 17:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-21 16:36 . 2004-08-04 12:00 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2008-11-15 03:46 . 2008-11-15 03:46 14394041 ----a-w- c:\program files\Jalbum-install.exe
2008-10-03 04:48 . 2008-10-03 04:48 112000 -c--a-w- c:\program files\blkmagic.exe
2008-09-02 17:00 . 2008-09-02 17:00 7499056 ----a-w- c:\program files\Firefox Setup 3.0.1.exe
2007-12-15 05:17 . 2007-12-15 05:17 15452536 -c--a-w- c:\program files\IE7-WindowsXP-x86-enu.exe
2007-12-14 04:15 . 2007-12-14 04:15 13330224 -c--a-w- c:\program files\avinstall.exe
2007-12-14 03:14 . 2007-12-14 03:14 7467056 -c--a-w- c:\program files\spybotsd15.exe
2007-10-16 05:09 . 2007-10-16 05:09 1448229 -c--a-w- c:\program files\avatar_setup.exe
2005-10-17 07:29 . 2005-10-17 07:29 11012006 -c--a-w- c:\program files\ysitebuilder.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-22 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-22 126976]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-04-10 98304]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"hpWirelessAssistant"="c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-01-21 790528]
"Drag'n'Drop_Autolaunch"="c:\program files\Iomega HotBurn Pro\Autolaunch.exe" [2002-10-15 86016]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver2\LVCOMS.EXE" [2002-09-20 90112]
"hppwrsav"="c:\scanjet\PrecisionScanLT\hppwrsav.exe" [1999-06-07 23552]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-11-05 185632]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-26 149280]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SBAMTray"="c:\program files\Sunbelt Software\CounterSpy\SBAMTray.exe" [2010-01-04 685392]
"SNPSTD"="c:\windows\vsnpstd.exe" [2010-01-27 40960]
"LSBWATCHER"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2010-01-27 253952]
"CPQSET"="c:\program files\HPQ\Default Settings\cpqset.exe" [2010-01-27 233534]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Palo Alto Software Update Manager 8.0.lnk - c:\program files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe [2005-6-8 122880]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Jalbum8.1\\Jalbum.exe"=
"c:\\Program Files\\Sunbelt Software\\CounterSpy\\SBAMTray.exe"=

R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [1/26/2010 12:45 AM 13360]
R2 SBAMSvc;CounterSpy Antispyware;c:\program files\Sunbelt Software\CounterSpy\SBAMSvc.exe [1/4/2010 5:02 PM 1012080]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [1/26/2010 12:46 AM 69936]
S2 PPSCAN;PPSCAN;c:\windows\system32\drivers\ppscan.sys [6/20/2007 9:53 AM 91520]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [12/12/2009 12:54 PM 38224]
S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys --> c:\windows\system32\ndisdrv.sys [?]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/13/2009 8:22 AM 95024]

--- Other Services/Drivers In Memory ---

*Deregistered* - dnbudf
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
TCP: {4835DB3C-4B48-4B23-8734-3206634C22CB} = 193.104.110.38,4.2.2.1,209.18.47.61 209.18.47.62
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://207.5.168.68/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\Sue M\Application Data\Mozilla\Firefox\Profiles\ij4few13.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-LDM - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
SharedTaskScheduler-{3ffd0598-93a1-4d72-96eb-0f137bc15d1c} - c:\windows\system32\senuvina.dll
SSODL-seroguhob-{3ffd0598-93a1-4d72-96eb-0f137bc15d1c} - c:\windows\system32\senuvina.dll
AddRemove-SLABCOMM - c:\windows\system32\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-27 09:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CPQSET = c:\program files\HPQ\Default Settings\cpqset.exe????????7?0?4?7??????? ?,?B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3632)
c:\windows\system32\ieframe.dll
c:\windows\system32\msls31.dll
c:\windows\system32\shdoclc.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\MSCTF.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\Iomega\System32\AppServices.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\program files\HPQ\SHARED\HPQWMI.exe
.
**************************************************************************
.
Completion time: 2010-01-27 09:20:20 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-27 14:20

Pre-Run: 2,568,540,160 bytes free
Post-Run: 3,027,505,152 bytes free

- - End Of File - - BE342E8D4A45AE58C76BC66600CD5180


#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:11:36 PM

Posted 28 January 2010 - 07:18 AM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter

2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
KillAll::

Driver::
ndisdrv

File::
c:\windows\system32\ndisdrv.sys


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe/KittyFix.exe as depicted in the animation below. This will start ComboFix/KittyFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.




Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it, then do a "Perform Full Scan".

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

How's the computer now?

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

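The CFScript above removes the orphaned ndisdrv service that ComboFix reported with a trailing "[?]" (file not found). As an added example, not part of this thread or of ComboFix, the script below parses that kind of ComboFix output, flags file-missing services and the Security Center override values that hide a disabled antivirus or firewall, and renders the same Driver::/File:: stanza from the log instead of by hand. The sample log text is constructed in the shape of the log posted above.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix's or the
forum helper's own code). It parses the R0-R3/S0-S3 service lines and the
REGEDIT4-style Security Center block, flags services whose file ComboFix
could not find ("[?]") and Security Center values that silence AV/firewall
monitoring, and renders the Driver::/File:: CFScript stanza the helper in
this thread wrote by hand for the orphaned ndisdrv service."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the shape of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [1/26/2010 12:45 AM 13360]
R2 SBAMSvc;CounterSpy Antispyware;c:\program files\Sunbelt Software\CounterSpy\SBAMSvc.exe [1/4/2010 5:02 PM 1012080]
S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys --> c:\windows\system32\ndisdrv.sys [?]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/13/2009 8:22 AM 95024]
"""

# "R2 name;display;path [date size]", or "... path [?]" when the file is absent.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s+\[([^\]]*)\]\s*$")
KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')

# Security Center values that, when non-zero, stop Windows from warning that
# antivirus or firewall protection is off; rogue AV families commonly set them.
OVERRIDE_NAMES = {
    "antivirusoverride", "firewalloverride", "antivirusdisablenotify",
    "firewalldisablenotify", "updatesdisablenotify", "disablemonitoring",
}


@dataclass(frozen=True)
class Service:
    start_type: str      # R0-R3 = running, S0-S3 = stopped (ComboFix notation)
    name: str
    display: str
    image_path: str      # path as registered, possibly with a \??\ prefix
    resolved_path: str   # path after ComboFix's "-->" resolution, if any
    file_missing: bool   # ComboFix prints "[?]" when it cannot find the file


def parse_services(text: str) -> list[Service]:
    """Extract every service/driver line from a ComboFix log."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        start_type, name, display, path, meta = m.groups()
        resolved = path.split(" --> ")[-1].strip()
        services.append(Service(start_type, name, display, path.strip(),
                                resolved, meta.strip() == "?"))
    return services


def security_center_overrides(text: str) -> list[tuple[str, str, int]]:
    """Return (registry key, value name, value) for non-zero override flags."""
    hits, current_key = [], None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current_key = km.group(1)
            continue
        vm = DWORD_RE.match(line)
        if not vm or current_key is None:
            continue
        if "security center" not in current_key.lower():
            continue
        name, value = vm.group(1), int(vm.group(2), 16)
        if name.lower() in OVERRIDE_NAMES and value != 0:
            hits.append((current_key, name, value))
    return hits


def build_cfscript(services: list[Service]) -> str:
    """Render a Driver::/File:: stanza for services whose file is missing.

    Returns an empty string when nothing qualifies, so the stanza never
    names a file or driver that ComboFix actually found on disk."""
    missing = [s for s in services if s.file_missing]
    if not missing:
        return ""
    drivers = "\n".join(s.name for s in missing)
    files = "\n".join(s.resolved_path for s in missing)
    return f"Driver::\n{drivers}\n\nFile::\n{files}\n"


if __name__ == "__main__":
    for key, name, value in security_center_overrides(SAMPLE_LOG):
        print(f"override: {name}={value} under {key}")
    print(build_cfscript(parse_services(SAMPLE_LOG)), end="")
```

Review the rendered stanza before feeding it to ComboFix: a "[?]" only means the file was not found at scan time, so a legitimately uninstalled driver's leftover service entry will be listed as well.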

#5 minmaz

minmaz
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:11:36 AM

Posted 28 January 2010 - 08:21 AM

Combofix & Hijackthis logs...

ComboFix 10-01-26.06 - Sue M 01/28/2010 7:34.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.94 [GMT -5:00]
Running from: c:\documents and settings\Sue M\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Sue M\Desktop\CFScript.txt
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FILE ::
"c:\windows\system32\ndisdrv.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NDISDRV
-------\Service_ndisdrv


((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-28 )))))))))))))))))))))))))))))))
.

2010-01-27 13:53 . 2010-01-27 13:55 -------- d-----w- C:\Combo-Fix
2010-01-27 03:26 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-01-27 02:58 . 2010-01-27 02:58 40960 ----a-w- c:\windows\vsnpstd.exe
2010-01-27 01:41 . 2010-01-27 01:41 -------- d-----w- c:\documents and settings\Sue M\Local Settings\Application Data\Western Digital
2010-01-27 01:15 . 2010-01-27 01:18 -------- d-----w- C:\2d21bb17fecbbecb17c41b6400aa
2010-01-26 08:14 . 2010-01-26 08:14 -------- d-----w- c:\program files\MSXML 6.0
2010-01-26 07:26 . 2010-01-26 07:40 -------- d-----w- C:\597ee40065efe3759c70
2010-01-26 07:05 . 2010-01-27 01:38 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-01-26 06:57 . 2010-01-26 06:57 -------- d-----w- c:\windows\system32\MpEngineStore
2010-01-26 06:34 . 2008-10-24 11:10 453632 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-01-26 06:33 . 2010-01-26 06:33 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-26 06:30 . 2009-08-04 13:58 2136064 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-01-26 06:30 . 2009-08-04 14:00 2180352 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-01-26 06:30 . 2009-08-04 13:13 2015744 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-01-26 06:30 . 2009-08-04 13:13 2057728 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-01-26 05:46 . 2009-08-11 00:06 69936 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2010-01-26 05:45 . 2009-05-13 21:30 13360 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2010-01-26 05:28 . 2005-01-22 18:30 163840 ----a-w- c:\windows\system32\igfxres.dll
2010-01-26 05:17 . 2004-08-04 12:00 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll
2010-01-26 05:17 . 2004-08-04 12:00 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys
2010-01-26 05:17 . 2004-08-04 12:00 48256 -c--a-w- c:\windows\system32\dllcache\w32.dll
2010-01-26 05:17 . 2004-08-04 12:00 14336 -c--a-w- c:\windows\system32\dllcache\tsprof.exe
2010-01-26 05:15 . 2001-08-18 03:36 38912 -c--a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2010-01-26 05:15 . 2004-08-04 12:00 111104 -c--a-w- c:\windows\system32\dllcache\mtstocom.exe
2010-01-26 05:15 . 2004-08-04 12:00 7680 -c--a-w- c:\windows\system32\dllcache\migregdb.exe
2010-01-26 05:15 . 2004-08-04 12:00 92416 -c--a-w- c:\windows\system32\dllcache\mga.sys
2010-01-26 05:15 . 2004-08-04 12:00 92032 -c--a-w- c:\windows\system32\dllcache\mga.dll
2010-01-26 05:15 . 2001-08-18 03:36 65536 -c--a-w- c:\windows\system32\dllcache\EXCH_mailmsg.dll
2010-01-26 05:15 . 2004-08-04 12:00 18944 -c--a-w- c:\windows\system32\dllcache\lprmon.dll
2010-01-26 05:15 . 2004-08-04 12:00 22528 -c--a-w- c:\windows\system32\dllcache\lpdsvc.dll
2010-01-26 05:15 . 2004-08-04 12:00 33792 -c--a-w- c:\windows\system32\dllcache\lmmib2.dll
2010-01-26 05:13 . 2004-08-04 12:00 18944 -c--a-w- c:\windows\system32\dllcache\cprofile.exe
2010-01-26 05:13 . 2004-08-04 12:00 9728 -c--a-w- c:\windows\system32\dllcache\change.exe
2010-01-26 05:13 . 2004-08-04 12:00 15872 -c--a-w- c:\windows\system32\dllcache\chgport.exe
2010-01-26 05:13 . 2004-08-04 12:00 14336 -c--a-w- c:\windows\system32\dllcache\chgusr.exe
2010-01-26 05:13 . 2004-08-04 12:00 13312 -c--a-w- c:\windows\system32\dllcache\chglogon.exe
2010-01-26 05:13 . 2004-08-04 12:00 54528 -c--a-w- c:\windows\system32\dllcache\cap7146.sys
2010-01-26 05:13 . 2004-08-04 12:00 331264 -c--a-w- c:\windows\system32\dllcache\aqueue.dll
2010-01-26 05:13 . 2001-08-18 03:36 45056 -c--a-w- c:\windows\system32\dllcache\EXCH_aqadmin.dll
2010-01-26 05:08 . 2004-08-04 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-01-26 05:08 . 2004-08-04 12:00 32768 -c--a-w- c:\windows\system32\dllcache\icwdl.dll
2010-01-26 05:08 . 2004-08-04 12:00 20480 -c--a-w- c:\windows\system32\dllcache\inetwiz.exe
2010-01-26 05:08 . 2004-08-04 12:00 86016 -c--a-w- c:\windows\system32\dllcache\icwconn2.exe
2010-01-26 05:08 . 2004-08-04 12:00 214528 -c--a-w- c:\windows\system32\dllcache\icwconn1.exe
2010-01-26 04:45 . 2004-08-04 12:00 480256 -c--a-w- c:\windows\system32\dllcache\cintsetp.exe
2010-01-26 04:45 . 2004-08-04 12:00 198656 -c--a-w- c:\windows\system32\dllcache\cintime.dll
2010-01-26 04:45 . 2004-08-04 12:00 97792 -c--a-w- c:\windows\system32\dllcache\chtmbx.dll
2010-01-26 04:45 . 2004-08-04 12:00 56320 -c--a-w- c:\windows\system32\dllcache\chtskdic.dll
2010-01-26 04:45 . 2004-08-04 12:00 455168 -c--a-w- c:\windows\system32\dllcache\tintsetp.exe
2010-01-26 04:45 . 2004-08-04 12:00 44032 -c--a-w- c:\windows\system32\dllcache\tintlphr.exe
2010-01-26 04:45 . 2004-08-04 12:00 173568 -c--a-w- c:\windows\system32\dllcache\chtskf.dll
2010-01-26 04:45 . 2004-08-04 12:00 10240 -c--a-w- c:\windows\system32\dllcache\tmigrate.dll
2010-01-26 04:44 . 2004-08-04 12:00 70144 -c--a-w- c:\windows\system32\dllcache\pintlphr.exe
2010-01-26 04:44 . 2004-08-04 12:00 67584 -c--a-w- c:\windows\system32\dllcache\pmigrate.dll
2010-01-26 04:44 . 2004-08-04 12:00 59392 -c--a-w- c:\windows\system32\dllcache\imscinst.exe
2010-01-26 04:44 . 2004-08-04 12:00 10096640 -c--a-w- c:\windows\system32\dllcache\hwxcht.dll
2010-01-26 04:44 . 2004-08-04 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-01-26 04:44 . 2004-08-04 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-01-26 04:44 . 2004-08-04 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-01-26 04:44 . 2004-08-04 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-01-04 22:02 . 2010-01-04 22:02 27984 ----a-w- c:\windows\system32\sbbd.exe
2009-12-30 04:26 . 2009-12-30 04:26 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-27 01:42 . 2006-06-07 19:29 65752 -c--a-w- c:\documents and settings\Sue M\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-26 06:32 . 2005-04-10 09:34 -------- d-----w- c:\program files\Java
2010-01-26 06:31 . 2010-01-26 06:31 152576 ----a-w- c:\documents and settings\Sue M\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-26 06:30 . 2010-01-26 06:30 79488 ----a-w- c:\documents and settings\Sue M\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-26 05:07 . 2004-08-07 12:54 23428 ----a-w- c:\windows\system32\emptyregdb.dat
2010-01-02 02:06 . 2006-05-16 13:52 -------- d-----w- c:\program files\Trend Micro
2009-12-30 05:17 . 2009-12-27 14:45 107 ----a-w- c:\documents and settings\Sue M\Application Data\netstat.bat
2009-12-30 05:17 . 2009-12-27 14:45 107 ----a-w- c:\documents and settings\Sue M\Application Data\netstat.bat
2009-12-30 04:25 . 2009-12-12 17:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-30 03:42 . 2009-12-27 01:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-30 03:41 . 2007-05-15 16:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-28 04:41 . 2005-10-09 18:19 -------- d-----w- c:\program files\Canon
2009-12-27 01:33 . 2009-12-27 01:33 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-12-27 01:33 . 2009-12-27 01:33 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-12-27 01:33 . 2009-12-27 01:33 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-12-27 01:33 . 2009-12-27 01:33 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-12-25 05:46 . 2009-12-25 05:46 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-12-24 03:22 . 2009-12-24 03:22 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-22 05:42 . 2004-08-04 12:00 662016 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:42 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-12 17:54 . 2009-12-12 17:54 -------- d-----w- c:\documents and settings\Sue M\Application Data\Malwarebytes
2009-12-12 17:54 . 2009-12-12 17:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-10 13:25 . 2007-05-10 03:34 -------- d-----w- c:\documents and settings\Sue M\Application Data\ZoomBrowser EX
2009-12-10 13:24 . 2009-07-09 13:35 -------- d-----w- c:\documents and settings\Sue M\Application Data\CameraWindowDC
2009-12-06 04:57 . 2005-12-05 21:04 66136 -c--a-w- c:\documents and settings\Jeff Minemier\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-06 01:25 . 2007-11-10 21:43 -------- d-----w- c:\program files\Full Tilt Poker
2009-12-03 21:14 . 2009-12-12 17:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13 . 2009-12-12 17:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-21 16:36 . 2004-08-04 12:00 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2008-11-15 03:46 . 2008-11-15 03:46 14394041 ----a-w- c:\program files\Jalbum-install.exe
2008-10-03 04:48 . 2008-10-03 04:48 112000 -c--a-w- c:\program files\blkmagic.exe
2008-09-02 17:00 . 2008-09-02 17:00 7499056 ----a-w- c:\program files\Firefox Setup 3.0.1.exe
2007-12-15 05:17 . 2007-12-15 05:17 15452536 -c--a-w- c:\program files\IE7-WindowsXP-x86-enu.exe
2007-12-14 04:15 . 2007-12-14 04:15 13330224 -c--a-w- c:\program files\avinstall.exe
2007-12-14 03:14 . 2007-12-14 03:14 7467056 -c--a-w- c:\program files\spybotsd15.exe
2007-10-16 05:09 . 2007-10-16 05:09 1448229 -c--a-w- c:\program files\avatar_setup.exe
2005-10-17 07:29 . 2005-10-17 07:29 11012006 -c--a-w- c:\program files\ysitebuilder.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-22 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-22 126976]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-04-10 98304]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"hpWirelessAssistant"="c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-01-21 790528]
"Drag'n'Drop_Autolaunch"="c:\program files\Iomega HotBurn Pro\Autolaunch.exe" [2002-10-15 86016]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver2\LVCOMS.EXE" [2002-09-20 90112]
"hppwrsav"="c:\scanjet\PrecisionScanLT\hppwrsav.exe" [1999-06-07 23552]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-11-05 185632]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-26 149280]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SBAMTray"="c:\program files\Sunbelt Software\CounterSpy\SBAMTray.exe" [2010-01-04 685392]
"SNPSTD"="c:\windows\vsnpstd.exe" [2010-01-27 40960]
"LSBWATCHER"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2010-01-27 253952]
"CPQSET"="c:\program files\HPQ\Default Settings\cpqset.exe" [2010-01-27 233534]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Palo Alto Software Update Manager 8.0.lnk - c:\program files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe [2005-6-8 122880]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Jalbum8.1\\Jalbum.exe"=
"c:\\Program Files\\Sunbelt Software\\CounterSpy\\SBAMTray.exe"=

R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [1/26/2010 12:45 AM 13360]
R2 SBAMSvc;CounterSpy Antispyware;c:\program files\Sunbelt Software\CounterSpy\SBAMSvc.exe [1/4/2010 5:02 PM 1012080]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [1/26/2010 12:46 AM 69936]
S2 PPSCAN;PPSCAN;c:\windows\system32\drivers\ppscan.sys [6/20/2007 9:53 AM 91520]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [12/12/2009 12:54 PM 38224]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/13/2009 8:22 AM 95024]

--- Other Services/Drivers In Memory ---

*Deregistered* - dnbudf
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
TCP: {4835DB3C-4B48-4B23-8734-3206634C22CB} = 193.104.110.38,4.2.2.1,209.18.47.61 209.18.47.62
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://207.5.168.68/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\Sue M\Application Data\Mozilla\Firefox\Profiles\ij4few13.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-28 07:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CPQSET = c:\program files\HPQ\Default Settings\cpqset.exe????????7?0?4?7??????? ?,?B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3368)
c:\windows\system32\ieframe.dll
c:\windows\system32\msls31.dll
c:\windows\system32\shdoclc.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\MSCTF.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\Iomega\System32\AppServices.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\program files\HPQ\SHARED\HPQWMI.exe
.
**************************************************************************
.
Completion time: 2010-01-28 08:05:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-28 13:05
ComboFix2.txt 2010-01-27 14:20

Pre-Run: 3,012,075,520 bytes free
Post-Run: 2,987,368,448 bytes free

- - End Of File - - 5AE10945146BA664566A2897A892362F


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:20:17 AM, on 1/28/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\SCANJET\PrecisionScanLT\hppwrsav.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe
O4 - HKLM\..\Run: [SNPSTD] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [LSBWATCHER] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [CPQSET] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - Global Startup: Palo Alto Software Update Manager 8.0.lnk = C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://host-d.oddcast.com/hostClientIE.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidO...PhotoOnline.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://207.5.168.68/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4835DB3C-4B48-4B23-8734-3206634C22CB}: NameServer = 193.104.110.38,4.2.2.1,209.18.47.61 209.18.47.62
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: CounterSpy Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9054 bytes



#6 minmaz (Topic Starter)

Posted 28 January 2010 - 08:29 AM

Just an FYI, the links you provided aren't working necessarily. The first one sends you to major geeks and I think the url should be http://www.malwarebytes.org/affiliates/bes...wnload-mbam.php instead of what you have. The second link does not work at all. I am now installing/running malwarebytes, but may not be able to post results until after I return from work tonight if it takes a while.

Sue

#7 fenzodahl512

Posted 28 January 2010 - 09:30 AM

Ok, thanks for the info.. I'll wait for the Malwarebytes' result

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#8 minmaz (Topic Starter)

Posted 28 January 2010 - 08:54 PM

Malwarebytes log...

Malwarebytes' Anti-Malware 1.44
Database version: 3650
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

1/28/2010 8:45:32 PM
mbam-log-2010-01-28 (20-45-32).txt

Scan type: Full Scan (C:\|)
Objects scanned: 235078
Time elapsed: 1 hour(s), 19 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4835db3c-4b48-4b23-8734-3206634c22cb}\NameServer (Trojan.DNSChanger) -> Data: 193.104.110.38,4.2.2.1,209.18.47.61 209.18.47.62 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP1\A0000119.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP1\A0000146.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Combo-Fix\Combo-Fix.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\Combo-Fix\PV.cfxxe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Combo-Fix\pv.com (Trojan.Agent) -> Quarantined and deleted successfully.

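An added example, not code from any post in this thread: a small Python script that pulls the NameServer values out of the HijackThis O17 line in the log above and out of the Registry Data Item line in the Malwarebytes log, splits the oddly delimited list, and reports any resolver that is not on an allowlist. The allowlist (209.18.47.61, 209.18.47.62 and 4.2.2.1 as the resolvers this machine is expected to use) is an assumption for the example; the thread does not say which of the four addresses belong to the ISP. The sample log lines are constructed from the two logs in this thread, and the regular expressions assume the log layouts shown here.

```python
import ipaddress
import re

# Constructed sample input: one O17 line and one O23 line in the shape of the
# HijackThis log in this thread, and the Registry Data Item line in the shape
# of the Malwarebytes log. Values are copied from the thread; the layout
# assumptions (O17 form, "-> Data: ... ->" form) are mine.
HIJACKTHIS_LINES = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{4835DB3C-4B48-4B23-8734-3206634C22CB}: NameServer = 193.104.110.38,4.2.2.1,209.18.47.61 209.18.47.62",
    r"O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe",
]
MBAM_LINES = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4835db3c-4b48-4b23-8734-3206634c22cb}\NameServer (Trojan.DNSChanger) -> Data: 193.104.110.38,4.2.2.1,209.18.47.61 209.18.47.62 -> Quarantined and deleted successfully.",
]

# Assumption: the resolvers the owner would expect on this machine. The thread
# does not identify the ISP's servers; these three are treated as known
# purely for the example.
EXPECTED_RESOLVERS = {"209.18.47.61", "209.18.47.62", "4.2.2.1"}

O17_RE = re.compile(
    r"^O17 - .*?\{(?P<guid>[0-9A-Fa-f-]+)\}: NameServer = (?P<servers>.+)$")
MBAM_RE = re.compile(
    r"Interfaces\\\{(?P<guid>[0-9A-Fa-f-]+)\}\\NameServer .*?-> Data: (?P<servers>.+?) ->")


def split_servers(field):
    """Split a NameServer registry string into IP address strings.

    Windows separates entries with commas, but the value on this machine mixes
    a comma and a space, so split on either and drop anything that is not an
    IP literal.
    """
    servers = []
    for token in re.split(r"[,\s]+", field.strip()):
        try:
            servers.append(str(ipaddress.ip_address(token)))
        except ValueError:
            continue  # empty token or not an address
    return servers


def nameservers_from_logs(hjt_lines, mbam_lines):
    """Return {interface_guid: set(resolvers)} seen in either log."""
    found = {}
    for line in hjt_lines:
        m = O17_RE.match(line)
        if m:
            found.setdefault(m["guid"].lower(), set()).update(split_servers(m["servers"]))
    for line in mbam_lines:
        m = MBAM_RE.search(line)
        if m:
            found.setdefault(m["guid"].lower(), set()).update(split_servers(m["servers"]))
    return found


def suspicious_resolvers(found, expected=EXPECTED_RESOLVERS):
    """Per interface, the resolvers that are not on the expected list."""
    report = {}
    for guid, servers in found.items():
        unexpected = sorted(s for s in servers if s not in expected)
        if unexpected:
            report[guid] = unexpected
    return report


def remediated_interfaces(mbam_lines):
    """Interface GUIDs whose NameServer value Malwarebytes reports as removed."""
    return {
        m["guid"].lower()
        for line in mbam_lines
        if "Quarantined and deleted successfully" in line
        for m in [MBAM_RE.search(line)]
        if m
    }


if __name__ == "__main__":
    found = nameservers_from_logs(HIJACKTHIS_LINES, MBAM_LINES)
    for guid, bad in suspicious_resolvers(found).items():
        print(f"interface {{{guid}}}: unexpected resolver(s) {', '.join(bad)}")
    for guid in remediated_interfaces(MBAM_LINES):
        print(f"interface {{{guid}}}: NameServer value removed by Malwarebytes; "
              "confirm the interface now gets DNS from DHCP")
```

Run it against a saved HijackThis log and the Malwarebytes log; the interface GUID ties the O17 line to the registry key Malwarebytes reported. Because Malwarebytes reports the value as deleted rather than reset, a fresh HijackThis log after cleanup should carry no O17 line for that interface at all, and the same check should come back empty.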

#9 minmaz (Topic Starter)

Posted 28 January 2010 - 10:58 PM

ESET log...note that I was unable to choose Scan Unwanted Applications as that was not an option...

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=6be705a831001a428a1a224d09f59418
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-01-29 03:44:25
# local_time=2010-01-28 10:44:25 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=256 16777215 100 0 37511756 37511756 0 0
# compatibility_mode=512 16777215 100 0 1416387 1416387 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=114287
# found=1
# cleaned=1
# scan_time=4264
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt Win32/TrojanDownloader.FakeAlert.AED virus (deleted - quarantined) 00000000000000000000000000000000 C


#10 minmaz (Topic Starter)

Posted 28 January 2010 - 11:29 PM

As far as how my computer is doing, still infected for sure. I ran a counterspy quick scan and came up with the same trojan...Backdoor.Bifrost (see attached screen shot). In addition, I constantly have my computer requesting windows updates. I am pretty certain this is a virus and don't want to download anything that might further mess up my system. Is there any way to check to see if these updates are ok? Thanks!

Sue


#11 minmaz (Topic Starter)

Posted 28 January 2010 - 11:32 PM

Last post...here are the CounterSpy details on the virus...shows the registry key...


#12 fenzodahl512

Posted 29 January 2010 - 05:44 AM

That's a legitimate Registry Key.. Let's do a search for it..

Please download SystemLook from jpshortstuff and save it to your Desktop
  • Double-click SystemLook and copy/paste the following into the box:

        :regfind
        wget

  • Hit the Look button. Let it finish the scan.
  • A log will then pop up on your Desktop.. Post the content of the log here in your next reply.



#13 minmaz (Topic Starter)

Posted 29 January 2010 - 08:07 AM

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 08:07 on 29/01/2010 by Sue M (Administrator - Elevation successful)

========== regfind ==========

Searching for "wget"
No data found.

-=End Of File=-

#14 fenzodahl512

Posted 29 January 2010 - 09:10 AM

Hmm.. run your CounterSpy again.. Does it still detect any similar infection?



#15 minmaz (Topic Starter)

Posted 01 February 2010 - 10:04 PM

No infections...I was waiting to see if anything else popped up. When you had last responded, I went ahead and did research on the windows updates. There were over 44 updates that I needed to download. I assume this may have happened after I was first infected with the winupdate virus? At any rate, things look like they're better. Let me know if you think I should run anything else and thank you for your help!

Sue



