
Fake virus scan, and security tool, svchosts high % in tsk mngr, browser redirecting


This topic is locked
19 replies to this topic

#1 Scyance


Posted 04 March 2010 - 10:51 PM

The first issue I had when coming here was with a fake antivirus scan.. I used Malwarebytes and it seemed to solve the issue.. boopme was helping me with this, he had me run SUPERAntiSpyware, and ESET. The super scan completed, quarantined and removed a few things. Then I was instructed to run ESET.. I tried running it.. and it didn't want to. So I ran in safe mode with networking, and wasn't able to complete.. the program stopped and I started seeing lots of errors. I was able to log off, and rebooted in safe mode.. I then got the Security Tool virus.. which I also seemed to have removed/fixed with Malwarebytes.. I was told ESET may have broken thru something and it would be safer to post the logs and get some deeper help.. the fake scans seemed to have stopped but I still saw some browser redirects, and also 1 svchost.exe increasing in mem usage, and using a high % of CPU.. a couple of other notes.. when we bought the computer it came with Norton ?, but it stopped working correctly some time ago.. tho I still see some processes for it in Task Manager? and errors when I start the computer, at log in.. something about navapsvc?.. can't remember exactly, not sure if that's normal? and also after I logged in a Norton AntiVirus Auto-Protect service encountered a problem and needed to close.. so.. I'm not really sure what's up with the computer now.. boopme suggested I do the logs, and you can help get me fixed up. I did run the DDS and got the logs, that I will post.. but the GMER scan didn't complete.. It was scanning, then my computer rebooted?

Here are the initial posts and what I went thru, if you want to check it out..> http://www.bleepingcomputer.com/forums/t/298159/avexe-virus-fake-virus-scan-keeps-popping-up/

Here is my DDS log file.. and the attach txt should be attached. Thanks for any help


DDS (Ver_09-12-01.01) - NTFSx86
Run by HP_Administrator at 19:14:30.51 on Thu 03/04/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.425 [GMT -8:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\M-Audio Fast Track\GBInst.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\MsPMSPSv.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uInternet Settings,ProxyOverride =
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.1.1119.1736\swg.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRunOnce: [RunNarrator] Narrator.exe
mExplorerRun: [dsa7z] c:\windows\system32\N0TEB00K.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: straighttripping.com\www
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} - hxxp://streamplug.com/StreamPlug/SP.cab
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxps://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6741FA2E-5E72-11D9-B8D3-A78832C1C537} - hxxp://www.saliu.com/Generator7.CAB
DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxps://www-307.ibm.com/pc/support/IbmEgath.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\SAVRTPEL.SYS [2005-2-4 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-3-4 186016]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2005-3-4 239264]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2005-3-4 177824]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-12-30 1373480]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton internet security\norton antivirus\NAVAPSVC.EXE [2005-3-24 128112]
S3 ATIXPGAA;ATIXPGAA; [x]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2005-3-4 83616]
S3 I804xrn;I804xrn; [x]
S3 MA763010;M-Audio Fast Track;c:\windows\system32\drivers\MA763010.sys [2007-10-7 30848]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20060330.035\NAVENG.Sys [2006-3-31 77864]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20060330.035\NavEx15.Sys [2006-3-31 750952]
S3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\SAVRT.SYS [2005-2-4 334984]
S3 SAVScan;SAVScan;c:\program files\norton internet security\norton antivirus\SAVSCAN.EXE [2005-2-17 198368]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]

=============== Created Last 30 ================

2010-03-03 03:36:11 0 d-----w- c:\program files\ESET
2010-03-01 02:31:26 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-03-01 02:31:17 0 d-----w- c:\program files\SUPERAntiSpyware
2010-03-01 02:31:17 0 d-----w- c:\docume~1\hp_adm~1\applic~1\SUPERAntiSpyware.com
2010-03-01 02:30:11 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-02-23 23:20:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-23 23:20:33 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-23 21:53:05 53320 ----a-w- c:\windows\system32\drivers\MiniIcpt.sys
2010-02-23 21:52:18 51784 ----a-w- c:\windows\system32\drivers\GDTdiIcpt.sys
2010-02-23 21:51:42 27720 ----a-w- c:\windows\system32\drivers\GDBehave.sys
2010-02-23 21:51:20 0 d-----w- c:\docume~1\alluse~1\applic~1\G DATA
2010-02-23 21:50:21 0 d-----w- c:\program files\G Data
2010-02-23 21:50:21 0 d-----w- c:\program files\common files\G DATA
2010-02-23 13:09:57 0 d-----w- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2010-02-23 13:09:47 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-23 13:09:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-23 12:33:37 151 ---ha-w- c:\windows\system32\autorun.inf
2010-02-19 19:44:27 0 d-----w- c:\program files\iZotope
2010-02-19 19:44:27 0 d-----w- c:\program files\common files\iZotope
2010-02-19 19:43:49 0 d-----w- c:\program files\VstPlugins1

==================== Find3M ====================

2010-03-03 06:40:31 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-03 06:40:31 95360 ----a-w- c:\windows\system32\dllcache\atapi.sys
2002-07-27 00:02:06 153088 -c--a-w- c:\program files\UNWISE.EXE

============= FINISH: 19:15:23.50 ===============

Edited by Scyance, 04 March 2010 - 11:23 PM.


#2 m0le (Malware Response Team)

Posted 07 March 2010 - 08:30 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 Scyance (Topic Starter)

Posted 08 March 2010 - 01:47 AM

m0le... I am here..

Thanks in advance.. for the help.


#4 m0le (Malware Response Team)

Posted 08 March 2010 - 02:27 PM

Let's kill the bad processes and attempt to run Combofix.

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • Please post the resulting log in your next reply.

Then

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#5 Scyance (Topic Starter)

Posted 08 March 2010 - 06:07 PM

I ran rkill.. I already had it from boopme, trying to help me, previously.. I then downloaded, and renamed combofix.. and ran that.. I didn't see anything asking me about Microsoft Windows Recovery.. Guess that's okay.. but I did see something about Norton running.. and I can continue at my own risk.. I don't see Norton's icon in my system tray.. I also saw this when I was running ESET, it said it noticed that was there also.. but I don't see anything? Tho I have always noticed.. SymWSC.exe in my Task Manager, and I think that's something to do with it? I could be wrong. Also I sometimes see LUCOMS1.. run momentarily, then it disappears, when I first log in, within Task Manager, and I think I've read this is also something to do with Norton? Again, all this I'm not sure, I'm just trying to give all the info I can.. Okay.. continue on.

Combofix said it saw Norton, and to run at my own risk.. I continued.. I couldn't do anything else? at that point..

It started scanning.. and a couple of minutes after said something about rootkit activity and the computer had to restart.. and not to manually close it, let combofix do it.. so I did..

After reboot.. my log in pops up.. *which is normal*. and also every time I also see a Navapsvc.exe application error.. I close the error.. and hit log in..

After log in.. the Combofix starts scanning again.. and this time I see.. completed stages appearing.. after 50, I see some mention of deleting files, and then it reboots..

After rebooting again I see log in.. and again the navapsvc.exe application error.. which has been normal for this computer for a while.. I close the error, and log in..

Combofix is up and says.. preparing log report.. don't run programs, until finished.. so I wait..
I then see.. NOTEBOOK.EXE encountered a problem and needs to close.. *which is another process I've suspected as something funny, running in my Task Manager at start up* so maybe this is all good??? I'm kinda scared to interrupt combofix, so I wait a while, then go ahead and close the Notebook error.. seems to not affect Combofix. After a couple more minutes.. the log pops up....

I go to Internet Explorer, to type ALL THIS.. and after I double click on the icon, I get a message.. about Internet Explorer not being my default browser, and do I want to change that.. I just clicked no.. not knowing what I should do.. and didn't want to change anything.. tho Internet Explorer is the browser I've always used.. So that was different?

Here's the logs.. rkill's.. and Combofix *not sure if you wanted me to attach it? so I pasted it in*..


This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as HP_Administrator on 03/08/2010 at 13:53:48.


Processes terminated by Rkill or while it was running:


C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Documents and Settings\HP_Administrator\Desktop\stevez beatzz!!\rkill.com


Rkill completed on 03/08/2010 at 13:53:51.


Combofix log:


ComboFix 10-03-08.01 - HP_Administrator 03/08/2010 14:05:41.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.666 [GMT -8:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComFix.exe
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\AutoRun.inf
c:\windows\system32\lo.dll
c:\windows\system32\msvcsv60.dll
c:\windows\system32\ps2.bat
D:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-02-08 to 2010-03-08 )))))))))))))))))))))))))))))))
.

2010-03-03 03:36 . 2010-03-03 03:36 -------- d-----w- c:\program files\ESET
2010-03-01 02:31 . 2010-03-01 02:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-01 02:31 . 2010-03-01 02:31 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-01 02:31 . 2010-03-01 02:31 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2010-03-01 02:30 . 2010-03-01 02:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-28 11:29 . 2010-02-28 11:29 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-02-24 04:32 . 2010-02-24 04:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-02-24 04:32 . 2010-02-24 04:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Scansoft
2010-02-24 04:32 . 2010-02-28 03:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\WTablet
2010-02-23 23:20 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-23 23:20 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-23 21:53 . 2010-02-23 21:53 53320 ----a-w- c:\windows\system32\drivers\MiniIcpt.sys
2010-02-23 21:52 . 2010-02-23 21:52 51784 ----a-w- c:\windows\system32\drivers\GDTdiIcpt.sys
2010-02-23 21:51 . 2010-02-23 21:51 27720 ----a-w- c:\windows\system32\drivers\GDBehave.sys
2010-02-23 21:51 . 2010-02-23 22:56 -------- d-----w- c:\documents and settings\All Users\Application Data\G DATA
2010-02-23 21:50 . 2010-02-23 22:57 -------- d-----w- c:\program files\G Data
2010-02-23 21:50 . 2010-02-23 22:57 -------- d-----w- c:\program files\Common Files\G DATA
2010-02-23 21:40 . 2010-02-23 21:40 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Downloaded Installations
2010-02-23 21:38 . 2010-02-23 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-02-23 13:09 . 2010-02-23 13:09 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2010-02-23 13:09 . 2010-02-28 01:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-23 13:09 . 2010-02-23 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-19 19:44 . 2010-02-19 19:44 -------- d-----w- c:\program files\iZotope
2010-02-19 19:44 . 2010-02-19 19:44 -------- d-----w- c:\program files\Common Files\iZotope
2010-02-19 19:43 . 2010-02-19 19:46 -------- d-----w- c:\program files\VstPlugins1
2010-02-19 01:30 . 2010-02-25 02:06 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\pajsso

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-08 22:20 . 2008-12-31 03:40 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\WTablet
2010-03-08 22:20 . 2009-01-03 03:12 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2010-03-03 06:40 . 2004-08-10 19:00 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-03 03:56 . 2010-03-03 03:56 24 ----a-w- c:\documents and settings\NetworkService\Application Data\glchvt.dat
2010-03-01 02:49 . 2010-03-01 02:31 117760 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-01 02:31 . 2010-03-01 02:31 52224 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-01 02:31 . 2010-03-01 02:31 65024 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
2010-03-01 02:31 . 2010-03-01 02:31 5120 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
2010-03-01 02:31 . 2010-03-01 02:31 18944 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
2010-02-28 05:02 . 2009-11-14 08:44 16 ----a-w- c:\windows\msocreg32.dat
2002-07-27 00:02 . 2006-02-27 03:53 153088 -c--a-w- c:\program files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-08-09 12:53 . 2005-05-11 00:50 253952 c:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe

2007-03-01 23:11 . 2007-03-01 23:11 43008 c:\program files\BitTorrent\bak\bittorrent.exe

2005-08-09 12:46 . 2005-08-09 12:46 180269 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2003-05-02 01:44 . 2003-05-02 01:44 65536 c:\program files\Common Files\Roxio Shared\System\bak\EngUtil.exe

2005-03-04 16:40 . 2006-02-27 20:31 49824 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe

2005-02-26 05:34 . 2005-02-26 05:34 245760 c:\program files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe

2005-06-02 06:35 . 2005-06-02 06:35 49152 c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe

2005-05-12 13:12 . 2005-05-12 13:12 49152 c:\program files\HP\HP Software Update\bak\HPwuSchd2.exe

2005-08-09 12:18 . 2005-08-09 12:18 36972 c:\program files\Java\jre1.5.0\bin\bak\jusched.exe

2004-08-04 23:06 . 2004-10-13 23:24 1694208 c:\program files\Messenger\bak\msmsgs.exe

2005-03-30 00:03 . 2005-03-30 00:03 22656 c:\program files\Norton Internet Security\bak\UrlLstCk.exe

2006-02-27 03:53 . 2004-04-23 19:00 192512 c:\program files\Pinnacle\Shared Files\Programs\USBTip\bak\USBTip.exe

2005-08-09 13:00 . 2006-12-14 23:55 282624 c:\program files\QuickTime\bak\qttask.exe
2008-11-04 18:30 . 2008-11-04 18:30 413696 c:\program files\QuickTime\QTTask.exe

2003-05-23 01:36 . 2003-05-23 01:36 319488 c:\program files\Roxio\Easy CD Creator 6\AudioCentral\bak\RxMon.exe

2003-05-30 07:21 . 2003-05-30 07:21 868352 c:\program files\Roxio\Easy CD Creator 6\DragToDisc\bak\DrgToDsc.exe

2006-01-31 01:25 . 2006-01-31 01:25 100056 c:\program files\SymNetDrv\bak\SNDMon.exe

2004-08-11 02:04 . 2004-08-11 02:04 59392 c:\windows\ehome\bak\ehtray.exe
2004-08-11 02:04 . 2004-08-11 02:04 59392 c:\windows\ehome\ehtray.exe

2004-08-10 19:00 . 2004-08-10 19:00 15360 c:\windows\system32\bak\ctfmon.exe
2004-08-10 19:00 . 2004-08-10 19:00 15360 c:\windows\system32\ctfmon.exe

2005-08-09 12:43 . 2004-10-25 22:17 90112 c:\windows\system32\bak\ps2.exe

2006-02-27 03:44 . 2004-03-11 00:26 406016 c:\windows\system32\bak\PSDrvCheck.exe

2006-02-28 03:20 . 2005-05-10 04:00 98304 c:\windows\system32\spool\drivers\w32x86\3\bak\E_FATIALA.EXE

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-10 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"dsa7z"="c:\windows\system32\N0TEB00K.EXE" [2008-01-05 12288]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"Midi1"=usbmn1x1.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2007-04-04 01:50 1603152 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2007-05-15 01:01 644696 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-10 19:00 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2004-08-11 02:04 59392 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-11-20 21:20 290088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2007-02-04 20:02 79400 ----a-w- c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-11-04 18:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryBot]
c:\program files\RegistryBot\RegistryBot.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 17:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB2Check]
2004-08-12 21:20 65536 ----a-w- c:\windows\system32\PCLECoInst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]
2006-09-20 16:35 20480 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
dcommmc REG_SZ c:\windows\system32\mstsstrA.dll
dosxhone REG_SZ c:\windows\system32\bootysvr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [12/30/2008 7:39 PM 1373480]
S3 ATIXPGAA;ATIXPGAA; [x]
S3 I804xrn;I804xrn; [x]
S3 MA763010;M-Audio Fast Track;c:\windows\system32\drivers\MA763010.sys [10/7/2007 6:17 PM 30848]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
.
Contents of the 'Scheduled Tasks' folder

2010-03-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2009-02-27 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2005-05-24 23:46]

2010-03-06 c:\windows\Tasks\Norton AntiVirus - Scan my computer - HP_Administrator.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-03-24 22:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
Trusted Zone: straighttripping.com\www
DPF: {6741FA2E-5E72-11D9-B8D3-A78832C1C537} - hxxp://www.saliu.com/Generator7.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-08 14:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(472)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(304)
c:\windows\system32\shdoclc.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\M-Audio Fast Track\GBInst.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
.
**************************************************************************
.
Completion time: 2010-03-08 14:30:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-08 22:30

Pre-Run: 6,034,034,688 bytes free
Post-Run: 21,154,664,448 bytes free

- - End Of File - - FD3FBD7CD54B77D6C4F8E7899ACEB0C5
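
The registry sections of that ComboFix log (the AppCertDlls entries, the Security Center overrides, the firewall policy, the Trusted Zone line) are the parts a responder reads first. What follows is an added example, not part of this thread and not ComboFix's own code: a small triage script that pulls those entries out of a ComboFix log and lists them by severity. The sample input is a constructed excerpt of the log above; which entries get flagged, and how severely, is the script's own assumption. Flagging the two AppCertDlls DLLs means only that they are not recognised Windows components and need checking, not that the script has decided what they are.

```python
"""Triage the registry sections of a ComboFix log. Added example, not from the
thread above or from ComboFix; which entries it flags, and how severely, is
this script's own assumption."""
import re
from dataclasses import dataclass

# Constructed sample: an excerpt of the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryBot]
c:\program files\RegistryBot\RegistryBot.exe [N/A]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
dcommmc REG_SZ c:\windows\system32\mstsstrA.dll
dosxhone REG_SZ c:\windows\system32\bootysvr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

Trusted Zone: straighttripping.com\www
DPF: {6741FA2E-5E72-11D9-B8D3-A78832C1C537} - hxxp://www.saliu.com/Generator7.CAB
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')
POLICY_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>\d+)\s*\(0x[0-9a-fA-F]+\)$')
APPCERT_RE = re.compile(r"^(?P<name>\S+)\s+REG_SZ\s+(?P<path>.+)$")
SEVERITY = {"high": 0, "medium": 1, "low": 2, "info": 3}


@dataclass(frozen=True)
class Finding:
    severity: str
    category: str
    detail: str


def parse_sections(text):
    """Split the log into (key, [lines]) blocks. A [KEY] header opens a block and
    a blank line closes it; loose lines such as 'Trusted Zone:' come back under "".
    """
    sections, key, lines = [], "", []
    for raw in text.splitlines():
        line = raw.strip()
        header = KEY_RE.match(line)
        if header or not line:
            if lines:
                sections.append((key, lines))
            key, lines = (header.group("key") if header else ""), []
        else:
            lines.append(line)
    if lines:
        sections.append((key, lines))
    return sections


def triage(text):
    """Return Findings sorted highest severity first."""
    found = []
    for key, lines in parse_sections(text):
        k = key.lower()
        if k.endswith("\\appcertdlls"):
            # Every DLL listed here is loaded into each process that calls
            # CreateProcess: a persistence location, so unknown names rate high.
            for m in filter(None, map(APPCERT_RE.match, lines)):
                found.append(Finding("high", "AppCertDlls",
                                     f"{m['name']} -> {m['path']} (verify the DLL is known and signed)"))
        elif k.endswith("\\security center") or "\\security center\\monitoring\\" in k:
            # Override / DisableMonitoring = 1 silences Security Center for that component.
            for m in filter(None, map(DWORD_RE.match, lines)):
                if int(m["val"], 16) == 1 and m["name"] in ("AntiVirusOverride", "FirewallOverride", "DisableMonitoring"):
                    found.append(Finding("medium", "SecurityCenter", f"{m['name']}=1 under {key}"))
        elif k.endswith("\\firewallpolicy\\standardprofile"):
            for m in filter(None, map(POLICY_RE.match, lines)):
                if m["name"] == "DisableNotifications" and int(m["val"]) == 1:
                    found.append(Finding("medium", "Firewall", "Windows Firewall notifications are disabled"))
        elif "\\msconfig\\startupreg\\" in k:
            # [N/A]: an msconfig-disabled autostart whose target file no longer exists.
            for line in (l for l in lines if l.endswith("[N/A]")):
                found.append(Finding("low", "Startup", f"{key.rsplit(chr(92), 1)[-1]}: missing {line[:-5].strip()}"))
        elif key == "":
            for line in lines:
                if line.startswith("Trusted Zone:"):
                    found.append(Finding("medium", "IEZone", f"{line[13:].strip()} is in the IE Trusted sites zone"))
                elif line.startswith("DPF:"):
                    found.append(Finding("info", "ActiveX", line[4:].strip()))
    return sorted(found, key=lambda f: SEVERITY[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.category}: {f.detail}")
```

Run it as-is to see the ordering on the sample, or pass the text of a full ComboFix log to `triage()`; sections the script has no rule for are simply ignored, so it is safe to feed it the whole file.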

#6 Scyance

Scyance
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:01:21 AM

Posted 08 March 2010 - 06:08 PM

Oops, I must have hit the submit button twice? I couldn't find the delete post option. Sorry about that.

Edited by Scyance, 08 March 2010 - 06:21 PM.


#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:07:21 AM

Posted 08 March 2010 - 08:49 PM

There's no delete button. Don't worry about it.

Combofix has dealt with the main infection so we can now go looking for the little guys. :)

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

Posted Image
m0le is a proud member of UNITE

#8 Scyance


Posted 09 March 2010 - 03:29 AM

I have tried running ESET before and had problems; not sure if you saw that in my post, but to recap real quickly: I tried running it, as suggested by boopme, and it didn't seem to run correctly. I saw it go from step 2, updating (where nothing moved), to suddenly looking like it had immediately updated, and it switched to step 4, saying the scan was finished, but all files scanned, infected, time it took to run, etc. were all 0s, so I didn't think that was right.
I then tried to run ESET in safe mode with networking. This time I could see the updating in step 2, and it even started to scan my files in step 4. That's when I ran into some problems: it closed abruptly, and I started seeing lots of explorer.exe errors. I rebooted in normal mode to see the damage, and sure enough I was now getting the fake Security Tool scan, which I looked up on your site how to fix, by running rkill, malwarebytes, even switching the hosts file. That was when boopme told me that we may have broken through something, and to now post my log over here to get some help before messing up my computer more. This was before...

I just attempted to run ESET right now, thinking it may be better this time, and it gets stuck on step 2, updating. It shows like 50% and says something to the effect that it sees I've run it recently and will only download the files needed. Then I get an error saying it can't update, is proxy configured? So, not sure what you want me to do at this point. I was thinking I could try running it in safe mode, but didn't want to do anything to mess things up more before you say it's okay, so I'll let you tell me what's next. :)

Also, our power just turned off, and when the computer came up again I noticed a new? Internet Explorer icon on my desktop. Not sure if this is normal, as the one I had used was a shortcut one, so maybe that's normal after the other steps we took. Anyways, that's about it. Thanks again for the help, m0le. :) Will be waiting for your new instructions. Thanks.


#9 m0le


Posted 09 March 2010 - 05:22 PM

Combofix will set some defaults, one of which is the new IE icon. Don't worry about that.

I asked you to try ESET because I thought it would have improved since the Combofix run...

Let's try another online scanner to see if we get the same problems. Run this with IE.

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.


#10 Scyance


Posted 09 March 2010 - 08:30 PM

Yeah, I was hoping that ESET scan would go well this time; at least it said it wasn't going to scan, instead of "pretending" like it did. How come I'm able to update and run these in safe mode, and not regular mode? Could it be something with Norton's? It's just funny how it always sees it there. I don't see any little icon in the bottom right. I dunno, I could be way off, just some thoughts. :) I ran BitDefender and it did seem to find some things. I've uploaded it, as it's an html file. Thanks again m0le for all your help. :)

Attached Files



#11 m0le


Posted 09 March 2010 - 08:40 PM

ESET seems to be conflicting with just about every other antivirus program at the moment.

The good news is the old faithful BitDefender has completed a good run. There are Java cache and System Restore infections which are dead unless reactivated, there are a few keygens, and it also removed everything it recognised from Qoobox, Combofix's quarantine.

So, the logs are looking good. How is the PC doing?

#12 Scyance


Posted 11 March 2010 - 03:56 AM

I haven't been using it too much, and have been keeping it offline, since I would see my svchost's mem usage increase higher and higher, and also use up a lot of CPU the more time I was online (fearing it would somehow get worse). So yesterday I let it be online and just watched the task manager for a while, and it was looking pretty good. I didn't see the svchost increase anymore, and I also don't see NOTEBOOK.EXE anymore in there, which I was suspicious of. I remember seeing a mention of that in BitDefender, so it looks like that fixed it. I also did a few searches in Yahoo and it doesn't seem to be redirecting my links, so that's also good. :) The only things that I see now are (I think) associated with Norton's: 1 error at login, 1 right after login, and I see aupdate, lucoms1, and lucallbackproxy.exe pop up now and then in task manager. I think that's normal with Norton's trying to update? Even though, like I said, I don't actually see any Norton's icon. So I was wondering what you thought of me uninstalling Norton's? Is that recommended? Or would it be difficult to do, even possibly making things worse? I'd rather deal with a couple of errors than my computer breaking down. HA ;) Thanks for the help m0le. I'm going to use it a little more and make sure nothing pops up. :)

Edited by Scyance, 11 March 2010 - 03:58 AM.


#13 m0le


Posted 11 March 2010 - 05:49 PM

If you want to uninstall Norton it can be done using their uninstaller.

First remove the Norton components through the Add/Remove facility.

Then download the Norton uninstaller from here

Most times that should be enough. Come back to me if there's any problems and we'll manually remove anything that's left.

Make sure that you choose a recommended replacement antivirus and antispyware to replace it.

#14 Scyance


Posted 11 March 2010 - 08:05 PM

Alright, so I uninstalled Norton's: no more errors at login or after, and no more of its processes running in task manager. Out of curiosity, I wanted to see if malwarebytes would now update, and it WAS able to, so that did seem to be the problem. I didn't scan again, just updated.

Now :) a couple of questions :)

What happens to files that are quarantined if a program like Norton's is removed? Not sure if it was quarantining anything, just curious. Should I be okay, or should I try to rescan my system with something to make sure?

Also, what are some antivirus and antispyware recommendations? I have malwarebytes and superantispyware (both free versions, from you guys helping me) but I think I need a replacement for Norton's, right? Something that would be running in the background protecting me all the time?

In your other post you said "There are Java cache and system restore infections which are dead unless reactivated"...
How might they be reactivated, so I can make sure to avoid that? ;)




#15 m0le


Posted 11 March 2010 - 08:35 PM

QUOTE(Scyance @ Mar 12 2010, 01:05 AM)
What happens to files that are quarantined if a program like Norton's is removed? Not sure if it was quarantining anything, just curious. Should I be okay, or should I try to rescan my system with something to make sure?


Quarantined files are destroyed when the antivirus is uninstalled. You don't need to check your system.


QUOTE(Scyance @ Mar 12 2010, 01:05 AM)
Also, what are some antivirus and antispyware recommendations? I have malwarebytes and superantispyware (both free versions, from you guys helping me) but I think I need a replacement for Norton's, right? Something that would be running in the background protecting me all the time?


Yes, you need to replace Norton. I use Avast, Bleeping Computer also recommend Antivir - two good free programs. If you like to pay for your protection then any large company antivirus is of good quality (McAfee, Kaspersky, NOD32). The link below gives you all the recommended options available to you. MBAM should not be taken as a program like Superantispyware as only the paid-for version runs in realtime. SAS is a good product so hold on to that but use MBAM as a seek and destroy if you suspect infection.

QUOTE(Scyance @ Mar 12 2010, 01:05 AM)
In your other post you said "There are Java cache and system restore infections which are dead unless reactivated"...
How might they be reactivated, so I can make sure to avoid that? ;)


Ah, those are the final instructions. After this has been carried out any reinfection possibility will have been removed. Both the Java cache and System Restore can be invoked by using System Restore. If you try to use this to disinfect the PC you could just be setting it back to the original infection state. The malware makes sure it digs into these useful caches. The next instructions will flush the Java cache and set a new System Restore point and remove all others.


Here we go then...

To Clear the Java Runtime Environment (JRE) cache, do this:
  • Click Start > Settings > Control Panel.
  • Double-click the Java icon.
    -The Java Control Panel appears.
  • Click "Settings" under Temporary Internet Files.
    -The Temporary Files Settings dialog box appears.
  • Click "Delete Files".
    -The Delete Temporary Files dialog box appears.
    -There are three options on this window to clear the cache.
    • Delete Files
    • View Applications
    • View Applets
  • Click "OK" on Delete Temporary Files window.
    -Note: This deletes all the Downloaded Applications and Applets from the cache.
  • Click "OK" on Temporary Files Settings window.
  • Close the Java Control Panel.
You can also view these instructions along with screenshots here.


Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Update your AntiVirus Software

It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it Scyance, happy surfing!

Cheers.

m0le





