
Desktop security 2010


  • This topic is locked
13 replies to this topic

#1 MXCanuck

MXCanuck

  • Members
  • 7 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver, BC
  • Local time:04:32 PM

Posted 16 March 2010 - 04:50 PM

Hi Guys,
This is my first post here & I'm hoping someone can help me.
I've got problems with my computer & I think it is the Desktop Security 2010 Virus but I've read virtually every post regarding this virus & I can't get it off my computer??
Here's the symptoms...pop ups from Desktop Security 2010 alerting me to various problems & urging me to take action to download their software. Screen.Grab.J.exe, Sft.dez.Wien, several different very official sounding threats.
So the pop-ups just keep coming & the only way I can get them to stop is I downloaded Rkill & that stops them...until I reboot my computer & then it all begins again.
I've downloaded Malwarebytes...the newest version & set it to update & it appears to be working perfect but after scanning for 40 minutes, doesn't find anything wrong. I've tried scanning before Rkill & just let the pop-ups run....after Rkill once they're shut down, I've searched my computer for any file containing the words Desktop 2010 but nothing...not even in my Registry?
I'm no computer genius....pretend you're talking to a 10yr old :)
I'll post a HJT log & I can also post the Rkill log if you like?
Thank you in advance for any help!! :)
Thanks again,
Marty

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:49:07 PM, on 3/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\program files\common files\microsoft shared\msinfo\msinfo32office.exe
C:\program files\common files\adobe\web\adobewebsystems.exe
C:\program files\common files\adobe\web\adobewebsystems.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\program files\microsoft office\powerpoint viewer\intldatewindows.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\program files\common files\microsoft shared\msinfo\msinfo32office.exe
C:\program files\canon\zoombrowser ex\program\toolkitsupport.exe
C:\WINDOWS\system32\hkcmd.exe
C:\program files\microsoft office\powerpoint viewer\intldatewindows.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
c:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Martin McKenzie\My Documents\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.shaw.ca/start/enCA/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.shaw.ca/start/enCA/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca/start/enCA/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Shaw Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: LitmusBHO - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - (no file)
O4 - HKLM\..\Run: [WKVO] C:\DOCUME~1\MARTIN~1\LOCALS~1\Temp\WKVO.exe
O4 - HKLM\..\Run: [Windowssystem] c:\program files\common files\microsoft shared\msinfo\msinfo32office.exe
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [SystemsAdobeWeb] C:\program files\common files\adobe\web\adobewebsystems.exe
O4 - HKLM\..\Run: [SystemsAdobe] c:\program files\common files\adobe\web\adobewebsystems.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [shawnotify] c:\progra~1\shaw\update\siuloader.exe /notify
O4 - HKLM\..\Run: [saextMicrosoft] C:\program files\microsoft office\powerpoint viewer\intldatewindows.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [msinfo32OInfo1212.0.4518.1014] C:\program files\common files\microsoft shared\msinfo\msinfo32office.exe
O4 - HKLM\..\Run: [MLibComon] c:\program files\canon\zoombrowser ex\program\toolkitsupport.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HelpMicrosoft] c:\program files\common files\microsoft shared\help\1046\microsofthxdsui2.05.50727.210.exe
O4 - HKLM\..\Run: [gdiplusintldate11.0.8161] c:\program files\microsoft office\powerpoint viewer\intldatewindows.exe
O4 - HKLM\..\RunServices: [WKVO] C:\DOCUME~1\MARTIN~1\LOCALS~1\Temp\WKVO.exe
O4 - HKLM\..\RunServices: [offfiltxsystem] c:\program files\common files\microsoft shared\filters\messageifilter.exe
O4 - HKLM\..\RunServices: [OInfo12OInfoS125.1.2600.0] C:\program files\common files\microsoft shared\msinfo\msinfo32office.exe
O4 - HKLM\..\RunServices: [SystemsAdobe] C:\program files\common files\adobe\web\adobewebsystems.exe
O4 - HKLM\..\RunServices: [Operatingintldate] C:\program files\microsoft office\powerpoint viewer\intldatewindows.exe
O4 - HKLM\..\RunServices: [LibraryLibrary] c:\program files\canon\zoombrowser ex\program\toolkitsupport.exe
O4 - HKLM\..\RunServices: [MicrosoftHelp] c:\program files\common files\microsoft shared\help\1046\microsofthxdsui2.05.50727.210.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [lnoemauwuv8p] C:\Documents and Settings\Martin McKenzie\Local Settings\temp\m.25B.tmp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 9041 bytes
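The O4 section of a HijackThis log like the one above is where a malware-response analyst looks first, and the three things that stand out here are mechanical enough to script: an executable launched from a Temp directory, use of the legacy RunServices key, and one binary registered under several different Run names. The Python below is an added example (not part of the original post, and not code from HijackThis or BleepingComputer) that parses O4 lines in that format and reports those patterns; the sample lines are constructed in the log's format and modelled on entries above, with the user folder replaced by a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis O4 format (modelled on the log above;
# the user profile folder is a placeholder, not the real one).
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [WKVO] C:\DOCUME~1\USER~1\LOCALS~1\Temp\WKVO.exe
O4 - HKLM\..\Run: [SystemsAdobeWeb] C:\program files\common files\adobe\web\adobewebsystems.exe
O4 - HKLM\..\Run: [SystemsAdobe] c:\program files\common files\adobe\web\adobewebsystems.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\RunServices: [WKVO] C:\DOCUME~1\USER~1\LOCALS~1\Temp\WKVO.exe
O4 - HKCU\..\Run: [lnoemauwuv8p] C:\Documents and Settings\User\Local Settings\temp\m.25B.tmp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
"""

# Registry-style O4 line: "O4 - HKLM\..\Run: [Name] command"
O4_REG_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)
# Executable path at the start of the command, with or without surrounding quotes;
# anything after the first ".exe" is treated as arguments.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)', re.IGNORECASE)


def parse_o4(text):
    """Yield (hive, key, name, normalized_path) for each registry-style O4 line.

    Startup-folder O4 lines ("O4 - Startup:" / "O4 - Global Startup:") are skipped.
    """
    for line in text.splitlines():
        m = O4_REG_RE.match(line.strip())
        if not m:
            continue
        exe = EXE_RE.match(m.group('cmd'))
        if not exe:
            continue
        yield m.group('hive'), m.group('key'), m.group('name'), exe.group('path').lower()


def triage_o4(text):
    """Return a list of flagged autostart entries with the reasons each was flagged."""
    entries = list(parse_o4(text))

    # Which Run names point at the same binary? One payload registered under
    # several official-sounding names is a common persistence pattern.
    names_by_path = defaultdict(set)
    for _, _, name, path in entries:
        names_by_path[path].add(name)

    findings = []
    for hive, key, name, path in entries:
        reasons = []
        parts = path.split('\\')
        if 'temp' in parts:
            reasons.append('runs from a temporary directory')
        if key.lower().startswith('runservices'):
            reasons.append('uses the legacy RunServices key')
        if len(names_by_path[path]) > 1:
            reasons.append('same binary registered under %d different Run names'
                           % len(names_by_path[path]))
        if reasons:
            findings.append({'hive': hive, 'key': key, 'name': name,
                             'path': path, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage_o4(SAMPLE_O4):
        print('%s\\..\\%s [%s] %s' % (f['hive'], f['key'], f['name'], f['path']))
        for r in f['reasons']:
            print('    - ' + r)
```

Entries such as ctfmon.exe, msseces.exe and jusched.exe are left alone because none of the heuristics fires; the legitimate HP and Logitech entries in the real log would be too. The heuristics are deliberately narrow, so a clean result is not a clean machine, but a hit is worth pulling the file for analysis, which is exactly what the reply below asks for.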



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:01:32 AM

Posted 17 March 2010 - 07:57 AM

Hi,

* Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.

Paste the following bold part into the Suspicious File Packer window:

C:\DOCUME~1\MARTIN~1\LOCALS~1\Temp\WKVO.exe
c:\program files\common files\microsoft shared\filters\messageifilter.exe
C:\program files\common files\microsoft shared\msinfo\msinfo32office.exe
C:\program files\common files\adobe\web\adobewebsystems.exe
C:\program files\microsoft office\powerpoint viewer\intldatewindows.exe
c:\program files\canon\zoombrowser ex\program\toolkitsupport.exe
c:\program files\common files\microsoft shared\help\1046\microsofthxdsui2.05.50727.210.exe
C:\Documents and Settings\Martin McKenzie\Local Settings\temp\m.25B.tmp.exe


Allow SFP to pack the file. This will generate a CAB archive on your desktop.
Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to the second field and browse to the CAB archive that was created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.

Then, * Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.




AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 MXCanuck

MXCanuck
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver, BC
  • Local time:04:32 PM

Posted 17 March 2010 - 11:56 AM

Hi,
Thank you so much for your help!
OK...Things have very much changed overnight...now there's all kinds of new pop-ups on my screen this morning with messages & even automated voices telling me I have a virus!
I clicked Rkill...that fixed them but now I see there's TONS of Desktop Security 2010 files on my computer.
I haven't done anything with them at this point...just followed your instructions & ran into a few problems.
#1 - I downloaded the program you requested & posted the highlighted files but when I sent it I got a message back saying "Query Failed". Then there's a picture of a computer getting hit with a big hammer & it says Bleepingcomputer is working on the site & try back later. Waited an hour...same thing.
#2 - I downloaded Combofix, closed all programs but Combofix claims I have Shaw Secure 9.01 running....it's not in my program files & I haven't run it for a long time...not sure where it could be. I did a search for Shaw & Secure on my computer...nothing...so I continued the Combofix scan.
Here's the results:

ComboFix 10-03-16.05 - Martin McKenzie 03/17/2010 9:41.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.117 [GMT -7:00]
Running from: c:\documents and settings\Martin McKenzie\My Documents\Downloads\ComboFix.exe
AV: Shaw Secure 9.01 *On-access scanning enabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: Shaw Secure 9.01 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}
.

((((((((((((((((((((((((( Files Created from 2010-02-17 to 2010-03-17 )))))))))))))))))))))))))))))))
.

2010-03-17 11:37 . 2010-03-17 11:37 3974144 ----a-w- c:\documents and settings\Martin McKenzie\Application Data\Desktop Security 2010\securityhelper.exe
2010-03-17 11:37 . 2010-03-17 09:56 52736 ----a-w- c:\documents and settings\Martin McKenzie\Application Data\Desktop Security 2010\taskmgr.dll
2010-03-17 11:37 . 2010-03-17 11:37 -------- d-----w- c:\documents and settings\Martin McKenzie\Application Data\Desktop Security 2010
2010-03-17 11:37 . 2010-03-17 09:56 3229696 ----a-w- c:\documents and settings\Martin McKenzie\Application Data\Desktop Security 2010\Desktop Security 2010.exe
2010-03-17 11:37 . 2010-03-17 09:55 223744 ----a-w- c:\documents and settings\Martin McKenzie\Application Data\Desktop Security 2010\securitycenter.exe
2010-03-17 11:37 . 2010-01-21 18:29 86070 ----a-w- c:\documents and settings\Martin McKenzie\Application Data\Desktop Security 2010\pthreadVC2.dll
2010-03-17 11:37 . 2010-01-21 18:29 499712 ----a-w- c:\documents and settings\Martin McKenzie\Application Data\Desktop Security 2010\msvcp71.dll
2010-03-17 11:37 . 2010-01-21 18:29 348160 ----a-w- c:\documents and settings\Martin McKenzie\Application Data\Desktop Security 2010\msvcr71.dll
2010-03-17 11:37 . 2010-01-21 18:29 1060864 ----a-w- c:\documents and settings\Martin McKenzie\Application Data\Desktop Security 2010\mfc71.dll
2010-03-17 11:37 . 2010-01-21 18:29 57344 ----a-w- c:\documents and settings\Martin McKenzie\Application Data\Desktop Security 2010\MFC71ENU.DLL
2010-03-16 18:15 . 2010-03-16 18:15 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-16 18:15 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-16 18:15 . 2010-03-16 18:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-16 18:15 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-16 04:43 . 2010-03-16 04:43 -------- d-----w- c:\program files\TrendMicro
2010-03-16 03:57 . 2010-03-16 03:57 -------- d-----w- c:\program files\CCleaner
2010-03-16 03:31 . 2010-03-16 03:31 -------- d-----w- c:\documents and settings\Martin McKenzie\Application Data\Reg-Tool
2010-03-16 00:14 . 2010-02-24 17:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-16 17:52 . 2010-02-16 17:58 -------- d-----w- c:\documents and settings\Martin McKenzie\Application Data\Vso
2010-02-16 17:52 . 2010-02-16 17:58 47360 ----a-w- c:\documents and settings\Martin McKenzie\Application Data\pcouffin.sys
2010-02-16 17:52 . 2010-02-16 17:52 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-02-16 17:44 . 2010-02-16 17:47 -------- d-----w- c:\documents and settings\Martin McKenzie\Application Data\InfraRecorder
2010-02-16 17:34 . 2004-05-12 01:19 192512 ----a-w- c:\windows\system32\MACDll.dll
2010-02-16 17:34 . 2010-02-16 17:34 -------- d-----w- c:\program files\101 All to CD DVD Burner
2010-02-16 17:34 . 2005-12-01 06:49 161792 ----a-w- c:\windows\system32\lame_enc.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-17 16:26 . 2008-09-26 21:49 256 ----a-w- c:\windows\system32\pool.bin
2010-03-17 16:26 . 2009-02-13 18:37 -------- d-----w- c:\documents and settings\Martin McKenzie\Application Data\LimeWire
2010-03-17 16:15 . 2009-10-19 16:52 -------- d-----w- c:\program files\Panda Security
2010-03-16 21:23 . 2008-12-01 17:07 -------- d-----w- c:\documents and settings\Martin McKenzie\Application Data\ZoomBrowser EX
2010-03-16 21:21 . 2009-02-06 01:44 -------- d-----w- c:\documents and settings\Martin McKenzie\Application Data\CameraWindowDC
2010-03-16 03:47 . 2009-10-19 23:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-16 03:03 . 2009-10-19 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-03-10 11:04 . 2009-08-18 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-09 22:41 . 2008-09-22 17:33 -------- d-----w- c:\program files\FTP Commander
2010-02-16 17:38 . 2009-10-22 22:51 -------- d-----w- c:\program files\SlySoft
2010-01-28 22:28 . 2009-02-13 18:35 -------- d-----w- c:\program files\LimeWire
2010-01-05 10:00 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((( SnapShot_2010-03-16_23.47.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-17 16:23 . 2010-03-17 16:23 16384 c:\windows\temp\Perflib_Perfdata_730.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-13 2000112]
"Desktop Security 2010"="c:\documents and settings\Martin McKenzie\Application Data\Desktop Security 2010\Desktop Security 2010.exe" [2010-03-17 3229696]
"SecurityCenter"="c:\documents and settings\Martin McKenzie\Application Data\Desktop Security 2010\securitycenter.exe" [2010-03-17 223744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windowssystem"="c:\program files\common files\microsoft shared\msinfo\msinfo32office.exe" [2010-03-15 122880]
"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-04-01 155648]
"SystemsAdobeWeb"="c:\program files\common files\adobe\web\adobewebsystems.exe" [2010-03-15 122880]
"SystemsAdobe"="c:\program files\common files\adobe\web\adobewebsystems.exe" [2010-03-15 122880]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]
"saextMicrosoft"="c:\program files\microsoft office\powerpoint viewer\intldatewindows.exe" [2010-03-15 122880]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-03-26 228088]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"msinfo32OInfo1212.0.4518.1014"="c:\program files\common files\microsoft shared\msinfo\msinfo32office.exe" [2010-03-15 122880]
"MLibComon"="c:\program files\canon\zoombrowser ex\program\toolkitsupport.exe" [2010-03-15 122880]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"HelpMicrosoft"="c:\program files\common files\microsoft shared\help\1046\microsofthxdsui2.05.50727.210.exe" [2010-03-15 122880]
"gdiplusintldate11.0.8161"="c:\program files\microsoft office\powerpoint viewer\intldatewindows.exe" [2010-03-15 122880]

c:\documents and settings\Martin McKenzie\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-12-16 503808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-3-28 1283608]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-9-22 813584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-09-21 23:54 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 20:28 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [10/19/2009 1:51 PM 28552]
S0 fsbts;fsbts; [x]
S0 FSFW;F-Secure Firewall Driver; [x]
S0 szkg5;szkg5; [x]
S0 szkgfs;szkgfs; [x]
S1 F-Secure HIPS;F-Secure HIPS Driver; [x]
S1 SASKUTIL;SASKUTIL; [x]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper; [x]
S3 FSORSPClient;F-Secure ORSP Client; [x]
S4 F-Secure Filter;F-Secure File System Filter; [x]
S4 F-Secure Recognizer;F-Secure File System Recognizer; [x]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.ca/
mStart Page = hxxp://start.shaw.ca/start/enCA/
uInternet Settings,ProxyOverride = <local>
FF - ProfilePath - c:\documents and settings\Martin McKenzie\Application Data\Mozilla\Firefox\Profiles\fdvk2nar.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://my.ebay.com/ws/eBayISAPI.dll?MyEbay&gbh=1
FF - component: c:\documents and settings\Martin McKenzie\Application Data\Mozilla\Firefox\Profiles\fdvk2nar.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\documents and settings\Martin McKenzie\My Documents\Downloads\HijackThis.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3052)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-17 09:46:33
ComboFix-quarantined-files.txt 2010-03-17 16:46
ComboFix2.txt 2010-03-16 23:48
ComboFix3.txt 2009-10-19 20:41

Pre-Run: 65,472,598,016 bytes free
Post-Run: 65,450,844,160 bytes free

- - End Of File - - F6D69B11C2DA309231CEA638A9ACA53A
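The "Reg Loading Points" section of the ComboFix log above shows a pattern that is worth automating: seven Run entries with different, official-sounding names all carry the same date and size stamp, [2010-03-15 122880], which is how a single dropper copied under many paths looks in this output. The Python below is an added example (not part of the original post, and not code from ComboFix or BleepingComputer) that parses entries in that format and groups them by (date, size); a group that spans more than one distinct path is reported as a cluster. This differs from matching on the path alone: it catches copies that live in different folders under different file names. The sample section is constructed in ComboFix's format with illustrative names and paths.

```python
import re
from collections import defaultdict

# Constructed sample in the format of ComboFix's "Reg Loading Points" section.
# Vendor folders and file names are illustrative, not taken from a real machine.
SAMPLE_LOADING_POINTS = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="c:\program files\example\tray.exe" [2009-10-13 2000112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windowssystem"="c:\program files\common files\vendor a\sysinfo.exe" [2010-03-15 122880]
"UpdateSched"="c:\program files\vendor b\bin\updater.exe" [2009-07-25 149280]
"SystemsVendorWeb"="c:\program files\common files\vendor c\web\websystems.exe" [2010-03-15 122880]
"SystemsVendor"="c:\program files\common files\vendor c\web\websystems.exe" [2010-03-15 122880]
"HelpVendor"="c:\program files\common files\vendor d\help\helpui.exe" [2010-03-15 122880]
"HotKeys"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Example Manager.lnk - c:\program files\example\manager.exe [2007-3-28 1283608]
"""

# A registry key header such as [HKEY_LOCAL_MACHINE\...\Run]
KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
# A value line: "Name"="path" [YYYY-MM-DD size]
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$'
)


def parse_loading_points(text):
    """Return (key, name, normalized_path, date, size) tuples for each Run value.

    Startup-folder .lnk lines use a different layout and are not matched here.
    """
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group('key')
            continue
        em = ENTRY_RE.match(line)
        if em and key:
            entries.append((key, em.group('name'), em.group('path').lower(),
                            em.group('date'), int(em.group('size'))))
    return entries


def suspicious_clusters(text, min_paths=2):
    """Group Run values by (date, size) and return the groups spanning >= min_paths distinct paths.

    Result maps (date, size) -> sorted list of (key, name, path).
    """
    groups = defaultdict(list)
    for key, name, path, date, size in parse_loading_points(text):
        groups[(date, size)].append((key, name, path))

    clusters = {}
    for stamp, members in groups.items():
        distinct_paths = {p for _, _, p in members}
        if len(distinct_paths) >= min_paths:
            clusters[stamp] = sorted(members)
    return clusters


if __name__ == '__main__':
    for (date, size), members in suspicious_clusters(SAMPLE_LOADING_POINTS).items():
        print('%s %d bytes: %d entries across %d paths'
              % (date, size, len(members), len({p for _, _, p in members})))
        for key, name, path in members:
            print('    %s  "%s" -> %s' % (key.split('\\')[0], name, path))
```

A cluster of identical size and build date across unrelated vendor folders is a strong lead because legitimate software from different vendors almost never shares an exact byte count and timestamp; the entries are then candidates for collection and quarantine, which is what the CFScript in a later reply does for the real log.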


#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:01:32 AM

Posted 17 March 2010 - 12:05 PM

Hi,

Do you still have the .cab file there? If so, please send it to miekeATmalwarebytes.org (replace AT with @)
I really need those samples.

By the way, I see you have malwarebytes installed already, it should detect the desktop security here already though, so not sure what happened here. Please start malwarebytes, click the update tab and download latest updates.
Then run a scan again with malwarebytes (QUICK scan, not full scan). Then post the malwarebytes log in your next reply as well.

Then we'll deal with those other malicious ones, but I need those samples first :)

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:01:32 AM

Posted 17 March 2010 - 01:35 PM

Also, please let me know once you have sent these samples :)

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:01:32 AM

Posted 17 March 2010 - 01:57 PM

Hi,

I received a mail instead where you copied and pasted those paths in the mail instead of the samples attached. Unless this wasn't you and someone else did this.
Anyway, leave it for now, we'll try to collect them with combofix instead...

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

QUOTE
Collect::[8]
c:\program files\microsoft office\powerpoint viewer\intldatewindows.exe
c:\program files\common files\microsoft shared\help\1046\microsofthxdsui2.05.50727.210.exe
C:\Documents and Settings\Martin McKenzie\Local Settings\temp\m.25B.tmp.exe
C:\DOCUME~1\MARTIN~1\LOCALS~1\Temp\WKVO.exe
c:\program files\canon\zoombrowser ex\program\toolkitsupport.exe
c:\program files\common files\microsoft shared\msinfo\msinfo32office.exe
c:\program files\common files\adobe\web\adobewebsystems.exe
Folder::
c:\documents and settings\Martin McKenzie\Application Data\Desktop Security 2010
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Desktop Security 2010"=-
"SecurityCenter"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windowssystem"=-
"SystemsAdobeWeb"=-
"SystemsAdobe"=-
"saextMicrosoft"=-
"msinfo32OInfo1212.0.4518.1014"=-
"MLibComon"=-
"HelpMicrosoft"=-
"gdiplusintldate11.0.8161"=-


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again.
Then, please visit this site:
http://www.bleepingcomputer.com/submit-malware.php?channel=8
Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
Then click the "Send File" button below in order to upload it. If it still gives that error, please try again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Edited by miekiemoes, 17 March 2010 - 01:58 PM.


#7 MXCanuck

MXCanuck
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver, BC
  • Local time:04:32 PM

Posted 17 March 2010 - 02:48 PM

OK,
That was a little over my head but hopefully I did it correctly. Once Combofix had finished running & created a log...my computer wouldn't go online? I shut it off & restarted & it seems good...no sign of virus.
Here's the Combofix log...am I fixed?

ComboFix 10-03-16.05 - Martin McKenzie 03/17/2010 12:12:17.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.233 [GMT -7:00]
Running from: c:\documents and settings\Martin McKenzie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Martin McKenzie\Desktop\CFScript.txt
AV: Shaw Secure 9.01 *On-access scanning enabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: Shaw Secure 9.01 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}

file zipped: c:\program files\canon\zoombrowser ex\program\toolkitsupport.exe
file zipped: c:\program files\common files\adobe\web\adobewebsystems.exe
file zipped: c:\program files\common files\microsoft shared\help\1046\microsofthxdsui2.05.50727.210.exe
file zipped: c:\program files\common files\microsoft shared\msinfo\msinfo32office.exe
file zipped: c:\program files\microsoft office\powerpoint viewer\intldatewindows.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\canon\zoombrowser ex\program\toolkitsupport.exe
c:\program files\common files\adobe\web\adobewebsystems.exe
c:\program files\common files\microsoft shared\help\1046\microsofthxdsui2.05.50727.210.exe
c:\program files\common files\microsoft shared\msinfo\msinfo32office.exe
c:\program files\microsoft office\powerpoint viewer\intldatewindows.exe

.
((((((((((((((((((((((((( Files Created from 2010-02-17 to 2010-03-17 )))))))))))))))))))))))))))))))
.

2010-03-16 18:15 . 2010-03-16 18:15 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-16 18:15 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-16 18:15 . 2010-03-16 18:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-16 18:15 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-16 04:43 . 2010-03-16 04:43 -------- d-----w- c:\program files\TrendMicro
2010-03-16 03:57 . 2010-03-16 03:57 -------- d-----w- c:\program files\CCleaner
2010-03-16 03:31 . 2010-03-16 03:31 -------- d-----w- c:\documents and settings\Martin McKenzie\Application Data\Reg-Tool
2010-03-16 00:14 . 2010-02-24 17:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-16 17:52 . 2010-02-16 17:58 -------- d-----w- c:\documents and settings\Martin McKenzie\Application Data\Vso
2010-02-16 17:52 . 2010-02-16 17:58 47360 ----a-w- c:\documents and settings\Martin McKenzie\Application Data\pcouffin.sys
2010-02-16 17:52 . 2010-02-16 17:52 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-02-16 17:44 . 2010-02-16 17:47 -------- d-----w- c:\documents and settings\Martin McKenzie\Application Data\InfraRecorder
2010-02-16 17:34 . 2004-05-12 01:19 192512 ----a-w- c:\windows\system32\MACDll.dll
2010-02-16 17:34 . 2010-02-16 17:34 -------- d-----w- c:\program files\101 All to CD DVD Burner
2010-02-16 17:34 . 2005-12-01 06:49 161792 ----a-w- c:\windows\system32\lame_enc.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-17 19:06 . 2008-12-01 17:07 -------- d-----w- c:\documents and settings\Martin McKenzie\Application Data\ZoomBrowser EX
2010-03-17 18:58 . 2008-09-26 21:49 256 ----a-w- c:\windows\system32\pool.bin
2010-03-17 18:58 . 2009-02-13 18:37 -------- d-----w- c:\documents and settings\Martin McKenzie\Application Data\LimeWire
2010-03-17 16:15 . 2009-10-19 16:52 -------- d-----w- c:\program files\Panda Security
2010-03-16 21:21 . 2009-02-06 01:44 -------- d-----w- c:\documents and settings\Martin McKenzie\Application Data\CameraWindowDC
2010-03-16 03:47 . 2009-10-19 23:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-16 03:03 . 2009-10-19 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-03-10 11:04 . 2009-08-18 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-09 22:41 . 2008-09-22 17:33 -------- d-----w- c:\program files\FTP Commander
2010-02-16 17:38 . 2009-10-22 22:51 -------- d-----w- c:\program files\SlySoft
2010-01-28 22:28 . 2009-02-13 18:35 -------- d-----w- c:\program files\LimeWire
2010-01-05 10:00 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((( SnapShot_2010-03-16_23.47.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-17 18:58 . 2010-03-17 18:58 16384 c:\windows\temp\Perflib_Perfdata_464.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-13 2000112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-04-01 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-03-26 228088]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]

c:\documents and settings\Martin McKenzie\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-12-16 503808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-3-28 1283608]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-9-22 813584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-09-21 23:54 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 20:28 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [10/19/2009 1:51 PM 28552]
S0 fsbts;fsbts; [x]
S0 FSFW;F-Secure Firewall Driver; [x]
S0 szkg5;szkg5; [x]
S0 szkgfs;szkgfs; [x]
S1 F-Secure HIPS;F-Secure HIPS Driver; [x]
S1 SASKUTIL;SASKUTIL; [x]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper; [x]
S3 FSORSPClient;F-Secure ORSP Client; [x]
S4 F-Secure Filter;F-Secure File System Filter; [x]
S4 F-Secure Recognizer;F-Secure File System Recognizer; [x]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.ca/
mStart Page = hxxp://start.shaw.ca/start/enCA/
uInternet Settings,ProxyOverride = <local>
FF - ProfilePath - c:\documents and settings\Martin McKenzie\Application Data\Mozilla\Firefox\Profiles\fdvk2nar.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://my.ebay.com/ws/eBayISAPI.dll?MyEbay&gbh=1
FF - component: c:\documents and settings\Martin McKenzie\Application Data\Mozilla\Firefox\Profiles\fdvk2nar.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-17 12:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
Completion time: 2010-03-17 12:17:28
ComboFix-quarantined-files.txt 2010-03-17 19:17
ComboFix2.txt 2010-03-17 16:46
ComboFix3.txt 2010-03-16 23:48
ComboFix4.txt 2009-10-19 20:41

Pre-Run: 65,455,325,184 bytes free
Post-Run: 65,408,069,632 bytes free

- - End Of File - - 8B79C16850B96EF6DA11E14D60F94E8C
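The "Reg Loading Points" section of the ComboFix log above lists autorun values and the Windows Firewall policy in REGEDIT4-style notation. As an added example (not part of this thread, and not ComboFix's own code), the following Python script parses that section and pulls out the entries a responder would review first: Run values that name a bare file instead of a full path, a disabled standard-profile firewall, and the configured firewall exceptions. The sample input is an excerpt copied from the log posted above.

```python
import re

# Excerpt of the "Reg Loading Points" section of the ComboFix log posted above,
# embedded as sample input so the script runs offline.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-13 2000112]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-04-01 155648]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# ComboFix appends the target binary's timestamp and size in brackets after each Run value.
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s+\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]')
FW_RE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')
APP_RE = re.compile(r'^"(?P<app>.+)"=\s*$')


def parse_reg_loading_points(text):
    """Walk the REGEDIT4-style listing, remembering which key each value belongs to."""
    result = {"run": [], "firewall_enabled": None, "authorized_apps": []}
    key = ""
    for line in text.splitlines():
        if m := KEY_RE.match(line):
            key = m["key"].lower()
        elif key.endswith("\\run") and (m := RUN_RE.match(line)):
            result["run"].append({"key": key, "name": m["name"], "path": m["path"],
                                  "date": m["date"], "size": int(m["size"])})
        elif key.endswith("firewallpolicy\\standardprofile") and (m := FW_RE.match(line)):
            result["firewall_enabled"] = m["val"] != "0"
        elif key.endswith("authorizedapplications\\list") and (m := APP_RE.match(line)):
            # REGEDIT4 doubles the backslashes inside quoted value names; undo that.
            result["authorized_apps"].append(m["app"].replace("\\\\", "\\"))
    return result

def triage(parsed):
    """Return the review points a responder would check first in this section."""
    findings = []
    for e in parsed["run"]:
        # A bare file name is resolved through the search path at logon, so confirm
        # which binary actually runs (here KHALMNPR.EXE carries no directory).
        if "\\" not in e["path"]:
            findings.append(f"unqualified Run entry {e['name']!r} -> {e['path']}")
    if parsed["firewall_enabled"] is False:
        findings.append("Windows Firewall disabled in standard profile (EnableFirewall=0)")
    for app in parsed["authorized_apps"]:
        findings.append(f"firewall exception: {app}")
    return findings
```

Feed it the full "Reg Loading Points" block of any ComboFix log (for example `triage(parse_reg_loading_points(open("ComboFix.txt").read()))`) to get the same shortlist for a real case.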


#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 17 March 2010 - 03:13 PM

Hi,

Can you also do this?

QUOTE
Then, please visit this site:
http://www.bleepingcomputer.com/submit-malware.php?channel=8
Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
Then click the "Send File" button below in order to upload it. If it still gives that error, please try again.

Let me know if you have done this.

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 17 March 2010 - 03:22 PM

Hi,

Now you uploaded the cabfile instead, which doesn't contain the files anymore since we removed them with ComboFix already.

Ok, let me explain again what you exactly have to upload now...

Go to this page: http://www.bleepingcomputer.com/submit-malware.php?channel=8
Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created). This is NOT the cabfile you had to create before; this is located in the C:\Qoobox\Quarantine\ folder with the name [8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created). Please reread.
If you don't understand, just ask instead.

#10 MXCanuck

MXCanuck
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:Vancouver, BC

Posted 17 March 2010 - 04:30 PM

I'm not doing so good...I tried to do it again properly & the site is down again.
I sent it to your email...is that OK or shall I keep trying?


#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 17 March 2010 - 04:32 PM

Hi, it's OK. I received them via mail now.
Thanks.

* Go to start > run and copy and paste next command in the field:

ComboFix /Uninstall

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.


#12 MXCanuck

MXCanuck
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:Vancouver, BC

Posted 17 March 2010 - 04:41 PM

Everything seems great now!
It just gave me a message that said Combofix has been removed & no signs of trouble.
I thank you so much...it all just reminds me how complicated these little machines are.
Thank you again!
Kiss the Malware Killer Dog from MXCanuck!



Edited by MXCanuck, 17 March 2010 - 04:47 PM.


#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 17 March 2010 - 04:45 PM

Glad I could help.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 18 March 2010 - 01:30 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



