Resolved HJT Threads - Resolved spyware and popup issues.

#21
Security Team (ret.)
Join Date: Nov 2003
Location: Victoria, Australia
Posts: 7,404
OS: XP Pro SP3
Re: PC which infected tena_79's pc
This should finish things up...
Please copy this page to *Notepad* and save to your desktop for reference, as you will not have any browsers open while you are carrying out portions of these instructions. It's IMPORTANT to carry out the instructions in the sequence listed below.

1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Open *Notepad* and copy/paste the text in the quotebox below into it:

Quote:

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Restart your computer. When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.

*Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.*

==========================

Download and install SP2: http://www.softwarepatch.com/windows/xpsp2.html
__________________
Eddy
#22
Registered User
Join Date: Dec 2007
Posts: 14
OS: XP SP1
Okay this is the combofix report:
ComboFix 07-12-21.4 - imatera 2007-12-26 14:46:08.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.102 [GMT 8:00]
Running from: C:\Documents and Settings\imatera\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\imatera\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\Uninstall.ico
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\Uninstall.ico
.
((((((((((((((((((((((((( Files Created from 2007-11-26 to 2007-12-26 )))))))))))))))))))))))))))))))
.
2007-12-13 10:45 . 2007-12-21 08:00 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-12-13 10:45 . 2007-12-13 11:22 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-12-13 10:43 . 2007-12-13 10:43 <DIR> d----c--- C:\Program Files\Kaspersky Lab
2007-12-13 10:43 . 2007-12-26 14:59 1,232,928 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-13 10:43 . 2007-12-26 15:08 59,424 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-13 10:43 . 2007-12-26 14:50 17,540 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-13 10:43 . 2007-12-26 14:50 6,596 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-13 10:29 . 2007-12-13 10:29 <DIR> d----c--- C:\kav
2007-12-13 10:17 . 2007-12-13 10:18 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-12-13 10:17 . 2007-12-13 10:17 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-12-13 08:54 . 2007-12-13 10:35 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Avira
2007-12-12 11:26 . 2007-12-12 11:26 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-12 09:33 . 2007-12-26 15:09 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-12 09:32 . 2007-12-12 09:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-10 14:37 . 2007-12-12 12:52 <DIR> d----c--- C:\Program Files\prjJtksmERA
2007-12-06 15:51 . 2007-12-06 15:51 <DIR> d----c--- C:\Program Files\Trend Micro
2007-12-06 14:26 . 2007-12-06 14:26 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-12-06 14:08 . 2007-12-07 08:29 <DIR> d----c--- C:\Program Files\WinClamAVShield
2007-12-06 13:52 . 2007-12-06 13:53 <DIR> d----c--- C:\Program Files\Crawler
2007-12-06 13:52 . 2007-12-26 11:00 <DIR> d----c--- C:\Documents and Settings\imatera\Application Data\Spyware Terminator
2007-12-06 13:52 . 2007-12-17 11:15 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2007-12-06 13:51 . 2007-12-18 11:00 <DIR> d----c--- C:\Program Files\Spyware Terminator
2007-12-06 10:08 . 2007-12-12 13:15 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-03 10:00 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-12-03 10:00 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-12-03 10:00 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-12-03 10:00 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-24 08:33 --------- dc----w C:\Documents and Settings\imatera\Application Data\MySQL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2007-12-06 14:07]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51]

R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\System32\drivers\sp_rsdrv2.sys [2007-12-06 14:26]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\System32\DRIVERS\klim5.sys [2007-04-04 14:58]
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\AN983.sys [2004-08-04 06:31]
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-26 15:08:58
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-26 15:10:39 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-26 09:08
C:\ComboFix3.txt ... 2007-12-10 14:19

And this is the HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:13:21, on 26/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\xampp\apache\bin\Apache.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\xampp\mysql\bin\mysqld-max-nt.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\xampp\apache\bin\Apache.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.mohr.gov.my:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *mohr.gov.my;10.21*;<local>
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1181109283758
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E29FA32-96ED-4E6B-8B0F-CB069AC13198}: NameServer = 10.21.81.214,10.20.16.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{7E29FA32-96ED-4E6B-8B0F-CB069AC13198}: NameServer = 10.21.81.214,10.20.16.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{7E29FA32-96ED-4E6B-8B0F-CB069AC13198}: NameServer = 10.21.81.214,10.20.16.2
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\xampp\apache\bin\Apache.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: mysql - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 4191 bytes
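As an added example (not code from this thread, from HijackThis or from the forum's Security Team), a small Python triage pass over a few entries copied from the HijackThis log above: it parses the section-tagged lines (R1, O2, O17, O23 ...) and flags the items a helper typically checks first, namely a service whose binary cannot be found, a configured browser proxy, the DNS servers in use, and an unnamed BHO. The review rules and their wording are my own assumptions about what merits a second look.

```python
import re
from typing import Dict, List, Tuple

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.mohr.gov.my:8080
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E29FA32-96ED-4E6B-8B0F-CB069AC13198}: NameServer = 10.21.81.214,10.20.16.2
O23 - Service: mysql - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\xampp\apache\bin\Apache.exe
"""

# Every HijackThis entry starts with a section tag (R0, F2, N1, O23 ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Return the log's entries as {'section': 'O23', 'body': '...'} dicts."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"section": m.group("section"), "body": m.group("body")})
    return entries


def triage(entries: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply a few review rules (my assumptions); returns (section, reason, body) per hit."""
    findings = []
    for e in entries:
        sec, body = e["section"], e["body"]
        if sec == "O23" and "(file missing)" in body:
            # Service binary not found. A path like C:\Program.exe is the usual trace of
            # an unquoted ImagePath that contains spaces, but it still needs a human look.
            findings.append((sec, "service binary not found", body))
        elif sec == "R1" and "ProxyServer" in body:
            findings.append((sec, "browser proxy set; confirm it is the expected one", body))
        elif sec == "O17" and "NameServer" in body:
            servers = body.split("NameServer = ", 1)[1].split(",")
            findings.append((sec, "DNS servers: " + ", ".join(servers), body))
        elif sec in ("O2", "O3") and "(no name)" in body:
            findings.append((sec, "unnamed BHO/toolbar; verify the DLL's publisher", body))
    return findings


if __name__ == "__main__":
    for sec, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{sec}: {reason}\n    {body}")
```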
#25
Security Team (ret.)
Join Date: Nov 2003
Location: Victoria, Australia
Posts: 7,404
OS: XP Pro SP3
Re: PC which infected tena_79's pc
Ok Fine...
This will clear away any of the files and folders that were created by ComboFix. Go to: Start > Run, then copy and paste the highlighted text below and click OK. Quote:
__________________
Eddy