Tech Support Forum, Resolved HJT Threads: resolved spyware and popup issues.

11-13-2008, 10:36 AM   #1
Registered User
Join Date: Nov 2007
Posts: 6
OS: XP

tinyproxy.exe malware: Need Help!!!

My computer is infected with malware called tinyproxy.exe, I believe. It redirects all search pages and sometimes will not load pages at all. I have run Spybot and Ad-Aware, but they did not clean it. Any help would be appreciated. The DDS log and HijackThis log are pasted, and gmer.txt along with Attach.txt are attached.

Thanks, RC

DDS log:

DDS (Version 1.0) - NTFSx86
Run by Brandi Perry at 11:19:00.15 on 2008-11-13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.197 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\tinyproxy\tinyproxy.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brandi Perry\Desktop\Virus Cleaners\dds.scr
C:\DOCUME~1\BRANDI~1\LOCALS~1\Temp\RarSFX0\FI.exe

============== Psuedo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://windiwsfsearch.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://windiwsfsearch.com/ie6.html
uWindow Title = Microsoft Internet Explorer provided by Comcast
uSearchMigratedDefaultURL = hxxp://windiwsfsearch.com/search?q={searchTerms}
uDefault_Search_URL = hxxp://windiwsfsearch.com
mDefault_Search_URL = hxxp://windiwsfsearch.com
mSearch Page = hxxp://windiwsfsearch.com
mSearch Bar = hxxp://windiwsfsearch.com/ie6.html
mWindow Title = Microsoft Internet Explorer provided by Comcast
mSearchMigratedDefaultURL = hxxp://windiwsfsearch.com/search?q={searchTerms}
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:9090
uInternet Settings,ProxyOverride = *.local;<local>
uSearchAssistant = hxxp://windiwsfsearch.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearchURL = hxxp://windiwsfsearch.com
mSearchAssistant = hxxp://windiwsfsearch.com
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - c:\program files\yahoo!\common\companion\installs\cpn\yt.dll
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {2B394226-862F-4aa4-AA53-988E24F50841} - c:\program files\virslab\ViRsLabWarning.dll
BHO: {3B7AAEB1-9F3D-4491-9C06-C7165CA8D058} - c:\program files\applications\iebt.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
TB: {E43B6656-814B-4839-8FF8-AFFDE0DA9A3F} - c:\program files\applications\iebr.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\common\companion\installs\cpn\yt.dll
TB: {E43B6656-814B-4839-8FF8-AFFDE0DA9A3F} - c:\program files\applications\iebr.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ViRsLab] "c:\program files\virslab\ViRsLab.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
O15 -: Trusted Zone: *.musicmatch.com
O15 -: Trusted Zone: *.musicmatch.com
Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office11\MSOXMLMF.DLL
STS: {6b9a461b-893f-45ee-8c59-06d3a2223b24} - c:\windows\system32\ebmkdz.dll

============= SERVICES / DRIVERS ===============

R2 DNS Client (Dnscache) ;DNS Client (Dnscache) ;c:\program files\tinyproxy\tinyproxy.exe

=============== Created Last 30 ================

2008-11-13 09:32 <DIR> --d----- c:\program files\trend micro
2008-11-13 08:54 250 a------- c:\windows\gmer.ini
2008-11-13 08:49 <DIR> --d----- c:\program files\tinyproxy
2008-11-13 08:49 <DIR> --d----- c:\windows\system32\890166
2008-11-13 08:49 <DIR> --d----- c:\windows\system32\512686
2008-11-13 08:49 <DIR> --d----- C:\ComboFix
2008-11-07 12:03 1,003 ----h--- c:\windows\f49f4d98.dat
2008-11-07 12:01 1 ----h--- c:\windows\f49f4daa.dat
2008-11-07 12:00 29,696 ----h--- c:\windows\bolivar24.exe
2008-10-27 08:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Lavasoft
2008-10-27 08:07 <DIR> --d----- c:\program files\common files\Wise Installation Wizard

==================== Find3M ====================

2008-11-13 07:45 388,608 a------- c:\windows\system32\CF12272.exe
2008-11-13 07:44 388,608 a------- c:\windows\system32\CF12154.exe
2008-11-13 07:36 <DIR> --d----- c:\program files\ewido anti-malware
2008-11-13 00:08 <DIR> --d----- c:\program files\Coupons
2008-11-08 06:53 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-11-08 01:27 <DIR> --d----- c:\docume~1\brandi~1\applic~1\Move Networks
2008-10-27 08:08 <DIR> --d----- c:\program files\Lavasoft
2008-10-27 07:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-10-24 05:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-15 10:57 332,800 a------- c:\windows\system32\dllcache\netapi32.dll
2008-10-03 11:41 6,066,176 -------- c:\windows\system32\dllcache\ieframe.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 05:57 1,846,016 a------- c:\windows\system32\win32k.sys
2008-09-15 05:57 1,846,016 a------- c:\windows\system32\dllcache\win32k.sys
2008-09-04 10:42 1,106,944 a------- c:\windows\system32\msxml3.dll
2008-09-04 10:42 1,106,944 -------- c:\windows\system32\dllcache\msxml3.dll
2008-08-29 16:21 <DIR> --d----- c:\docume~1\brandi~1\applic~1\Viewpoint
2008-08-28 04:04 333,056 -------- c:\windows\system32\dllcache\srv.sys
2008-08-27 02:24 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-08-25 02:38 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-08-25 02:37 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-08-22 23:56 635,848 a------- c:\windows\system32\dllcache\iexplore.exe
2008-08-22 23:54 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-07-20 15:25 <DIR> --d----- c:\docume~1\brandi~1\applic~1\Walgreens
2008-01-23 20:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2006-12-09 08:37 <DIR> --d----- c:\docume~1\brandi~1\applic~1\EBookSys
2006-06-07 11:28 <DIR> --d----- c:\docume~1\brandi~1\applic~1\Podfitness Inc
2006-03-23 19:42 <DIR> --d----- c:\docume~1\brandi~1\applic~1\Intuit
2006-03-23 19:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2005-11-28 12:03 <DIR> --d----- c:\docume~1\brandi~1\applic~1\Symantec
2005-08-31 21:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2005-05-28 11:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Dell
2004-12-26 20:35 <DIR> --d----- c:\docume~1\brandi~1\applic~1\Musicmatch
2004-11-07 19:20 <DIR> --d----- c:\docume~1\brandi~1\applic~1\MX
2004-08-08 21:24 <DIR> --d----- c:\docume~1\brandi~1\applic~1\MSN6
2004-07-25 11:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MSN6
2004-04-04 20:23 <DIR> --d----- c:\docume~1\brandi~1\applic~1\AOL
2004-01-16 16:25 <DIR> --d----- c:\docume~1\brandi~1\applic~1\Jasc Software Inc
2004-01-16 16:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SBSI

============= FINISH: 11:19:34.21 ===============

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:34, on 2008-11-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\tinyproxy\tinyproxy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brandi Perry\Desktop\Virus Cleaners\Hijack this\HJT1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://windiwsfsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windiwsfsearch.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://windiwsfsearch.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://windiwsfsearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windiwsfsearch.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://windiwsfsearch.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://windiwsfsearch.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://windiwsfsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ViRsLabWarningBHO Class - {2B394226-862F-4aa4-AA53-988E24F50841} - C:\Program Files\ViRsLab\ViRsLabWarning.dll (file missing)
O2 - BHO: (no name) - {3B7AAEB1-9F3D-4491-9C06-C7165CA8D058} - C:\Program Files\Applications\iebt.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Internet Service - {E43B6656-814B-4839-8FF8-AFFDE0DA9A3F} - C:\Program Files\Applications\iebr.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ViRsLab] "C:\Program Files\ViRsLab\ViRsLab.exe"
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/tes...enXInstall.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://www.waggintailsdaycare.com/plugin/h263ctrl.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...24/mcfscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\Program Files\tinyproxy\tinyproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
Attached Files: gmer.txt (3.4 KB), Attach.txt (14.1 KB)
rcathey
11-13-2008, 06:32 PM   #2
Moderator/Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista

Re: tinyproxy.exe malware: Need Help!!!

Hi, welcome to TSF!

You have a worm from Facebook which modifies your proxy. We will clean out the malware first, then fix your proxy.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Angelfire777
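To show how the indicators the moderator is reacting to can be pulled out of the logs above (the ProxyServer value pointing at 127.0.0.1:9090, the "DNS Client (Dnscache)" service whose image path is tinyproxy.exe instead of svchost.exe, every search key pointing at one domain, and the "(file missing)" leftovers), here is a small triage script added for this page; it is not the forum's, HijackThis's or ComboFix's code. The log lines embedded in it are constructed copies modelled on the HJT log in the first post, and the set of svchost-hosted service names is an assumption limited to the one service the thread shows.

```python
import re
from collections import Counter
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample in HijackThis log format, modelled on the lines posted in
# the thread: search-key hijack, loopback proxy, orphaned BHO, and a service
# that borrows the "DNS Client" name but runs a file outside system32.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://windiwsfsearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windiwsfsearch.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://windiwsfsearch.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090
O2 - BHO: (no name) - {3B7AAEB1-9F3D-4491-9C06-C7165CA8D058} - C:\Program Files\Applications\iebt.dll (file missing)
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\Program Files\tinyproxy\tinyproxy.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
"""

# Display names of services that Windows XP hosts inside svchost.exe (assumed
# list, only the one the thread shows). An O23 line with one of these names
# and any other image path is impersonating the real service.
SVCHOST_HOSTED_NAMES = {"dns client (dnscache)"}

# R0-R3 lines: "<hive\key>,<value name> = <value>"
SETTING_RE = re.compile(r"^R[0-3] - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<value>.+)$")
# O23 lines: "Service: <display name> - <owner> - <image path>"
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def is_loopback_host(host):
    """True for 127.x.x.x, ::1 or 'localhost': a proxy on the machine itself."""
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def proxy_hosts(value):
    """Split a ProxyServer value ('host:port' or 'proto=host:port;...') into hosts."""
    hosts = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" in entry:                       # strip the "http=" / "https=" prefix
            entry = entry.split("=", 1)[1]
        hosts.append(entry.rsplit(":", 1)[0])  # drop the port
    return hosts


def triage(log_text):
    """Return (findings, search_host_counts) for a HijackThis-format log.

    findings is a list of (kind, detail) tuples; search_host_counts maps each
    hostname found in a search-related R0/R1 value to how many keys point at it.
    """
    findings = []
    search_hosts = Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Entries whose file is gone are leftovers of a removed or half-removed component.
        if line.endswith("(file missing)"):
            findings.append(("orphaned entry", line))
        setting = SETTING_RE.match(line)
        if setting:
            key, name, value = setting.group("key", "name", "value")
            if name == "ProxyServer":
                for host in proxy_hosts(value):
                    if is_loopback_host(host):
                        findings.append(("loopback proxy", host))
            elif "search" in (key + name).lower():
                host = urlsplit(value).hostname
                if host:
                    search_hosts[host] += 1
            continue
        service = SERVICE_RE.match(line)
        if service and service.group("name").lower() in SVCHOST_HOSTED_NAMES:
            path = service.group("path")
            if not path.lower().endswith("\\svchost.exe"):
                findings.append(("impersonated service", f"{service.group('name')} -> {path}"))
    return findings, search_hosts


def dominant_search_host(search_hosts):
    """Host owning the most search keys; one unfamiliar host owning all of them is the hijack signature."""
    if not search_hosts:
        return None
    return search_hosts.most_common(1)[0][0]


if __name__ == "__main__":
    found, hosts = triage(SAMPLE_LOG)
    for kind, detail in found:
        print(f"[{kind}] {detail}")
    print("search keys by host:", dict(hosts))
    print("dominant search host:", dominant_search_host(hosts))
```

A loopback ProxyServer value that outlives the process listening on it is what leaves the browser unable to load any page after the proxy binary is removed, which is why clearing that value is a separate step from deleting the malware.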
11-14-2008, 08:59 AM   #3
Registered User
Join Date: Nov 2007
Posts: 6
OS: XP

Re: tinyproxy.exe malware: Need Help!!!
Here is the ComboFix log. I saw where it deleted tinyproxy.exe, but now I can't get Internet access from that computer. IE says it cannot display the webpage. The network icon in the task bar shows that I am connected. Is this because of the proxy change? I did install the Recovery Console.

BTW, thanks for the help.

______________________________________________

ComboFix 08-11-12.02 - Brandi Perry 2008-11-14 9:18:19.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.277 [GMT -6:00]
Running from: c:\documents and settings\Brandi Perry\Desktop\Virus Cleaners\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\TinyProxy
c:\program files\TinyProxy\tinyproxy.exe
c:\windows\bolivar24.exe
c:\windows\SYSTEM32\512686
c:\windows\SYSTEM32\512686\512686.dll
c:\windows\SYSTEM32\890166
c:\windows\SYSTEM32\890166\890166.dll
c:\windows\system32\drivers\fad.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DNS_CLIENT_(DNSCACHE)_
-------\Service_DNS Client (Dnscache)


((((((((((((((((((((((((( Files Created from 2008-10-14 to 2008-11-14 )))))))))))))))))))))))))))))))
.

2008-11-13 09:32 . 2008-11-13 09:32 <DIR> d-------- C:\rsit
2008-11-13 09:32 . 2008-11-13 09:32 <DIR> d-------- c:\program files\trend micro
2008-11-13 08:54 . 2008-11-13 08:54 250 --a------ c:\windows\gmer.ini
2008-11-08 00:03 . 2008-11-08 00:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2008-11-07 12:03 . 2008-11-07 12:05 1,003 ---h----- c:\windows\f49f4d98.dat
2008-11-07 12:01 . 2008-11-08 00:12 1 ---h----- c:\windows\f49f4daa.dat
2008-10-27 08:08 . 2008-10-27 08:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-27 08:07 . 2008-10-27 08:07 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-10-25 14:12 . 2008-10-25 14:12 <DIR> dr-h----- c:\documents and settings\Rand\Application Data\yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-13 13:36 --------- d-----w c:\program files\ewido anti-malware
2008-11-13 06:08 --------- d-----w c:\program files\Coupons
2008-11-12 22:50 --------- d-----w c:\documents and settings\Brandi Perry\Application Data\AdobeUM
2008-11-08 12:53 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-08 07:27 --------- d-----w c:\documents and settings\Brandi Perry\Application Data\Move Networks
2008-10-27 14:08 --------- d-----w c:\program files\Lavasoft
2008-10-27 13:40 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-12 23:22 --------- d--h--r c:\documents and settings\Brandi Perry\Application Data\yahoo!
2007-02-16 05:03 54 ----a-w c:\documents and settings\Brandi Perry\Application Data\MTC-savedfolder.dat
2007-02-05 02:49 19,968 ----a-w c:\program files\Lecture series letter.doc
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B394226-862F-4aa4-AA53-988E24F50841}]
c:\program files\ViRsLab\ViRsLabWarning.dll [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E43B6656-814B-4839-8FF8-AFFDE0DA9A3F}"= "c:\program files\Applications\iebr.dll" [BU]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{E43B6656-814B-4839-8FF8-AFFDE0DA9A3F}"= "c:\program files\Applications\iebr.dll" [BU]

[HKEY_CLASSES_ROOT\clsid\{e43b6656-814b-4839-8ff8-affde0da9a3f}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"ViRsLab"="c:\program files\ViRsLab\ViRsLab.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-07-10 270648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-01-16 151597]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2003-05-22 16:15 327680 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
c:\program files\Common Files\Symantec Shared\ccApp.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DadApp]
--a------ 2002-11-01 16:47 208560 c:\program files\Dell\AccessDirect\DadApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
-ra------ 2003-06-20 14:18 368640 c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
c:\program files\Dell Support\DSAgnt.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2003-08-06 01:04 114741 c:\windows\SYSTEM32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
--a------ 2003-08-13 10:27 28672 c:\windows\SYSTEM32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2003-03-08 22:30 188416 c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-07-10 08:18 270648 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2004-12-10 19:44 11776 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2004-12-10 19:44 110592 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
--a------ 2003-06-18 12:00 200704 c:\program files\Microsoft Money\System\mnyexpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 9.0]
c:\program files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton SystemWorks]
c:\program files\Norton SystemWorks\cfgwiz.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2003-09-23 11:23 204800 c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a------ 2003-02-13 01:01 155648 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 12:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2005-11-15 21:27 100056 c:\progra~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2004-05-14 08:35 536576 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2004-05-13 18:23 98304 c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
--a------ 2002-04-24 19:37 1544192 c:\program files\support.com\bin\tgcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-01-16 16:17 151597 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a------ 2004-11-12 11:24 106557 c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-03-27 14:22 4670968 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
--a------ 2002-08-28 17:17 28672 c:\windows\SYSTEM32\Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-08-29 05:59 122880 c:\windows\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLTRYSVC"=2 (0x2)
"SymWSC"=2 (0x2)
"LiveUpdate"=3 (0x3)
"ewido security suite control"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"GEARSecurity"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"Speed Disk service"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"Pml Driver HPZ12"=3 (0x3)
"NProtectService"=2 (0x2)
"NPFMntor"=2 (0x2)
"Norton Ghost"=2 (0x2)
"navapsvc"=2 (0x2)
"gusvc"=3 (0x3)
"DSBrokerService"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S2 DNS Client (Dnscache) ;DNS Client (Dnscache) ;c:\program files\tinyproxy\tinyproxy.exe [ ]

*Newly Created Service* - DNS_CLIENT_(DNSCACHE)_
.
Contents of the 'Scheduled Tasks' folder

2008-11-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 12:42]

2005-01-17 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1096313504.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-05 23:52]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://windiwsfsearch.com/search?q={searchTerms}
R0 -: HKCU-Main,Default_Search_URL = hxxp://windiwsfsearch.com
R0 -: HKLM-Main,Search Bar = hxxp://windiwsfsearch.com/ie6.html
R0 -: HKLM-Main,Window Title = Microsoft Internet Explorer provided by Comcast
R0 -: HKLM-Main,SearchMigratedDefaultURL = hxxp://windiwsfsearch.com/search?q={searchTerms}
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-Internet Settings,ProxyServer = http=127.0.0.1:9090
R1 -: HKCU-Internet Settings,ProxyOverride = *.local;<local>
R1 -: HKCU-SearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 -: HKLM-Internet Explorer,SearchURL = hxxp://windiwsfsearch.com
O8 -: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
O8 -: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 -: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
O8 -: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
O8 -: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
O15 -: Trusted Zone: *.musicmatch.com
O15 -: Trusted Zone: *.musicmatch.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-14 09:22:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-11-14 9:30:01 - machine was rebooted [Brandi Perry]
ComboFix-quarantined-files.txt 2008-11-14 15:29:58
ComboFix2.txt 2008-11-13 13:55:22

Pre-Run: 14,081,867,776 bytes free
Post-Run: 14,029,561,856 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

230 --- E O F --- 2008-11-13 03:53:48
Old 11-14-2008, 10:34 AM   #4 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: tinyproxy.exe malware: Need Help!!!

Hi,

Yes, it is because of the proxy.

*To fix it:

In IE: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "Use a proxy server", or reconfigure the proxy server again in case you have set it previously.
In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection, and uncheck the proxy server.


*I see you have Viewpoint installed...
Viewpoint-related software is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player


*Open notepad.
Copy and paste the text inside the code box below into Notepad.

Code:
File::
c:\windows\f49f4d98.dat
c:\windows\f49f4daa.dat
Folder::
c:\program files\ewido anti-malware
c:\program files\ViRsLab
c:\program files\Applications
Driver::
DNS Client (Dnscache)
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B394226-862F-4aa4-AA53-988E24F50841}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E43B6656-814B-4839-8FF8-AFFDE0DA9A3F}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{E43B6656-814B-4839-8FF8-AFFDE0DA9A3F}"=-
[-HKEY_CLASSES_ROOT\clsid\{e43b6656-814b-4839-8ff8-affde0da9a3f}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ViRsLab"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 9.0]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton SystemWorks]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://windiwsfsearch.com/search?q={searchTerms}
R0 -: HKCU-Main,Default_Search_URL = hxxp://windiwsfsearch.com
R0 -: HKLM-Main,Search Bar = hxxp://windiwsfsearch.com/ie6.html
R0 -: HKLM-Main,SearchMigratedDefaultURL = hxxp://windiwsfsearch.com/search?q={searchTerms}
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-Internet Settings,ProxyServer = http=127.0.0.1:9090
R1 -: HKCU-Internet Settings,ProxyOverride = *.local;<local>
R1 -: HKLM-Internet Explorer,SearchURL = hxxp://windiwsfsearch.com
  • Save and name it "CFScript"
  • Drag and drop CFScript.txt onto your copy of ComboFix.
  • You can take a look at the image below if you're unsure how to do it.
  • ComboFix will restart your machine and then produce a log afterwards.
__________

One reason why you got infected is because you have no antivirus running onboard. Having no antivirus these days is an open invitation for malware to enter your system.

You are basically vulnerable to all sorts of malware. Cleaning will be useless if you have no active protection because you'll only be infected again immediately.

That's why I want you to install, update, and scan with an antivirus.

Download Avira AntiVir: http://www.free-av.com
___________

Your Java is out of date....
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older-version Java components.
  • Click Start > Control Panel
  • Click Add/Remove Programs
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove button.
  • Repeat as many times as necessary to remove all versions of Java.
  • Reboot your computer once all Java components are removed.
Then download Java Runtime Environment 6u10, and install it to your computer.
  • Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - leave BOTH checked:
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
___________

Please run this online scan to help look for remnants.

First, Go to Start>Control Panel>Add/Remove Programs and remove Kaspersky online scanner if present prior to downloading the most up-to-date one.

Next, establish an internet connection & perform an online scan using Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.

  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.


Note for Internet Explorer 7 users: If at any time you have trouble viewing the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

On your next reply, please include a
  • Kaspersky scan log
  • ComboFix log
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.

Last edited by Angelfire777; 11-14-2008 at 10:36 AM.
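The three findings the analyst picked out of the logs above by eye (the IE proxy pointing at 127.0.0.1:9090, a "DNS Client (Dnscache)" service whose binary lives in c:\program files\tinyproxy instead of under the Windows directory, and the XP firewall switched off) are exactly the kind of thing a small triage script can flag automatically. The Python below is an added example of mine, not code from this thread or from DDS/ComboFix; the sample lines are constructed in the style of the posted logs using the values visible in them, and the list of built-in service names is a partial, hypothetical list for the example.

```python
"""Triage helper for DDS/ComboFix-style log lines (added example)."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample in the style of the DDS/ComboFix logs posted in this
# thread; the values are the ones visible in the thread's logs.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
S2 DNS Client (Dnscache) ;DNS Client (Dnscache) ;c:\program files\tinyproxy\tinyproxy.exe [ ]
R1 -: HKCU-Internet Settings,ProxyServer = http=127.0.0.1:9090
R1 -: HKCU-Internet Settings,ProxyOverride = *.local;<local>
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
"""

# Service names that Windows XP hosts inside svchost.exe under %windir%.
# A service carrying one of these names but pointing at a binary elsewhere
# is impersonating a built-in. Hypothetical, partial list for the example.
BUILTIN_SERVICE_TOKENS = ("dnscache", "dns client", "dhcp", "wuauserv", "lanmanserver")
WINDOWS_DIR = "c:\\windows\\"

PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)", re.IGNORECASE)
# ComboFix service lines: "<start type> <name> ;<display name> ;<image path> [...]"
SERVICE_RE = re.compile(
    r"^[SR]\d\s+(?P<name>[^;]+?)\s*;(?P<display>[^;]*?)\s*;(?P<path>[^\[]+?)\s*\["
)
FIREWALL_RE = re.compile(r'"EnableFirewall"\s*=\s*0\b')


def _is_loopback(host: str) -> bool:
    """True for 127.0.0.0/8, ::1 and the literal name 'localhost'."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def proxy_targets(value: str) -> List[str]:
    """Split an IE ProxyServer value ('http=127.0.0.1:9090;https=...' or a
    bare 'host:port') into its host parts."""
    hosts = []
    for entry in value.split(";"):
        entry = entry.split("=", 1)[-1]  # drop a 'http=' scheme prefix
        host = entry.rsplit(":", 1)[0]   # drop the ':port'
        if host:
            hosts.append(host)
    return hosts


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line; an empty list means no hit."""
    findings = []
    for line in log_text.splitlines():
        m = PROXY_RE.search(line)
        if m and any(_is_loopback(h) for h in proxy_targets(m.group("value"))):
            # A proxy on this machine means some local process sits in front
            # of every browser request, which is how the search redirects work.
            findings.append({"rule": "local-proxy",
                             "detail": "IE proxy points at this machine: " + m.group("value")})
            continue
        m = SERVICE_RE.match(line)
        if m:
            name = (m.group("name") + " " + m.group("display")).lower()
            path = m.group("path").strip().lower()
            impersonates = any(tok in name for tok in BUILTIN_SERVICE_TOKENS)
            if impersonates and not path.startswith(WINDOWS_DIR):
                findings.append({"rule": "service-impersonation",
                                 "detail": f"'{m.group('name').strip()}' runs {path}"})
            continue
        if FIREWALL_RE.search(line):
            findings.append({"rule": "firewall-disabled", "detail": line.strip()})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding['rule']}] {finding['detail']}")
```

The service check deliberately compares the image path, not the service name: the real Dnscache runs as a svchost.exe group under c:\windows\system32, so a same-named service with a binary anywhere else is the tell, regardless of how convincing the display name looks.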
Old 11-16-2008, 04:20 PM   #5 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 6
OS: XP


Re: tinyproxy.exe malware: Need Help!!!

Everything done. Here are the logs. Looks like it is clean. It is still a little slow but I don't think that is because of the worm.

Thanks, RC
_________________________________
Kaspersky Scan Log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, November 16, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, November 16, 2008 13:43:47
Records in database: 1387799
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 75234
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:53:13

No malware has been detected. The scan area is clean.

The selected area was scanned.


___________________________________________

ComboFix Log:


ComboFix 08-11-14.01 - Brandi Perry 2008-11-16 13:11:10.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.234 [GMT -6:00]
Running from: c:\documents and settings\Brandi Perry\Desktop\Virus Cleaners\ComboFix.exe
Command switches used :: c:\documents and settings\Brandi Perry\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\f49f4d98.dat
c:\windows\f49f4daa.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DNS_CLIENT_(DNSCACHE)_
-------\Service_DNS Client (Dnscache)


((((((((((((((((((((((((( Files Created from 2008-10-16 to 2008-11-16 )))))))))))))))))))))))))))))))
.

2008-11-16 12:00 . 2008-11-16 12:00 <DIR> d-------- c:\program files\Avira
2008-11-16 12:00 . 2008-11-16 12:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-11-16 11:56 . 2008-11-16 11:55 410,976 --a------ c:\windows\SYSTEM32\deploytk.dll
2008-11-16 11:56 . 2008-11-16 11:56 73,728 --a------ c:\windows\SYSTEM32\javacpl.cpl
2008-11-16 08:28 . 2008-11-16 08:28 <DIR> d-------- C:\Temp
2008-11-15 13:15 . 2008-11-15 13:15 <DIR> d-------- c:\program files\Kaspersky Lab
2008-11-15 13:06 . 2008-11-15 13:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-13 09:32 . 2008-11-13 09:32 <DIR> d-------- C:\rsit
2008-11-13 09:32 . 2008-11-13 09:32 <DIR> d-------- c:\program files\trend micro
2008-11-13 08:54 . 2008-11-13 08:54 250 --a------ c:\windows\gmer.ini
2008-11-08 00:03 . 2008-11-08 00:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2008-10-27 08:08 . 2008-10-27 08:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-27 08:07 . 2008-10-27 08:07 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-10-25 14:12 . 2008-10-25 14:12 <DIR> dr-h----- c:\documents and settings\Rand\Application Data\yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-16 17:55 --------- d-----w c:\program files\Java
2008-11-16 14:31 --------- d-----w c:\program files\Symantec
2008-11-16 14:31 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-15 19:07 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-15 19:07 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-15 18:32 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-13 06:08 --------- d-----w c:\program files\Coupons
2008-11-12 22:50 --------- d-----w c:\documents and settings\Brandi Perry\Application Data\AdobeUM
2008-11-08 07:27 --------- d-----w c:\documents and settings\Brandi Perry\Application Data\Move Networks
2008-10-27 14:08 --------- d-----w c:\program files\Lavasoft
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-12 23:22 --------- d--h--r c:\documents and settings\Brandi Perry\Application Data\yahoo!
2007-02-16 05:03 54 ----a-w c:\documents and settings\Brandi Perry\Application Data\MTC-savedfolder.dat
2007-02-05 02:49 19,968 ----a-w c:\program files\Lecture series letter.doc
.

((((((((((((((((((((((((((((( snapshot@2008-11-14_ 9.29.26.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-11-16 06:33:59 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2008-11-16 15:24:31 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2005-11-16 06:33:59 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2008-11-16 15:24:31 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2005-11-16 06:33:59 49,152 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
+ 2008-11-16 15:24:31 49,152 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
+ 2008-05-09 19:15:51 45,376 ----a-w c:\windows\SYSTEM32\DRIVERS\avgntdd.sys
+ 2008-01-22 00:11:28 22,336 ----a-w c:\windows\SYSTEM32\DRIVERS\avgntmgr.sys
+ 2008-11-16 18:05:23 75,072 ----a-w c:\windows\SYSTEM32\DRIVERS\avipbb.sys
+ 2007-03-01 16:34:22 28,352 ----a-w c:\windows\SYSTEM32\DRIVERS\ssmdrv.sys
- 2005-11-10 16:27:06 49,248 ----a-w c:\windows\SYSTEM32\java.exe
+ 2008-11-16 17:56:00 144,792 ----a-w c:\windows\SYSTEM32\java.exe
- 2005-11-10 16:27:16 49,250 ----a-w c:\windows\SYSTEM32\javaw.exe
+ 2008-11-16 17:56:00 144,792 ----a-w c:\windows\SYSTEM32\javaw.exe
- 2005-11-10 18:03:54 127,078 ----a-w c:\windows\SYSTEM32\javaws.exe
+ 2008-11-16 17:56:00 148,888 ----a-w c:\windows\SYSTEM32\javaws.exe
+ 2008-11-16 19:14:45 16,384 ----atw c:\windows\temp\Perflib_Perfdata_7c0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 536576]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-07-10 270648]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-16 136600]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-28 c:\windows\SYSTEM32\Ati2mdxx.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2003-05-22 16:15 327680 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DadApp]
--a------ 2002-11-01 16:47 208560 c:\program files\Dell\AccessDirect\DadApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Download]
--a------ 2006-10-12 17:12 1185280 c:\temp\SSGet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2003-03-08 22:30 188416 c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2004-12-10 19:44 11776 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2004-12-10 19:44 110592 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
--a------ 2003-06-18 12:00 200704 c:\program files\Microsoft Money\System\mnyexpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2003-09-23 11:23 204800 c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 05:24 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a------ 2003-02-13 01:01 155648 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
--a------ 2002-04-24 19:37 1544192 c:\program files\support.com\bin\tgcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-01-16 16:17 151597 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-03-27 14:22 4670968 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-08-29 05:59 122880 c:\windows\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SymWSC"=2 (0x2)
"LiveUpdate"=3 (0x3)
"ewido security suite control"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"GEARSecurity"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"Speed Disk service"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"NProtectService"=2 (0x2)
"NPFMntor"=2 (0x2)
"Norton Ghost"=2 (0x2)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"WLTRYSVC"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"gusvc"=3 (0x3)
"AVP"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"aawservice"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S2 DNS Client (Dnscache) ;DNS Client (Dnscache) ;c:\program files\tinyproxy\tinyproxy.exe []

*Newly Created Service* - DNS_CLIENT_(DNSCACHE)_
*Newly Created Service* - SSMDRV
.
Contents of the 'Scheduled Tasks' folder

2008-11-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 12:42]

2005-01-17 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1096313504.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-05 23:52]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_06\bin\jusched.exe



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-16 13:16:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\windows\SYSTEM32\LEXPPS.EXE
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-11-16 13:23:43 - machine was rebooted [Brandi Perry]
ComboFix-quarantined-files.txt 2008-11-16 19:23:38
ComboFix2.txt 2008-11-15 18:51:09
ComboFix3.txt 2008-11-14 15:30:02
ComboFix4.txt 2008-11-13 13:55:22

Pre-Run: 13,472,456,704 bytes free
Post-Run: 13,573,619,712 bytes free

201 --- E O F --- 2008-11-13 03:53:48
Old 11-17-2008, 09:55 AM   #6 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: tinyproxy.exe malware: Need Help!!!

Hi,

By slow how is it slow?

If you uninstalled viewpoint, delete this folder: c:\documents and settings\All Users\Application Data\Viewpoint


*I would like you to scan a file for me.

Please go HERE. Copy and paste the following file path in to the box.

c:\temp\SSGet.exe

Then click submit.

Please post the results to your next reply.


*Please turn off all your real-time protection programs, like TeaTimer and Ad-Watch (if they are on), because one of them keeps restoring one malware entry.

Then click Start > Run and copy and paste:

sc delete "DNS Client (Dnscache) "

Press Enter and reboot your computer.


*On your next reply, please post a fresh DDS log and the results of the file scan.
Old 11-18-2008, 09:38 AM   #7 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 6
OS: XP


Re: tinyproxy.exe malware: Need Help!!!

By slow I mean Internet Explorer seems slow. I've removed a few things from the startup list using msconfig and it seems a little better now.

The Viewpoint file has been deleted.

VirusTotal report and DDS log are posted; Attach.txt is attached.

_____________________________
Here is the VirusTotal report:

File SSGet.exe received on 11.18.2008 17:03:49 (CET)

Result: 0/36 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.11.18.2 2008.11.18 -
AntiVir 7.9.0.31 2008.11.18 -
Authentium 5.1.0.4 2008.11.18 -
Avast 4.8.1281.0 2008.11.18 -
AVG 8.0.0.199 2008.11.18 -
BitDefender 7.2 2008.11.18 -
CAT-QuickHeal 10.00 2008.11.18 -
ClamAV 0.94.1 2008.11.18 -
DrWeb 4.44.0.09170 2008.11.18 -
eSafe 7.0.17.0 2008.11.18 -
eTrust-Vet 31.6.6210 2008.11.14 -
Ewido 4.0 2008.11.18 -
F-Prot 4.4.4.56 2008.11.18 -
F-Secure 8.0.14332.0 2008.11.18 -
Fortinet 3.117.0.0 2008.11.18 -
GData 19 2008.11.18 -
Ikarus T3.1.1.45.0 2008.11.18 -
K7AntiVirus 7.10.527 2008.11.18 -
Kaspersky 7.0.0.125 2008.11.18 -
McAfee 5437 2008.11.17 -
Microsoft 1.4104 2008.11.17 -
NOD32 3622 2008.11.18 -
Norman 5.80.02 2008.11.18 -
Panda 9.0.0.4 2008.11.17 -
PCTools 4.4.2.0 2008.11.18 -
Prevx1 V2 2008.11.18 -
Rising 21.04.12.00 2008.11.18 -
SecureWeb-Gateway 6.7.6 2008.11.18 -
Sophos 4.35.0 2008.11.18 -
Sunbelt 3.1.1801.2 2008.11.14 -
Symantec 10 2008.11.18 -
TheHacker 6.3.1.1.157 2008.11.18 -
TrendMicro 8.700.0.1004 2008.11.18 -
VBA32 3.12.8.9 2008.11.18 -
ViRobot 2008.11.18.1474 2008.11.18 -
VirusBuster 4.5.11.0 2008.11.18 -
Additional information
File size: 1185280 bytes
MD5...: 4b7e0b9185ced0fa5ab0753f15686ec2
SHA1..: afb4f753d46056dee11b691518ccf2ee8f6051d1
SHA256: a84f7fa9920accc5cd8205949f1caaa7a0dafff596ecb4bc1d30ba71268e35b8
SHA512: fdd2a97c7e5969141adc14357977d94f9f992a8e25798b70cf3d269a6f9381fe
bd093db3494e92156ddeddc4e0f5185e7f26ceea16f4360c222d158bf51a958f
PEiD..: BobSoft Mini Delphi -> BoB / BobSoft
TrID..: File type identification
Win32 Executable Borland Delphi 7 (85.4%)
InstallShield setup (5.4%)
Win32 EXE PECompact compressed (generic) (5.3%)
Win32 Executable Delphi generic (1.8%)
Win32 Executable Generic (1.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x476cac
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x75d38 0x75e00 6.52 5698067c6dc61b335ecd11f4dc71501a
DATA 0x77000 0x1d04 0x1e00 4.44 dde3fbfe0ad69dbb8102fa27267a4bcb
BSS 0x79000 0xf4d 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x7a000 0x2400 0x2400 5.06 39eb5733210b7ea1aa426ae7bf38e5cb
.tls 0x7d000 0x10 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x7e000 0x18 0x200 0.20 83f9b668ee8bde857efb01d30b8cd14d
.reloc 0x7f000 0x95ac 0x9600 6.63 e2134afb5c1ed7f009ed5921b089697e
.rsrc 0x89000 0x9e000 0x9da00 1.01 1561a1ff5bccbf29a6383a4bb01f8ec2

( 15 imports )
> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
> user32.dll: GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> oleaut32.dll: SysFreeString, SysReAllocStringLen, SysAllocStringLen
> kernel32.dll: TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
> advapi32.dll: RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegDeleteValueA, RegCreateKeyExA, RegCloseKey

( 0 exports )

ThreatExpert info: http://www.threatexpert.com/report.a...b0753f15686ec2

______________________________________________
DDS Log:

DDS (Version 1.0) - NTFSx86
Run by Brandi Perry at 10:26:37.86 on Tue 11/18/2008
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.304 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Brandi Perry\Desktop\Virus Cleaners\dds.scr
C:\DOCUME~1\BRANDI~1\LOCALS~1\Temp\RarSFX0\FI.exe

============== Psuedo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mWindow Title = Microsoft Internet Explorer provided by Comcast
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - c:\program files\yahoo!\common\companion\installs\cpn\yt.dll
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\common\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
O15 -: Trusted Zone: *.musicmatch.com
O15 -: Trusted Zone: *.musicmatch.com
Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office11\MSOXMLMF.DLL

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2008-11-16 12:00 <DIR> --d----- c:\program files\Avira
2008-11-16 12:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2008-11-16 11:56 410,976 a------- c:\windows\system32\deploytk.dll
2008-11-16 11:56 73,728 a------- c:\windows\system32\javacpl.cpl
2008-11-16 08:28 <DIR> --d----- C:\Temp
2008-11-15 13:15 <DIR> --d----- c:\program files\Kaspersky Lab
2008-11-15 13:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2008-11-14 09:16 <DIR> a-dshr-- C:\cmdcons
2008-11-13 09:32 <DIR> --d----- c:\program files\trend micro
2008-11-13 08:54 250 a------- c:\windows\gmer.ini
2008-11-13 07:45 161,792 a------- c:\windows\SWREG.exe
2008-11-13 07:45 98,816 a------- c:\windows\sed.exe
2008-10-27 08:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Lavasoft
2008-10-27 08:07 <DIR> --d----- c:\program files\common files\Wise Installation Wizard

==================== Find3M ====================

2008-11-16 08:31 <DIR> --d----- c:\program files\common files\Symantec Shared
2008-11-16 08:31 <DIR> --d----- c:\program files\Symantec
2008-11-15 13:07 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-11-15 13:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-11-13 00:08 <DIR> --d----- c:\program files\Coupons
2008-11-08 01:27 <DIR> --d----- c:\docume~1\brandi~1\applic~1\Move Networks
2008-10-27 08:08 <DIR> --d----- c:\program files\Lavasoft
2008-10-24 05:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-15 10:57 332,800 a------- c:\windows\system32\dllcache\netapi32.dll
2008-10-03 11:41 6,066,176 -------- c:\windows\system32\dllcache\ieframe.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 05:57 1,846,016 a------- c:\windows\system32\win32k.sys
2008-09-15 05:57 1,846,016 a------- c:\windows\system32\dllcache\win32k.sys
2008-09-04 10:42 1,106,944 a------- c:\windows\system32\msxml3.dll
2008-09-04 10:42 1,106,944 -------- c:\windows\system32\dllcache\msxml3.dll
2008-08-29 16:21 <DIR> --d----- c:\docume~1\brandi~1\applic~1\Viewpoint
2008-08-28 04:04 333,056 -------- c:\windows\system32\dllcache\srv.sys
2008-08-27 02:24 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-08-25 02:38 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-08-25 02:37 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-08-22 23:56 635,848 a------- c:\windows\system32\dllcache\iexplore.exe
2008-08-22 23:54 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-07-20 15:25 <DIR> --d----- c:\docume~1\brandi~1\applic~1\Walgreens
2008-01-23 20:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2006-12-09 08:37 <DIR> --d----- c:\docume~1\brandi~1\applic~1\EBookSys
2006-06-07 11:28 <DIR> --d----- c:\docume~1\brandi~1\applic~1\Podfitness Inc
2006-03-23 19:42 <DIR> --d----- c:\docume~1\brandi~1\applic~1\Intuit
2006-03-23 19:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2005-11-28 12:03 <DIR> --d----- c:\docume~1\brandi~1\applic~1\Symantec
2005-05-28 11:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Dell
2004-12-26 20:35 <DIR> --d----- c:\docume~1\brandi~1\applic~1\Musicmatch
2004-11-07 19:20 <DIR> --d----- c:\docume~1\brandi~1\applic~1\MX
2004-08-08 21:24 <DIR> --d----- c:\docume~1\brandi~1\applic~1\MSN6
2004-07-25 11:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MSN6
2004-04-04 20:23 <DIR> --d----- c:\docume~1\brandi~1\applic~1\AOL
2004-01-16 16:25 <DIR> --d----- c:\docume~1\brandi~1\applic~1\Jasc Software Inc
2004-01-16 16:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SBSI

============= FINISH: 10:27:27.29 ===============
Old 11-18-2008, 05:11 PM   #8 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: tinyproxy.exe malware: Need Help!!!

Hi,

It seems that you disabled Antivir. As I've advised you before in my previous posts, having no antivirus is an open invitation to malware. I'm quite sure you don't want us to go through the cleaning procedures again.

Delete this folder: c:\documents and settings\Brandi Perry\application data\Viewpoint

See if the following helps your speed.

Please download ATF Cleaner - http://www.atribune.org/ccount/click.php?id=1
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.

Last edited by Angelfire777; 11-18-2008 at 05:15 PM.
Old 11-19-2008, 10:02 AM   #9 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 6
OS: XP


Re: tinyproxy.exe malware: Need Help!!!

I have re-enabled AntiVir. I disabled it during the scan so that it wouldn't keep the malware from deleting.

Thanks for all your help.
Old 11-19-2008, 10:16 AM   #10 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: tinyproxy.exe malware: Need Help!!!

Hi,

I assume everything is okay now?


Click start > run > copy and paste:

combofix /u

That will hide your system files, clear your system restore cache and uninstall combofix.


Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"

And miekiemoes' "How to Prevent Malware"

Happy safe surfing!

Note: Please reply to this thread one last time so I can mark it as resolved.
All times are GMT -7. The time now is 11:26 PM.
Copyright 2001 - 2009, Tech Support Forum