Resolved HJT Threads: resolved spyware and popup issues.
12-28-2008, 03:22 PM   #1
Registered User
 
Join Date: Dec 2008
Posts: 8
OS: Windows XP


Hi, Need Help with Malware Infection (Win32.Banker.FSTrojan)

Hi, I've picked up some malware that is sending me false security notices such as:

“Warning! Spyware files: Win32.Banker.FSTrojan.SpyAgent.DA and other detected on your computer! It’s highly recommended to scan the system immediately to remove all spyware and adware programs.”

“Your computer is infected! It is recommended to start spyware cleaner tool.”

“Windows Security Center has detected spyware/adware infection! It is strongly recommended to use special antispyware tools to prevent data loss.”

“System files and register changing are detected. Your PC is under the threat of loss of the data! It is recommended to start the guard scanner.”


I use Trend Micro but it hasn't been able to fix this one, and I'm unable to use system restore or change my desktop background from an involuntary brightly colored display. I've read a little bit about this malware, and I was hoping you could help me get rid of it. Here are the log files:



DDS (Version 1.1.0) - NTFSx86
Run by Sean at 13:15:00.68 on Sun 12/28/2008
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1473 [GMT -8:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\M-Audio MobilePre\Install\MPInst.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\iprntctl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\odb.exe
C:\WINDOWS\runsql.exe
C:\WINDOWS\sv.exe
C:\WINDOWS\svzip.exe
C:\WINDOWS\svw.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
svchost.exe "C:\WINDOWS\system32\1041b.exe"
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Sean\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.newyorktimes.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.newyorktimes.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ccleaner] "c:\program files\ccleaner\CCleaner.exe" /AUTO
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R
uRun: [UpdateWin] c:\windows\system32\1041b.exe
uRunServices: [UpdateWin] c:\windows\system32\1041b.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [IntelZeroConfig] c:\program files\intel\wireless\bin\ZCfgSvc.exe
mRun: [<NO NAME>]
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [SDTray] "c:\program files\spyware doctor\SDTrayApp.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [iPrint Tray] c:\windows\system32\iprntctl.exe TRAY_ICON
mRun: [iPrint Event Monitor] c:\windows\system32\iprntlgn.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [odb] c:\windows\odb.exe
mRun: [UpdateWin] c:\windows\system32\1041b.exe
mRun: [runsql] c:\windows\runsql.exe
mRun: [netsv32] c:\windows\sv.exe
mRun: [netzip] c:\windows\svzip.exe
mRun: [netw] c:\windows\svw.exe
mRunServices: [UpdateWin] c:\windows\system32\1041b.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
STS: IPC Configuration Utility - No File
STS: Windows Installer Class: {020487cc-fc04-4b1e-863f-d9801796230b} - c:\docume~1\sean\locals~1\temp\wndutl32.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sean\applic~1\mozilla\firefox\profiles\yuvdb5aq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.newyorktimes.com

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-7-20 28544]
R1 IKFileFlt;File Filter Driver;c:\windows\system32\drivers\ikfileflt.sys [2008-6-12 39376]
R1 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-6-12 53840]
R1 IkSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-6-12 57424]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-6-12 83024]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2008-10-6 34671]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-5-12 611664]
R2 MobilePreInstallerService;MobilePre Installer;c:\program files\m-audio mobilepre\install\MPInst.exe [2008-8-10 49152]
R2 sdCoreService;Spyware Doctor Service;c:\program files\spyware doctor\swdsvc.exe [2008-6-12 1309264]
R2 tmevtmgr;tmevtmgr;\??\c:\windows\system32\drivers\tmevtmgr.sys [2008-8-30 52240]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-8-29 36368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2008-11-28 24652]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;"c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe" [2008-2-19 106496]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-8-29 333328]
R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2008-8-30 488768]
R3 tmproxy;Trend Micro Proxy Service;"c:\program files\trend micro\internet security\TmProxy.exe" [2008-8-30 648456]
S3 ma763004;M-Audio MobilePre USB;c:\windows\system32\drivers\MA763004.sys [2008-8-10 30976]

=============== Created Last 30 ================

2008-12-27 23:14 <DIR> --d----- c:\program files\SpyNoMore
2008-12-27 23:14 <DIR> --d----- c:\program files\common files\Download Manager
2008-12-27 22:52 <DIR> --d----- c:\program files\Webroot
2008-12-27 22:52 <DIR> --d----- c:\docume~1\sean\applic~1\Webroot
2008-12-27 22:40 <DIR> --d----- c:\program files\Lavasoft
2008-12-27 22:39 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-27 17:38 233,472 a------- c:\windows\svc.exe
2008-12-27 17:38 233,472 a------- c:\windows\svw.exe
2008-12-27 17:37 233,472 a------- c:\windows\svx.exe
2008-12-27 17:37 233,472 a------- c:\windows\wdmon.exe
2008-12-27 17:37 233,472 a------- c:\windows\vlc.exe
2008-12-27 17:36 277,504 a------- c:\windows\svhoster.exe
2008-12-27 17:36 279,552 a------- c:\windows\svzip.exe
2008-12-27 17:36 279,040 a------- c:\windows\sv.exe
2008-12-27 17:36 279,040 a------- c:\windows\runsql.exe
2008-12-27 17:34 128 a--sh--- c:\windows\system32\2700111040.dat
2008-12-27 17:34 201,216 a------- c:\windows\odb.exe
2008-12-27 17:33 40,960 ---shr-- c:\windows\system32\1041b.exe
2008-12-27 17:33 332,800 a------- c:\windows\system32\a.exe
2008-12-24 12:04 <DIR> --d----- c:\program files\iTunes Library Updater
2008-12-16 14:55 <DIR> --d----- c:\program files\Bonjour
2008-12-16 10:41 41,984 -------- c:\windows\Ctregrun.exe
2008-12-16 10:38 306,688 a------- c:\windows\IsUninst.exe
2008-12-16 10:37 71,596 -------- c:\windows\system32\drivers\PfModNT.sys
2008-12-16 10:37 44,032 -------- c:\windows\system32\CTSVCCDA.EXE
2008-12-16 10:37 25,088 -------- c:\windows\system32\CTSVCCTL.EXE
2008-12-16 10:36 <DIR> --d----- c:\program files\Creative
2008-12-13 08:09 12,072 a------- c:\windows\scunin.dat
2008-12-13 08:09 68,096 a------- c:\windows\ScUnin.exe
2008-12-13 08:09 967 a------- c:\windows\ScUnin.pif
2008-12-13 08:08 <DIR> --d----- c:\program files\Starcraft
2008-12-12 08:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 08:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-11-30 21:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Blizzard
2008-11-30 14:38 <DIR> --d----- c:\program files\iPod
2008-11-30 14:38 <DIR> --d----- c:\program files\iTunes
2008-11-30 14:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-29 16:58 <DIR> --d----- c:\program files\Ghostgum
2008-11-29 16:56 <DIR> --d----- c:\program files\gs
2008-11-29 16:54 44,544 a------- c:\windows\system32\msxml4a.dll
2008-11-29 16:54 <DIR> --d----- c:\program files\TeXnicCenter
2008-11-29 10:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MiKTeX
2008-11-29 10:03 <DIR> --d----- c:\program files\MiKTeX 2.7
2008-11-28 19:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2008-11-28 19:26 <DIR> --d----- c:\program files\Viewpoint
2008-11-28 19:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\acccore
2008-11-28 19:25 <DIR> --d----- c:\program files\common files\AOL
2008-11-28 19:25 <DIR> --d----- c:\program files\AIM6
2008-11-28 19:25 373 a---h--- C:\IPH.PH

==================== Find3M ====================

2008-12-27 10:09 17,130 a------- c:\windows\system32\nvModes.dat
2008-11-14 09:11 0 a------- c:\windows\system32\drivers\lvuvc.hs
2008-10-23 04:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 11:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 11:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 17:00 666,112 a------- c:\windows\system32\wininet.dll
2008-10-03 02:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-30 13:43 1,286,152 a------- c:\windows\system32\msxml4.dll

============= FINISH: 13:15:57.31 ===============
Attached Files
File Type: zip Attach.zip (3.8 KB, 1 views)
File Type: zip ark.zip (1.6 KB, 1 views)
Kaschi09 is offline  
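Added example, not code from the thread or from the DDS/ComboFix authors: a short Python script that turns the indicators a malware-removal analyst reads off these logs into rules, so the same checks can be run over the next log instead of by eye. It flags autorun entries whose target sits directly in %windir%, RunServices entries (a Windows 9x key that XP never processes, so only malware still writes it), modules loaded from a temp directory, hex-looking file names in system32, the DisableTaskMgr/DisableRegistryTools/NoSetActiveDesktop policies, and the Security Center DisableNotify values. The sample lines are excerpted verbatim from the DDS Pseudo HJT report above and from the ComboFix "Reg Loading Points" section later in the thread; the rule names, severity labels and the Finding/triage helpers are this example's own, and the rules are heuristics, not signatures.

```python
"""Triage autorun/policy lines from DDS (Pseudo HJT) and ComboFix reports.
Added example, not a tool from the thread. The rules are heuristics: a hit
still needs a human or a hash lookup before anything is deleted."""
import ntpath
import re
from dataclasses import dataclass, field

# Excerpted verbatim from the DDS "Pseudo HJT Report" and the ComboFix
# "Reg Loading Points" section posted in this thread.
SAMPLE_REPORT = r"""
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [UpdateWin] c:\windows\system32\1041b.exe
uRunServices: [UpdateWin] c:\windows\system32\1041b.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [odb] c:\windows\odb.exe
mRun: [netsv32] c:\windows\sv.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
STS: Windows Installer Class: {020487cc-fc04-4b1e-863f-d9801796230b} - c:\docume~1\sean\locals~1\temp\wndutl32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"odb"="c:\windows\odb.exe" [2008-12-27 201216]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"""

WINDIR, SYSTEM32 = r"c:\windows", r"c:\windows\system32"
# Policies the dropper flips so the victim cannot kill it (all four are in the log).
LOCKOUT_POLICIES = {"disabletaskmgr", "disableregistrytools",
                    "nosetactivedesktop", "noactivedesktopchanges"}
# Security Center values that silence the "your AV/firewall is off" warning.
SECCENTER_FLAGS = {"antivirusdisablenotify", "updatesdisablenotify",
                   "firewalldisablenotify", "firewalloverride", "disablemonitoring"}
PATH_RE = re.compile(r'[a-z]:\\[^"\[\]]+?\.(?:exe|dll|sys|com|scr|pif|bat)\b', re.I)
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-f]{8})$', re.I)
HEXLIKE_RE = re.compile(r"[0-9a-f]*\d[0-9a-f]*\.(?:exe|dll)")   # 1041b.exe-style names
RANK = {"": 0, "MEDIUM": 1, "HIGH": 2}


@dataclass
class Finding:
    line: str
    severity: str                    # "HIGH" or "MEDIUM"
    reasons: list = field(default_factory=list)


def _check_path(path: str, reasons: list) -> str:
    """Location rules for one extracted path; returns its severity ('' if clean)."""
    low = path.lower()
    directory, name = ntpath.dirname(low), ntpath.basename(low)
    sev = ""
    if "\\temp\\" in low:
        reasons.append("module loaded from a temp directory")
        sev = "HIGH"
    if directory == WINDIR:
        reasons.append("executable parked directly in %windir%; installers use Program Files")
        sev = "HIGH"
    elif directory == SYSTEM32 and (HEXLIKE_RE.fullmatch(name) or len(name.split(".")[0]) <= 2):
        reasons.append("machine-generated-looking file name in system32")
        sev = sev or "MEDIUM"
    return sev


def triage(report: str) -> list:
    """Return one Finding per suspicious line, in report order."""
    findings, section = [], ""
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):        # REGEDIT4 key header
            section = line[1:-1].lower()
            continue
        key, sep, rest = line.partition(": ")                  # DDS "uRun: [name] cmd"
        if not sep:
            key, rest = "", line
        key, reasons, sev = key.lower(), [], ""
        if key in ("urunservices", "mrunservices"):
            reasons.append("RunServices: Win9x-era key that XP never processes; only malware writes it")
            sev = "HIGH"
        if key.startswith(("upolicies-", "mpolicies-")):
            m = re.match(r"(\w+)\s*=\s*(\d+)", rest)
            if m and m.group(1).lower() in LOCKOUT_POLICIES and m.group(2) != "0":
                reasons.append(f"user lock-out policy {m.group(1)} set")
                sev = "HIGH"
        m = DWORD_RE.match(line)
        if (m and "security center" in section
                and m.group(1).lower() in SECCENTER_FLAGS and int(m.group(2), 16)):
            reasons.append(f"Security Center warning suppressed: {m.group(1)}")
            sev = "HIGH"
        m = PATH_RE.search(rest)
        if m:
            sev = max(sev, _check_path(m.group(0), reasons), key=RANK.get)
        if reasons:
            findings.append(Finding(line, sev, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.severity:6}] {f.line}\n         {'; '.join(f.reasons)}")
```

Run as-is it prints the nine flagged lines; the two benign system32 entries (ctfmon.exe and NvCpl.dll) and the Program Files entries pass, which is the point of checking location and name shape rather than just "is it in system32". Expect false positives from old software that drops EXEs straight into %windir%; the creation timestamps in the DDS "Created Last 30" section are the natural second check, and in this log every flagged binary was created within a minute of the others on 2008-12-27.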
12-28-2008, 04:12 PM   #2
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Hi, Need Help with Malware Infection (Win32.Banker.FSTrojan)

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
__________________
UNITE and ASAP since 2006


Angelfire777 is offline  
12-28-2008, 05:11 PM   #3
Registered User
 
Join Date: Dec 2008
Posts: 8
OS: Windows XP


Re: Hi, Need Help with Malware Infection (Win32.Banker.FSTrojan)

Thanks, here's the ComboFix log:



ComboFix 08-12-28.01 - Sean 2008-12-28 16:04:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1467 [GMT -8:00]
Running from: c:\documents and settings\Sean\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sean\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Sean\Application Data\~tmp.html
c:\windows\runsql.exe
c:\windows\sv.exe
c:\windows\svc.exe
c:\windows\svhoster.exe
c:\windows\svw.exe
c:\windows\svx.exe
c:\windows\svzip.exe
c:\windows\system32\a.exe
c:\windows\vlc.exe
c:\windows\wdmon.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-28 )))))))))))))))))))))))))))))))
.

2008-12-28 13:18 . 2008-12-28 13:18 250 --a------ c:\windows\gmer.ini
2008-12-27 23:14 . 2008-12-27 23:16 <DIR> d-------- c:\program files\SpyNoMore
2008-12-27 23:14 . 2008-12-27 23:14 <DIR> d-------- c:\program files\Common Files\Download Manager
2008-12-27 22:52 . 2008-12-27 22:52 <DIR> d-------- c:\program files\Webroot
2008-12-27 22:52 . 2008-12-27 22:52 <DIR> d-------- c:\documents and settings\Sean\Application Data\Webroot
2008-12-27 22:40 . 2008-12-27 22:40 <DIR> d-------- c:\program files\Lavasoft
2008-12-27 22:39 . 2008-12-27 22:39 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-27 17:34 . 2008-12-27 17:33 201,216 --a------ c:\windows\odb.exe
2008-12-27 17:34 . 2008-12-27 17:35 128 --ahs---- c:\windows\system32\2700111040.dat
2008-12-27 17:33 . 2008-12-27 17:33 40,960 -r-hs---- c:\windows\system32\1041b.exe
2008-12-24 12:04 . 2008-12-24 12:04 <DIR> d-------- c:\program files\iTunes Library Updater
2008-12-16 14:55 . 2008-12-16 14:55 <DIR> d-------- c:\program files\Bonjour
2008-12-16 11:38 . 2008-12-16 13:14 <DIR> d-------- c:\documents and settings\Sean\Application Data\Creative
2008-12-16 10:41 . 1999-10-10 17:00 41,984 --------- c:\windows\Ctregrun.exe
2008-12-16 10:38 . 1998-10-29 13:45 306,688 --a------ c:\windows\IsUninst.exe
2008-12-16 10:37 . 2004-06-03 09:10 71,596 --------- c:\windows\system32\drivers\PfModNT.sys
2008-12-16 10:37 . 1999-12-12 17:01 44,032 --------- c:\windows\system32\CTSVCCDA.EXE
2008-12-16 10:37 . 1999-11-17 17:00 25,088 --------- c:\windows\system32\CTSVCCTL.EXE
2008-12-16 10:36 . 2008-12-16 10:41 <DIR> d-------- c:\program files\Creative
2008-12-13 08:09 . 2008-12-13 08:09 68,096 --a------ c:\windows\ScUnin.exe
2008-12-13 08:09 . 2008-12-13 08:09 12,072 --a------ c:\windows\scunin.dat
2008-12-13 08:09 . 2008-12-13 08:09 967 --a------ c:\windows\ScUnin.pif
2008-12-13 08:08 . 2008-12-27 10:07 <DIR> d-------- c:\program files\Starcraft
2008-12-12 08:18 . 2008-12-12 08:18 87,336 --a------ c:\windows\system32\dns-sd.exe
2008-12-12 08:11 . 2008-12-12 08:11 61,440 --a------ c:\windows\system32\dnssd.dll
2008-11-30 21:59 . 2008-11-30 21:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard
2008-11-30 14:38 . 2008-11-30 14:38 <DIR> d-------- c:\program files\iTunes
2008-11-30 14:38 . 2008-11-30 14:38 <DIR> d-------- c:\program files\iPod
2008-11-30 14:38 . 2008-11-30 14:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-29 16:58 . 2008-11-29 16:58 <DIR> d-------- c:\program files\Ghostgum
2008-11-29 16:56 . 2008-11-29 16:56 <DIR> d-------- c:\program files\gs
2008-11-29 16:54 . 2008-11-29 16:54 <DIR> d-------- c:\program files\TeXnicCenter
2008-11-29 16:54 . 2006-05-28 13:39 44,544 --a------ c:\windows\system32\msxml4a.dll
2008-11-29 10:16 . 2008-11-29 10:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\MiKTeX
2008-11-29 10:03 . 2008-11-29 10:12 <DIR> d-------- c:\program files\MiKTeX 2.7
2008-11-28 19:44 . 2008-11-28 19:45 <DIR> d-------- c:\program files\QuickTime
2008-11-28 19:34 . 2008-11-28 19:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\nView_Profiles
2008-11-28 19:26 . 2008-11-28 19:26 <DIR> d-------- c:\program files\Viewpoint
2008-11-28 19:26 . 2008-11-28 19:26 <DIR> d-------- c:\documents and settings\Sean\Application Data\acccore
2008-11-28 19:26 . 2008-11-28 19:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-28 19:26 . 2008-11-28 19:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-28 19:25 . 2008-11-28 19:25 <DIR> d-------- c:\program files\Common Files\AOL
2008-11-28 19:25 . 2008-11-28 19:26 <DIR> d-------- c:\program files\AIM6
2008-11-28 19:25 . 2008-11-28 19:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL OCP
2008-11-28 19:25 . 2008-11-28 19:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL
2008-11-28 19:25 . 2008-11-28 19:26 373 --ah----- C:\IPH.PH

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 21:18 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-28 06:09 --------- d-----w c:\documents and settings\Sean\Application Data\U3
2008-12-18 04:34 --------- d-----w c:\program files\DC++
2008-12-18 04:32 --------- d-----w c:\documents and settings\Sean\Application Data\Skype
2008-12-18 00:33 --------- d-----w c:\documents and settings\Sean\Application Data\skypePM
2008-12-16 18:41 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-11 16:03 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-11 06:02 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-11-30 22:38 --------- d-----w c:\program files\Common Files\Apple
2008-11-30 04:48 --------- d-----w c:\documents and settings\Sean\Application Data\Apple Computer
2008-11-30 04:33 --------- d-----w c:\program files\Winamp
2008-11-30 04:30 --------- d-----w c:\documents and settings\Sean\Application Data\Winamp
2008-11-28 02:24 --------- d-----w c:\program files\NCH Swift Sound
2008-11-28 02:24 --------- d-----w c:\documents and settings\Sean\Application Data\NCH Swift Sound
2008-11-28 02:24 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2008-11-19 20:18 --------- d-----w c:\program files\Apple Software Update
2008-11-17 07:12 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-17 07:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-11-14 17:11 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-12-15 22:55 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-15 22:55 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-15 22:55 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-15 22:55 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-15 22:55 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

2007-10-30 08:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 02:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 03:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 03:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 02:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-04 02:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB941644$\tcpip.sys
2008-04-13 11:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2007-10-30 09:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
2008-04-13 11:20 361344 accf5a9a1ffaa490f33dba1c632b95e1 c:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 03:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\dllcache\tcpip.sys
2008-06-20 03:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-16 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 202024]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2008-05-28 1197296]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-04-03 165784]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-08 7118848]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-07-22 401408]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-22 385024]
"SDTray"="c:\program files\Spyware Doctor\SDTrayApp.exe" [2007-06-27 1051464]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-09-22 1398024]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2007-09-06 40960]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2007-09-06 45056]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"odb"="c:\windows\odb.exe" [2008-12-27 201216]
"nwiz"="nwiz.exe" [2005-09-08 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2005-07-22 21:46 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
UpdateWin REG_SZ c:\windows\system32\1041b.exe

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^M-Audio MobilePre Control Panel Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\M-Audio MobilePre Control Panel Launcher.lnk
backup=c:\windows\pss\M-Audio MobilePre Control Panel Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WD Anywhere Backup Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WD Anywhere Backup Launcher.lnk
backup=c:\windows\pss\WD Anywhere Backup Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Sean^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Sean\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-10-21 09:09 50472 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoBoingo]
--a------ 2008-11-27 09:54 2155 c:\program files\Boingo\GoBoingo\GoBoingo.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 10:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2007-07-25 15:06 2027792 c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Drive Manager]
--a------ 2008-02-19 01:13 438272 c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access 0
"1701:TCP"= 1701:TCP:MioNet Remote Drive Access 1
"1702:TCP"= 1702:TCP:MioNet Remote Drive Access 2
"1703:TCP"= 1703:TCP:MioNet Remote Drive Access 3
"1704:TCP"= 1704:TCP:MioNet Remote Drive Access 4
"1705:TCP"= 1705:TCP:MioNet Remote Drive Access 5
"1706:TCP"= 1706:TCP:MioNet Remote Drive Access 6
"1707:TCP"= 1707:TCP:MioNet Remote Drive Access 7
"1708:TCP"= 1708:TCP:MioNet Remote Drive Access 8
"1709:TCP"= 1709:TCP:MioNet Remote Drive Access 9
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration
"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-07-20 28544]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2008-10-06 34671]
R2 MobilePreInstallerService;MobilePre Installer;c:\program files\M-Audio MobilePre\Install\MPInst.exe [2008-08-10 49152]
R2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2008-08-29 36368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-11-28 24652]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;"c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe" [2008-02-19 106496]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2008-08-29 333328]
S2 tmevtmgr;tmevtmgr;\??\c:\windows\system32\drivers\tmevtmgr.sys [2008-08-30 52240]
S3 ma763004;M-Audio MobilePre USB;c:\windows\system32\drivers\MA763004.sys [2008-08-10 30976]
S3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2008-08-30 488768]
S3 tmproxy;Trend Micro Proxy Service;"c:\program files\Trend Micro\Internet Security\TmProxy.exe" [2008-08-30 648456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{478d7440-3981-11dd-913b-00123fe774d2}]
\Shell\AutoRun\command - e:\wd_windows_tools\setup.exe

*Newly Created Service* - GMER
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-12-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 09:34]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
SharedTaskScheduler-IPC Configuration Utility - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.newyorktimes.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.newyorktimes.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Sean\Application Data\Mozilla\Firefox\Profiles\yuvdb5aq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.newyorktimes.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-28 16:05:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2008-12-28 1623
ComboFix-quarantined-files.txt 2008-12-29 0012

Pre-Run: 34,063,814,656 bytes free
Post-Run: 34,061,598,720 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

276 --- E O F --- 2008-12-19 15:31:30
Old 12-29-2008, 12:29 PM   #4 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 8
OS: Windows XP


Re: Hi, Need Help with Malware Infection (Win32.Banker.FSTrojan)

Hey, since I posted the ComboFix log above, a program called Spyware Guard 2008 has installed itself and keeps reinstalling whenever I try to remove it.

Most of the other problems have gone away though: I'm no longer receiving the fake security notices and I can change my desktop background. I've scanned with AdAware and Trend Micro, and they've cleaned up some things, but Spyware Guard is still active (Trend Micro is currently blocking it from running, but it does keep reinstalling itself).

Do you have any advice for removing Spyware Guard? Should I run ComboFix again?
Old 12-29-2008, 12:46 PM   #5 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Hi, Need Help with Malware Infection (Win32.Banker.FSTrojan)

Yes please run it one more time and post the log. I want to see if anything changed.
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Old 12-29-2008, 04:08 PM   #6 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 8
OS: Windows XP


Re: Hi, Need Help with Malware Infection (Win32.Banker.FSTrojan)

Hey, I'm having difficulty running ComboFix again. Double-clicking isn't doing anything - I downloaded it again and it still doesn't work. I also tried accessing this forum from the infected computer to get the link again, but Firefox has a problem loading the page. I can visit other sites, but not this forum or the ComboFix instruction page at BleepingComputer. I'm not really sure what's going on. What should I try next?
Old 12-29-2008, 05:43 PM   #7 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Hi, Need Help with Malware Infection (Win32.Banker.FSTrojan)

Please rename combofix.exe to cfix.exe then try again.
Old 12-29-2008, 08:29 PM   #8 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 8
OS: Windows XP


Re: Hi, Need Help with Malware Infection (Win32.Banker.FSTrojan)

Sweet, the renaming worked. Here's the new log:

Is there anything else I should do?



ComboFix 08-12-28.04 - Sean 2008-12-29 18:51:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1645 [GMT -8:00]
Running from: c:\documents and settings\Sean\Desktop\cfix.exe.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\moduleie.dll
c:\documents and settings\All Users\Application Data\svhost.exe
c:\program files\Spyware Guard 2008
c:\program files\Spyware Guard 2008\conf.cfg
c:\program files\Spyware Guard 2008\mbase.vdb
c:\program files\Spyware Guard 2008\quarantine.vdb
c:\program files\Spyware Guard 2008\queue.vdb
c:\program files\Spyware Guard 2008\spywareguard.exe
c:\program files\Spyware Guard 2008\uninstall.exe
c:\program files\Spyware Guard 2008\vbase.vdb
c:\windows\reged.exe
c:\windows\spoolsystem.exe
c:\windows\sys.com
c:\windows\syscert.exe
c:\windows\sysexplorer.exe
c:\windows\system32\drivers\TDSSmuct.sys
c:\windows\system32\TDSSkley.dll
c:\windows\system32\TDSSotoy.dll
c:\windows\system32\TDSStfnv.dat
c:\windows\system32\TDSSuhuy.dll
c:\windows\system32\TDSSuhvt.dll
c:\windows\system32\TDSSwrtk.dll
c:\windows\system32\TDSSwwbr.log
c:\windows\system32\winscenter.exe
c:\windows\vmreg.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv.sys
-------\Legacy_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))
.

2008-12-29 18:44 . 2008-12-29 18:44 <DIR> d-------- C:\32788R22FWJFW.0.tmp
2008-12-28 15:49 . 2008-12-28 16:06 <DIR> d-------- C:\ComboFix
2008-12-28 13:18 . 2008-12-28 13:18 250 --a------ c:\windows\gmer.ini
2008-12-27 23:14 . 2008-12-27 23:16 <DIR> d-------- c:\program files\SpyNoMore
2008-12-27 23:14 . 2008-12-27 23:14 <DIR> d-------- c:\program files\Common Files\Download Manager
2008-12-27 22:52 . 2008-12-27 22:52 <DIR> d-------- c:\program files\Webroot
2008-12-27 22:52 . 2008-12-27 22:52 <DIR> d-------- c:\documents and settings\Sean\Application Data\Webroot
2008-12-27 22:40 . 2008-12-27 22:40 <DIR> d-------- c:\program files\Lavasoft
2008-12-27 22:39 . 2008-12-27 22:39 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-27 17:34 . 2008-12-27 17:33 201,216 --a------ c:\windows\odb.exe
2008-12-27 17:34 . 2008-12-27 17:35 128 --ahs---- c:\windows\system32\2700111040.dat
2008-12-27 17:33 . 2008-12-27 17:33 40,960 -r-hs---- c:\windows\system32\1041b.exe
2008-12-24 12:04 . 2008-12-24 12:04 <DIR> d-------- c:\program files\iTunes Library Updater
2008-12-16 14:55 . 2008-12-16 14:55 <DIR> d-------- c:\program files\Bonjour
2008-12-16 11:38 . 2008-12-16 13:14 <DIR> d-------- c:\documents and settings\Sean\Application Data\Creative
2008-12-16 10:41 . 1999-10-10 17:00 41,984 --------- c:\windows\Ctregrun.exe
2008-12-16 10:38 . 1998-10-29 13:45 306,688 --a------ c:\windows\IsUninst.exe
2008-12-16 10:37 . 2004-06-03 09:10 71,596 --------- c:\windows\system32\drivers\PfModNT.sys
2008-12-16 10:37 . 1999-12-12 17:01 44,032 --------- c:\windows\system32\CTSVCCDA.EXE
2008-12-16 10:37 . 1999-11-17 17:00 25,088 --------- c:\windows\system32\CTSVCCTL.EXE
2008-12-16 10:36 . 2008-12-16 10:41 <DIR> d-------- c:\program files\Creative
2008-12-13 08:09 . 2008-12-13 08:09 68,096 --a------ c:\windows\ScUnin.exe
2008-12-13 08:09 . 2008-12-13 08:09 12,072 --a------ c:\windows\scunin.dat
2008-12-13 08:09 . 2008-12-13 08:09 967 --a------ c:\windows\ScUnin.pif
2008-12-13 08:08 . 2008-12-27 10:07 <DIR> d-------- c:\program files\Starcraft
2008-12-12 08:18 . 2008-12-12 08:18 87,336 --a------ c:\windows\system32\dns-sd.exe
2008-12-12 08:11 . 2008-12-12 08:11 61,440 --a------ c:\windows\system32\dnssd.dll
2008-11-30 21:59 . 2008-11-30 21:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard
2008-11-30 14:38 . 2008-11-30 14:38 <DIR> d-------- c:\program files\iTunes
2008-11-30 14:38 . 2008-11-30 14:38 <DIR> d-------- c:\program files\iPod
2008-11-30 14:38 . 2008-11-30 14:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-29 16:58 . 2008-11-29 16:58 <DIR> d-------- c:\program files\Ghostgum
2008-11-29 16:56 . 2008-11-29 16:56 <DIR> d-------- c:\program files\gs
2008-11-29 16:54 . 2008-11-29 16:54 <DIR> d-------- c:\program files\TeXnicCenter
2008-11-29 16:54 . 2006-05-28 13:39 44,544 --a------ c:\windows\system32\msxml4a.dll
2008-11-29 10:16 . 2008-11-29 10:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\MiKTeX
2008-11-29 10:03 . 2008-11-29 10:12 <DIR> d-------- c:\program files\MiKTeX 2.7
2008-11-28 19:44 . 2008-11-28 19:45 <DIR> d-------- c:\program files\QuickTime
2008-11-28 19:34 . 2008-11-28 19:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\nView_Profiles
2008-11-28 19:26 . 2008-11-28 19:26 <DIR> d-------- c:\program files\Viewpoint
2008-11-28 19:26 . 2008-11-28 19:26 <DIR> d-------- c:\documents and settings\Sean\Application Data\acccore
2008-11-28 19:26 . 2008-11-28 19:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-28 19:26 . 2008-11-28 19:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-28 19:25 . 2008-11-28 19:25 <DIR> d-------- c:\program files\Common Files\AOL
2008-11-28 19:25 . 2008-11-28 19:26 <DIR> d-------- c:\program files\AIM6
2008-11-28 19:25 . 2008-11-28 19:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL OCP
2008-11-28 19:25 . 2008-11-28 19:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL
2008-11-28 19:25 . 2008-11-28 19:26 373 --ah----- C:\IPH.PH
2008-11-27 18:24 . 2008-11-27 18:24 <DIR> d-------- c:\documents and settings\Sean\Application Data\NCH Swift Sound
2008-11-27 18:24 . 2008-11-27 18:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2008-11-27 18:22 . 2008-11-27 18:24 <DIR> d-------- c:\program files\NCH Swift Sound
2008-11-16 23:13 . 2008-11-29 20:48 <DIR> d-------- c:\documents and settings\Sean\Application Data\Apple Computer
2008-11-16 23:11 . 2008-11-19 12:18 <DIR> d-------- c:\program files\Apple Software Update
2008-11-16 23:11 . 2008-11-16 23:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-16 23:10 . 2008-11-30 14:38 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-16 23:10 . 2008-11-16 23:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-11-16 22:28 . 2008-12-17 20:34 <DIR> d-------- c:\program files\DC++
2008-11-12 12:44 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 12:35 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-04 07:30 . 2008-11-04 07:30 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx
2008-11-04 07:30 . 2008-11-04 07:30 57,344 --a------ c:\windows\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-29 22:19 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-28 06:09 --------- d-----w c:\documents and settings\Sean\Application Data\U3
2008-12-18 04:32 --------- d-----w c:\documents and settings\Sean\Application Data\Skype
2008-12-18 00:33 --------- d-----w c:\documents and settings\Sean\Application Data\skypePM
2008-12-16 18:41 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-11 16:03 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-11 06:02 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-11-30 04:33 --------- d-----w c:\program files\Winamp
2008-11-30 04:30 --------- d-----w c:\documents and settings\Sean\Application Data\Winamp
2008-11-14 17:11 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-23 21:46 245,408 ----a-w c:\windows\system32\unicows.dll
2008-09-20 02:01 233,472 ----a-w c:\windows\system32\REX Shared Library.dll
2008-09-20 02:01 225,280 ----a-w c:\windows\system32\ReWire.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-12-15 22:55 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-15 22:55 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-15 22:55 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-15 22:55 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-15 22:55 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

2007-10-30 08:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 02:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 03:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 03:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 02:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-04 02:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB941644$\tcpip.sys
2008-04-13 11:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2007-10-30 09:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
2008-04-13 11:20 361344 accf5a9a1ffaa490f33dba1c632b95e1 c:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 03:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\dllcache\tcpip.sys
2008-06-20 03:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-12-28_16.05.53.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-31 00:48:54 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-29 21:57:54 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-08-31 00:48:54 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-29 21:57:54 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-08-31 00:48:54 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-29 21:57:54 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-16 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 202024]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2008-05-28 1197296]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-04-03 165784]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-08 7118848]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-07-22 401408]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-22 385024]
"SDTray"="c:\program files\Spyware Doctor\SDTrayApp.exe" [2007-06-27 1051464]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-09-22 1398024]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2007-09-06 40960]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2007-09-06 45056]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"odb"="c:\windows\odb.exe" [2008-12-27 201216]
"nwiz"="nwiz.exe" [2005-09-08 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2005-07-22 21:46 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
UpdateWin REG_SZ c:\windows\system32\1041b.exe

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^M-Audio MobilePre Control Panel Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\M-Audio MobilePre Control Panel Launcher.lnk
backup=c:\windows\pss\M-Audio MobilePre Control Panel Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WD Anywhere Backup Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WD Anywhere Backup Launcher.lnk
backup=c:\windows\pss\WD Anywhere Backup Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Sean^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Sean\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-10-21 09:09 50472 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoBoingo]
--a------ 2008-11-27 09:54 2155 c:\program files\Boingo\GoBoingo\GoBoingo.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 10:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2007-07-25 15:06 2027792 c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Drive Manager]
--a------ 2008-02-19 01:13 438272 c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access 0
"1701:TCP"= 1701:TCP:MioNet Remote Drive Access 1
"1702:TCP"= 1702:TCP:MioNet Remote Drive Access 2
"1703:TCP"= 1703:TCP:MioNet Remote Drive Access 3
"1704:TCP"= 1704:TCP:MioNet Remote Drive Access 4
"1705:TCP"= 1705:TCP:MioNet Remote Drive Access 5
"1706:TCP"= 1706:TCP:MioNet Remote Drive Access 6
"1707:TCP"= 1707:TCP:MioNet Remote Drive Access 7
"1708:TCP"= 1708:TCP:MioNet Remote Drive Access 8
"1709:TCP"= 1709:TCP:MioNet Remote Drive Access 9
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration
"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-07-20 28544]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2008-10-06 34671]
R2 MobilePreInstallerService;MobilePre Installer;c:\program files\M-Audio MobilePre\Install\MPInst.exe [2008-08-10 49152]
R2 tmevtmgr;tmevtmgr;\??\c:\windows\system32\drivers\tmevtmgr.sys [2008-08-30 52240]
R2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2008-08-29 36368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-11-28 24652]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;"c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe" [2008-02-19 106496]
R3 ma763004;M-Audio MobilePre USB;c:\windows\system32\drivers\MA763004.sys [2008-08-10 30976]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2008-08-29 333328]
R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2008-08-30 488768]
R3 tmproxy;Trend Micro Proxy Service;"c:\program files\Trend Micro\Internet Security\TmProxy.exe" [2008-08-30 648456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{478d7440-3981-11dd-913b-00123fe774d2}]
\Shell\AutoRun\command - e:\wd_windows_tools\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 09:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-spywareguard - c:\program files\Spyware Guard 2008\spywareguard.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.newyorktimes.com/
mStart Page = hxxp://www.newyorktimes.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: free.aol.com
FF - ProfilePath - c:\documents and settings\Sean\Application Data\Mozilla\Firefox\Profiles\yuvdb5aq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.newyorktimes.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-29 18:59:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSmuct.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2008-12-29 19:02:44
ComboFix-quarantined-files.txt 2008-12-30 03:00:18
ComboFix2.txt 2008-12-29 0025

Pre-Run: 33,659,162,624 bytes free
Post-Run: 33,640,562,688 bytes free

306 --- E O F --- 2008-12-19 15:31:30
Old 12-30-2008, 12:27 PM   #9 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Hi, Need Help with Malware Infection (Win32.Banker.FSTrojan)

Hi

*I see you have Viewpoint installed...
Viewpoint-related software is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we knew in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player


*Open notepad.
Copy and paste the text inside the code box below to notepad
Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/328810-hi-need-help-malware-infection-win32-banker-fstrojan.html
File::
c:\windows\system32\drivers\lvuvc.hs
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"UpdateWin"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"FirewallOverride"=dword:00000000
Collect::
c:\windows\system32\1041b.exe
Filelook::
c:\windows\odb.exe
Dirlook::
c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
  • Save and name it as "CFScript"
  • Drag and drop CFScript.txt onto your copy of ComboFix.
  • You can take a look at the image below if you're unsure on how to do it.
  • ComboFix will restart your machine, then it will produce a log afterwards.
  • Please post the contents of that log.

When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

If you're not prompted to upload the file, ComboFix will generate a zipped file at C:\Qoobox\Quarantine\[4]Submit@Date_Time.zip.
Please submit this file to http://www.bleepingcomputer.com/subm....php?channel=4.


*Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

On your next reply, please include the:
  • ESET scan log
  • ComboFix log
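As an added example (not part of this thread, and not ComboFix's own code), here is a small Python parser that reads a ComboFix log in the format posted above and flags the Security Center, Windows Firewall and LSA entries that the CFScript above resets or removes, so a helper can spot the tampering without reading the whole log by hand. The sample log embedded in it is constructed from the format of the logs in this thread, and the "why" text for each value is this example's own explanation.

```python
"""Added example (not part of the thread or of ComboFix): scan the text of a
ComboFix log for the Security Center, firewall and LSA entries that the
CFScript above resets, and report why each one matters."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    key: str    # registry key (lower-cased) or "header" for the AV:/FW: lines
    name: str
    value: str
    why: str


# Values that, when set as shown, silence or bypass the XP Security Center
# and Windows Firewall. Key fragments are matched against the lower-cased key.
SUSPECT = [
    ("software\\microsoft\\security center", "AntiVirusDisableNotify", "1",
     "hides the Security Center 'no antivirus' alert"),
    ("software\\microsoft\\security center", "UpdatesDisableNotify", "1",
     "hides the Security Center 'updates off' alert"),
    ("software\\microsoft\\security center", "FirewallOverride", "1",
     "hides the Security Center 'firewall off' alert"),
    ("security center\\monitoring\\", "DisableMonitoring", "1",
     "stops Security Center from monitoring the named product"),
    ("firewallpolicy\\standardprofile", "EnableFirewall", "0",
     "Windows Firewall standard profile is turned off"),
]

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.*)$')
STATUS_RE = re.compile(r"^(?P<kind>AV|FW):\s*(?P<product>.+?)\s*\*(?P<state>[^*]+)\*")


def normalize(raw):
    """Reduce the value forms ComboFix prints ('dword:00000001', ' 0 (0x0)')
    to a plain decimal string; anything else is returned stripped."""
    raw = raw.strip()
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
    if m:
        return str(int(m.group(1), 16))
    m = re.fullmatch(r"(\d+)\s*\(0x[0-9a-fA-F]+\)", raw)
    if m:
        return m.group(1)
    return raw


def scan_combofix_log(text):
    """Return a list of Finding for every tampering indicator in the log text."""
    findings = []
    current_key = ""
    for line in text.splitlines():
        line = line.rstrip()
        if not line.strip():
            continue
        m = STATUS_RE.match(line)
        if m:
            if "disabled" in m.group("state").lower():
                findings.append(Finding("header", m.group("kind"), m.group("state"),
                                        f"{m.group('product')} reports: {m.group('state')}"))
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        # ComboFix only lists non-default values under the LSA key; the CFScript
        # above removes the UpdateWin entry found there, so flag anything listed.
        if current_key.endswith("control\\lsa"):
            findings.append(Finding(current_key, line.split()[0], line,
                                    "non-default value under the LSA key; review it"))
            continue
        m = VALUE_RE.match(line)
        if not m or not current_key:
            continue
        name, value = m.group("name"), normalize(m.group("raw"))
        for key_part, bad_name, bad_value, why in SUSPECT:
            if key_part in current_key and name.lower() == bad_name.lower() and value == bad_value:
                findings.append(Finding(current_key, name, value, why))
    return findings


# Constructed sample in the ComboFix format of the logs posted in this thread.
SAMPLE_LOG = r"""ComboFix 08-12-28.04 - Sean 2008-12-29 18:51:59.2 - NTFSx86
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
UpdateWin REG_SZ c:\windows\system32\1041b.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

if __name__ == "__main__":
    for f in scan_combofix_log(SAMPLE_LOG):
        print(f"{f.name:24} = {f.value:30} {f.why}")
```

Run against a full log, the same rules pass silently over the Run keys, firewall exception lists and service lines, and only the header status lines and the tampered values are reported.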
Old 12-30-2008, 11:36 PM   #10 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 8
OS: Windows XP


Re: Hi, Need Help with Malware Infection (Win32.Banker.FSTrojan)

Hey, the file has been submitted for analysis. Here are the logs:



ComboFix 08-12-28.04 - Sean 2008-12-30 19:58:17.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1558 [GMT -8:00]
Running from: c:\documents and settings\Sean\Desktop\cfix.exe.exe
Command switches used :: c:\documents and settings\Sean\Desktop\CFScript.txt
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\drivers\lvuvc.hs
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\1041b.exe
c:\windows\system32\drivers\lvuvc.hs

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-31 )))))))))))))))))))))))))))))))
.

2008-12-29 18:44 . 2008-12-29 18:44 <DIR> d-------- C:\32788R22FWJFW.0.tmp
2008-12-28 15:49 . 2008-12-28 16:06 <DIR> d-------- C:\ComboFix
2008-12-28 13:18 . 2008-12-28 13:18 250 --a------ c:\windows\gmer.ini
2008-12-27 23:14 . 2008-12-27 23:16 <DIR> d-------- c:\program files\SpyNoMore
2008-12-27 23:14 . 2008-12-27 23:14 <DIR> d-------- c:\program files\Common Files\Download Manager
2008-12-27 22:52 . 2008-12-27 22:52 <DIR> d-------- c:\program files\Webroot
2008-12-27 22:52 . 2008-12-27 22:52 <DIR> d-------- c:\documents and settings\Sean\Application Data\Webroot
2008-12-27 22:40 . 2008-12-27 22:40 <DIR> d-------- c:\program files\Lavasoft
2008-12-27 22:39 . 2008-12-27 22:39 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-27 17:34 . 2008-12-27 17:33 201,216 --a------ c:\windows\odb.exe
2008-12-27 17:34 . 2008-12-27 17:35 128 --ahs---- c:\windows\system32\2700111040.dat
2008-12-24 12:04 . 2008-12-24 12:04 <DIR> d-------- c:\program files\iTunes Library Updater
2008-12-16 14:55 . 2008-12-16 14:55 <DIR> d-------- c:\program files\Bonjour
2008-12-16 11:38 . 2008-12-16 13:14 <DIR> d-------- c:\documents and settings\Sean\Application Data\Creative
2008-12-16 10:41 . 1999-10-10 17:00 41,984 --------- c:\windows\Ctregrun.exe
2008-12-16 10:38 . 1998-10-29 13:45 306,688 --a------ c:\windows\IsUninst.exe
2008-12-16 10:37 . 2004-06-03 09:10 71,596 --------- c:\windows\system32\drivers\PfModNT.sys
2008-12-16 10:37 . 1999-12-12 17:01 44,032 --------- c:\windows\system32\CTSVCCDA.EXE
2008-12-16 10:37 . 1999-11-17 17:00 25,088 --------- c:\windows\system32\CTSVCCTL.EXE
2008-12-16 10:36 . 2008-12-16 10:41 <DIR> d-------- c:\program files\Creative
2008-12-13 08:09 . 2008-12-13 08:09 68,096 --a------ c:\windows\ScUnin.exe
2008-12-13 08:09 . 2008-12-13 08:09 12,072 --a------ c:\windows\scunin.dat
2008-12-13 08:09 . 2008-12-13 08:09 967 --a------ c:\windows\ScUnin.pif
2008-12-13 08:08 . 2008-12-27 10:07 <DIR> d-------- c:\program files\Starcraft
2008-12-12 08:18 . 2008-12-12 08:18 87,336 --a------ c:\windows\system32\dns-sd.exe
2008-12-12 08:11 . 2008-12-12 08:11 61,440 --a------ c:\windows\system32\dnssd.dll
2008-11-30 21:59 . 2008-11-30 21:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard
2008-11-30 14:38 . 2008-11-30 14:38 <DIR> d-------- c:\program files\iTunes
2008-11-30 14:38 . 2008-11-30 14:38 <DIR> d-------- c:\program files\iPod
2008-11-30 14:38 . 2008-11-30 14:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-29 16:58 . 2008-11-29 16:58 <DIR> d-------- c:\program files\Ghostgum
2008-11-29 16:56 . 2008-11-29 16:56 <DIR> d-------- c:\program files\gs
2008-11-29 16:54 . 2008-11-29 16:54 <DIR> d-------- c:\program files\TeXnicCenter
2008-11-29 16:54 . 2006-05-28 13:39 44,544 --a------ c:\windows\system32\msxml4a.dll
2008-11-29 10:16 . 2008-11-29 10:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\MiKTeX
2008-11-29 10:03 . 2008-11-29 10:12 <DIR> d-------- c:\program files\MiKTeX 2.7
2008-11-28 19:44 . 2008-11-28 19:45 <DIR> d-------- c:\program files\QuickTime
2008-11-28 19:34 . 2008-11-28 19:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\nView_Profiles
2008-11-28 19:26 . 2008-11-28 19:26 <DIR> d-------- c:\documents and settings\Sean\Application Data\acccore
2008-11-28 19:26 . 2008-12-30 19:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-28 19:26 . 2008-11-28 19:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-28 19:25 . 2008-11-28 19:25 <DIR> d-------- c:\program files\Common Files\AOL
2008-11-28 19:25 . 2008-11-28 19:26 <DIR> d-------- c:\program files\AIM6
2008-11-28 19:25 . 2008-11-28 19:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL OCP
2008-11-28 19:25 . 2008-11-28 19:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL
2008-11-28 19:25 . 2008-11-28 19:26 373 --ah----- C:\IPH.PH
2008-11-27 18:24 . 2008-11-27 18:24 <DIR> d-------- c:\documents and settings\Sean\Application Data\NCH Swift Sound
2008-11-27 18:24 . 2008-11-27 18:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2008-11-27 18:22 . 2008-11-27 18:24 <DIR> d-------- c:\program files\NCH Swift Sound
2008-11-16 23:13 . 2008-11-29 20:48 <DIR> d-------- c:\documents and settings\Sean\Application Data\Apple Computer
2008-11-16 23:11 . 2008-11-19 12:18 <DIR> d-------- c:\program files\Apple Software Update
2008-11-16 23:11 . 2008-11-16 23:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-16 23:10 . 2008-11-30 14:38 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-16 23:10 . 2008-11-16 23:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-11-16 22:28 . 2008-12-17 20:34 <DIR> d-------- c:\program files\DC++
2008-11-12 12:44 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 12:35 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-04 07:30 . 2008-11-04 07:30 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx
2008-11-04 07:30 . 2008-11-04 07:30 57,344 --a------ c:\windows\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-30 09:42 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-28 06:09 --------- d-----w c:\documents and settings\Sean\Application Data\U3
2008-12-18 04:32 --------- d-----w c:\documents and settings\Sean\Application Data\Skype
2008-12-18 00:33 --------- d-----w c:\documents and settings\Sean\Application Data\skypePM
2008-12-16 18:41 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-11 16:03 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-11 06:02 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-11-30 04:33 --------- d-----w c:\program files\Winamp
2008-11-30 04:30 --------- d-----w c:\documents and settings\Sean\Application Data\Winamp
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-23 21:46 245,408 ----a-w c:\windows\system32\unicows.dll
2008-09-20 02:01 233,472 ----a-w c:\windows\system32\REX Shared Library.dll
2008-09-20 02:01 225,280 ----a-w c:\windows\system32\ReWire.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-12-15 22:55 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-15 22:55 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-15 22:55 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-15 22:55 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-15 22:55 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\odb.exe -- Unable to find file version info.
MD5: cc42ff35438c1cbeeb18f7b52e1f68f8

---- Directory of c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} ----

2008-07-04 10:35 54632 --a------ c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\DifXInstall32.exe
2008-04-24 05:25 11168 --a------ c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\gearaspiwdmx86.cat
2008-04-17 10:12 319456 --a------ c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\DIFxAPI.dll
2008-04-17 10:12 2761 --a------ c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\GEARAspiWDM.inf
2008-04-17 10:12 15464 --a------ c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\x86\GEARAspiWDM.sys
2008-04-17 10:12 107368 --a------ c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\x86\GEARAspi.dll


------- Sigcheck -------

2007-10-30 08:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 02:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 03:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 03:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 02:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-04 02:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB941644$\tcpip.sys
2008-04-13 11:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2007-10-30 09:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
2008-04-13 11:20 361344 accf5a9a1ffaa490f33dba1c632b95e1 c:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 03:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\dllcache\tcpip.sys
2008-06-20 03:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-12-28_16.05.53.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-31 00:48:54 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-29 21:57:54 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-08-31 00:48:54 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-29 21:57:54 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-08-31 00:48:54 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-29 21:57:54 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-16 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 202024]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2008-05-28 1197296]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-04-03 165784]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-08 7118848]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-07-22 401408]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-22 385024]
"SDTray"="c:\program files\Spyware Doctor\SDTrayApp.exe" [2007-06-27 1051464]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-09-22 1398024]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2007-09-06 40960]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2007-09-06 45056]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"odb"="c:\windows\odb.exe" [2008-12-27 201216]
"nwiz"="nwiz.exe" [2005-09-08 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2005-07-22 21:46 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^M-Audio MobilePre Control Panel Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\M-Audio MobilePre Control Panel Launcher.lnk
backup=c:\windows\pss\M-Audio MobilePre Control Panel Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WD Anywhere Backup Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WD Anywhere Backup Launcher.lnk
backup=c:\windows\pss\WD Anywhere Backup Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Sean^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Sean\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-10-21 09:09 50472 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoBoingo]
--a------ 2008-11-27 09:54 2155 c:\program files\Boingo\GoBoingo\GoBoingo.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 10:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2007-07-25 15:06 2027792 c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Drive Manager]
--a------ 2008-02-19 01:13 438272 c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access 0
"1701:TCP"= 1701:TCP:MioNet Remote Drive Access 1
"1702:TCP"= 1702:TCP:MioNet Remote Drive Access 2
"1703:TCP"= 1703:TCP:MioNet Remote Drive Access 3
"1704:TCP"= 1704:TCP:MioNet Remote Drive Access 4
"1705:TCP"= 1705:TCP:MioNet Remote Drive Access 5
"1706:TCP"= 1706:TCP:MioNet Remote Drive Access 6
"1707:TCP"= 1707:TCP:MioNet Remote Drive Access 7
"1708:TCP"= 1708:TCP:MioNet Remote Drive Access 8
"1709:TCP"= 1709:TCP:MioNet Remote Drive Access 9
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration
"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-07-20 28544]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2008-10-06 34671]
R2 MobilePreInstallerService;MobilePre Installer;c:\program files\M-Audio MobilePre\Install\MPInst.exe [2008-08-10 49152]
R2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2008-08-29 36368]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;"c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe" [2008-02-19 106496]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2008-08-29 333328]
S2 tmevtmgr;tmevtmgr;\??\c:\windows\system32\drivers\tmevtmgr.sys [2008-08-30 52240]
S3 ma763004;M-Audio MobilePre USB;c:\windows\system32\drivers\MA763004.sys [2008-08-10 30976]
S3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2008-08-30 488768]
S3 tmproxy;Trend Micro Proxy Service;"c:\program files\Trend Micro\Internet Security\TmProxy.exe" [2008-08-30 648456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{478d7440-3981-11dd-913b-00123fe774d2}]
\Shell\AutoRun\command - e:\wd_windows_tools\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 09:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.newyorktimes.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.newyorktimes.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: free.aol.com
FF - ProfilePath - c:\documents and settings\Sean\Application Data\Mozilla\Firefox\Profiles\yuvdb5aq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.newyorktimes.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 19:59:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2008-12-30 19:59:58
ComboFix-quarantined-files.txt 2008-12-31 03:59:48
ComboFix2.txt 2008-12-30 03:02:46
ComboFix3.txt 2008-12-29 0025

Pre-Run: 33,588,674,560 bytes free
Post-Run: 33,581,125,632 bytes free

282 --- E O F --- 2008-12-19 15:31:30
Eset log:


# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3724 (20081230)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=e3203adea2c08549a5e30fb539846f07
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-12-31 05:28:03
# local_time=2008-12-30 09:28:03 (-0800, Pacific Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=335323
# found=20
# scan_time=4641
C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ypitcgcusy.dll a variant of Win32/Kryptik.DR trojan AC562FB5686C062EE027EA1AC677D52D
C:\Qoobox\Quarantine\[4]-Submit_2008-12-30@19.58.zip Win32/Kryptik.DS.Gen trojan F9763D0747104AB8C762F350DC82E09A
C:\Qoobox\Quarantine\[4]-Submit_2008-12-30@19.58.zip »ZIP »1041b.exe Win32/Kryptik.DS.Gen trojan 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\svhost.exe.vir a variant of Win32/Kryptik.DR trojan 10374D265219C94DA3EE122E1F4CF8E7
C:\Qoobox\Quarantine\C\Program Files\Spyware Guard 2008\spywareguard.exe.vir a variant of Win32/Kryptik.DR trojan 1D1D05D9FF789DF0C15914FD5ABCE946
C:\Qoobox\Quarantine\C\Program Files\Spyware Guard 2008\uninstall.exe.vir a variant of Win32/Kryptik.DR trojan 9005BCE817E8C7CCE6BD0A9137DC2AAE
C:\Qoobox\Quarantine\C\WINDOWS\runsql.exe.vir Win32/Kryptik.DS.Gen trojan 6C0335CACCDB5736A665AE88E0525E74
C:\Qoobox\Quarantine\C\WINDOWS\sv.exe.vir Win32/Kryptik.DS.Gen trojan F5733AFF2E5577B812AAF65E590041F7
C:\Qoobox\Quarantine\C\WINDOWS\svc.exe.vir Win32/Kryptik.DS.Gen trojan 9D8AE96749A7F34BD68B419656717F7D
C:\Qoobox\Quarantine\C\WINDOWS\svhoster.exe.vir Win32/Kryptik.DS.Gen trojan CE7EBA6B39295176C95CA4D07D7EC948
C:\Qoobox\Quarantine\C\WINDOWS\svw.exe.vir Win32/Kryptik.DS.Gen trojan 0F2A6D6F01785B31FEE671088C65DAA4
C:\Qoobox\Quarantine\C\WINDOWS\svx.exe.vir Win32/Kryptik.DS.Gen trojan 201344C8D62705CF11D3A11716DCFFA3
C:\Qoobox\Quarantine\C\WINDOWS\svzip.exe.vir Win32/Kryptik.DS.Gen trojan 3F659B77E393709E8DB3065CC728D00D
C:\Qoobox\Quarantine\C\WINDOWS\vlc.exe.vir Win32/Kryptik.DS.Gen trojan 2CF789252C5E48486925F06C063E3A9E
C:\Qoobox\Quarantine\C\WINDOWS\wdmon.exe.vir Win32/Kryptik.DS.Gen trojan EF1BF943A468275CC7784AD9A443A6E5
C:\Qoobox\Quarantine\C\WINDOWS\system32\a.exe.vir Win32/Kryptik.DS.Gen trojan 20FBD94D6163D576217ED9E2045CD811
C:\Qoobox\Quarantine\C\WINDOWS\system32\winscenter.exe.vir a variant of Win32/Kryptik.DR trojan DBFBA1BB7588F0B01E351EC280EB8AE2
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\__.zip Win32/Agent.ODG trojan 6CAD9A925B8041BF67BD559BD8091CD8
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\__.zip »ZIP »TDSSmuct.sys Win32/Agent.ODG trojan 00000000000000000000000000000000
C:\WINDOWS\odb.exe Win32/Kryptik.DS.Gen trojan CC42FF35438C1CBEEB18F7B52E1F68F8
Kaschi09 is offline  
Old 01-03-2009, 01:17 PM   #11
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy

Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Hi, Need Help with Malware Infection (Win32.Banker.FSTrojan)

Hi, I'm very sorry for the delay.

*Open notepad.
Copy and paste the text inside the code box below to notepad
Code:
File::
c:\windows\system32\2700111040.dat
c:\windows\odb.exe
C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ypitcgcusy.dll
Folder::
c:\documents and settings\All Users\Application Data\Viewpoint
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"odb"=-
  • Save and name it as "CFScript"
  • Drag and drop CFScript.txt to your copy of ComboFix.
  • You can take a look at the image below if you're unsure how to do it.
  • ComboFix will restart your machine, then it will produce a log afterwards.
  • Please post the contents of that log.

Let me know how it's running.
Angelfire777 is offline  
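The triage Angelfire777 did by hand above, written out as a script. This is an added example, not code from this thread and not ESET's or ComboFix's own tooling: it reads the ESET log from the previous post, drops every finding that sits under C:\Qoobox\Quarantine (ComboFix already moved those, hence the .vir suffix, so they are no longer live on disk), cross-references the findings that are still live with the Run keys in the "Reg Loading Points" section of the ComboFix log, and drafts a CFScript in the same File:: / Registry:: layout used in the post above. The embedded log excerpts are constructed, trimmed copies of the logs posted in this thread; the column layout (path, detection family, category, MD5), the handling of the "a variant of" prefix, and the quarantine path are assumptions taken from those log lines rather than from ESET or ComboFix documentation.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the ESET log posted above (4 of its 20 lines): two
# findings are live, two sit in ComboFix's quarantine (one inside a quarantined zip).
ESET_LOG = r"""# version=4
C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ypitcgcusy.dll a variant of Win32/Kryptik.DR trojan AC562FB5686C062EE027EA1AC677D52D
C:\Qoobox\Quarantine\C\WINDOWS\sv.exe.vir Win32/Kryptik.DS.Gen trojan F5733AFF2E5577B812AAF65E590041F7
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\__.zip »ZIP »TDSSmuct.sys Win32/Agent.ODG trojan 00000000000000000000000000000000
C:\WINDOWS\odb.exe Win32/Kryptik.DS.Gen trojan CC42FF35438C1CBEEB18F7B52E1F68F8
"""

# Constructed excerpt of the "Reg Loading Points" section of the ComboFix log above.
COMBOFIX_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-09-22 1398024]
"odb"="c:\windows\odb.exe" [2008-12-27 201216]
"nwiz"="nwiz.exe" [2005-09-08 c:\windows\system32\nwiz.exe]
"""

DETECTION_PREFIXES = ("probably a variant of", "a variant of")  # assumed from the log lines
KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')


@dataclass
class Finding:
    path: str
    detection: str
    md5: str

    @property
    def quarantined(self) -> bool:
        # Anything ComboFix moved under C:\Qoobox\Quarantine is already neutralised.
        return self.path.lower().startswith(r"c:\qoobox\quarantine")


@dataclass
class Autorun:
    key: str
    name: str
    path: str


def parse_eset_log(text: str) -> list[Finding]:
    """Finding lines are assumed to read '<path> <family> <category> <md5>'; the path
    and the 'a variant of' prefix contain spaces, so the line is split from the right."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):       # '# key=value' header lines
            continue
        parts = line.rsplit(None, 3)
        if len(parts) != 4 or not re.fullmatch(r"[0-9A-Fa-f]{32}", parts[3]):
            continue
        path, family, category, md5 = parts
        for prefix in DETECTION_PREFIXES:
            if path.endswith(" " + prefix):
                path, family = path[: -len(prefix) - 1], f"{prefix} {family}"
                break
        findings.append(Finding(path, f"{family} {category}", md5.upper()))
    return findings


def parse_run_keys(text: str) -> list[Autorun]:
    """Collect the values under every Run/RunOnce key in ComboFix's 'Reg Loading Points'."""
    autoruns, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1) if m.group(1).lower().endswith((r"\run", r"\runonce")) else None
        elif key and (m := VALUE_RE.match(line)):
            path = m.group("path")
            if "\\" not in path:   # bare name: ComboFix puts the resolved path inside the bracket
                path = m.group("meta").split()[-1]
            autoruns.append(Autorun(key, m.group("name"), path))
    return autoruns


def triage(eset_text: str, combofix_text: str) -> tuple[list[Finding], list[Autorun]]:
    """Findings still live on disk, and the autorun values that launch one of them."""
    live = [f for f in parse_eset_log(eset_text) if not f.quarantined]
    live_paths = {f.path.lower() for f in live}
    hits = [a for a in parse_run_keys(combofix_text) if a.path.lower() in live_paths]
    return live, hits


def build_cfscript(live: list[Finding], hits: list[Autorun]) -> str:
    """Draft a CFScript in the File:: / Registry:: layout used in this thread."""
    lines = ["File::"] + [f.path for f in live]
    if hits:
        lines.append("Registry::")
        for key in sorted({a.key for a in hits}):
            lines.append(f"[{key}]")
            lines += [f'"{a.name}"=-' for a in hits if a.key == key]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    live, hits = triage(ESET_LOG, COMBOFIX_LOG)
    print(build_cfscript(live, hits), end="")
```

Run as-is it prints a File:: list containing ypitcgcusy.dll and odb.exe and a Registry:: block that removes the "odb" Run value, which is what the hand-written CFScript above contains. What it cannot produce is c:\windows\system32\2700111040.dat: ESET never flagged that file, and the helper picked it out of ComboFix's Files Created list (hidden+system attributes, written in the same minute as odb.exe). A scanner log is one input to the triage, not the whole of it, and the ComboFix log posted after the script runs is what confirms the removals actually happened.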
Old 01-04-2009, 02:30 PM   #12
Registered User
 
Join Date: Dec 2008
Posts: 8
OS: Windows XP


Re: Hi, Need Help with Malware Infection (Win32.Banker.FSTrojan)

Comp is running pretty well, no pop-ups, no slow performance issues.

Here's the new log:

ComboFix 09-01-02.01 - Sean 2009-01-04 13:11:11.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1550 [GMT -8:00]
Running from: c:\documents and settings\Sean\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sean\Desktop\CFScript.txt
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
* Created a new restore point

FILE ::
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ypitcgcusy.dll
c:\windows\odb.exe
c:\windows\system32\2700111040.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Viewpoint
c:\windows\odb.exe
c:\windows\system32\2700111040.dat

.
((((((((((((((((((((((((( Files Created from 2008-12-04 to 2009-01-04 )))))))))))))))))))))))))))))))
.

2009-01-04 13:01 . 2009-01-04 13:01 <DIR> d-------- c:\windows\LastGood
2009-01-03 13:59 . 2009-01-03 13:59 <DIR> d-------- c:\program files\dvd43
2009-01-03 13:59 . 2009-01-03 13:59 18,816 --a------ c:\windows\system32\drivers\dvd43llh.sys
2009-01-03 13:57 . 2009-01-03 13:57 <DIR> d-------- c:\program files\DVD Shrink
2009-01-03 13:57 . 2009-01-03 14:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\DVD Shrink
2008-12-30 20:06 . 2008-12-30 21:28 <DIR> d-------- c:\program files\EsetOnlineScanner
2008-12-29 18:44 . 2008-12-29 18:44 <DIR> d-------- C:\32788R22FWJFW.0.tmp
2008-12-28 13:18 . 2008-12-28 13:18 250 --a------ c:\windows\gmer.ini
2008-12-27 23:14 . 2008-12-27 23:16 <DIR> d-------- c:\program files\SpyNoMore
2008-12-27 23:14 . 2008-12-27 23:14 <DIR> d-------- c:\program files\Common Files\Download Manager
2008-12-27 22:52 . 2008-12-27 22:52 <DIR> d-------- c:\program files\Webroot
2008-12-27 22:52 . 2008-12-27 22:52 <DIR> d-------- c:\documents and settings\Sean\Application Data\Webroot
2008-12-27 22:40 . 2008-12-27 22:40 <DIR> d-------- c:\program files\Lavasoft
2008-12-27 22:39 . 2008-12-27 22:39 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-24 12:04 . 2008-12-24 12:04 <DIR> d-------- c:\program files\iTunes Library Updater
2008-12-16 14:55 . 2008-12-16 14:55 <DIR> d-------- c:\program files\Bonjour
2008-12-16 11:38 . 2008-12-16 13:14 <DIR> d-------- c:\documents and settings\Sean\Application Data\Creative
2008-12-16 10:41 . 1999-10-10 17:00 41,984 --------- c:\windows\Ctregrun.exe
2008-12-16 10:38 . 1998-10-29 13:45 306,688 --a------ c:\windows\IsUninst.exe
2008-12-16 10:37 . 2004-06-03 09:10 71,596 --------- c:\windows\system32\drivers\PfModNT.sys
2008-12-16 10:37 . 1999-12-12 17:01 44,032 --------- c:\windows\system32\CTSVCCDA.EXE
2008-12-16 10:37 . 1999-11-17 17:00 25,088 --------- c:\windows\system32\CTSVCCTL.EXE
2008-12-16 10:36 . 2008-12-16 10:41 <DIR> d-------- c:\program files\Creative
2008-12-13 08:09 . 2008-12-13 08:09 68,096 --a------ c:\windows\ScUnin.exe
2008-12-13 08:09 . 2008-12-13 08:09 12,072 --a------ c:\windows\scunin.dat
2008-12-13 08:09 . 2008-12-13 08:09 967 --a------ c:\windows\ScUnin.pif
2008-12-13 08:08 . 2008-12-27 10:07 <DIR> d-------- c:\program files\Starcraft
2008-12-12 08:18 . 2008-12-12 08:18 87,336 --a------ c:\windows\system32\dns-sd.exe
2008-12-12 08:11 . 2008-12-12 08:11 61,440 --a------ c:\windows\system32\dnssd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-04 12:31 --------- d-----w c:\documents and settings\Sean\Application Data\Skype
2009-01-04 08:33 --------- d-----w c:\documents and settings\Sean\Application Data\skypePM
2009-01-03 22:18 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-28 06:09 --------- d-----w c:\documents and settings\Sean\Application Data\U3
2008-12-18 04:34 --------- d-----w c:\program files\DC++
2008-12-16 18:41 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-11 16:03 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-11 06:02 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-12-01 05:59 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2008-11-30 22:38 --------- d-----w c:\program files\iTunes
2008-11-30 22:38 --------- d-----w c:\program files\iPod
2008-11-30 22:38 --------- d-----w c:\program files\Common Files\Apple
2008-11-30 22:38 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-30 04:48 --------- d-----w c:\documents and settings\Sean\Application Data\Apple Computer
2008-11-30 04:33 --------- d-----w c:\program files\Winamp
2008-11-30 04:30 --------- d-----w c:\documents and settings\Sean\Application Data\Winamp
2008-11-30 00:58 --------- d-----w c:\program files\Ghostgum
2008-11-30 00:56 --------- d-----w c:\program files\gs
2008-11-30 00:54 --------- d-----w c:\program files\TeXnicCenter
2008-11-29 18:16 --------- d-----w c:\documents and settings\All Users\Application Data\MiKTeX
2008-11-29 18:12 --------- d-----w c:\program files\MiKTeX 2.7
2008-11-29 03:45 --------- d-----w c:\program files\QuickTime
2008-11-29 03:34 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2008-11-29 03:26 --------- d-----w c:\program files\AIM6
2008-11-29 03:26 --------- d-----w c:\documents and settings\Sean\Application Data\acccore
2008-11-29 03:26 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-29 03:25 --------- d-----w c:\program files\Common Files\AOL
2008-11-29 03:25 --------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
2008-11-29 03:25 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-11-28 02:24 --------- d-----w c:\program files\NCH Swift Sound
2008-11-28 02:24 --------- d-----w c:\documents and settings\Sean\Application Data\NCH Swift Sound
2008-11-28 02:24 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2008-11-19 20:18 --------- d-----w c:\program files\Apple Software Update
2008-11-17 07:12 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-17 07:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
2008-12-31 09:36 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-31 09:36 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-31 09:36 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-31 09:36 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-31 09:36 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

2007-10-30 08:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 02:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 03:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 03:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 02:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-04 02:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB941644$\tcpip.sys
2008-04-13 11:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2007-10-30 09:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
2008-04-13 11:20 361344 accf5a9a1ffaa490f33dba1c632b95e1 c:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 03:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\dllcache\tcpip.sys
2008-06-20 03:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-12-28_16.05.53.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-31 00:48:54 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-29 21:57:54 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-08-31 00:48:54 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-29 21:57:54 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-08-31 00:48:54 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-29 21:57:54 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-06 07:30:42 241,704 -c----w c:\windows\system32\dllcache\wgaLogon.dll
+ 2008-09-06 07:29:58 917,032 -c----w c:\windows\system32\dllcache\WgaTray.exe
- 2008-03-21 0136 1,480,232 ------w c:\windows\system32\LegitCheckControl.dll
+ 2008-09-06 07:30:06 1,480,232 ------w c:\windows\system32\LegitCheckControl.dll
+ 2007-07-27 23:49:02 196,683 ----a-w c:\windows\system32\lnod32apiA.dll
+ 2007-07-27 23:49:02 225,355 ----a-w c:\windows\system32\lnod32apiW.dll
+ 2005-12-06 04:25:22 139,264 ----a-w c:\windows\system32\lnod32umc.dll
+ 2005-12-05 21:37:10 106,496 ----a-w c:\windows\system32\lnod32upd.dll
- 2008-12-27 18:09:15 17,130 ----a-w c:\windows\system32\nvModes.dat
+ 2009-01-04 10:21:29 36,406 ----a-w c:\windows\system32\nvModes.dat
+ 2007-08-03 02:11:28 253,952 ----a-w c:\windows\system32\OnlineScannerDLLA.dll
+ 2007-08-03 02:11:14 241,664 ----a-w c:\windows\system32\OnlineScannerDLLW.dll
+ 2007-08-06 21:17:40 19,456 ----a-w c:\windows\system32\OnlineScannerLang.dll
+ 2007-06-13 19:10:34 77,824 ----a-w c:\windows\system32\OnlineScannerUninstaller.exe
+ 2008-09-06 07:30:42 241,704 ------w c:\windows\system32\WgaLogon.dll
+ 2008-09-06 07:29:58 917,032 ------w c:\windows\system32\WgaTray.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-16 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 202024]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2008-05-28 1197296]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-04-03 165784]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-08 7118848]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-07-22 401408]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-22 385024]
"SDTray"="c:\program files\Spyware Doctor\SDTrayApp.exe" [2007-06-27 1051464]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-09-22 1398024]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2007-09-06 40960]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2007-09-06 45056]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-13 169984]
"nwiz"="nwiz.exe" [2005-09-08 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2005-07-22 21:46 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^M-Audio MobilePre Control Panel Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\M-Audio MobilePre Control Panel Launcher.lnk
backup=c:\windows\pss\M-Audio MobilePre Control Panel Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WD Anywhere Backup Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WD Anywhere Backup Launcher.lnk
backup=c:\windows\pss\WD Anywhere Backup Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Sean^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Sean\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-10-21 09:09 50472 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
--a------ 2008-11-17 18:50 827904 c:\program files\dvd43\DVD43_Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoBoingo]
--a------ 2008-11-27 09:54 2155 c:\program files\Boingo\GoBoingo\GoBoingo.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 10:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2007-07-25 15:06 2027792 c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Drive Manager]
--a------ 2008-02-19 01:13 438272 c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access 0
"1701:TCP"= 1701:TCP:MioNet Remote Drive Access 1
"1702:TCP"= 1702:TCP:MioNet Remote Drive Access 2
"1703:TCP"= 1703:TCP:MioNet Remote Drive Access 3
"1704:TCP"= 1704:TCP:MioNet Remote Drive Access 4
"1705:TCP"= 1705:TCP:MioNet Remote Drive Access 5
"1706:TCP"= 1706:TCP:MioNet Remote Drive Access 6
"1707:TCP"= 1707:TCP:MioNet Remote Drive Access 7
"1708:TCP"= 1708:TCP:MioNet Remote Drive Access 8
"1709:TCP"= 1709:TCP:MioNet Remote Drive Access 9
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration
"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-07-20 28544]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2008-10-06 34671]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-08-29 333328]
R4 MobilePreInstallerService;MobilePre Installer;c:\program files\M-Audio MobilePre\Install\MPInst.exe [2008-08-10 49152]
R4 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-08-29 36368]
R4 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [2008-02-19 106496]
S3 ma763004;M-Audio MobilePre USB;c:\windows\system32\drivers\MA763004.sys [2008-08-10 30976]
S3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2008-08-30 488768]
S3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2008-08-30 648456]
S4 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-08-30 52240]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{478d7440-3981-11dd-913b-00123fe774d2}]
\Shell\AutoRun\command - e:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{559dd43c-d39b-11dd-9209-00123fe774d2}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 09:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.newyorktimes.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.newyorktimes.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: free.aol.com
FF - ProfilePath - c:\documents and settings\Sean\Application Data\Mozilla\Firefox\Profiles\yuvdb5aq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.newyorktimes.com
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-04 13:14:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1548)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2009-01-04 13:15:23
ComboFix-quarantined-files.txt 2009-01-04 21:15:12
ComboFix2.txt 2008-12-31 03:59:59
ComboFix3.txt 2008-12-30 03:02:46
ComboFix4.txt 2008-12-29 0025

Pre-Run: 30,828,437,504 bytes free
Post-Run: 30,816,808,960 bytes free

286 --- E O F --- 2009-01-04 21:02:33
Kaschi09 is offline  
Old 01-04-2009, 03:24 PM   #13 (permalink)
Moderator/Analyst, Security Team; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Hi, Need Help with Malware Infection (Win32.Banker.FSTrojan)

Looks good.

Click start > run > copy and paste:

combofix /u

That will hide your system files, clear your system restore cache and uninstall combofix.

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out miekiemoes' "How to Prevent Malware"

Happy safe surfing!

Note: Please reply to this thread one last time so I could mark it as resolved.
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Angelfire777 is offline  
Old 01-05-2009, 01:15 AM   #14 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 8
OS: Windows XP


Re: Hi, Need Help with Malware Infection (Win32.Banker.FSTrojan)

Thank you so much! I really appreciate it.
Kaschi09 is offline  
Copyright 2001 - 2009, Tech Support Forum