Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Reload this Page Need to Make Sure Spyware/Trojan is Gone
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


Resolved HJT Threads Resolved spyware and popup issues.

 
Page 1 of 2 1 2
 
LinkBack Thread Tools
Old 03-13-2009, 09:18 PM   #1 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 18
OS: xp service pack 2 (build2600)


Need to Make Sure Spyware/Trojan is Gone
Hello all, I was hoping to get help for something really stupid I did.

Basically I went to a torrent search site, hxxp://torrent-finder.com, which I have used with out harm before (never going to do that again though). This time in going there Firefox (version 2) froze on me but I didn't think anything of it. Eventually I had to use task manager to close it and went back to what I was doing. A couple minutes later I get a pop-up for "Spyware Protect 2009" saying my computer was infected. I had no browsers open when it popped up and I knew I never had this program on my computer so I figured BAD sign. Then my Avast anti-virus (4.8 home edition) pops up saying my computer is infected and suggest me to move them to the chest, which I did. Avast found 2 infections which I moved to the chest before my computer shut off on its own and then restarted.

During boot the Avast Anti-Virus started scanning my computer and found 3 infections which I chose to delete because I was scared of my computer becoming a toaster. This is what Avast found:

---
03/13/2009 17:07
Scan of all local drives

File C:\Documents and Settings\Owner\Local Settings\Temp\D4E.tmp is infected by Win32:Rootkit-gen [Rtk], Deleted
File C:\WINDOWS\system32\trzD63.tmp is infected by Win32:Spyware-gen [Trj], Deleted
File C:\WINDOWS\trzD62.tmp is infected by Win32:Rootkit-gen [Rtk], Deleted
Number of searched folders: 13214
Number of tested files: 166511
Number of infected files: 3
---

My computer then started up normally. As soon as everything came on I went and updated my SpyBot Search and Destroy and ran a scan with the results coming back saying everything was fine. After that I did some google-ing to find out how to make sure my computer was ok and so here I am hoping someone can tell me my computer is clean. Thanks!

Below is the DDS log:
---

DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 18:57:25.50 on Fri 03/13/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.204 [GMT -7:00]

AV: avast! antivirus 4.8.1335 [VPS 090313-0] *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ikernel.exe
C:\Documents and Settings\Owner\Desktop\dds.pif

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.msnbc.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [CHotkey] zHotkey.exe
mRun: [ShowWnd] ShowWnd.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [D-Link AirPlus G] c:\program files\d-link\airplus g\AirGCFG.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\BigFix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {F4430FE8-2638-42e5-B849-800749B94EED} - c:\program files\partygaming.net\partypokernet\RunPF.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: akamai.net
Trusted Zone: aol.com\free
Trusted Zone: delphiforums.com
Trusted Zone: ebay.com\search
Trusted Zone: ebay.com\www
Trusted Zone: java.com\www
Trusted Zone: musicvideos.com\www
Trusted Zone: yahoo.com
Trusted Zone: yahoo.com\*.music
Trusted Zone: yahoo.com\games
Trusted Zone: yahoo.com\launchtoday.music
Trusted Zone: yahoo.com\music
Trusted Zone: yahoo.com\radio.music
Trusted Zone: yimg.com
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1113621296703
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\yccyogln.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.msnbc.msn.com/

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-2-22 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-2-22 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-2-22 138680]
R2 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [2005-5-1 34916]
R2 r_server;Remote Administrator Service;c:\windows\system32\r_server.exe [2000-7-9 184320]
R4 NAVAPEL;NAVAPEL;\??\c:\program files\navnt\navapel.sys --> c:\program files\navnt\NAVAPEL.SYS [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-2-22 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-2-22 352920]
S3 vidcap;vidcap;c:\windows\system32\drivers\vidcap.sys --> c:\windows\system32\drivers\vidcap.sys [?]

=============== Created Last 30 ================

2009-03-13 18:11 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-03-13 16:51 55,808 a------- c:\windows\system32\mcenspc.dll

==================== Find3M ====================

2009-02-09 03:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-01 12:47 0 a---h--- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2009-02-01 12:47 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-02-01 12:46 0 a---h--- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-01-19 23:50 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2009-01-19 23:50 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-01-19 22:52 3,308 a------- c:\windows\mozver.dat
2008-03-20 00:43 57,776 a------- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2006-09-09 17:49 25,140 a------- c:\docume~1\owner\applic~1\wklnhst.dat
2005-04-15 21:45 0 a--sh--- c:\windows\sminst\HPCD.sys

============= FINISH: 18:57:53.92 ===============
Attached Files
File Type: zip attatch.zip.zip (4.4 KB, 1 views)
MusicBecca is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Important Information
Join the #1 Tech Support Forum Today - It's Totally Free!

TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free.

Join TechSupportforum.com Today - Click Here

Old 03-14-2009, 09:48 AM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,767
OS: 2000 Pro; XP Pro; XP Home


Re: Need to Make Sure Spyware/Trojan is Gone
Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

---------------------------------------------------------------------------------------------

As you've found out the hard way, torrents are not always safe, and most infected machines use torrents or P2P applications.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

Please see this topic for more information:

Perils of P2P File Sharing

---------------------------------------------------------------------------------------------

There is still sign of infection on this machine.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-14-2009, 12:22 PM   #3 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 18
OS: xp service pack 2 (build2600)


Re: Need to Make Sure Spyware/Trojan is Gone
Hey Tetonbob, thanks for the speedy reply. Just wanted to let you know that I was unable to automatically install the Windows Recovery Console because I completely missed the part that said I needed to be connected to the internet and I had my wireless disabled and was unable to turn it on. Should I manually install it per the instructions?

ComboFix Log below:

ComboFix 09-03-13.02 - Owner 2009-03-14 11:07:26.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.221 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090313-0] *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\mcenspc.dll
c:\windows\system32\nsprs.dll
c:\windows\system32\serauth1.dll
c:\windows\system32\serauth2.dll
D:\Autorun.inf
G:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_R_SERVER
-------\Service_r_server


((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 )))))))))))))))))))))))))))))))
.

2009-03-13 18:11 . 2009-03-13 18:11 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-02-22 13:13 . 2009-02-22 13:13 <DIR> d-------- c:\program files\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-14 06:32 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-14 01:52 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-14 01:45 --------- d-----w c:\program files\BitLord
2009-03-14 01:45 --------- d-----w c:\program files\Antenna
2009-03-14 01:06 --------- d-----w c:\program files\Google
2009-03-12 20:06 --------- d-----w c:\documents and settings\Owner\Application Data\AdobeUM
2009-03-03 06:36 --------- d-----w c:\program files\mIRC
2009-02-28 04:43 --------- d-----w c:\program files\Digsby
2009-02-22 20:09 --------- d-----w c:\program files\Rebecca
2009-02-01 19:47 0 ---ha-w c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2009-02-01 19:47 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-02-01 19:46 0 ---ha-w c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-01-21 04:44 --------- d-----w c:\documents and settings\Owner\Application Data\Digsby
2009-01-21 04:44 --------- d-----w c:\documents and settings\All Users\Application Data\Digsby
2009-01-21 04:41 --------- d-----w c:\program files\Trillian
2009-01-20 06:52 --------- d-----w c:\program files\Zune
2009-01-20 06:50 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-01-20 06:50 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2009-01-20 05:08 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-20 05:00 --------- d-----w c:\documents and settings\Owner\Application Data\OpenOffice.org
2009-01-20 04:56 --------- d-----w c:\program files\OpenOffice.org 3
2009-01-20 04:56 --------- d-----w c:\program files\JRE
2009-01-20 04:56 --------- d-----w c:\program files\Java
2009-01-20 04:54 --------- d-----w c:\program files\Open Office
2008-03-20 07:43 57,776 ----a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2006-09-10 00:49 25,140 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2006-10-11 08:04 61,036 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2006-10-11 08:04 48,742 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-11 08:05 29,313 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2006-10-11 08:05 41,082 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2006-10-11 08:04 166,510 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2005-04-16 04:45 0 --sha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-21 68856]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-06-10 785520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-04-17 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"D-Link AirPlus G"="c:\program files\D-Link\AirPlus G\AirGCFG.exe" [2004-09-14 1212416]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-08-16 45056]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-12-12 157312]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 c:\windows\system32\Hdaudpropshortcut.exe]
"CHotkey"="zHotkey.exe" [2004-05-17 c:\windows\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [2003-09-19 c:\windows\ShowWnd.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-09-23 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-09-24 c:\windows\ALCWZRD.EXE]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2005-02-14 1742384]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3IV2"= 3ivxVfWCodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\windows\pss\Quicken Startup.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Owner\\Downloads\\WS_FTP\\WS_FTP95.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4899:TCP"= 4899:TCP:Remote
"139:TCP"= 139:TCP:192.168.1.2/255.255.255.255:Enabled:@xpsp2res.dll,-22004

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-02-22 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-02-22 20560]
R2 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [2005-05-01 34916]
S3 vidcap;vidcap;c:\windows\system32\DRIVERS\vidcap.sys --> c:\windows\system32\DRIVERS\vidcap.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5ab29321-7eef-11d9-9d2e-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2005-04-16 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-04 12:00]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.msnbc.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: akamai.net
Trusted Zone: aol.com\free
Trusted Zone: delphiforums.com
Trusted Zone: ebay.com\search
Trusted Zone: ebay.com\www
Trusted Zone: java.com\www
Trusted Zone: musicvideos.com\www
Trusted Zone: yahoo.com
Trusted Zone: yahoo.com\*.music
Trusted Zone: yahoo.com\games
Trusted Zone: yahoo.com\launchtoday.music
Trusted Zone: yahoo.com\music
Trusted Zone: yahoo.com\radio.music
Trusted Zone: yimg.com
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\yccyogln.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msnbc.msn.com/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-14 11:11:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\ZuneBusEnum.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-03-14 11:15:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-14 18:15:22

Pre-Run: 155,147,223,040 bytes free
Post-Run: 155,081,977,856 bytes free

189 --- E O F --- 2009-03-11 10:01:19
MusicBecca is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-14-2009, 12:39 PM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,767
OS: 2000 Pro; XP Pro; XP Home


Re: Need to Make Sure Spyware/Trojan is Gone
Hi MusicBecca -

We like Recovery Console installed before removal of malware for a number of reasons, but it looks like you've made it through without, and the active infection is removed. Recovery Console (RC) installed gives you or other techs an avenue for access in the future should it be needed, and installing it via ComboFix adds a two second delay to your boot screen. If you want it installed for the future (recommended), just ensure you have internet enabled, double click on ComboFix.exe once again to run it, and allow RC to be installed. Post the log produced.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-14-2009, 01:00 PM   #5 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 18
OS: xp service pack 2 (build2600)


Re: Need to Make Sure Spyware/Trojan is Gone
Hey again, installed the Recovery Console just fine. Here's the log:

ComboFix 09-03-13.02 - Owner 2009-03-14 11:55:39.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.175 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090313-0] *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 )))))))))))))))))))))))))))))))
.

2009-03-13 18:11 . 2009-03-13 18:11 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-02-22 13:13 . 2009-02-22 13:13 <DIR> d-------- c:\program files\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-14 06:32 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-14 01:52 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-14 01:45 --------- d-----w c:\program files\BitLord
2009-03-14 01:45 --------- d-----w c:\program files\Antenna
2009-03-14 01:06 --------- d-----w c:\program files\Google
2009-03-12 20:06 --------- d-----w c:\documents and settings\Owner\Application Data\AdobeUM
2009-03-03 06:36 --------- d-----w c:\program files\mIRC
2009-02-28 04:43 --------- d-----w c:\program files\Digsby
2009-02-22 20:09 --------- d-----w c:\program files\Rebecca
2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys
2009-02-01 19:47 0 ---ha-w c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2009-02-01 19:47 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-02-01 19:46 0 ---ha-w c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-01-21 04:44 --------- d-----w c:\documents and settings\Owner\Application Data\Digsby
2009-01-21 04:44 --------- d-----w c:\documents and settings\All Users\Application Data\Digsby
2009-01-21 04:41 --------- d-----w c:\program files\Trillian
2009-01-20 06:52 --------- d-----w c:\program files\Zune
2009-01-20 06:50 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-01-20 06:50 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2009-01-20 05:08 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-20 05:00 --------- d-----w c:\documents and settings\Owner\Application Data\OpenOffice.org
2009-01-20 04:56 --------- d-----w c:\program files\OpenOffice.org 3
2009-01-20 04:56 --------- d-----w c:\program files\JRE
2009-01-20 04:56 --------- d-----w c:\program files\Java
2009-01-20 04:54 --------- d-----w c:\program files\Open Office
2008-03-20 07:43 57,776 ----a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2006-09-10 00:49 25,140 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2006-10-11 08:04 61,036 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2006-10-11 08:04 48,742 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-11 08:05 29,313 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2006-10-11 08:05 41,082 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2006-10-11 08:04 166,510 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2005-04-16 04:45 0 --sha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-21 68856]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-06-10 785520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-04-17 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"D-Link AirPlus G"="c:\program files\D-Link\AirPlus G\AirGCFG.exe" [2004-09-14 1212416]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-08-16 45056]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-12-12 157312]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 c:\windows\system32\Hdaudpropshortcut.exe]
"CHotkey"="zHotkey.exe" [2004-05-17 c:\windows\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [2003-09-19 c:\windows\ShowWnd.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-09-23 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-09-24 c:\windows\ALCWZRD.EXE]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2005-02-14 1742384]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3IV2"= 3ivxVfWCodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\windows\pss\Quicken Startup.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Owner\\Downloads\\WS_FTP\\WS_FTP95.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4899:TCP"= 4899:TCP:Remote
"139:TCP"= 139:TCP:192.168.1.2/255.255.255.255:Enabled:@xpsp2res.dll,-22004

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-02-22 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-02-22 20560]
R2 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [2005-05-01 34916]
S3 vidcap;vidcap;c:\windows\system32\DRIVERS\vidcap.sys --> c:\windows\system32\DRIVERS\vidcap.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5ab29321-7eef-11d9-9d2e-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2005-04-16 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-04 12:00]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.msnbc.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: akamai.net
Trusted Zone: aol.com\free
Trusted Zone: delphiforums.com
Trusted Zone: ebay.com\search
Trusted Zone: ebay.com\www
Trusted Zone: java.com\www
Trusted Zone: musicvideos.com\www
Trusted Zone: yahoo.com
Trusted Zone: yahoo.com\*.music
Trusted Zone: yahoo.com\games
Trusted Zone: yahoo.com\launchtoday.music
Trusted Zone: yahoo.com\music
Trusted Zone: yahoo.com\radio.music
Trusted Zone: yimg.com
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\yccyogln.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msnbc.msn.com/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-14 11:56:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\NavLogon.dll
.
Completion time: 2009-03-14 11:58:04
ComboFix-quarantined-files.txt 2009-03-14 18:58:02
ComboFix2.txt 2009-03-14 18:15:27

Pre-Run: 155,065,847,808 bytes free
Post-Run: 155,049,631,744 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

167 --- E O F --- 2009-03-11 10:01:19
MusicBecca is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-14-2009, 01:32 PM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,767
OS: 2000 Pro; XP Pro; XP Home


Re: Need to Make Sure Spyware/Trojan is Gone
Please let me know how the machine is behaving.

Several applications are outdated, and should be updated.

Firefox 2.0 is no longer receiving security updates. Please update to Firefox 3

http://www.mozilla.com/en-US/firefox/

Spybot Search & Destroy is at version 1.62, yours is 1.3, so it's not doing much good. If you want to continue using Spybot Search & Destroy, please update it.

http://www.safer-networking.org/index2.html


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 12. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Please download ATF Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

---------------------------------------------------------------------------------------------

Please run this online scan to help look for remnants.

Perform an online scan with Panda ActiveScan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.
  • Please attach the contents of that log to your reply.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-14-2009, 11:32 PM   #7 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 18
OS: xp service pack 2 (build2600)


Re: Need to Make Sure Spyware/Trojan is Gone
Alright, I updated Firefox, SpyBot, and Java with no problems. Desktop seems to be acting fine. Was having some connectivity and browsing issues right after the infection but all seems fine now. Laptop is a different story.... decided to run SpyBot on it just in case and it found virtumonde, which I think I got from a chord/tab site I went to.... Anyway the panda log is attatched.
Attached Files
File Type: txt ActiveScan.txt (5.6 KB, 1 views)
MusicBecca is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-14-2009, 11:56 PM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,767
OS: 2000 Pro; XP Pro; XP Home


Re: Need to Make Sure Spyware/Trojan is Gone
Looks good. Panda seems to have taken exception to mIRC and RAdmin. If you knowingly installed these apps and want them back, it looks like you'll need to reinstall.

Panda also has identified some cookies.

Cookies get installed on your computer everytime you visit any webpage. Now some of those are good cookies that get installed for ease of use for next time you visit the same page, but some cookies are spyware used for tracking users surfing habits.

Most of those cookies are third party cookies that can be blocked:

In Firefox go to Tools > Options > Privacy > Cookies

Click Exceptions, identify the site you want to block, and click on Block.

In IE go to Tools > Internet Options > Privacy and click on Advanced in the Privacy tab

Now put a check next to "Override automatic cookie handling"

Set first party cookies to Accept and third party cookies to Block

Also put a check to "Always allow session cookies" OK your way out.

This won't prevent all bad cookies from being installed, but will reduce the amount.

Also there is another program you can use.

Spywareblaster Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restricts the actions of potentially unwanted sites in Internet Explorer.

You can read more about cookies at the Cookie Concept

You can tidy up with this ATF Cleaner.

---------------------------------------------------------------------------------------------

The other items Panda found are in System Restore points, and will be addressed by uninstalling ComboFix as instructed below

Your logs appear clean.You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.
  • Winpatrol

    Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

  • http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-15-2009, 12:12 AM   #9 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 18
OS: xp service pack 2 (build2600)


Re: Need to Make Sure Spyware/Trojan is Gone
Hey thanks Tetonbob.
I did knowingly install mIRC but I don't know what RAdmin is so I'm assuming I can just ignore it since its gone now, right? Also, I've set up Firefox so it will clear all my private data every time I close it, so all set there.

Couple things though...

1. Is it ok to have Spyware Blaster AND SpyBot or just 1 of them?

2. When ComboFix was uninstalling I got a pop-up from it saying something about it only being compatible with XP and Vista and I have XP, soooo should I ignore that too?

3. Would you possible mind helping me with my laptop since I've found that it has a virus now? I'll totally understand if I need to start another thread seeing as how you've already helped me out a great deal.

Again, thanks!
MusicBecca is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-15-2009, 08:05 AM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,767
OS: 2000 Pro; XP Pro; XP Home


Re: Need to Make Sure Spyware/Trojan is Gone
Quote:
Originally Posted by MusicBecca View Post
Hey thanks Tetonbob.
I did knowingly install mIRC but I don't know what RAdmin is so I'm assuming I can just ignore it since its gone now, right?

It's a remote administration application. If you don't recall installing it, you can ignore it.

Also, I've set up Firefox so it will clear all my private data every time I close it, so all set there.

Couple things though...

1. Is it ok to have Spyware Blaster AND SpyBot or just 1 of them?

Should be ok to have both.

2. When ComboFix was uninstalling I got a pop-up from it saying something about it only being compatible with XP and Vista and I have XP, soooo should I ignore that too?

Not sure, don't recall ever seeing that before. If you received a message which stated ComboFix successfully uninstalled, all should be fine. If not, let me know.

3. Would you possible mind helping me with my laptop since I've found that it has a virus now? I'll totally understand if I need to start another thread seeing as how you've already helped me out a great deal.

Sure, post the same initial logs, DDS and GMER, from the laptop.

Again, thanks!
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-15-2009, 02:29 PM   #11 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 18
OS: xp service pack 2 (build2600)


Re: Need to Make Sure Spyware/Trojan is Gone
Forgot the zip....
Attached Files
File Type: zip Attach.zip (4.8 KB, 1 views)
MusicBecca is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-15-2009, 02:35 PM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,767
OS: 2000 Pro; XP Pro; XP Home


Re: Need to Make Sure Spyware/Trojan is Gone
Hi -

Wanted to be sure your questions from first machine have been answered, and also, I don't see the main log from DDS, dds.txt.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-15-2009, 02:37 PM   #13 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 18
OS: xp service pack 2 (build2600)


Re: Need to Make Sure Spyware/Trojan is Gone
Not sure what happened there... thought I had posted everything then forgot the zip, then posted that and now just the zip post is there....whatever... trying this again...

As far as my desktop is concerned I thought that ComboFix had successfully uninstalled but in going to my C drive there is a ComboFix folder with "n" and "nircmd" which are both ms-dos applications. Back in C there are also two text documents: "Bug" and "ComboFix". And finally two other files: "boot.bak" and "cmldr". So if you could advise on this that would be awesome.

Here's the DDS log for my laptop


DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 12:28:24.59 on Sun 03/15/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446.141 [GMT -7:00]

AV: avast! antivirus 4.8.1296 [VPS 090314-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Owner.YOUR-A95A8233BF\Desktop\dds.pif

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6422
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6422
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6422
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Dispatch Toolbar: {4e7bd74f-2b8d-469e-bfdc-cf39f0d3f960} - c:\progra~1\prodeg~1\PRODEG~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: Dispatch Toolbar: {4e7bd74f-2b8d-469e-bfdc-cf39f0d3f960} - c:\progra~1\prodeg~1\PRODEG~1.DLL
TB: {4E7BD74F-2B8D-469E-87BA-B92FE9CAAE38} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [vptray] c:\program files\navnt\vptray.exe
dRun: [Power2GoExpress] NA
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157945637361
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://www.vzwpix.com/activex/VerizonWirelessUploadControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner~1.you\applic~1\mozilla\firefox\profiles\wpby62tg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - www.msnbc.com
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-1-5 111184]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-1-5 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-1-5 155160]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-1-5 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-1-5 352920]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2006-9-10 200576]
S2 Norton AntiVirus Server;Norton AntiVirus Client;c:\program files\navnt\rtvscan.exe [2002-2-20 471040]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2006-9-10 69692]

=============== Created Last 30 ================

2009-02-18 16:41 <DIR> -cd----- c:\docume~1\owner~1.you\applic~1\KompoZer
2009-02-18 16:39 <DIR> -cd----- c:\program files\KompoZer 0.7.10
2009-02-17 20:35 <DIR> -cd----- c:\program files\P90X
2009-02-17 19:59 <DIR> -cd----- c:\program files\MagicISO

==================== Find3M ====================

2009-02-09 03:19 1,846,272 ac------ c:\windows\system32\win32k.sys
2008-01-15 17:18 34,688 ac------ c:\docume~1\owner~1.you\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 12:29:21.06 ===============
MusicBecca is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-15-2009, 02:41 PM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,767
OS: 2000 Pro; XP Pro; XP Home


Re: Need to Make Sure Spyware/Trojan is Gone
Quote:
there is a ComboFix folder with "n" and "nircmd" which are both ms-dos applications.
C:\ComboFix should have been deleted, but if it's still present, please delete it.

Quote:
Back in C there are also two text documents: "Bug" and "ComboFix".
These can be deleted.

Quote:
And finally two other files: "boot.bak" and "cmldr".
Please leave these. One is backup boot.ini, the other is part of Recovery Console.

It might be useful to also run this tool on the desktop to help tidy up

Please download OTCleanIt and save it to desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

I'll be back a bit later after I review the logs for your laptop.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-15-2009, 03:25 PM   #15 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,767
OS: 2000 Pro; XP Pro; XP Home


Re: Need to Make Sure Spyware/Trojan is Gone
Quote:
run SpyBot on it just in case and it found virtumonde
I'm not seeing any active infection in these logs. What exactly, and where, did Spybot find something? File path, registry location, etc...

Also, did this machine used to have Norton installed or is it part of a domain sometimes?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-15-2009, 03:42 PM   #16 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 18
OS: xp service pack 2 (build2600)


Re: Need to Make Sure Spyware/Trojan is Gone
SpyBot found Virtumond here: "C:\WINDOWS\system32\ZuneMTPZ.dll" on 3/13... then it looked like it had taken care of it but then i decided to run the scan again and it found it w/ a different .dll. I'm running it again right now to see if it finds it again.... i'll post again when it is finished

and yes i used to have norton on here but I do remember than when I uninstalled it there was some error but I didnt think anything of it because it looked like it was gone.
MusicBecca is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-15-2009, 03:56 PM   #17 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,767
OS: 2000 Pro; XP Pro; XP Home


Re: Need to Make Sure Spyware/Trojan is Gone
Ok, thanks.

ZuneMTPZ.dll would seem to be a false positive, it seems this is a file related to Zune, which is installed on this machine. I'd be interested in seeing a logfile from Spybot.

Please use the instructions on this page to completely uninstall your Norton Products.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-15-2009, 04:18 PM   #18 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 18
OS: xp service pack 2 (build2600)


Re: Need to Make Sure Spyware/Trojan is Gone
Alright, in spybot I found the report section and check of to report everything because Im not sure exactly what you needed to see.... I have attatched it. Please tell me if you needed something different.
Attached Files
File Type: txt spybot.txt (246.4 KB, 1 views)
MusicBecca is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-15-2009, 04:40 PM   #19 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,767
OS: 2000 Pro; XP Pro; XP Home


Re: Need to Make Sure Spyware/Trojan is Gone
I'll have to take some time to review that...in the interim, this is a simple way to see what it's removed

Run SpyBot check for problems, fix all red items, when its finished right click and choose copy results (not full report) to clipboard and paste that back here please.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 03-15-2009, 05:11 PM   #20 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 18
OS: xp service pack 2 (build2600)


Re: Need to Make Sure Spyware/Trojan is Gone
Hey, just an update via my desktop. SpyBot is still running on the laptop... froze the first time around, Probably because I was trying to run the report at the same time. Anyway, Virtumonde showed up again. C:\WINDOWS\system32\zipfldr.dll. As soon as it's done I'll paste the results in here.

Also, some time ago I found a gif annimation online that reminds me of your icon but it's bloody and (I think) hilarious.... mind if I upload it?
MusicBecca is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
 
Page 1 of 2 1 2

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 02:35 PM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85