IE crash after "Insecure Internet activity", "Security Center Alert" popup

This is a discussion on IE crash after "Insecure Internet activity", "Security Center Alert" popup within the Resolved HJT Threads forums, part of the Tech Support Forum category.


 
 
12-06-2008, 11:44 AM   #1
morty343, Registered Member
Join Date: Dec 2008
Posts: 21
OS: XP 32

This began after dumbly going to some non-commercial website. NAV auto-protect did initially detect an infection, but indicated it could not quarantine or delete.

Now when launching IE6, it attempts to redirect to a fake virus software website. When I choose the "not recommended" link, IE crashes shortly afterward. Also, I get a fake "Security Center Alert" popup every few minutes. I stupidly clicked on the link to update the security center.

With System Restore deactivated, I have run (all updated, full scans in safe mode) NAV, Ad-aware, Spybot, SpySweeper, Avira and CCleaner. (Then I found this website and learned I should have waited to do this.) Spybot found a couple of registry entries, but that was the only detection made by any of the programs, other than NAV's initial auto-protect message. File gmer.txt is attached.

dds.txt:

DDS (Version 1.0) - NTFSx86
Run by Mike at 13:22:43.09 on Sat 12/06/2008
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1399 [GMT -6:00]

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe Photoshop Lightroom 1.4\apdproxy.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Documents and Settings\Mike\Application Data\Google\kjzna1562565.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Microsoft Reference\Bookshelf 98\qshelf98.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Mike\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uDefault_Page_URL = https://www.google.com/ig/dell?hl=en&...us&ibd=5080113
mDefault_Page_URL = hxxp://www.dell.com
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5080113
uInternet Settings,ProxyOverride = localhost; 127.0.0.1;*.local
uInternet Settings,ProxyServer = ftp=localhost:8118;gopher=localhost:8118;http=localhost:8118;https=localhost:8118;socks=localhost:9050
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
uRun: [Smax4] "c:\documents and settings\mike\application data\google\kjzna1562565.exe"
mRun: [Apoint] "c:\program files\apoint\Apoint.exe"
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Dell QuickSet] "c:\program files\dell\quickset\quickset.exe"
mRun: [SigmatelSysTrayApp] "c:\windows\stsystra.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [WavXMgr] "c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe"
mRun: [SecureUpgrade] "c:\program files\wave systems corp\SecureUpgrade.exe"
mRun: [KADxMain] "c:\windows\system32\KADxMain.exe"
mRun: [ISUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] "c:\progra~1\symant~1\VPTray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe photoshop lightroom 1.4\apdproxy.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
StartupFolder: c:\docume~1\mike\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\handspring\HOTSYNC.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\qshelf.lnk - c:\program files\microsoft reference\bookshelf 98\qshelf98.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {D05B7858-86E2-466D-BF69-A5D871651874} = 4.2.2.1,4.2.2.2
Notify: gemsafe - c:\program files\gemplus\gemsafe libraries\bin\WLEventNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
LSA: Authentication Packages = msv1_0 wvauth

============= SERVICES / DRIVERS ===============

R0 PBADRV;PBADRV;c:\windows\system32\drivers\PBADRV.sys [2008-1-13 26608]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-11-12 29808]
R1 avgio;avgio;\??\c:\program files\avira\antivir personaledition classic\avgio.sys [2008-12-6 11840]
R1 DLARTL_M;DLARTL_M;c:\windows\system32\drivers\DLARTL_M.SYS [2008-1-13 28184]
R1 SAVRT;SAVRT;\??\c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;\??\c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-7-7 611664]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;"c:\program files\avira\antivir personaledition classic\sched.exe" [2008-12-6 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;"c:\program files\avira\antivir personaledition classic\avguard.exe" [2008-12-6 151297]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;"c:\program files\broadcom\asfipmon\AsfIpMon.exe" -service [2006-12-19 79432]
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccEvtMgr.exe" [2006-11-21 192104]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSetMgr.exe" [2006-11-21 169576]
R2 Symantec AntiVirus;Symantec AntiVirus;"c:\program files\symantec antivirus\Rtvscan.exe" [2007-3-14 1816768]
R2 TdmService;TdmService;c:\program files\wave systems corp\trusted drive manager\TdmService.exe [2007-9-7 737280]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe /Processid:{BDFEFE06-0F3F-44F4-984D-3BF2A1CA8D75} [2004-8-11 5120]
R2 WavxDMgr;WavxDMgr;c:\windows\system32\drivers\WavxDMgr.sys [2007-9-10 161280]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;"c:\program files\webroot\webrootsecurity\SpySweeper.exe" [2008-11-12 3667312]
R2 WRConsumerService;Webroot Client Service;"c:\program files\webroot\webrootsecurity\WRConsumerService.exe" [2008-12-6 1086840]
R3 avgntflt;avgntflt;\??\c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-12-6 52032]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-7 99376]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081206.003\naveng.sys [2008-12-6 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081206.003\navex15.sys [2008-12-6 876112]
R3 WaveFDE;Wave System Power Monitor Device Driver;c:\windows\system32\drivers\WaveFDE.sys [2007-9-7 18176]
S3 RTIUSB;RTI USB Driver;c:\windows\system32\drivers\RTIusb.sys [2005-9-30 17920]
S3 SavRoam;SAVRoam;"c:\program files\symantec antivirus\SavRoam.exe" [2007-3-14 116416]
S3 SecureStorageService;SecureStorageService;"c:\program files\wave systems corp\secure storage manager\SecureStorageService.exe" [2007-8-31 486400]
S3 WaveEnrollmentService;WaveEnrollmentService;"c:\program files\wave systems corp\authentication manager\WaveEnrollmentService.exe" [2007-9-13 192512]

=============== Created Last 30 ================

2008-12-06 13:16 250 a------- c:\windows\gmer.ini
2008-12-06 11:53 <DIR> --d----- c:\program files\CCleaner
2008-12-06 11:52 <DIR> --d----- c:\program files\Avira
2008-12-06 11:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2008-12-06 11:50 <DIR> --d----- C:\Binaries
2008-12-06 11:50 1,553,272 a------- c:\windows\WRSetup.dll
2008-12-06 11:50 <DIR> --d----- c:\program files\Webroot
2008-12-06 11:50 <DIR> --d----- c:\docume~1\mike\applic~1\Webroot
2008-12-06 11:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Webroot
2008-12-06 00:34 <DIR> --d----- c:\docume~1\mike\applic~1\Malwarebytes
2008-12-06 00:34 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-06 00:34 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-06 00:34 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-06 00:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-05 23:12 <DIR> --d----- c:\program files\Trend Micro
2008-12-05 23:08 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-05 21:15 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-11-29 00:46 23,576 a------- c:\windows\system32\wuapi.dll.mui
2008-11-18 13:43 <DIR> --d----- c:\program files\Sony
2008-11-12 16:02 170,608 a------- c:\windows\system32\drivers\ssidrv.sys
2008-11-12 16:02 29,808 a------- c:\windows\system32\drivers\ssfs0bbc.sys
2008-11-12 16:02 23,152 a------- c:\windows\system32\drivers\sshrmd.sys

==================== Find3M ====================

2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll

============= FINISH: 13:22:57.43 ===============
Attached: gmer.txt (48.1 KB)

12-06-2008, 12:13 PM   #2
sUBs, TSF Security Team Emeritus
Join Date: May 2005
Posts: 26,363
OS: N/A

Before any work can be done on this machine, there is something that requires your immediate intervention.

This machine is messed up pretty badly because you have several anti-virus programs on your machine. That's not a good idea!!

Like firewalls, anti-virus programs conflict when co-existing with each other and produce undesirable results. Please uninstall ALL, leaving only one of them.

ALL the antivirus programs must be removed via add/remove program.
For any program that doesn't have an add/remove entry, you will have to do this:
re-install the program -> reboot -> uninstall
Post fresh logs when you have completed the above task.

12-06-2008, 12:19 PM   #3
morty343, Registered Member
Join Date: Dec 2008
Posts: 21
OS: XP 32

I'm on it, will leave NAV unless advised otherwise.

12-06-2008, 03:53 PM   #4
morty343, Registered Member
Join Date: Dec 2008
Posts: 21
OS: XP 32

Ok, removed all AV and malware killing programs except NAV. Re-ran GMER and DDS. Files are attached, and here is DDS.txt:

DDS (Version 1.0) - NTFSx86
Run by Mike at 17:37:16.21 on Sat 12/06/2008
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1433 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe Photoshop Lightroom 1.4\apdproxy.exe
C:\Documents and Settings\Mike\Application Data\Google\kjzna1562565.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Microsoft Reference\Bookshelf 98\qshelf98.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Mike\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uDefault_Page_URL = https://www.google.com/ig/dell?hl=en&...us&ibd=5080113
mDefault_Page_URL = hxxp://www.dell.com
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5080113
uInternet Settings,ProxyOverride = localhost; 127.0.0.1;*.local
uInternet Settings,ProxyServer = ftp=localhost:8118;gopher=localhost:8118;http=localhost:8118;https=localhost:8118;socks=localhost:9050
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
uRun: [Smax4] "c:\documents and settings\mike\application data\google\kjzna1562565.exe"
mRun: [Apoint] "c:\program files\apoint\Apoint.exe"
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SigmatelSysTrayApp] "c:\windows\stsystra.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [WavXMgr] "c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe"
mRun: [SecureUpgrade] "c:\program files\wave systems corp\SecureUpgrade.exe"
mRun: [KADxMain] "c:\windows\system32\KADxMain.exe"
mRun: [ISUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] "c:\progra~1\symant~1\VPTray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe photoshop lightroom 1.4\apdproxy.exe"
StartupFolder: c:\docume~1\mike\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\handspring\HOTSYNC.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\qshelf.lnk - c:\program files\microsoft reference\bookshelf 98\qshelf98.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {D05B7858-86E2-466D-BF69-A5D871651874} = 4.2.2.1,4.2.2.2
Notify: gemsafe - c:\program files\gemplus\gemsafe libraries\bin\WLEventNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
LSA: Authentication Packages = msv1_0 wvauth

============= SERVICES / DRIVERS ===============

R0 PBADRV;PBADRV;c:\windows\system32\drivers\PBADRV.sys [2008-1-13 26608]
R1 DLARTL_M;DLARTL_M;c:\windows\system32\drivers\DLARTL_M.SYS [2008-1-13 28184]
R1 SAVRT;SAVRT;\??\c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;\??\c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;"c:\program files\broadcom\asfipmon\AsfIpMon.exe" -service [2006-12-19 79432]
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccEvtMgr.exe" [2006-11-21 192104]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSetMgr.exe" [2006-11-21 169576]
R2 Symantec AntiVirus;Symantec AntiVirus;"c:\program files\symantec antivirus\Rtvscan.exe" [2007-3-14 1816768]
R2 TdmService;TdmService;c:\program files\wave systems corp\trusted drive manager\TdmService.exe [2007-9-7 737280]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe /Processid:{BDFEFE06-0F3F-44F4-984D-3BF2A1CA8D75} [2004-8-11 5120]
R2 WavxDMgr;WavxDMgr;c:\windows\system32\drivers\WavxDMgr.sys [2007-9-10 161280]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-7 99376]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081206.003\naveng.sys [2008-12-6 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081206.003\navex15.sys [2008-12-6 876112]
R3 WaveFDE;Wave System Power Monitor Device Driver;c:\windows\system32\drivers\WaveFDE.sys [2007-9-7 18176]
S3 RTIUSB;RTI USB Driver;c:\windows\system32\drivers\RTIusb.sys [2005-9-30 17920]
S3 SavRoam;SAVRoam;"c:\program files\symantec antivirus\SavRoam.exe" [2007-3-14 116416]
S3 SecureStorageService;SecureStorageService;"c:\program files\wave systems corp\secure storage manager\SecureStorageService.exe" [2007-8-31 486400]
S3 WaveEnrollmentService;WaveEnrollmentService;"c:\program files\wave systems corp\authentication manager\WaveEnrollmentService.exe" [2007-9-13 192512]

=============== Created Last 30 ================

2008-12-06 17:13 <DIR> --d----- c:\windows\system32\appmgmt
2008-12-06 13:16 250 a------- c:\windows\gmer.ini
2008-12-06 11:50 <DIR> --d----- C:\Binaries
2008-12-06 00:34 <DIR> --d----- c:\docume~1\mike\applic~1\Malwarebytes
2008-12-06 00:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-05 23:12 <DIR> --d----- c:\program files\Trend Micro
2008-11-29 00:46 23,576 a------- c:\windows\system32\wuapi.dll.mui
2008-11-18 13:43 <DIR> --d----- c:\program files\Sony

==================== Find3M ====================

2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll

============= FINISH: 17:37:24.15 ===============
Attached: Attach.zip (3.2 KB), gmer.zip (3.2 KB)

12-06-2008, 05:33 PM   #5
sUBs, TSF Security Team Emeritus
Join Date: May 2005
Posts: 26,363
OS: N/A

Please visit this webpage for instructions for downloading and running ComboFix:

https://www.bleepingcomputer.com/comb...o-use-combofix

Post the log from ComboFix when you've accomplished that.

12-06-2008, 09:25 PM   #6
morty343, Registered Member
Join Date: Dec 2008
Posts: 21
OS: XP 32


Ok, thanks! Finally had a chance to go through the procedure; looks like the popup has been taken care of, and the browser redirect is gone too. So far so good!

ComboFix report:

ComboFix 08-12-06.04 - Mike 2008-12-06 23:10:27.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1439 [GMT -6:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mike\Application Data\Google\kjzna1562565.exe
c:\windows\IE4 Error Log.txt
c:\windows\system32\x64

.
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-06 13:16 . 2008-12-06 17:38 250 --a------ c:\windows\gmer.ini
2008-12-06 11:50 . 2008-12-06 11:50 <DIR> d-------- C:\Binaries
2008-12-06 00:34 . 2008-12-06 00:34 <DIR> d-------- c:\documents and settings\Mike\Application Data\Malwarebytes
2008-12-06 00:34 . 2008-12-06 00:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-05 23:12 . 2008-12-05 23:12 <DIR> d-------- c:\program files\Trend Micro
2008-11-29 00:46 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-11-18 13:43 . 2008-11-18 13:43 <DIR> d-------- c:\program files\Sony

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 05:14 --------- d-----w c:\program files\Symantec AntiVirus
2008-12-06 23:15 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-06 03:14 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-18 19:43 --------- d--h--w c:\program files\InstallShield Installation Information
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-18 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-18 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-18 138008]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"SigmatelSysTrayApp"="c:\windows\stsystra.exe" [2007-02-18 303104]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 92160]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-14 125632]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"Adobe Photo Downloader"="c:\program files\Adobe Photoshop Lightroom 1.4\apdproxy.exe" [2008-04-01 61440]

c:\documents and settings\Mike\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Handspring\HOTSYNC.EXE [2008-04-17 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-01-13 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Qshelf.lnk - c:\program files\Microsoft Reference\Bookshelf 98\qshelf98.exe [2008-01-25 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 15:20 73728 c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Mike\\Desktop\\rel_3.2_1A07\\ac3loader.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=

R1 DLARTL_M;DLARTL_M;c:\windows\system32\Drivers\DLARTL_M.SYS [2008-01-13 28184]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;"c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe" -service [2006-12-19 79432]
R2 TdmService;TdmService;c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe [2007-09-07 737280]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe /Processid:{BDFEFE06-0F3F-44F4-984D-3BF2A1CA8D75} [2004-08-11 5120]
R2 WavxDMgr;WavxDMgr;c:\windows\system32\DRIVERS\WavxDMgr.sys [2007-09-10 161280]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-02 97536]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-07 99376]
R3 WaveFDE;Wave System Power Monitor Device Driver;c:\windows\system32\DRIVERS\WaveFDE.sys [2007-09-07 18176]
S3 RTIUSB;RTI USB Driver;c:\windows\system32\Drivers\RTIusb.sys [2005-09-30 17920]
S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2007-03-14 116416]
S3 SecureStorageService;SecureStorageService;"c:\program files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe" [2007-08-31 486400]
S3 WaveEnrollmentService;WaveEnrollmentService;"c:\program files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe" [2007-09-13 192512]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Smax4 - c:\documents and settings\Mike\Application Data\Google\kjzna1562565.exe



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-12-06 23:13:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(728)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\SigmaTel\C-Major Audio\WDM\stacsv.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
c:\windows\system32\dllhost.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-06 23:15:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-07 05:15:48

Pre-Run: 103,232,155,648 bytes free
Post-Run: 103,335,972,864 bytes free

morty343 is offline  
Old 12-06-2008, 09:39 PM   #7
TSF Security Team
Emeritus
Join Date: May 2005
Posts: 26,363
OS: N/A



Open NOTEPAD.exe and copy/paste the text in the codebox below:
(don't forget to copy and paste REGEDIT4)

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000

Save this as fix.reg. Choose to "Save type as - All Files".
It should look like this:
Double click on fix.reg & allow it to merge into the registry.


---------------


Using Internet Explorer, visit https://www.kaspersky.com/service?chapter=161739400

Vista users right click on the Internet Explorer shortcut, and choose Run As Administrator.

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
sUBs is offline  
Old 12-06-2008, 09:44 PM   #8
Registered Member
 
Join Date: Dec 2008
Posts: 21
OS: XP 32



After making the change to the registry, do you want me to run ComboFix again, and post the log?
morty343 is offline  
Old 12-06-2008, 09:45 PM   #9
TSF Security Team
Emeritus
Join Date: May 2005
Posts: 26,363
OS: N/A



That's not necessary. Let's wait for the Kaspersky scan report.
sUBs is offline  
Old 12-06-2008, 11:36 PM   #10
Registered Member
 
Join Date: Dec 2008
Posts: 21
OS: XP 32



(I disabled NAV auto-protect before the scan, but noticed it somehow re-enabled during the scan. I disabled it again while the scan was running.) Here is the scan report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, December 7, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, December 07, 2008 03:56:00
Records in database: 1441542
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 53803
Threat name: 9
Infected objects: 17
Suspicious objects: 2
Duration of the scan: 00:53:34


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Documents\desktemp\UBCD4WinV320.exe Infected: not-a-virus:NetTool.Win32.Portscan.c 1
C:\Documents and Settings\All Users\Documents\desktemp\UBCD4WinV320.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 2
C:\Documents and Settings\All Users\Documents\desktemp\UBCD4WinV320.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 3
C:\Documents and Settings\All Users\Documents\desktemp\UBCD4WinV320.exe Infected: not-a-virus:PSWTool.Win32.PasswordsPro.k 1
C:\Documents and Settings\Mike\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\confirmation letters.dbx Infected: Trojan-Spy.HTML.Paylap.ao 1
C:\Documents and Settings\Mike\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\Inbox.dbx Infected: Trojan-Spy.HTML.Bankfraud.v 1
C:\Documents and Settings\Mike\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\Inbox.dbx Infected: Trojan-Spy.HTML.Bankfraud.ar 1
C:\Documents and Settings\Mike\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\Inbox.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Documents and Settings\Mike\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\Inbox.dbx Infected: Email-Worm.Win32.Sober.y 1
C:\UBCD4Win\plugin\Network\ultravnc\files\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
C:\UBCD4Win\plugin\Network\ultravnc\files\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
C:\UBCD4Win\plugin\Network\VNCServer\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\UBCD4Win\plugin\Network\VNCServer\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\UBCD4Win\plugin\Network\VNCServer\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\UBCD4Win\plugin\Password\passwordspro\files\PasswordsPro.exe Infected: not-a-virus:PSWTool.Win32.PasswordsPro.k 1

The selected area was scanned.
morty343 is offline  
Old 12-07-2008, 02:13 AM   #11
TSF Security Team
Emeritus
Join Date: May 2005
Posts: 26,363
OS: N/A



Quote:
C:\Documents and Settings\Mike\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\confirmation letters.dbx --> Trojan-Spy.HTML.Paylap.ao 1
C:\Documents and Settings\Mike\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\Inbox.dbx --> Trojan-Spy.HTML.Bankfraud.v 1
C:\Documents and Settings\Mike\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\Inbox.dbx --> Trojan-Spy.HTML.Bankfraud.ar 1
C:\Documents and Settings\Mike\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\Inbox.dbx --> Trojan-Spy.HTML.Fraud.gen 2
C:\Documents and Settings\Mike\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\Inbox.dbx --> Email-Worm.Win32.Sober.y 1
It reports some infected emails in Outlook Express. Those are probably junk mail. Best delete them.

Your system is now clean. Kindly follow these simple steps in order to keep your computer clean and secure:

  1. Uninstall ComboFix ... do not skip this step
    This process will perform some post cleanup measures.
    Do this by going to Start > Run & typing in ComboFix /u


  2. ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  3. Microsoft Windows Update - https://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  4. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here - https://www.bleepingcomputer.com/forums/tutorial49.html

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • https://www.trillian.cc - Trillian or https://www.miranda-im.com - Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • https://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • https://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • https://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - https://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
sUBs is offline  
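As an added example (not part of the thread), a small Python triage script that parses the Kaspersky report lines posted above and separates the "not-a-virus:" riskware detections (the VNC and password tools bundled in UBCD4Win) from the real hits in the Outlook Express mail stores, the same distinction sUBs draws in his reply; the totals it computes can be checked against the report's own statistics.

```python
import re
from collections import defaultdict

# Detection lines as posted above (Kaspersky Online Scanner 7: "<path> Infected|Suspicious: <threat> <count>").
REPORT = r"""
C:\Documents and Settings\All Users\Documents\desktemp\UBCD4WinV320.exe Infected: not-a-virus:NetTool.Win32.Portscan.c 1
C:\Documents and Settings\All Users\Documents\desktemp\UBCD4WinV320.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 2
C:\Documents and Settings\All Users\Documents\desktemp\UBCD4WinV320.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 3
C:\Documents and Settings\All Users\Documents\desktemp\UBCD4WinV320.exe Infected: not-a-virus:PSWTool.Win32.PasswordsPro.k 1
C:\Documents and Settings\Mike\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\confirmation letters.dbx Infected: Trojan-Spy.HTML.Paylap.ao 1
C:\Documents and Settings\Mike\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\Inbox.dbx Infected: Trojan-Spy.HTML.Bankfraud.v 1
C:\Documents and Settings\Mike\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\Inbox.dbx Infected: Trojan-Spy.HTML.Bankfraud.ar 1
C:\Documents and Settings\Mike\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\Inbox.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Documents and Settings\Mike\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\Inbox.dbx Infected: Email-Worm.Win32.Sober.y 1
C:\UBCD4Win\plugin\Network\ultravnc\files\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
C:\UBCD4Win\plugin\Network\ultravnc\files\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
C:\UBCD4Win\plugin\Network\VNCServer\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\UBCD4Win\plugin\Network\VNCServer\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\UBCD4Win\plugin\Network\VNCServer\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\UBCD4Win\plugin\Password\passwordspro\files\PasswordsPro.exe Infected: not-a-virus:PSWTool.Win32.PasswordsPro.k 1
"""

LINE = re.compile(r"^(?P<path>.+?) (?P<status>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$")

def parse_report(text):
    """One dict per detection line; non-matching lines (headers, blanks) are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            hits.append({**m.groupdict(), "count": int(m.group("count"))})
    return hits

def triage(hits):
    """Split hits per file into riskware (Kaspersky's not-a-virus: prefix, e.g. the VNC and
    password tools in UBCD4Win) and real malware; also total the infected/suspicious object counts."""
    s = {"riskware": defaultdict(list), "malware": defaultdict(list), "infected": 0, "suspicious": 0}
    for h in hits:
        bucket = "riskware" if h["threat"].startswith("not-a-virus:") else "malware"
        s[bucket][h["path"]].append(h["threat"])
        s["infected" if h["status"] == "Infected" else "suspicious"] += h["count"]
    return s

if __name__ == "__main__":
    s = triage(parse_report(REPORT))
    print(f"infected objects: {s['infected']}, suspicious: {s['suspicious']}")
    for path, threats in s["malware"].items():
        print("ACTION NEEDED:", path, threats)
    for path in s["riskware"]:
        print("riskware, review before deleting:", path)
```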
Old 12-07-2008, 10:07 AM   #12
Registered Member
 
Join Date: Dec 2008
Posts: 21
OS: XP 32



Thanks sUBs, much appreciated! I will take the remaining steps above.
morty343 is offline  
Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2020, vBulletin Solutions, Inc.
vBulletin Security provided by vBSecurity v2.2.2 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
User Alert System provided by Advanced User Tagging v3.1.0 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
Copyright 2001 - 2018, Tech Support Forum