

pop up i can hear but cant see.need help

This is a discussion on pop up i can hear but cant see.need help within the Resolved HJT Threads forums, part of the Tech Support Forum category.


 
 
Old 07-29-2010, 08:29 AM   #1
Registered Member
 
Join Date: Jul 2010
Posts: 17
OS: xp



I'm not very sure what to do. I tried several antimalware programs: I tried Avast, I tried Malwarebytes.
I did the DDS, and when I try to do the GMER it was stopping, saying iexplore.exe could have been infected with a rootkit. Each time I try to follow up with it, my computer freezes. So here is the DDS report.
Tell me what I can add to make it easier for you.
Thank you.

(I just replaced the name with XXXX)
DDS (Ver_10-03-17.01) - NTFSx86
Run by xxxxxx at 0:21:31.31 on Thu 07/29/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2313 [GMT -4:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe 4
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
svchost.exe 4
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Lexmark Pro200-S500 Series\lxebmon.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\ManyCam 2.4\ManyCam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe
C:\WINDOWS\system32\CSHelper.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxebserv.exe
C:\WINDOWS\system32\lxebcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\BurnAware Free\NMSAccess32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Henry Masten\My Documents\antoine\66\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://nhworksjobmatch.nhes.nh.gov/
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*https://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*https://www.yahoo.com
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ManyCam] "c:\program files\manycam 2.4\ManyCam.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [lxebmon.exe] "c:\program files\lexmark pro200-s500 series\lxebmon.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [DLCXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCXtime.dll,[email protected]
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {4F29DE54-5EB7-4D76-B610-A86B5CD2A234} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebPlayer.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1270528109843
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
DPF: {FAB2BB9D-91E9-457E-9D42-75A7FCCBBC00} - hxxp://dsc-big-catch.s3.amazonaws.com/plugin/DFusionHomeWebPlugIn.Installer.exe
TCP: {99B0B6B9-A00C-40AF-8371-2B53AFD2E2C5} = 8.8.8.8,8.8.4.4
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-20 165456]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-27 214664]
R1 NEOFLTR_600_12023;Juniper Networks TDI Filter Driver (NEOFLTR_600_12023);c:\windows\system32\drivers\NEOFLTR_600_12023.sys [2007-8-10 63024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-20 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-20 40384]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-7-21 266240]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R2 lxeb_device;lxeb_device;c:\windows\system32\lxebcoms.exe -service --> c:\windows\system32\lxebcoms.exe -service [?]
R2 lxebCATSCustConnectService;lxebCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxebserv.exe [2010-1-12 193192]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [2007-4-15 34712]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-26 24652]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-20 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-20 40384]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
R3 WsAudioDevice_383;WsAudioDevice_383;c:\windows\system32\drivers\WsAudioDevice_383.sys [2009-9-19 16640]
S1 SBRE;SBRE;c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-29 136176]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2008-11-12 1527900]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-5 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-5 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-1-5 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-1-5 40552]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 TFilter;TFilter;\??\c:\progra~1\avanqu~1\system~1\tfilter.sys --> c:\progra~1\avanqu~1\system~1\TFilter.sys [?]
S3 XDva212;XDva212;\??\c:\windows\system32\xdva212.sys --> c:\windows\system32\XDva212.sys [?]
S3 XDva215;XDva215;\??\c:\windows\system32\xdva215.sys --> c:\windows\system32\XDva215.sys [?]
S3 XDva219;XDva219;\??\c:\windows\system32\xdva219.sys --> c:\windows\system32\XDva219.sys [?]
S3 XDva224;XDva224;\??\c:\windows\system32\xdva224.sys --> c:\windows\system32\XDva224.sys [?]
S3 XDva259;XDva259;\??\c:\windows\system32\xdva259.sys --> c:\windows\system32\XDva259.sys [?]
S3 XDva279;XDva279;\??\c:\windows\system32\xdva279.sys --> c:\windows\system32\XDva279.sys [?]
S3 XDva302;XDva302;\??\c:\windows\system32\xdva302.sys --> c:\windows\system32\XDva302.sys [?]
S3 XDva309;XDva309;\??\c:\windows\system32\xdva309.sys --> c:\windows\system32\XDva309.sys [?]

=============== Created Last 30 ================

2010-07-29 03:17:46 7168 --sha-w- c:\windows\system32\Thumbs.db
2010-07-28 16:23:46 0 d-----w- c:\docume~1\henrym~1\applic~1\Malwarebytes
2010-07-28 16:23:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-28 16:23:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-28 16:23:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-28 16:23:33 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-28 02:39:41 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-07-23 03:08:29 0 d-----w- c:\docume~1\alluse~1\applic~1\LAG
2010-07-23 03:08:18 0 d-----w- c:\windows\11AE680750D24F5982B32C3E695E94C2.TMP
2010-07-21 21:55:44 17686528 ----a-w- c:\windows\system32\mkl_blueripple.dll
2010-07-21 21:55:44 1347584 ----a-w- c:\windows\system32\rapture3d_oal.dll
2010-07-21 21:55:43 0 d-----w- c:\program files\BRS
2010-07-21 21:48:54 0 d-----w- c:\program files\OpenAL
2010-07-21 21:48:53 445016 ----a-w- c:\windows\system32\wrap_oal.dll
2010-07-21 21:48:53 109144 ----a-w- c:\windows\system32\OpenAL32.dll
2010-07-19 20:28:06 0 d-----w- c:\program files\Zeta Centauri
2010-07-17 14:21:26 0 d-----w- C:\users
2010-07-17 14:21:04 0 d-----w- c:\program files\Daniusoft
2010-07-17 02:00:22 0 d-----w- c:\program files\AIM Toolbar
2010-07-17 02:00:22 0 d-----w- c:\docume~1\alluse~1\applic~1\AIM Toolbar
2010-07-17 02:00:17 0 d-----w- c:\program files\common files\Software Update Utility
2010-07-17 02:00:11 0 d-----w- c:\docume~1\alluse~1\applic~1\AIM
2010-07-17 01:59:54 0 d-----w- c:\program files\AIM
2010-07-14 11:31:56 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-06 02:26:17 0 d-----w- c:\program files\Speccy
2010-07-04 06:05:35 292208 ----a-w- c:\windows\system32\YSys.dll
2010-07-04 06:05:34 0 d-----w- c:\windows\system32\hwswchecker
2010-07-04 06:05:34 0 d-----w- c:\program files\GameTap Web Player
2010-07-04 06:05:10 0 d-----w- c:\docume~1\alluse~1\applic~1\GameTap Web Player
2010-07-01 12:31:01 290816 ----a-w- c:\windows\system32\cyviewer.ocx
2010-07-01 12:31:01 0 d-----w- c:\program files\Ashampoo
2010-06-29 22:52:05 38848 ----a-w- c:\windows\avastSS.scr

==================== Find3M ====================

2094-01-28 01:15:14 42512 ----a-w- c:\windows\fonts\AnkeCalligraph.TTF
2010-07-29 01:03:24 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-06-23 23:41:05 71552 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-06-02 08:55:30 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-06-02 08:55:30 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-06-02 08:55:30 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-05-26 15:41:02 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-05-26 15:41:02 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-05-26 15:41:02 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-05-26 15:41:02 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2010-05-26 15:41:02 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2007-08-27 09:12:37 251 -c--a-w- c:\program files\wt3d.ini
2007-03-22 19:38:27 61 -csh--w- c:\windows\cnerolf.bin
2008-07-01 15:16:09 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008070120080702\index.dat

============= FINISH: 0:21:51.37 ===============
Attached file: Attach.txt (16.5 KB, 20 views)
aneth is offline  
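A helper reads a DDS log like the one above by hand, looking for a handful of patterns before anything else: IE extensions (BHO/TB) whose DLL is gone, ActiveX download entries (DPF) that deliver an executable, the DNS servers on each interface (TCP:), and services or drivers whose binary DDS could not find. As an added example, not code from this thread, from DDS or from any of the tools mentioned, here is a small Python triage pass that applies exactly those rules. Every input line is copied verbatim from the DDS log posted above (the Adobe BHO and Windows Update DPF lines are there as negative cases); the function and category names are mine, and the reading of DDS's trailing `[?]` marker as "file not found at the registered path" is my interpretation of the format, not something the tool documents on this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Input: lines copied verbatim from the DDS log posted above. The Adobe BHO and
# the Windows Update DPF entry are included so the rules have negative cases.
SAMPLE_DDS = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1270528109843
DPF: {FAB2BB9D-91E9-457E-9D42-75A7FCCBBC00} - hxxp://dsc-big-catch.s3.amazonaws.com/plugin/DFusionHomeWebPlugIn.Installer.exe
TCP: {99B0B6B9-A00C-40AF-8371-2B53AFD2E2C5} = 8.8.8.8,8.8.4.4
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-20 165456]
S1 SBRE;SBRE;c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
S3 XDva212;XDva212;\??\c:\windows\system32\xdva212.sys --> c:\windows\system32\XDva212.sys [?]
"""


@dataclass(frozen=True)
class Finding:
    category: str   # which rule fired
    key: str        # CLSID, interface GUID or service name
    detail: str


# Google Public DNS. Anything else on a TCP: line has to be judged against the
# resolvers the ISP or the user actually configured.
KNOWN_PUBLIC_DNS = {"8.8.8.8", "8.8.4.4"}

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# "R1 name;display;path [date size]"  or  "... --> path [?]"
SERVICE_RE = re.compile(r"^[RS][0-4]\s+([^;]+);[^;]*;(.*)$")


def _clsid(line: str) -> str:
    m = CLSID_RE.search(line)
    return m.group(0) if m else line


def triage_line(line: str) -> Optional[Finding]:
    line = line.strip()
    if not line:
        return None
    # IE extension still registered but its DLL is gone: leftover of a removed
    # program or an earlier cleanup. Harmless, but the CLSID should be removed.
    if line.startswith(("BHO:", "TB:")) and line.endswith(" - No File"):
        return Finding("orphaned_clsid", _clsid(line),
                       "IE extension registered with no DLL on disk; remove the CLSID")
    # DPF = Downloaded Program Files (ActiveX installs). A .cab is the normal
    # packaging; an .exe delivered this way deserves a look.
    if line.startswith("DPF:"):
        target = line.rsplit(" - ", 1)[-1]
        if target.lower().split("?", 1)[0].endswith(".exe"):
            return Finding("dpf_executable", _clsid(line),
                           "ActiveX download entry points at an .exe: " + target)
        return None
    # TCP: = per-interface DNS servers. DNS changers live here, so the line is
    # always reported; the helper confirms who configured the resolvers.
    if line.startswith("TCP:") and "=" in line:
        servers = [s.strip() for s in line.split("=", 1)[1].split(",") if s.strip()]
        unknown = [s for s in servers if s not in KNOWN_PUBLIC_DNS]
        what = ("Google Public DNS" if not unknown
                else "resolvers not on the known-public list: " + ", ".join(unknown))
        return Finding("dns_review", _clsid(line),
                       "DNS = " + ", ".join(servers) + " (" + what + ")")
    # Service/driver line. The trailing "[?]" is read here as "DDS could not
    # find the binary at its registered path" (assumption, see lead-in).
    m = SERVICE_RE.match(line)
    if m and m.group(2).endswith("[?]"):
        return Finding("service_file_missing", m.group(1),
                       "service registered but its file was not found: " + m.group(2))
    return None


def triage(report: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in report.splitlines()) if f is not None]


def summary(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.category:22} {f.key:40} {f.detail}")
    print(summary(triage(SAMPLE_DDS)))
```

Run against the full SERVICES / DRIVERS section of the posted log, the `service_file_missing` rule alone fires on the eight XDva###.sys entries, SBRE, TFilter and npggsvc; that list is the starting point for the helper's questions, not a verdict, since a missing driver file is as often an uninstalled game or security product as it is malware.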
Old 07-29-2010, 08:38 AM   #2
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Hello, and Welcome to TSF.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions, and please do not do any fixing on your own or run any scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from this location only!

    ComboFix link, click here

  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


    You can get help on disabling your protection programs here
  3. Double-click on ComboFix and follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.



    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
tetonbob is offline  
Old 07-29-2010, 08:40 AM   #3
Registered Member
 
Join Date: Jul 2010
Posts: 17
OS: xp



OK, will do. Should I get offline to be safe?
aneth is offline  
Old 07-29-2010, 08:41 AM   #4
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



The machine needs an active internet connection while ComboFix is working. ComboFix does disable and restore the internet connection.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
tetonbob is offline  
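The next post in the thread reports ComboFix finding an MBR bootkit on \\.\PhysicalDrive0 and disinfecting it. Nothing on this page shows what that sector looks like before or after, and a practitioner wants a way to look at it independently of the cleanup tool. As an added example, not code from the thread, from ComboFix or from DDS, here is a Python check of sector 0: it parses the four partition-table entries, verifies the 0x55AA boot signature, hashes the 440 bytes of boot code so the sector can be compared against a known-good baseline (a hash taken from the same machine before infection, or from the OS's standard MBR code), and reports the unallocated sectors between the MBR and the first partition, which is where MBR bootkits commonly keep their body and the original MBR. The sample MBR is constructed inside the block; the `read_sector0` helper and every function name are mine, and the device path is the one ComboFix names in the following post. One caveat belongs with the example: a bootkit that hooks the disk stack can return a clean sector 0 to any read made from the running OS, so a clean result is only trustworthy when the sector was read from a boot outside that OS.

```python
import hashlib
import struct
from typing import Dict, List, Optional

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0..439 hold the boot code; 440..443 the disk signature
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
PART_ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xaa"     # bytes 510..511


def read_sector0(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the MBR from a raw disk. Needs administrator rights on Windows
    (root and a path such as /dev/sda on Linux). Not called by the self-test."""
    with open(device, "rb") as f:
        return f.read(SECTOR)


def build_sample_mbr(boot_code: bytes = b"\xfa\x33\xc0\x8e\xd0",
                     active: bool = True, signed: bool = True) -> bytes:
    """Constructed test input, not a real disk image: one NTFS (type 0x07)
    partition starting at LBA 63, the usual XP-era layout. The default boot
    code is a few plausible opening bytes (cli; xor ax,ax; mov ss,ax)."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    mbr[440:444] = b"\x12\x34\x56\x78"                     # arbitrary disk signature
    entry = struct.pack(PART_ENTRY, 0x80 if active else 0x00, b"\x01\x01\x00",
                        0x07, b"\xfe\xff\xff", 63, 1_000_000)
    mbr[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    if signed:
        mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def parse_mbr(sector: bytes) -> Dict:
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * 16
        status, _, ptype, _, lba, count = struct.unpack(PART_ENTRY, sector[off:off + 16])
        if ptype == 0 and count == 0:
            continue                                        # empty slot
        parts.append({"index": i, "status": status, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIG,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: Optional[str] = None) -> List[str]:
    """Return FAIL/WARN/NOTE strings. No FAILs is necessary, not sufficient:
    read the sector from a clean boot medium, not from the suspect OS."""
    info = parse_mbr(sector)
    out: List[str] = []
    if not info["signature_ok"]:
        out.append("FAIL: boot signature 0x55AA missing; not a valid MBR")
    parts = info["partitions"]
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            out.append(f"FAIL: partition {p['index']} has invalid status byte 0x{p['status']:02x}")
    if not any(p["status"] == 0x80 for p in parts):
        out.append("WARN: no active partition; standard MBR code would not boot this disk")
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if b["lba_start"] < a["lba_start"] + a["sectors"]:
            out.append(f"FAIL: partitions {a['index']} and {b['index']} overlap")
    if baseline_boot_code_sha256 is not None and info["boot_code_sha256"] != baseline_boot_code_sha256:
        out.append("FAIL: boot code differs from baseline hash " + baseline_boot_code_sha256[:16])
    if ordered:
        gap = ordered[0]["lba_start"] - 1
        if gap > 0:
            out.append(f"NOTE: {gap} unallocated sectors (LBA 1-{gap}) before the first partition; "
                       "MBR bootkits commonly keep their body and the original MBR there, dump and inspect them")
    return out


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = parse_mbr(good)["boot_code_sha256"]
    for label, sample in [("clean", good),
                          ("no signature", build_sample_mbr(signed=False)),
                          ("boot code replaced", build_sample_mbr(boot_code=b"\xeb\xfe"))]:
        print(label, check_mbr(sample, baseline))
```

The partition table alone says little: a bootkit that only swaps the 440 bytes of boot code and stores the original MBR elsewhere leaves the table intact, which is why the baseline hash, not the structural checks, is the part that detects the replacement; for the machine in this thread, hashing sector 0 after ComboFix's disinfection and again after a reboot is the cheap way to confirm the infection does not come back.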
Old 07-29-2010, 09:21 AM   #5
Registered Member
 
Join Date: Jul 2010
Posts: 17
OS: xp



OK, here's what I got. Looks like Bootkit Whistler was found and disinfected.
(I just replaced my full name with xxxxxxx)

ComboFix 10-07-27.04 - xxxxx 07/29/2010 11:53:37.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2605 [GMT -4:00]
Running from: c:\documents and settings\xxxxx\My Documents\antoine\66\wCFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Install.exe
C:\Thumbs.db
c:\windows\system32\bszip.dll
c:\windows\system32\drivers\1028_DELL_XPS_Dell DM061 .MRK
c:\windows\system32\drivers\DELL_XPS_Dell DM061 .MRK
c:\windows\system32\Thumbs.db

.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE


((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-29 )))))))))))))))))))))))))))))))
.

2010-07-29 04:45 . 2010-07-29 04:45 -------- d-----w- c:\documents and settings\xxxxxxx\Application Data\ElevatedDiagnostics
2010-07-28 16:23 . 2010-07-28 16:23 -------- d-----w- c:\documents and settings\xxxxxxx\Application Data\Malwarebytes
2010-07-28 16:23 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-28 16:23 . 2010-07-28 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-28 16:23 . 2010-07-28 16:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-28 16:23 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-28 02:39 . 2010-06-01 17:37 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-07-27 20:20 . 2010-07-27 20:20 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-07-27 08:37 . 2010-07-27 08:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Yahoo
2010-07-27 08:37 . 2010-07-27 08:37 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-07-27 08:37 . 2010-07-27 08:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\AIM Toolbar
2010-07-27 01:36 . 2010-07-27 01:36 -------- d-----w- c:\program files\Common Files\Skype
2010-07-23 03:08 . 2010-07-23 03:08 -------- d-----w- c:\documents and settings\Henry Masten\Local Settings\Application Data\LAG
2010-07-23 03:08 . 2010-07-23 03:08 -------- d-----w- c:\documents and settings\All Users\Application Data\LAG
2010-07-23 03:08 . 2010-07-23 03:08 -------- d-----w- c:\windows\11AE680750D24F5982B32C3E695E94C2.TMP
2010-07-21 21:55 . 2009-11-18 22:11 1347584 ----a-w- c:\windows\system32\rapture3d_oal.dll
2010-07-21 21:55 . 2009-11-01 17:11 17686528 ----a-w- c:\windows\system32\mkl_blueripple.dll
2010-07-21 21:55 . 2010-07-21 21:55 -------- d-----w- c:\program files\BRS
2010-07-21 21:48 . 2010-07-21 21:48 -------- d-----w- c:\program files\OpenAL
2010-07-21 21:48 . 2010-07-21 21:48 445016 ----a-w- c:\windows\system32\wrap_oal.dll
2010-07-21 21:48 . 2010-07-21 21:48 109144 ----a-w- c:\windows\system32\OpenAL32.dll
2010-07-19 20:28 . 2010-07-19 20:28 2238 ----a-r- c:\documents and settings\Henry Masten\Application Data\Microsoft\Installer\{A7596859-749A-47E3-A2F3-D6DADD29D40A}\RoboBlather.exe1_A7596859749A47E3A2F3D6DADD29D40A.exe
2010-07-19 20:28 . 2010-07-19 20:28 10134 ----a-r- c:\documents and settings\Henry Masten\Application Data\Microsoft\Installer\{A7596859-749A-47E3-A2F3-D6DADD29D40A}\ARPPRODUCTICON.exe
2010-07-19 20:28 . 2010-07-19 20:28 -------- d-----w- c:\program files\Zeta Centauri
2010-07-17 14:21 . 2010-07-17 14:21 -------- d-----w- C:\users
2010-07-17 14:21 . 2010-07-17 14:21 -------- d-----w- c:\program files\Daniusoft
2010-07-17 02:38 . 2010-07-17 02:38 -------- d-----w- c:\documents and settings\Henry Masten\Local Settings\Application Data\AIM Toolbar
2010-07-17 02:00 . 2010-07-17 02:00 -------- d-----w- c:\program files\AIM Toolbar
2010-07-17 02:00 . 2010-07-17 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM Toolbar
2010-07-17 02:00 . 2010-07-17 02:00 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-07-17 02:00 . 2010-07-27 02:35 -------- d-----w- c:\documents and settings\xxxxxxx\Local Settings\Application Data\AIM
2010-07-17 02:00 . 2010-07-17 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2010-07-17 01:59 . 2010-07-17 02:00 -------- d-----w- c:\program files\AIM
2010-07-14 11:31 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-06 02:26 . 2010-07-06 02:26 -------- d-----w- c:\program files\Speccy
2010-07-04 06:13 . 2010-07-04 06:13 1589248 ----a-w- c:\documents and settings\All Users\Application Data\GameTap Web Player\appdata\bindata\data\GTArcade.dll
2010-07-04 06:09 . 2010-07-04 06:09 1658880 ----a-w- c:\documents and settings\All Users\Application Data\GameTap Web Player\appdata\bindata\data\naur.dll
2010-07-04 06:06 . 2010-07-04 06:06 2686976 ----a-w- c:\documents and settings\All Users\Application Data\GameTap Web Player\appdata\bindata\data\pcgitl.dll
2010-07-04 06:05 . 2010-03-24 00:38 292208 ----a-w- c:\windows\system32\YSys.dll
2010-07-04 06:05 . 2010-07-04 06:05 -------- d-----w- c:\program files\GameTap Web Player
2010-07-04 06:05 . 2010-07-04 06:05 -------- d-----w- c:\windows\system32\hwswchecker
2010-07-04 06:05 . 2010-07-04 06:06 -------- d-----w- c:\documents and settings\All Users\Application Data\GameTap Web Player
2010-07-01 12:31 . 2010-07-01 12:31 -------- d-----w- c:\program files\Ashampoo
2010-06-29 22:52 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-29 03:07 . 2008-12-17 12:54 -------- d-----w- c:\program files\Opera
2010-07-29 01:03 . 2008-03-12 00:24 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-07-28 02:27 . 2007-08-24 11:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-07-28 02:27 . 2007-08-24 11:02 -------- d-----w- c:\program files\Yahoo!
2010-07-27 15:53 . 2007-12-25 16:07 -------- d-----w- c:\program files\ValuSoft
2010-07-27 01:45 . 2008-11-04 02:55 -------- d-----w- c:\documents and settings\xxxxxxxxxxx\Application Data\Skype
2010-07-27 01:34 . 2008-11-04 02:56 -------- d-----w- c:\documents and settings\xxxxxxxxxxx\Application Data\skypePM
2010-07-23 03:08 . 2007-10-24 00:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-21 21:59 . 2010-03-20 03:04 -------- d-----w- c:\program files\NCSoft
2010-07-21 21:59 . 2007-03-06 11:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-21 14:50 . 2007-03-06 13:37 -------- d-----w- c:\program files\Google
2010-07-19 22:50 . 2010-04-12 04:05 -------- d-----w- c:\program files\Mixxx
2010-07-13 01:26 . 2008-03-23 16:07 -------- d-----w- c:\program files\dl_cats
2010-07-04 18:23 . 2009-09-19 16:29 -------- d-----w- c:\documents and settings\Henry Masten\Application Data\Software Informer
2010-07-01 21:05 . 2010-06-22 16:08 66 ----a-w- c:\documents and settings\All Users\Application Data\Lexmark Pro200-S500 Series\Job Status\Scripts\fw4446W01.bat
2010-07-01 21:05 . 2010-06-22 16:08 66 ----a-w- c:\documents and settings\All Users\Application Data\Lexmark Pro200-S500 Series\Job Status\Scripts\fw44432W2.bat
2010-07-01 21:05 . 2010-06-22 16:08 66 ----a-w- c:\documents and settings\All Users\Application Data\Lexmark Pro200-S500 Series\Job Status\Scripts\fw4444301.bat
2010-07-01 21:05 . 2010-06-22 16:08 66 ----a-w- c:\documents and settings\All Users\Application Data\Lexmark Pro200-S500 Series\Job Status\Scripts\fw4444201.bat
2010-07-01 21:05 . 2010-06-22 16:08 66 ----a-w- c:\documents and settings\All Users\Application Data\Lexmark Pro200-S500 Series\Job Status\Scripts\fw4444101.bat
2010-07-01 21:05 . 2010-06-22 16:08 66 ----a-w- c:\documents and settings\All Users\Application Data\Lexmark Pro200-S500 Series\Job Status\Scripts\fw4443301.bat
2010-07-01 21:05 . 2010-06-22 16:08 66 ----a-w- c:\documents and settings\All Users\Application Data\Lexmark Pro200-S500 Series\Job Status\Scripts\fw4443201.bat
2010-07-01 21:05 . 2010-06-22 16:08 66 ----a-w- c:\documents and settings\All Users\Application Data\Lexmark Pro200-S500 Series\Job Status\Scripts\fw4443101.bat
2010-06-28 20:57 . 2010-06-20 21:20 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2010-06-20 21:20 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2010-06-20 21:20 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2010-06-20 21:20 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2010-06-20 21:20 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2010-06-20 21:20 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2010-06-20 21:20 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2010-06-20 21:20 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-27 23:23 . 2008-09-11 04:37 -------- d-----w- c:\program files\BurnAware Free
2010-06-23 23:41 . 2009-07-15 14:37 71552 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-06-22 16:08 . 2010-01-14 19:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Lexmark Pro200-S500 Series
2010-06-20 21:19 . 2010-06-20 21:19 -------- d-----w- c:\program files\Alwil Software
2010-06-20 21:19 . 2010-06-20 21:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-06-20 20:53 . 2010-01-30 16:06 -------- d-----w- c:\program files\Common Files\AntiVirus
2010-06-19 02:25 . 2010-06-18 23:37 -------- d-----w- c:\program files\Igneous
2010-06-15 22:10 . 2008-01-20 02:45 -------- d-----w- c:\program files\CCleaner
2010-06-14 14:31 . 2007-03-06 10:42 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-09 18:04 . 2010-02-18 23:49 -------- d-----w- c:\program files\Windows Desktop Search
2010-06-09 12:43 . 2010-06-09 12:43 -------- d-----w- c:\documents and settings\xxxxxxxxxxx\Application Data\Windows Search
2010-06-06 16:55 . 2008-03-15 14:59 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-02 08:55 . 2010-06-18 23:38 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-06-02 08:55 . 2010-06-18 23:38 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-06-02 08:55 . 2010-06-18 23:38 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-05-26 15:41 . 2010-06-18 23:38 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-05-26 15:41 . 2010-06-18 23:38 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-05-26 15:41 . 2010-06-18 23:38 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-05-26 15:41 . 2010-06-18 23:38 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-05-26 15:41 . 2010-06-18 23:38 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2010-05-19 00:24 . 2010-05-19 00:24 413696 ----a-w- c:\documents and settings\xxxxxxxxxxx\Application Data\Total Immersion\Web\Player\gen\2.30\wrap_oal.dll
2010-05-19 00:24 . 2010-05-19 00:24 32768 ----a-w- c:\documents and settings\xxxxxxxxxxx\Application Data\Total Immersion\Web\Player\gen\2.30\inpout32.dll
2010-05-19 00:24 . 2010-05-19 00:24 610304 ----a-w- c:\documents and settings\xxxxxxxxxxx\Application Data\Total Immersion\Web\Player\gen\2.30\highgui100.dll
2010-05-19 00:24 . 2010-05-19 00:24 237568 ----a-w- c:\documents and settings\xxxxxxxxxxx\Application Data\Total Immersion\Web\Player\gen\2.30\glut32.dll
2010-05-19 00:24 . 2010-05-19 00:24 3426072 ----a-w- c:\documents and settings\xxxxxxxxxxx\Application Data\Total Immersion\Web\Player\gen\2.30\d3dx9_32.dll
2010-05-19 00:24 . 2010-05-19 00:24 937984 ----a-w- c:\documents and settings\xxxxxxxxxxx\Application Data\Total Immersion\Web\Player\gen\2.30\cxcore100.dll
2010-05-19 00:24 . 2010-05-19 00:24 724992 ----a-w- c:\documents and settings\xxxxxxxxxxx\Application Data\Total Immersion\Web\Player\gen\2.30\cv100.dll
2010-05-19 00:24 . 2010-05-19 00:24 2449408 ----a-w- c:\documents and settings\xxxxxxxxxxx\Application Data\Total Immersion\Web\Player\gen\2.30\cg.dll
2010-05-19 00:24 . 2010-05-19 00:24 593920 ----a-w- c:\documents and settings\xxxxxxxxxxx\Application Data\Total Immersion\Web\Player\gen\2.30\RenderSystem_GL.dll
2010-05-19 00:24 . 2010-05-19 00:24 389120 ----a-w- c:\documents and settings\xxxxxxxxxxx\Application Data\Total Immersion\Web\Player\gen\2.30\RenderSystem_Direct3D9.dll
2010-05-19 00:24 . 2010-05-19 00:24 103424 ----a-w- c:\documents and settings\xxxxxxxxxxx\Application Data\Total Immersion\Web\Player\gen\2.30\Plugin_ParticleFX.dll
2010-05-19 00:24 . 2010-05-19 00:23 57344 ----a-w- c:\documents and settings\xxxxxxxxxxx\Application Data\Total Immersion\Web\Player\gen\2.30\Plugin_CgProgramManager.dll
2010-05-19 00:23 . 2010-05-19 00:23 110592 ----a-w- c:\documents and settings\xxxxxxxxxxx\Application Data\Total Immersion\Web\Player\gen\2.30\OpenAL32.dll
2010-05-19 00:23 . 2010-05-19 00:23 5496320 ----a-w- c:\documents and settings\xxxxxxxxxxx\Application Data\Total Immersion\Web\Player\gen\2.30\OgreMain.dll
2010-05-19 00:23 . 2010-05-19 00:23 5324800 ----a-w- c:\documents and settings\xxxxxxxxxxx\Application Data\Total Immersion\Web\Player\gen\2.30\DFusionWebPlayer.dll
2010-05-06 10:41 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 11:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2007-08-27 09:12 . 2007-08-27 09:12 251 -c--a-w- c:\program files\wt3d.ini
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\opera\program\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\opera\program\plugins\ssldivx.dll
2007-03-22 19:38 . 2007-03-22 19:38 61 -csh--w- c:\windows\cnerolf.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ManyCam"="c:\program files\ManyCam 2.4\ManyCam.exe" [2009-12-19 1824040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-21 61440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"lxebmon.exe"="c:\program files\Lexmark Pro200-S500 Series\lxebmon.exe" [2009-08-10 766632]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
"DLCXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-10-16 106496]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-3-6 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2009-08-10 11:39 139944 ----a-w- c:\program files\Lexmark Pro200-S500 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark Pro200-S500 Series Fax Server]
2009-08-10 11:38 316072 ----a-w- c:\program files\Lexmark Pro200-S500 Series\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
2009-02-03 18:05 233304 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Quicken WillMaker Plus 2004\\qlp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\WINDOWS\\system32\\dlcxcoms.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\WINDOWS\\system32\\lxebcoms.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Lexmark\\Dashboard\\LX__Dashboard.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\GameTap Web Player\\bin\\release\\GameTapPlayer.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56636:TCP"= 56636:TCP:Pando Media Booster
"56636:UDP"= 56636:UDP:Pando Media Booster
"57691:TCP"= 57691:TCP:Pando Media Booster
"57691:UDP"= 57691:UDP:Pando Media Booster
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/20/2010 5:20 PM 165456]
R1 NEOFLTR_600_12023;Juniper Networks TDI Filter Driver (NEOFLTR_600_12023);c:\windows\system32\drivers\NEOFLTR_600_12023.sys [8/10/2007 1:07 AM 63024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/20/2010 5:20 PM 17744]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [7/21/2009 10:10 AM 266240]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R2 lxeb_device;lxeb_device;c:\windows\system32\lxebcoms.exe -service --> c:\windows\system32\lxebcoms.exe -service [?]
R2 lxebCATSCustConnectService;lxebCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxebserv.exe [1/12/2010 11:41 AM 193192]
R2 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [4/15/2007 6:53 PM 34712]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/26/2007 6:53 AM 24652]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 6:06 AM 21632]
R3 WsAudioDevice_383;WsAudioDevice_383;c:\windows\system32\drivers\WsAudioDevice_383.sys [9/19/2009 12:18 PM 16640]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/29/2010 11:54 AM 136176]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [11/12/2008 3:17 PM 1527900]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 TFilter;TFilter;\??\c:\progra~1\AVANQU~1\SYSTEM~1\TFilter.sys --> c:\progra~1\AVANQU~1\SYSTEM~1\TFilter.sys [?]
S3 XDva212;XDva212;\??\c:\windows\system32\XDva212.sys --> c:\windows\system32\XDva212.sys [?]
S3 XDva215;XDva215;\??\c:\windows\system32\XDva215.sys --> c:\windows\system32\XDva215.sys [?]
S3 XDva219;XDva219;\??\c:\windows\system32\XDva219.sys --> c:\windows\system32\XDva219.sys [?]
S3 XDva224;XDva224;\??\c:\windows\system32\XDva224.sys --> c:\windows\system32\XDva224.sys [?]
S3 XDva259;XDva259;\??\c:\windows\system32\XDva259.sys --> c:\windows\system32\XDva259.sys [?]
S3 XDva279;XDva279;\??\c:\windows\system32\XDva279.sys --> c:\windows\system32\XDva279.sys [?]
S3 XDva302;XDva302;\??\c:\windows\system32\XDva302.sys --> c:\windows\system32\XDva302.sys [?]
S3 XDva309;XDva309;\??\c:\windows\system32\XDva309.sys --> c:\windows\system32\XDva309.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = https://nhworksjobmatch.nhes.nh.gov/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*https://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*https://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
TCP: {99B0B6B9-A00C-40AF-8371-2B53AFD2E2C5} = 8.8.8.8,8.8.4.4
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {4F29DE54-5EB7-4D76-B610-A86B5CD2A234} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebPlayer.cab
DPF: {FAB2BB9D-91E9-457E-9D42-75A7FCCBBC00} - hxxp://dsc-big-catch.s3.amazonaws.com/plugin/DFusionHomeWebPlugIn.Installer.exe
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
AddRemove-The Free Tuareg 1.5 - c:\program files\Bram Bos\Tuareg Free\DeIsL1.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2010-07-29 12:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,[email protected]???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,39,c8,a8,fd,54,5e,65,49,a7,58,75,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,60,01,af,6a,79,a0,eb,45,b5,0c,9a,\

[HKEY_USERS\S-1-5-21-1960408961-329068152-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e4,a0,a5,46,82,cf,85,6c,2d,43,07,e5,0d,69,ab,40,9f,15,8a,30,39,73,5e,
ac,2d,0e,2d,55,5e,27,e8,90,73,39,b8,88,c3,7a,2a,53,f5,07,51,02,c8,93,d5,c3,\
"??"=hex:58,6b,2c,2f,be,f8,88,53,eb,e6,a2,9b,97,9a,99,b5

[HKEY_USERS\S-1-5-21-1960408961-329068152-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:e9,05,de,07,d4,f2,0f,c3,ad,5b,dd,d7,c4,90,d0,bd,4d,1c,dc,5e,07,
3d,39,7a,74,3e,e2,1a,25,7a,61,e2,40,a3,77,de,11,23,9d,02,56,a4,19,04,3d,da,\
"rkeysecu"=hex:84,06,94,9c,9c,c4,85,81,04,8b,75,2d,d2,e9,40,54

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(6376)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\dlcxcoms.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\windows\system32\lxebcoms.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\BurnAware Free\NMSAccess32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\dllhost.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2010-07-29 12:12:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-29 16:12

Pre-Run: 156,591,935,488 bytes free
Post-Run: 156,573,388,800 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - C417CE52C16D294823FD90BEA51D7FC2
aneth is offline  
Old 07-29-2010, 09:23 AM   #6
TSF Security Manager
Emeritus
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Hi -

Please don't edit the logs. I may need the full and correct path. We can remove the name later. Please attach the C:\ComboFix.txt log.

Also, I should think the popup sound is gone, correct?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
tetonbob is offline  
Old 07-29-2010, 09:26 AM   #7
Registered Member
 
Join Date: Jul 2010
Posts: 17
OS: xp



Well, sorry, I already saved it with the xxxx.
And yes, for now I didn't get any sound from the pop up, so is it fixed?
Attached Files
File Type: txt log.txt (27.3 KB, 19 views)
aneth is offline  
Old 07-29-2010, 09:28 AM   #8
TSF Security Manager
Emeritus
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



The log which opens is in %temp%

Is the log you've attached the log located at C:\ComboFix.txt? I don't think so, because it's named log.txt, which is the temp log which opens. Please go to C:\ComboFix.txt and post or attach that log.

What does xxxx signify?
tetonbob is offline  
Old 07-29-2010, 09:35 AM   #9
Registered Member
 
Join Date: Jul 2010
Posts: 17
OS: xp



Just a name.
Here's the file. Kind of looks the same, but I didn't add any xxxx hehe.
Still no pop up sounds. Should I run this software on every computer, or should I wait until a problem occurs? I'm sure there is always a risk....
Attached Files
File Type: txt ComboFix.txt (27.4 KB, 18 views)
aneth is offline  
Old 07-29-2010, 09:39 AM   #10
TSF Security Manager
Emeritus
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Thank you. No, ComboFix should not be run without an initial analysis of symptoms and logs, by someone trained in its use.

We've resolved the main threat, the Whistler bootkit infection. Still a bit of work to do.

Next steps...

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:

    DirLook::
    c:\program files\Common Files\AntiVirus

    Driver::
    XDva212
    XDva215
    XDva219
    XDva224
    XDva259
    XDva279
    XDva302
    XDva309
    Reglock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000000



    Save this as CFScript.txt




    Referring to the picture above, drag CFScript.txt into ComboFix.exe
  3. ComboFix may request an update; please allow it.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.


    ---------------------------------------------------------------------------------------------
tetonbob is offline  
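As an added example (not code from this thread, from ComboFix, or from its author), here is a small Python triage helper for the service and registry lines in the shape ComboFix prints them above: `R`/`S` state, start type, name, display name and image path, with a trailing `[?]` marking an image ComboFix could not find on disk, plus the Security Center `AntiVirusOverride` value. It drafts the `Driver::` and `Registry::` sections of a CFScript like the one in this post; the sample log lines are constructed from this thread, and which orphaned services to list stays the analyst's decision, so a filter is passed in (the post above picked only the XDva entries).

```python
import re

# Constructed sample in the shape ComboFix prints service and registry lines in this thread:
# "<R|S><start type> <name>;<display name>;<image path> [<date size>]" when the image exists,
# "<registered path> --> <resolved path> [?]" when the image file was not found on disk.
SAMPLE_LOG = r"""
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/20/2010 5:20 PM 165456]
S3 XDva212;XDva212;\??\c:\windows\system32\XDva212.sys --> c:\windows\system32\XDva212.sys [?]
S3 XDva215;XDva215;\??\c:\windows\system32\XDva215.sys --> c:\windows\system32\XDva215.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"""

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
TRAILING_BRACKET_RE = re.compile(r"\s*\[[^\]]*\]\s*$")
SECURITY_CENTER_KEY = r"[hkey_local_machine\software\microsoft\security center]"
OVERRIDE_RE = re.compile(r'^"AntiVirusOverride"=dword:(?P<value>[0-9a-fA-F]{8})\s*$')


def parse_services(log_text):
    """Return one dict per service line: state (R=running, S=stopped), start type,
    name, image path, and whether ComboFix flagged the image as missing with [?]."""
    services = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.rstrip())
        if not m:
            continue
        rest = m.group("rest").rstrip()
        missing = rest.endswith("[?]")
        # For a missing image ComboFix prints "<registered path> --> <resolved path> [?]";
        # keep the resolved path, then drop the trailing [...] in either case.
        image = rest.split(" --> ")[-1] if missing else rest
        image = TRAILING_BRACKET_RE.sub("", image)
        services.append({
            "state": m.group("state"),
            "start_type": int(m.group("start")),
            "name": m.group("name").strip(),
            "image": image,
            "image_missing": missing,
        })
    return services


def security_center_overridden(log_text):
    """True when AntiVirusOverride under the Security Center key is non-zero.
    A non-zero value suppresses Security Center's antivirus alerts; the post above resets it to 0."""
    in_key = False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_key = stripped.lower() == SECURITY_CENTER_KEY
        elif in_key:
            m = OVERRIDE_RE.match(stripped)
            if m:
                return int(m.group("value"), 16) != 0
    return False


def build_cfscript(log_text, driver_filter=lambda svc: True):
    """Draft the Driver:: and Registry:: sections of a CFScript from the log.
    driver_filter lets the analyst choose which orphaned services to list; the Driver::
    directive removes the named service entries, so each candidate is reviewed first."""
    orphans = [svc["name"] for svc in parse_services(log_text)
               if svc["image_missing"] and driver_filter(svc)]
    sections = []
    if orphans:
        sections.append("Driver::\n" + "\n".join(orphans))
    if security_center_overridden(log_text):
        sections.append("Registry::\n"
                        r"[HKEY_LOCAL_MACHINE\software\microsoft\security center]" "\n"
                        '"AntiVirusOverride"=dword:00000000')
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    # Mirror the post above: only the XDva* entries were chosen for removal.
    print(build_cfscript(SAMPLE_LOG, driver_filter=lambda svc: svc["name"].startswith("XDva")))
```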
Old 07-29-2010, 10:11 AM   #11
Registered Member
 
Join Date: Jul 2010
Posts: 17
OS: xp



OK, I'm glad you know what you are doing; this is looking like my Applied Finite Math class to me. Well, thank you. What's next?
Attached Files
File Type: txt ComboFix.txt (34.3 KB, 17 views)
aneth is offline  
Old 07-29-2010, 10:23 AM   #12
TSF Security Manager
Emeritus
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Good job. Heheh, Applied Mathematics, eh? I'm quite sure that would seem foreign to me.

Did you once have Comodo installed?

Next....

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs):

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1


These are all outdated, and having them still installed is a security risk. Unfortunately, Java does not uninstall these older versions when you update, nor tell you that you should. Java(TM) 6 Update 18 can be updated from the Java control panel: Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. Let me know if it does not.

Going forward, Java will overwrite existing installs, so removing older versions should not be required after this.

Once the install is complete...

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

I see you have Malwarebytes' AntiMalware installed.

Please update its definitions, and run a new Quick Scan.
  • Launch Malwarebytes' Antimalware
  • On the updates tab, click on Check for Updates
  • If an update is found, it will begin. Once the update is complete..
  • Click on the Scanner tab. Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop. Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.

-------------------------------------------------------------------------------------------

Please run this online scan to help look for remnants.

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.
tetonbob is offline  
Old 07-29-2010, 11:04 AM   #13
Registered Member
 
Join Date: Jul 2010
Posts: 17
OS: xp



OK, I did delete the Java stuff and updated it.

For Comodo I have no idea, I don't recall using it, but maybe in my previous attempt to get a safe computer I may have loaded it.

For Malwarebytes, it's all good.

And still no pop up btw. I'm going to do the last scan and will reply with the log.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4367

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/29/2010 2:03:05 PM
mbam-log-2010-07-29 (14-03-05).txt

Scan type: Quick scan
Objects scanned: 145836
Time elapsed: 14 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
aneth is offline  
Old 07-29-2010, 01:58 PM   #14
Registered Member
 
Join Date: Jul 2010
Posts: 17
OS: xp



Looking like there is more...


[email protected] as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=38b360708ec1004b8de01de769c9cc53
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-07-29 08:54:47
# local_time=2010-07-29 04:54:47 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=768 16777215 100 0 3271929 3271929 0 0
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 20804802 20804802 0 0
# scanned=115446
# found=3
# cleaned=0
# scan_time=9765
C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
C:\Program Files\Windows Live\Messenger\msimg32.dll Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
${Memory} Win32/Toolbar.MyWebSearch application 00000000000000000000000000000000 I
aneth is offline  
Old 07-29-2010, 02:11 PM   #15
TSF Security Manager
Emeritus
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



Good job. We can remove those.

Open NOTEPAD.exe and copy/paste the text in the codebox below into it:
Code:
@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (

"C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe"
"C:\Program Files\Windows Live\Messenger\msimg32.dll"

) do (
del /a/f %%g >nul 2>&1
if exist %%g echo.%%g>>"%temp%\log.txt"
)

if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
del %0
Save this as fix.bat. Choose "Save as type - All Files".
It should look like this:
Double click on fix.bat & allow it to run


You should receive a message, "Deleted Successfully !! Press Any Key to Continue..." Please do, and continue on. If not, let me know.




Other than that....We should be done here. Some final housekeeping instructions, and protection information for you.

Your logs appear clean. You should be good to go. We still have a few items to address.


Disconnect from the internet and disable your AntiVirus temporarily.

Go to -> Run -> copy/paste in the following single line command & click OK

ComboFix /Uninstall
This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Re-enable your AntiVirus now. Reconnect to the internet at your leisure.

Delete any remaining tools we've used (DDS and GMER) and logs from them.

Empty your Recycle Bin.

---------------------------------------------------------------------------------------------

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - https://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

  • Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • Scan here https://secunia.com/vulnerability_scanning/online/ for out of date & vulnerable common applications on your computer

  • https://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP/Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting, and this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles.
If you want to fight back against the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
tetonbob is offline  
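As an added illustration of the HOSTS-file blocking described in the post above (this is example code written for this thread, not the MVPS file or any tool the post links to): the script parses a Windows-style HOSTS file, resolves names against it the way the resolver does (first match wins, names are case-insensitive), and reports which names are sunk to the local machine. The sample HOSTS content and every host name in it are constructed placeholders. It also goes slightly beyond the post by listing entries that map a name to an address other than loopback, which a blocking list never does, so such an entry is worth a second look by whoever maintains the machine.

```python
"""Parse a Windows-style HOSTS file and show how blocking entries work.

Example code for this thread; the sample below is constructed and is not
the MVPS HOSTS file. All host names are placeholders.
"""
import ipaddress
from typing import List, Optional, Tuple

# Addresses a blocking HOSTS file uses as a sink: a name mapped here is
# answered locally and the request never leaves the machine.
BLACKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample HOSTS content in the MVPS style (assumption: these
# names are placeholders, not real ad or vendor hosts).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost

# [Start of entries generated by a blocking list]  (constructed sample)
127.0.0.1  ads.example-adnetwork.test
0.0.0.0    tracker.example-analytics.test   # inline comment
127.0.0.1  banner.example-adnetwork.test  banner2.example-adnetwork.test

# An entry a blocking file would never contain (constructed):
203.0.113.10   update.example-antivirus.test
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (hostname, address) pairs in file order.

    '#' starts a comment; one line may map several names to one address.
    Lines whose first field is not an IP address are skipped.
    """
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed: an address with no name
        address, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # first field is not an IP address
        for name in names:
            entries.append((name.lower(), address))
    return entries


def lookup(entries: List[Tuple[str, str]], hostname: str) -> Optional[str]:
    """Resolve a name the way the resolver consults HOSTS: first match wins."""
    hostname = hostname.lower()
    for name, address in entries:
        if name == hostname:
            return address
    return None  # not in HOSTS; the resolver would go on to DNS


def is_blocked(entries: List[Tuple[str, str]], hostname: str) -> bool:
    """True when HOSTS sinks the name to the local machine."""
    return lookup(entries, hostname) in BLACKHOLE_ADDRESSES


def non_blackhole_entries(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Entries that send a name somewhere other than the local machine.

    A blocking HOSTS file only maps names to loopback/unspecified addresses,
    so anything else deserves a look from whoever maintains the machine.
    """
    return [(n, a) for n, a in entries if a not in BLACKHOLE_ADDRESSES]


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example-adnetwork.test", "update.example-antivirus.test"):
        print(name, "->", lookup(hosts, name), "blocked" if is_blocked(hosts, name) else "not blocked")
    print("entries pointing off the local machine:", non_blackhole_entries(hosts))
```

To run it against a real file instead of the sample, read the HOSTS file (on Windows it lives under the system directory at System32\drivers\etc\hosts) and pass its text to parse_hosts.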
Old 07-29-2010, 02:22 PM   #16
Registered Member
 
Join Date: Jul 2010
Posts: 17
OS: xp



Awesome. Thank you very much. It was so easy to do, hehe.
Are you sure you cannot do my Applied Finite Math? lol
Thank you again.
I will recommend this website.
aneth is offline  
Old 07-29-2010, 03:10 PM   #17
TSF Security Manager
Emeritus
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 52,197
OS: XP Pro; XP Home; Win7 x86 & x64



I don't think you'd like the results if I did your Applied Finite Math.

You're quite welcome for the help.

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.
tetonbob is offline  