Author Topic: Virus not going away  (Read 24067 times)


mr_metoo

  • Guest
Re: Virus not going away
« Reply #30 on: December 05, 2008, 10:46:22 PM »
[File - Lop Check]
C:\Documents and Settings\All Users\Application Data\Winferno\RegPowerClean folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Winferno folder moved successfully.
C:\Documents and Settings\All Users\Application Data\ZangoSA folder moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Zango\Zango\Zango\v3.0\HostOI\dynamic folder moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Zango\Zango\Zango\v3.0\HostOI folder moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Zango\Zango\Zango\v3.0 folder moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Zango\Zango\Zango folder moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Zango\Zango\v3.0\Zango\dynamic folder moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Zango\Zango\v3.0\Zango folder moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Zango\Zango\v3.0 folder moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Zango\Zango folder moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Zango\v3.0\Zango\static\DownLoad folder moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Zango\v3.0\Zango\static\2 folder moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Zango\v3.0\Zango\static\1 folder moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Zango\v3.0\Zango\static folder moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Zango\v3.0\Zango\dynamic\ustat folder moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML folder moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Zango\v3.0\Zango\dynamic folder moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Zango\v3.0\Zango folder moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Zango\v3.0\HostOL\static folder moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Zango\v3.0\HostOL\dynamic folder moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Zango\v3.0\HostOL folder moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Zango\v3.0\HostOI\static folder moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Zango\v3.0\HostOI\dynamic folder moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Zango\v3.0\HostOI folder moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Zango\v3.0 folder moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Zango\IESkins folder moved successfully.
C:\Documents and Settings\NetworkService\Application Data\Zango folder moved successfully.
File C:\Documents and Settings\Owner\Application Data\gadcom not found!
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\static\DownLoad folder moved successfully.
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\static\1 folder moved successfully.
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\static folder moved successfully.
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic folder moved successfully.
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango folder moved successfully.
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\HostOL\static\DownLoad folder moved successfully.
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\HostOL\static\1 folder moved successfully.
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\HostOL\static folder moved successfully.
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\HostOL\dynamic folder moved successfully.
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\HostOL folder moved successfully.
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\HostOI\static folder moved successfully.
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\HostOI\dynamic folder moved successfully.
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\HostOI folder moved successfully.
C:\Documents and Settings\Owner\Application Data\Zango\v3.0 folder moved successfully.
C:\Documents and Settings\Owner\Application Data\Zango folder moved successfully.
File C:\WINDOWS\Tasks\rpc.job not found!
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\History\History.IE5\MSHist012008120520081206\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\hpodvd09.log scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF2FAB.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_234.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.2.1 fix logfile created on 12052008_160200

Files moved on Reboot...
File C:\Documents and Settings\Owner\Local Settings\Temp\nsy8D.tmp\ not found!
C:\Documents and Settings\Owner\Local Settings\Temp\History\History.IE5\MSHist012008120520081206\index.dat moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\hpodvd09.log moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\~DF2FAB.tmp moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_234.dat moved successfully.

Registry entries deleted on Reboot...
Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\tanetezo.dll scheduled to be deleted on reboot.

mr_metoo

  • Guest
Re: Virus not going away
« Reply #31 on: December 05, 2008, 10:46:59 PM »
I think that's everything you needed there. Anything else, just let me know.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Virus not going away
« Reply #32 on: December 05, 2008, 11:40:45 PM »
Hi, can you confirm that you ran the Hijackthis before the OTScanit fix?

If you did, could you re-run Hijackthis and post a new log? Ta

mr_metoo

  • Guest
Re: Virus not going away
« Reply #33 on: December 05, 2008, 11:44:32 PM »
Hi, can you confirm that you ran the Hijackthis before the OTScanit fix?

If you did, could you re-run Hijackthis and post a new log? Ta


I ran the Hijackthis after the OTScanit. I waited till my CPU rebooted after the OTScanit.


Thank you for all your help so far also.

Offline essexboy

Re: Virus not going away
« Reply #34 on: December 06, 2008, 12:01:41 AM »
The reason I asked is that some elements I called for deletion were still present. Let's get one of the bigger boys on it.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.
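As an added example (not from the thread, from OldTimer's tool, or from Avast): a small Python triage script for an OTScanIt-style fix log like the one posted in Reply #30. It classifies each line as moved, not found, or deferred to reboot, and then reports the deferred items that never show up as moved afterwards. That list is the quickest way to see why a helper might find items "still present" after a fix, as noted in Reply #34. The line formats are copied from the log above; the sample excerpt is constructed from a few of those lines, and the regular expressions are an assumption about the tool's output, not its documented format.

```python
import re

# Constructed excerpt in the style of an OTScanIt fix log. The line shapes
# are the ones quoted in Reply #30; the set is trimmed for the example.
SAMPLE_LOG = r"""[File - Lop Check]
C:\Documents and Settings\All Users\Application Data\ZangoSA folder moved successfully.
File C:\Documents and Settings\Owner\Application Data\gadcom not found!
File C:\WINDOWS\Tasks\rpc.job not found!
[Empty Temp Folders]
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_234.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
< End of fix log >

Files moved on Reboot...
C:\WINDOWS\temp\Perflib_Perfdata_234.dat moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be moved on reboot.

Registry entries deleted on Reboot...
Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\tanetezo.dll scheduled to be deleted on reboot.
"""

# Assumed line formats, derived from the log above (not the tool's spec).
MOVED_RE = re.compile(r"^(?P<item>.+?)(?: folder)? moved successfully\.$")
NOT_FOUND_RE = re.compile(r"^File (?P<item>.+?) not found!$")
DEFERRED_RE = re.compile(
    r"^(?:File|Registry) (?:delete|move) failed\. (?P<item>.+?) "
    r"scheduled to be (?:deleted|moved) on reboot\.$"
)


def _norm(item):
    # Windows paths are case-insensitive, and the tool sometimes prints a
    # trailing backslash on a directory it could not find.
    return item.rstrip("\\").lower()


def parse_fix_log(text):
    """Classify every line of an OTScanIt-style fix log.

    Returns a dict with three lists of items, in log order:
      moved     - files/folders the tool moved out of place
      not_found - items requested in the fix that did not exist
      deferred  - items the tool could not touch and scheduled for reboot
    Section headers and "... folder emptied." status lines are skipped.
    """
    result = {"moved": [], "not_found": [], "deferred": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DEFERRED_RE.match(line)
        if m:
            result["deferred"].append(m.group("item"))
            continue
        m = NOT_FOUND_RE.match(line)
        if m:
            result["not_found"].append(m.group("item"))
            continue
        m = MOVED_RE.match(line)
        if m:
            result["moved"].append(m.group("item"))
    return result


def outstanding(text):
    """Deferred items that never appear as moved later in the same log.

    Each item is reported once, in first-seen order. A registry value is
    never 'moved', so a deferred registry deletion stays outstanding until
    a later run confirms it is gone.
    """
    parsed = parse_fix_log(text)
    done = {_norm(i) for i in parsed["moved"]}
    seen, left = set(), []
    for item in parsed["deferred"]:
        key = _norm(item)
        if key in done or key in seen:
            continue
        seen.add(key)
        left.append(item)
    return left


def summarize(text):
    """Counts a helper would glance at before asking for a re-scan."""
    parsed = parse_fix_log(text)
    return {
        "moved": len(parsed["moved"]),
        "not_found": len(parsed["not_found"]),
        "deferred": len(parsed["deferred"]),
        "outstanding": len(outstanding(text)),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for item in outstanding(SAMPLE_LOG):
        print("STILL PRESENT AFTER REBOOT:", item)
```

On the sample, the Perflib temp file is deferred and then moved on reboot, so it drops out; the LocalService index.dat is deferred twice (locked by the running service both times) and the AppInit_DLLs value is a registry deletion with no later confirmation, so those two are what a helper would re-check in the next HijackThis or ComboFix log.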

mr_metoo

  • Guest
Re: Virus not going away
« Reply #35 on: December 06, 2008, 12:11:15 AM »
I'm not sure how to disable my antispyware. I clicked on all 3 links but none of them allow me to save.

mr_metoo

  • Guest
Re: Virus not going away
« Reply #36 on: December 06, 2008, 12:12:05 AM »
I was just able to save it.

Offline essexboy

Re: Virus not going away
« Reply #37 on: December 06, 2008, 12:27:41 AM »
I am just about to turn in now. I will look at the log first thing in the morning.

mr_metoo

  • Guest
Re: Virus not going away
« Reply #38 on: December 06, 2008, 12:49:57 AM »
I appreciate the help

mr_metoo

  • Guest
Re: Virus not going away
« Reply #39 on: December 06, 2008, 12:51:42 AM »
ComboFix 08-12-05.02 - Owner 2008-12-05 18:43:37.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.127 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\bold.log
c:\documents and settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Start Menu\Programs\Zango
c:\documents and settings\All Users\Start Menu\Programs\Zango\Reset Cursor.lnk
c:\documents and settings\All Users\Start Menu\Programs\Zango\Weather.lnk
c:\documents and settings\All Users\Start Menu\Programs\Zango\Zango Customer Support Center.lnk
c:\documents and settings\All Users\Start Menu\Programs\Zango\Zango Games!.lnk
c:\documents and settings\All Users\Start Menu\Programs\Zango\Zango Library.lnk
c:\documents and settings\All Users\Start Menu\Programs\Zango\Zango Screensavers!.lnk
c:\documents and settings\All Users\Start Menu\Programs\Zango\Zango Uninstall Instructions.lnk
c:\documents and settings\All Users\Start Menu\Programs\Zango\Zango Videos!.lnk
c:\documents and settings\Owner\Application Data\WeatherDPA
c:\documents and settings\Owner\Application Data\WeatherDPA\Weather\WeatherStartup.xml
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\FunWebProducts
c:\program files\FunWebProducts\ScreenSaver\Images\002FCC92.urr
c:\program files\FunWebProducts\ScreenSaver\Images\19DEC060.urr
c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
c:\program files\FunWebProducts\Shared\Cache\MailStampBtn-new.html
c:\program files\FunWebProducts\Shared\Cache\MailStampBtn.html
c:\program files\FunWebProducts\Shared\Cache\MyStationeryBtn-new.html
c:\program files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\1.bin\F3BROVLY.DLL
c:\program files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
c:\program files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
c:\program files\MyWebSearch\bar\1.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
c:\program files\MyWebSearch\bar\1.bin\M3HTML.DLL
c:\program files\MyWebSearch\bar\1.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\1.bin\M3MSG.DLL
c:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
c:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
c:\program files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
c:\program files\MyWebSearch\bar\Cache\073E0C3B
c:\program files\MyWebSearch\bar\Cache\073E137E.bin
c:\program files\MyWebSearch\bar\Cache\073E1795.bin
c:\program files\MyWebSearch\bar\Cache\073E19C7.bin
c:\program files\MyWebSearch\bar\Cache\073E1BDB.bin
c:\program files\MyWebSearch\bar\Cache\0F1F6AF2.bin
c:\program files\MyWebSearch\bar\Cache\0F1F70DE.bin
c:\program files\MyWebSearch\bar\Cache\0F1F7255.bin
c:\program files\MyWebSearch\bar\Cache\0F1F7458.bin
c:\program files\MyWebSearch\bar\Cache\files.ini
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\History\search2
c:\program files\MyWebSearch\bar\Message\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\bar\Settings\setting2.htm
c:\program files\MyWebSearch\bar\Settings\settings.dat
c:\program files\OneStepSearch
c:\program files\OneStepSearch\home.js
c:\program files\OneStepSearch\readme.html
c:\program files\video activex access
c:\program files\zango
c:\program files\zango\bin\10.3.75.0\arrow.ico
c:\program files\zango\bin\10.3.75.0\CntntCntr.dll
c:\program files\zango\bin\10.3.75.0\copyright.txt
c:\program files\zango\bin\10.3.75.0\CoreSrv.dll
c:\program files\zango\bin\10.3.75.0\firefox\extensions\chrome.manifest
c:\program files\zango\bin\10.3.75.0\firefox\extensions\components\npclntax.xpt
c:\program files\zango\bin\10.3.75.0\firefox\extensions\install.rdf
c:\program files\zango\bin\10.3.75.0\firefox\extensions\plugins\npclntax_ZangoSA.dll
c:\program files\zango\bin\10.3.75.0\HostOE.dll
c:\program files\zango\bin\10.3.75.0\HostOL.dll
c:\program files\zango\bin\10.3.75.0\link.ico
c:\program files\zango\bin\10.3.75.0\Srv.exe
c:\program files\zango\bin\10.3.75.0\Toolbar.dll
c:\program files\zango\bin\10.3.75.0\Wallpaper.dll
c:\program files\zango\bin\10.3.75.0\Weather.exe
c:\program files\zango\bin\10.3.75.0\WeSkin.dll
c:\program files\zango\bin\10.3.75.0\ZangoSAAX.dll
c:\program files\zango\bin\10.3.75.0\ZangoSADF.exe
c:\program files\zango\bin\10.3.75.0\ZangoSAHook.dll
c:\program files\zango\bin\10.3.75.0\ZangoUninstaller.exe
c:\windows\IE4 Error Log.txt
c:\windows\system32\_003377_.tmp.dll
c:\windows\system32\_003378_.tmp.dll
c:\windows\system32\_003379_.tmp.dll
c:\windows\system32\_003380_.tmp.dll
c:\windows\system32\_003387_.tmp.dll
c:\windows\system32\_003388_.tmp.dll
c:\windows\system32\_003389_.tmp.dll
c:\windows\system32\_003390_.tmp.dll
c:\windows\system32\_003392_.tmp.dll
c:\windows\system32\_003393_.tmp.dll
c:\windows\system32\_003396_.tmp.dll
c:\windows\system32\_003397_.tmp.dll
c:\windows\system32\_003399_.tmp.dll
c:\windows\system32\_003400_.tmp.dll
c:\windows\system32\_003401_.tmp.dll
c:\windows\system32\_003403_.tmp.dll
c:\windows\system32\_003406_.tmp.dll
c:\windows\system32\_003407_.tmp.dll
c:\windows\system32\_003411_.tmp.dll
c:\windows\system32\_003412_.tmp.dll
c:\windows\system32\_003414_.tmp.dll
c:\windows\system32\_003416_.tmp.dll
c:\windows\system32\_003417_.tmp.dll
c:\windows\system32\_003419_.tmp.dll
c:\windows\system32\_003420_.tmp.dll
c:\windows\system32\_003421_.tmp.dll
c:\windows\system32\_003422_.tmp.dll
c:\windows\system32\_003423_.tmp.dll
c:\windows\system32\_003426_.tmp.dll
c:\windows\system32\_003427_.tmp.dll
c:\windows\system32\_003428_.tmp.dll
c:\windows\system32\_003429_.tmp.dll
c:\windows\system32\_003430_.tmp.dll
c:\windows\system32\_003435_.tmp.dll
c:\windows\system32\_003437_.tmp.dll
c:\windows\system32\2m4lxKAr.exe.a_a
c:\windows\system32\alatopus.ini
c:\windows\system32\alog.txt
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\fagopitu.dll
c:\windows\system32\ikezutit.ini
c:\windows\system32\kawolumi.dll
c:\windows\system32\lobofenu.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\o81S622H.exe.a_a
c:\windows\system32\pebapehe.dll
c:\windows\system32\supotala.dll
c:\windows\system32\tituzeki.dll
D:\Autorun.inf


mr_metoo

  • Guest
Re: Virus not going away
« Reply #40 on: December 06, 2008, 12:52:23 AM »
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ONESTEP_SEARCH_SERVICE


(((((((((((((((((((((((((   Files Created from 2008-11-05 to 2008-12-05  )))))))))))))))))))))))))))))))
.

2008-12-05 18:42 . 2008-12-05 18:43   <DIR>   d--------   C:\32788R22FWJFW
2008-12-05 16:29 . 2008-12-05 16:29   <DIR>   d--------   c:\program files\Trend Micro
2008-12-05 16:02 . 2008-12-05 16:02   <DIR>   d--------   C:\_OTScanIt
2008-12-03 11:01 . 2008-12-03 11:01   <DIR>   d--------   c:\windows\system32\config\systemprofile\Application Data\Zango
2008-12-03 11:01 . 2008-12-03 11:01   <DIR>   d--------   c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2008-11-23 00:05 . 2008-11-25 14:20   <DIR>   d--------   c:\documents and settings\Owner\Application Data\DivX
2008-11-22 19:45 . 2008-11-22 19:45   <DIR>   d--------   c:\documents and settings\Owner\Downloads
2008-11-22 19:45 . 2008-11-22 19:47   <DIR>   d--------   c:\documents and settings\Owner\Application Data\NewsLeecher
2008-11-22 19:44 . 2008-11-22 19:44   <DIR>   d--------   c:\program files\NewsLeecher
2008-11-22 17:33 . 2008-11-22 17:34   <DIR>   d--------   c:\program files\DivX
2008-11-15 16:11 . 2008-11-15 16:11   <DIR>   d--------   c:\program files\SopCast
2008-11-12 10:00 . 2008-10-24 06:21   455,296   --a--c---   c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 09:59 . 2008-09-04 12:15   1,106,944   --a--c---   c:\windows\system32\dllcache\msxml3.dll
2008-11-10 09:35 . 2008-11-10 09:35   <DIR>   d--------   c:\program files\TorrentMan
2008-11-10 09:35 . 2008-11-10 09:35   <DIR>   d--------   c:\program files\Conduit

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-04 03:32   ---------   d-----w   c:\documents and settings\Owner\Application Data\Move Networks
2008-11-30 20:21   ---------   d-----w   c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-11-30 20:01   ---------   d--h--r   c:\documents and settings\Owner\Application Data\yahoo!
2008-11-30 19:59   ---------   d-----w   c:\documents and settings\All Users\Application Data\yahoo!
2008-11-12 17:13   ---------   d-----w   c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-10 14:35   ---------   d-----w   c:\program files\BitLord
2008-11-05 00:39   ---------   d-----w   c:\documents and settings\NetworkService\Application Data\AdobeUM
2008-11-05 00:36   ---------   d--h--w   c:\program files\InstallShield Installation Information
2008-11-04 00:19   ---------   d-----w   c:\program files\CyberLink
2008-11-04 00:18   ---------   d-----w   c:\program files\The Weather Channel FW
2008-11-04 00:16   ---------   d-----w   c:\program files\Napster
2008-11-04 00:16   ---------   d-----w   c:\documents and settings\All Users\Application Data\Napster
2008-11-04 00:15   ---------   d-----w   c:\program files\MySpace
2008-11-04 00:14   ---------   d-----w   c:\program files\PartyGaming
2008-11-04 00:13   ---------   d-----w   c:\program files\Vidalia Bundle
2008-11-04 00:13   ---------   d-----w   c:\documents and settings\Owner\Application Data\tor
2008-11-04 00:12   ---------   d-----w   c:\program files\Google
2008-11-04 00:10   ---------   d-----w   c:\program files\Winamp
2008-11-02 03:54   ---------   d-----w   c:\program files\Common Files\Adobe
2008-10-28 22:36   823,296   ----a-w   c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36   823,296   ----a-w   c:\windows\system32\divx_xx07.dll
2008-10-28 22:35   815,104   ----a-w   c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35   802,816   ----a-w   c:\windows\system32\divx_xx11.dll
2008-10-28 22:35   684,032   ----a-w   c:\windows\system32\DivX.dll
2008-10-28 00:53   ---------   d-----w   c:\program files\Netflix
2008-10-26 01:35   ---------   d-----w   c:\program files\Common Files\NSV
2008-10-25 20:42   ---------   d-----w   c:\documents and settings\All Users\Application Data\espionServerData
2008-10-25 20:10   ---------   d-----w   c:\documents and settings\All Users\Application Data\FLEXnet
2008-10-25 20:08   ---------   d-----w   c:\program files\Common Files\Macrovision Shared
2008-10-25 17:01   ---------   d-----w   c:\documents and settings\Owner\Application Data\Winamp
2008-10-25 16:59   ---------   d-----w   c:\documents and settings\All Users\Application Data\OrbNetworks
2008-10-25 16:56   ---------   d-----w   c:\program files\Winamp Remote
2008-10-24 16:04   ---------   d-----w   c:\program files\Microsoft Works
2008-10-24 11:21   455,296   ----a-w   c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 19:13   202,776   ----a-w   c:\windows\system32\wuweb.dll
2008-10-16 19:13   1,809,944   ----a-w   c:\windows\system32\wuaueng.dll
2008-10-16 19:12   561,688   ----a-w   c:\windows\system32\wuapi.dll
2008-10-16 19:12   323,608   ----a-w   c:\windows\system32\wucltui.dll
2008-10-16 19:09   92,696   ----a-w   c:\windows\system32\cdm.dll
2008-10-16 19:09   51,224   ----a-w   c:\windows\system32\wuauclt.exe
2008-10-16 19:09   43,544   ----a-w   c:\windows\system32\wups2.dll
2008-10-16 19:08   34,328   ----a-w   c:\windows\system32\wups.dll
2008-10-16 19:06   268,648   ----a-w   c:\windows\system32\mucltui.dll
2008-10-16 19:06   208,744   ----a-w   c:\windows\system32\muweb.dll
2008-10-15 16:57   332,800   ----a-w   c:\windows\system32\SETB3C.tmp
2008-10-15 16:57   332,800   ----a-w   c:\windows\system32\SET3F2.tmp
2008-10-03 17:41   6,066,176   ----a-w   c:\windows\system32\SET545.tmp
2008-09-30 21:43   1,286,152   ----a-w   c:\windows\system32\msxml4.dll
2008-09-25 08:03   81,920   ----a-w   c:\windows\system32\dpl100.dll
2008-09-25 08:03   593,920   ----a-w   c:\windows\system32\dpuGUI11.dll
2008-09-25 08:03   57,344   ----a-w   c:\windows\system32\dpv11.dll
2008-09-25 08:03   53,248   ----a-w   c:\windows\system32\dpuGUI10.dll
2008-09-25 08:03   524,288   ----a-w   c:\windows\system32\DivXsm.exe
2008-09-25 08:03   344,064   ----a-w   c:\windows\system32\dpus11.dll
2008-09-25 08:03   294,912   ----a-w   c:\windows\system32\dpu11.dll
2008-09-25 08:03   294,912   ----a-w   c:\windows\system32\dpu10.dll
2008-09-25 08:03   196,608   ----a-w   c:\windows\system32\dtu100.dll
2008-09-25 08:03   161,096   ----a-w   c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-19 21:57   3,596,288   ----a-w   c:\windows\system32\qt-dx331.dll
2008-09-19 21:57   129,784   ----a-w   c:\windows\system32\pxafs.dll
2008-09-19 21:57   120,056   ----a-w   c:\windows\system32\pxcpyi64.exe
2008-09-19 21:57   118,520   ----a-w   c:\windows\system32\pxinsi64.exe
2008-09-19 21:55   200,704   ----a-w   c:\windows\system32\ssldivx.dll
2008-09-19 21:55   1,044,480   ----a-w   c:\windows\system32\libdivx.dll
2008-09-19 21:54   12,288   ----a-w   c:\windows\system32\DivXWMPExtType.dll
2008-09-15 12:12   1,846,400   ----a-w   c:\windows\system32\win32k.sys
2008-09-10 01:14   1,307,648   ----a-w   c:\windows\system32\msxml6.dll
2007-07-02 21:29   44   ----a-w   c:\documents and settings\Owner\Application Data\wklnhst.dat

mr_metoo

  • Guest
Re: Virus not going away
« Reply #41 on: December 06, 2008, 12:55:54 AM »
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-07-28 05:47   160496   --a------   c:\progra~1\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerBar"="c:\program files\CyberLink\DVD Solution\PowerBar.exe" [2005-06-28 110592]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"SunKist"="c:\program files\Digital Media Reader\shwicon2k.exe" [2004-05-26 139264]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-03-01 98304]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-11 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe [2005-03-10 757760]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
--a------ 2004-10-18 20:42 79448 c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-04-15 00:05 344064 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 23:56 64512 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2004-11-03 16:03 125528 c:\program files\Common Files\AOL\1141258253\EE\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2005-08-12 15:16 1121792 c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-03-01 19:12 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2002-09-14 01:42 212992 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2005-02-25 20:24 966656 c:\windows\creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-03-14 11:33 171448 c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-01-11 13:44 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 15:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2008-11-05 21:59 4347120 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"PrismXL"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"gusvc"=3 (0x3)

mr_metoo

  • Guest
Re: Virus not going away
« Reply #42 on: December 06, 2008, 12:56:35 AM »
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1141258253\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-09 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-04-09 20560]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\DRIVERS\HSFHWATI.sys [2006-03-01 200192]
S3 AMDMSRIO;AMDMSRIO;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys []
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{7c5c0f58-e061-457d-9033-77307f5ed00c} - (no file)
BHO-{39070b34-de03-44b9-aa07-96d7a56359c6} - c:\windows\system32\kawolumi.dll
BHO-{b408eaf6-3091-4a5c-9b66-5732570e74b7} - c:\windows\system32\kawolumi.dll
Toolbar-{7c5c0f58-e061-457d-9033-77307f5ed00c} - (no file)
WebBrowser-{7C5C0F58-E061-457D-9033-77307F5ED00C} - (no file)
HKCU-Run-Vidalia - c:\program files\Vidalia Bundle\Vidalia\vidalia.exe
HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe
HKLM-Run-salumibudi - c:\windows\system32\boserote.dll
MSConfigStartUp-Cleanup - c:\docume~1\Owner\LOCALS~1\Temp\2007517193253_mcappins.exe
MSConfigStartUp-msci - c:\docume~1\Owner\LOCALS~1\Temp\2007517193245_mcinfo.exe
MSConfigStartUp-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
MSConfigStartUp-MySpaceIM - c:\program files\MySpace\IM\MySpaceIM.exe
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\mwsoemon.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
TCP: {89240DEC-04FA-4E9B-88CE-5E910643F795} = 192.168.1.1,68.238.112.12
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\coko014g.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 18:46:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-05 18:48:11
ComboFix-quarantined-files.txt  2008-12-05 23:47:09

Pre-Run: 66,985,668,608 bytes free
Post-Run: 66,962,358,272 bytes free

417   --- E O F ---   2008-11-12 17:17:08
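An added triage helper, written for this edit and not part of the thread, of ComboFix or of any tool shown in the logs: it scans ComboFix-style log text for a few of the indicators visible in the output posted above, namely Security Center "DisableNotify" values set to 1 (which suppress the warnings a user would otherwise see), drivers or services and autostart entries whose binaries live under a user's Temp directory, raw-IP entries in the BITS "Possible infected sites" block, and a non-zero hidden-file count from the catchme pass. The sample log below is constructed from lines modeled on the posted output, and the regular expressions describing ComboFix's line layout are this example's assumptions about that layout, not a documented format.

```python
"""Triage helper for ComboFix-style log excerpts (added example, not ComboFix code)."""
import re
from typing import List, Tuple

# Temp directories in the 8.3 and long forms ComboFix prints (assumed layout).
TEMP_DIR = re.compile(r"\\(locals~1|local settings)\\temp\\", re.IGNORECASE)
# Security Center values that hide the AV / firewall / update warnings when set to 1.
SC_KEYS = ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify")
# Autostart record prefixes as they appear in the "ORPHANS REMOVED" block.
# Note: MSConfigStartUp entries are items disabled via msconfig, so they are
# "review" findings rather than proof of something currently running.
AUTOSTART_PREFIX = re.compile(r"^(HKLM-Run|HKCU-Run|BHO|MSConfigStartUp)-", re.IGNORECASE)
# Driver/service lines: "R1 name;display;path [date size]" / "S3 name;display;path []".
SERVICE_LINE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<path>.+?)\s*\[")
# Raw-IP URLs; "hxxp" is ComboFix's defanged form of "http".
RAW_IP_URL = re.compile(r"^hxxps?://\d{1,3}(?:\.\d{1,3}){3}\b", re.IGNORECASE)
HIDDEN_FILES = re.compile(r"^hidden files:\s*(\d+)")

def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (indicator, evidence) pairs, in log order, for suspicious lines."""
    findings: List[Tuple[str, str]] = []
    section = None  # registry key of the block we are currently inside
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            section = None  # ComboFix separates registry blocks with blank lines
            continue
        if line.startswith("["):
            section = line.lower()
            continue
        if section and "security center" in section:
            m = re.match(r'"(\w+)"=dword:0*1$', line)
            if m and m.group(1) in SC_KEYS:
                findings.append(("security_center_notify_disabled", m.group(1)))
        if AUTOSTART_PREFIX.match(line) and TEMP_DIR.search(line):
            findings.append(("autostart_from_temp", line))
        m = SERVICE_LINE.match(line)
        if m and TEMP_DIR.search(m.group("path")):
            findings.append(("driver_from_temp", m.group("name").strip()))
        if RAW_IP_URL.match(line):
            findings.append(("bits_raw_ip_url", line))
        m = HIDDEN_FILES.match(line)
        if m and int(m.group(1)) > 0:
            findings.append(("catchme_hidden_files", m.group(1)))
    return findings

# Constructed sample, modeled on the ComboFix output posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-09 111184]
S3 AMDMSRIO;AMDMSRIO;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys []
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-salumibudi - c:\windows\system32\boserote.dll
MSConfigStartUp-Cleanup - c:\docume~1\Owner\LOCALS~1\Temp\2007517193253_mcappins.exe

----- BITS: Possible infected sites -----

hxxp://77.74.48.101

hidden files: 1
"""

if __name__ == "__main__":
    for indicator, evidence in triage(SAMPLE_LOG):
        print(f"{indicator:32} {evidence}")
```

The helper deliberately flags only indicators that are unambiguous from the text itself. Entries such as the random-looking DLL names in the orphan list (a `Run` value or BHO pointing at a bare DLL in system32) are left to the analyst, because distinguishing them from legitimate DLL autostarts such as a display driver's control panel requires a whitelist the log does not carry.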

NeilM

  • Guest
Re: Virus not going away
« Reply #43 on: December 06, 2008, 03:08:37 AM »
FreewheelinFrank, finally got it to run (didn't work the first 2 tries). Here is my log:

ComboFix 08-12-05.02 - Neil 2008-12-05 20:48:54.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.748 [GMT -5:00]
Running from: c:\sysi\ComboFix.exe
Command switches used :: c:\sysi\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Neil\Application Data\MCROSO~1.NET
c:\documents and settings\Neil\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\Common Files\{38C16~1
c:\program files\Common Files\{F8C16~1
c:\program files\Common Files\uninstall information
c:\temp\tn3
c:\windows\system32\bgocoyvv.ini
c:\windows\system32\CMMGR32.EXE
c:\windows\system32\dobe~1
c:\windows\system32\dobe~1\?dobe\
c:\windows\system32\xbadd.bak1
c:\windows\system32\xbadd.ini

----- BITS: Possible infected sites -----

hxxp://77.74.48.101
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_COM+_MESSAGES
-------\Legacy_NPF


(((((((((((((((((((((((((   Files Created from 2008-11-06 to 2008-12-06  )))))))))))))))))))))))))))))))
.

2008-12-05 10:13 . 2008-12-05 10:13   <DIR>   d--------   c:\windows\system32\CatRoot_bak
2008-12-05 09:44 . 2008-12-05 09:44   <DIR>   d--------   C:\New Folder
2008-12-03 00:50 . 2008-12-03 00:50   <DIR>   d--------   C:\VundoFix Backups
2008-12-02 01:09 . 2008-12-02 01:09   <DIR>   d--------   c:\program files\Trend Micro
2008-12-01 18:18 . 2008-12-01 18:18   192,007   --a------   c:\windows\system32\g25.exe
2008-12-01 18:18 . 2008-12-01 18:18   47,598   --a------   c:\windows\system32\vfdnlmlafinitgcdy.exe
2008-11-25 11:41 . 2008-11-25 11:41   <DIR>   d--------   c:\program files\PhotoME
2008-11-25 11:41 . 2008-11-25 11:41   <DIR>   d--------   c:\documents and settings\All Users\Application Data\PhotoME
2008-11-17 14:42 . 2008-11-17 14:42   <DIR>   d--------   c:\windows\system32\Dell
2008-11-17 14:42 . 2008-11-17 14:42   <DIR>   d--------   c:\program files\Dell
2008-11-16 23:51 . 2008-11-20 12:10   <DIR>   d--------   c:\program files\processing-0156
2008-11-14 09:50 . 2008-11-14 09:50   <DIR>   d--------   c:\windows\system32\QuickTime
2008-11-14 09:50 . 2008-11-14 09:50   <DIR>   d--------   c:\program files\Common Files\TechSmith Shared
2008-11-14 09:50 . 2008-11-14 09:50   <DIR>   d--------   c:\documents and settings\All Users\Application Data\TechSmith
2008-11-14 09:49 . 2008-11-14 09:50   <DIR>   d--------   c:\program files\Camtasia Studio

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 01:54   ---------   d-----w   c:\program files\PeerGuardian2
2008-12-06 01:53   ---------   d-----w   c:\documents and settings\Neil\Application Data\WTablet
2008-12-05 14:18   ---------   d-----w   c:\program files\SUPERAntiSpyware
2008-12-05 14:05   ---------   d-----w   c:\program files\Firefox
2008-12-04 15:40   ---------   d-----w   c:\documents and settings\LocalService\Application Data\WTablet
2008-12-03 18:35   ---------   d-----w   c:\documents and settings\Neil\Application Data\TmpRecentIcons
2008-12-03 17:41   ---------   d-----w   c:\program files\Malwarebytes' Anti-Malware
2008-12-03 13:10   ---------   d-----w   c:\program files\Spybot
2008-12-03 09:18   ---------   d-----w   c:\program files\NNsquad
2008-12-01 15:47   ---------   d-----w   c:\program files\Trillian
2008-12-01 14:40   ---------   d-----w   c:\documents and settings\Neil\Application Data\OpenOffice.org2
2008-12-01 03:14   ---------   d-----w   c:\program files\Thunderbird
2008-11-24 17:37   ---------   d-----w   c:\program files\Yecho
2008-11-05 03:32   ---------   d-----w   c:\program files\Common Files\Adobe
2008-11-03 17:41   ---------   d-----w   c:\documents and settings\Neil\Application Data\uTorrent
2008-11-03 04:49   ---------   d-----w   c:\documents and settings\Neil\Application Data\Autodesk
2008-11-03 04:49   ---------   d-----w   c:\documents and settings\All Users\Application Data\Autodesk
2008-11-03 04:39   ---------   d-----w   c:\program files\Common Files\Autodesk Shared
2008-11-03 04:36   ---------   d-----w   c:\program files\Autodesk
2008-11-03 04:32   ---------   d-----w   c:\program files\Reference Assemblies
2008-11-03 03:37   ---------   d-----w   c:\program files\NaturalMotion
2008-11-03 03:23   ---------   d-----w   c:\program files\7-Zip
2008-10-28 02:11   ---------   d-----w   c:\program files\Steam
2008-10-27 02:32   ---------   d-----w   c:\program files\XUL Explorer
2008-10-26 04:15   ---------   d-----w   c:\documents and settings\Neil\Application Data\XULExplorer
2008-10-22 21:10   38,496   ----a-w   c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 21:10   15,504   ----a-w   c:\windows\system32\drivers\mbam.sys
2008-10-20 11:22   ---------   d-----w   c:\program files\Apple Software Update
2008-10-20 03:03   ---------   d-----w   c:\program files\iTunes
2008-10-20 03:03   ---------   d-----w   c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-20 03:01   ---------   d-----w   c:\program files\iPod
2008-10-20 02:57   ---------   d-----w   c:\program files\Bonjour
2008-10-20 02:55   ---------   d-----w   c:\program files\QuickTime
2008-10-20 02:54   ---------   d-----w   c:\program files\Common Files\Apple
2008-10-15 02:18   ---------   d-----w   c:\program files\Brother
2008-10-15 02:17   ---------   d--h--w   c:\program files\InstallShield Installation Information
2008-10-15 02:14   ---------   d-----w   c:\program files\Nuance
2008-10-15 02:14   ---------   d-----w   c:\program files\Common Files\ScanSoft Shared
2008-10-15 02:14   ---------   d-----w   c:\documents and settings\All Users\Application Data\ScanSoft
2008-10-15 02:14   ---------   d-----w   c:\documents and settings\All Users\Application Data\InstallShield
2008-10-15 02:13   ---------   d-----w   c:\program files\ScanSoft
2008-10-15 02:12   ---------   d-----w   c:\documents and settings\All Users\Application Data\Brother
2008-10-12 16:07   ---------   d-----w   c:\documents and settings\Neil\Application Data\Notepad++
2008-10-12 15:52   ---------   d-----w   c:\program files\Notepad++
2008-10-12 14:18   ---------   d-----w   c:\program files\Common Files\AliasWavefront Shared
2008-10-12 14:15   ---------   d--h--w   c:\program files\Zero G Registry
2008-10-12 13:41   ---------   d-----w   c:\program files\backburner 2
2007-01-16 17:47   87,608   ----a-w   c:\documents and settings\Neil\Application Data\ezpinst.exe
2007-01-16 17:47   47,360   ----a-w   c:\documents and settings\Neil\Application Data\pcouffin.sys
2008-08-28 11:28   32,768   --sha-w   c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082820080829\index.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@="{30351346-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 11:35   536576   --a------   c:\program files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@="{30351347-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 11:35   536576   --a------   c:\program files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@="{30351348-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 11:35   536576   --a------   c:\program files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@="{3035134B-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 11:35   536576   --a------   c:\program files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@="{3035134C-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 11:35   536576   --a------   c:\program files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@="{3035134D-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 11:35   536576   --a------   c:\program files\TortoiseSVN\bin\tortoisesvn.dll


NeilM

  • Guest
Re: Virus not going away
« Reply #44 on: December 06, 2008, 03:09:06 AM »
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@="{3035134E-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 11:35   536576   --a------   c:\program files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2006-12-06 1294336]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]
"SpybotSD TeaTimer"="c:\program files\Spybot\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Versato"="c:\program files\MagicKey\MagicKey.exe" [2001-05-03 135168]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-10-22 7700480]
"NNma"="c:\program files\NNsquad\nnma.exe" [2008-05-26 999479]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-02-19 1089536]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-12-21 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 c:\windows\system32\nvmctray.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Connection Manager.lnk - c:\program files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\wirelesscm.exe [2008-09-15 29290496]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-09-28 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2006-10-19 09:12 258048 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll
"VIDC.VQS4"= vqs4dec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RaySat_3dsmax7Server"=2 (0x2)
"mi-raysat_3dsmax8"=2 (0x2)
"maya70docserver"=2 (0x2)
"AWHelpServer"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\FileZilla\\FileZilla.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\VirtualCanada\\VirtualCanadaVirtuel.exe"=
"c:\\Program Files\\Crazybump\\CrazyBump.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Firefox\\firefox.exe"=
"c:\\Program Files\\NNsquad\\nnma.exe"=
"c:\\Program Files\\Brother\\Brmfl08g\\FAXRX.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2009\\3dsmax.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6551:UDP"= 6551:UDP:SmartCheck
"67:UDP"= 67:UDP:DHCP Discovery Service
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
"54925:UDP"= 54925:UDP:BrotherNetwork Scanner
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-02 78416]
R1 hwinterface;hwinterface;c:\windows\system32\Drivers\hwinterface.sys [2006-01-08 3026]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2006-09-19 29184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-02 20560]
R2 SSIPDDP;SSIPDDP Parallel port device driver;\??\c:\windows\System32\DRIVERS\SSIPDDP.SYS [2005-09-09 55296]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2007-11-11 1373480]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\DRIVERS\jswscimd.sys [2008-09-15 57344]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
R3 WSIMD;wsimd Service;c:\windows\system32\DRIVERS\wsimd.sys [2008-09-15 57408]
S2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max Design 2009 32-bit 32-bit;"c:\program files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe" [2008-03-10 65536]
S3 DCamVQ110;VQ110 Digital Video Camera;c:\windows\system32\DRIVERS\VQ110.sys [2007-01-08 130224]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2003-01-30 18864]
S3 ezfa;EZF Advance Cable Driver N;c:\windows\system32\drivers\ezfa.sys [2004-12-25 25596]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\jswpsapi.exe [2008-09-15 356434]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]
S4 RaySat_3dsmax7Server;RaySat_3dsmax7 Server;c:\3dsmax7\mentalray\satellite\raysat_3dsmax7server.exe [2005-04-08 65536]

*Newly Created Service* - PGFILTER
.
Contents of the 'Scheduled Tasks' folder

2008-11-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - c:\windows\System32\mscoree.DLL
TCP: {7FAF96FE-4362-4BF3-891B-1DC3A1147511} = 204.101.251.1,204.101.251.2

c:\windows\Downloaded Program Files\iaplayer.dll - O16 -: {DB7BF79A-FC51-4B5A-92BC-A65731174380}
hxxp://www.beta.instantaction.com/download/iaplayer.cab
c:\windows\Downloaded Program Files\cab.inf
FireFox -: Profile - c:\documents and settings\Neil\Application Data\Mozilla\Firefox\Profiles\default.6w0\
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Firefox\plugins\npnul32.dll
FF -: plugin - c:\program files\Firefox\plugins\npqtplugin.dll
FF -: plugin - c:\program files\Firefox\plugins\npqtplugin2.dll
FF -: plugin - c:\program files\Firefox\plugins\npqtplugin3.dll
FF -: plugin - c:\program files\Firefox\plugins\npqtplugin4.dll
FF -: plugin - c:\program files\Firefox\plugins\npqtplugin5.dll
FF -: plugin - c:\program files\Firefox\plugins\npVizible Player.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\TGEBrowser\np3DPlugin.dll
FF -: plugin - c:\program files\Yecho\np3DYecho.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 20:53:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\_av_proI.tm~a02152\setup.lok 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1292)
c:\windows\WlanGINA\Version\1.0.4.0\WlanGINA.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.