Malware: Spyware Guard 2008
Comments
Log from Combofix
ComboFix 08-12-15.08 - Joanne 2008-12-16 19:28:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.501.256 [GMT 0:00]
Running from: c:\documents and settings\Joanne\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Joanne\Application Data\0200000015a0c49b509C.manifest
c:\documents and settings\Joanne\Application Data\0200000015a0c49b509O.manifest
c:\documents and settings\Joanne\Application Data\0200000015a0c49b509P.manifest
c:\documents and settings\Joanne\Application Data\0200000015a0c49b509S.manifest
c:\documents and settings\Joanne\Application Data\u155.exe
c:\documents and settings\Joanne\Application Data\windll32.exe
C:\mimic.log
c:\windows\GnuHashes.ini
c:\windows\system32\feecebdfcdafdb.dll
c:\windows\system32\GroupPolicy000.dat
c:\windows\system32\GroupPolicyManifest
c:\windows\system32\GroupPolicyManifest\1.music.mp3
c:\windows\system32\GroupPolicyManifest\1.music.mp3.kwd
c:\windows\system32\GroupPolicyManifest\2.crack.zip
c:\windows\system32\GroupPolicyManifest\2.crack.zip.kwd
c:\windows\system32\GroupPolicyManifest\3.video.zip
c:\windows\system32\GroupPolicyManifest\3.video.zip.kwd
c:\windows\system32\GroupPolicyManifest\4.setup.zip
c:\windows\system32\GroupPolicyManifest\4.setup.zip.kwd
c:\windows\system32\GroupPolicyManifest\5.unpack.zip
c:\windows\system32\GroupPolicyManifest\5.unpack.zip.kwd
c:\windows\system32\GroupPolicyManifest\6.limepro.zip
c:\windows\system32\GroupPolicyManifest\6.limepro.zip.kwd
c:\windows\system32\GroupPolicyManifest\7.keygen.zip
c:\windows\system32\GroupPolicyManifest\7.keygen.zip.kwd
c:\windows\system32\GroupPolicyManifest\8.mpgvideo.mpg
c:\windows\system32\GroupPolicyManifest\8.mpgvideo.mpg.kwd
H:\Autorun.inf
h:\recycler\autorun.inf
h:\recycler\desktop.ini
h:\recycler\Folder.htt
h:\recycler\info.exe
h:\recycler\protect.ed
h:\recycler\warning.bmp
.
((((((((((((((((((((((((( Files Created from 2008-11-16 to 2008-12-16 )))))))))))))))))))))))))))))))
.
2008-12-16 18:58 . 2008-12-16 18:58 0 --a------ c:\windows\nsreg.dat
2008-12-15 22:16 . 2008-12-15 22:16 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-15 21:16 . 2008-12-15 21:16 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-15 21:16 . 2008-12-15 21:16 <DIR> d-------- c:\documents and settings\Joanne\Application Data\Malwarebytes
2008-12-15 21:16 . 2008-12-15 21:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-15 21:16 . 2008-12-03 19:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-15 21:16 . 2008-12-03 19:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-15 20:31 . 2008-12-15 20:31 <DIR> d-------- c:\documents and settings\Administrator
2008-12-15 10:31 . 2008-12-15 11:07 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-12-15 10:31 . 2008-12-15 11:07 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-12-15 10:31 . 2008-12-15 11:07 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-12-15 10:31 . 2008-06-02 15:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-12-15 10:30 . 2008-12-16 18:13 <DIR> d-------- c:\program files\Spyware Doctor
2008-12-15 10:30 . 2008-12-15 10:30 <DIR> d-------- c:\documents and settings\Joanne\Application Data\PC Tools
2008-12-15 10:30 . 2008-12-16 19:26 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-15 10:29 . 2008-12-15 14:18 <DIR> d-------- c:\program files\Norton Security Scan
2008-12-15 10:29 . 2008-12-15 14:18 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2008-12-15 10:27 . 2008-12-16 17:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2008-12-15 09:37 . 2008-12-15 09:37 <DIR> d-------- c:\program files\Lavasoft
2008-12-15 09:37 . 2008-12-15 09:37 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-15 09:37 . 2008-12-15 09:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-15 09:19 . 2008-04-14 01:11 21,504 --a------ c:\windows\system32\hidserv.dll
2008-12-15 09:19 . 2008-04-14 01:11 21,504 --a--c--- c:\windows\system32\dllcache\hidserv.dll
2008-12-15 09:19 . 2008-04-13 19:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-12-15 09:19 . 2008-04-13 19:39 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2008-12-15 09:19 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-12-15 09:19 . 2001-08-17 13:48 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2008-12-15 09:18 . 2008-04-13 19:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2008-12-15 09:18 . 2008-04-13 19:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2008-12-12 14:05 . 2008-12-12 14:05 165 --a------ C:\log.udt
2008-12-06 21:48 . 2008-12-06 21:48 373,760 --ahs---- c:\windows\system32\30.tmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-15 14:18 --------- d-----w c:\program files\ZTE Mobile Connection
2008-12-15 11:33 --------- d-----w c:\program files\iTunes
2008-12-15 10:27 --------- d-----w c:\program files\Google
2008-12-15 09:33 --------- d-----w c:\documents and settings\Joanne\Application Data\alot
2008-12-14 16:14 --------- d-----w c:\program files\Java
2008-12-13 22:32 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-13 22:01 --------- d-----w c:\documents and settings\Joanne\Application Data\LimeWire
2008-12-12 14:02 --------- d-----w c:\program files\Creative
2008-12-03 13:34 --------- d-----w c:\program files\LimeWire
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 22:13 --------- d-----w c:\documents and settings\Joanne\Application Data\Apple Computer
2008-10-22 21:10 --------- d-----w c:\program files\iPod
2008-10-22 21:10 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-22 20:55 --------- d-----w c:\program files\Safari
2008-10-21 12:04 --------- d-----w c:\program files\Microsoft Silverlight
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-30 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-14 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"five Media Manager Tray"="c:\program files\Entriq\MediaSphere\EntriqMediaTray.exe" [2008-05-21 368640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 c:\windows\RTHDCPL.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9e.exe" [2007-11-21 218496]
c:\documents and settings\Joanne\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
S0 bb878924ffc231c8a2970eb2d07c9daa;bb878924ffc231c8a2970eb2d07c9daa;c:\windows\system32\bb878924ffc231c8a2970eb2d07c9daa.sys []
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-15 356920]
.
Contents of the 'Scheduled Tasks' folder
2008-10-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -
Notify-a0ef59e1509 - c:\windows\System32\dimsntfy32.dll
.
Supplementary Scan
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
.
.
File Associations
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-16 19:31:46
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Other Running Processes
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-16 19:34:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-16 19:34:29
Pre-Run: 57,545,428,992 bytes free
Post-Run: 57,781,932,032 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
h:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
184 --- E O F --- 2008-12-13 22:32:26
0 -
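The log above contains the three things a helper reads first: a hidden+system file dropped loose in system32 (`30.tmp`, attributes `--ahs----`), a boot-start (`S0`) driver service with a 32-hex-character name and no file date or size in the brackets, and `autorun.inf` files on the H: drive. The script below is an added example for this page, not ComboFix's own code and not part of the original post: it parses a constructed excerpt (lines copied from the log above, with one clean file and one clean service left in as negative controls) and applies those three heuristics. The thresholds (two or more service red flags, 16+ hex characters) are this example's own assumptions.

```python
"""Triage of ComboFix log lines for the indicators seen in this thread.

Added example for this page; it is not ComboFix's own code and not part of
the original post. The excerpt below is constructed from lines copied out
of the log above; the three heuristics are this example's own assumptions
about what an experienced helper looks for first.
"""
import re
from typing import Dict, List

# Constructed excerpt: lines copied from the ComboFix log posted above,
# with one clean file and one clean service kept in as negative controls.
SAMPLE_LOG = r"""
2008-12-15 21:16 . 2008-12-03 19:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-06 21:48 . 2008-12-06 21:48 373,760 --ahs---- c:\windows\system32\30.tmp
S0 bb878924ffc231c8a2970eb2d07c9daa;bb878924ffc231c8a2970eb2d07c9daa;c:\windows\system32\bb878924ffc231c8a2970eb2d07c9daa.sys []
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-15 356920]
H:\Autorun.inf
h:\recycler\autorun.inf
h:\recycler\info.exe
"""

# "<created> . <modified> <size|<DIR>> <9 attribute flags> <path>"
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$"
)
# "<start type> <name>;<display name>;<image path> [<date size>]"
SERVICE_LINE = re.compile(
    r"^(?P<start>S[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<info>[^\]]*)\]$"
)
HEX_NAME = re.compile(r"^[0-9a-f]{16,}$")        # basename is nothing but hex
AUTORUN = re.compile(r"\\autorun\.inf$", re.IGNORECASE)


def triage(log: str) -> List[Dict[str, str]]:
    """Return one {path, reason} record per line worth a second look."""
    findings: List[Dict[str, str]] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = FILE_LINE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            # hidden + system on a loose file under system32 is how droppers
            # keep a payload out of Explorer's default view (the 30.tmp case)
            if "h" in attrs and "s" in attrs and "\\system32\\" in path.lower():
                findings.append({"path": path, "reason": "hidden+system file in system32"})
            continue

        m = SERVICE_LINE.match(line)
        if m:
            path = m.group("path")
            base = path.lower().rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            reasons = []
            if m.group("start") == "S0":
                reasons.append("boot-start driver")            # loads before any AV
            if not m.group("info"):
                reasons.append("no file date/size recorded")   # image missing or hidden
            if HEX_NAME.match(base):
                reasons.append("random hex filename")
            # any one of these is normal on its own; two together is not
            if len(reasons) >= 2:
                findings.append({"path": path, "reason": "; ".join(reasons)})
            continue

        if AUTORUN.search(line):
            findings.append({"path": line, "reason": "autorun.inf on a drive (removable-drive worm)"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']:<60} {f['path']}")
```

Run it as-is and it lists `30.tmp`, the `bb878924…` driver and both `autorun.inf` entries while staying silent on `mbam.sys` and the PC Tools service; point `triage()` at a whole saved ComboFix log to get the same short list for a real case.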
Thanks for the log.
Please install HijackThis; hopefully it should work.
Please do the following...
1. Download Flash_Disinfector.exe by sUBs and save it to your desktop.
- Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
- The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
- Wait until it has finished scanning and then exit the program.
- Reboot your computer when done.
2. Run HijackThis and click on Open the Misc Tools section.
Click on delete a file on reboot...
Copy and paste the following into the "File name:" text box and then click Open:
c:\windows\system32\30.tmp
When you are asked "Do you want to restart your computer now?", click NO.
Repeat these steps for the following file(s) and this time, when you reach the end, click OK:
c:\windows\system32\bb878924ffc231c8a2970eb2d07c9daa.sys
Your PC MUST reboot to delete the files!
3. Please do an online scan with Kaspersky WebScanner
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky; click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
- The program will launch and then begin downloading the latest definition files.
- Once the files have been downloaded click on NEXT
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
- Scan Options:
Scan Mail Bases
- Click OK
- Now under select a target to scan:-
Select
- The program will start and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
- Now click on the Save Report As button:
- Change Save as type: to Text file
- Save this as Kaspersky scan to your Desktop
0 -
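Step 1 above relies on a simple filesystem fact: a drive root can hold either a file or a directory named `autorun.inf`, never both, so once a directory of that name exists an autorun worm's attempt to drop its `autorun.inf` file fails. The example below is added for this page and is not Flash_Disinfector's code; it reproduces that idea on a temporary directory standing in for the root of a removable drive, plus a check function that tells an immunised root from an infected one. The worm's `autorun.inf` content is a constructed sample (its `recycler\info.exe` target mirrors the file ComboFix deleted from H: above, the rest is assumed), and the Windows attributes (hidden/system/read-only) that real immunisers also set on the directory are skipped so the example runs on any platform.

```python
"""Why an autorun.inf *directory* blocks an autorun worm, as an added example.

Not Flash_Disinfector's own code. A temporary directory plays the role of a
removable drive's root; the hidden/system/read-only attributes a real
immuniser sets are assumed and omitted so this runs on any platform.
"""
import tempfile
from pathlib import Path

# Constructed sample of the autorun.inf such worms drop. The target path
# mirrors h:\recycler\info.exe from the log above; the content is assumed.
WORM_AUTORUN = (
    "[autorun]\r\n"
    "open=recycler\\info.exe\r\n"
    "shell\\open\\command=recycler\\info.exe\r\n"
)


def inspect_root(root: Path) -> str:
    """Classify a drive root as 'immunised', 'infected', 'clean' or 'absent'."""
    p = root / "autorun.inf"
    if p.is_dir():
        return "immunised"          # the blocking directory is in place
    if p.is_file():
        text = p.read_text(errors="replace").lower()
        # any autorun.inf that launches something from the drive is hostile;
        # a benign one (icon=, label=) would only carry cosmetics
        return "infected" if ("open=" in text or "shellexecute=" in text) else "clean"
    return "absent"


def immunise(root: Path) -> bool:
    """Create the blocking directory. False if an autorun.inf file is in the way."""
    p = root / "autorun.inf"
    if p.is_file():
        return False                # scan and remove the existing file first
    p.mkdir(exist_ok=True)
    return True


def worm_drop(root: Path) -> bool:
    """Simulate the worm writing its autorun.inf. True if the write succeeded."""
    try:
        with open(root / "autorun.inf", "w", newline="") as fh:
            fh.write(WORM_AUTORUN)
        return True
    except OSError:                 # IsADirectoryError on POSIX, PermissionError on Windows
        return False


def demo() -> dict:
    """Play the infect / clean / immunise / re-infect sequence and record each state."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        states = {"start": inspect_root(root)}
        states["first_drop"] = worm_drop(root)                   # clean drive: drop succeeds
        states["after_drop"] = inspect_root(root)
        states["immunise_while_infected"] = immunise(root)       # refused: file in the way
        (root / "autorun.inf").unlink()                          # what the cleanup step does
        states["immunise_after_clean"] = immunise(root)
        states["second_drop"] = worm_drop(root)                  # blocked by the directory
        states["end"] = inspect_root(root)
    return states


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:<25} {value}")
```

The order matters: `immunise()` refuses to run while an `autorun.inf` file is present, which is why the helper has the drive cleaned (and the machine rebooted) before anything else. On a real drive you would also clear the `recycler` folder the autorun pointed at, since the directory trick only stops the autorun entry point, not the payload already copied there.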
Sorry to borrow this thread, but I have an OEM install of Windows XP Home.
How do I check if I have the Recovery Console installed and, if necessary, can I install it anyway?
Flagellation, necrophilia and bestiality - Am I flogging a dead horse?
Any posts are my opinion and only that. Please read at your own risk.
0 -
I'm not sure how you check if the Recovery Console is installed, but usually with OEM computers/laptops they provide you with "Recovery Disks". This Microsoft page used to have info on Recovery Console, but it's changed somewhat.
0 -
So far Kaspersky has crashed halfway through downloading the definition files; I think I may have lost connection with the Internet.
0 -
Try again!
0 -
Bunnie1982 wrote: » Log from Combofix
[ComboFix log quoted in full; identical to the log posted above]
Interesting log..
Always follow the path of least resistance.
0 -
Kaspersky scan log - looks like my sister has been downloading things she shouldn't have:
KASPERSKY ONLINE SCANNER 7 REPORT Tuesday, December 16, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, December 16, 2008 17:52:49
Records in database: 1466314
Scan settings
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area: My Computer
C:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan statistics
Files scanned: 64397
Threat name: 9
Infected objects: 22
Suspicious objects: 0
Duration of the scan: 01:18:55
File name | Threat name | Threats count
C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\svhost2.exe | Infected: Trojan.Win32.Qhost.kng | 1
C:\Documents and Settings\All Users\Documents\My Music\spyprotector_install_9082.exe | Infected: Trojan-Downloader.Win32.FraudLoad.vees | 1
C:\Documents and Settings\Joanne\My Documents\LimeWire\Incomplete\T-3545425-jls.mp3 | Infected: Trojan-Downloader.WMA.GetCodec.r | 1
C:\Documents and Settings\Joanne\My Documents\LimeWire\Saved\already there jls.mp3 | Infected: Trojan-Downloader.WMA.GetCodec.r | 1
C:\Documents and Settings\Joanne\My Documents\LimeWire\Saved\beatles meadley jls MTV.mp3 | Infected: Trojan-Downloader.WMA.GetCodec.f | 1
C:\Documents and Settings\Joanne\My Documents\LimeWire\Saved\eoighen quigg.mp3 | Infected: Trojan-Downloader.WMA.GetCodec.r | 1
C:\Documents and Settings\Joanne\My Documents\LimeWire\Saved\million love songs jls.mp3 | Infected: Trojan-Downloader.WMA.GetCodec.c | 1
C:\Program Files\iTunes\already there jls.mp3 | Infected: Trojan-Downloader.WMA.GetCodec.r | 1
C:\Program Files\iTunes\million love songs jls.mp3 | Infected: Trojan-Downloader.WMA.GetCodec.c | 1
C:\Program Files\iTunes\T-3545425-alexandra burke unbreak my.mp3 | Infected: Trojan-Downloader.WMA.GetCodec.r | 1
C:\Program Files\iTunes\twist shout jls.wma | Infected: Trojan-Downloader.WMA.Wimad.n | 1
C:\Program Files\Windows Media Player\already there jls.mp3 | Infected: Trojan-Downloader.WMA.GetCodec.r | 1
C:\Program Files\Windows Media Player\sample playlists\twist shout jls.wma | Infected: Trojan-Downloader.WMA.Wimad.n | 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicyManifest\1.music.mp3.vir | Infected: Trojan-Downloader.WMA.GetCodec.r | 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicyManifest\2.crack.zip.vir | Infected: Trojan-Downloader.Win32.Agent.aseo | 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicyManifest\3.video.zip.vir | Infected: Trojan-Downloader.Win32.Agent.aseo | 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicyManifest\4.setup.zip.vir | Infected: Trojan-Downloader.Win32.Agent.aseo | 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicyManifest\5.unpack.zip.vir | Infected: Trojan-Downloader.Win32.Agent.aseo | 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicyManifest\6.limepro.zip.vir | Infected: Trojan-Downloader.Win32.Agent.aseo | 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicyManifest\7.keygen.zip.vir | Infected: Trojan-Downloader.Win32.Agent.aseo | 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_feecebdfcdafdb_.dll.zip | Infected: Worm.Win32.AutoRun.raz | 1
C:\WINDOWS\system32\dddaafbcaff.dll | Infected: Worm.Win32.AutoRun.ugf | 1
The selected area was scanned.
Just about to run HijackThis
0 -
HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:47:31, on 16/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Entriq\MediaSphere\EntriqMediaTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Entriq\MediaSphere\3.8.2.9\EntriqMediaServer.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [five Media Manager Tray] "C:\Program Files\Entriq\MediaSphere\EntriqMediaTray.exe" /CustomId:five
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204317382161
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204317442411
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
--
End of file - 7264 bytes
You have many infected music files, no doubt coming from LimeWire. I don't know the rules of this forum as I haven't looked at them, but all other anti-malware forums would refuse to help people who have illegal files on their computers.
This is just a heads up! Infected files are not worth the damage they cause your computer.
Anyway, please do the following....
1. Run HijackThis and click on Open the Misc Tools section.
Click on delete a file on reboot...
Copy and paste the following into the "File name:" text box and then click Open:
C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\svhost2.exe
When you are asked "Do you want to restart your computer now?", click NO.
Repeat these steps for the following file(s) and this time, when you reach the end, click OK:
C:\Documents and Settings\All Users\Documents\My Music\spyprotector_install_9082.exe
C:\Documents and Settings\Joanne\My Documents\LimeWire\Incomplete\T-3545425-jls.mp3
C:\Documents and Settings\Joanne\My Documents\LimeWire\Saved\already there jls.mp3
C:\Documents and Settings\Joanne\My Documents\LimeWire\Saved\beatles meadley jls MTV.mp3
C:\Documents and Settings\Joanne\My Documents\LimeWire\Saved\eoighen quigg.mp3
C:\Documents and Settings\Joanne\My Documents\LimeWire\Saved\million love songs jls.mp3
C:\Program Files\iTunes\already there jls.mp3
C:\Program Files\iTunes\million love songs jls.mp3
C:\Program Files\iTunes\T-3545425-alexandra burke unbreak my.mp3
C:\Program Files\iTunes\twist shout jls.wma
C:\Program Files\Windows Media Player\already there jls.mp3
C:\Program Files\Windows Media Player\sample playlists\twist shout jls.wma
C:\WINDOWS\system32\dddaafb caff.dll
Your PC MUST reboot to delete the files!
2. I don't see any indication of a Firewall in your HijackThis log. This may be because:
(1.) You are using Windows Firewall or a hardware Firewall.
(2.) You are using a Firewall of an unknown vendor.
(3.) You are using a Firewall, but it is disabled for unknown reasons.
(4.) You don't use any firewall at all.
In the case you don't have a Firewall, please download one from the list below - They are Free!
Comodo
Zone Alarm
Sunbelt Kerio PF
Outpost Firewall
Also, you don't seem to have an Anti-Virus on your computer...
AntiVir <-- I recommend this
AVG Free Edition
avast! 4 Home Edition
3. I need to see another log from HijackThis.
- Run Hijackthis.
- Click on Open the Misc Tools section.
- Next click on Open uninstall manager.
- Press the Save list button.
- Save the file to your desktop, with the default name of uninstall_list
- Copy & Paste the entire contents of that file in your next post.