Trojan removal
johnnytee
Posts: 315 Forumite
in Techie Stuff
Every time I run my anti-virus software (Avast, SuperAntiSpyware, Malwarebytes), it highlights this trojan on my system: 'trojan.spoolSV'. I bin it every time it's detected, but during the next scan it's picked up again. How can I remove this from my system? It appears to reside in the registry.
Comments
-
Having to guess you have Windows.
Try doing your scan in safe mode.
Do you have the link/path to the infected registry file?
-
It would help if you could post the logs so we can see EXACTLY where they are and what the files are called.
Also ~ if you haven't done already, update Malwarebytes and run a FULL scan then/or ~
Please run COMBOFIX
Follow the simple instructions it gives
Post the COMPLETE log it creates here (Split into sections if need be)
If it comes up with a RENAMING error then RIGHT click the exe file and RENAME and call it QWERTY (making the complete file name 'QWERTY.exe'), or SAVE as 'QWERTY' on download.
-
ComboFix 09-07-13.01 - johnny 14/07/2009 3:34.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.44.1033.18.703.301 [GMT -7:00]
Running from: c:\documents and settings\johnny\My Documents\Downloads\ComboFix.exe
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\johnny\Application Data\bcrypt.html
c:\recycler\S-1-5-21-0243336035-3055115375-381863305-1553
c:\recycler\S-1-5-21-0631834926-1489033653-365069575-7176
c:\recycler\S-1-5-21-9178295140-1810313391-842744357-1571
c:\windows\system32\_000003_.tmp.dll
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000010_.tmp.dll
c:\windows\system32\_000013_.tmp.dll
c:\windows\system32\_000014_.tmp.dll
c:\windows\system32\_000015_.tmp.dll
c:\windows\system32\_000018_.tmp.dll
c:\windows\system32\_000022_.tmp.dll
c:\windows\system32\test.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Legacy_BNDMSS
((((((((((((((((((((((((( Files Created from 2009-06-14 to 2009-07-14 )))))))))))))))))))))))))))))))
.
2009-07-14 10:29 . 2009-07-14 10:29 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-14 08:05 . 2004-10-28 18:06 201216 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-07-14 08:04 . 2005-10-20 22:33 991232 ----a-w- c:\windows\system32\esent.dll
2009-07-14 08:03 . 2005-09-01 01:49 16384 ----a-w- c:\windows\system32\linkinfo.dll
2009-07-14 08:02 . 2006-03-01 19:44 83456 ----a-w- c:\windows\system32\mtxoci.dll
2009-07-14 08:02 . 2006-03-01 19:44 64512 ----a-w- c:\windows\system32\mtxclu.dll
2009-07-13 15:05 . 2009-07-13 15:05 d-----w- c:\windows\system32\bits
2009-07-13 15:04 . 2009-07-14 09:39 d--h--w- c:\windows\$hf_mig$
2009-07-09 18:51 . 2009-07-09 20:58 d-----w- C:\WDM
2009-07-09 18:51 . 2009-07-09 18:51 d-----w- C:\VAS
2009-07-09 18:41 . 2009-07-09 18:41 d-----w- c:\documents and settings\johnny\Application Data\Malwarebytes
2009-07-09 18:41 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-09 18:40 . 2009-07-14 10:29 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-09 18:40 . 2009-07-13 20:36 18456 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-09 18:40 . 2009-07-09 18:40 d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-09 18:21 . 2004-07-01 22:08 7680 -c----w- c:\windows\system32\dllcache\bitsprx2.dll
2009-07-09 18:21 . 2004-07-01 22:08 7680 ----a-w- c:\windows\system32\bitsprx2.dll
2009-07-09 18:21 . 2004-07-01 22:08 7168 -c----w- c:\windows\system32\dllcache\bitsprx3.dll
2009-07-09 18:21 . 2004-07-01 22:08 7168 ----a-w- c:\windows\system32\bitsprx3.dll
2009-07-09 18:21 . 2004-07-01 22:08 361984 -c----w- c:\windows\system32\dllcache\qmgr.dll
2009-07-09 18:21 . 2004-07-01 22:08 331776 -c----w- c:\windows\system32\dllcache\winhttp.dll
2009-07-09 18:21 . 2004-07-01 22:08 331776 ----a-w- c:\windows\system32\winhttp.dll
2009-07-09 18:21 . 2004-07-01 22:08 17408 -c----w- c:\windows\system32\dllcache\qmgrprxy.dll
2009-07-09 18:21 . 2004-07-01 22:08 17408 ----a-w- c:\windows\system32\qmgrprxy.dll
2009-07-09 18:18 . 2008-10-16 21:13 202776 ----a-w- c:\windows\system32\wuweb.dll
2009-07-09 18:18 . 2008-10-16 21:12 323608 ----a-w- c:\windows\system32\wucltui.dll
2009-07-09 18:18 . 2008-10-16 21:12 561688 ----a-w- c:\windows\system32\wuapi.dll
2009-07-09 18:18 . 2008-10-16 21:08 34328 ----a-w- c:\windows\system32\wups.dll
2009-07-09 18:18 . 2004-08-03 21:03 186136 ----a-w- c:\windows\system32\wuaueng1.dll
2009-07-09 18:18 . 2004-08-03 21:01 167704 ----a-w- c:\windows\system32\wuauclt1.exe
2009-07-09 16:50 . 2009-07-09 18:07 d-----w- c:\windows\SxsCaPendDel
2009-07-09 16:38 . 2009-07-09 16:38 dc-h--w- c:\windows\$MSI30UninstallMSI30-KB884016$
2009-07-09 16:28 . 2009-07-09 16:33 d-----w- c:\documents and settings\johnny\Application Data\Spotify
2009-07-09 16:28 . 2009-07-09 16:29 d-----w- c:\documents and settings\johnny\Local Settings\Application Data\Spotify
2009-07-09 16:28 . 2009-07-09 16:28 d-----w- c:\program files\Spotify
2009-07-08 10:36 . 2009-07-09 16:44 d-----w- c:\documents and settings\All Users\Application Data\DriverCure
2009-07-08 10:36 . 2009-07-08 10:36 d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-07-07 18:02 . 2009-07-07 18:02 0 ----a-w- c:\windows\nsreg.dat
2009-07-07 18:02 . 2009-07-07 18:02 d-----w- c:\documents and settings\johnny\Local Settings\Application Data\Mozilla
2009-07-04 12:06 . 2009-07-04 12:06 d-----w- c:\documents and settings\johnny\Local Settings\Application Data\Help
2009-07-04 11:53 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-07-04 11:53 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-07-04 11:53 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-07-04 11:53 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-07-04 11:53 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-07-04 11:53 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-07-04 11:53 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-07-04 11:52 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-07-04 11:52 . 2003-03-18 19:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-07-04 11:52 . 2003-03-18 18:14 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2009-07-04 11:52 . 2003-02-21 02:42 348160 ----a-w- c:\windows\system32\MSVCR71.dll
2009-07-04 11:52 . 2009-07-04 11:52 d-----w- c:\program files\Alwil Software
2009-07-04 11:50 . 2009-07-04 16:43 d-----w- c:\documents and settings\johnny\Local Settings\Application Data\Google
2009-07-04 11:45 . 2009-07-04 11:52 d-----w- c:\program files\Google
2009-07-04 11:42 . 2009-07-04 11:42 d-----w- c:\program files\CCleaner
2009-07-04 11:06 . 2009-07-04 11:06 d-----w- c:\program files\ATI Technologies
2009-07-04 10:38 . 2009-07-04 10:38 d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-07-04 10:38 . 2009-07-04 10:38 d-----w- c:\program files\CyberLink
2009-07-04 10:37 . 2009-07-04 10:37 d-----w- c:\program files\Java
2009-07-04 10:37 . 2009-07-04 10:37 d-----w- c:\program files\Common Files\Java
2009-07-04 10:37 . 2009-07-04 10:37 d-----w- c:\documents and settings\johnny\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142030}
2009-07-04 09:34 . 2009-07-04 11:43 d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-04 09:34 . 2009-07-04 09:35 d-----w- c:\program files\Spybot - Search & Destroy
2009-07-04 09:28 . 2009-07-14 10:40 117760 ----a-w- c:\documents and settings\johnny\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-04 09:28 . 2009-07-04 09:28 d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-04 09:27 . 2009-07-04 09:27 d-----w- c:\program files\SUPERAntiSpyware
2009-07-04 09:27 . 2009-07-04 09:27 d-----w- c:\documents and settings\johnny\Application Data\SUPERAntiSpyware.com
2009-07-03 21:22 . 2003-09-26 00:41 44032 ----a-w- c:\windows\system32\drivers\bcm4sbxp.sys
2009-07-03 20:24 . 2004-07-22 12:50 1268234 ----a-w- c:\windows\system32\drivers\AGRSM.sys
2009-07-03 20:24 . 2004-07-22 11:38 88361 ----a-w- c:\windows\AGRSMMSG.exe
2009-07-03 20:24 . 2004-04-05 08:49 64512 ----a-w- c:\windows\agrsmdel.exe
2009-07-03 14:39 . 2009-07-03 14:39 13104 ----a-w- c:\documents and settings\johnny\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-03 14:37 . 2009-07-04 09:17 d-----w- c:\windows\system32\wbem\AutoRecover
2009-07-03 14:32 . 2009-07-09 20:58 d--h--w- c:\program files\InstallShield Installation Information
2009-07-03 14:31 . 2009-07-04 09:11 d-----w- c:\windows\peernet
2009-07-03 14:31 . 2009-07-03 14:31 d-----w- c:\windows\provisioning
2009-07-03 14:29 . 2009-07-09 22:24 d-----w- c:\program files\Common Files\InstallShield
2009-07-03 14:22 . 2002-05-14 19:08 20540 -c----w- c:\windows\system32\dllcache\admin.dll
2009-07-03 14:21 . 2005-08-22 18:36 154624 -c----w- c:\windows\system32\dllcache\netman.dll
2009-07-03 14:14 . 2004-10-16 01:32 14568 ----a-w- c:\windows\system32\drivers\wg6n.sys
2009-07-03 14:14 . 2004-10-16 01:32 14568 ----a-w- c:\windows\system32\drivers\wg5n.sys
2009-07-03 14:14 . 2004-10-16 01:32 14568 ----a-w- c:\windows\system32\drivers\wg4n.sys
2009-07-03 14:14 . 2004-10-16 01:32 14568 ----a-w- c:\windows\system32\drivers\wg3n.sys
2009-07-03 14:14 . 2004-10-16 01:18 21075 ----a-w- c:\windows\system32\drivers\wpsdrvnt.sys
2009-07-03 14:14 . 2004-10-16 01:17 60496 ----a-w- c:\windows\system32\drivers\Teefer.sys
2009-07-03 14:14 . 2004-10-16 01:32 83096 ----a-w- c:\windows\system32\SSSensor.dll
2009-07-03 14:13 . 2009-07-03 14:13 d-----w- c:\program files\Sygate
2009-07-03 14:12 . 2009-07-04 09:27 d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-03 13:44 . 2009-07-03 13:44 d-s---w- c:\documents and settings\johnny\UserData
2009-06-30 11:37 . 2009-06-30 11:37 d-s---w- c:\windows\system32\Microsoft
2009-06-30 11:27 . 2009-06-30 11:27 d-----w- c:\documents and settings\johnny\Application Data\MSN6
2009-06-30 11:27 . 2009-06-30 11:27 d-----w- c:\documents and settings\All Users\Application Data\MSN6
2009-06-30 11:24 . 2003-03-31 12:00 3584 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\USMT\iconlib.dll
2009-06-30 11:01 . 2003-03-31 12:00 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys
2009-06-30 11:00 . 2003-03-31 12:00 44032 -c--a-w- c:\windows\system32\dllcache\imekrmig.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-04 09:11 . 2009-06-30 10:59 70691 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-06-30 11:00 . 2009-06-30 11:00 d-----w- c:\program files\microsoft frontpage
2009-06-30 10:56 . 2009-06-30 10:56 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-06-24 14:37 . 2009-07-09 10:56 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.
Sigcheck
[-] 2004-08-04 06:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ip6fw.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\ctfmon.exe" [2003-03-31 13312]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-11-15 1670144]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-04 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-16 2577632]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2009-07-04 32881]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-03-17 32768]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-25 339968]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-07-04 122368]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-07-22 88361]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2003-03-31 13312]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [14/04/2004 00:52 5632]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [04/07/2009 04:53 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/06/2009 11:01 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23/06/2009 11:01 72944]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/06/2009 11:01 7408]
S3 DOSMEMIO;MEMIO;\??\d:\memio.sys --> d:\MEMIO.SYS [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [09/07/2009 11:41 38160]
.
Contents of the 'Scheduled Tasks' folder
.
.
Supplementary Scan
.
uStart Page = https://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
FF - ProfilePath - c:\documents and settings\johnny\Application Data\Mozilla\Firefox\Profiles\b2vgctu6.default\
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-14 03:40
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(612)
c:\windows\system32\ODBC32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
- - - - - - - > 'lsass.exe'(668)
c:\windows\System32\dssenh.dll
- - - - - - - > 'explorer.exe'(3524)
c:\windows\System32\msi.dll
c:\program files\Google\Quick Search Box\bin\1.2.1137.3514\qsb.dll
c:\windows\System32\SSSensor.dll
.
Other Running Processes
.
c:\windows\system32\ati2evxx.exe
c:\program files\Sygate\SPF\Smc.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
.
**************************************************************************
.
Completion time: 2009-07-14 3:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-14 10:43
Pre-Run: 24,790,491,136 bytes free
Post-Run: 24,908,873,728 bytes free
winxpsp1_en_hom_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
280 --- E O F --- 2009-07-14 09:43
-
Please open Malwarebytes and go to LOGS and post the logfile with the nasty in it.
-
OK, I'm posting two logs. One from a scan I did a few days ago, the other from today, which found nothing. This is from a few days ago:
Malwarebytes' Anti-Malware 1.38
Database version: 2399
Windows 5.1.2600 Service Pack 1
09/07/2009 12:04:48
mbam-log-2009-07-09 (12-04-48).txt
Scan type: Full Scan (C:\|)
Objects scanned: 105486
Time elapsed: 21 minute(s), 56 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BNDMSS (Trojan.Backdoor) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\32nfg94-h61-2sf-n1p-5m1erh6l6 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12cfg515-k641-55sf-n66p (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12cfg515-k641-55sf-n55p (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spooler SubSystem App (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556 (Backdoor.Bot) -> Quarantined and deleted successfully.
Files Infected:
c:\RECYCLER\s-1-5-21-0243636035-3055115376-381863306-1556\Desktop.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
This from today:
Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 1
14/07/2009 04:28:30
mbam-log-2009-07-14 (04-28-30).txt
Scan type: Full Scan (C:\|)
Objects scanned: 107607
Time elapsed: 29 minute(s), 34 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
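As an added example (not code from this thread or from Malwarebytes), a small Python parser for MBAM 1.3x logs of the kind posted above: it groups each detection by the persistence mechanism it represents (Run keys, services, RECYCLER SID folders) and compares two consecutive scans to list which paths came back, which is the symptom the original post describes. The two sample logs are constructed excerpts of the logs in this post; the section-header and detection-line layout is assumed from them, and the malformed-SID check is a heuristic of mine.

```python
import re
from collections import defaultdict

# Constructed excerpt of the first Malwarebytes log posted in this thread.
SCAN_1 = r"""Malwarebytes' Anti-Malware 1.38
Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BNDMSS (Trojan.Backdoor) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\32nfg94-h61-2sf-n1p-5m1erh6l6 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spooler SubSystem App (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556 (Backdoor.Bot) -> Quarantined and deleted successfully.
Files Infected:
c:\RECYCLER\s-1-5-21-0243636035-3055115376-381863306-1556\Desktop.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
"""
# Constructed excerpt of the second (clean) log posted in this thread.
SCAN_2 = r"""Malwarebytes' Anti-Malware 1.39
Registry Values Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
"""

SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")          # "Registry Keys Infected:"
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
SERVICE_RE = re.compile(r"\\Services\\", re.IGNORECASE)
RECYCLER_SID_RE = re.compile(r"^[a-z]:\\recycler\\(S-1-5-21(?:-\d+){4})", re.IGNORECASE)


def parse_mbam_log(text):
    """Return one dict (section, path, threat, action) per detection line."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            items.append({"section": section, **m.groupdict()})
    return items


def classify(item):
    """Map a detection to the persistence or hiding mechanism it represents."""
    path = item["path"]
    if RUN_KEY_RE.search(path):
        return "autostart: Run key"            # relaunched at every logon
    if SERVICE_RE.search(path):
        return "autostart: service/driver"     # loaded by the Service Control Manager
    m = RECYCLER_SID_RE.match(path)
    if m:
        # Windows renders SID sub-authorities from integers, so a real one never
        # has a leading zero; such a RECYCLER folder is not any user's bin.
        subauths = m.group(1).split("-")[4:]
        malformed = any(len(s) > 1 and s.startswith("0") for s in subauths)
        return "hiding spot: RECYCLER SID folder" + (" (malformed SID)" if malformed else "")
    return "other"


def summarize(text):
    """Group detections by mechanism -> sorted 'path [threat]' strings."""
    groups = defaultdict(list)
    for item in parse_mbam_log(text):
        groups[classify(item)].append(f"{item['path']} [{item['threat']}]")
    return {k: sorted(v) for k, v in groups.items()}


def redetected(first_log, second_log):
    """Paths reported in both scans: the removal did not hold, something restores them."""
    first = {i["path"].lower() for i in parse_mbam_log(first_log)}
    second = {i["path"].lower() for i in parse_mbam_log(second_log)}
    return sorted(first & second)
```

An empty result from redetected() for the MBAM pair, as here, only says MBAM no longer sees those paths; a different scanner (SAS in this thread) can still flag the same machine, so the comparison is worth running across every log that gets posted.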
-
I'd suggest running the Kaspersky online scan Jaffa posted next. Post the complete log from that and I'll peruse the ComboFix log proper at some point.
Once you're clean, the next thing you need to do is update to SERVICE PACK 2 (NOT before your machine's clean though, else you might kill it).
-
Update: I ran the online Kaspersky scan. It picked up zilch. Ditto Malwarebytes. However, SuperAntiSpyware picked it up again.
-
Please go to console and LOGS in SAS and post the log it created.
This discussion has been closed.