#1
help my pc please?

Hello everyone.

Recently I found out that my PC was infected with some things, like icthis.exe. I was told by a friend to download and run "combofix" and then get HijackThis, and get a log file for both. He then said to post the logs here, because he was not going to be able to finish helping me out. So could you please take a look and see if there is still more junk that I need to get rid of?

ComboFix 08-01-20.1 - Rita 2008-01-19 22:44:38.1 - NTFSx86
Running from: C:\PC-protection\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Video Add-on
C:\Program Files\Video Add-on\icmntr.exe
C:\Program Files\Video Add-on\icthis.exe
C:\Program Files\Video Add-on\ictmdl.dll
C:\Program Files\Video Add-on\ictun.exe
C:\Program Files\Video Add-on\icun.exe
C:\Program Files\Video Add-on\isfmdl.dll
C:\Program Files\Video Add-on\isfmm.exe
C:\Program Files\Video Add-on\isfmntr.exe
C:\Program Files\Video Add-on\isfun.exe
C:\Program Files\Video Add-on\ot.ico
C:\Program Files\Video Add-on\ts.ico
C:\Program Files\Video Add-on\uninst.exe
C:\WINDOWS\system32\qhcvdw.dll
.
((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
.
2008-01-19 22:37 . 2008-01-19 22:37 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-19 22:30 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-19 22:28 . 2008-01-19 22:28 <DIR> d-------- C:\VundoFix Backups
2008-01-19 21:58 . 2008-01-19 21:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2008-01-11 19:43 . 2008-01-19 22:02 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-11 19:09 . 2008-01-11 19:10 <DIR> d-------- C:\Program Files\WinSpyKiller
2008-01-11 02:02 . 2008-01-11 02:02 <DIR> d-------- C:\Program Files\VirusProtect 3.9
2008-01-11 00:47 . 2008-01-11 01:24 45 --a------ C:\tmp.bat
2007-12-29 16:47 . 2007-12-29 16:48 <DIR> d-------- C:\Program Files\QuickTime
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-20 02:54 --------- d-----w C:\Program Files\McAfee
2008-01-20 02:53 --------- d-----w C:\Program Files\OneStepSearch
2007-12-30 19:52 --------- d--h--r C:\Documents and Settings\Rita\Application Data\yahoo!
2007-12-28 00:13 --------- d-----w C:\Documents and Settings\Rita\Application Data\iMesh
2007-11-23 05:40 --------- d-----w C:\Program Files\MalwareAlarm
2007-11-23 04:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-23 04:43 --------- d-----w C:\Program Files\Common Files\McAfee
2007-11-23 04:36 --------- d-----w C:\Program Files\McAfee.com
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA0BACB5-FC95-451E-94D2-4959AB0949D2}]
C:\Program Files\Video Add-on\isfmdl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RamBooster"="C:\Program Files\RamBooster 2.0\Rambooster.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 04:04 1415824]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-01 20:11 4670968]
"MalwareAlarm"="C:\Program Files\MalwareAlarm\MalwareAlarm.exe" [2007-11-11 08:26 0]
"WinSpyKiller"="C:\Program Files\WinSpyKiller\WinSpyKiller.exe" [2008-01-11 19:10 432128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RAMBooster.Net"="C:\Program Files\RAMBooster.Net\RAMBooster.exe" [ ]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe " [2001-07-09 13:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 05:48 36975]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-29 16:48 286720]

C:\Documents and Settings\Rita\Start Menu\Programs\Startup\
MRU-Blaster Silent Clean.lnk - C:\PC-protection\MRU-Blaster\mrublaster.exe [2004-03-28 18:07:48 1216512]

*Newly Created Service* - PROCEXP90
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-19 23:03:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-19 23:10:43
ComboFix-quarantined-files.txt 2008-01-20 04:10:35
.
2008-01-10 19:42:48 --- E O F ---
*********************************************************

Sorry, edit here: I just saw the sticky about posting HijackThis logs, so I will leave that out unless you need it.

Last edited by echohelper08; January 20th, 2008 at 05:48 AM.
#2
icethis.exe subject
You have a trojan virus that seems to be your culprit. If you can, download the icthis.exe Remover from this web site, from here; this should help. The website is "icthis.exe-guide.com", which should help, or type icthis.exe in your browser and it's the first one on the list. Good luck.
#3
@grumpydriver43
Being a new member here, please familiarize yourself with the guidelines here regarding posting in the Cyber Safety Forum. Thank you.

~~~~~~~~~

Echohelper08, welcome to CTH.

Specialized tools like Combofix are not meant to be used unless you know how to use them and what they address, or else more problems may arise. Combofix removed a Smitfraud infection but there is more showing in your report. Let's have another look; please download HijackThis from here. Click on the downloaded file to run it and select "Do a system scan and save a logfile". Use copy/paste and post back here the log it creates for review.

~~~~~~~~~~~

I would also like to see another kind of scan. Go here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your AV queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete. Copy the log from the Startup Programs file back here.

Please post back the HijackThis log and the Silent Runners log.
#4
Hey Morfeasss,

Thanks for the help. I'm sorry it took so long; we had our internet down for a while. Here are the logs you asked for.

HiJack This

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:29:18 PM, on 1/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\WScript.exe
C:\Documents and Settings\Rita\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - Aæ - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {474597C5-AB09-49d6-A4D5-2E8D7341384E} - (no file)
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
O2 - BHO: (no name) - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - @æ - (no file)
O2 - BHO: (no name) - ¨æ - (no file)
O2 - BHO: (no name) - Ð@æ - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.updatesgate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.updatesgate.com/redirect.php (file missing)
O16 - DPF: Yahoo! Poker -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} -
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: McAfee Application Installer Cleanup (0271141200800174) (0271141200800174mcinstcleanup) - Unknown owner - C:\DOCUME~1\Rita\LOCALS~1\Temp\027114~1.EXE (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

--
End of file - 3826 bytes

************************************

Silent Runners

"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"SUPERAntiSpyware" = "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]
"Yahoo! Pager" = ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet" ["Yahoo! Inc."]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
  \StubPath = "C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
  -> {HKLM...CLSID} = "YMailShellExt Class"
     \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
  -> {HKLM...CLSID} = "DriveLetterAccess"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["VERITAS Software, Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
  -> {HKLM...CLSID} = "History Band"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
  -> {HKLM...CLSID} = "SABShellExecuteHook Class"
     \InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
  -> {HKLM...CLSID} = "YMailShellExt Class"
     \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"ClassicShell" = (REG_DWORD) dword:0x00000000
{Enable Classic Shell / Turn on Classic Shell}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoCDBurning" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Rita\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssmypics.scr" [MS]


Enabled Scheduled Tasks:
------------------------

"XoftSpySE 2" -> launches: "C:\Program Files\XoftSpySE\XoftSpy.exe ShowReminders" ["ParetoLogic"]
"XoftSpySE" -> launches: "C:\Program Files\XoftSpySE\XoftSpy.exe -t" ["ParetoLogic"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{51085E3D-A958-42A2-A6BE-A6A9B0BAF276}\(Default) = "AT&&T Yahoo! Sidebar"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Yahoo!\browser\ysidebarIE.dll" ["Yahoo! Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{9034A523-D068-4BE8-A284-9DF278BE776E}\
"MenuText" = "IE Anti-Spyware"
"Exec" = "http://www.updatesgate.com/redirect.php" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

SupportSoft Sprocket Service (ddoctorv2), sprtsvc_ddoctorv2, ""C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe" /service /P ddoctorv2" ["SupportSoft, Inc."]


---------- (launch time: 2008-01-27 15:30:56)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 314 seconds, including 5 seconds for message boxes)
#5
Hello echohelper08,

These logs don't show much of infection, but your last Combofix report shows traces of unwanted programs. Combofix has been updated for some of them, so please delete the current copy of Combofix you have and download a fresh one from here and save it to your desktop.

Disable all protective software. (Important!)

Double click combofix.exe & follow the prompts. A window will open with a warning. Type "1" (and Enter) to start the fix. When the scan completes it will open a text window. Please copy/paste that log back here together with a new HijackThis log.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
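The judgement above ("don't show much of infection") comes from reading the HijackThis entries one section at a time: which registry points still reference files that are gone, which O2 entries carry garbage instead of a CLSID, which O9/O16 items launch a URL, which services cannot be attributed to an owner. The script below is an added example, not HijackThis code and not something the helper posted; it parses the R/F/O entry lines of a HijackThis v2 log and groups them by those criteria. The sample log is constructed from a handful of lines modeled on the log posted above, and the flag names and thresholds are my own.

```python
"""Triage helper for HijackThis v2 logs: group R/F/O entries by the signals a
log reader looks at first. Added example; not part of HijackThis."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample, modeled on the HijackThis log posted in this thread
# (a handful of lines only, including the damaged O2 entry and the O9 URL button).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - Aæ - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.updatesgate.com/redirect.php (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
"""

# Entry lines look like "O23 - <body>"; header lines and the process list do not.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    section: str                              # e.g. "O2", "O23"
    body: str                                 # text after "O2 - "
    flags: list[str] = field(default_factory=list)


def parse_log(text: str) -> list[Entry]:
    """Keep only the R/F/O entry lines of a HijackThis log."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def classify(entry: Entry) -> list[str]:
    """Return the (constructed) flag names that apply to one entry."""
    body = entry.body
    flags = []
    # Registry still points at a file that is gone: leftover of an uninstall or
    # of a half-finished cleanup. Harmless by itself, but it is what gets fixed.
    if "(no file)" in body or "(file missing)" in body:
        flags.append("orphaned")
    # A BHO entry is keyed by CLSID; anything else there is a damaged registry value.
    if entry.section == "O2" and not CLSID_RE.search(body):
        flags.append("malformed-clsid")
    # Toolbar buttons/menu items (O9) and downloaded objects (O16) that launch a
    # URL instead of a local file are worth a second look.
    if entry.section in ("O9", "O16") and re.search(r"https?://", body):
        flags.append("remote-url")
    # HijackThis prints "Unknown owner" when it cannot read the service binary's
    # company name; weak on its own, meaningful next to "(file missing)".
    if entry.section == "O23" and "Unknown owner" in body:
        flags.append("unknown-owner")
    return flags


def triage(text: str) -> dict[str, list[str]]:
    """Map each flag to the entry lines that raised it."""
    report: dict[str, list[str]] = {}
    for e in parse_log(text):
        e.flags = classify(e)
        for f in e.flags:
            report.setdefault(f, []).append(f"{e.section} - {e.body}")
    return report


def unflagged(text: str) -> list[str]:
    """Entries that raised nothing; the ones a log reader skips past."""
    return [f"{e.section} - {e.body}" for e in parse_log(text) if not classify(e)]


if __name__ == "__main__":
    for flag, lines in sorted(triage(SAMPLE_LOG).items()):
        print(f"[{flag}] {len(lines)} entries")
        for line in lines:
            print("   ", line)
    print("unflagged:", len(unflagged(SAMPLE_LOG)))
```

Run against the full log posted above, the "orphaned" bucket holds the eleven O2 entries, the R3 hook, the two O9 items and four of the five O23 services, which is exactly the picture the helper describes: stale pointers rather than a live loader. The one entry worth reading closely is the O9 pair, which launches a remote URL and is flagged twice.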
#6
new logs

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:32:16 PM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Rita\Desktop\hijackthis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - Aæ - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {474597C5-AB09-49d6-A4D5-2E8D7341384E} - (no file)
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
O2 - BHO: (no name) - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - @æ - (no file)
O2 - BHO: (no name) - ¨æ - (no file)
O2 - BHO: (no name) - Ð@æ - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.updatesgate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.updatesgate.com/redirect.php (file missing)
O16 - DPF: Yahoo! Poker -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} -
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: McAfee Application Installer Cleanup (0271141200800174) (0271141200800174mcinstcleanup) - Unknown owner - C:\DOCUME~1\Rita\LOCALS~1\Temp\027114~1.EXE (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

--
End of file - 3817 bytes

*******************************

ComboFix 08-01-30.6 - Rita 2008-01-30 12:21:14.2 - NTFSx86
Running from: C:\Documents and Settings\Rita\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.
2008-01-27 15:51 . 2008-01-28 16:37 <DIR> d-------- C:\Program Files\Visual TimeAnalyzer
2008-01-27 15:51 . 2008-01-27 18:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Analyzer
2008-01-24 21:09 . 2008-01-24 21:09 <DIR> d-------- C:\WINDOWS\Sun
2008-01-20 09:27 . 2008-01-20 09:32 <DIR> d-------- C:\Program Files\RegScrubXP
2008-01-20 03:32 . 2008-01-22 09:06 <DIR> d-------- C:\Program Files\XoftSpySE
2008-01-20 00:13 . 2008-01-20 00:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-20 00:11 . 2008-01-20 00:17 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-20 00:10 . 2008-01-20 00:10 <DIR> d-------- C:\Documents and Settings\Rita\Application Data\SUPERAntiSpyware.com
2008-01-20 00:09 . 2008-01-20 00:09 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-19 22:28 . 2008-01-19 22:28 <DIR> d-------- C:\VundoFix Backups
2008-01-19 21:58 . 2008-01-19 21:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2008-01-11 19:43 . 2008-01-19 22:02 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-11 00:47 . 2008-01-11 01:24 45 --a------ C:\tmp.bat
2007-12-29 16:47 . 2007-12-29 16:48 <DIR> d-------- C:\Program Files\QuickTime
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-20 04:57 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-20 04:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-20 02:54 --------- d-----w C:\Program Files\McAfee
2007-12-30 19:52 --------- d--h--r C:\Documents and Settings\Rita\Application Data\yahoo!
2007-12-28 00:13 --------- d-----w C:\Documents and Settings\Rita\Application Data\iMesh
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{474597C5-AB09-49d6-A4D5-2E8D7341384E}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 20:11 4670968]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Rita^Start Menu^Programs^Startup^MRU-Blaster Silent Clean.lnk]
path=C:\Documents and Settings\Rita\Start Menu\Programs\Startup\MRU-Blaster Silent Clean.lnk
backup=C:\WINDOWS\pss\MRU-Blaster Silent Clean.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntiVermeans]
C:\Program Files\AntiVermeans\AntiVermeans.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
--a------ 2007-04-19 16:21 198184 C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MalwareAlarm]
C:\Program Files\MalwareAlarm\MalwareAlarm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--------- 2001-07-09 13:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-29 16:48 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RAMBooster.Net]
C:\Program Files\RAMBooster.Net\RAMBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-04-13 05:48 36975 C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
C:\Windows\xpupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSpyKiller]
C:\Program Files\WinSpyKiller\WinSpyKiller.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-03-01 20:11 4670968 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

R1 weeCamke;weeCamke;C:\WINDOWS\system32\DRIVERS\WEECAMKE.SYS [2000-04-05 14:26]
R3 ES1370;Creative AudioPCI (ES1370), SB PCI 64/128 (WDM);C:\WINDOWS\system32\drivers\ES1370MP.sys [2001-08-17 15:19]
S2 0271141200800174mcinstcleanup;McAfee Application Installer Cleanup (0271141200800174);C:\DOCUME~1\Rita\LOCALS~1\Temp\027114~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog []
S3 MTK;Media Technology Kernel Driver;C:\WINDOWS\system32\Drivers\fide.sys []
.
Contents of the 'Scheduled Tasks' folder
"2008-01-29 22:00:03 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-01-29 15:05:52 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 12:25:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-30 12:28:10
ComboFix-quarantined-files.txt 2008-01-30 17:27:44
ComboFix2.txt 2008-01-20 04:10:44
.
2008-01-10 19:42:48 --- E O F ---
*******************
#7
You are not helping me help you. You downloaded a fresh Combofix copy, ran it, downloaded SUPERAntispyware, XoftSpy, RegScrubXP, disabled items in msconfig and ran Combofix again and posted the new log. This way you only waste time.

If a member from this forum has been suggesting these steps to you, please feel free to PM me who it is.

You will need to re-enable all items again in msconfig so that the cleaning will be more thorough. Go to Start > Run, type msconfig and click OK. Under the Services tab click Enable All. Under the Startup tab click Enable All > Apply > OK > Reboot now.

~~~~~~~~~~~~~~~~

After the reboot, disable SpyBot's TeaTimer, as this will interfere with repairs.
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.
You can re-enable TeaTimer once your system is clean.

~~~~~~~~~~~~~~~~~~~~

Run Combofix again and post back the new report.

~~~~~~~~~~~~~~~~~~~~

Download SmitfraudFix.zip. Unzip it to your desktop and doubleclick on smitfraudfix.cmd. Choose Option 1 and hit Enter to generate a report about the infected files. Please save the log (it will save to C:\rapport.txt) and post it back here.

~~~~~~~~~~

Post back the Combofix report, along with the SmitfraudFix report, a fresh HijackThis log and a new Silent Runners report please.
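How the helper could tell from the ComboFix report alone that items had been disabled in msconfig: unticking an entry on msconfig's Startup tab does not delete the program, it moves the launch value under `shared tools\msconfig\startupreg`, and that is the key under which the log above lists AntiVermeans, MalwareAlarm, WinSpyKiller, "Windows update loader" and the rest. The script below is an added example, not ComboFix's own code and not something posted in the thread; it reads a Reg Loading Points block and pulls out the entries msconfig has parked. The sample block is constructed from a few lines of the posted log. The `file_details` heuristic (ComboFix printing attribute, date and size fields before the path when it found the file, and the bare path when it did not) is my reading of the log format, not documented behaviour.

```python
"""List startup entries parked by msconfig, from a ComboFix "Reg Loading Points"
block. Added example; not ComboFix's own code."""
import re

# Constructed excerpt, modeled on the Reg Loading Points block in the ComboFix
# log posted above; a handful of keys only.
SAMPLE_REG_POINTS = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntiVermeans]
C:\Program Files\AntiVermeans\AntiVermeans.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--------- 2001-07-09 13:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
C:\Windows\xpupdate.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# Where msconfig's Startup tab parks an entry when it is unticked: the Run value
# is recreated here, so the program is disabled, not removed.
MSCONFIG_STARTUPREG = "\\shared tools\\msconfig\\startupreg\\"
# A Windows path starts at the first "<drive>:\" and runs to end of line.
PATH_RE = re.compile(r"[A-Za-z]:\\.*$")
# Assumption about the log format: ComboFix prefixes the path with attribute,
# date, time and size fields when it was able to find the file.
DETAILS_RE = re.compile(r"^[-a-z]{9} \d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ ")


def parse_reg_points(text):
    """Return (key, [value lines]) pairs in the order they appear."""
    blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4" or line.startswith("*Note*"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = (m.group(1), [])
            blocks.append(current)
        elif current is not None:
            current[1].append(line)
    return blocks


def msconfig_disabled(text):
    """Entries parked by msconfig: name, launch path, and whether ComboFix found the file."""
    found = []
    for key, values in parse_reg_points(text):
        if MSCONFIG_STARTUPREG.lower() not in key.lower():
            continue
        name = key.rsplit("\\", 1)[1]
        first = values[0] if values else ""
        path_m = PATH_RE.search(first)
        found.append({
            "name": name,
            "path": path_m.group(0) if path_m else "",
            "file_details": bool(DETAILS_RE.match(first)),
        })
    return found


if __name__ == "__main__":
    for e in msconfig_disabled(SAMPLE_REG_POINTS):
        state = "file seen" if e["file_details"] else "path only"
        print(f"{e['name']:<22} {state:<10} {e['path']}")
```

The distinction matters for the cleanup plan in the post above: an entry that is merely parked in msconfig is still a launch point the next scan should see and remove, which is why the helper asks for everything to be re-enabled first.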