I have this popup on my computer, Antivirus 2009. I want to delete it. Here is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:34:58, on 05/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

--
End of file - 4847 bytes
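For readers who want to see how a log like the one above is taken apart, here is an added Python example (not code from this thread, from Trend Micro, or from the helper). It parses the HijackThis 2.0.2 text format into header fields, the running-process list and the tagged entries, then applies a few defensive triage rules: entries whose target file no longer exists (the kind of leftover the helper later tells the poster to fix), O10 LSP entries HijackThis could not identify, and autostart targets living in temp or recycle folders. The embedded log is a constructed sample trimmed from the poster's format; the `O4 ... [updater]` line and the `SUSPICIOUS_DIRS` heuristic are my own assumptions added to exercise the path rule, not anything from the poster's machine.

```python
"""Triage a Trend Micro HijackThis 2.0.2 log (added example, not from the thread).

HijackThis prints a header, a "Running processes:" list and then one entry
per line, each tagged with a section code: R0/R1 browser start and search
pages, O2 browser helper objects, O4 autostart entries, O9 IE buttons,
O10 Winsock LSPs, O20 Winlogon notify DLLs, O23 services, and so on.
"""
import re
from collections import Counter

HEADER_PREFIXES = {
    "Logfile of Trend Micro HijackThis v": "version",
    "Scan saved at ": "scanned_at",
    "Platform: ": "platform",
    "Boot mode: ": "boot_mode",
}

# Matches e.g. "O2 - BHO: (no name) - {CLSID} - (no file)".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")

# Heuristic (assumption, not a HijackThis rule): legitimate autostart targets
# are installed under Program Files or the Windows directory, not in a temp
# or recycle folder, so targets in these locations deserve a second look.
SUSPICIOUS_DIRS = ("\\local settings\\temp\\", "\\recycler\\", "\\temp\\")

# Constructed sample in the format of the log posted above. The "[updater]"
# O4 line is a constructed placeholder to exercise the path rule.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:34:58, on 05/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\updater.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
"""


def parse_hjt_log(text):
    """Split a HijackThis log into header fields, running processes and entries."""
    header, processes, entries = {}, [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match.group("section"), match.group("body")))
            continue
        for prefix, key in HEADER_PREFIXES.items():
            if line.startswith(prefix):
                header[key] = line[len(prefix):]
    return {"header": header, "processes": processes, "entries": entries}


def count_by_section(parsed):
    """How many entries each section code contributed, e.g. {'O2': 2, 'O4': 2}."""
    return dict(Counter(section for section, _ in parsed["entries"]))


def triage(parsed):
    """Return (section, entry, reason) for entries worth a human's attention."""
    findings = []
    for section, body in parsed["entries"]:
        low = body.lower()
        if "(no file)" in low or "(file missing)" in low:
            findings.append((section, body,
                             "orphaned entry: the registry still points at a file that no "
                             "longer exists; a harmless leftover that is safe to fix"))
        elif section == "O10" and low.startswith("unknown file in winsock lsp"):
            findings.append((section, body,
                             "LSP not on HijackThis's known list: identify the DLL's publisher "
                             "before acting, since removing a live LSP breaks networking"))
        elif section in ("O4", "O20", "O23") and any(d in low for d in SUSPICIOUS_DIRS):
            findings.append((section, body,
                             "autostart target lives in a temp/recycle folder: verify the file"))
    return findings


if __name__ == "__main__":
    parsed = parse_hjt_log(SAMPLE_LOG)
    print(parsed["header"])
    print(count_by_section(parsed))
    for section, body, reason in triage(parsed):
        print(f"[{section}] {body}\n    -> {reason}")
```

The point the helper makes in the reply below applies to this script as well: a HijackThis log lists load points, not detections, so an empty findings list means only that nothing looked odd at those load points, not that the machine is clean.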
Hi aldan,

Your HJT log doesn't show the infection, but that doesn't mean it's not there... This just may be the new variant of the Vundo Trojan and the new Antivirus 2009. Let's do this:

Please download Malwarebytes' Anti-Malware to your desktop.
• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
• Please post the contents of that file in your next reply.

And then do this:

Download ComboFix from Here to your Desktop.
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
• Double-click combofix.exe and follow the prompts.
• When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

2OG
I'm back. Here are my logs. Thanks very much for your help. If you ever need advice on car repairs, I'm a licensed auto mechanic.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:44:20, on 06/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

--
End of file - 5035 bytes

Malwarebytes' Anti-Malware 1.24
Database version: 1030
Windows 5.1.2600 Service Pack 3

2:26:05 PM 06/08/2008
mbam-log-8-6-2008 (14-26-05).txt

Scan type: Full Scan (C:\|)
Objects scanned: 94209
Time elapsed: 45 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\Fonts (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\Fonts\ocraext.ttf (Trojan.Agent) -> Quarantined and deleted successfully.
ComboFix 08-08-06.01 - al daniels 2008-08-06 14:30:54.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.565 [GMT -7:00]
Running from: C:\Documents and Settings\al daniels\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
.

2008-08-06 13:29 . 2008-08-06 13:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-06 13:29 . 2008-08-06 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-06 13:29 . 2008-08-06 13:29 <DIR> d-------- C:\Documents and Settings\al daniels\Application Data\Malwarebytes
2008-08-06 13:29 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-06 13:29 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-05 17:32 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-08-05 17:32 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-08-05 17:32 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-08-05 17:32 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-08-05 17:32 . 2008-07-02 13:33 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-08-05 17:32 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-08-05 17:32 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-08-05 17:32 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-08-05 17:32 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-25 23:15 . 2008-07-25 23:15 <DIR> d-------- C:\Program Files\TouchStoneSoftware
2008-07-25 22:44 . 2008-07-25 22:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-25 22:13 . 1998-09-17 05:20 393,216 --a------ C:\WINDOWS\system32\MSRDO20.DLL
2008-07-25 22:13 . 1998-09-17 05:20 151,552 --a------ C:\WINDOWS\system32\rdocurs.dll
2008-07-25 22:13 . 2008-07-25 22:13 6,144 --ahsc--- C:\WINDOWS\system32\access.ctl
2008-07-25 21:53 . 2008-07-26 21:02 <DIR> d-------- C:\Program Files\RegistryFix6
2008-07-25 21:13 . 2008-07-25 21:13 <DIR> d-------- C:\Program Files\Realtek AC97
2008-07-25 20:41 . 2008-07-25 20:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-07-25 19:42 . 2008-07-25 19:42 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-07-25 19:12 . 2008-04-03 15:42 53,248 -ra------ C:\WINDOWS\system32\drivers\ViPrt.sys
2008-07-25 19:12 . 2008-05-26 16:14 18,432 -ra------ C:\WINDOWS\system32\vIdeInst.dll
2008-07-25 19:12 . 2008-04-03 15:42 16,896 -ra------ C:\WINDOWS\system32\drivers\ViBus.sys
2008-07-25 19:02 . 2008-07-25 19:02 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-07-25 18:32 . 2008-07-25 18:32 <DIR> d-------- C:\Program Files\VIA Technologies, Inc
2008-07-25 18:32 . 2003-06-16 11:05 765,952 --a------ C:\WINDOWS\system\crlds3d.dll
2008-07-25 18:32 . 2003-06-16 11:05 720,896 --a------ C:\WINDOWS\system32\a3d.dll
2008-07-25 18:32 . 2001-08-17 22:36 98,304 --a--c--- C:\WINDOWS\system32\dllcache\a3d.dll
2008-07-25 18:32 . 2003-07-04 23:14 32,768 --a------ C:\WINDOWS\system32\UnAudioNT.dll
2008-07-25 18:32 . 2003-05-27 16:45 3,351 --a------ C:\WINDOWS\system32\drivers\vsp.sys
2008-07-25 01:36 . 2008-07-25 01:36 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-07-25 01:36 . 2008-07-25 01:36 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-07-24 20:35 . 2008-07-24 20:38 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-24 15:23 . 2008-07-24 15:23 <DIR> d-------- C:\VundoFix Backups
2008-07-24 12:39 . 2008-07-24 12:39 <DIR> d-------- C:\WINDOWS\SQL9_KB948109_ENU
2008-07-23 20:26 . 2008-07-23 20:26 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-07-23 20:20 . 2008-07-24 12:39 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2008-07-23 09:50 . 2008-07-23 09:50 3,596,288 --a--c--- C:\WINDOWS\system32\qt-dx331.dll
2008-07-23 09:48 . 2008-07-23 09:48 1,044,480 --a--c--- C:\WINDOWS\system32\libdivx.dll
2008-07-23 09:48 . 2008-07-23 09:48 200,704 --a--c--- C:\WINDOWS\system32\ssldivx.dll
2008-07-23 09:47 . 2008-07-23 09:47 634,880 --a------ C:\WINDOWS\system32\divxdec.ax
2008-07-23 09:47 . 2008-07-23 09:47 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax
2008-07-23 09:47 . 2008-07-23 09:47 416 --a--c--- C:\WINDOWS\system32\dtu100.dll.manifest
2008-07-23 09:47 . 2008-07-23 09:47 416 --a--c--- C:\WINDOWS\system32\dpl100.dll.manifest
2008-07-23 09:46 . 2008-07-23 09:46 12,288 --a--c--- C:\WINDOWS\system32\DivXWMPExtType.dll
2008-07-19 15:13 . 2008-06-08 09:37 402,728 --a------ C:\WINDOWS\system32\ImageDrive.cpl
2008-07-15 19:35 . 2008-02-28 13:26 1,414,440 --a------ C:\WINDOWS\system32\ShellManager310E2D762.dll
2008-07-15 19:35 . 2008-02-28 13:01 774,144 --a------ C:\WINDOWS\system32\NEROINSTAEC43759.DB
2008-07-09 20:45 . 2008-07-09 20:45 196,043 --a------ C:\_crash.dmp
2008-07-09 20:45 . 2008-07-09 20:45 63,432 --a------ C:\report.zip
2008-07-09 18:20 . 2008-07-09 18:20 <DIR> d-------- C:\Program Files\Common Files\NSV
2008-07-09 13:10 . 2008-05-15 16:15 53,168 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys
2008-07-08 17:29 . 2008-07-08 17:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-07-08 17:28 . 2008-08-05 13:31 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-08 17:13 . 2008-08-05 17:25 1,766 --a------ C:\WINDOWS\system32\tmp.reg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-06 20:14 --------- d-----w C:\Program Files\Microsoft Windows OneCare Live
2008-08-06 03:08 --------- d-----w C:\Program Files\PeerGuardian2
2008-08-05 20:05 --------- d-----w C:\Program Files\DivX
2008-08-02 02:38 --------- d-----w C:\Documents and Settings\al daniels\Application Data\OfficeUpdate12
2008-07-26 17:42 --------- d-----w C:\Program Files\QuickTime
2008-07-26 05:44 --------- d-----w C:\Documents and Settings\al daniels\Application Data\SUPERAntiSpyware.com
2008-07-26 05:14 --------- d-----w C:\Program Files\MyApp
2008-07-26 04:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-26 02:55 --------- d-----w C:\Program Files\EPSON
2008-07-26 01:32 --------- d-----w C:\Program Files\Setup Files
2008-07-16 03:07 --------- d-----w C:\Program Files\Common Files\Nero
2008-07-16 03:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-07-06 22:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-07-06 04:11 --------- d-----w C:\Program Files\Lavasoft
2008-07-05 03:23 --------- d-----w C:\Program Files\FirstClass
2008-07-04 01:56 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-07-04 01:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-01 14:17 --------- d-----w C:\Program Files\AC3Filter
2008-06-24 23:06 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2008-06-21 16:26 --------- d-----w C:\Program Files\YourWare Solutions
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 19:30 524,288 ----a-w C:\WINDOWS\opuc.dll
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 00:42 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-06-10 01:47 --------- d-----w C:\Program Files\MSI
2008-06-08 16:37 132,904 ----a-w C:\WINDOWS\system32\drivers\imagesrv.sys
2008-06-08 16:37 11,304 ----a-w C:\WINDOWS\system32\drivers\imagedrv.sys
2008-06-07 04:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-06-07 03:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-06 21:54 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2008-06-06 21:54 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
2008-05-22 22:22 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2008-05-16 18:48 446,464 -c--a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-05-09 10:53 90,112 -c--a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 430,080 -c--a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 180,224 -c--a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 172,032 -c--a-w C:\WINDOWS\system32\scrrun.dll
2008-05-08 11:24 155,648 -c--a-w C:\WINDOWS\system32\wscript.exe
2008-05-07 09:07 135,168 -c--a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 05:12 1,288,192 -c--a-w C:\WINDOWS\system32\quartz.dll
2008-02-05 15:21 47,360 -c--a-w C:\Documents and Settings\al daniels\Application Data\pcouffin.sys
2007-10-22 10:49 867,848 -c--a-w C:\Program Files\NOV2007_d3dx10_36_x64.cab
2007-10-22 10:49 807,132 -c--a-w C:\Program Files\NOV2007_d3dx10_36_x86.cab
2007-10-22 10:49 49,392 -c--a-w C:\Program Files\NOV2007_X3DAudio_x64.cab
2007-10-22 10:49 21,744 -c--a-w C:\Program Files\NOV2007_X3DAudio_x86.cab
2007-10-22 10:49 200,010 -c--a-w C:\Program Files\NOV2007_XACT_x64.cab
2007-10-22 10:49 151,512 -c--a-w C:\Program Files\NOV2007_XACT_x86.cab
2007-10-22 10:49 1,805,306 -c--a-w C:\Program Files\NOV2007_d3dx9_36_x64.cab
2007-10-22 10:49 1,712,608 -c--a-w C:\Program Files\NOV2007_d3dx9_36_x86.cab
2007-10-22 10:31 855,886 -c--a-w C:\Program Files\AUG2007_d3dx10_35_x64.cab
2007-10-22 10:31 800,467 -c--a-w C:\Program Files\AUG2007_d3dx10_35_x86.cab
2007-10-22 10:31 702,644 -c--a-w C:\Program Files\JUN2007_d3dx10_34_x64.cab
2007-10-22 10:31 702,072 -c--a-w C:\Program Files\JUN2007_d3dx10_34_x86.cab
2007-10-22 10:31 201,696 -c--a-w C:\Program Files\AUG2007_XACT_x64.cab
2007-10-22 10:31 200,722 -c--a-w C:\Program Files\JUN2007_XACT_x64.cab
2007-10-22 10:31 156,612 -c--a-w C:\Program Files\AUG2007_XACT_x86.cab
2007-10-22 10:31 156,509 -c--a-w C:\Program Files\JUN2007_XACT_x86.cab
2007-10-22 10:31 1,803,760 -c--a-w C:\Program Files\AUG2007_d3dx9_35_x64.cab
2007-10-22 10:31 1,711,752 -c--a-w C:\Program Files\AUG2007_d3dx9_35_x86.cab
2007-10-22 10:31 1,611,374 -c--a-w C:\Program Files\JUN2007_d3dx9_34_x64.cab
2007-10-22 10:31 1,610,886 -c--a-w C:\Program Files\JUN2007_d3dx9_34_x86.cab
2007-04-05 02:04 702,212 -c--a-w C:\Program Files\APR2007_d3dx10_33_x64.cab
2007-04-05 02:04 699,465 -c--a-w C:\Program Files\APR2007_d3dx10_33_x86.cab
2007-04-05 02:04 56,902 -c--a-w C:\Program Files\APR2007_xinput_x86.cab
2007-04-05 02:04 45,305 -c--a-w C:\Program Files\dxdllreg_x86.cab
2007-04-05 02:04 199,366 -c--a-w C:\Program Files\APR2007_XACT_x64.cab
2007-04-05 02:04 154,825 -c--a-w C:\Program Files\APR2007_XACT_x86.cab
2007-04-05 02:04 100,417 -c--a-w C:\Program Files\APR2007_xinput_x64.cab
2007-04-05 02:04 1,610,958 -c--a-w C:\Program Files\APR2007_d3dx9_33_x64.cab
2007-04-05 02:04 1,609,639 -c--a-w C:\Program Files\APR2007_d3dx9_33_x86.cab

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2008-06-21 09:26 1591808]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
"WeatherEye"="C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2008-05-30 14:54 4501912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2008-06-25 06:48 67112]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 14:01 86016]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 03:50 19968 C:\WINDOWS\LOGI_MWX.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-13 17:12 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AudioDeck.lnk]
backup=C:\WINDOWS\pss\AudioDeck.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
--a--c--- 2008-04-09 10:00 826880 C:\Program Files\dvd43\DVD43_Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-05-16 14:01 13529088 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-05-28 10:33 1506544 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a--c--- 2004-03-18 09:33 892928 C:\Program Files\Logitech\iTouch\iTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-16 14:01 1630208 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Nero BackItUp Scheduler 3"=2 (0x2)
"NVSvc"=2 (0x2)
"AresChatServer"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
"LVCOMSX"=C:\WINDOWS\system32\LVCOMSX.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\IEPro\\MiniDM.exe"=

R0 ViBus;ViBus;C:\WINDOWS\system32\DRIVERS\ViBus.sys [2008-04-03 15:42]
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2007-09-21 17:49]
R0 ViPrt;VIA SATA IDE Device Driver;C:\WINDOWS\system32\DRIVERS\ViPrt.sys [2008-04-03 15:42]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-10-18 17:39]
R2 OcHealthMon;Windows Live OneCare Health Monitor;C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe [2008-06-25 06:47]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S3 Vsp;Vsp;C:\WINDOWS\system32\drivers\Vsp.sys [2003-05-27 16:45]

*Newly Created Service* - CATCHME
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://sympatico.msn.ca/
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: E&xport to Microsoft Excel

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 14:33:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-06 14:34:23
ComboFix-quarantined-files.txt 2008-08-06 21:34:15
ComboFix2.txt 2008-02-03 01:00:46

Pre-Run: 60,223,479,808 bytes free
Post-Run: 60,257,800,192 bytes free

238 --- E O F --- 2008-07-24 19:42:40
Good job aldan,

Use HijackThis to fix this line, just a leftover:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Congratulations, your log looks CLEAN.

There are a few things you must do once you are completely clean:

1. Time for some housekeeping
Please download OTMoveIt2 by OldTimer.
• Save it to your desktop.
• Run the tool by clicking on the icon.
• Click the Cleanup button.
• The tools that we used, as well as this one, will be removed from your system.

2. Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
• Under Main "Select Files to Delete" choose: Select All.
• Click the Empty Selected button.
• If you use the Firefox browser, click Firefox at the top and choose: Select All.
• Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt.
• If you use the Opera browser, click Opera at the top and choose: Select All.
• Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt.
• Click Exit on the Main menu to close the program.

3. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
• Download the latest version of Java Runtime Environment (JRE) 6 Update 7 and save it to your desktop.
• Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
• Click the Download button to the right.
• Select Windows in the platform combobox and check the box that says: Accept License Agreement. Click Continue.
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save it to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
• Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.

4. Now set a new Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state. The easiest and safest way to do this is:
• Go to Start > Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen, then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Then go to Start > Run and type: Cleanmgr
• Click "OK". Select the drive you want to clean, usually C:. Click OK. When it completes the scan:
• Click the "More Options" tab.
• Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

5. Defragment your hard drive
1. Open My Computer.
2. Right-click the local disk volume that you want to defragment, and then click Properties.
3. On the Tools tab, click Defragment Now.
4. Click Defragment.

And here are some tips to reduce the potential for spyware infection in the future:

It is critical that you use a firewall to protect your computer from hackers. We don't recommend the firewall that comes built in to Windows. It doesn't block everything that may try to get in, and the entire firewall is written to the registry. As various kinds of malware hack the Registry in order to disable the Windows firewall, it's far preferable to install one of the excellent third-party solutions. Two good ones are Comodo Free and Online Armor Personal Firewall. I have recently changed my firewall to Comodo, love it and highly recommend it.

Make sure you keep your Windows OS current by visiting Windows Update regularly to download and install any critical updates and service packs. Without these you are leaving the back door open.

I strongly recommend installing the following applications:
• SpywareBlaster <= SpywareBlaster will prevent spyware from being installed.
Go to these sites and read about these; you may decide to use them. I do, because they work.
• Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Malware, Cookies etc.) from the sites listed, although you will still be able to connect to the sites.
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known Malware sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.

And also see TonyKlein's good advice: So how did I get infected in the first place?

Enjoy your clean computer. Any questions?

2OG
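The HOSTS-file mechanism the helper describes cuts both ways: a blocklist such as MVPS points known-bad names at 127.0.0.1 so the browser never reaches them, while a HOSTS file that has been tampered with can point security-vendor or update sites somewhere else. Here is an added Python example (not code from this thread, from the helper, or from the MVPS project) that parses a Windows HOSTS file and separates the two cases. The file content is a constructed sample; the `.test` hostnames and the `192.0.2.10` address (a TEST-NET documentation range) are constructed placeholders, not real sites.

```python
"""Audit a Windows HOSTS file (added example, not from the thread).

Blocklist entries map a hostname to a loopback or null address, so connections
to that name land on the local machine. Any mapping to some other address is
either a deliberate LAN entry or something that needs explaining, so the audit
reports it separately rather than deciding for the operator.
"""
import ipaddress

# Addresses that mean "send this name to myself / nowhere", i.e. a block.
LOOPBACK = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("::1"),
}

# Names that legitimately resolve to the local host.
SELF_NAMES = {"localhost"}

# Constructed sample: the 0.0.0.0 / 127.0.0.1 lines mimic the layout of a
# blocklist-style HOSTS file; the final line is a constructed example of a
# redirect away from loopback, using a TEST-NET documentation address.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# Sample HOSTS file (constructed for this example).

127.0.0.1       localhost
::1             localhost

# [Start of entries generated by a blocklist] (constructed)
0.0.0.0 ads.example-tracker.test
0.0.0.0 download.example-rogue-av.test    # fake AV download site
127.0.0.1 www.example-malware.test
192.0.2.10 update.example-security-vendor.test
"""


def parse_hosts(text):
    """Return [(ip, hostname, line_no)] for every mapping, ignoring comments."""
    mappings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line: not an address; a stricter tool would report it
        for host in fields[1:]:  # one address may carry several names
            mappings.append((ip, host.lower(), line_no))
    return mappings


def audit_hosts(text):
    """Classify each mapping as a self entry, a loopback block, or a redirect."""
    report = {"self": [], "blocked": [], "redirected": []}
    for ip, host, line_no in parse_hosts(text):
        if host in SELF_NAMES:
            report["self"].append(host)
        elif ip in LOOPBACK:
            report["blocked"].append(host)
        else:
            report["redirected"].append((str(ip), host, line_no))
    return report


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(result['blocked'])} name(s) blocked via loopback")
    for ip, host, line_no in result["redirected"]:
        print(f"line {line_no}: {host} -> {ip} (not loopback: confirm this is intentional)")
```

On a real machine the file lives at %SystemRoot%\system32\drivers\etc\hosts; read it with `open(path).read()` and pass the text to `audit_hosts`. A large "blocked" count is expected after installing a blocklist, while anything in "redirected" that you did not add yourself is worth tracing back.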
Thank you very much. If you ever need advice on car repairs, I am a licenced automotive mechanic. Cheers, Al.