kaspersky security suite keeps finding this::

will be quarantined when the computer is restarted: new threat Hidden.Object (modification) File: C:\WINDOWS:CABFCAE96AE78894

here is the hjt log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:34:53 PM, on 7/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\IObit\Advanced WindowsCare 3 Beta\AWC.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Advanced WindowsCare 3] "C:\Program Files\IObit\Advanced WindowsCare 3 Beta\AWC.exe" /startup
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B8292E5-964F-4187-8A65-68045FF6DB07}: NameServer = 216.45.34.2 216.45.33.130
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 2805 bytes
Hi mesa101,

From this Log, I see nothing that would cause problems except maybe one line that I am unsure of. This may be a deep rooted Trojan that’s replacing that file each time kaspersky deletes it. Let’s look deeper than HJT and see if we can catch it….

Be sure to disable your kaspersky before running the following program….

Download ComboFix from Here to your Desktop.
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Double click combofix.exe and follow the prompts.
• When finished, it shall produce a log for you. Post the Combofix log in your next reply

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist.

Post the Combofix log and a Fresh HiJackthis log in your next reply

Regards
ComboFix 08-07-20.A0 - Owner 2008-07-21 15:24:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1099 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\inst.exe
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-06-21 to 2008-07-21 )))))))))))))))))))))))))))))))
.

2008-07-20 14:49 . 2008-07-20 14:49 <DIR> d-------- C:\Program Files\IObit
2008-07-20 14:49 . 2008-07-20 14:58 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\IObit
2008-07-20 14:49 . 2008-04-17 16:19 90,668 --a------ C:\WINDOWS\system32\vobis32.dll
2008-07-19 18:11 . 2008-07-19 18:11 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Samsung
2008-07-18 22:46 . 2008-07-18 23:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-18 22:45 . 2008-07-18 22:45 <DIR> d-------- C:\Program Files\Safer Networking
2008-07-18 22:06 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-18 22:04 . 2008-07-18 22:04 <DIR> d-------- C:\Program Files\Panda Security
2008-07-17 18:09 . 2008-07-17 18:09 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-07-17 00:19 . 2007-07-11 11:11 888,832 --a------ C:\WINDOWS\system32\securenet.dll
2008-07-16 17:01 . 2008-07-16 17:01 24,392 --a------ C:\WINDOWS\system32\drivers\ElbyCDIO.sys
2008-07-16 09:45 . 2008-07-16 09:45 99,648 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2008-07-15 17:06 . 2008-07-15 17:07 <DIR> d-------- C:\Neurostar
2008-07-14 18:27 . 2008-07-20 14:58 <DIR> d-------- C:\Program Files\DVDFab 5
2008-07-08 22:02 . 2008-07-08 22:02 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-07-08 22:02 . 2008-07-08 22:02 <DIR> d-------- C:\WINDOWS\system32\en
2008-07-08 22:02 . 2008-07-08 22:02 <DIR> d-------- C:\WINDOWS\system32\bits
2008-07-08 22:02 . 2008-07-08 22:02 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-08 21:58 . 2008-07-08 21:58 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-08 21:50 . 2008-07-08 21:50 <DIR> d-------- C:\WINDOWS\EHome
2008-07-08 21:39 . 2008-04-13 20:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-07-03 18:51 . 2008-07-03 18:51 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Template
2008-07-03 18:50 . 2008-07-03 18:50 0 --a------ C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-06-30 22:55 . 2008-06-30 22:55 <DIR> d-------- C:\Program Files\LG Software Innovations
2008-06-30 01:29 . 2008-06-30 01:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Anonymizer
2008-06-30 01:29 . 2008-06-30 01:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Anonymizer
2008-06-28 21:08 . 2008-06-28 21:08 <DIR> d-------- C:\Program Files\QuickTime
2008-06-28 16:09 . 2006-05-20 17:16 1,184,984 --a------ C:\WINDOWS\system32\wvc1dmod.dll
2008-06-28 16:09 . 2006-05-11 20:21 626,688 --a------ C:\WINDOWS\system32\vp7vfw.dll
2008-06-27 17:32 . 2008-07-20 14:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\1Click DVD Copy
2008-06-26 07:06 . 2008-06-26 07:06 93,128 --a------ C:\WINDOWS\system32\ElbyCDIO.dll
2008-06-24 00:08 . 2008-06-24 00:08 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MysteryStudio
2008-06-23 20:16 . 2008-07-20 14:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Fashion Solitaire 1.2
2008-06-21 14:59 . 2006-05-03 22:53 174,592 --a------ C:\WINDOWS\system32\framedyn.dll
2008-06-21 14:57 . 2008-06-21 14:58 <DIR> d-------- C:\WINDOWS\system32\Samsung_USB_Drivers
2008-06-21 14:57 . 2008-06-21 14:57 <DIR> d-------- C:\Program Files\Samsung
2008-06-21 14:57 . 2006-07-24 16:05 5,632 --a------ C:\WINDOWS\system32\drivers\StarOpen.sys
2008-06-21 14:57 . 2005-08-28 20:51 766 --a------ C:\WINDOWS\system32\Uninstall.ico
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-21 19:29 7,497,760 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-21 19:28 353,312 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-21 19:28 34,124 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-21 19:28 101,396 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-21 17:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-21 07:52 --------- d-----w C:\Documents and Settings\Owner\Application Data\FrostWire
2008-07-20 18:58 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-07-20 18:58 --------- d-----w C:\Program Files\FrostWire
2008-07-20 18:58 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso
2008-07-20 18:58 --------- d-----w C:\Documents and Settings\Owner\Application Data\VideoReDo-TVSuite
2008-07-20 18:58 --------- d-----w C:\Documents and Settings\Owner\Application Data\iolo
2008-07-20 18:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\1Click DVD Copy Pro
2008-07-17 05:36 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-17 05:34 --------- d-----w C:\Program Files\PeerGuardian2
2008-07-15 21:18 --------- d-----w C:\Program Files\Java
2008-07-14 22:27 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-07-14 22:27 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2008-07-14 21:54 --------- d-----w C:\Program Files\Common Files\Ahead
2008-07-14 21:36 --------- d-----w C:\Program Files\Ahead
2008-06-29 01:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-28 20:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-06-28 20:10 827 ----a-w C:\Program Files\Common Files\ConvertXtoDvd 3.lnk
2008-06-27 00:56 --------- d-----w C:\Program Files\Shockwave.com
2008-06-21 18:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 23:38 --------- d-----w C:\Documents and Settings\Owner\Application Data\Gamelab
2008-06-17 18:28 96,966 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-06-17 18:28 88,774 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-06-17 18:28 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-06-17 18:24 --------- d-----w C:\Program Files\CCleaner
2008-06-17 18:13 --------- d-----w C:\Program Files\Kaspersky Lab
2008-06-17 12:45 --------- d-----w C:\Documents and Settings\Administrator.YOUR-D9B2E5A77E\Application Data\iolo
2008-06-17 00:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\iolo
2008-06-17 00:20 --------- d-----w C:\Documents and Settings\LocalService\Application Data\iolo
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 02:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-06-07 15:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-02 20:14 --------- d-----w C:\Program Files\VideoLAN
2008-05-23 23:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Go Go Gourmet
2008-05-23 21:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\My Games
2008-05-22 06:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-05-21 16:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-11 15:58 74,703 ----a-w C:\WINDOWS\system32\mfc45.dll
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-05 03:15 1,566 ----a-w C:\Program Files\Common Files\VideoReDo TVSuite.lnk
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced WindowsCare 3"="C:\Program Files\IObit\Advanced WindowsCare 3 Beta\AWC.exe" [2008-07-20 18:01 2037624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-23 12:52 185896]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008-02-08 18:36 227856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"nolowdiskspaceckecks"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
--a------ 2008-02-08 18:36 227856 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
.
Contents of the 'Scheduled Tasks' folder
"2008-07-08 15:43:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-21 15:29:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-21 15:34:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-21 19:33:52

Pre-Run: 187,187,810,304 bytes free
Post-Run: 187,160,547,328 bytes free

167 --- E O F --- 2008-07-09 21:31:26

HIJACK THIS LOG..........

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:06 PM, on 7/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [Advanced WindowsCare 3] "C:\Program Files\IObit\Advanced WindowsCare 3 Beta\AWC.exe" /startup
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B8292E5-964F-4187-8A65-68045FF6DB07}: NameServer = 216.45.34.2 216.45.33.130
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 2438 bytes
mesa101, It is NOT a virus.. It uses some of the same coding as Trojans, but it uses it to defeat them.. (Good usage) That’s why I asked you to disable kaspersky. Disable kaspersky and continue with the instructions in the order presented to you. Thanks for asking.. Thumbs up! 2OG
mesa101, It will take me some time to go over the Logs so hang in there. I’ll be back as soon as I can.. 2OG
mesa101,

you're more than welcome. You look clean.. If you are having any problems, please describe them and we’ll see what we can do..

We found: inst.exe
Description: Listed as TrojanDropper.Small.LG by SpywareBlaster.

I strongly recommend installing the following application:
• Spywareblaster <= SpywareBlaster will prevent malware like this from being installed.

UnInstall Combofix <-- This is a very powerful tool and not a general cleaning tool, if you run this on your own without supervision you could bork your system. ComboFix is being updated all the time and if you ever need it again, you will want to use the latest version.. This may or may not work if you did not follow the instructions and download it to your desktop, if it does not work, then go to where you have Combofix and drag it to the trash.
• Click START then RUN
• Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
• When shown the disclaimer, Select "2"

The above procedure will:
• Delete the following:
  o ComboFix and its associated files and folders.
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Reset System Restore.

2OG
everything seems fine except that kaspersky keeps finding this : new threat Hidden.Object (modification) File: C:\WINDOWS:CABFCAE96AE78894 what is this?...should i just add it to the trusted zone so it won't keep popping up?... thanks for your help.
mesa101, That’s STRANGE……… I can find nothing in your logs… Let’s try this Use your windows explorer and navigate to C:\windows then see if you can locate the file -> CABFCAE96AE78894 Also use the search function in windows explorer (be sure to search hidden files) and search the C:\windows folder for it. Let me know if you find it…….
Hi mesa

Just wanted to say that the detection by Kaspersky is not a signature or heuristic detection of any malware, just one of the extra ways which Kaspersky protects your system. Apparently, C:\Windows was modified in some way, possibly the attributes. It probably isn't something to be worried about, and if you want to be sure, you can always scan your computer with Kaspersky in safe mode, and quarantine it.

Also, another thing to be noted is this: even though modification protection and such can be attractive, Kaspersky alters your system in ways so that it cannot be reversed, such as attaching the md5 of each file to the file itself. That is why I will not recommend it, but if you are fine with it, that's good.

Best Regards
it turns out it was runanalyzer that i downloaded with spybot awhile back... i uninstalled it and im fine now.. thanks.
Thanks cdavfrew, where you been? @ mesa101, Looks like you’re good to go.. unless you have something else beating you up… : ) 2OG
Hey 2oldgeek I was gone because of summer and holiday! Glad to be back! I speak too deeply? Strange, because other malware experts speak like this, like those from MRU! You too do, with your analogies Best Regards