Support Forum for TrojanHunter anti-malware remover and other products, including freeware

Welcome, Guest. Please Login or Register.

Search

Members

Login

Register

   Mischel Internet Security Forum
   Malware
   Adware, Browser Hijackers and other Malware (Moderators: Helena, Gavin_Coe, Magnus)
   help

« Previous topic | Next topic »

Pages: 1 2

Notify of replies

Send Topic

Author

Topic: help (Read 1458 times)

Thomas
Full Member

Gender:

Posts: 233

help
« on: Sep 19^th, 2009, 1:41am »

Quote

Modify

i got my pc to work again and i ran a combofix scan and it deleteing 2 things

ComboFix 09-09-18.02 - Tom 09/19/2009 1:34.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.222.92 [GMT -4:00]
Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Service_Iprip

((((((((((((((((((((((((( Files Created from 2009-08-19 to 2009-09-19 )))))))))))))))))))))))))))))))
.

2009-09-18 19:18 . 2009-03-30 14:3396104----a-w-c:\windows\system32\drivers\avipbb.sys
2009-09-18 19:18 . 2009-02-13 16:2922360----a-w-c:\windows\system32\drivers\avgntmgr.sys
2009-09-18 19:18 . 2009-02-13 16:1745416----a-w-c:\windows\system32\drivers\avgntdd.sys
2009-09-18 19:18 . 2009-09-18 19:18--------d-----w-c:\program files\Avira
2009-09-18 19:18 . 2009-09-18 19:18--------d-----w-c:\documents and settings\All Users\Application Data\Avira
2009-09-18 14:32 . 2009-09-18 14:32--------d-----w-c:\documents and settings\Tom\Application Data\TrojanHunter
2009-09-18 14:26 . 2009-09-18 19:11--------d-----w-c:\program files\TrojanHunter 5.2
2009-09-18 11:43 . 2009-09-18 14:06--------d---a-w-c:\documents and settings\All Users\Application Data\TEMP
2009-09-18 09:37 . 2009-09-18 09:35411368----a-w-c:\windows\system32\deploytk.dll
2009-09-18 09:34 . 2009-09-18 09:34--------d-----w-c:\program files\Java
2009-09-18 09:13 . 2008-10-16 18:06268648----a-w-c:\windows\system32\mucltui.dll
2009-09-17 23:58 . 2009-09-17 23:58--------d-----w-c:\documents and settings\Tom\Local Settings\Application Data\Yahoo
2009-09-17 23:52 . 2009-09-17 23:52--------d-----w-c:\documents and settings\LocalService\Application Data\PeerNetworking
2009-09-17 23:50 . 2009-09-17 23:51--------d-----w-c:\documents and settings\All Users\Application Data\Yahoo!
2009-09-17 23:50 . 2009-09-17 23:50--------d-----w-c:\program files\Yahoo!
2009-09-17 23:35 . 2009-07-28 20:3355656----a-w-c:\windows\system32\drivers\avgntflt.sys
2009-09-17 23:31 . 2009-09-17 23:31--------d-sh--w-c:\documents and settings\LocalService\IETldCache
2009-09-17 23:17 . 2009-09-17 23:17--------d-----w-c:\program files\YTK Enhanced
2009-09-17 23:17 . 2009-09-17 23:57--------d-----w-c:\documents and settings\Tom\Application Data\YTK Enhanced
2009-09-17 23:10 . 2009-09-17 23:12--------d-----w-c:\program files\CCleaner
2009-09-17 22:19 . 2009-09-17 22:19--------d-----w-c:\windows\system32\scripting
2009-09-17 22:19 . 2009-09-17 22:19--------d-----w-c:\windows\l2schemas
2009-09-17 22:19 . 2009-09-17 22:19--------d-----w-c:\windows\system32\en
2009-09-17 22:19 . 2009-09-17 22:19--------d-----w-c:\windows\system32\bits
2009-09-17 21:46 . 2009-09-17 21:46--------d-----w-c:\windows\EHome
2009-09-17 21:33 . 2009-09-18 11:40--------d-----w-c:\documents and settings\Tom\Tracing
2009-09-17 21:31 . 2009-09-17 21:31--------d-----w-c:\program files\Microsoft Silverlight
2009-09-17 21:28 . 2009-09-17 21:28--------d-----w-c:\program files\Microsoft
2009-09-17 21:27 . 2009-09-17 21:27--------d-----w-c:\program files\Windows Live SkyDrive
2009-09-17 21:26 . 2009-09-17 21:28--------d-----w-c:\program files\Windows Live
2009-09-17 21:22 . 2009-09-17 21:22--------d-----w-c:\program files\Common Files\Windows Live
2009-09-17 21:22 . 2009-09-17 23:4813688----a-w-c:\documents and settings\Tom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-17 21:01 . 2009-09-17 21:04--------d-----w-c:\documents and settings\Tom\Local Settings\Application Data\ApplicationHistory
2009-09-17 20:40 . 2009-09-17 20:40--------d-----w-c:\windows\system32\Adobe
2009-09-17 20:20 . 2006-08-01 19:0249152----a-w-c:\windows\system32\ChCfg.exe
2009-09-17 20:19 . 2008-09-24 14:404122368----a-r-c:\windows\system32\drivers\alcxwdm.sys
2009-09-17 20:18 . 2009-09-17 20:19--------d-----w-c:\program files\Realtek AC97
2009-09-17 20:18 . 2006-12-08 19:2010528768----a-w-c:\windows\system32\RTLCPL.exe
2009-09-17 20:18 . 2007-04-16 19:28577536----a-w-c:\windows\soundman.exe
2009-09-17 20:18 . 2006-10-18 06:53147456----a-w-c:\windows\system32\RtlCPAPI.dll
2009-09-17 20:18 . 2006-07-31 15:27217088----a-w-c:\windows\Alcrmv.exe
2009-09-17 20:18 . 2006-07-31 15:19315392----a-w-c:\windows\alcupd.exe
2009-09-17 19:08 . 2008-04-14 00:1273796------w-c:\windows\system32\slserv.exe
2009-09-17 19:07 . 2004-08-04 02:291897408------w-c:\windows\system32\drivers\nv4_mini.sys
2009-09-17 19:06 . 2008-04-14 00:1233792------w-c:\windows\system32\mmcperf.exe
2009-09-17 19:06 . 2008-04-14 00:11397312------w-c:\windows\system32\mmcex.dll
2009-09-17 19:06 . 2008-04-14 00:11106496------w-c:\windows\system32\mmcfxcommon.dll
2009-09-17 19:06 . 2008-04-14 00:11184320------w-c:\windows\system32\microsoft.managementconsole.dll
2009-09-17 19:06 . 2008-04-14 00:1137376------w-c:\windows\system32\l2gpstore.dll
2009-09-17 19:06 . 2008-04-14 00:1161440------w-c:\windows\system32\kmsvc.dll
2009-09-17 19:06 . 2008-04-14 00:096144------w-c:\windows\system32\kbdpash.dll
2009-09-17 19:06 . 2008-04-14 00:096144------w-c:\windows\system32\kbdnepr.dll
2009-09-17 19:06 . 2008-04-14 00:096144------w-c:\windows\system32\kbdiultn.dll
2009-09-17 19:06 . 2008-04-14 00:096144------w-c:\windows\system32\kbdbhc.dll
2009-09-17 19:04 . 2008-04-14 00:119216------w-c:\windows\system32\dot3dlg.dll
2009-09-17 18:41 . 2009-09-17 18:41--------d-----w-c:\windows\system32\XPSViewer
2009-09-17 18:41 . 2009-09-17 18:41--------d-----w-c:\program files\MSBuild
2009-09-17 18:40 . 2009-09-17 18:40--------d-----w-c:\program files\Reference Assemblies
2009-09-17 18:39 . 2008-07-06 12:0689088-c----w-c:\windows\system32\dllcache\filterpipelineprintproc.d ll
2009-09-17 18:39 . 2008-07-06 12:06117760------w-c:\windows\system32\prntvpt.dll
2009-09-17 18:39 . 2008-07-06 12:06575488-c----w-c:\windows\system32\dllcache\xpsshhdr.dll
2009-09-17 18:39 . 2008-07-06 12:06575488------w-c:\windows\system32\xpsshhdr.dll
2009-09-17 18:39 . 2008-07-06 12:061676288-c----w-c:\windows\system32\dllcache\xpssvcs.dll
2009-09-17 18:39 . 2008-07-06 12:061676288------w-c:\windows\system32\xpssvcs.dll
2009-09-17 18:39 . 2008-07-06 10:50597504-c----w-c:\windows\system32\dllcache\printfilterpipelinesvc.e xe
2009-09-17 18:38 . 2009-09-17 18:40--------d-----w-C:\2f9546c3a7bc03242437542a4e818ed4
2009-09-17 18:32 . 2009-09-17 18:32--------d-----w-c:\program files\MSXML 6.0
2009-09-17 18:30 . 2009-09-17 18:30--------d-----w-c:\documents and settings\Tom\Application Data\Windows Search
2009-09-17 18:29 . 2009-09-17 18:29--------d-----w-c:\documents and settings\Tom\Local Settings\Application Data\Identities
2009-09-17 18:29 . 2009-09-17 18:29--------d-----w-c:\documents and settings\Tom\Application Data\Windows Desktop Search
2009-09-17 18:28 . 2009-09-17 21:04--------d-----w-c:\program files\Windows Desktop Search
2009-09-17 18:28 . 2009-09-17 18:28--------d-----w-c:\windows\system32\GroupPolicy
2009-09-17 18:26 . 2009-09-17 18:26--------d-----w-c:\program files\Windows Media Connect 2
2009-09-17 18:21 . 2009-09-17 18:23--------d-----w-c:\windows\system32\drivers\UMDF
2009-09-17 18:15 . 2008-04-13 18:395504----a-w-c:\windows\system32\drivers\mstee.sys
2009-09-17 18:15 . 2008-04-13 18:4610880----a-w-c:\windows\system32\drivers\ndisip.sys
2009-09-17 18:14 . 2008-04-13 18:4615232----a-w-c:\windows\system32\drivers\streamip.sys
2009-09-17 18:14 . 2008-04-13 18:4611136----a-w-c:\windows\system32\drivers\slip.sys
2009-09-17 18:14 . 2008-04-13 18:4619200----a-w-c:\windows\system32\drivers\wstcodec.sys
2009-09-17 18:14 . 2008-04-13 18:4685248----a-w-c:\windows\system32\drivers\nabtsfec.sys
2009-09-17 18:14 . 2008-04-13 18:4617024----a-w-c:\windows\system32\drivers\ccdecode.sys
2009-09-17 18:13 . 2008-04-14 00:1253760----a-w-c:\windows\system32\vfwwdm32.dll
2009-09-17 18:09 . 2009-09-17 18:09--------d-----w-c:\windows\system32\URTTEMP
2009-09-17 18:04 . 2008-04-14 00:1253248------w-c:\windows\system32\tsgqec.dll
2009-09-17 18:04 . 2008-04-14 00:12290304------w-c:\windows\system32\rhttpaa.dll
2009-09-17 18:04 . 2008-04-14 00:11136192------w-c:\windows\system32\aaclient.dll
2009-09-17 17:56 . 2009-09-17 17:56--------d-----w-c:\program files\CONEXANT
2009-09-17 17:56 . 2009-09-17 17:56--------d-----w-c:\program files\ATI Technologies
2009-09-17 17:56 . 2006-04-05 01:05520192------w-c:\windows\system32\ati2sgag.exe
2009-09-17 16:51 . 2009-09-17 20:18--------d--h--w-c:\program files\InstallShield Installation Information
2009-09-17 16:51 . 2009-09-17 17:56--------d-----w-c:\program files\Common Files\InstallShield
2009-09-17 16:51 . 2009-09-17 16:51--------d-----w-C:\ATI
2009-09-17 16:46 . 2009-09-17 16:46--------d-sh--w-c:\documents and settings\Tom\IECompatCache
2009-09-17 16:46 . 2009-09-17 16:46--------d-sh--w-c:\documents and settings\Tom\PrivacIE
2009-09-17 16:40 . 2009-09-17 16:40--------d-sh--w-c:\documents and settings\NetworkService\IETldCache
2009-09-17 16:39 . 2009-09-17 16:39--------d-sh--w-c:\documents and settings\Tom\IETldCache
2009-09-17 16:37 . 2009-08-07 08:48100352-c----w-c:\windows\system32\dllcache\iecompat.dll
2009-09-17 16:36 . 2009-09-17 18:56--------d-----w-c:\windows\ie8updates
2009-09-17 16:35 . 2009-07-03 17:0912800-c----w-c:\windows\system32\dllcache\xpshims.dll
2009-09-17 16:35 . 2009-07-03 17:09594432-c----w-c:\windows\system32\dllcache\msfeeds.dll
2009-09-17 16:35 . 2009-07-03 17:0955296-c----w-c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-17 16:35 . 2009-07-03 17:091985536-c----w-c:\windows\system32\dllcache\iertutil.dll
2009-09-17 16:35 . 2009-07-03 17:09246272-c----w-c:\windows\system32\dllcache\ieproxy.dll
2009-09-17 16:34 . 2009-07-19 22:4811067392-c----w-c:\windows\system32\dllcache\ieframe.dll
2009-09-17 16:32 . 2009-09-17 16:34--------dc-h--w-c:\windows\ie8
2009-09-17 15:48 . 2009-09-18 12:12--------d-----w-c:\windows\system32\LogFiles
2009-09-17 15:36 . 2009-09-17 22:11--------d-----w-c:\windows\ServicePackFiles
2009-09-03 03:22 . 2009-09-03 03:22--------d-----w-c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-09-02 16:16 . 2009-09-17 20:41--------d-----w-c:\windows\system32\FxsTmp
2009-09-02 16:08 . 2008-06-13 11:05272128-c----w-c:\windows\system32\dllcache\bthport.sys
2009-09-02 16:08 . 2008-06-13 11:05272128------w-c:\windows\system32\drivers\bthport.sys
2009-09-02 16:07 . 2009-03-06 14:22284160-c----w-c:\windows\system32\dllcache\pdh.dll
2009-09-02 16:07 . 2009-02-09 12:10401408-c----w-c:\windows\system32\dllcache\rpcss.dll
2009-09-02 16:07 . 2009-02-06 11:11110592-c----w-c:\windows\system32\dllcache\services.exe
2009-09-02 16:07 . 2009-06-25 08:25730112-c----w-c:\windows\system32\dllcache\lsasrv.dll
2009-09-02 16:07 . 2009-02-09 12:10714752-c----w-c:\windows\system32\dllcache\ntdll.dll
2009-09-02 16:07 . 2009-02-09 12:10617472-c----w-c:\windows\system32\dllcache\advapi32.dll
2009-09-02 16:07 . 2009-02-09 12:10473600-c----w-c:\windows\system32\dllcache\fastprox.dll
2009-09-02 16:07 . 2009-02-09 12:10453120-c----w-c:\windows\system32\dllcache\wmiprvsd.dll
2009-09-02 16:07 . 2009-02-06 11:062145280-c----w-c:\windows\system32\dllcache\ntkrnlmp.exe
2009-09-02 16:07 . 2009-02-06 10:10227840-c----w-c:\windows\system32\dllcache\wmiprvse.exe
2009-09-02 16:07 . 2009-02-06 11:082189056-c----w-c:\windows\system32\dllcache\ntoskrnl.exe
2009-09-02 16:07 . 2009-02-06 10:322023936-c----w-c:\windows\system32\dllcache\ntkrpamp.exe
2009-09-02 16:06 . 2008-10-24 11:21455296-c----w-c:\windows\system32\dllcache\mrxsmb.sys
2009-09-02 16:06 . 2008-05-08 14:02203136-c----w-c:\windows\system32\dllcache\rmcast.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-18 09:56 . 2009-09-02 15:47--------d-----w-c:\documents and settings\Tom\Application Data\uTorrent
2009-09-02 15:56 . 2009-09-02 15:56--------d-----w-c:\program files\7-Zip
2009-09-02 15:50 . 2009-09-02 15:50--------d-----w-c:\program files\Trend Micro
2009-09-02 15:48 . 2009-09-02 15:48--------d-----w-c:\program files\uTorrent
2009-09-02 15:30 . 2009-09-02 15:30--------d-----w-c:\program files\microsoft frontpage
2009-09-02 15:26 . 2009-09-02 15:2621640----a-w-c:\windows\system32\emptyregdb.dat
2009-08-05 09:01 . 2004-08-04 12:00204800----a-w-c:\windows\system32\mswebdvd.dll
2009-08-03 19:07 . 2009-08-03 19:07403816----a-w-c:\windows\system32\OGACheckControl.DLL
2009-07-31 12:47 . 2009-07-31 12:47499712----a-w-c:\windows\system32\msvcp71.dll
2009-07-31 12:47 . 2009-07-31 12:47348160----a-w-c:\windows\system32\msvcr71.dll
2009-07-29 04:37 . 2004-08-04 12:0081920----a-w-c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2004-08-04 12:00119808----a-w-c:\windows\system32\t2embed.dll
2009-07-26 20:44 . 2009-07-26 20:4448448----a-w-c:\windows\system32\sirenacm.dll
2009-07-17 19:01 . 2004-08-04 12:0058880----a-w-c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 12:00286208----a-w-c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-04 12:00915456----a-w-c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-04 12:00730112----a-w-c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:0056832----a-w-c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:0054272----a-w-c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00301568----a-w-c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00147456----a-w-c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 12:00136192----a-w-c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 12:0092928----a-w-c:\windows\system32\drivers\ksecdd.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-18 149280]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/18/2009 3:18 PM 108289]
R3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [9/2/2009 12:24 PM 96256]
R3 DCamUSBVeo532;Veo Stingray/Connect Web Camera;c:\windows\system32\drivers\ubVeo532.sys [7/1/2002 6:30 PM 95232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvcREG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-19 c:\windows\Tasks\User_Feed_Synchronization-{251E221E-3C61-4C5B-A8CA-5097 9EF2581A}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
.

************************************************************************ **

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-19 01:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************************************ **
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c .exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(236 Cool

c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\snmp.exe
c:\windows\system32\searchindexer.exe
.
************************************************************************ **
.
Completion time: 2009-09-19 1:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-19 05:57

Pre-Run: 64,509,505,536 bytes free
Post-Run: 64,868,618,240 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

271--- E O F ---2009-09-18 09:20

IP Logged

Windows 7 Home Premium (64 Bit)
Yahoo! Messenger Version 11.0.0 Build 2014
Y!TunnelPro Version 2.6 Build 736
YTK Enhanced Version 2.6 Build 108
Mozilla Firefox Version 8.0 (Beta)
Internet Explorer Version 9.0.8112.16421
TrojanHunter Version 5.3 Build 994
HijackThis Version 2.0 Build 4
Wireless
avast! Free Antivirus
Malwarebytes' Anti-Malware
SUPERAntiSpyware Professional

Thomas
Full Member

Gender:

Posts: 233

Re: help
« Reply #1 on: Sep 19^th, 2009, 1:43am »

Quote

Modify

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:02:55 AM, on 9/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/ muweb_site.cab?1253222312734
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4139 bytes

IP Logged

siliconman01
Global Moderator

Trojans! Chew 'em Up, Spit 'em Out...

Gender: male

Posts: 7357

Re: help
« Reply #2 on: Sep 19^th, 2009, 2:23am »

Quote

Modify

Your Hijackthis log is showing nothing malicious.

As for the Combofix deletions of IPRIP, this does look like a valid malicious (possibly) find by Combofix.

Would you please zip your Qoobox folder and email it to Gavin so that he can examine these deletions. This is a case where the name IPRIP may or may not be a malicious file. Send to submit@trojanhunter.com

Thanks in advance for the submission.

IP Logged

______
TrojanHunter V5.5.1002...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD VelociRaptors. Common: router, cable modem.

Thomas
Full Member

Gender:

Posts: 233

Re: help
« Reply #3 on: Sep 19^th, 2009, 3:19am »

Quote

Modify

Malwarebytes' Anti-Malware 1.41
Database version: 2823
Windows 5.1.2600 Service Pack 3

9/19/2009 3:36:32 AM
mbam-log-2009-09-19 (03-36-32).txt

Scan type: Full Scan (C:\|H:\|)
Objects scanned: 137381
Time elapsed: 1 hour(s), 2 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

IP Logged

Thomas
Full Member

Gender:

Posts: 233

Re: help
« Reply #4 on: Sep 19^th, 2009, 3:21am »

Quote

Modify

i will send them to gavin and i will also put the thread tittle in the email aswell but i just want make sure there aint nothing bad in my pc

« Last Edit: Sep 19^th, 2009, 3:22am by Thomas »

IP Logged

Thomas
Full Member

Gender:

Posts: 233

Re: help
« Reply #5 on: Sep 19^th, 2009, 3:33am »

Quote

Modify

hey tom can i delete the Qoobox folder and text

IP Logged

Thomas
Full Member

Gender:

Posts: 233

Re: help
« Reply #6 on: Sep 19^th, 2009, 4:10am »

Quote

Modify

Avira AntiVir Personal
Report file date: Saturday, September 19, 2009 03:56

Scanning for 1729942 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : HOME

Version information:
BUILD.DAT : 9.0.0.408 17961 Bytes 8/26/2009 16:51:00
AVSCAN.EXE : 9.0.3.7 466689 Bytes 7/21/2009 18:36:14
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 14:21:42
ANTIVIR2.VDF : 7.1.6.1 3857920 Bytes 9/16/2009 19:23:36
ANTIVIR3.VDF : 7.1.6.13 181248 Bytes 9/18/2009 19:23:39
Engineversion : 8.2.1.19
AEVDF.DLL : 8.1.1.2 106867 Bytes 9/18/2009 19:24:05
AESCRIPT.DLL : 8.1.2.31 475513 Bytes 9/18/2009 19:24:04
AESCN.DLL : 8.1.2.5 127346 Bytes 9/18/2009 19:24:01
AERDL.DLL : 8.1.2.4 430452 Bytes 7/23/2009 14:59:39
AEPACK.DLL : 8.2.0.0 422261 Bytes 9/18/2009 19:24:01
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 14:59:39
AEHEUR.DLL : 8.1.0.155 1921400 Bytes 9/18/2009 19:23:58
AEHELP.DLL : 8.1.7.0 237940 Bytes 9/18/2009 19:23:47
AEGEN.DLL : 8.1.1.63 364916 Bytes 9/18/2009 19:23:46
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 19:32:40
AECORE.DLL : 8.1.8.1 184693 Bytes 9/18/2009 19:23:42
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 19:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 9/18/2009 19:29:23
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 20:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 15:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: high
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, H:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+SPR,
Expanded search settings............: 0x00001000

Start of the scan: Saturday, September 19, 2009 03:56

End of the scan: Saturday, September 19, 2009 04:25
Used time: 29:48 Minute(s)

The scan has been done completely.

3937 Scanned directories
167181 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
35 Files cannot be scanned
167146 Files not concerned
6711 Archives were scanned
40 Warnings
33 Notes
37351 Objects were scanned with rootkit scan
0 Hidden objects were found

IP Logged

siliconman01
Global Moderator

Trojans! Chew 'em Up, Spit 'em Out...

Gender: male

Posts: 7357

Re: help
« Reply #7 on: Sep 20^th, 2009, 12:30am »

Quote

Modify

Quote:

hey tom can i delete the Qoobox folder and text

Hold off deleting Qoobox until Gavin gets back on whether the files are in fact malicious. If they are not, then you will want to restore them.

IP Logged

Thomas
Full Member

Gender:

Posts: 233

Re: help
« Reply #8 on: Sep 20^th, 2009, 5:43am »

Quote

Modify

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/20/2009 at 06:38 AM

Application Version : 4.29.1002

Core Rules Database Version : 4112
Trace Rules Database Version: 2052

Scan type : Complete Scan
Total Scan Time : 01:04:49

Memory items scanned : 494
Memory threats detected : 0
Registry items scanned : 4141
Registry threats detected : 0
File items scanned : 25094
File threats detected : 39

Adware.Tracking Cookie
C:\Documents and Settings\Tom\Cookies\tom@apmebf[2].txt
C:\Documents and Settings\Tom\Cookies\tom@hurricanetrack[2].txt
C:\Documents and Settings\Tom\Cookies\tom@socialmedia[2].txt
C:\Documents and Settings\Tom\Cookies\tom@youporn[1].txt
C:\Documents and Settings\Tom\Cookies\tom@burstnet[1].txt
C:\Documents and Settings\Tom\Cookies\tom@content.yieldmanager[3].txt
C:\Documents and Settings\Tom\Cookies\tom@mediaplex[1].txt
C:\Documents and Settings\Tom\Cookies\tom@adbrite[1].txt
C:\Documents and Settings\Tom\Cookies\tom@eyewonder[1].txt
C:\Documents and Settings\Tom\Cookies\tom@cdn4.specificclick[2].txt
C:\Documents and Settings\Tom\Cookies\tom@www.burstnet[2].txt
C:\Documents and Settings\Tom\Cookies\tom@www.burstbeacon[1].txt
C:\Documents and Settings\Tom\Cookies\tom@serving-sys[1].txt
C:\Documents and Settings\Tom\Cookies\tom@specificclick[2].txt
C:\Documents and Settings\Tom\Cookies\tom@atdmt[1].txt
C:\Documents and Settings\Tom\Cookies\tom@fastclick[1].txt
C:\Documents and Settings\Tom\Cookies\tom@casalemedia[2].txt
C:\Documents and Settings\Tom\Cookies\tom@advertising[2].txt
C:\Documents and Settings\Tom\Cookies\tom@adlegend[2].txt
C:\Documents and Settings\Tom\Cookies\tom@tribalfusion[2].txt
C:\Documents and Settings\Tom\Cookies\tom@ads.ookla[2].txt
C:\Documents and Settings\Tom\Cookies\tom@oasn04.247realmedia[1].txt
C:\Documents and Settings\Tom\Cookies\tom@bs.serving-sys[1].txt
C:\Documents and Settings\Tom\Cookies\tom@richmedia.yahoo[1].txt
C:\Documents and Settings\Tom\Cookies\tom@media6degrees[1].txt
C:\Documents and Settings\Tom\Cookies\tom@realmedia[2].txt
C:\Documents and Settings\Tom\Cookies\tom@msnportal.112.2o7[1].txt
C:\Documents and Settings\Tom\Cookies\tom@ads-dev.youporn[2].txt
C:\Documents and Settings\Tom\Cookies\tom@doubleclick[2].txt
C:\Documents and Settings\Tom\Cookies\tom@247realmedia[1].txt
C:\Documents and Settings\Tom\Cookies\tom@ads.pointroll[2].txt
C:\Documents and Settings\Tom\Cookies\tom@ad.yieldmanager[2].txt
C:\Documents and Settings\Tom\Cookies\tom@brighthouse.122.2o7[1].txt
C:\Documents and Settings\Tom\Cookies\tom@kontera[2].txt
C:\Documents and Settings\Tom\Cookies\tom@specificmedia[2].txt
C:\Documents and Settings\Tom\Cookies\tom@burstbeacon[1].txt
C:\Documents and Settings\Tom\Cookies\tom@revsci[2].txt
C:\Documents and Settings\Tom\Cookies\tom@questionmarket[1].txt
C:\Documents and Settings\Tom\Cookies\tom@atdmt[2].txt

IP Logged

Thomas
Full Member

Gender:

Posts: 233

Re: help
« Reply #9 on: Sep 20^th, 2009, 5:44am »

Quote

Modify

on Sep 20^th, 2009, 12:30am, siliconman01 wrote:

Hold off deleting Qoobox until Gavin gets back on whether the files are in fact malicious. �If they are not, then you will want to restore them. �

ok and im going hold off on doing a trojanhunter scan

IP Logged

Thomas
Full Member

Gender:

Posts: 233

Re: help
« Reply #10 on: Sep 20^th, 2009, 5:50am »

Quote

Modify

Packed Driver Detector 0.9 Scan

Scanning C:\WINDOWS\system32\drivers\
No packed driver files were detected (268 files scanned).

IP Logged

siliconman01
Global Moderator

Trojans! Chew 'em Up, Spit 'em Out...

Gender: male

Posts: 7357

Re: help
« Reply #11 on: Sep 20^th, 2009, 2:35pm »

Quote

Modify

It looks to me like your system is clean....short of the tracking cookies that SAS detected....and which I assume that you let SAS quarantine them.

BTW, if you run CCleaner before you do the SAS scan, CCleaner should remove all those cookies.

IP Logged

Thomas
Full Member

Gender:

Posts: 233

Re: help
« Reply #12 on: Sep 21^st, 2009, 2:15am »

Quote

Modify

on Sep 20^th, 2009, 12:30am, siliconman01 wrote:

Hold off deleting Qoobox until Gavin gets back on whether the files are in fact malicious. �If they are not, then you will want to restore them. �

if there not malicious how can i restore them

IP Logged

siliconman01
Global Moderator

Trojans! Chew 'em Up, Spit 'em Out...

Gender: male

Posts: 7357

Re: help
« Reply #13 on: Sep 21^st, 2009, 3:01am »

Quote

Modify

First, open Qoobox and provide me the names of the files that are in Qoobox please...The full name with the extension.

« Last Edit: Sep 21^st, 2009, 3:03am by siliconman01 »

IP Logged

Thomas
Full Member

Gender:

Posts: 233

Re: help
« Reply #14 on: Sep 21^st, 2009, 7:06am »

Quote

Modify

on Sep 21^st, 2009, 3:01am, siliconman01 wrote:

First, open Qoobox and provide me the names of the files that are in Qoobox please...The full name with the extension.

you mean this?

2009-09-19 05:42:09 . 2009-09-19 05:42:09 3,674 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_Iprip.reg.dat
2009-09-19 05:42:08 . 2009-09-19 05:42:08 1,016 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_IPRIP.reg.dat
2009-09-19 05:41:51 . 2009-09-19 05:41:51 7,135 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-09-19 05:32:09 . 2009-09-19 05:32:10 51 ----a-w- C:\Qoobox\Quarantine\catchme.log

IP Logged

Pages: 1 2

Notify of replies

Send Topic


« Previous topic \| Next topic »