
I have some sort of virus

December 1, 2007 at 04:07:25
Specs: windows xp, 256mb

I downloaded and installed a program. Since then my computer has been very slow and Internet Explorer keeps starting up and going to porn sites and a site called zedo.




#1
December 1, 2007 at 10:03:53

Please download and install the latest version of HijackThis v2.0.2:

Download the HijackThis Installer from this link: HijackThis

1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please download SmitFraudFix from this link http://siri.urz.free.fr/Fix/Smitfra... Then extract the contents to your desktop.

!!!! Only run option #1, as running the other options on an uninfected computer will damage the desktop !!!!


Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.



#2
December 1, 2007 at 13:40:55

SmitFraudFix v2.256

Scan done at 19:38:38.17, Sat 12/01/2007
Run from C:\Documents and Settings\fionn\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\fionn


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\fionn\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\fionn\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="MsgPlusLoader.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Belkin Wireless G USB Network Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{A1C8CFEC-5B9B-4FDD-BD22-6CD645C06863}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{32749C20-8C28-4CC4-AF10-542C6CB9C65B}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A5248A82-8F41-48FC-A8B3-F4D2979551B7}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E048A8D9-10D5-4B77-BB00-830E9FB09928}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{A1C8CFEC-5B9B-4FDD-BD22-6CD645C06863}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{A1C8CFEC-5B9B-4FDD-BD22-6CD645C06863}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:40:37 PM, on 12/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20661)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\fionn00.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://fr.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 5095 bytes



#3
December 1, 2007 at 14:46:50

Looks better after SDFix was run.

Your java is out of date and can be exploited.

Download the latest version of Java from http://java.sun.com/javase/downloads/index.jsp

Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".

Click the "Download" button to the right.

Check the box that says: "Accept License Agreement". The page will refresh.

Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.

Close any programs you may have running - especially your web browser.

Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.

Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.

Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-1_6_3-windowsi586-p.exe to install the newest version.

Please download ComboFix to the desktop from this link:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)

Please post the log it produces.


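The HijackThis log in reply #2 was read by eye above, and the Java-version point in reply #3 came from spotting the jre1.6.0_02 path in it. The following Python script is an added illustration of doing that review mechanically; it is not part of the thread and not HijackThis's own code. It parses HJT entry lines (R0, O2, O4, O23 and so on), pulls out the file paths they reference, applies a few review heuristics of the kind a helper applies before deciding what, if anything, to fix, and checks whether any referenced JRE is older than a version the caller supplies. The sample log is a constructed excerpt of the log posted above; the `latest` value (1, 6, 0, 3) is an assumption taken from the jre1.6.0_03 path that appears in the ComboFix log after the update, and the heuristic categories are this example's own names, not HijackThis terminology.

```python
import re
from collections import defaultdict

# Constructed excerpt of the HijackThis log posted in reply #2 (a raw string,
# so the backslashes in the Windows paths are literal).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# An HJT entry line: a section code (R0, O2, O23, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^([ORFN]\d{1,2}) - (.+)$")
# A quoted Windows path, or an unquoted one ending in a common executable/library extension.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^"\n]*?\.(?:exe|dll|ocx|sys|cpl|scr|html?))\b', re.I)
# JRE directory names look like jre1.6.0_02.
JRE_RE = re.compile(r"jre(\d+)\.(\d+)\.(\d+)_(\d+)", re.I)

def parse_hjt(text):
    """Return one (code, body, paths) tuple per HJT entry line; the banner and
    the 'Running processes' block are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        paths = [quoted or bare for quoted, bare in PATH_RE.findall(body)]
        entries.append((code, body, paths))
    return entries

# Autorun entries whose file lives in one of these locations deserve a closer look;
# legitimate startup items almost always live under Program Files or the Windows directory.
REVIEW_DIRS = ("\\documents and settings\\", "\\temp\\", "\\local settings\\", "\\recycler\\")

def triage(entries):
    """Group entries by the review heuristic they trip; returns {category: [body, ...]}.
    Nothing here is a verdict: as reply #1 says, most entries are harmless or required."""
    findings = defaultdict(list)
    for code, body, paths in entries:
        if code in ("R0", "R1", "R3"):
            # Start page, search page, proxy and URLSearchHook settings: a hijacked
            # browser shows up here, so every URL should be one the user chose.
            findings["browser_settings"].append(body)
        if code == "O1":
            findings["hosts_file_redirect"].append(body)
        if code in ("O15", "O17"):
            findings["trusted_zone_or_dns_change"].append(body)
        if code in ("O2", "O3") and "(no name)" in body:
            findings["unnamed_bho_or_toolbar"].append(body)
        if code == "O4" and any(d in p.lower() for p in paths for d in REVIEW_DIRS):
            findings["autorun_from_user_or_temp_dir"].append(body)
        if code in ("O20", "O21"):
            findings["appinit_winlogon_or_ssodl"].append(body)
    return dict(findings)

def jre_versions(entries):
    """Every JRE version referenced by a path in the log, as a tuple such as (1, 6, 0, 2)."""
    found = set()
    for _, _, paths in entries:
        for p in paths:
            m = JRE_RE.search(p)
            if m:
                found.add(tuple(int(x) for x in m.groups()))
    return found

def outdated_jre(entries, latest):
    """JRE versions in the log older than `latest`, sorted. `latest` is supplied by
    the caller; the demo passes (1, 6, 0, 3), the jre1.6.0_03 seen in the ComboFix log."""
    return sorted(v for v in jre_versions(entries) if v < latest)

if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_LOG)
    for category, bodies in triage(ents).items():
        print(category)
        for b in bodies:
            print("   ", b)
    print("outdated JRE versions:", outdated_jre(ents, (1, 6, 0, 3)))
```

Run against the excerpt, the script lists the two browser-setting entries for a human to confirm (both point at fr.yahoo.com and *.local, which the helper evidently judged fine), trips none of the autorun or BHO heuristics, and reports (1, 6, 0, 2) as older than the supplied version, which is the observation reply #3 makes by hand.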


#4
December 1, 2007 at 16:06:46

ComboFix 07-11-19.4C - fionn 2007-12-01 21:58:37.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.83 [GMT 0:00]
Running from: C:\Documents and Settings\fionn\My Documents\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-01 to 2007-12-01 )))))))))))))))))))))))))))))))
.

2007-12-01 21:47 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-01 21:46 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-01 14:18 <DIR> d-------- C:\VundoFix Backups
2007-12-01 13:18 <DIR> d-------- C:\Program Files\Managed DirectX (0900)
2007-12-01 13:12 <DIR> d-------- C:\Program Files\Microsoft Visual Studio .NET
2007-12-01 13:12 <DIR> d-------- C:\DXSDK
2007-12-01 13:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-01 10:31 <DIR> d-------- C:\Program Files\Windows Defender
2007-11-30 23:34 <DIR> d-------- C:\WINDOWS\SDFIX
2007-11-30 20:24 <DIR> d-------- C:\Program Files\Act-3D
2007-11-30 20:04 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2007-11-30 19:42 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-11-29 22:37 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2007-11-29 22:37 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2007-11-29 22:37 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-11-29 22:37 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2007-11-29 22:37 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2007-11-29 22:37 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2007-11-29 22:37 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2007-11-29 22:37 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2007-11-29 22:37 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2007-11-29 22:37 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2007-11-29 22:37 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2007-11-29 22:37 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2007-11-29 22:37 17,928 --a------ C:\WINDOWS\system32\X3DAudio1_2.dll
2007-11-28 22:08 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-11-28 22:08 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-11-26 19:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-11-25 22:01 58,952 --a------ C:\WINDOWS\system32\MsgPlusLoader.dll
2007-11-25 21:59 <DIR> d-------- C:\Program Files\Belkin
2007-11-25 21:54 402,944 -ra------ C:\WINDOWS\system32\drivers\BLKWGU.sys
2007-11-25 21:05 <DIR> d-------- C:\Program Files\Rolling Dice Productions
2007-11-25 21:04 <DIR> d-------- C:\Documents and Settings\fionn\WINDOWS
2007-11-25 21:04 312,320 --a------ C:\WINDOWS\IsUninst.exe
2007-11-25 21:03 286,720 --------- C:\WINDOWS\Setup1.exe
2007-11-25 21:03 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-11-25 12:26 <DIR> d-------- C:\Program Files\Great Game Products
2007-11-25 11:26 <DIR> d-------- C:\Program Files\Learn to Play Bridge 2
2007-11-24 12:53 <DIR> d-------- C:\ltpb
2007-11-23 21:39 <DIR> d-------- C:\Program Files\MessengerPlus! 3
2007-11-22 20:37 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-22 18:51 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-22 18:51 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-22 18:51 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-22 18:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-21 17:52 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-21 17:52 <DIR> d-------- C:\Documents and Settings\fionn\Application Data\Lavasoft
2007-11-21 15:09 684,377 --a------ C:\WINDOWS\unins000.exe
2007-11-21 15:09 3,448 --a------ C:\WINDOWS\unins000.dat
2007-11-21 14:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-19 22:08 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-11-19 19:55 10,047 --a------ C:\WINDOWS\system32\mspriv32.dll
2007-11-19 19:52 <DIR> d-------- C:\Program Files\Advanced Spyware Remover Pro
2007-11-18 16:57 <DIR> d-------- C:\Program Files\Trojan Remover
2007-11-18 16:57 <DIR> d-------- C:\Documents and Settings\fionn\Application Data\Simply Super Software
2007-11-18 16:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2007-11-18 16:57 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-11-18 16:57 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2007-11-18 16:57 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2007-11-18 11:22 <DIR> d-------- C:\Program Files\Total Video Converter
2007-11-18 11:22 608,448 --a------ C:\WINDOWS\system32\comctl32.ocx
2007-11-17 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2007-11-17 17:37 <DIR> d-------- C:\Program Files\Prima Games
2007-11-17 17:36 <DIR> d-------- C:\Program Files\Eidos Interactive
2007-11-17 17:28 <DIR> d-------- C:\Program Files\Datel
2007-11-14 21:22 <DIR> d-------- C:\Program Files\Team17
2007-11-10 12:07 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2007-11-10 11:02 <DIR> d-------- C:\Program Files\Windows Live
2007-11-10 11:02 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2007-11-10 11:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-08 17:21 <DIR> d-------- C:\Documents and Settings\fionn\Application Data\Nero
2007-11-08 17:17 <DIR> d-------- C:\Program Files\Nero
2007-11-08 17:17 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-11-08 17:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-11-07 21:44 <DIR> d-------- C:\Documents and Settings\fionn\Application Data\Talkback
2007-11-07 21:43 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-07 21:42 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-11-07 21:41 <DIR> d-------- C:\Program Files\Real
2007-11-07 21:41 <DIR> d-------- C:\Program Files\Common Files\Real
2007-11-07 21:11 <DIR> d-------- C:\Program Files\Yahoo!
2007-11-07 21:09 <DIR> d-------- C:\Program Files\RM-X Player V5.0
2007-11-07 20:44 <DIR> d-------- C:\Program Files\GustoSoft
2007-11-07 20:32 <DIR> d-------- C:\Program Files\QuickTime
2007-11-07 17:41 <DIR> d-------- C:\Downloaded Videos
2007-11-07 16:18 <DIR> d-------- C:\Documents and Settings\oisin\Application Data\ErrorSmart
2007-11-07 15:57 <DIR> d-------- C:\Program Files\BulletProofSoft.com
2007-11-07 15:57 1,435,272 --a------ C:\WINDOWS\system32\Flash.ocx
2007-11-07 15:57 1,140,472 --a------ C:\WINDOWS\system32\IGUltraGrid20.ocx
2007-11-07 15:57 131,856 --a------ C:\WINDOWS\system32\MSADODC.ocx
2007-11-07 15:31 <DIR> d-------- C:\WINDOWS\Replay Media Catcher
2007-11-07 15:31 <DIR> d-------- C:\Program Files\Replay Media Catcher
2007-11-07 15:02 <DIR> d-------- C:\Documents and Settings\fionn\Application Data\Bearshare Premium P2P
2007-11-05 20:26 <DIR> d-------- C:\Documents and Settings\fionn\Application Data\ErrorSmart
2007-11-05 18:37 <DIR> d--h----- C:\WINDOWS\PIF
2007-11-03 11:16 12,924 --ah----- C:\WINDOWS\system32\mlfcache.dat
2007-11-03 09:50 <DIR> d--hs---- C:\found.000
2007-11-01 20:07 <DIR> d-------- C:\Program Files\Godlike Developers
2007-11-01 20:07 28 --a------ C:\WINDOWS\system32\autoscan0.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-01 21:47 --------- d-----w C:\Program Files\Java
2007-12-01 21:38 --------- d-----w C:\Documents and Settings\fionn\Application Data\Azureus
2007-11-30 23:44 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-25 22:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-25 21:53 --------- d-----w C:\Program Files\Google
2007-11-24 21:52 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-19 21:46 --------- d-----w C:\Program Files\FlashGet
2007-11-18 10:08 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-18 09:38 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2007-11-17 20:03 --------- d-----w C:\Documents and Settings\fionn\Application Data\LimeWire
2007-11-07 15:58 --------- d-----w C:\Program Files\Azureus
2007-11-01 21:17 --------- d-----w C:\Documents and Settings\fionn\Application Data\DVD Flick
2007-10-29 09:09 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-25 17:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2007-10-24 01:06 585,728 ----a-w C:\WINDOWS\WLXPGSS.SCR
2007-10-15 19:13 --------- d-----w C:\Documents and Settings\fionn\Application Data\Uniblue
2007-10-13 09:41 --------- d-----w C:\Program Files\SystemDefender
2007-10-12 19:48 --------- d-----w C:\Program Files\Trymedia
2007-10-12 12:37 --------- d-----w C:\Documents and Settings\morgan\Application Data\Apple Computer
2007-10-11 19:40 --------- d-----w C:\Program Files\LimeWire
2007-10-06 11:09 --------- d-----w C:\Program Files\Game_Maker7
2007-10-03 23:36 25,600 ----a-w C:\WINDOWS\system32\WS2Fix.exe
2007-10-01 18:46 2,321,792 ----a-w C:\WINDOWS\system32\TUKernel.exe
2007-10-01 18:20 --------- d-----w C:\Documents and Settings\fionn\Application Data\TuneUp Software
2007-10-01 18:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2007-10-01 18:19 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-09-28 20:47 445,440 --sha-w C:\WINDOWS\system32\msdp.dll
2007-09-20 17:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-09-20 17:55 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-09-20 17:55 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-09-05 23:22 289,144 ----a-w C:\WINDOWS\system32\VCCLSID.exe
.

((((((((((((((((((((((((((((( snapshot@2007-12-01_14.42.03.61 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-07-12 08:22:00 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-24 22:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-07-12 08:22:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-24 22:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-07-12 09:22:38 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-24 23:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-12-01 18:36:21 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5dc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-05-25 14:20]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 10:06]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-03 21:59]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCpl"= 0 (0x0)
"DisableChangePassword"= 0 (0x0)
"DisableLockWorkstation"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuPinnedList"= 0 (0x0)
"NoStartMenuMFUprogramsList"= 0 (0x0)
"NoUserNameInStartMenu"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoRecentDocsMenu"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinters"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoShellSearchButton"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=MsgPlusLoader.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
"Windows Live Mail"=C:\Program Files\Windows Live\Mail\wlmail.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Flashget"=C:\Program Files\FlashGet\FlashGet.exe /min
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"TrojanScanner"=C:\Program Files\Trojan Remover\Trjscan.exe

R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3c4c212-69cc-11dc-aa04-806d6172696f}]
\Shell\AutoRun\command - E:\Autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-16 17:17:45 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2007-12-01 21:48:22 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-12-01 09:52:21 C:\WINDOWS\Tasks\User_Feed_Synchronization-{A6A7150C-E4AD-455C-ABCF-947B338FACF1}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-01 22:00:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-01 22:01:55
C:\ComboFix2.txt ... 2007-12-01 18:47
C:\ComboFix3.txt ... 2007-12-01 16:31
.
--- E O F ---



#5
December 2, 2007 at 13:30:29

Navigate to and delete this folder:

C:\Program Files\Trymedia

Other than the Trymedia folder the logs look clean.

Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode.

Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, a menu with options should appear;

Select the first option, to run Windows in Safe Mode, then press "Enter".

Choose your usual account.

Run ATF-Cleaner from safe mode. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Please run the BitDefender online scan from this link: BitDefender.com


You will need to allow an ActiveX install for the scan to run.
Leave the scanning options at default and press "click here to scan"
When finished scanning, click on "click here to export the scan report"
Save it to your desktop, at "file name" type in "bdscan" then click save.
Post a log in your reply.


