Hi. My computer seems to be infected with something-- it has been running very slowly, opening popups, and giving error messages at startup. The Microsoft Malicious Software program detected Backdoor:win32/zonebac.gen!F yesterday.
I read the previous posts, downloaded the HiJackThis and FindAWF, created the logs, and will post the logs if someone is willing to help.
Thank you!

Thank you! I'm posting the log files below; however, between now and when I posted the original log file, I deleted everything on my computer associated w/ Norton AV/Symantec and now the AWF won't generate a log (error message reads that it can't find the installable driver "c:\PROGRA~1\symantec\s32EVNT1.DLL") I have the log from before I went on the deleting spree, but I don't want to waste your time looking at it if I've now done something that will make it invalid. I really appreciate the help!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:11 PM, on 3/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rebecca\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uci.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/hli...
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: BlackBerry Desktop Redirector.lnk = C:\Program Files\Research In Motion\BlackBerry\Redirector.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/re...
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewo...
O20 - AppInit_DLLs: c:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe

--
End of file - 7095 bytes

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sat 03/15/2008
The current time is: 9:24:56.48
bak folders found
~~~~~~~~~~~
Directory of C:\PROGRA~1\ITUNES\BAK
11/02/2007 07:36 PM 267,048 iTunesHelper.exe
1 File(s) 267,048 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK
10/19/2007 09:16 PM 286,720 QTTask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK
05/15/2005 07:41 AM 100,056 SNDMon.exe
1 File(s) 100,056 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK
08/04/2004 01:00 AM 15,360 ctfmon.exe
09/20/2005 11:32 AM 77,824 hkcmd.exe
09/20/2005 11:36 AM 114,688 igfxpers.exe
09/20/2005 11:35 AM 94,208 igfxtray.exe
4 File(s) 302,080 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\BAK
01/01/2007 02:22 PM 3,739,648 googletalk.exe
1 File(s) 3,739,648 bytes

Directory of C:\PROGRA~1\HPQ\DEFAUL~1\BAK
10/13/2004 06:34 PM 229,438 cpqset.exe
1 File(s) 229,438 bytes

Directory of C:\PROGRA~1\HPQ\QUICKL~1\BAK
09/17/2004 05:19 PM 290,816 EabServr.exe
1 File(s) 290,816 bytes

Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK
11/04/2004 07:38 PM 688,218 SynTPEnh.exe
11/04/2004 07:40 PM 98,394 SynTPLpr.exe
2 File(s) 786,612 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK
10/10/2007 08:51 PM 39,792 Reader_sl.exe
1 File(s) 39,792 bytes

Directory of C:\PROGRA~1\COMMON~1\ADOBE\UPDATER5\BAK
03/01/2007 10:37 AM 2,321,600 AdobeUpdater.exe
1 File(s) 2,321,600 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK
08/19/2003 02:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK
09/25/2007 02:11 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.2\APPS\BAK
03/09/2007 11:09 AM 63,712 apdproxy.exe
1 File(s) 63,712 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
14348 Feb 28 2008 "C:\Program Files\iTunes\iTunesHelper.exe"
54326568 Nov 15 2007 "C:\Documents and Settings\Rebecca\Desktop\iTunes75Setup.exe"
267048 Nov 2 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Nov 15 2007 "C:\WINDOWS\Installer\{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}\iTunesIco.exe"
116008 Nov 2 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"
14348 Feb 28 2008 "C:\Program Files\QuickTime\QTTask.exe"
286720 Oct 19 2007 "C:\Program Files\QuickTime\bak\QTTask.exe"
111840 Mar 5 2008 "C:\Program Files\SymNetDrv\SNDMon.exe"
100056 May 15 2005 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
118784 Jun 17 2004 "C:\swsetup\Video\hkcmd.exe"
14348 Feb 28 2008 "C:\WINDOWS\system32\hkcmd.exe"
118784 Jun 17 2004 "C:\swsetup\Video\Win2000\hkcmd.exe"
77824 Sep 20 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
118784 Jun 17 2004 "C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\hkcmd.exe"
77824 Sep 20 2005 "C:\Documents and Settings\Rebecca\Local Settings\Temp\Temporary Directory 1 for win2k_xp1417[1].zip\Win2000\hkcmd.exe"
77824 Sep 20 2005 "C:\Documents and Settings\Rebecca\Local Settings\Temp\Temporary Directory 4 for win2k_xp1417[1].zip\Win2000\hkcmd.exe"
14348 Feb 28 2008 "C:\WINDOWS\system32\igfxpers.exe"
114688 Sep 20 2005 "C:\WINDOWS\system32\bak\igfxpers.exe"
114688 Sep 20 2005 "C:\Documents and Settings\Rebecca\Local Settings\Temp\Temporary Directory 1 for win2k_xp1417[1].zip\Win2000\igfxpers.exe"
114688 Sep 20 2005 "C:\Documents and Settings\Rebecca\Local Settings\Temp\Temporary Directory 4 for win2k_xp1417[1].zip\Win2000\igfxpers.exe"
155648 Jun 17 2004 "C:\swsetup\Video\igfxtray.exe"
14348 Feb 28 2008 "C:\WINDOWS\system32\igfxtray.exe"
155648 Jun 17 2004 "C:\swsetup\Video\Win2000\igfxtray.exe"
94208 Sep 20 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Jun 17 2004 "C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\igfxtray.exe"
94208 Sep 20 2005 "C:\Documents and Settings\Rebecca\Local Settings\Temp\Temporary Directory 1 for win2k_xp1417[1].zip\Win2000\igfxtray.exe"
94208 Sep 20 2005 "C:\Documents and Settings\Rebecca\Local Settings\Temp\Temporary Directory 4 for win2k_xp1417[1].zip\Win2000\igfxtray.exe"
14348 Feb 28 2008 "C:\Program Files\Google\Google Talk\googletalk.exe"
3739648 Jan 1 2007 "C:\Program Files\Google\Google Talk\bak\googletalk.exe"
1606064 Jan 7 2007 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.104\googletalk-setup-upgrade.exe"
14348 Feb 28 2008 "C:\Program Files\HPQ\Default Settings\cpqset.exe"
229438 Oct 13 2004 "C:\Program Files\HPQ\Default Settings\bak\cpqset.exe"
14348 Feb 28 2008 "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe"
290816 Sep 17 2004 "C:\Program Files\HPQ\Quick Launch Buttons\bak\EabServr.exe"
688218 Oct 5 2004 "C:\swsetup\Touchpad\SynTPEnh.exe"
14348 Feb 28 2008 "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
688218 Nov 4 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
688218 Oct 5 2004 "C:\Program Files\Synaptics\SynTP\Media\SynTPEnh.exe"
688218 Oct 5 2004 "C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\SynTPEnh.exe"
98394 Oct 5 2004 "C:\swsetup\Touchpad\SynTPLpr.exe"
14348 Feb 28 2008 "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
98394 Nov 4 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
98394 Oct 5 2004 "C:\Program Files\Synaptics\SynTP\Media\SynTPLpr.exe"
98394 Oct 5 2004 "C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\SynTPLpr.exe"
14348 Feb 28 2008 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
140920 May 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\AdobeUpdateCheck.exe"
45760 Mar 1 2007 "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdaterInstallMgr.exe"
2321600 Mar 1 2007 "C:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
14348 Feb 28 2008 "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
32881 Jun 3 2004 "C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe"
144784 Feb 22 2008 "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"
14348 Feb 28 2008 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
63712 Mar 9 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"
end of report

And just in case it is helpful, here is the new AWF log file (I just assumed it wasn't working because of the error message and minimal content). Thank you!
Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sat 03/15/2008
The current time is: 23:52:06.06
bak folders found
~~~~~~~~~~~

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

end of report

You have the newest Java version "1.6.0-05", so go to Start > Control Panel > Add/Remove Programs and uninstall those older versions.
Also, while in Add/Remove Programs, if you did not uninstall Norton's antivirus, try to uninstall it.
The first FindAWF log shows an infection and the second log does not show an infection, so that is a mystery to me.
Please download ComboFix to the desktop from one of the following links:
Link 3
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.

Thank you for looking at the logs. I removed the old java (just now) and did a Norton uninstall yesterday. As for the infection, during my deleting spree, I also used the online HiJack Analyzer and deleted some things that I didn't recognize. Also, my Sophos seems to have decided to start working, and it quarantined some things between the two scans. So maybe that's why the infection disappeared? I downloaded the combofix and tried to run it twice (which Sophos did not seem to like), but I received the following error message: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

Sorry, I realized after posting that Sophos had quarantined the Combofix. Below is the log.
ComboFix 08-03-14.4 - Rebecca 2008-03-16 7:46:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.141 [GMT -7:00]
Running from: C:\Documents and Settings\Rebecca\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\matrix.dll
.
((((((((((((((((((((((((( Files Created from 2008-02-16 to 2008-03-16 )))))))))))))))))))))))))))))))
.
2008-03-15 18:00 . 2008-03-15 18:00 <DIR> d-------- C:\WINDOWS\LastGood
2008-03-15 18:00 . 2008-03-15 18:26 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-03-14 07:28 . 2008-03-14 07:28 5,743 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-14 07:26 . 2008-03-14 07:26 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-10 20:44 . 2008-03-15 10:13 <DIR> d-------- C:\Program Files\eSoftware
2008-03-05 17:26 . 2008-03-05 17:26 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-03-05 17:26 . 2008-03-05 17:23 17,920 --a------ C:\WINDOWS\system32\sophosboottasks.exe
2008-03-05 17:25 . 2008-03-05 17:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sophos
2008-03-05 17:22 . 2008-03-05 17:22 <DIR> d--h----- C:\WINDOWS\PIF
2008-03-05 17:18 . 2008-03-05 17:25 <DIR> d-------- C:\Program Files\Sophos
2008-03-05 17:16 . 2008-03-05 17:16 <DIR> d-------- C:\savxpsa
2008-03-05 17:16 . 2008-03-05 17:24 101,120 --a------ C:\WINDOWS\system32\drivers\savonaccesscontrol.sys
2008-03-05 17:16 . 2008-03-05 17:23 33,408 --a------ C:\WINDOWS\system32\drivers\savonaccessfilter.sys
2008-03-01 00:08 . 2008-03-01 00:08 754 --a------ C:\WINDOWS\WORDPAD.INI
2008-02-22 21:57 . 2008-02-22 21:57 0 --a------ C:\WINDOWS\iPlayer.INI
2008-02-22 20:35 . 2008-02-22 20:35 <DIR> d-------- C:\Program Files\InterActual
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-16 14:17 --------- d-----w C:\Program Files\Java
2008-03-15 22:47 --------- d-----w C:\Program Files\Yahoo SiteBuilder
2008-02-28 18:23 --------- d-----w C:\Program Files\QuickTime
2008-02-28 18:23 --------- d-----w C:\Program Files\iTunes
2008-02-28 18:21 14,348 ----a-w C:\WINDOWS\system32\igfxtray.exe
2008-02-28 18:21 14,348 ----a-w C:\WINDOWS\system32\igfxpers.exe
2008-02-28 18:21 14,348 ----a-w C:\WINDOWS\system32\hkcmd.exe
2008-02-17 19:31 63,848 ----a-w C:\Documents and Settings\Rebecca\Application Data\GDIPFONTCACHEV1.DAT
2008-02-04 17:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 63,712 2007-03-09 18:09:58 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe
----a-w 14,348 2008-02-28 18:21:28 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
----a-w 39,792 2007-10-11 03:51:55 C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 14,348 2008-02-28 18:21:28 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
----a-r 2,321,600 2007-03-01 17:37:52 C:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe
----a-w 14,348 2008-02-28 18:21:28 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
----a-w 110,592 2003-08-19 09:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe
----a-w 14,348 2008-02-28 18:21:28 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
----a-w 3,739,648 2007-01-01 21:22:02 C:\Program Files\Google\Google Talk\bak\googletalk.exe
----a-w 14,348 2008-02-28 18:21:28 C:\Program Files\Google\Google Talk\googletalk.exe
----a-w 229,438 2004-10-14 01:34:48 C:\Program Files\HPQ\Default Settings\bak\cpqset.exe
----a-w 14,348 2008-02-28 18:21:28 C:\Program Files\HPQ\Default Settings\cpqset.exe
----a-w 290,816 2004-09-18 00:19:42 C:\Program Files\HPQ\Quick Launch Buttons\bak\EabServr.exe
----a-w 14,348 2008-02-28 18:21:28 C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
----a-w 267,048 2007-11-03 02:36:42 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 14,348 2008-02-28 18:21:28 C:\Program Files\iTunes\iTunesHelper.exe
----a-w 132,496 2007-09-25 09:11:35 C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe
----a-w 286,720 2007-10-20 04:16:26 C:\Program Files\QuickTime\bak\QTTask.exe
----a-w 14,348 2008-02-28 18:21:28 C:\Program Files\QuickTime\QTTask.exe
----a-w 688,218 2004-11-05 02:38:54 C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe
----a-w 14,348 2008-02-28 18:21:28 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
----a-w 98,394 2004-11-05 02:40:08 C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe
----a-w 14,348 2008-02-28 18:21:28 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
----a-w 15,360 2004-08-04 08:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 13:00:00 C:\WINDOWS\system32\ctfmon.exe
----a-r 77,824 2005-09-20 18:32:24 C:\WINDOWS\system32\bak\hkcmd.exe
----a-w 14,348 2008-02-28 18:21:28 C:\WINDOWS\system32\hkcmd.exe
----a-r 114,688 2005-09-20 18:36:20 C:\WINDOWS\system32\bak\igfxpers.exe
----a-w 14,348 2008-02-28 18:21:28 C:\WINDOWS\system32\igfxpers.exe
----a-r 94,208 2005-09-20 18:35:40 C:\WINDOWS\system32\bak\igfxtray.exe
----a-w 14,348 2008-02-28 18:21:28 C:\WINDOWS\system32\igfxtray.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2008-02-28 11:21 14348]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-02-28 11:21 14348]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2008-02-28 11:21 14348]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2008-02-28 11:21 14348]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-02-28 11:21 14348]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2008-02-28 11:21 14348]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2008-02-28 11:21 14348]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2008-02-28 11:21 14348]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2008-02-28 11:21 14348]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2008-02-28 11:21 14348]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2008-02-28 11:21 14348]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-02-28 11:21 14348]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-28 11:21 14348]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-28 11:21 14348]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - C:\Program Files\Sophos\AutoUpdate\ALMon.exe [2008-03-05 17:24:51 245760]
BlackBerry Desktop Redirector.lnk - C:\Program Files\Research In Motion\BlackBerry\Redirector.exe [2006-09-07 12:53:10 1319024]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006-12-15 12:25:43 1528880]
Clean Access Agent.lnk - C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2007-09-17 15:48:50 2056275]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2005-07-25 15:24:06 184320]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.exe [2001-02-13 00:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fdd295c-a01a-11dc-9cb0-00c09f85848f}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 16:23:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-16 07:51:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe??????????M????|?????? ???B?????????????H<C? ??????

scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-16 7:53:09
ComboFix-quarantined-files.txt 2008-03-16 14:52:52
.
2008-03-14 14:30:08 --- E O F ---

Double-click the FindAWF icon once again
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders
A text file opens called: files.txt
Copy/paste the following list of bolded files to be restored:
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\bak\QTTask.exe"
"C:\Program Files\SymNetDrv\bak\SNDMon.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\igfxpers.exe"
"C:\WINDOWS\system32\bak\igfxpers.exe"
"C:\WINDOWS\system32\bak\igfxtray.exe"
"C:\Program Files\Google\Google Talk\bak\googletalk.exe"
"C:\Program Files\HPQ\Default Settings\bak\cpqset.exe"
"C:\Program Files\HPQ\Quick Launch Buttons\bak\EabServr.exe"
"C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
"C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
"C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
"C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"
Next, close and click Yes to save the changes.
Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder
When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
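The helper's reading of the first FindAWF report (every hijacked autostart executable was moved into a `bak` subfolder and replaced in its parent folder by a file of one uniform size, 14,348 bytes, all dated 28 Feb 2008) and the description of what option 2 does (copy each listed `bak` original back over the replacement) can both be made mechanical. The script below is an added example written for this thread; it is not part of FindAWF, ComboFix, or any tool by noahdfear. It assumes only the report layout visible in the posted logs, and the sample lines embedded in it are a constructed, abbreviated copy of the first report. It pairs each `bak` entry with the same-named file in the parent folder, treats the most common mismatching parent size as the stub size, and emits the list of `bak` paths that a restore would copy back.

```python
"""Detect the FindAWF 'bak folder' replacement pattern in a FindAWF report.

Added example for a malware-removal thread; not FindAWF's own code.
Assumes the report layout shown in the thread: a section headed
'Duplicate files of bak directory contents' whose lines read
<size> <Mon> <day> <year> "<path>", terminated by 'end of report'.
"""

import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample, abbreviated from the thread's first FindAWF report.
SAMPLE_REPORT = """\
bak folders found
~~~~~~~~~~~
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
14348 Feb 28 2008 "C:\\Program Files\\iTunes\\iTunesHelper.exe"
267048 Nov 2 2007 "C:\\Program Files\\iTunes\\bak\\iTunesHelper.exe"
14348 Feb 28 2008 "C:\\Program Files\\QuickTime\\QTTask.exe"
286720 Oct 19 2007 "C:\\Program Files\\QuickTime\\bak\\QTTask.exe"
15360 Aug 4 2004 "C:\\WINDOWS\\system32\\ctfmon.exe"
15360 Aug 4 2004 "C:\\WINDOWS\\system32\\bak\\ctfmon.exe"
118784 Jun 17 2004 "C:\\swsetup\\Video\\hkcmd.exe"
14348 Feb 28 2008 "C:\\WINDOWS\\system32\\hkcmd.exe"
77824 Sep 20 2005 "C:\\WINDOWS\\system32\\bak\\hkcmd.exe"
end of report
"""

# One report line: size, "Mon D YYYY" date, quoted path.
LINE_RE = re.compile(r'^(\d+)\s+(\w{3}\s+\d{1,2}\s+\d{4})\s+"([^"]+)"$')


def parse_entries(report):
    """Return (size, date, path) tuples from the duplicate-files section."""
    entries = []
    in_section = False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Duplicate files of bak directory contents"):
            in_section = True
            continue
        if not in_section or line.startswith("~") or line == "end of report":
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def pair_bak_with_parent(entries):
    """For each file under a 'bak' folder, find the same-named file one level up.

    Returns a list of (bak_entry, parent_entry_or_None).
    """
    by_path = {size_date_path[2].lower(): size_date_path for size_date_path in entries}
    pairs = []
    for entry in entries:
        p = PureWindowsPath(entry[2])
        if p.parent.name.lower() != "bak":
            continue
        parent_path = str(p.parent.parent / p.name)
        pairs.append((entry, by_path.get(parent_path.lower())))
    return pairs


def analyse(report):
    """Return (stub_size, replaced_parent_paths, bak_paths_to_restore).

    A parent file is 'replaced' when its size differs from its bak copy and
    equals the most common such size (the stub shared by every hijacked entry).
    Pairs whose two copies are the same size (ctfmon.exe in the thread) are
    not flagged by this size-only check.
    """
    pairs = pair_bak_with_parent(parse_entries(report))
    mismatched = [(bak, parent) for bak, parent in pairs
                  if parent is not None and parent[0] != bak[0]]
    if not mismatched:
        return None, [], []
    stub_size = Counter(parent[0] for _, parent in mismatched).most_common(1)[0][0]
    hits = [(bak, parent) for bak, parent in mismatched if parent[0] == stub_size]
    replaced = [parent[2] for _, parent in hits]
    restore = [bak[2] for bak, _ in hits]
    return stub_size, replaced, restore


if __name__ == "__main__":
    stub, replaced, restore = analyse(SAMPLE_REPORT)
    print(f"common stub size: {stub} bytes")
    for path in replaced:
        print("replaced:", path)
    for path in restore:
        print("restore from:", path)
```

Run against the constructed sample it reports a stub size of 14348 and three hijacked entries (iTunesHelper.exe, QTTask.exe, hkcmd.exe); the `C:\swsetup` copy of hkcmd.exe is ignored because it is not the parent of a `bak` folder. The thread's helper restored ctfmon.exe as well, which a size comparison alone cannot justify, so a real triage would also compare hashes or signatures of the two copies rather than sizes and dates.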

Hi. I ran the AWF, pasted in the files, and afterward received the same error message as earlier-- that it could not locate the c:\program~1\symantec\S32EVNT1.dll file-- and during the "enter 2" stage it also read that it could not locate one of the files (but it disappeared too quickly for me to write it down). It gave me the option to ignore or close, I chose ignore, and it produced the following log. Thank you!
Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Sun 03/16/2008
The current time is: 12:42:52.06
bak folders found
~~~~~~~~~~~

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

end of report

The Symantec error is from an improper uninstall. There are several remedies on Google for it.
Navigate to and manually delete these "bak" folders if found:
C:\Program Files\iTunes\bak
C:\Program Files\QuickTime\bak
C:\Program Files\SymNetDrv\bak
C:\WINDOWS\system32\bak
C:\Program Files\Google\Google Talk\bak
C:\Program Files\HPQ\Default Settings\bak
C:\Program Files\HPQ\Quick Launch Buttons\bak
C:\Program Files\Synaptics\SynTP\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Common Files\Adobe\Updater5\bak
C:\Program Files\Common Files\Sonic\Update Manager\bak
C:\Program Files\Java\jre1.6.0_03\bin\bak
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak

Post a new Combofix log please.

I deleted all the files. The only one that wasn't there was the C:Program Files\SymNetDrv\Bak, but I think that's because I deleted the entire SymNetDrv folder when I was trying to get rid of Norton. The combofix log is below. Thank you!!!
ComboFix 08-03-14.4 - Rebecca 2008-03-17 19:48:51.2 - NTFSx86
Running from: C:\Documents and Settings\Rebecca\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-02-18 to 2008-03-18 )))))))))))))))))))))))))))))))
.
2008-03-15 18:00 . 2008-03-15 18:26 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-03-14 07:28 . 2008-03-14 07:28 5,743 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-14 07:26 . 2008-03-14 07:26 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-10 20:44 . 2008-03-15 10:13 <DIR> d-------- C:\Program Files\eSoftware
2008-03-05 17:26 . 2008-03-05 17:26 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-03-05 17:26 . 2008-03-05 17:23 17,920 --a------ C:\WINDOWS\system32\sophosboottasks.exe
2008-03-05 17:25 . 2008-03-05 17:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sophos
2008-03-05 17:22 . 2008-03-05 17:22 <DIR> d--h----- C:\WINDOWS\PIF
2008-03-05 17:18 . 2008-03-05 17:25 <DIR> d-------- C:\Program Files\Sophos
2008-03-05 17:16 . 2008-03-05 17:16 <DIR> d-------- C:\savxpsa
2008-03-05 17:16 . 2008-03-05 17:24 101,120 --a------ C:\WINDOWS\system32\drivers\savonaccesscontrol.sys
2008-03-05 17:16 . 2008-03-05 17:23 33,408 --a------ C:\WINDOWS\system32\drivers\savonaccessfilter.sys
2008-03-01 00:08 . 2008-03-01 00:08 754 --a------ C:\WINDOWS\WORDPAD.INI
2008-02-22 21:57 . 2008-02-22 21:57 0 --a------ C:\WINDOWS\iPlayer.INI
2008-02-22 20:35 . 2008-02-22 20:35 <DIR> d-------- C:\Program Files\InterActual
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-18 02:19 --------- d-----w C:\Program Files\QuickTime
2008-03-18 02:19 --------- d-----w C:\Program Files\iTunes
2008-03-16 14:17 --------- d-----w C:\Program Files\Java
2008-03-15 22:47 --------- d-----w C:\Program Files\Yahoo SiteBuilder
2008-02-17 19:31 63,848 ----a-w C:\Documents and Settings\Rebecca\Application Data\GDIPFONTCACHEV1.DAT
2008-02-04 17:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
.
((((((((((((((((((((((((((((( snapshot@2008-03-16_ 7.51.53.78 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 13:00:00 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
+ 2004-08-04 08:00:00 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
- 2004-08-04 13:00:00 15,360 ----a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
+ 2004-08-04 08:00:00 15,360 ----a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
- 2008-02-28 18:21:28 14,348 ----a-w C:\WINDOWS\system32\hkcmd.exe
+ 2005-09-20 18:32:24 77,824 ----a-w C:\WINDOWS\system32\hkcmd.exe
- 2008-02-28 18:21:28 14,348 ----a-w C:\WINDOWS\system32\igfxpers.exe
+ 2005-09-20 18:36:20 114,688 ----a-w C:\WINDOWS\system32\igfxpers.exe
- 2008-02-28 18:21:28 14,348 ----a-w C:\WINDOWS\system32\igfxtray.exe
+ 2005-09-20 18:35:40 94,208 ----a-w C:\WINDOWS\system32\igfxtray.exe
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 14:22 3739648]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:00 15360]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 10:37 2321600]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01 110592]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 19:40 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 19:38 688218]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 17:19 290816]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-10-13 18:34 229438]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 11:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 11:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 11:36 114688]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 21:16 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 19:36 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - C:\Program Files\Sophos\AutoUpdate\ALMon.exe [2008-03-05 17:24:51 245760]
BlackBerry Desktop Redirector.lnk - C:\Program Files\Research In Motion\BlackBerry\Redirector.exe [2006-09-07 12:53:10 1319024]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006-12-15 12:25:43 1528880]
Clean Access Agent.lnk - C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2007-09-17 15:48:50 2056275]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2005-07-25 15:24:06 184320]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.exe [2001-02-13 00:01:04 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=R1 SAVOnAccessControl;SAVOnAccessControl;C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys [2008-03-05 17:24]
R1 SAVOnAccessFilter;SAVOnAccessFilter;C:\WINDOWS\system32\DRIVERS\savonaccessfilter.sys [2008-03-05 17:23][HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fdd295c-a01a-11dc-9cb0-00c09f85848f}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 16:23:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-17 19:52:40
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe??????????M????|?????? ???B?????????????H<C? ??????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-17 19:53:34
ComboFix-quarantined-files.txt 2008-03-18 02:53:15
ComboFix2.txt 2008-03-16 14:53:09
.
2008-03-14 14:30:08 --- E O F ---
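The snapshot section of the log above is where the cleanup is actually visible: three unrelated Intel graphics executables (hkcmd.exe, igfxpers.exe, igfxtray.exe) all had the same 14,348-byte size and the same 2008-02-28 18:21:28 timestamp before the fix, and each came back at a different 2005-dated size afterwards, while the two ctfmon.exe lines only moved by five hours with the size unchanged. The Python script below is an added example written for this thread, not ComboFix, FindAWF or any other tool from the original posts: it parses that diff format and flags the first pattern as a stub replacement and the second as a timestamp-only change. The input lines are copied from the log above; the rule that two or more files sharing one pre-fix size and timestamp count as a replacement pattern is an assumption of the example, not a ComboFix rule.

```python
import re
from collections import defaultdict

# Lines copied from the "snapshot@2008-03-16" section of the ComboFix log
# above. '-' is the file as it was at the earlier snapshot, '+' as it is now.
SNAPSHOT = r"""
- 2004-08-04 13:00:00 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
+ 2004-08-04 08:00:00 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
- 2004-08-04 13:00:00 15,360 ----a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
+ 2004-08-04 08:00:00 15,360 ----a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
- 2008-02-28 18:21:28 14,348 ----a-w C:\WINDOWS\system32\hkcmd.exe
+ 2005-09-20 18:32:24 77,824 ----a-w C:\WINDOWS\system32\hkcmd.exe
- 2008-02-28 18:21:28 14,348 ----a-w C:\WINDOWS\system32\igfxpers.exe
+ 2005-09-20 18:36:20 114,688 ----a-w C:\WINDOWS\system32\igfxpers.exe
- 2008-02-28 18:21:28 14,348 ----a-w C:\WINDOWS\system32\igfxtray.exe
+ 2005-09-20 18:35:40 94,208 ----a-w C:\WINDOWS\system32\igfxtray.exe
"""

# sign, timestamp, size with thousands separators, attribute flags, path
LINE_RE = re.compile(
    r"^([-+]) (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([\d,]+) (\S+) (.+?)\s*$"
)


def parse_snapshot(text):
    """Return {path: {"before": (ts, size, attrs), "after": (ts, size, attrs)}}."""
    entries = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # section headers, blank lines, the '.' separators
        sign, ts, size, attrs, path = m.groups()
        side = "before" if sign == "-" else "after"
        entries[path][side] = (ts, int(size.replace(",", "")), attrs)
    return dict(entries)


def find_stub_replacements(entries, min_group=2):
    """Paths whose pre-fix copy shares one size and one timestamp with other
    files and whose post-fix copy has a different size.
    Assumed heuristic: a dropper that overwrites N programs with the same
    loader stub leaves N identical (size, mtime) pairs behind."""
    groups = defaultdict(list)
    for path, sides in entries.items():
        if "before" in sides and "after" in sides:
            before, after = sides["before"], sides["after"]
            if before[1] != after[1]:
                groups[(before[1], before[0])].append((path, after[1]))
    flagged = []
    for (size, ts), members in groups.items():
        if len(members) >= min_group:
            for path, restored_size in members:
                flagged.append((path, size, ts, restored_size))
    return sorted(flagged)


def timestamp_only_changes(entries):
    """Paths where only the timestamp moved (same size, same attributes).
    A uniform shift such as the five hours on ctfmon.exe is most likely a
    time-zone difference between the two snapshots, not a file replacement."""
    out = []
    for path, sides in sorted(entries.items()):
        if "before" in sides and "after" in sides:
            b, a = sides["before"], sides["after"]
            if b[0] != a[0] and b[1:] == a[1:]:
                out.append(path)
    return out


if __name__ == "__main__":
    ents = parse_snapshot(SNAPSHOT)
    for path, size, ts, restored in find_stub_replacements(ents):
        print(f"STUB  {path}: {size} bytes @ {ts} -> now {restored} bytes")
    for path in timestamp_only_changes(ents):
        print(f"TIME  {path}: timestamp only, size unchanged")
```

Run against the lines above it reports the three Intel files as one stub group and the two ctfmon.exe copies as timestamp-only; pasting a different snapshot section in place of SNAPSHOT works the same way, and anything that lands in the STUB list is worth checking for a matching "bak" folder like the Synaptics one in the running-process list.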

Much better, a little work yet to do.
Empty the restore folder. Go to Start > Control Panel > System > System Restore tab, check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.
Download CCleaner from the following link:
http://filehippo.com/download_ccleaner/
After you download it to your desktop and begin installing it, only allow the "install icon on desktop" option to install. Then run it, using only the prechecked items; it's powerful, so use it only as suggested.
Double-click the FindAWF icon once again
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 4 then Enter to reset domain zones
This removes all entries from the domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT
Next,
Launch Notepad, and copy/paste everything between the X's, making "regedit4" the very top line.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Optional, if the following programs are on your computer:
Note that since the Domains are deleted, SpywareBlaster protection must be re-enabled, Spybot's Immunize feature must be used again, and you have to re-install IE-SpyAd if installed.
Delete the fixme.reg file just created.
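The fixme.reg above works because a REGEDIT4 key line whose name begins with a minus sign deletes that key and every subkey beneath it, and the plain key line that follows recreates it empty. That is also why the note about SpywareBlaster, Spybot and IE-SpyAd applies: their Restricted-sites entries live under the same ZoneMap\Domains key and are wiped together with anything a hijacker added. The script below is an added example for this thread, not code from regedit, FindAWF, ComboFix or any other tool mentioned here. It interprets the exact fixme.reg lines against an in-memory model of the registry seeded with constructed entries (the domain names badsite.example and adserver.example and the 192.168.0.* range are made up for the illustration) and shows what survives the merge.

```python
# Added example: interprets the fixme.reg from this thread against an
# in-memory registry model. Not code from regedit, FindAWF or ComboFix.

FIXME_REG = r"""REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
"""


def k(*parts):
    """Join key parts and normalise case (registry key names are case-insensitive)."""
    return "\\".join(parts).lower()


ZONEMAP = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
HKCU_DOMAINS = k("HKEY_CURRENT_USER", ZONEMAP, "Domains")
HKCU_RANGES = k("HKEY_CURRENT_USER", ZONEMAP, "Ranges")
HKLM_DOMAINS = k("HKEY_LOCAL_MACHINE", ZONEMAP, "Domains")


def infected_registry():
    """Constructed sample state (not taken from the log): one domain pushed into
    Trusted sites (zone 2) the way a hijacker would, one domain that a tool such
    as IE-SpyAd would place in Restricted sites (zone 4), and one Local intranet
    (zone 1) range. The domain names and the range are hypothetical."""
    return {
        HKCU_DOMAINS: {},
        k(HKCU_DOMAINS, "badsite.example"): {"*": "dword:00000002"},
        k(HKCU_DOMAINS, "adserver.example"): {"*": "dword:00000004"},
        HKCU_RANGES: {},
        k(HKCU_RANGES, "Range1"): {":Range": '"192.168.0.*"', "*": "dword:00000001"},
    }


def apply_reg(registry, text):
    """Apply a REGEDIT4 file to registry ({key: {value_name: data}}).
    [-Key] deletes the key and all of its subkeys, [Key] creates it if missing,
    "name"=data sets a value under the current key and "name"=- deletes one."""
    lines = text.splitlines()
    if not lines or lines[0].strip().upper() != "REGEDIT4":
        raise ValueError("not a REGEDIT4 file")
    current = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name.startswith("-"):
                target = k(name[1:])
                doomed = [key for key in registry
                          if key == target or key.startswith(target + "\\")]
                for key in doomed:
                    del registry[key]
                current = None
            else:
                current = k(name)
                registry.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if data == "-":
                registry[current].pop(name, None)
            else:
                registry[current][name] = data
    return registry


def zone_entries(registry, root):
    """Names of the subkeys (domains or ranges) directly under a ZoneMap key."""
    prefix = k(root) + "\\"
    return sorted(key[len(prefix):] for key in registry if key.startswith(prefix))


if __name__ == "__main__":
    reg = infected_registry()
    print("before:", zone_entries(reg, HKCU_DOMAINS), zone_entries(reg, HKCU_RANGES))
    apply_reg(reg, FIXME_REG)
    print("after: ", zone_entries(reg, HKCU_DOMAINS), zone_entries(reg, HKCU_RANGES))
```

The model shows both the hijacker's Trusted-sites entry and the protective Restricted-sites entry disappearing in the same merge, and the Domains and Ranges keys coming back empty under both HKCU and HKLM. On the real machine the merge is done by regedit when you double-click the file; this script only reproduces the semantics so you can see what the fix removes before running it.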

Hi. I ran CCleaner and FindAWF, disconnected from the net, and created, used, and then deleted the fixme.reg file.
Everything seems to be working much better-- net and programs are all responding immediately (before they were all very sluggish and desktop icons would disappear when I tried to use different programs).
Thank you again, I really appreciate the help!
