Tom's Guide | Tom's Hardware | Tom's Games
 |
 |
 |
Contracted the sinowal.trojan yesterday. Been through several sites to try and find help. Hopefully you can help. I've run Malewarebytes several times - it erased a few things the first time through but now doesn't detect anything but I still have the virus. I've also run Hijack This but am computer ignorant and don't know what to do. Please help.
Sinowal Trojan is a information stealing trojan. It also drops other malicious files into infected computer. It injects its dll into other processes to monitor them.
Ok, i have manual removal information for sinowal trojan. Go to http://darfuns.com/sinowal-trojan-r... to remove sinowal trojan
0 
Actually, what the virus that I've got tells me that I've got the Sinowal.trojan, then gives me a pop up that takes me to a Defender 2009 site - it also kills my IE and email and won't let me download things to try and kill it.
Logfile of HijackThis v1.99.1
Scan saved at 6:41:06 AM, on 12/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsEditor.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\Cleaners\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.exe /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_11.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/...
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/Co...
O16 - DPF: {46C66BBD-E667-4DAD-9683-58050E7C9FDC} (CDPass Class) - http://www.cdpass.com/cdkey/CDPass.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrows...
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.scrapbookpictures.com/Im...
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) -
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - http://a248.e.akamai.net/f/248/5462...
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.exe
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
0
Go to start> control panel> add/remove programs and uninstall all old versions of java keeping only the newest version which should be version 6 update 11.
Please download ComboFix to the desktop from one of the following links:
Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.In your case to run Combofix do the following:
1. Go offline turn off your Noryons antivirus, Spybot and other antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.
Remember to re-enable the protection again afterwards before connecting to the Internet.
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.
0
Here's my Combofix log:
ComboFix 08-12-06.06 - Owner 2008-12-07 9:06:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.192 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.c:\documents and settings\Owner\Application Data\Google\ggqjh22510678.exe
c:\windows\system32\iAlmcoin.dll
c:\windows\system32\mcdoc.dll
c:\windows\system32\TDSSwytvqpsx.dat
D:\Autorun.inf.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.2008-12-07 08:50 . 2008-12-07 08:49 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-06 15:57 . 2008-12-06 15:57 <DIR> d----c--- c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-12-06 14:28 . 2008-12-06 14:28 <DIR> d-------- C:\_OTMoveIt
2008-12-04 19:12 . 2008-12-04 19:12 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-04 19:12 . 2008-12-04 19:12 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2008-12-04 19:12 . 2008-12-04 19:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-04 19:12 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 19:12 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-04 17:24 . 2008-12-07 08:48 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-04 13:57 . 2008-12-04 13:57 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-04 13:57 . 2008-12-04 13:57 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-04 13:57 . 2008-12-04 13:57 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-04 13:56 . 2008-12-04 13:56 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy).
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 16:16 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-07 15:48 --------- d-----w c:\program files\Java
2008-12-07 01:14 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-07 01:14 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-07 01:03 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-06 23:34 --------- d-----w c:\program files\Google
2008-12-03 02:35 --------- d-----w c:\documents and settings\Owner\Application Data\Move Networks
2008-11-04 03:45 --------- d-----w c:\program files\Avanquest update
2008-11-04 03:45 --------- d-----w c:\documents and settings\All Users\Application Data\BVRP Software
2008-11-04 03:43 --------- d-----w c:\program files\Sony Ericsson
2008-11-04 03:43 --------- d-----w c:\documents and settings\Owner\Application Data\InstallShield
2008-11-04 03:43 --------- d-----w c:\documents and settings\All Users\Application Data\Sony Ericsson
2008-11-04 03:02 --------- d-----w c:\program files\Norton 360
2008-11-04 02:53 --------- d-----w c:\program files\Sony
2008-11-04 02:51 --------- d-----w c:\program files\Sony Setup
2008-11-04 02:00 --------- d-----w c:\documents and settings\Owner\Application Data\Sony
2008-11-04 02:00 --------- d-----w c:\documents and settings\All Users\Application Data\Sony
2008-11-04 01:49 --------- d-----w c:\program files\Common Files\Sony Shared
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-21 13:15 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-14 01:05 --------- d-----w c:\program files\Scolasoft Edutainment
2008-06-05 22:10 24,837 ----a-w c:\program files\Uninstal.log
.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-07-02 393216]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"NVIEW"="nview.dll" [2003-05-02 c:\windows\system32\nview.dll][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.exe" [2003-06-04 99840]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-04 180269]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-02-27 135168]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-07 136600]c:\documents and settings\Administrator\Start Menu\Programs\Startup\
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-07 27136][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2003-02-21 03:50 40960 c:\program files\Softex\OmniPass\OPXPGina.dll[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=c:\windows\pss\HP Organize.lnkStartup[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=c:\windows\pss\spamsubtract.lnkStartup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
--a------ 2003-06-18 19:19 53248 c:\hp\bin\AUTOTKIT.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-08-20 16:51 118784 c:\windows\system32\hkcmd.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
--a------ 2003-05-23 02:55 483328 c:\windows\system32\hphmon05.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
--a------ 2003-05-23 03:03 49152 c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2003-02-11 20:02 61440 c:\hp\KBD\kbd.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 09:24 1694208 c:\program files\Messenger\msmsgs.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-10-16 16:57 81920 c:\windows\system32\ps2.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2002-09-13 21:42 212992 c:\windows\SMINST\Recguard.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a------ 2003-02-13 08:01 155648 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-04-04 10:01 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 14:47 57344 c:\windows\ALCXMNTR.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
--a------ 2003-05-02 23:19 835654 c:\windows\system32\nview.dll[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\DRIVERS\sonyhcb.sys [2006-09-22 6097]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 98304]
R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2008-02-18 149352]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 118784]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-04 99376]
S2 mrtRate;mrtRate; []
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2008-01-12 23888]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\DRIVERS\s0016bus.sys [2008-11-03 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s0016mdfl.sys [2008-11-03 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s0016mdm.sys [2008-11-03 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s0016mgmt.sys [2008-11-03 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\DRIVERS\s0016nd5.sys [2008-11-03 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s0016obex.sys [2008-11-03 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\DRIVERS\s0016unic.sys [2008-11-03 115752]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\DRIVERS\sonyhcs.sys [2006-09-22 299923][HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - L:\Frogger.exe[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a60e4d4-b061-11da-b61d-000c6ee143ce}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76b16b70-ab66-11dc-b6d2-000c6ee143ce}]
\Shell\AutoRun\command - L:\Frogger.exe*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder2008-11-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]2008-12-07 c:\windows\Tasks\User_Feed_Synchronization-{822BAC88-085F-4BC9-94AD-157F793FAFAC}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 12:58]
.
- - - - ORPHANS REMOVED - - - -WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-vidxhp - c:\documents and settings\Owner\Application Data\Google\ggqjh22510678.exe
Notify-WgaLogon - (no file)
MSConfigStartUp-BackupNotify - c:\program files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
MSConfigStartUp-CamMonitor - c:\program files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
MSConfigStartUp-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd.exe
MSConfigStartUp-mmtask - c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://cm.my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osdO16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osdc:\windows\Downloaded Program Files\CDPass.dll - O16 -: {46C66BBD-E667-4DAD-9683-58050E7C9FDC}
hxxp://www.cdpass.com/cdkey/CDPass.cab
c:\windows\Downloaded Program Files\CDPass.infO16 -: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\1tn4gg0d.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
.**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 09:17:53
Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(792)
c:\program files\Softex\OmniPass\opxpgina.dll
.
r Running Proce
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Softex\OmniPass\omniServ.exe
c:\windows\system32\RioMSC.exe
c:\program files\Softex\OmniPass\OPXPApp.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-07 9:31:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-07 16:29:25Pre-Run: 57,178,341,376 bytes free
Post-Run: 57,078,976,512 bytes free240 --- E O F --- 2008-11-12 10:10:12
0
Everything looks all clear. It's been about an hour since I ran Combofix and nothing has popped up and my browsers are working again. You kick ass.
0
Looks good but you need to do some clean up.
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.Please run Esets online scanner from this link:
1. Note: You will need to use Internet explorer for this scan
2. Tick the box next to YES, I accept the Terms of Use.
3. Click Start
4. When asked, allow the activex control to install
5. Click Start
6. Make sure that the option Remove found threats is unticked ( I want to see what is found first), and the option Scan unwanted applications is checked
7. Click Scan
8. Wait for the scan to finish
9. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
10. Copy and paste that log in your next reply.
0
I was able to download and use ATF Cleaner with no problem. But when I tried to run the ESET program the page tells me that "The webpage cannot be found". What do you suggest?
0
Eset must be down.
Run an online scan with Kaspersky from the following link:
Kaspersky Online ScannerNote: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component
1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3.Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
0
Looks like something is still there. Also my Norton 360 keeps popping up with an alert that I have a risk titled Trojan.Fakeavalert. Here is the Kaspersky report:
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
L:\
Scan statistics
Files scanned 124532
Threat name 4
Infected objects 3
Suspicious objects 1
Duration of the scan 05:42:53File name Threat name Threats count
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\20\7af974d4-3ade5c81 Infected: Exploit.Java.ByteVerify 1
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\25\1d9a4d9-6e0d6db1 Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Documents and Settings\Owner\Desktop\Cleaners\OTMoveIt3.exe Infected: Backdoor.Win32.SubSeven.asu 1
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\archive.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1
The selected area was scanned.
0
Go to start> control panel> java> general tab> temporary internet files> settings> delete files> ok.
Navigate to and delete this file if found:
C:\Documents and Settings\Owner\Desktop\Cleaners\OTMoveIt3.exe
You can reinstall OTMoveIt3 later if needed.
The last file is probably a false positive, looks like your email backup files.
You computer appears to be clean with the exception of the above suggestions.
Go to start> run> combofix /u (note the space after combofix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.
Go to start> control panel> add/remove programs and uninstall these programs:
Hijack This
Malwarebytes
Kaspersky
You should keep AFT Cleaner and run it weekly.
You should consider adding "Spywareblaster" to your arsenol of antispyware tools, you can download it from this link SpywareblasterJust download it,install it, and update it. Its free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.
How is the computer operating?
0
It's been running great. Actually faster than before I had the virus. You saved me. Thanks a million.
0  |
 |
 |
This post is quite old and has been locked from receiving new replies. Please create a new posting instead.
| Ads by Google |
