Cleo

Everything posted by Cleo

  1. Hi Chris, Sorry for the delay in response. I typed in 'Combofix /u' as asked and I think it removed itself, it seemed to run again. I've still got the .exe on my desktop, I'm assuming I'm ok to delete that also. I've deleted checkup and updated Java and Adobe, replacing those old versions you mentioned. There are no more errors left, except this outlook one. I've also taken a look at that link you sent me, re outlook. I'm not sure that's my problem because what's confusing me about the outlook error is the fact I don't use outlook on this computer at all? So I'm a little concerned to be receiving error messages from a program I've never used. This is the exact error, it only pops up on start-up: "to free up disk space, outlook express can compact messages. This may take up to a few minutes. OK/Cancel" Why would this happen if I do not use the program? Thanks again, Cleo
  2. Hi Chris, That site confused me a little but here's a link to the results when I re-ran it just now: http://www.virustotal.com/analisis/c98adbd...58bf-1258374365 and here's the results as I ATTEMPTED to copy-paste them yesterday: File atiide.sys received on 2009.11.15 23:54:46 (UTC) Result: 0/41 (0%)
sigcheck: publisher....: ATI Technologies Inc. copyright....: Copyright© ATI Technologies Inc. 2000-2004 product......: ATI IDE BUS Master Controller Driver description..: ATI IDE BUS Master Controller Driver original name: Atiide.sys internal name: Atiide.sys file version.: 1.00.0000.2 built by: WinDDK comments.....: n/a signers......: - signing date.: - verified.....: Unsigned
Here is F-Secure's online scanner report: Scanning Report Monday, November 16, 2009 00:19:36 - 11:52:16 Computer name: FRED Scanning type: Scan system for malware, spyware and rootkits Target: C:\ E:\ 13 malware found TrackingCookie.Questionmarket (spyware) * System (Disinfected) TrackingCookie.2o7 (spyware) * System (Disinfected) TrackingCookie.Advertising (spyware) * System (Disinfected) TrackingCookie.Atdmt (spyware) * System (Disinfected) TrackingCookie.Adtech (spyware) * System (Disinfected) TrackingCookie.Adform (spyware) * System (Disinfected) TrackingCookie.Doubleclick (spyware) * System (Disinfected) TrackingCookie.Revsci (spyware) * System (Disinfected) TrackingCookie.Adbrite (spyware) * System (Disinfected) TrackingCookie.Mediaplex (spyware) * System (Disinfected) TrackingCookie.Atwola (spyware) * System (Disinfected) TrackingCookie.Yieldmanager (spyware) * System (Disinfected) TrackingCookie.Imrworldwide (spyware) * System (Disinfected) Statistics Scanned: * Files: 176482 * System: 3332 * Not scanned: 100 Actions: * Disinfected: 13 * Renamed: 0 * Deleted: 0 * Not cleaned: 0 * Submitted: 0
And here is your security check's check up thing: Results of screen317's Security Check version 0.99.0 Windows XP Service Pack 3 `````````````````````````````` Antivirus/Firewall Check: Windows Firewall Enabled! Avira AntiVir Personal - Free Antivirus ESET Online Scanner v3 McAfee Security Scan Avira updated! `````````````````````````````` Anti-malware/Other Utilities Check: HijackThis 2.0.2 Java 6 Update 15 Java 6 Update 3 Java 6 Update 7 Java 2 Runtime Environment, SE v1.4.2_04 Out of date Java installed! Adobe Flash Player 10 Adobe Reader 6.0.1 Out of date Adobe Reader installed! `````````````````````````````` Process Check: objlist.exe by Laurent Avira Antivir avgnt.exe Avira Antivir avguard.exe `````````````````````````````` DNS Vulnerability Check: GREAT! (Not vulnerable to DNS cache poisoning) `````````End of Log``````````` As for what issues remain: It's pretty much all cleared up, thank you!
Sort of in dribs and drabs. The second error message on start-up cleared after the first round; I was able to open my windows security centre and firewall after the most recent round, except this. It's still slow but it was before so that's nothing new. I think combofix managed to get rid of what was really worrying me, the tr/dropper.gen one, because antivir hasn't detected it for ages now. The only thing still outstanding is on re-start I get a message from outlook express saying it can compact files to save disc space, which is fair enough, but I don't use outlook express at all so I still find that weird. Thank you again for all your help, Cleo
  3. Hi, No worries. Here is the new Combofix log: ComboFix 09-11-15.01 - Cleo 15/11/2009 1:28.2.1 - FAT32x86 Running from: c:\documents and settings\Cleo\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Cleo\Desktop\CFScript.txt * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . --------------- FCopy --------------- c:\windows\ServicePackFiles\i386\eventlog.dll --> c:\windows\system32\eventlog.dll . ((((((((((((((((((((((((( Files Created from 2009-10-15 to 2009-11-15 ))))))))))))))))))))))))))))))) . 2009-11-15 01:28 . 2008-04-14 00:11 56320 -c--a-w- c:\windows\system32\dllcache\eventlog.dll 2009-11-15 01:28 . 2008-04-14 00:11 56320 ----a-w- c:\windows\system32\eventlog.dll 2009-11-07 17:30 . 2009-11-07 17:27 411368 ----a-w- c:\windows\system32\deploytk.dll 2009-11-07 17:19 . 2009-11-07 17:19 152576 ----a-w- c:\documents and settings\Cleo\Application Data\Sun\Java\jre1.6.0_15\lzma.dll 2009-11-07 17:15 . 2009-11-08 13:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS 2009-11-07 17:14 . 2009-09-23 16:37 34112 ----a-w- c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe 2009-11-07 17:14 . 2009-09-23 16:37 32448 ----a-w- c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll 2009-11-07 17:14 . 2009-09-23 16:37 22352 ----a-w- c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe 2009-11-07 15:52 . 2009-11-07 15:52 -------- d-----w- c:\program files\Trend Micro 2009-11-07 13:07 . 
2009-11-07 13:07 -------- d-----w- c:\documents and settings\Cleo\Application Data\Malwarebytes 2009-11-07 13:06 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-11-07 13:06 . 2009-11-07 13:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-11-07 13:06 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-11-07 13:06 . 2009-11-07 13:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-11-07 12:58 . 2009-11-07 12:58 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee 2009-11-07 12:26 . 2009-11-07 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan 2009-11-07 12:24 . 2009-11-07 12:24 -------- d-----w- c:\program files\McAfee Security Scan 2009-10-27 18:44 . 2009-10-27 18:44 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache 2009-10-26 07:57 . 2009-10-26 07:57 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache 2009-10-25 21:25 . 2009-10-25 21:25 -------- d-----w- c:\program files\ESET . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-11-10 18:33 . 2008-10-12 14:20 1 ----a-w- c:\documents and settings\Cleo\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys 2009-11-10 18:33 . 2008-10-12 14:18 -------- d-----w- c:\documents and settings\Cleo\Application Data\OpenOffice.org2 2009-11-07 17:26 . 2004-05-18 07:12 -------- d-----w- c:\program files\Java 2009-11-02 00:42 . 2008-10-17 14:02 -------- d-----w- c:\documents and settings\Cleo\Application Data\uTorrent 2009-09-11 14:18 . 2004-05-18 05:27 136192 ----a-w- c:\windows\system32\msv1_0.dll 2009-09-04 21:03 . 2004-05-18 05:27 58880 ----a-w- c:\windows\system32\msasn1.dll 2009-09-01 22:46 . 
2009-10-27 18:42 38208 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe 2009-09-01 22:46 . 2009-09-01 22:47 38208 ----a-w- c:\documents and settings\Cleo\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe 2009-08-29 08:08 . 2006-06-23 10:33 916480 ------w- c:\windows\system32\wininet.dll 2009-08-28 18:42 . 2009-09-20 23:37 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll 2009-08-28 18:42 . 2008-09-03 02:02 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys 2009-08-26 08:00 . 2004-05-18 05:27 247326 ----a-w- c:\windows\system32\strmdll.dll 2009-08-25 00:30 . 2009-10-11 12:11 13312 ----a-w- c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\twitternotifier@naan.net\components\nsTwitterFoxSign.dll . ((((((((((((((((((((((((((((( SnapShot@2009-11-09_23.45.45 ))))))))))))))))))))))))))))))))))))))))) . + 2009-11-14 08:58 . 2009-11-14 08:58 16384 c:\windows\Temp\Perflib_Perfdata_84.dat + 2004-05-18 07:31 . 2009-11-12 23:25 166712 c:\windows\system32\FNTCACHE.DAT - 2004-05-18 07:31 . 2009-07-14 13:29 166712 c:\windows\system32\FNTCACHE.DAT + 2004-05-18 05:27 . 2009-08-14 13:21 1850624 c:\windows\system32\win32k.sys + 2008-10-16 23:21 . 2009-08-14 13:21 1850624 c:\windows\system32\dllcache\win32k.sys + 2008-09-02 23:42 . 2009-11-05 17:36 26768832 c:\windows\system32\MRT.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 65536] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-09 335872] "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-01-22 98304] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-01-22 495616] "THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2004-04-30 430080] "ACU"="c:\program files\Atheros\ACU.exe" [2004-04-16 282624] "SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-04-27 118784] "PadTouch"="c:\program files\TOSHIBA\PadTouch\PadExe.exe" [2004-02-12 1019904] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-07 149280] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153] "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080] "TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2004-04-29 266240] "AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2004-02-20 88363] c:\documents and settings\All Users\Start Menu\Programs\Startup\ McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-28 199184] Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904] Wireless Utility.lnk - c:\program files\EDIMAX\Common\RaUI.exe [2009-7-20 1601536] 
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\AIM\\aim.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [02/09/2008 19:50 5632] R2 ANISERVICE;Airgo Networks NIC Service;c:\windows\system32\aniServ.exe [30/09/2004 12:16 143360] R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [22/07/2009 22:51 108289] R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\EDIMAX\Common\RalinkRegistryWriter.exe [20/07/2009 10:37 69632] S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [20/07/2009 10:36 619136] --- Other Services/Drivers In Memory --- *Deregistered* - mbr *Deregistered* - PROCEXP113 . Contents of the 'Scheduled Tasks' folder 2009-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34] 2008-09-02 c:\windows\Tasks\Registration reminder 3.job - c:\windows\System32\OOBE\oobebaln.exe [2004-05-18 00:12] . . ------- Supplementary Scan ------- . 
uInternet Settings,ProxyOverride = *.local FF - ProfilePath - c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.livejournal.com/ FF - component: c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\twitternotifier@naan.net\components\nsTwitterFoxSign.dll FF - plugin: c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-11-15 01:53 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\}
  4. Hi, thank you for your prompt response. I've updated MBAM, here is the log: Malwarebytes' Anti-Malware 1.41 Database version: 3130 Windows 5.1.2600 Service Pack 3 08/11/2009 23:20:29 mbam-log-2009-11-08 (23-20-29).txt Scan type: Quick Scan Objects scanned: 107204 Time elapsed: 20 minute(s), 25 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) I then ran Combofix, first turning off my virus scanners as instructed. However, partway through Combofix restarted my computer as a rootkit (?) was found and when the computer restarted Avira Antivir restarted too. Anyway, here is the log for Combofix: ComboFix 09-11-08.03 - Cleo 09/11/2009 23:20.1.1 - NTFSx86 Running from: c:\documents and settings\Cleo\Desktop\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\recycler\S-1-5-21-117609710-1500820517-682003330-1003 c:\recycler\S-1-5-21-1192141612-79458676-1314586074-1003 c:\recycler\S-1-5-21-331646997-3410284032-914650695-1003 E:\resycled e:\resycled\boot.com Infected copy of c:\windows\System32\DRIVERS\atapi.sys was found and disinfected Restored copy from - Kitty ate it . ((((((((((((((((((((((((( Files Created from 2009-10-09 to 2009-11-09 ))))))))))))))))))))))))))))))) . 2009-11-07 17:30 . 2009-11-07 17:27 411368 ----a-w- c:\windows\system32\deploytk.dll 2009-11-07 17:19 . 
2009-11-07 17:19 152576 ----a-w- c:\documents and settings\Cleo\Application Data\Sun\Java\jre1.6.0_15\lzma.dll 2009-11-07 17:15 . 2009-11-08 13:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS 2009-11-07 17:14 . 2009-09-23 16:37 34112 ----a-w- c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe 2009-11-07 17:14 . 2009-09-23 16:37 32448 ----a-w- c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll 2009-11-07 17:14 . 2009-09-23 16:37 22352 ----a-w- c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe 2009-11-07 15:52 . 2009-11-07 15:52 -------- d-----w- c:\program files\Trend Micro 2009-11-07 13:07 . 2009-11-07 13:07 -------- d-----w- c:\documents and settings\Cleo\Application Data\Malwarebytes 2009-11-07 13:06 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-11-07 13:06 . 2009-11-07 13:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-11-07 13:06 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-11-07 13:06 . 2009-11-07 13:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-11-07 12:58 . 2009-11-07 12:58 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee 2009-11-07 12:26 . 2009-11-07 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan 2009-11-07 12:24 . 2009-11-07 12:24 -------- d-----w- c:\program files\McAfee Security Scan 2009-10-27 18:44 . 2009-10-27 18:44 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache 2009-10-26 07:57 . 
2009-10-26 07:57 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache 2009-10-25 21:25 . 2009-10-25 21:25 -------- d-----w- c:\program files\ESET 2009-10-11 12:11 . 2009-08-25 00:30 13312 ----a-w- c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\twitternotifier@naan.net\components\nsTwitterFoxSign.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-11-08 16:28 . 2008-10-12 14:20 1 ----a-w- c:\documents and settings\Cleo\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys 2009-11-08 16:28 . 2008-10-12 14:18 -------- d-----w- c:\documents and settings\Cleo\Application Data\OpenOffice.org2 2009-11-07 17:26 . 2004-05-18 07:12 -------- d-----w- c:\program files\Java 2009-11-02 00:42 . 2008-10-17 14:02 -------- d-----w- c:\documents and settings\Cleo\Application Data\uTorrent 2009-09-11 14:18 . 2004-05-18 05:27 136192 ----a-w- c:\windows\system32\msv1_0.dll 2009-09-04 21:03 . 2004-05-18 05:27 58880 ----a-w- c:\windows\system32\msasn1.dll 2009-09-01 22:46 . 2009-10-27 18:42 38208 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe 2009-09-01 22:46 . 2009-09-01 22:47 38208 ----a-w- c:\documents and settings\Cleo\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe 2009-08-29 08:08 . 2006-06-23 10:33 916480 ----a-w- c:\windows\system32\wininet.dll 2009-08-28 18:42 . 2009-09-20 23:37 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll 2009-08-28 18:42 . 2008-09-03 02:02 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys 2009-08-26 08:00 . 2004-05-18 05:27 247326 ----a-w- c:\windows\system32\strmdll.dll . ------- Sigcheck ------- [7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll [7] 2004-08-04 . 
82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\eventlog.dll
c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-09 335872]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-01-22 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-01-22 495616]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2004-04-30 430080]
"ACU"="c:\program files\Atheros\ACU.exe" [2004-04-16 282624]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-04-27 118784]
"PadTouch"="c:\program files\TOSHIBA\PadTouch\PadExe.exe" [2004-02-12 1019904]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-07 149280]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2004-04-29 266240]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2004-02-20 88363]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-28 199184]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
Wireless Utility.lnk - c:\program files\EDIMAX\Common\RaUI.exe [2009-7-20 1601536]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\DRIVERS\rt2870.sys [2008-07-29 619136]
S0 atiide;atiide;c:\windows\System32\DRIVERS\atiide.sys [2004-04-14 5632]
S2 ANISERVICE;Airgo Networks NIC Service;c:\windows\System32\aniServ.exe [2004-09-30 143360]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
S2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\EDIMAX\Common\RalinkRegistryWriter.exe [2008-05-12 69632]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-09-02 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-05-18 00:12]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.livejournal.com/
FF - component: c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\twitternotifier@naan.net\components\nsTwitterFoxSign.dll
FF - plugin: c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-TkBellExe - realsched.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-09 23:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\}
  5. Hi, I'm sorry about my previous post, I should have read more clearly before posting. I'm reposting the things still happening after I ran MBAM and HijackThis.

"Antivir keeps popping up with TR/Dropper.Gen (trojan), found at c:\windows\system32\tldwsp.dll and it can't seem to delete it or quarantine it, just deny it access. My internet SOMETIMES seems to redirect itself but not often? There's some things in the running processes I'm not sure should be and at start up there're a couple of errors, one about outlook express even though I don't use it."

"my firewall (I use the windows one) is turned off and can't turn on again when I try." I can't turn on the entire windows security centre for that matter.

MBAM log:

Malwarebytes' Anti-Malware 1.41
Database version: 3115
Windows 5.1.2600 Service Pack 3

07/11/2009 15:24:55
mbam-log-2009-11-07 (15-24-55).txt

Scan type: Quick Scan
Objects scanned: 106993
Time elapsed: 20 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sexvid (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe pqrs.tmo printer) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:55:35, on 07/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\System32\aniServ.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\EDIMAX\Common\RalinkRegistryWriter.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Program Files\EDIMAX\Common\RaUI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Avira\AntiVir Desktop\update.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2419218687-2945963250-3034659895-1006\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (User '?')
O4 - HKUS\S-1-5-21-2419218687-2945963250-3034659895-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - S-1-5-21-2419218687-2945963250-3034659895-1006 Startup: BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe (User '?')
O4 - Startup: BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
O4 - Global Startup: McAfee Security Scan.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Wireless Utility.lnk = C:\Program Files\EDIMAX\Common\RaUI.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Airgo Networks NIC Service (ANISERVICE) - Airgo Networks, Inc. - C:\WINDOWS\System32\aniServ.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Ralink Registry Writer (RalinkRegistryWriter) - Ralink Technology, Corp. - C:\Program Files\EDIMAX\Common\RalinkRegistryWriter.exe

--
End of file - 7921 bytes
  6. Ok, now I'm quite worried, I've just noticed my firewall (I use the windows one) is turned off and can't turn on again when I try.
  7. Hi, I'm sorry not to be able to post a lot of detail but I think I have a virus. Antivir keeps popping up with TR/Dropper.Gen (trojan), found at c:\windows\system32\tldwsp.dll and it can't seem to delete it or quarantine it, just deny it access. My internet SOMETIMES seems to redirect itself but not often? There's some things in the running processes I'm not sure should be and at start up there're a couple of errors, one about outlook express even though I don't use it. What should I do? Thanks, Cleo