Everything posted by zen21

  1. OTScanIt log attached. OTScanIt.Txt
  2. Here is Lop S&D. I'll post the other one in a few.

     --------------------\\ Lop S&D 4.2.5-0 XP/Vista

     Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 3
     X86-based PC ( Multiprocessor Free : Intel® Pentium® 4 CPU 3.20GHz )
     BIOS : Phoenix ROM BIOS PLUS Version 1.10 A08
     USER : MyComputer ( Administrator )
     BOOT : Normal boot
     C:\ (Local Disk) - NTFS - Total:70 Go (Free:40 Go)
     D:\ (CD or DVD) - CDFS - Total:0 Go (Free:0 Go)
     E:\ (Local Disk) - NTFS - Total:232 Go (Free:181 Go)

     "C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
     Option : [1] ( Fri 01/02/2009|15:03 )

     --------------------\\ Listing folders in APPLIC~1

     [12/23/2008|01:49] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Malwarebytes
     [09/22/2007|01:54] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Microsoft
     [12/19/2008|11:26] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> {3276BE95_AF08_429F_A64F_CA64CB79BCF6}
     [12/23/2008|12:52] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe
     [09/22/2007|04:10] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL
     [09/22/2007|04:08] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL Downloads
     [09/22/2007|06:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple
     [09/22/2007|06:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple Computer
     [11/07/2008|07:22] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> ATI
     [09/22/2007|05:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> BVRP Software
     [12/22/2008|08:49] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Malwarebytes
     [09/22/2007|01:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft
     [12/23/2008|02:15] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Spybot - Search & Destroy
     [12/23/2008|01:06] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SUPERAntiSpyware.com
     [09/22/2007|02:14] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage
     [11/07/2007|09:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> WinZip
     [09/22/2007|01:54] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft
     [09/23/2007|12:53] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft
     [12/23/2008|12:51] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> Adobe
     [09/22/2007|04:12] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> Aim
     [10/25/2007|08:29] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> Apple Computer
     [11/07/2008|07:22] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> ATI
     [01/02/2009|07:11] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> Azureus
     [09/22/2007|08:52] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> DivX
     [03/31/2008|05:23] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> dvdcss
     [12/05/2007|03:56] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> Google
     [10/26/2007|08:17] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> Hewlett-Packard
     [09/22/2007|01:58] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> Identities
     [09/23/2007|10:53] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> ImgBurn
     [09/22/2007|03:13] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> InstallShield
     [09/22/2007|03:11] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> Macromedia
     [12/22/2008|08:49] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> Malwarebytes
     [11/18/2007|06:45] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> Media Player Classic
     [02/09/2008|05:41] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> Microsoft
     [09/22/2007|04:08] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> Mozilla
     [09/22/2007|10:27] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> Real
     [09/23/2007|03:16] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> Sun
     [12/23/2008|02:00] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> SUPERAntiSpyware.com
     [09/22/2007|08:55] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> vlc
     [11/11/2007|09:10] C:\DOCUME~1\MYCOMP~1\APPLIC~1\<DIR> WinRAR
     [09/22/2007|01:54] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft

     --------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

     [08/10/2008 05:18 PM][--a------] C:\WINDOWS\tasks\AppleSoftwareUpdate.job
     [12/13/2007 10:24 PM][--a------] C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1197602648.job
     [09/23/2007 07:50 AM][--ah-----] C:\WINDOWS\tasks\SA.DAT
     [08/12/2004 09:01 AM][-r-h-----] C:\WINDOWS\tasks\desktop.ini

     --------------------\\ Listing Folders in C:\Program Files

     [11/26/2007|05:15] C:\Program Files\<DIR> Activision
     [12/07/2008|06:16] C:\Program Files\<DIR> Adobe
     [09/22/2007|04:21] C:\Program Files\<DIR> AIM
     [04/15/2008|06:48] C:\Program Files\<DIR> Apollo DVD Copy
     [08/10/2008|05:18] C:\Program Files\<DIR> Apple Software Update
     [08/02/2008|02:18] C:\Program Files\<DIR> Aspyr
     [11/07/2008|07:18] C:\Program Files\<DIR> ATI
     [11/07/2008|07:00] C:\Program Files\<DIR> ATI Technologies
     [11/22/2008|02:08] C:\Program Files\<DIR> Avanquest update
     [03/30/2008|08:02] C:\Program Files\<DIR> AVI MPEG RM WMV Joiner
     [12/06/2008|01:42] C:\Program Files\<DIR> Azureus
     [08/08/2008|06:18] C:\Program Files\<DIR> BitPim
     [12/19/2008|11:26] C:\Program Files\<DIR> Bonjour
     [09/22/2007|02:10] C:\Program Files\<DIR> Broadcom
     [12/12/2008|10:12] C:\Program Files\<DIR> BugsysClub Software
     [12/28/2008|04:01] C:\Program Files\<DIR> Common Files
     [09/22/2007|08:17] C:\Program Files\<DIR> Creative
     [09/23/2007|10:44] C:\Program Files\<DIR> DivX
     [09/23/2007|05:22] C:\Program Files\<DIR> EA GAMES
     [12/05/2007|03:56] C:\Program Files\<DIR> Google
     [10/26/2007|08:10] C:\Program Files\<DIR> Hewlett-Packard
     [09/23/2007|10:53] C:\Program Files\<DIR> ImgBurn
     [11/07/2008|07:00] C:\Program Files\<DIR> InstallShield Installation Information
     [12/22/2008|08:12] C:\Program Files\<DIR> Internet Explorer
     [12/19/2008|11:26] C:\Program Files\<DIR> iPod
     [12/19/2008|11:26] C:\Program Files\<DIR> iTunes
     [09/22/2007|05:26] C:\Program Files\<DIR> Java
     [09/22/2007|11:03] C:\Program Files\<DIR> K-Lite Codec Pack
     [12/23/2008|12:53] C:\Program Files\<DIR> Malwarebytes' Anti-Malware
     [08/23/2008|02:00] C:\Program Files\<DIR> Messenger
     [09/27/2007|08:36] C:\Program Files\<DIR> Microsoft ActiveSync
     [09/22/2007|01:55] C:\Program Files\<DIR> microsoft frontpage
     [12/04/2008|07:31] C:\Program Files\<DIR> Microsoft Office
     [12/16/2007|07:31] C:\Program Files\<DIR> Motorola
     [11/22/2008|02:10] C:\Program Files\<DIR> Motorola Phone Tools
     [08/21/2008|07:33] C:\Program Files\<DIR> Movie Maker
     [01/02/2009|02:59] C:\Program Files\<DIR> Mozilla Firefox
     [12/04/2008|07:31] C:\Program Files\<DIR> MSECache
     [08/21/2008|07:33] C:\Program Files\<DIR> msn
     [09/22/2007|01:52] C:\Program Files\<DIR> MSN Gaming Zone
     [11/12/2008|03:00] C:\Program Files\<DIR> MSXML 4.0
     [09/23/2007|10:50] C:\Program Files\<DIR> NCH Swift Sound
     [12/13/2007|09:11] C:\Program Files\<DIR> Netflix
     [08/21/2008|07:32] C:\Program Files\<DIR> NetMeeting
     [09/22/2007|04:23] C:\Program Files\<DIR> No1 DVD Ripper
     [08/21/2008|07:32] C:\Program Files\<DIR> Outlook Express
     [12/23/2008|02:51] C:\Program Files\<DIR> Panda Security
     [11/20/2008|09:48] C:\Program Files\<DIR> QuickTime
     [09/22/2007|03:13] C:\Program Files\<DIR> Razer
     [09/23/2007|01:57] C:\Program Files\<DIR> Real
     [09/23/2007|01:58] C:\Program Files\<DIR> RealMedia
     [11/20/2008|09:44] C:\Program Files\<DIR> Safari
     [12/23/2008|02:14] C:\Program Files\<DIR> Spybot - Search & Destroy
     [11/11/2008|08:03] C:\Program Files\<DIR> Starcraft
     [09/22/2007|01:58] C:\Program Files\<DIR> Uninstall Information
     [09/22/2007|06:54] C:\Program Files\<DIR> VideoLAN
     [09/23/2007|04:42] C:\Program Files\<DIR> Windows Media Connect 2
     [08/21/2008|07:32] C:\Program Files\<DIR> Windows Media Player
     [08/21/2008|07:32] C:\Program Files\<DIR> Windows NT
     [09/22/2007|01:54] C:\Program Files\<DIR> WindowsUpdate
     [11/17/2007|08:46] C:\Program Files\<DIR> WinRAR
     [11/07/2007|09:57] C:\Program Files\<DIR> WinZip
     [09/22/2007|01:55] C:\Program Files\<DIR> xerox
     [09/22/2007|09:52] C:\Program Files\<DIR> Zero G Registry
     [12/27/2008|11:13] C:\Program Files\<DIR> Zoom Player

     --------------------\\ Listing Folders in C:\Program Files\Common Files

     [02/29/2008|07:20] C:\Program Files\Common Files\<DIR> Adobe
     [12/19/2008|11:16] C:\Program Files\Common Files\<DIR> Apple
     [10/18/2008|06:14] C:\Program Files\Common Files\<DIR> Blizzard Entertainment
     [09/22/2007|09:06] C:\Program Files\Common Files\<DIR> Designer
     [10/26/2007|08:10] C:\Program Files\Common Files\<DIR> Hewlett-Packard
     [09/22/2007|02:59] C:\Program Files\Common Files\<DIR> InstallShield
     [09/22/2007|05:26] C:\Program Files\Common Files\<DIR> Java
     [12/04/2008|07:31] C:\Program Files\Common Files\<DIR> Microsoft Shared
     [09/22/2007|05:38] C:\Program Files\Common Files\<DIR> Motorola Shared
     [09/22/2007|01:53] C:\Program Files\Common Files\<DIR> MSSoap
     [09/22/2007|09:46] C:\Program Files\Common Files\<DIR> ODBC
     [09/22/2007|10:27] C:\Program Files\Common Files\<DIR> Real
     [09/22/2007|01:53] C:\Program Files\Common Files\<DIR> Services
     [09/22/2007|09:45] C:\Program Files\Common Files\<DIR> SpeechEngines
     [08/21/2008|07:32] C:\Program Files\Common Files\<DIR> System
     [09/22/2007|10:27] C:\Program Files\Common Files\<DIR> xing shared

     --------------------\\ Process ( 30 Processes ) ... OK !

     --------------------\\ Searching with S_Lop

     No Lop folder found !

     --------------------\\ Searching for Lop Files - Folders

     C:\DOCUME~1\MYCOMP~1\Cookies\mycomputer@advertising[2].txt
     C:\DOCUME~1\MYCOMP~1\Cookies\mycomputer@adopt.euroclick[2].txt

     --------------------\\ Searching within the Registry ..... OK !

     --------------------\\ Checking the Hosts file

     Hosts file CLEAN

     --------------------\\ Searching for hidden files with Catchme

     catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-01-02 15:04:22
     Windows 5.1.2600 Service Pack 3 NTFS
     scanning hidden processes ...
     scanning hidden files ...
     C:\WINDOWS\System32\win32x.exe 26112 bytes executable
     C:\WINDOWS\System32\drivers\win32x.sys 12544 bytes executable
     C:\WINDOWS\System32\userinit.exe 74240 bytes executable
     scan completed successfully
     hidden processes: 0
     hidden files: 3

     --------------------\\ Searching for other infections

     --------------------\\ Cracks & Keygens ..

     C:\DOCUME~1\MYCOMP~1\Recent\[isoHunt] WinRar 3.71 final keygen (Works 100% ).torrent.lnk

     [F:43][D:4]-> C:\DOCUME~1\MYCOMP~1\LOCALS~1\Temp
     [F:151][D:0]-> C:\DOCUME~1\MYCOMP~1\Cookies
     [F:501][D:4]-> C:\DOCUME~1\MYCOMP~1\LOCALS~1\TEMPOR~1\content.IE5

     1 - "C:\Lop SD\LopR_1.txt" - Fri 01/02/2009|15:05 - Option : [1]

     --------------------\\ Scan completed at 15:05:17
  3. Here's the latest logs. Still showing the same. I updated and removed.

     Malwarebytes' Anti-Malware 1.31
     Database version: 1589
     Windows 5.1.2600 Service Pack 3

     1/1/2009 5:31:09 PM
     mbam-log-2009-01-01 (17-31-09).txt

     Scan type: Quick Scan
     Objects scanned: 51776
     Time elapsed: 3 minute(s), 48 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 2
     Folders Infected: 0
     Files Infected: 4

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> Delete on reboot.
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> Delete on reboot.
     C:\Documents and Settings\MyComputer\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> Delete on reboot.
     C:\Documents and Settings\Default User\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> Delete on reboot.
  4. Here's the new log. That same stuff is still showing.

     Malwarebytes' Anti-Malware 1.31
     Database version: 1587
     Windows 5.1.2600 Service Pack 3

     12/31/2008 7:52:48 PM
     mbam-log-2008-12-31 (19-52-42).txt

     Scan type: Quick Scan
     Objects scanned: 51631
     Time elapsed: 3 minute(s), 38 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 2
     Folders Infected: 0
     Files Infected: 4

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> No action taken.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> No action taken.

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> No action taken.
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> No action taken.
     C:\Documents and Settings\MyComputer\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> No action taken.
     C:\Documents and Settings\Default User\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> No action taken.
  5. New Log

     Malwarebytes' Anti-Malware 1.31
     Database version: 1582
     Windows 5.1.2600 Service Pack 3

     12/31/2008 7:18:48 AM
     mbam-log-2008-12-31 (07-18-48).txt

     Scan type: Quick Scan
     Objects scanned: 51598
     Time elapsed: 3 minute(s), 55 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 2
     Folders Infected: 0
     Files Infected: 4

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> Delete on reboot.
     C:\Documents and Settings\All Users\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> Delete on reboot.
     C:\Documents and Settings\MyComputer\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> Delete on reboot.
     C:\Documents and Settings\Default User\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> Delete on reboot.
  6. COMBO FIX LOG

     ComboFix 08-12-28.01 - MyComputer 2008-12-28 15:59:46.1 - NTFSx86
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1542 [GMT -5:00]
     Running from: c:\documents and settings\MyComputer\Desktop\ComboFix.exe
     * Created a new restore point
     WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\0EB9F12C_6E6B_4c03_AEBA_8C04CFA98AA4.gif
     c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\15913497_F86C_4218_8817_F50940D1E1B2.gif
     c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\29887DDE_00B9_4011_9CF7_59511F1ECC1B.gif
     c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\35B7DFFA_884F_4fbc_8E60_DA601BDC7BF7.gif
     c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\362FD6E8_8CDA_4c2a_A8AA-BDA22B321711.gif
     c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\3DF04940_9866_4241_A998_0CDDFAFD147A.gif
     c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\426500D7_0FF3_426c_828D_065DBAEA0581.gif
     c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\478BD4AE_2691_438d_BDCA_3485DC022700.gif
     c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\5C6C645F_BAA8_4149_BFEB_2031230FF0FD.gif
     c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\61EA7D69_19D4_421a_A899_0DF4D58CD119.gif
     c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\777FDAFB_83CF_4960_AA71_4E5D7BCD8E57.gif
     c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\8DA878D5_E80B_4721_B75A_17EFFAF1A700.gif
     c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\98F6DF79_7171_452d_9C26_C0193E12DBDF.gif
     c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\A2B240D6_0386_419e_91C5_3F7D90437CD0.gif
     c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\C75CEF8D_5AF4_4563_8594_C45A45E14E63.gif
     c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\E21285C1_40E6_435c_A69F_3387E7BD89CB.gif
     c:\documents and settings\MyComputer\Local Settings\Temporary Internet Files\E9A4D648_ED73_4ea7_88B2_18332DBA4F3E.38
     c:\windows\system32\au3305adc.dll
     c:\windows\wiaserviv.log
     .
     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     -------\Legacy_CBEVTSVC
     -------\Legacy_TDSSSERV.SYS
     -------\Service_TDSSserv.sys

     ((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-28 )))))))))))))))))))))))))))))))
     .
     2008-12-23 14:51 . 2008-12-23 14:51 <DIR> d-------- c:\program files\Panda Security
     2008-12-23 14:51 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
     2008-12-23 14:11 . 2008-12-23 14:11 61,440 --a------ c:\windows\system32\drivers\sdnmctyw.sys
     2008-12-23 14:02 . 2008-12-23 14:14 <DIR> d-------- c:\program files\Spybot - Search & Destroy
     2008-12-23 13:49 . 2008-12-23 13:49 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
     2008-12-23 13:06 . 2008-12-23 14:00 <DIR> d-------- c:\documents and settings\MyComputer\Application Data\SUPERAntiSpyware.com
     2008-12-23 13:06 . 2008-12-23 13:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
     2008-12-23 12:53 . 2008-12-23 12:53 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
     2008-12-23 12:53 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
     2008-12-23 12:53 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
     2008-12-22 20:49 . 2008-12-22 20:49 <DIR> d-------- c:\documents and settings\MyComputer\Application Data\Malwarebytes
     2008-12-22 20:49 . 2008-12-22 20:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
     2008-12-22 20:31 . 2008-12-22 20:31 <DIR> d-------- c:\documents and settings\Administrator
     2008-12-19 11:34 . 2008-12-19 11:34 32 --a-s---- c:\windows\system32\283363896.dat
     2008-12-19 11:26 . 2008-12-19 11:26 <DIR> d-------- c:\program files\iTunes
     2008-12-19 11:26 . 2008-12-19 11:26 <DIR> d-------- c:\program files\iPod
     2008-12-19 11:26 . 2008-12-19 11:26 <DIR> d-------- c:\program files\Bonjour
     2008-12-19 11:26 . 2008-12-19 11:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
     2008-12-19 11:26 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
     2008-12-19 11:26 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
     2008-12-04 19:31 . 2008-12-04 19:31 <DIR> d-------- c:\program files\MSECache
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2008-12-28 14:22 --------- d-----w c:\documents and settings\MyComputer\Application Data\Azureus
     2008-12-28 04:13 --------- d-----w c:\program files\Zoom Player
     2008-12-28 02:03 140,216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
     2008-12-23 19:15 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
     2008-12-23 19:11 676 ----a-w c:\program files\pmzluicz.txt
     2008-12-19 16:16 --------- d-----w c:\program files\Common Files\Apple
     2008-12-13 03:12 --------- d-----w c:\program files\BugsysClub Software
     2008-12-06 18:42 --------- d-----w c:\program files\Azureus
     2008-11-22 19:10 --------- d-----w c:\program files\Motorola Phone Tools
     2008-11-22 19:08 --------- d-----w c:\program files\Avanquest update
     2008-11-21 02:48 --------- d-----w c:\program files\QuickTime
     2008-11-21 02:44 --------- d-----w c:\program files\Safari
     2008-11-12 08:00 --------- d-----w c:\program files\MSXML 4.0
     2008-11-12 01:03 --------- d-----w c:\program files\Starcraft
     2008-11-08 00:22 --------- d-----w c:\documents and settings\MyComputer\Application Data\ATI
     2008-11-08 00:22 --------- d-----w c:\documents and settings\All Users\Application Data\ATI
     2008-11-08 00:18 --------- d-----w c:\program files\ATI
     2008-11-08 00:00 --------- d--h--w c:\program files\InstallShield Installation Information
     2008-11-08 00:00 --------- d-----w c:\program files\ATI Technologies
     2008-10-18 04:38 94,208 ----a-w c:\windows\ScUnin.exe
     2007-11-08 03:52 22,328 ----a-w c:\documents and settings\MyComputer\Application Data\PnkBstrK.sys
     2007-10-12 03:10 24,192 ----a-w c:\documents and settings\MyComputer\usbsermptxp.sys
     2007-10-12 03:10 22,768 ----a-w c:\documents and settings\MyComputer\usbsermpt.sys
     2008-08-22 00:40 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082120080822\index.dat
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Copperhead"="c:\program files\Razer\Copperhead\razerhid.exe" [2005-11-25 155648]
     "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]

     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
     backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
     backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
     c:\windows\system32\dumprep 0 -k [X]

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
     --a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
     -ra------ 2008-09-26 11:02 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
     --a------ 2006-08-01 14:35 67112 c:\program files\AIM\aim.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
     --a------ 2008-10-01 11:57 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
     --a------ 2007-10-04 18:38 307200 c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
     --a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
     --a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
     --a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
     --a------ 2007-09-22 22:27 185632 c:\program files\Common Files\Real\Update_OB\realsched.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
     "iPod Service"=3 (0x3)
     "Schedule"=2 (0x2)
     "WMPNetworkSvc"=3 (0x3)
     "WmdmPmSN"=3 (0x3)
     "Apple Mobile Device"=2 (0x2)
     "Bonjour Service"=2 (0x2)
     "mnmsrvc"=3 (0x3)

     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "AntiVirusDisableNotify"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\AIM\\aim.exe"=
     "c:\\Program Files\\Azureus\\Azureus.exe"=
     "c:\\Program Files\\Motorola\\Software Update\\msu.exe"=
     "c:\\Program Files\\EA GAMES\\Battlefield 2\\BF21.exe"=
     "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
     "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
     "c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
     "c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
     "c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
     "c:\\Program Files\\Starcraft\\StarCraft.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=
     .
     Contents of the 'Scheduled Tasks' folder

     2008-08-10 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

     2007-12-14 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1197602648.job
     - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 17:56]
     .
     - - - - ORPHANS REMOVED - - - -

     MSConfigStartUp-lsass driver - c:\windows\msauc.exe
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.netflix.com/MemberHome
     uInternet Settings,ProxyOverride = *.local
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
     FF - ProfilePath - c:\documents and settings\MyComputer\Application Data\Mozilla\Firefox\Profiles\qi4vmjhw.default\
     FF - prefs.js: browser.startup.homepage - hxxp://www.surfinfo.com
     .
     **************************************************************************
     catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2008-12-28 16:04:05
     Windows 5.1.2600 Service Pack 3 NTFS
     scanning hidden processes ...
     scanning hidden autostart entries ...
     scanning hidden files ...
     c:\windows\system32\drivers\win32x.sys 12544 bytes executable
     c:\windows\system32\win32x.exe 26112 bytes executable
     c:\windows\system32\userinit.exe 74240 bytes executable
     scan completed successfully
     hidden files: 3
     **************************************************************************
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\win32x]
     "ImagePath"="\??\c:\windows\system32\drivers\win32x.sys"

     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTPFilterNetman]
     "ImagePath"="c:\windows\system32\wpv301229732492.cpx srv"
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(680)
     c:\windows\system32\Ati2evxx.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\windows\system32\ati2evxx.exe
     c:\windows\system32\ati2evxx.exe
     c:\windows\system32\PnkBstrA.exe
     c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
     c:\program files\Razer\Copperhead\razertra.exe
     c:\program files\Razer\Copperhead\razerofa.exe
     c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
     c:\windows\system32\imapi.exe
     .
     **************************************************************************
     .
     Completion time: 2008-12-28 16:10:12 - machine was rebooted
     ComboFix-quarantined-files.txt 2008-12-28 21:09:34

     Pre-Run: 42,992,156,672 bytes free
     Post-Run: 43,528,630,272 bytes free

     202 --- E O F --- 2008-12-18 21:49:05

     =========================== Hijackthis LOG ===========================

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 4:34:31 PM, on 12/28/2008
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v7.00 (7.00.6000.16762)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\Ati2evxx.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\Ati2evxx.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\Razer\Copperhead\razerhid.exe
     C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\WINDOWS\system32\PnkBstrA.exe
     C:\WINDOWS\system32\svchost.exe
     C:\Program Files\Razer\Copperhead\razertra.exe
     C:\Program Files\Razer\Copperhead\razerofa.exe
     C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
     C:\Documents and Settings\MyComputer\Desktop\HiJackThis.exe
     C:\WINDOWS\system32\wuauclt.exe

     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/MemberHome
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
     O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
     O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
     O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
     O4 - HKLM\..\Run: [Copperhead] C:\Program Files\Razer\Copperhead\razerhid.exe
     O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
     O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
     O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
     O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
     O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
     O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab
     O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
     O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
     O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
     O23 - Service: HTTP SSL HTTPFilterNetman (HTTPFilterNetman) - Unknown owner - C:\WINDOWS\system32\wpv301229732492.cpx.exe (file missing)
     O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
     O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

     --
     End of file - 4278 bytes

     On a side note, should I have the Recovery Console installed??? Thanks
  7. No problem. Yes, it would be great if you could look through the logs I posted and tell me if there is anything else I should do. I will say my computer has been much better since I ran all the scans and cleared out whatever they found. Thanks
  8. Hello, I was finally able to get logs without getting blue-screened. I ran Malwarebytes 2 times, once in safe mode and once when I rebooted in normal mode. I had to do it this way because I would get blue-screened in both Malwarebytes and Spybot when running from Win XP in normal mode. I will post both Malwarebytes logs and the other below. I would greatly appreciate any help provided. Thanks in advance.

First Malwarebytes scan done in safe mode

Malwarebytes' Anti-Malware 1.31
Database version: 1537
Windows 5.1.2600 Service Pack 3

12/23/2008 1:56:04 PM
mbam-log-2008-12-23 (13-56-04).txt

Scan type: Quick Scan
Objects scanned: 53723
Time elapsed: 5 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 10
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 51

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\crypts.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{1408e208-2ac1-42d3-9f10-78a5b36e05ac} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a744f16c-b2d5-4138-81a2-085cdfcde83a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{a744f16c-b2d5-4138-81a2-085cdfcde83a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\43f7cbdd (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\43f7cbdd (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\43f7cbdd (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc (Trojan.MyDoom) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\webproxy (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: digeste.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\CbEvtSvc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv681229976527.cpx (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\43f7cbdd.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\TDSSpaxt.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\setupapi.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\setupapi.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0RCTO5OV\install[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QR2PM1A7\ftp[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\638097440.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\msauc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\shell31.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv071229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv111229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv131229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv171229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv271229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv291229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv301229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv301229732492.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv331229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv341229999452.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv381229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv421229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv461229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv521229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv561229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv611229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv681229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv731229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv781229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv821229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv871229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv941229732464.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv951229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv961229732545.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv971229670606.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\digeste.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\homepage.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\crypts.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\pharma.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\other.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\finance.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\adult.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lt.res (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sft.res (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\aol.com-error.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\gmail.com-error.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\google.com-error.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\live.com-error.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\search.yahoo.com-error.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\index.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Second scan done after rebooting in normal mode

Malwarebytes' Anti-Malware 1.31
Database version: 1537
Windows 5.1.2600 Service Pack 3

12/23/2008 2:11:08 PM
mbam-log-2008-12-23 (14-11-08).txt

Scan type: Quick Scan
Objects scanned: 54338
Time elapsed: 5 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\MyComputer\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\userinit.exe (Trojan.Agent) -> Delete on reboot.

Active Scan Log

;*******************************************************************************
ANALYSIS: 2008-12-23 15:57:31
PROTECTIONS: 0
MALWARE: 13
SUSPECTS: 1
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\MyComputer\Cookies\mycomputer@atdmt[2].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\MyComputer\Cookies\mycomputer@247realmedia[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\MyComputer\Cookies\mycomputer@tribalfusion[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\MyComputer\Cookies\mycomputer@com[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\MyComputer\Cookies\mycomputer@serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\MyComputer\Cookies\mycomputer@bs.serving-sys[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\MyComputer\Cookies\mycomputer@advertising[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\MyComputer\Cookies\mycomputer@ads.pointroll[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\MyComputer\Cookies\mycomputer@realmedia[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\MyComputer\Cookies\mycomputer@questionmarket[2].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\MyComputer\Cookies\mycomputer@go[1].txt
00444112 Bck/Tdss.C Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{37F2E228-8618-4D5D-8031-13E4B18ABD0D}\RP108\A0041778.sys
04373460 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{37F2E228-8618-4D5D-8031-13E4B18ABD0D}\RP108\A0041777.sys
;===============================================================================
SUSPECTS
Sent Location
;===============================================================================
No C:\Program Files\AIM\Backup\uninstall.exe
;===============================================================================
VULNERABILITIES
Id Severity Description
;===============================================================================
;===============================================================================

Hijackthis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:01:11 PM, on 12/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Razer\Copperhead\razerhid.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Razer\Copperhead\razertra.exe
C:\Program Files\Razer\Copperhead\razerofa.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\MyComputer\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/MemberHome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Copperhead] C:\Program Files\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: HTTP SSL HTTPFilterNetman (HTTPFilterNetman) - Unknown owner - C:\WINDOWS\system32\wpv301229732492.cpx.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 4287 bytes
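An added example, not part of zen21's post and not code from HijackThis or Malwarebytes: a small Python triage script over the two logs above. It parses the HijackThis O23 (service) and O4 (Run key) lines, scores the three signals the posted log actually exposes (a service binary marked "(file missing)", a service with "Unknown owner", and a path matching the wpv<digits>.cpx names Malwarebytes quarantined from system32; treating that filename pattern as an indicator is an assumption), and cross-references the service entries against the Malwarebytes "Files Infected" list to find service registrations whose binary has already been removed. The log above shows exactly one such leftover: HTTPFilterNetman still points at wpv301229732492.cpx.exe after Malwarebytes quarantined wpv301229732492.cpx. "Unknown owner" on its own is weak evidence, since the same log shows it on the ATI Smart and PnkBstrA services, so the script weights it low. The sample inputs are excerpts of the posted logs.

```python
"""Triage a HijackThis 2.x log and cross-check it against a Malwarebytes log.
Added example for this thread, not code from the original post, HijackThis or
Malwarebytes. Treating the wpv<digits>.cpx filename pattern as an indicator
is an assumption taken from the Malwarebytes log posted above."""
import re
from dataclasses import dataclass
from typing import Dict, List

# O23 - Service: <display> [(<name>)] - <owner> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# O4 - <hive>\..\Run: [<value>] <command>
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<command>.+)$")
# Malwarebytes "Files Infected:" entry: <path> (<family>) -> <action>
MBAM_FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<family>[\w.]+)\) -> (?P<action>.+)$")
WPV_CPX_RE = re.compile(r"\bwpv\d+\.cpx\b", re.IGNORECASE)   # assumed indicator pattern

# "Unknown owner" alone is weak: the posted log shows it on ATI and PunkBuster
# services too. A missing binary or an indicator-pattern path is strong.
WEIGHTS = {"file missing": 3, "matches wpv*.cpx pattern": 3, "Unknown owner": 1}


@dataclass
class Finding:
    kind: str           # "O23" (service) or "O4" (Run key)
    name: str           # service name, or Run value name
    path: str
    reasons: List[str]

    @property
    def score(self) -> int:
        return sum(WEIGHTS[r] for r in self.reasons)


def triage_hjt(hjt_text: str) -> List[Finding]:
    """Return O23/O4 entries that trip at least one heuristic, strongest first."""
    findings: List[Finding] = []
    for raw in hjt_text.splitlines():
        line = raw.strip()
        m = O23_RE.match(line)
        if m:
            reasons = ["matches wpv*.cpx pattern"] if WPV_CPX_RE.search(m["path"]) else []
            if m["missing"]:
                reasons.append("file missing")
            if m["owner"] == "Unknown owner":
                reasons.append("Unknown owner")
            if reasons:
                findings.append(Finding("O23", m["name"] or m["display"], m["path"], reasons))
            continue
        m = O4_RE.match(line)
        if m and WPV_CPX_RE.search(m["command"]):
            findings.append(Finding("O4", m["value"], m["command"], ["matches wpv*.cpx pattern"]))
    return sorted(findings, key=lambda f: -f.score)


def mbam_removed_files(mbam_text: str) -> Dict[str, str]:
    """Map lower-cased basename -> full path for each 'Files Infected:' entry."""
    removed: Dict[str, str] = {}
    in_files = False
    for raw in mbam_text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):              # section header
            in_files = line.startswith("Files Infected")
            continue
        m = MBAM_FILE_RE.match(line) if in_files else None
        if m:
            removed[m["path"].rsplit("\\", 1)[-1].lower()] = m["path"]
    return removed


def orphaned_services(hjt_text: str, mbam_text: str) -> List[str]:
    """Service names whose O23 binary Malwarebytes already removed. HijackThis lists
    wpv301229732492.cpx.exe while Malwarebytes removed wpv301229732492.cpx, so the
    basename is compared both with and without its last extension."""
    removed = mbam_removed_files(mbam_text)
    orphans: List[str] = []
    for raw in hjt_text.splitlines():
        m = O23_RE.match(raw.strip())
        if m:
            base = m["path"].rsplit("\\", 1)[-1].lower()
            if base in removed or base.rsplit(".", 1)[0] in removed:
                orphans.append(m["name"] or m["display"])
    return orphans


# Excerpts of the two logs posted above (a constructed subset, not the full logs).
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: HTTP SSL HTTPFilterNetman (HTTPFilterNetman) - Unknown owner - C:\WINDOWS\system32\wpv301229732492.cpx.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""
SAMPLE_MBAM = r"""
Files Infected:
C:\WINDOWS\system32\CbEvtSvc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv301229732492.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"[{f.score}] {f.kind} {f.name}: {f.path}  <- {', '.join(f.reasons)}")
    print("orphaned service entries:", orphaned_services(SAMPLE_HJT, SAMPLE_MBAM))
```

Run against the full logs, the script puts HTTPFilterNetman at the top with all three reasons, and the orphan check names it as the one service whose binary Malwarebytes already took away; the remaining "Unknown owner" hits score 1 and are the ordinary ATI and PunkBuster services, which is why a weak signal should never be acted on alone.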
  9. Thanks Elite360. Following the links above does not work because I get blue-screened halfway through the scan on Spybot, and I get a critical error with Malwarebytes. I've tried uninstalling and reinstalling, but with the same result. I use my Mac to download the programs and run them off a flash drive, just in case the download could have been corrupted on my PC.
  10. Hi, hopefully someone can help me. I believe my machine is infected with that 2009 virus going around. I read the instructions on how to scan and post logs. However, Malwarebytes and Spybot freeze during the scan. With Malwarebytes I get the Windows error report, and with Spybot I get blue-screened. Thanks