
Anti-virus 2008 scanonline takes control of Firefox



Hello.

Recently I have had a real problem with Firefox 3 being taken over by a rip-off anti-virus called Anti-virus 2008 scanonline.

In the middle of a surf session, Firefox will collapse to a dialog box with the spiel "your computer is infected," yada, yada.

If you try to close this dialog box, Firefox opens back up with a scan that shows a whopping big list of malware, and a download exec box pops up.

The only way to shut this dreck down is to terminate Firefox in the process manager, and lose all of my tabs.

I have not, of course, downloaded the exec, and the following programs have not found any infection:

AntiVir Classic

SuperAntiSpyware (on demand)

Malwarebytes Anti-Malware (on demand)

RogueRemover (on demand)

Spybot Search & Destroy (TeaTimer off)

Also ESET online scan

Ad-Aware 2008 (no longer installed)

The above programs are (other than Ad-Aware and ESET online) resident on my machine,

along with SpywareBlaster, Sandboxie, Kerio 2.1.5 firewall and KeyScrambler for Firefox and IE7.

Only AntiVir and the firewall are real-time (I don't know if you call SpywareBlaster real-time or not).

I use Windows XP Pro SP3.

Below is Malwarebytes Anti-Malware log:

Malwarebytes' Anti-Malware 1.19

Database version: 910

Windows 5.1.2600 Service Pack 3

3:47:37 AM 7/2/2008

mbam-log-7-2-2008 (03-47-37).txt

Scan type: Full Scan (C:\|)

Objects scanned: 121274

Time elapsed: 37 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Panda online scan to follow, InshaAllah.


The Panda scan format was nothing like the tutorial.

I was given a choice of three scans, one free, the others paid.

It said in order to obtain a log of the scan, I was to use the first option and register.

When I pushed this button a message came up with "Oops" or "whoops" or something, and said this was out of order.

The regular scan, without registration, is running now.

Thanks.

Yes, you do need to disable anti-virus.

I forgot, and Avira is barking like a mad dog.


As William H. Macy said in the movie Fargo, "I am trying to cooperate here," but I just can't get the Panda scan to work. It locks up and says failed.

ESET does not generate a log, does it?

Here is the HijackThis log. Thanks.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 04:19:40, on 7/2/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Kerio\Personal Firewall\persfw.exe

C:\Program Files\Sandboxie\SbieSvc.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Windows NT\Accessories\wordpad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O2 - BHO: PDF-XChange Viewer IE-Plugin - {C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F} - C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCviewIEPlugin.dll

O4 - HKLM\..\Run: [Clean System Memory 120 Sec. After Startup] C:\Windows\system32\CleanMem.exe 120

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll

O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1212447511828

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Avira AntiVir Personal

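A small triage script for the kind of HijackThis log pasted above, added here as an example and not part of the original thread: it parses the R0/R1, O2, O4, O16 and O20 entry lines and flags what a helper reads first (orphaned BHO registrations, ActiveX downloads and their host, Winlogon Notify DLLs, autostarts in temp or profile paths). The sample log is constructed from the line shapes in the thread plus one made-up temp-path autostart; the expected-host set and the path heuristics are assumptions that order the reading, not a verdict on any entry.

```python
# Added example (not code from the thread or from Trend Micro): parse the entry
# lines of a HijackThis v2.0.2 log and flag what a helper reviews first.
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample log, shaped like the entries in the thread above; the
# "updater" O4 line is made up to show a temp-path autostart being flagged.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\svc.tmp
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Personal
"""

@dataclass
class Entry:
    kind: str           # HijackThis section code: R0, O2, O16, ...
    raw: str            # the line as logged
    name: str = ""      # display name, where the section has one
    clsid: str = ""     # {GUID} of COM-registered items (BHOs, DPF controls)
    target: str = ""    # file, command line or URL the entry points at

@dataclass
class Finding:
    severity: str       # "info" or "review"
    reason: str
    entry: Entry

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# One layout per section, written against the line shapes seen in the thread's log.
LAYOUTS = {
    "O2": re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<target>.*)$"),
    "O16": re.compile(r"^DPF: (?P<clsid>\{[^}]+\})(?: \((?P<name>[^)]*)\))? - (?P<target>\S+)$"),
    "O20": re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$"),
    "O4": re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.*)$"),
    "R0": re.compile(r"^(?P<name>.+?) =\s*(?P<target>.*)$"),
    "R1": re.compile(r"^(?P<name>.+?) =\s*(?P<target>.*)$"),
}
# Assumption: hosts the thread's own log shows serving online-scanner controls.
EXPECTED_DPF_HOSTS = {"www.eset.eu", "www.update.microsoft.com"}
# Assumption: code autostarting from temp files or a user profile deserves a second look.
SUSPECT_PATH_RE = re.compile(r"\.tmp\b|\\Temp\\|\\Documents and Settings\\", re.IGNORECASE)

def parse_hjt(text: str) -> List[Entry]:
    """One Entry per 'Rn - ...' / 'On - ...' line; headers and the process list are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        layout = LAYOUTS.get(kind)
        parts = layout.match(body) if layout else None
        d = parts.groupdict() if parts else {}
        entries.append(Entry(kind=kind, raw=line, name=d.get("name") or "",
                             clsid=d.get("clsid") or "",
                             target=(d.get("target") or "").strip()))
    return entries

def triage(entries: List[Entry]) -> List[Finding]:
    """First-pass checks a helper runs over a pasted log; severities are only a reading order."""
    findings: List[Finding] = []
    for e in entries:
        if e.kind == "O2" and e.target.lower() == "(no file)":
            findings.append(Finding("info", "orphaned BHO registration: CLSID points at no file", e))
        elif e.kind in ("O2", "O4", "O20") and SUSPECT_PATH_RE.search(e.target):
            findings.append(Finding("review", "autostart points at a temp or per-user path", e))
        elif e.kind == "O16":
            host = urlsplit(e.target).hostname or "unknown host"
            sev = "info" if host in EXPECTED_DPF_HOSTS else "review"
            findings.append(Finding(sev, f"ActiveX control downloaded from {host}", e))
        elif e.kind == "O20":
            findings.append(Finding("review", "Winlogon Notify DLL loads at every logon; confirm its owner", e))
        elif e.kind in ("R0", "R1") and e.target:
            findings.append(Finding("info", f"IE start/search page set to {urlsplit(e.target).hostname}", e))
    return findings

def summarize(text: str) -> Dict[str, int]:
    """Count findings per severity for a whole log."""
    counts: Dict[str, int] = {}
    for f in triage(parse_hjt(text)):
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts
```

Run `triage(parse_hjt(open("hijackthis.log").read()))` against a real log to get the same reading order; everything it marks "review" still needs a human to confirm which installed product owns the file.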

Hi there normanishmael, and welcome to Malwarebytes. It's the malware locking up the online scans. Yes, ESET creates a log; that's why we have it as an alternative.

Review this article here on how to use ComboFix.

Be sure you cover the section on how to install and use the Windows XP Recovery Console, and make sure it is installed on your machine. This is important should anything go wrong and we need to recover your PC and not lose all the data.

1. Download this file:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe and save it to your desktop.

2. Double-click ComboFix.exe. It will be a red icon with a white X on your desktop.

Follow the prompts; you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit Enter.

3. When finished, it will produce a log for you. This logfile is located at C:\ComboFix.txt.

Post that log and a HijackThis log in your next reply.

Note:

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Here is the ComboFix log, followed by the HijackThis log.

Am I instructed to run the ESET online scan?

ComboFix 08-07-01.5 - norman ishmael 2008-07-02 13:55:27.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.495 [GMT -5:00]

Running from: C:\Documents and Settings\norman ishmael\Desktop\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))

.

2008-07-02 03:56 . 2008-07-02 03:56 <DIR> d-------- C:\WINDOWS\LastGood

2008-07-02 03:55 . 2008-07-02 06:44 <DIR> d-------- C:\Program Files\Panda Security

2008-07-02 03:16 . 2008-07-02 03:16 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy

2008-07-02 03:16 . 2008-07-02 08:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-07-01 19:04 . 2008-07-01 19:04 <DIR> d-------- C:\Deckard

2008-07-01 16:45 . 2008-07-01 16:45 <DIR> d-------- C:\Program Files\Tracker Software

2008-07-01 05:01 . 2008-07-01 05:01 <DIR> d-------- C:\_OTMoveIt

2008-06-30 05:01 . 2008-06-30 05:01 <DIR> d-------- C:\Program Files\KellySoftware

2008-06-29 21:23 . 2008-06-29 21:23 <DIR> d-------- C:\Program Files\Avira

2008-06-28 00:13 . 2008-06-28 00:34 <DIR> d-------- C:\Documents and Settings\norman ishmael\Application Data\Spycar

2008-06-27 02:31 . 2008-06-27 02:31 23,600 --a------ C:\WINDOWS\system32\drivers\tvichw32.sys

2008-06-27 02:17 . 2008-04-30 17:32 107,596 --a------ C:\toolkit_widget.gif

2008-06-27 01:53 . 2008-06-27 01:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles

2008-06-27 01:51 . 2008-06-27 01:51 <DIR> d-------- C:\NVIDIA

2008-06-27 01:37 . 2008-06-27 01:37 <DIR> d-------- C:\Program Files\SystemRequirementsLab

2008-06-27 01:37 . 2008-06-27 01:37 <DIR> d-------- C:\Documents and Settings\norman ishmael\Application Data\SystemRequirementsLab

2008-06-26 22:51 . 2008-06-26 22:51 <DIR> d-------- C:\Documents and Settings\Administrator.SLOWJOE3

2008-06-26 21:34 . 2008-06-26 21:34 <DIR> d-------- C:\Program Files\Trend Micro

2008-06-26 20:39 . 2008-06-26 20:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-06-26 04:19 . 2008-06-26 05:50 <DIR> d-------- C:\Program Files\Common Files\Filseclab

2008-06-26 03:48 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe

2008-06-26 03:48 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2008-06-26 03:48 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe

2008-06-26 03:48 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe

2008-06-26 03:48 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe

2008-06-23 23:09 . 2008-06-23 23:09 <DIR> d-------- C:\WINDOWS\CleanMem

2008-06-23 23:09 . 2008-06-23 23:09 <DIR> d-------- C:\Program Files\CleanMem

2008-06-23 23:09 . 2008-06-17 13:15 28,672 --a------ C:\WINDOWS\system32\CleanMem.exe

2008-06-23 08:45 . 2008-06-23 08:45 <DIR> d-------- C:\Program Files\Astonsoft

2008-06-22 00:17 . 2008-06-22 00:19 <DIR> d-------- C:\Program Files\MSECACHE

2008-06-21 23:43 . 2008-06-22 00:14 <DIR> d-------- C:\Program Files\Add Remove Pro

2008-06-20 21:31 . 2008-07-02 00:57 2,932 --a------ C:\WINDOWS\Sandboxie.ini

2008-06-20 20:51 . 2008-03-22 16:37 113,896 --a------ C:\WINDOWS\system32\drivers\keyscrambler.sys

2008-06-20 20:26 . 2008-06-20 21:31 <DIR> d-------- C:\Program Files\Sandboxie

2008-06-20 20:25 . 2008-06-20 20:26 <DIR> d--h----- C:\Documents and Settings\norman ishmael\Recent(2)

2008-06-20 20:25 . 2008-06-20 20:25 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}

2008-06-20 12:32 . 2007-12-22 18:03 91,472 --a------ C:\WINDOWS\system32\Erasext.dll

2008-06-19 23:49 . 2008-06-19 23:49 <DIR> d-------- C:\Program Files\Recuva

2008-06-19 07:19 . 2008-06-25 05:32 <DIR> d-------- C:\Program Files\KeyScrambler

2008-06-19 06:58 . 2008-06-25 05:08 <DIR> d-------- C:\Documents and Settings\norman ishmael\Application Data\Flock

2008-06-19 04:19 . 2008-06-20 20:26 <DIR> d-------- C:\Program Files\Sandboxie(2)

2008-06-18 02:43 . 2008-06-18 02:43 <DIR> d-------- C:\Documents and Settings\norman ishmael\DoctorWeb

2008-06-17 12:26 . 2008-07-02 06:48 <DIR> d-------- C:\Sandbox

2008-06-15 05:04 . 2008-07-02 06:46 <DIR> d-------- C:\Program Files\Google

2008-06-14 14:28 . 2008-06-14 14:28 <DIR> d-------- C:\Program Files\Alarm Clock

2008-06-12 06:58 . 2008-06-25 20:38 <DIR> d-------- C:\Program Files\RogueRemover FREE

2008-06-12 06:49 . 2008-06-12 06:49 2,014 -r-h----- C:\WINDOWS\system32\drivers\hosts

2008-06-11 06:18 . 2008-07-02 00:54 <DIR> d-------- C:\Program Files\SpywareBlaster

2008-06-11 06:18 . 2008-07-02 00:54 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

2008-06-11 06:18 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL

2008-06-11 06:18 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX

2008-06-11 05:30 . 2008-05-08 09:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys

2008-06-11 05:29 . 2008-06-13 06:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

2008-06-09 23:26 . 2008-06-10 06:23 <DIR> d-------- C:\Program Files\UltimateZip 2.7

2008-06-09 12:50 . 2008-04-22 23:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll

2008-06-09 12:50 . 2007-04-17 04:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat

2008-06-09 12:50 . 2007-03-08 00:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui

2008-06-09 12:50 . 2008-04-22 23:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll

2008-06-09 12:50 . 2008-04-22 23:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll

2008-06-09 12:50 . 2008-04-22 23:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll

2008-06-09 12:50 . 2008-04-22 23:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll

2008-06-09 12:50 . 2008-04-22 23:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll

2008-06-09 12:50 . 2008-04-22 02:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe

2008-06-09 07:22 . 2008-03-28 09:17 212,728 --a------ C:\WINDOWS\CMDLIC.DLL

2008-06-09 07:22 . 2008-03-28 09:16 205,560 --a------ C:\WINDOWS\UNBOC.EXE

2008-06-09 07:22 . 2008-04-13 19:12 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb

2008-06-08 10:32 . 2008-06-08 10:32 <DIR> d-------- C:\Documents and Settings\norman ishmael\Application Data\Yahoo!

2008-06-08 03:29 . 2008-06-08 07:48 <DIR> d-------- C:\Program Files\Common Files\AVSMedia

2008-06-08 03:29 . 2008-06-08 07:47 <DIR> d-------- C:\Program Files\AVSMedia

2008-06-08 00:56 . 2008-06-08 12:13 <DIR> d-------- C:\Program Files\Yahoo!

2008-06-06 18:34 . 2008-06-06 18:34 <DIR> d-------- C:\Program Files\Defraggler

2008-06-06 18:12 . 2008-06-06 18:12 <DIR> d-------- C:\Documents and Settings\norman ishmael\Application Data\JAM Software

2008-06-05 09:53 . 2008-06-05 09:53 <DIR> d-------- C:\Documents and Settings\norman ishmael\Application Data\elefundesktops

2008-06-05 08:49 . 2008-06-05 08:49 <DIR> d-------- C:\Documents and Settings\Tiles

2008-06-03 20:37 . 2008-06-03 20:37 2,262,648 --a------ C:\WINDOWS\system32\Flash9b.ocx

2008-06-03 14:08 . 2008-06-03 14:08 <DIR> d-------- C:\Program Files\Kerio

2008-06-03 14:08 . 2002-04-15 12:28 102,912 --------- C:\WINDOWS\system32\drivers\FWDRV.SYS

2008-06-03 13:41 . 2008-06-03 13:41 60 --a------ C:\WINDOWS\wininit.ini

2008-06-03 12:45 . 2008-06-03 12:45 <DIR> d-------- C:\Program Files\Analog Devices

2008-06-03 12:45 . 2001-09-11 15:20 1,285,632 --------- C:\WINDOWS\system32\SMMedia.dll

2008-06-03 12:45 . 2001-09-19 00:47 765,952 -ra------ C:\WINDOWS\system\crlds3d.dll

2008-06-03 12:45 . 2005-08-11 00:49 393,088 -ra------ C:\WINDOWS\system32\drivers\senfilt.sys

2008-06-03 12:45 . 2005-10-05 04:21 141,312 -ra------ C:\WINDOWS\system32\drivers\ADIHdAud.sys

2008-06-03 12:45 . 2005-03-04 07:53 127,872 -ra------ C:\WINDOWS\system32\drivers\aeaudio.sys

2008-06-03 12:45 . 2005-05-04 09:20 53,248 --------- C:\WINDOWS\system32\wdmioctl.dll

2008-06-03 12:45 . 2005-09-26 16:20 49,152 --a------ C:\WINDOWS\system32\DSndUp.exe

2008-06-03 12:45 . 2002-04-17 15:05 45,056 --------- C:\WINDOWS\system32\CleanUp.exe

2008-06-03 00:54 . 2008-06-22 06:01 <DIR> d-------- C:\WINDOWS\system32\SuperAdBlocker.com

2008-06-02 18:27 . 2008-04-13 19:12 1,306,624 -----c--- C:\WINDOWS\system32\dllcache\msxml6.dll

2008-06-02 18:26 . 2007-07-27 07:00 381,425 -----c--- C:\WINDOWS\system32\dllcache\copycd.wmv

2008-06-02 17:01 . 2008-04-13 19:11 571,392 --a--c--- C:\WINDOWS\system32\dllcache\tintlgnt.ime

2008-06-02 17:00 . 2007-07-27 07:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex

2008-06-02 16:59 . 2008-04-13 19:09 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll

2008-06-02 16:58 . 2007-07-27 07:00 169,984 --a--c--- C:\WINDOWS\system32\dllcache\iisui.dll

2008-06-02 16:58 . 2007-07-27 07:00 94,720 --a--c--- C:\WINDOWS\system32\dllcache\certmap.ocx

2008-06-02 16:58 . 2007-07-27 07:00 19,968 --a--c--- C:\WINDOWS\system32\dllcache\inetsloc.dll

2008-06-02 16:58 . 2007-07-27 07:00 14,336 --a--c--- C:\WINDOWS\system32\dllcache\iisreset.exe

2008-06-02 16:58 . 2007-07-27 07:00 7,680 --a--c--- C:\WINDOWS\system32\dllcache\inetmgr.exe

2008-06-02 16:58 . 2007-07-27 07:00 7,168 --a--c--- C:\WINDOWS\system32\dllcache\wamregps.dll

2008-06-02 16:58 . 2007-07-27 07:00 6,144 --a--c--- C:\WINDOWS\system32\dllcache\ftpsapi2.dll

2008-06-02 16:58 . 2007-07-27 07:00 5,632 --a--c--- C:\WINDOWS\system32\dllcache\iisrstap.dll

2008-06-02 16:57 . 2007-07-27 07:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe

2008-06-02 16:57 . 2008-06-02 16:57 749 -rah----- C:\WINDOWS\WindowsShell.Manifest

2008-06-02 16:57 . 2008-06-02 16:57 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest

2008-06-02 16:57 . 2008-06-02 16:57 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest

2008-06-02 16:57 . 2008-06-02 16:57 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest

2008-06-02 16:57 . 2008-06-02 16:57 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest

2008-06-02 16:57 . 2008-06-02 16:57 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest

2008-06-02 16:39 . 2007-07-27 07:00 1,086,058 -ra------ C:\WINDOWS\SET36.tmp

2008-06-02 16:39 . 2007-07-27 07:00 1,056,254 -ra------ C:\WINDOWS\SET33.tmp

2008-06-02 12:05 . 2008-06-03 19:30 <DIR> d-------- C:\Program Files\SUPERAntiSpyware

2008-06-02 12:05 . 2008-06-02 12:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2008-06-02 04:49 . 2008-06-02 04:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET

2008-06-02 02:06 . 2008-06-02 10:41 <DIR> d---s---- C:\Documents and Settings\Administrator

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-01 21:51 --------- d-----w C:\Program Files\Common Files\Adobe

2008-06-30 02:54 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware

2008-06-30 02:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira

2008-06-28 19:16 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys

2008-06-28 19:16 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys

2008-06-27 02:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-06-26 09:19 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-06-21 21:36 --------- d-----w C:\Documents and Settings\norman ishmael\Application Data\Malwarebytes

2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys

2008-06-02 19:30 --------- d-----w C:\Program Files\CCleaner

2008-06-02 16:55 --------- d-----w C:\Program Files\Common Files\InstallShield

2008-06-01 12:23 --------- d-----w C:\Documents and Settings\norman ishmael\Application Data\SUPERAntiSpyware.com

2008-05-28 18:19 --------- d-----w C:\Documents and Settings\norman ishmael\Application Data\DeepBurner

2008-05-27 20:10 --------- d-----w C:\Documents and Settings\norman ishmael\Application Data\Apple Computer

2008-05-26 04:34 --------- d-----w C:\Program Files\Common Files\Scanner

2008-05-25 20:08 --------- d-----w C:\Program Files\Windows Media Connect 2

2008-05-21 20:44 --------- d-----w C:\Documents and Settings\norman ishmael\Application Data\Desktopicon

2008-05-21 20:35 --------- d-----w C:\Program Files\Unlocker

2008-05-21 15:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound

2008-05-21 14:58 --------- d-----w C:\Documents and Settings\norman ishmael\Application Data\FinalBurner MP3

2008-05-20 08:56 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys

2008-05-20 08:53 --------- d-----w C:\Program Files\Java

2008-05-20 08:50 --------- d-----w C:\Program Files\Common Files\Java

2008-05-20 04:01 --------- d-----w C:\Program Files\MSConfig CleanUp

2008-05-19 17:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier

2008-05-19 12:38 --------- d-----w C:\Program Files\Auslogics

2008-05-19 12:38 --------- d-----w C:\Documents and Settings\norman ishmael\Application Data\Auslogics

2008-05-19 11:35 --------- d-----w C:\Program Files\Eusing Free Registry Cleaner

2008-05-19 11:13 --------- d-----w C:\Program Files\Common Files\xing shared

2008-05-19 11:13 --------- d-----w C:\Program Files\Common Files\Real

2008-05-19 11:12 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll

2008-05-19 11:12 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll

2008-05-19 11:12 --------- d-----w C:\Program Files\Real

2008-05-19 11:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-05-19 10:01 --------- d-----w C:\Program Files\AMD

2008-05-19 09:31 --------- d-----w C:\Program Files\Common Files\SupportSoft

2008-05-19 09:14 --------- d-----w C:\Program Files\microsoft frontpage

2008-05-16 16:48 446,464 ----a-w C:\WINDOWS\system32\NVUNINST.EXE

2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys

2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll

2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2008-04-14 10:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll

2008-04-14 10:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe

2008-04-14 10:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll

2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin

2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe

2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll

2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll

2008-04-14 00:13 299,520 ----a-w C:\WINDOWS\system32\drmclien.dll

2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll

2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll

2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll

2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll

2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll

2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys

2008-04-13 19:24 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe

2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys

2008-04-13 18:43 9,728 ----a-w C:\WINDOWS\system32\comsdupd.exe

2008-04-13 18:43 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe

2008-04-13 18:31 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll

2008-04-13 18:31 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe

2008-04-13 18:30 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll

2008-04-13 18:14 76,800 ----a-w C:\WINDOWS\system32\msshavmsg.dll

2008-04-13 17:39 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll

2008-04-13 17:39 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll

2008-04-13 17:39 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll

2008-04-13 17:37 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll

2008-04-13 17:37 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll

2008-04-13 17:28 2,940,928 ----a-w C:\WINDOWS\system32\wmploc.dll

2008-04-13 17:27 79,872 ----a-w C:\WINDOWS\system32\msxml6r.dll

2008-04-13 17:26 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll

2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll

2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll

2008-04-13 17:24 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll

2008-04-13 17:23 8,192 ----a-w C:\WINDOWS\system32\asferror.dll

2008-04-13 17:23 168,448 ----a-w C:\WINDOWS\system32\wmerror.dll

2008-04-13 17:21 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll

2008-04-13 17:09 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll

2008-04-13 17:03 63,488 ----a-w C:\WINDOWS\system32\browselc.dll

2008-04-13 17:03 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll

2008-04-13 16:48 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll

2008-04-13 16:45 216,064 ----a-w C:\WINDOWS\system32\moricons.dll

2008-04-13 16:23 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll

2008-04-13 16:22 48,128 ----a-w C:\WINDOWS\system32\inetres.dll

2008-04-13 15:39 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F}]

2008-06-30 05:46 1095360 --a------ C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCviewIEPlugin.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Clean System Memory 120 Sec. After Startup"="C:\Windows\system32\CleanMem.exe" [2008-06-17 13:15 28672]

"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 fwdrv;Kerio Personal Firewall Driver;C:\WINDOWS\system32\Drivers\fwdrv.sys [2002-04-15 12:28]

R3 KeyScrambler;KeyScrambler;C:\WINDOWS\system32\drivers\keyscrambler.sys [2008-03-22 16:37]

R3 SbieDrv;SbieDrv;C:\Program Files\Sandboxie\SbieDrv.sys [2008-06-30 17:06]

S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\14.tmp []

*Newly Created Service* - CATCHME

*Newly Created Service* - RKPAVPROC

.

Contents of the 'Scheduled Tasks' folder

"2008-07-02 18:36:00 C:\WINDOWS\Tasks\Clean System Memory.job"

- C:\WINDOWS\system32\CleanMem.exe

"2008-07-02 10:49:58 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"

- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-02 13:56:42

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\C:\WINDOWS\system32\14.tmp"

.

Completion time: 2008-07-02 13:57:22

ComboFix-quarantined-files.txt 2008-07-02 18:57:18

Pre-Run: 228,113,899,520 bytes free

Post-Run: 228,106,289,152 bytes free

262 --- E O F --- 2008-06-21 01:30:46

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:59:22, on 7/2/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Sandboxie\SbieSvc.exe

C:\Program Files\Windows NT\Accessories\WORDPAD.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Windows NT\Accessories\wordpad.exe

C:\Program Files\Kerio\Personal Firewall\PERSFW.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O2 - BHO: PDF-XChange Viewer IE-Plugin - {C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F} - C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCviewIEPlugin.dll

O4 - HKLM\..\Run: [Clean System Memory 120 Sec. After Startup] C:\Windows\system32\CleanMem.exe 120

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll

O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1212447511828

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Avira AntiVir Personal


I see some specialized tools on your system: Deckard and OTMoveIt. Are you getting help at another forum? Have you used them?

Please locate the following files, put them into a zip folder and upload it here: http://uploads.malwarebytes.org/

C:\WINDOWS\system32\Erasext.dll

C:\WINDOWS\system32\drivers\tvichw32.sys

C:\Program Files\Common Files\Filseclab

C:\Documents and Settings\Administrator.SLOWJOE3

C:\Documents and Settings\norman ishmael\Application Data\Spycar

C:\Program Files\Tracker Software

C:\Program Files\KellySoftware

If you can get an ESET scan, yes, do it. You have the Panda scan on your system, but I suspect the malware is preventing it.


I have asked for help from Bleeping Computer.

I have run both of the things you noticed and submitted them, with no reply.

I have found these files and sent them to Malwarebytes.

I know what each of them is, other than C:\WINDOWS\system32\drivers\tvichw32.sys.

Erasext is left over from a secure delete program.

Filseclab is left over from a trial installation of either their firewall or Twister Anti-virus.

SLOWJOE3 is the name of my computer from the Windows installation.

Spycar is a Trojan test program.

Tracker Software makes my PDF viewing program,

and KellySoftware makes my Matrix screensaver.

The ESET scanner is running, but it looks like it will be a while.

If "double dipping" with Bleeping Computer is a problem, please tell me so we can wrap this up.

Thanks.


I do not find a log generated by ESET online.

In fact, I can't copy/paste the GUI.

Here is the transcribed content of the GUI screen:

ESET Online Scanner

Scan Results: no threats found

files scanned: 177542

threats found: 0

total scan time: 00:54:17

Scan Status: finished

it is highly recommended to install ESET NOD32 Antivirus

this service detects and removes threats already on your computer.

It does not prevent from (sic) them.

To get fully protected, purchase the full version of ESET NOD32 antivirus

Below that are two buttons,

Information and Buy.

Both direct to a sales pitch for NOD32.

Thanks.

