Trojans undetected by Malwarebytes.


OK, that messed up my whole computer. Not your fault, but it was a bit of a waste of time.

Anyway, I'll make this quick, I've got exams and stuff to get on with.

1) I installed avast!; it installed, but then when scanning it froze, the whole PC froze, and I had to manually shut down.

2) When I restarted in normal mode, it froze after 5 or so seconds of showing the desktop (i.e. all the icons, task bar).

3) The task bar was the first to freeze, then the icons. It was really slow and just froze.

4) I went into safe mode, everything worked fine, I disabled ESET NOD32 and avast!, rebooted into normal mode, still froze.

5) Finally did a system restore and it finally worked. It uninstalled avast! I think :)

So I don't know what to do, ESET works fine, avast! doesn't. In fact ESET WITH Comodo works fine.

Here are my system specs if you're interested. (It is bad because this computer is like 5 years old, but I'm buying a new one soon :D)

Intel Pentium 4 2.8 GHz

756 MB of RAM

160 GB HDD

integrated graphics card

Windows XP SP3 Professional

So, any help?


I recommend you uninstall ESET NOD32 from your system before you install any other AV to use. Also make sure the Comodo AV is disabled and only the firewall is turned on.

avast! should work fine, so I am thinking the freezes were due to having ESET installed, and to the Comodo AV being on.


I know I'm being annoying, and I'm sorry, but what do you think of Comodo Internet Security? It includes a firewall and antivirus. Do you think it's fine to keep Comodo Internet Security, or do you REALLY REALLY recommend I switch to avast! or Avira? (BTW I used Avira before, wasn't bad)

I know I'm being annoying, and I'm sorry

No need to apologize, you are not being annoying. That is what I am here for ;)

Also, welcome to the Honorary Members group!

Comodo Internet Security is a solid application and has a great firewall. I am not sure about their AntiVirus because I have never used it, but it all comes down to a few things:

  • Usability - How it runs on your computer alongside your other software
  • Performance - How it does on system resources/system slow down and speed
  • Protection - How well it protects you
  • Ease of use - How user friendly the program is

I like Avira and OnlineArmor because I have used both in the past, and can speak for the level of protection they offer.

But in the end, I would go with the application that works best for you. All of the programs I mentioned and Comodo Internet Security are great security applications, so I would choose what is best for you.

Hope that makes sense :)


OK, I installed Avira AntiVir, I really like it. But after I installed it, it came up with malware...

Here is what it said.

Virus or unwanted program 'TR/Patched.Gen2 [trojan]'

detected in file 'C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp\CAV1E.tmp.

Action performed: Allow access

Virus or unwanted program 'TR/Patched.Gen2 [trojan]'

detected in file 'C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp\CAV19.tmp.

Action performed: Allow access

Virus or unwanted program 'TR/Patched.Gen2 [trojan]'

detected in file 'C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp\CAV15.tmp.

Action performed: Allow access

Virus or unwanted program 'TR/Crypt.CFI.Gen [trojan]'

detected in file 'C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp\CAVF.tmp.

Action performed: Allow access

Virus or unwanted program 'TR/Crypt.CFI.Gen [trojan]'

detected in file 'C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp\CAVA.tmp.

Action performed: Allow access

I have disabled Comodo antivirus in the Internet Security settings, and I have set the configuration to Firewall instead of Proactive.

So I did a Malwarebytes scan:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6556

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

11/05/2011 19:08:05

mbam-log-2011-05-11 (19-08-04).txt

Scan type: Quick scan

Objects scanned: 149032

Time elapsed: 11 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

What's going on? Thanks


What Avira is detecting is the malware that was already caught by Comodo and stored in quarantine.

So there is no need to worry. You can do one of two things. Completely clean out the files in Comodo Quarantine, or have Avira remove what it detects.

Also, you can re-enable Comodo.


I looked in Comodo and there is nothing in there, I looked in the quarantine. Nothing in there, yet Avira every now and then keeps saying there's a trojan or something.

Virus or unwanted program 'TR/Patched.Gen2 [trojan]'

detected in file 'C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp\CAV466.tmp.

Action performed: Allow access

That's what it says...


Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**

These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.


GMER 1.0.15.15627 - http://www.gmer.net

Rootkit quick scan 2011-05-24 12:55:59

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-17 ST3160812AS rev.3.ADJ

Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\axtdypow.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateKey [0xAA76A864]

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateValueKey [0xAA76AABA]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

---- EOF - GMER 1.0.15 ----

No rootkit...


Hi Otherguyx,

Please download Dr.Web CureIt. Save it to your desktop:

  • Double-click the drweb-cureit.exe file and click Scan to run an express scan. Click OK in the pop-up window to allow the scan.
  • This will scan the files currently running in memory and, if something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, select Complete scan.
  • Click the green arrow at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Note: this report may need to be renamed to Dr.Web.txt in order to post it on the forum.
  • Please post the Dr.Web.txt report in your next reply.
  • Close Dr.Web CureIt.
  • Important! Reboot your computer, because it is possible that files in use will be moved/deleted during reboot.

NOTE: During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.


Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member.

This applies only to the original topic starter. Everyone else please begin a New Topic.


OK, here is the log file for Dr.Web:

GoogleDesktopSetup.exe;C:\Documents and Settings\Administrator\Desktop\Firefox Downloads;Trojan.DownLoader3.14089;Incurable.Moved.;

A0000229.exe;C:\Program Files\COMODO\COMODO Internet Security\Quarantine;Trojan.Inject.26087;;

A0009974.exe;C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP37;Trojan.DownLoader3.14089;Incurable.Moved.;

A few words of notice... I haven't had time to do the full scan, but I tried doing the scan a few times before. The first time I did it, it found a virus during the express scan, but I forgot to save it :/ The second time I did a full scan, but my mom turned it off because she wanted to go on, so whether it found any viruses or not I'm not sure. The third time I did it, I did an express scan which found nothing and then a full scan which found what is in the log.

Also after this, my antiviruses started going all weird. My Comodo kept conflicting with the Dr.Web CureIt quarantine and kept asking to quarantine what was in the quarantine, so I pressed OK twice, then Ignore Forever the 3rd time. Now that it's in the quarantine of Comodo, my AntiVir keeps conflicting with the virus within the Comodo Internet Security quarantine...

This is very confusing. Also, every time it finds it and I press Remove, it sometimes brings up a "scanning" box that has just a tiny box with a progress bar and says scanning...

It's very annoying, please help. (I don't think I can do another scan.... so many exams and so little time, which is why there was a lack of feedback -_-) I recently did a full scan with Malwarebytes and nothing came up.


OK, my AntiVir just detected SPR hacktool or something, I'm getting very worried, and then my Comodo firewall just detected a Trojware.Win32.Patcher. It's all in c:\system volume information\restore{ something }. Please help, I'm getting worried.


OK, I've been looking through AntiVir, and it finds a virus every few seconds; although it doesn't report it, it says they are all in the Comodo quarantine. I just looked in my AntiVir quarantine and it has one of the Dr.Web CureIt quarantined files quarantined in AntiVir. It's the TR\Crypt.ZPack one.... There are also 2 files from the System Restore area that are trojans in the Comodo quarantine. This is worrying.


ComboFix 11-06-17.04 - Administrator 18/06/2011 11:28:21.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.759.497 [GMT 1:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

AV: COMODO Antivirus *Disabled/Updated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}

FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

.

.

((((((((((((((((((((((((( Files Created from 2011-05-18 to 2011-06-18 )))))))))))))))))))))))))))))))

.

.

2011-06-16 12:52 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys

2011-06-15 16:52 . 2011-06-15 16:52 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-15 16:46 . 2011-06-17 18:46 -------- d-----w- c:\windows\system32\NtmsData

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-05-29 08:11 . 2011-02-24 12:25 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 08:11 . 2011-02-24 12:25 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-10 18:29 . 2010-12-29 01:42 284744 ----a-w- c:\windows\system32\guard32.dll

2011-05-10 18:29 . 2011-01-06 17:37 97504 ----a-w- c:\windows\system32\drivers\inspect.sys

2011-05-10 18:29 . 2011-01-06 17:37 29400 ----a-w- c:\windows\system32\drivers\cmdhlp.sys

2011-05-10 18:29 . 2011-01-06 17:37 17416 ----a-w- c:\windows\system32\drivers\cmderd.sys

2011-05-10 18:29 . 2011-01-06 17:37 242472 ----a-w- c:\windows\system32\drivers\cmdGuard.sys

2011-05-02 15:31 . 2004-08-04 07:56 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 16:19 . 2004-08-04 06:15 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:11 . 2004-08-04 07:56 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11 . 2004-08-04 07:56 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-04-25 16:11 . 2004-08-04 07:56 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-04-25 12:01 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec

2011-04-21 13:37 . 2004-08-04 06:15 105472 ----a-w- c:\windows\system32\drivers\mup.sys

2011-04-20 10:42 . 2011-04-20 10:42 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-04-20 10:42 . 2011-04-20 10:42 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-04-01 16:07 . 2011-05-11 17:44 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-04-01 16:07 . 2009-11-06 11:16 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-04-29 11:34 . 2011-03-23 16:57 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2009-12-23 15:40 . 2009-12-23 15:40 151392 ----a-w- c:\program files\mozilla firefox\components\FFConnectorLauncher.dll

2009-12-23 15:40 . 2009-12-23 15:40 296800 ----a-w- c:\program files\mozilla firefox\components\FFSource.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

"Taskbar Shuffle"="c:\program files\Taskbar Shuffle\taskbarshuffle.exe" [2008-04-17 818176]

"OpenDNS Updater"="c:\program files\OpenDNS Updater\OpenDNSUpdater.exe" [2010-06-16 839680]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MAKTray"="MAKTray.exe" [2004-08-28 287232]

"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]

"LayoutM"="KLayMgr.exe" [2004-08-17 45056]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]

"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-05-10 2552648]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Dropbox.lnk - c:\documents and settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp WinStyler\WinStyler\tu_logonui.exe"

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\guard32.dll

.

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Thoosje Sevenbar.lnk]

backup=c:\windows\pss\Thoosje Sevenbar.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]

backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Nokia Ovi Suite.lnk]

backup=c:\windows\pss\Nokia Ovi Suite.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]

c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DrvIcon]

2008-04-13 12:39 49152 ----a-w- c:\program files\Vista Drive Icon\DrvIcon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-01-15 22:15 135664 ----atw- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

2008-10-25 11:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDDHealth]

2008-06-15 12:14 1692672 ----a-w- c:\program files\HDD Health\hddhealth.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2009-07-26 16:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerBlock]

2010-11-06 22:24 1867888 ----a-w- c:\program files\PeerBlock\peerblock.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

2008-11-02 08:38 167936 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-09-05 01:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"TwonkyMedia"=2 (0x2)

"gusvc"=3 (0x3)

"gupdate"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Nokia\\Nokia Home Media Server\\Media Server\\twonkymedia.exe"=

"c:\\Program Files\\Nokia\\Nokia Home Media Server\\Media Server\\twonkymediaserver.exe"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Opera\\opera.exe"=

"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=

"c:\\Documents and Settings\\Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

.

R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [06/01/2011 18:37 17416]

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [06/01/2011 18:37 242472]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [06/01/2011 18:37 29400]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/05/2011 18:44 136360]

R2 isposure_svc;IsposureAgent;c:\program files\isposure\IsposureAgent.exe [23/10/2008 09:43 761856]

S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [07/11/2009 05:04 133104]

S4 TwonkyMedia;TwonkyMedia;c:\program files\Nokia\Nokia Home Media Server\Media Server\TwonkyMedia.exe -serviceversion 0 --> c:\program files\Nokia\Nokia Home Media Server\Media Server\TwonkyMedia.exe -serviceversion 0 [?]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

.

2011-06-18 c:\windows\Tasks\User_Feed_Synchronization-{6A9071D3-A675-4FAE-A484-C92EDCEB6AC5}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com/

uDefault_Search_URL = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Trusted Zone: kuaiche.com\software

TCP: DhcpNameServer = 208.67.222.222 208.67.220.220

TCP: Interfaces\{49A9F860-294F-47B0-8D00-D4EA9BAC7570}: NameServer = 208.67.222.222,208.67.220.220

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9surc6kn.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.startup.homepage - google.co.uk

FF - user.js: browser.cache.memory.capacity - 16000

FF - user.js: browser.chrome.favicons - fales

FF - user.js: browser.display.show_image_placeholders - true

FF - user.js: browser.turbo.enabled - true

FF - user.js: browser.urlbar.autocomplete.enabled - true

FF - user.js: browser.urlbar.autocomplete.enabled - true

FF - user.js: browser.urlbar.autofill - true

FF - user.js: content.max.tokenizing.time - 3000000

FF - user.js: content.maxtextrun - 4095

FF - user.js: content.notify.backoffcount - 5

FF - user.js: content.notify.interval - 1000000

FF - user.js: content.notify.ontimer - true

FF - user.js: content.switch.threshold - 1000000

FF - user.js: dom.disable_window_status_change - true

FF - user.js: network.http.max-connections - 48

FF - user.js: network.http.max-connections-per-server - 16

FF - user.js: network.http.max-persistent-connections-per-proxy - 16

FF - user.js: network.http.max-persistent-connections-per-server - 8

FF - user.js: network.http.pipelining - true

FF - user.js: network.http.pipelining.firstrequest - true

FF - user.js: network.http.pipelining.maxrequests - 8

FF - user.js: network.http.proxy.pipelining - true

FF - user.js: network.http.request.max-start-delay - 0

FF - user.js: nglayout.initialpaint.delay - 1000

FF - user.js: plugin.expose_full_path - true

FF - user.js: ui.submenuDelay - 0

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-18 11:35

Windows 5.1.2600 Service Pack 3 NTFS

.

detected NTDLL code modification:

ZwClose, ZwOpenFile

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1791258860-1228881605-2768951137-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a7,2b,8b,8b,d5,26,5a,4e,8e,49,ab,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,22,30,29,e6,2d,54,7e,48,9e,a8,62,\

"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a7,2b,8b,8b,d5,26,5a,4e,8e,49,ab,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(936)

c:\windows\system32\guard32.dll

.

- - - - - - - > 'lsass.exe'(992)

c:\windows\system32\guard32.dll

.

- - - - - - - > 'explorer.exe'(2320)

c:\windows\system32\WININET.dll

c:\windows\system32\guard32.dll

c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2011-06-18 11:38:40

ComboFix-quarantined-files.txt 2011-06-18 10:38

.

Pre-Run: 104,286,674,944 bytes free

Post-Run: 105,419,522,048 bytes free

.

- - End Of File - - 9D35621744C5A8D9524DA02D89813DF5

There you go :)


Sorry for the delay.

although it doesn't report it, it says they are all in the Comodo quarantine. I just looked in my AntiVir quarantine and it has one of the Dr.Web CureIt quarantined files quarantined in AntiVir. It's the TR\Crypt.ZPack one.

Since they are in quarantine, they cannot harm your system. Avira is just detecting them from the DrWeb and Comodo quarantine. The best way to stop the popups is to delete the files in both DrWeb and Comodo quarantine.

There are also 2 files from the System Restore area that are trojans in the Comodo quarantine. This is worrying.

These are not worrisome because once we reset your restore points, they will be gone.

Please let me know if you are successful at deleting the files in Comodo and DrWeb quarantine.
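The triage rule the helper applies here (a hit inside another scanner's quarantine or inside a System Restore point is an inert copy, not a live infection) can be automated over the two alert shapes quoted in this thread. The following Python is an added example, not code from the thread or from Avira, Comodo or Dr.Web: it parses Avira-style alert text and Dr.Web CureIt's semicolon-separated report rows, then sorts each detection by where the flagged file lives. Only Comodo's quarantine folder is known from the thread; the sample alert and report lines are constructed from the paths the thread shows.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample Avira AntiVir alert text, shaped like the alerts quoted in
# the thread. Note the trailing '.' and missing closing quote after the path,
# exactly as the alerts were posted; the parser tolerates both.
AVIRA_SAMPLE = (
    "Virus or unwanted program 'TR/Patched.Gen2 [trojan]'\n"
    "detected in file 'C:\\Program Files\\COMODO\\COMODO Internet Security\\Quarantine\\Temp\\CAV1E.tmp.\n"
    "Action performed: Allow access\n"
    "Virus or unwanted program 'TR/Crypt.CFI.Gen [trojan]'\n"
    "detected in file 'C:\\Program Files\\COMODO\\COMODO Internet Security\\Quarantine\\Temp\\CAVF.tmp.\n"
    "Action performed: Allow access\n"
)

# Constructed sample Dr.Web CureIt report rows (file;folder;threat;action;),
# shaped like the CSV quoted in the thread.
DRWEB_SAMPLE = (
    "GoogleDesktopSetup.exe;C:\\Documents and Settings\\Administrator\\Desktop\\Firefox Downloads;Trojan.DownLoader3.14089;Incurable.Moved.;\n"
    "A0000229.exe;C:\\Program Files\\COMODO\\COMODO Internet Security\\Quarantine;Trojan.Inject.26087;;\n"
    "A0009974.exe;C:\\System Volume Information\\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\\RP37;Trojan.DownLoader3.14089;Incurable.Moved.;\n"
)


@dataclass
class Detection:
    source: str   # which scanner reported it
    threat: str   # detection name as the scanner printed it
    path: str     # full path of the flagged file


# Folders that belong to another product's quarantine. Only Comodo's folder is
# known from the thread; other products' quarantine paths would be added here
# (assumption: the list is site-specific).
QUARANTINE_MARKERS = ("\\comodo internet security\\quarantine\\",)

# Windows XP System Restore keeps file copies under these folders.
RESTORE_POINT_RE = re.compile(
    r"\\system volume information\\_restore\{[0-9a-f-]+\}\\", re.IGNORECASE
)

# Two-line Avira alert: threat on one line, path on the next. The path may be
# followed by an optional closing quote and/or a sentence-ending period.
AVIRA_RE = re.compile(
    r"Virus or unwanted program '(?P<threat>[^']+)'\s*\n"
    r"detected in file '(?P<path>.+?)'?\.?\s*\n"
)


def parse_avira(text: str) -> List[Detection]:
    """Pull (threat, path) pairs out of Avira AntiVir Desktop alert text."""
    return [Detection("avira", m["threat"], m["path"]) for m in AVIRA_RE.finditer(text)]


def parse_drweb(text: str) -> List[Detection]:
    """Parse Dr.Web CureIt report rows of the form file;folder;threat;action;"""
    out: List[Detection] = []
    for line in text.splitlines():
        fields = line.split(";")
        if len(fields) < 3 or not fields[0]:
            continue
        name, folder, threat = fields[0], fields[1], fields[2]
        out.append(Detection("drweb", threat, folder.rstrip("\\") + "\\" + name))
    return out


def classify(path: str) -> str:
    """Decide whether a detection points at a live file or at an inert copy."""
    lower = path.lower()
    if any(marker in lower for marker in QUARANTINE_MARKERS):
        return "other-product-quarantine"   # already neutralised; empty that quarantine
    if RESTORE_POINT_RE.search(lower):
        return "restore-point-copy"         # disappears when restore points are purged
    return "live-file"                      # the only bucket that needs investigation


def triage(detections: Iterable[Detection]) -> Dict[str, List[Detection]]:
    """Group detections by what they actually mean for the host."""
    buckets: Dict[str, List[Detection]] = {
        "live-file": [], "other-product-quarantine": [], "restore-point-copy": []
    }
    for d in detections:
        buckets[classify(d.path)].append(d)
    return buckets


if __name__ == "__main__":
    result = triage(parse_avira(AVIRA_SAMPLE) + parse_drweb(DRWEB_SAMPLE))
    for bucket, items in result.items():
        print(f"{bucket}: {len(items)}")
        for d in items:
            print(f"  [{d.source}] {d.threat} -> {d.path}")
```

On the constructed sample this leaves exactly one live-file hit (the download on the Desktop) and files four others as quarantine or restore-point copies, which is the split the helper describes in words.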


OK, so I deleted the stuff in the Comodo quarantine. I think I have. I just clicked Delete.

How do I delete the stuff from the Dr.Web CureIt quarantine?

Also, how do I stop the AntiVir things? I have also deleted the one virus in the AntiVir quarantine. But every time it detects something it keeps coming up with that scanning box. It keeps saying it has found like 14 or 22 or something viruses...

How do I clean the System Restore thing? I'm worried about this because I've already cleaned it before (remember I cleaned it with you before when we reset everything), and even before this thread even started I cleaned it, but the virus keeps coming back from System Restore.
