TechSpot

Generic files found on computer

By Milkshake
Nov 11, 2010
  1. Note: I have posted multiple times due to my GMER file being over 200KB and over the 50K character limit... sorry if this causes any trouble :(

    I have Windows XP
    so my brother put a virus on my computer... again...
    I accessed a hidden folder and McAfee immediately notified me that it deleted a file called "SecurityCheck.exe" from the folder I was looking at and said it was a trojan. I scanned my computer after that and found 2 weird generic files which were also designated as trojans...

    I assume that these might come back so I am wondering if I can get help disinfecting my computer...
    Do these trojans steal information?

    GMER is copy/pasted, the rest of the logs are attached.

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2010-11-11 08:10:04
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST9120822AS rev.3.CLF
    Running: 9rvd6sgn.exe; Driver: C:\DOCUME~1\PETERC~1\LOCALS~1\Temp\pxtdakog.sys


    ---- System - GMER 1.0.15 ----

    SSDT spbi.sys ZwCreateKey [0xB9EB50E0]
    SSDT spbi.sys ZwEnumerateKey [0xB9ECDDA4]
    SSDT spbi.sys ZwEnumerateValueKey [0xB9ECE132]
    SSDT spbi.sys ZwOpenKey [0xB9EB50C0]
    SSDT spbi.sys ZwQueryKey [0xB9ECE20A]
    SSDT spbi.sys ZwQueryValueKey [0xB9ECE08A]
    SSDT spbi.sys ZwSetValueKey [0xB9ECE29C]
    SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB734C620]

    INT 0x62 ? 8A6D8BF8
    INT 0x63 ? 8A4DFBF8
    INT 0x73 ? 8A4DFBF8
    INT 0x74 ? 8A4DFBF8
    INT 0x82 ? 8A6D8BF8
    INT 0x83 ? 8A4DFBF8
    INT 0x84 ? 8A4DFBF8
    INT 0x94 ? 8A4DFBF8
    INT 0xB4 ? 8A4DFBF8

    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB4ABD1B1]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB4ABD1DB]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB4ABD145]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB4ABD171]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB4ABD205]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB4ABD1C5]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB4ABD15B]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB4ABD19D]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB4ABD21B]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB4ABD1EF]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP B4ABD1F3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B4ABD1B5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtMapViewOfSection 805B1FE6 7 Bytes JMP B4ABD209 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2DF4 5 Bytes JMP B4ABD21F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83CA 7 Bytes JMP B4ABD1C9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateProcess 805D11EA 5 Bytes JMP B4ABD1DF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwTerminateProcess 805D2982 5 Bytes JMP B4ABD1A1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwRenameKey 806231EA 7 Bytes JMP B4ABD15F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwDeleteKey 80623C64 7 Bytes JMP B4ABD149 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E34 7 Bytes JMP B4ABD175 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    ? spbi.sys The system cannot find the file specified. !
    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8B6B360, 0x388D2D, 0xE8000020]
    .text USBPORT.SYS!DllUnload B8B0A8AC 5 Bytes JMP 8A4DF1D8
    .text aspvqz95.SYS B89C9386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
    .text aspvqz95.SYS B89C93AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
    .text aspvqz95.SYS B89C93C4 3 Bytes [00, 80, 02]
    .text aspvqz95.SYS B89C93C9 1 Byte [30]
    .text aspvqz95.SYS B89C93C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
    .text ...

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\svchost.exe[312] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A10000
    .text C:\WINDOWS\system32\svchost.exe[312] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A10062
    .text C:\WINDOWS\system32\svchost.exe[312] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A10051
    .text C:\WINDOWS\system32\svchost.exe[312] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A10036
    .text C:\WINDOWS\system32\svchost.exe[312] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A10F83
    .text C:\WINDOWS\system32\svchost.exe[312] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A10F94
    .text C:\WINDOWS\system32\svchost.exe[312] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A1008E
    .text C:\WINDOWS\system32\svchost.exe[312] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A1007D
    .text C:\WINDOWS\system32\svchost.exe[312] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A10F10
    .text C:\WINDOWS\system32\svchost.exe[312] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A10F21
    .text C:\WINDOWS\system32\svchost.exe[312] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A10EFF
    .text C:\WINDOWS\system32\svchost.exe[312] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A1001B
    .text C:\WINDOWS\system32\svchost.exe[312] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A10FDB
    .text C:\WINDOWS\system32\svchost.exe[312] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A10F52
    .text C:\WINDOWS\system32\svchost.exe[312] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A10FAF
    .text C:\WINDOWS\system32\svchost.exe[312] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A10FC0
    .text C:\WINDOWS\system32\svchost.exe[312] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A1009F
    .text C:\WINDOWS\system32\svchost.exe[312] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A00FC3
    .text C:\WINDOWS\system32\svchost.exe[312] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A00F97
    .text C:\WINDOWS\system32\svchost.exe[312] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A00FD4
    .text C:\WINDOWS\system32\svchost.exe[312] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A00FE5
    .text C:\WINDOWS\system32\svchost.exe[312] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A00054
    .text C:\WINDOWS\system32\svchost.exe[312] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A0000A
    .text C:\WINDOWS\system32\svchost.exe[312] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A00039
    .text C:\WINDOWS\system32\svchost.exe[312] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A00FB2
    .text C:\WINDOWS\system32\svchost.exe[312] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009F0047
    .text C:\WINDOWS\system32\svchost.exe[312] msvcrt.dll!system 77C293C7 5 Bytes JMP 009F0FBC
    .text C:\WINDOWS\system32\svchost.exe[312] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009F0011
    .text C:\WINDOWS\system32\svchost.exe[312] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009F0FE3
    .text C:\WINDOWS\system32\svchost.exe[312] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009F002C
    .text C:\WINDOWS\system32\svchost.exe[312] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009F0000
    .text C:\WINDOWS\system32\svchost.exe[312] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006C000A
    .text C:\WINDOWS\Explorer.EXE[1120] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0439000A
    .text C:\WINDOWS\Explorer.EXE[1120] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 04390091
    .text C:\WINDOWS\Explorer.EXE[1120] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 04390F9C
    .text C:\WINDOWS\Explorer.EXE[1120] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 04390080
    .text C:\WINDOWS\Explorer.EXE[1120] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0439006F
    .text C:\WINDOWS\Explorer.EXE[1120] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0439004A
    .text C:\WINDOWS\Explorer.EXE[1120] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 043900DA
    .text C:\WINDOWS\Explorer.EXE[1120] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 043900BD
    .text C:\WINDOWS\Explorer.EXE[1120] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 043900FF
    .text C:\WINDOWS\Explorer.EXE[1120] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 04390F66
    .text C:\WINDOWS\Explorer.EXE[1120] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 04390F4B
    .text C:\WINDOWS\Explorer.EXE[1120] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 04390FCD
    .text C:\WINDOWS\Explorer.EXE[1120] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0439001B
    .text C:\WINDOWS\Explorer.EXE[1120] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 043900AC
    .text C:\WINDOWS\Explorer.EXE[1120] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 04390FDE
    .text C:\WINDOWS\Explorer.EXE[1120] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 04390FEF
    .text C:\WINDOWS\Explorer.EXE[1120] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 04390F77
    .text C:\WINDOWS\Explorer.EXE[1120] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 04380FE5
    .text C:\WINDOWS\Explorer.EXE[1120] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 04380076
    .text C:\WINDOWS\Explorer.EXE[1120] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0438002C
    .text C:\WINDOWS\Explorer.EXE[1120] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0438001B
    .text C:\WINDOWS\Explorer.EXE[1120] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 04380FAF
    .text C:\WINDOWS\Explorer.EXE[1120] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0438000A
    .text C:\WINDOWS\Explorer.EXE[1120] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0438005B
    .text C:\WINDOWS\Explorer.EXE[1120] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 04380FD4
    .text C:\WINDOWS\Explorer.EXE[1120] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 04370070
    .text C:\WINDOWS\Explorer.EXE[1120] msvcrt.dll!system 77C293C7 5 Bytes JMP 0437005F
    .text C:\WINDOWS\Explorer.EXE[1120] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 04370FE5
    .text C:\WINDOWS\Explorer.EXE[1120] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0437000C
    .text C:\WINDOWS\Explorer.EXE[1120] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 04370044
    .text C:\WINDOWS\Explorer.EXE[1120] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0437001D
    .text C:\WINDOWS\Explorer.EXE[1120] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 02660FEF
    .text C:\WINDOWS\Explorer.EXE[1120] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 02660FDE
    .text C:\WINDOWS\Explorer.EXE[1120] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 0266000A
    .text C:\WINDOWS\Explorer.EXE[1120] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 02660FB9
    .text C:\WINDOWS\Explorer.EXE[1120] WS2_32.dll!socket 71AB4211 5 Bytes JMP 04360000
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE0FEF
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE005B
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE0F70
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE004A
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE0F8D
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE0FB2
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE008A
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE0F38
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE0EF1
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE0F16
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE00AF
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE002F
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE0FDE
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE0F55
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE0FC3
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE0014
    .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE0F27
    .text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00660FA8
    .text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00660036
    .text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00660FB9
    .text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00660FCA
    .text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0066001B
    .text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00660FE5
    .text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00660F79
    .text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [86, 88]
    .text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0066000A
    .text C:\WINDOWS\system32\svchost.exe[1272] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00650FA6
    .text C:\WINDOWS\system32\svchost.exe[1272] msvcrt.dll!system 77C293C7 5 Bytes JMP 00650FB7
    .text C:\WINDOWS\system32\svchost.exe[1272] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00650FE3
    .text C:\WINDOWS\system32\svchost.exe[1272] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00650000
    .text C:\WINDOWS\system32\svchost.exe[1272] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00650FD2
    .text C:\WINDOWS\system32\svchost.exe[1272] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0065001D
    .text C:\WINDOWS\system32\svchost.exe[1272] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00630000
    .text C:\WINDOWS\system32\svchost.exe[1272] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00630011
    .text C:\WINDOWS\system32\svchost.exe[1272] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00630022
    .text C:\WINDOWS\system32\svchost.exe[1272] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00630047
    .text C:\WINDOWS\system32\svchost.exe[1272] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00640000
    .text C:\WINDOWS\system32\services.exe[1372] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FE0FE5
    .text C:\WINDOWS\system32\services.exe[1372] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FE0F26
    .text C:\WINDOWS\system32\services.exe[1372] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FE0F4B
    .text C:\WINDOWS\system32\services.exe[1372] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FE0F68
    .text C:\WINDOWS\system32\services.exe[1372] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FE0F79
    .text C:\WINDOWS\system32\services.exe[1372] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FE0FAF
    .text C:\WINDOWS\system32\services.exe[1372] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FE0F04
    .text C:\WINDOWS\system32\services.exe[1372] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FE004C
    .text C:\WINDOWS\system32\services.exe[1372] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FE0EDF
    .text C:\WINDOWS\system32\services.exe[1372] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FE0078
    .text C:\WINDOWS\system32\services.exe[1372] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FE0089
    .text C:\WINDOWS\system32\services.exe[1372] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FE0F94
    .text C:\WINDOWS\system32\services.exe[1372] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FE0000
    .text C:\WINDOWS\system32\services.exe[1372] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FE0F15
    .text C:\WINDOWS\system32\services.exe[1372] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FE0FC0
    .text C:\WINDOWS\system32\services.exe[1372] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FE0011
    .text C:\WINDOWS\system32\services.exe[1372] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FE0067
    .text C:\WINDOWS\system32\services.exe[1372] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FD0FCA
    .text C:\WINDOWS\system32\services.exe[1372] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FD0040
    .text C:\WINDOWS\system32\services.exe[1372] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FD0025
    .text C:\WINDOWS\system32\services.exe[1372] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FD000A
    .text C:\WINDOWS\system32\services.exe[1372] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FD0F83
    .text C:\WINDOWS\system32\services.exe[1372] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FD0FEF
    .text C:\WINDOWS\system32\services.exe[1372] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FD0F94
    .text C:\WINDOWS\system32\services.exe[1372] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1D, 89]
    .text C:\WINDOWS\system32\services.exe[1372] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FD0FB9
     


  2. Milkshake

    Milkshake TS Rookie Topic Starter

    GMER Cont. (4th)

    .text C:\WINDOWS\system32\svchost.exe[3336] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B90FE5
    .text C:\WINDOWS\system32\svchost.exe[3336] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B9006C
    .text C:\WINDOWS\system32\svchost.exe[3336] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B90F6D
    .text C:\WINDOWS\system32\svchost.exe[3336] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B90047
    .text C:\WINDOWS\system32\svchost.exe[3336] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B9002C
    .text C:\WINDOWS\system32\svchost.exe[3336] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B90FA5
    .text C:\WINDOWS\system32\svchost.exe[3336] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B90098
    .text C:\WINDOWS\system32\svchost.exe[3336] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B90F50
    .text C:\WINDOWS\system32\svchost.exe[3336] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B90F35
    .text C:\WINDOWS\system32\svchost.exe[3336] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B900C4
    .text C:\WINDOWS\system32\svchost.exe[3336] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B900DF
    .text C:\WINDOWS\system32\svchost.exe[3336] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B90F8A
    .text C:\WINDOWS\system32\svchost.exe[3336] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B90FD4
    .text C:\WINDOWS\system32\svchost.exe[3336] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B90087
    .text C:\WINDOWS\system32\svchost.exe[3336] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B9001B
    .text C:\WINDOWS\system32\svchost.exe[3336] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B9000A
    .text C:\WINDOWS\system32\svchost.exe[3336] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B900A9
    .text C:\WINDOWS\system32\svchost.exe[3336] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B80FC0
    .text C:\WINDOWS\system32\svchost.exe[3336] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B80051
    .text C:\WINDOWS\system32\svchost.exe[3336] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B80011
    .text C:\WINDOWS\system32\svchost.exe[3336] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B80000
    .text C:\WINDOWS\system32\svchost.exe[3336] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B80036
    .text C:\WINDOWS\system32\svchost.exe[3336] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B80FEF
    .text C:\WINDOWS\system32\svchost.exe[3336] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B80F94
    .text C:\WINDOWS\system32\svchost.exe[3336] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D8, 88]
    .text C:\WINDOWS\system32\svchost.exe[3336] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B80FA5
    .text C:\WINDOWS\system32\svchost.exe[3336] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B7002E
    .text C:\WINDOWS\system32\svchost.exe[3336] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B70FAD
    .text C:\WINDOWS\system32\svchost.exe[3336] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B7001D
    .text C:\WINDOWS\system32\svchost.exe[3336] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B70FEF
    .text C:\WINDOWS\system32\svchost.exe[3336] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B70FC8
    .text C:\WINDOWS\system32\svchost.exe[3336] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B7000C

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EB6042] spbi.sys
    IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EB613E] spbi.sys
    IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EB60C0] spbi.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EB6800] spbi.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EB66D6] spbi.sys
    IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EC5B90] spbi.sys
    IAT \SystemRoot\System32\Drivers\aspvqz95.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
    IAT \SystemRoot\System32\Drivers\aspvqz95.SYS[HAL.dll!READ_PORT_UCHAR] 1C959E88
    IAT \SystemRoot\System32\Drivers\aspvqz95.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
    IAT \SystemRoot\System32\Drivers\aspvqz95.SYS[HAL.dll!KfRaiseIrql] 00001CB1
    IAT \SystemRoot\System32\Drivers\aspvqz95.SYS[HAL.dll!KfLowerIrql] 0E798366
    IAT \SystemRoot\System32\Drivers\aspvqz95.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
    IAT \SystemRoot\System32\Drivers\aspvqz95.SYS[HAL.dll!HalTranslateBusAddress] 8986C636
    IAT \SystemRoot\System32\Drivers\aspvqz95.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
    IAT \SystemRoot\System32\Drivers\aspvqz95.SYS[HAL.dll!KfReleaseSpinLock] 1C8B86C6
    IAT \SystemRoot\System32\Drivers\aspvqz95.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
    IAT \SystemRoot\System32\Drivers\aspvqz95.SYS[HAL.dll!READ_PORT_USHORT] 001C9686
    IAT \SystemRoot\System32\Drivers\aspvqz95.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
    IAT \SystemRoot\System32\Drivers\aspvqz95.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CB2
    IAT \SystemRoot\System32\Drivers\aspvqz95.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
    IAT \SystemRoot\System32\Drivers\aspvqz95.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB99E

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 8A6641F8

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

    Device \FileSystem\Fastfat \FatCdrom 8A1BF1F8

    AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    Device \Driver\usbuhci \Device\USBPDO-0 8A4001F8
    Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A6661F8
    Device \Driver\dmio \Device\DmControl\DmConfig 8A6661F8
    Device \Driver\dmio \Device\DmControl\DmPnP 8A6661F8
    Device \Driver\dmio \Device\DmControl\DmInfo 8A6661F8
    Device \Driver\usbuhci \Device\USBPDO-1 8A4001F8
    Device \Driver\usbehci \Device\USBPDO-2 8A3F31F8
    Device \Driver\usbuhci \Device\USBPDO-3 8A4001F8
    Device \Driver\usbuhci \Device\USBPDO-4 8A4001F8

    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    Device \Driver\usbuhci \Device\USBPDO-5 8A4001F8
    Device \Driver\usbehci \Device\USBPDO-6 8A3F31F8
    Device \Driver\Ftdisk \Device\HarddiskVolume1 8A6D91F8
    Device \Driver\PCI_PNP9256 \Device\00000064 spbi.sys
    Device \Driver\Cdrom \Device\CdRom0 8A3AD1F8
    Device \Driver\Ftdisk \Device\HarddiskVolume2 8A6D91F8
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9DEBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort0 [B9DEBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort1 [B9DEBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [B9DEBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\Cdrom \Device\CdRom1 8A3AD1F8
    Device \Driver\NetBT \Device\NetBt_Wins_Export 89D001F8
    Device \Driver\NetBT \Device\NetbiosSmb 89D001F8

    AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    Device \Driver\usbuhci \Device\USBFDO-0 8A4001F8
    Device \Driver\usbuhci \Device\USBFDO-1 8A4001F8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89CEA1F8
    Device \Driver\usbehci \Device\USBFDO-2 8A3F31F8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector 89CEA1F8
    Device \Driver\usbuhci \Device\USBFDO-3 8A4001F8
    Device \Driver\usbuhci \Device\USBFDO-4 8A4001F8
    Device \Driver\Ftdisk \Device\FtControl 8A6D91F8
    Device \Driver\usbuhci \Device\USBFDO-5 8A4001F8
    Device \Driver\usbehci \Device\USBFDO-6 8A3F31F8
    Device \Driver\sptd \Device\3616359256 spbi.sys
    Device \Driver\aspvqz95 \Device\Scsi\aspvqz951Port2Path0Target0Lun0 8A48F1F8
    Device \Driver\aspvqz95 \Device\Scsi\aspvqz951 8A48F1F8
    Device \FileSystem\Fastfat \Fat 8A1BF1F8

    AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

    Device \FileSystem\Cdfs \Cdfs 8A1C0500
    Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x08 0x8D 0x80 0xD4 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x34 0xC2 0xD4 0xE8 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x73 0x6B 0x12 0x90 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x08 0x8D 0x80 0xD4 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x34 0xC2 0xD4 0xE8 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x73 0x6B 0x12 0x90 ...
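    To make a log this long tractable, here is an added example (my own Python, not GMER's code and not something the helper posted) that parses the GMER line formats quoted above and separates the hooks GMER attributes to a named vendor from the entries that still need an explanation: an owner file GMER could not find, an owner module with no vendor string, or a jump to a bare address with no module behind it. The sample log embedded in it is constructed from a handful of lines modelled on this thread's log, and the line patterns are my reading of the GMER 1.0.15 record kinds that appear here, nothing more.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a few lines modelled on the GMER sections quoted in this
# thread (one or two per section), not the full log.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT spbi.sys ZwCreateKey [0xB9EB50E0]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB734C620]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB4ABD1B1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B4ABD1B5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? spbi.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B8B0A8AC 5 Bytes JMP 8A4DF1D8

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[312] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A10000
.text C:\WINDOWS\Explorer.EXE[1120] WS2_32.dll!socket 71AB4211 5 Bytes JMP 04360000

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EB6042] spbi.sys
IAT \SystemRoot\System32\Drivers\aspvqz95.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
"""

# Line patterns are my reading of the GMER 1.0.15 formats shown in the thread
# (assumption); they cover only the record kinds that appear there.
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER")
SSDT_RE = re.compile(r"^(?P<kind>SSDT|Code)\s+(?P<owner>.+?)(?:\s+\((?P<vendor>[^)]*)\))?"
                     r"\s+(?P<func>\w+)(?:\s+\[0x[0-9A-Fa-f]+\])?$")
JMP_RE = re.compile(r"^(?P<section>\S+)\s+(?:(?P<process>.+?\[\d+\])\s+)?(?P<image>[^\s!]+)!(?P<func>\S+)"
                    r"\s+[0-9A-F]+\s+\d+\s+Bytes?\s+JMP\s+(?P<target>[0-9A-F]+)"
                    r"(?:\s+(?P<owner>\S+)(?:\s+\((?P<vendor>[^)]*)\))?)?$")
MISSING_RE = re.compile(r"^\?\s+(?P<owner>\S+)\s+(?P<msg>.+?)\s*!?\s*$")
IAT_RE = re.compile(r"^IAT\s+(?P<image>.+?)\[(?P<imp>[^\]]+)\]\s+"
                    r"(?:\[[0-9A-F]+\]\s+(?P<owner>\S+)|(?P<raw>[0-9A-F]+))$")


def parse_gmer(text):
    """Turn GMER log text into hook records.

    Each record has section, kind, target (what is hooked), owner (the module
    GMER attributes the hook to, None when only a bare address is shown),
    vendor (GMER's parenthesised description) and a free-form note.
    """
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            section = m["name"]
        elif (m := SSDT_RE.match(line)):
            records.append(dict(section=section, kind=m["kind"], target=m["func"],
                                owner=m["owner"], vendor=m["vendor"], note=None))
        elif (m := MISSING_RE.match(line)):
            records.append(dict(section=section, kind="missing", target=None,
                                owner=m["owner"], vendor=None, note=m["msg"]))
        elif (m := JMP_RE.match(line)):
            target = f"{m['image']}!{m['func']}"
            if m["process"]:
                target = f"{m['process']} {target}"   # user-mode hook: name the process
            records.append(dict(section=section, kind="inline", target=target,
                                owner=m["owner"], vendor=m["vendor"], note=f"JMP {m['target']}"))
        elif (m := IAT_RE.match(line)):
            records.append(dict(section=section, kind="IAT", target=f"{m['image']}[{m['imp']}]",
                                owner=m["owner"], vendor=None,
                                note=None if m["owner"] else f"raw {m['raw']}"))
        else:
            records.append(dict(section=section, kind="other", target=line,
                                owner=None, vendor=None, note="unparsed"))
    return records


def triage(records):
    """Split hooks into vendor-attributed ones and ones that still need an explanation.

    'needs review' means unexplained, not malicious: a virtual-drive driver and a
    security product both hook the kernel, so each owner in this list is a
    question to answer, not a verdict.
    """
    attributed, review = Counter(), defaultdict(list)
    for r in records:
        if r["kind"] == "other":
            continue
        if r["vendor"]:
            attributed[r["owner"]] += 1
        elif r["kind"] == "missing":
            review[r["owner"]].append(f"owner file not found: {r['note']}")
        elif r["owner"]:
            review[r["owner"]].append(f"{r['kind']} hook on {r['target']} (no vendor attribution)")
        else:
            review["<unattributed address>"].append(f"{r['kind']} hook on {r['target']} ({r['note']})")
    return {"attributed": dict(attributed), "needs_review": dict(review)}


if __name__ == "__main__":
    result = triage(parse_gmer(SAMPLE_LOG))
    for owner, n in result["attributed"].items():
        print(f"attributed {n:3d}  {owner}")
    for owner, items in result["needs_review"].items():
        print(f"review     {len(items):3d}  {owner}")
        for item in items:
            print(f"             - {item}")
```

    Run it and the McAfee (mfehidk.sys) and SUPERAntiSpyware hooks land in the attributed bucket, while spbi.sys and the bare-address jumps come out as the short list to ask about. On the real log, the registry section above ties the sptd service to a DAEMON Tools Lite install path, which is the kind of explanation this triage is meant to prompt; what it buys you is a handful of owners to account for instead of several hundred lines to read.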
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot. I'll help with the malware.

    Sorry, a part of the GMER instructions appears to have gone missing! It said to be sure not to check Show All. The length of the log is why. I won't have you repost the logs you attached; I've checked them and I won't have to do a lot of copy and paste. But I would like all of the following logs to be pasted in; use multiple posts if needed.
    ==================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ======================================
    Please download ComboFix from Here and save to your Desktop.

    [1]. Do NOT rename Combofix unless instructed.
    [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If Combofix asks you to install Recovery Console, please allow it.
    [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
    ================================
    FYI: We do use a program named Security Check. It is a legitimate program that allows us to see all of the security programs and if they are current. The download that is saved to the desktop is SecurityCheck.exe. McAfee sometimes gives us a fit flagging legitimate processes. So be sure you disable it per the instructions for both the Eset online scanner and Combofix.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Stop! No more GMER entries! Due to a missing edit in the GMER instructions, an excess of entries are being displayed. I have reviewed all of the GMER log sections and deleted the excess sections.

    Any section with appropriate content has been preserved. Sorry you had this trouble.

    You should be able to post easier now. I'm checking the other logs. In the meantime, please run the Eset online scan and Combofix.
     
  5. Milkshake

    Milkshake TS Rookie Topic Starter

    ok

    Sorry for all the trouble, i wasn't sure what to do when the forums wouldn't let me post for 3-4 hours...

    I haven't done combofix yet, kind of busy these last couple days. I'll post as soon as i get the chance too.

    Here's the ESET

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=7.00.6000.17055 (vista_gdr.100414-0533)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=af3bf7b3dcfb0f4d896950d307cf3eea
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-08-03 02:40:31
    # local_time=2010-08-02 10:40:31 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=166378
    # found=7
    # cleaned=0
    # scan_time=5904
    C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP485\A0097185.dll a variant of Win32/Kryptik.FSJ trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP485\A0097232.dll a variant of Win32/Kryptik.FSJ trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP485\A0097312.dll a variant of Win32/Kryptik.FSJ trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP485\A0097351.dll a variant of Win32/Kryptik.FSJ trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP489\A0098210.dll Win32/Agent.QXV trojan 00000000000000000000000000000000 I
    C:\YourStuffz\Media Stuffs\FreeRIP_AudioConverter\freeripmp3.exe a variant of Win32/Adware.ADON application 00000000000000000000000000000000 I
    # version=7
    # iexplore.exe=7.00.6000.17080 (vista_gdr.100616-0452)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=af3bf7b3dcfb0f4d896950d307cf3eea
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2010-08-14 12:19:19
    # local_time=2010-08-13 08:19:19 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 273867 273867 0 0
    # compatibility_mode=8192 67108863 100 0 21050 21050 0 0
    # scanned=151595
    # found=0
    # cleaned=0
    # scan_time=5789
    # version=7
    # iexplore.exe=7.00.6000.17091 (vista_gdr.100824-1500)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=af3bf7b3dcfb0f4d896950d307cf3eea
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-11-13 11:47:58
    # local_time=2010-11-13 06:47:58 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 8220562 8220562 0 0
    # compatibility_mode=8192 67108863 100 0 7967745 7967745 0 0
    # scanned=183015
    # found=0
    # cleaned=0
    # scan_time=6015
     
  6. Milkshake

    Milkshake TS Rookie Topic Starter

    Combofix!

    ComboFix 10-11-12.04 - Peter Cha-zam 11/14/2010 15:53:49.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2014.1231 [GMT -5:00]
    Running from: c:\documents and settings\Peter Cha-zam\Desktop\ComboFix.exe
    AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\Thumbs.db

    .
    ((((((((((((((((((((((((( Files Created from 2010-10-14 to 2010-11-14 )))))))))))))))))))))))))))))))
    .

    No new files created in this timespan

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-18 16:23 . 2006-04-30 06:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2006-04-30 06:55 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2006-04-30 06:55 954368 ------w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2006-04-30 06:55 953856 ------w- c:\windows\system32\mfc40u.dll
    2010-09-09 13:38 . 2006-04-30 06:56 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-09-09 13:38 . 2006-04-30 06:55 1830912 ------w- c:\windows\system32\inetcpl.cpl
    2010-09-09 13:38 . 2006-04-30 06:55 78336 ------w- c:\windows\system32\ieencode.dll
    2010-09-09 13:38 . 2006-04-30 06:55 17408 ------w- c:\windows\system32\corpol.dll
    2010-09-08 15:57 . 2006-04-30 06:55 389120 ------w- c:\windows\system32\html.iec
    2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-01 11:51 . 2006-04-30 06:55 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42 . 2006-04-30 06:55 1852800 ------w- c:\windows\system32\win32k.sys
    2010-08-29 03:21 . 2010-08-29 03:21 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
    2010-08-27 08:02 . 2006-04-30 06:56 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57 . 2006-04-30 06:55 99840 ------w- c:\windows\system32\srvsvc.dll
    2010-08-26 13:39 . 2006-04-30 06:55 357248 ------w- c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-04-17 16:25 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12 . 2006-04-30 06:55 617472 ------w- c:\windows\system32\comctl32.dll
    2010-08-17 13:17 . 2006-04-30 06:55 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2008-03-09 11:25 . 2010-06-07 16:15 236 ----a-w- c:\program files\Common Files\dx.reg
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
    "Google Update"="c:\documents and settings\Peter Cha-zam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-18 135664]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
    "PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-09-21 200704]
    "BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-09-21 208896]
    "TpShocks"="TpShocks.exe" [2007-09-28 181544]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-09 1015808]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13549568]
    "TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
    "LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-03-22 120368]
    "AMSG"="c:\progra~1\THINKV~1\AMSG\amsg.exe" [2007-02-01 419376]
    "DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 196696]
    "ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 126976]
    "cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2007-08-03 2630968]
    "V0380Mon.exe"="c:\windows\V0380Mon.exe" [2007-04-05 32768]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-10-07 111952]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-23 185896]
    "TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-09 58416]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
    "amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

    c:\documents and settings\Peter Cha-zam\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2007-03-15 05:17 89600 ------w- c:\windows\system32\psqlpwd.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-03-26 05:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
    2004-08-04 02:31 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
    2010-07-06 14:01 2634048 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\YourStuffz\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Valve\\Steam\\steamapps\\xsouldragonx\\age of chivalry\\hl2.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\EXCEL.EXE"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Documents and Settings\\Peter Cha-zam\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
    "c:\\Documents and Settings\\Peter Cha-zam\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\Valve\\Steam\\steamapps\\xsouldragonx\\condition zero\\hl.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
    "c:\\Valve\\Steam\\steamapps\\common\\alien swarm\\srcds.exe"=
    "c:\\Valve\\Steam\\steamapps\\common\\alien swarm\\swarm.exe"=
    "c:\\Valve\\Steam\\steamapps\\xsouldragonx\\counter-strike source\\hl2.exe"=
    "c:\\Valve\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9842:TCP"= 9842:TCP:SolidNetworkManager
    "9842:UDP"= 9842:UDP:SolidNetworkManager
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/28/2010 10:21 PM 691696]
    R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [9/28/2007 4:28 PM 19504]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
    R2 msftesql$CSSQL05;SQL Server FullText Search (CSSQL05);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe [6/22/2007 8:22 AM 95592]
    R2 MSSQL$CSSQL05;SQL Server (CSSQL05);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [5/27/2009 2:27 AM 29262680]
    R2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [3/15/2007 12:10 AM 11152]
    R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2/8/2007 3:11 PM 569344]
    R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\drivers\livecamv.sys [2/28/2008 2:08 PM 31616]
    R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [9/13/2006 2:42 PM 30336]
    S3 V0380Afx;Creative Camera VF0380 Audio Effects Driver;c:\windows\system32\drivers\V0380Afx.sys [2/28/2008 2:19 PM 142656]
    S3 V0380Aud;Creative Camera VF0380 Noise Cancellation APO;c:\windows\system32\drivers\V0380Aud.sys [2/28/2008 2:19 PM 94976]
    S3 V0380Dev;Creative Camera VF0380 Driver;c:\windows\system32\drivers\V0380Vid.sys [2/28/2008 2:18 PM 273152]
    S3 V0380Vfx;Creative Camera VF0380 Video VFX Driver;c:\windows\system32\drivers\V0380Vfx.sys [2/28/2008 2:18 PM 7168]
    S3 vtany;vtany;\??\c:\windows\vtany.sys --> c:\windows\vtany.sys [?]
    S3 xhunter1;xhunter1;\??\c:\windows\xhunter1.sys --> c:\windows\xhunter1.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-20 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2010-11-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4215469638-1473632133-3761401410-1008Core.job
    - c:\documents and settings\Peter Cha-zam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-18 03:35]

    2010-11-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4215469638-1473632133-3761401410-1008UA.job
    - c:\documents and settings\Peter Cha-zam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-18 03:35]

    2010-11-14 c:\windows\Tasks\PMTask.job
    - c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-08-02 05:19]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    .
    .
    ------- File Associations -------
    .
    JSEFile=NOTEPAD.EXE %1
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-Zoo Tycoon 1.0 - e:\zootycoon\UNINSTAL.EXE



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-14 16:43
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql$CSSQL05]
    "ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe\" -s:MSSQL.2 -f:CSSQL05"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(684)
    c:\windows\system32\vrlogon.dll
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\windows\system32\psqlpwd.dll
    c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
    c:\program files\ThinkVantage Fingerprint Software\infra.dll
    c:\program files\ThinkVantage Fingerprint Software\homepass.dll
    c:\program files\ThinkVantage Fingerprint Software\bio.dll
    c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
    c:\program files\ThinkVantage Fingerprint Software\remote.dll
    c:\program files\ThinkVantage Fingerprint Software\pscssint.dll
    c:\program files\ThinkVantage Fingerprint Software\crypto.dll

    - - - - - - - > 'explorer.exe'(1452)
    c:\windows\system32\WININET.dll
    c:\program files\Lenovo\Client Security Solution\tvtpwm_windows_hook.dll
    c:\program files\Lenovo\Client Security Solution\tvt_passwordmanager.dll
    c:\program files\Lenovo\Client Security Solution\css_banner.dll
    c:\program files\Lenovo\Client Security Solution\csswait.dll
    c:\windows\system32\cssuserdatadispatcher.dll
    c:\program files\Lenovo\Client Security Solution\css_dlgcustompolicy.dll
    c:\windows\system32\tvttsp.dll
    c:\windows\system32\tcsrpc.dll
    c:\program files\Common Files\Lenovo\tvt_think_res.dll
    c:\program files\Lenovo\Client Security Solution\css_think_res.dll
    c:\progra~1\WINDOW~1\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\btncopy.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ibmpmsvc.exe
    c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    c:\windows\system32\IPSSVC.EXE
    c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    c:\windows\system32\acs.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
    c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\McAfee\Common Framework\FrameworkService.exe
    c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
    c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\McAfee\Common Framework\naPrdMgr.exe
    c:\windows\system32\PnkBstrA.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    c:\windows\System32\TPHDEXLG.exe
    c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
    c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
    c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
    c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe
    c:\windows\system32\UAService7.exe
    c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
    c:\program files\lenovo\system update\suservice.exe
    c:\program files\Common Files\Lenovo\Logger\logmon.exe
    c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\TpShocks.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\program files\McAfee\Common Framework\McTray.exe
    c:\program files\Lenovo\Client Security Solution\tvtpwm_tray.exe
    .
    **************************************************************************
    .
    Completion time: 2010-11-14 16:48:55 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-11-14 21:48

    Pre-Run: 23,993,565,184 bytes free
    Post-Run: 23,805,579,264 bytes free

    - - End Of File - - 4D669D61CE2BF41EC52DDE4A3E58E1AE
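
The ComboFix log above is long, and the entries that matter for triage are buried in it: the `S3` driver lines whose image path ComboFix reports as `[?]` (which I take to mean it could not locate the file on disk) and the Security Center `DisableMonitoring` values left under keys for a Symantec product that is no longer installed. The script below is an added example, not ComboFix's or TechSpot's code; it pulls exactly those two kinds of entry out of a log in the format shown. The sample log is constructed from lines in this thread, and the names `unverified_drivers` and `monitoring_overrides` are mine.

```python
"""Pull the entries worth questioning out of a ComboFix log.

Added example for this thread (not ComboFix's own code). It reads the
R0..S3 driver/service lines and flags those whose image file is marked
"[?]" (assumed here to mean ComboFix could not find the file), and it
lists Security Center monitoring overrides so the helper can decide
whether they still belong on the machine.
"""
import re
from typing import Dict, List

# "<state> <name>;<display name>;<image path> [<date size> | ?]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?) \[(?P<info>[^\]]*)\]$")
# A registry key header such as "[HKEY_LOCAL_MACHINE\...]"
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
MONITORING_MARKER = "\\security center\\monitoring\\"


def unverified_drivers(text: str) -> List[str]:
    """Names of drivers/services whose image file ComboFix marked as [?]."""
    found = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m and m.group("info") == "?":
            found.append(m.group("name"))
    return found


def monitoring_overrides(text: str) -> Dict[str, str]:
    """Security Center keys that carry a DisableMonitoring value, mapped to that value."""
    overrides: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        k = KEY_RE.match(line)
        if k:
            current = k.group("key")          # remember which key we are under
            continue
        if (current and MONITORING_MARKER in current.lower()
                and line.startswith('"DisableMonitoring"=')):
            overrides[current] = line.split("=", 1)[1]
    return overrides


# Constructed sample: a handful of lines in the shape of the log above.
SAMPLE_COMBOFIX = r"""[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/28/2010 10:21 PM 691696]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
S3 vtany;vtany;\??\c:\windows\vtany.sys --> c:\windows\vtany.sys [?]
S3 xhunter1;xhunter1;\??\c:\windows\xhunter1.sys --> c:\windows\xhunter1.sys [?]
"""

if __name__ == "__main__":
    print("drivers with unverified image file:", unverified_drivers(SAMPLE_COMBOFIX))
    for key, value in monitoring_overrides(SAMPLE_COMBOFIX).items():
        print("monitoring override:", key, "=", value)
```

Run against a real C:\ComboFix.txt by reading the file into `text` instead of `SAMPLE_COMBOFIX`. A `[?]` driver is not automatically malicious (a leftover from an uninstalled product looks the same), so the output is a list of things to look at, not a verdict.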
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    A comment: The Eset log shows that 2 scans were done as follows:
    Eset Scan #1:# utc_time=2010-08-03 02:40:31
    # local_time=2010-08-02 10:40:31 (-0500, Eastern Daylight Time)
    # scanned=166378
    # found=7
    # cleaned=0
    2 of the entries showed active infections, with none cleaned. The other entries are not active, just in restore points.
    C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe
    C:\YourStuffz\Media Stuffs\FreeRIP_AudioConverter\freeripmp3.exe
    ======================
    Eset Scan #2:# utc_time=2010-08-14 12:19:19
    # local_time=2010-08-13 08:19:19 (-0500, Eastern Daylight Time)
    # country="United States"
    scanned=151595
    # found=0
    # cleaned=0
    There were no entries, either active or elsewhere. The number of files scanned in the second scan was almost 15,000 less.
    You do not indicate anything was done between these scans, but I have to wonder where the previous entries went and what 15,000 files were removed. It indicates that the restore points were dropped and possibly there may have been a reformat/reinstall.

    I also noted that while there are many current restore points set, there has been very little activity on this system for 2010.

    The Mbam log shows it was run on 11/11/2010 and Combofix was run on 11/14/2010. So the Eset log is not current. Please repeat the Eset Online AV scan and leave the new log in your next reply.
    ================================================
    Please run this Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\xhunter1.sys 
    c:\windows\vtany.sys
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    
    Driver::
    xhunter1
    vtany
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
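
The comparison Bobbye made by hand above (several runs inside one ESET log, the `scanned`/`found` counts per run, and which detections are live files versus copies inside a System Restore point) can be done mechanically. The script below is an added example, not ESET's or TechSpot's code. It assumes the log.txt format exactly as pasted in this thread: each run begins with a `# version=` line, header fields are `# key=value`, and each detection line ends with a 32-hex-digit column and an action letter. Classifying anything under `System Volume Information\_restore` as inactive follows Bobbye's reading; the sample log is constructed from the first two runs in this thread, trimmed to the header fields the script uses.

```python
"""Split an ESET Online Scanner log.txt into its scan runs and triage them.

Added example for this thread (not ESET's code). The online scanner
appends each run to the same log.txt, which is why one paste carries
several "# version=7" blocks; this separates them, counts active
detections versus System Restore copies, and compares scanned totals.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Files under the restore-point store are copies, not something that runs.
RESTORE_MARKER = "\\system volume information\\_restore"
# "<path> <verdict> <32 hex digits> <action letter>"
DETECTION_RE = re.compile(r"^(?P<rest>[A-Za-z]:\\.+) (?P<hash>[0-9A-Fa-f]{32}) (?P<action>\S+)$")
# The verdict is the trailing "[probably ][a variant of ]Family/Name type".
VERDICT_RE = re.compile(r" ((?:probably a variant of |a variant of )?[A-Za-z0-9]+/\S+ \S+)$")


@dataclass
class Detection:
    path: str
    verdict: str
    in_restore_point: bool


@dataclass
class ScanRun:
    fields: Dict[str, str] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)

    @property
    def scanned(self) -> int:
        return int(self.fields.get("scanned", "0"))

    @property
    def found(self) -> int:
        return int(self.fields.get("found", "0"))

    def active(self) -> List[Detection]:
        return [d for d in self.detections if not d.in_restore_point]

    def consistent(self) -> bool:
        """The declared found= count should match the detection lines parsed."""
        return self.found == len(self.detections)


def parse_eset_log(text: str) -> List[ScanRun]:
    runs: List[ScanRun] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# version="):      # every run opens with its version line
            current = ScanRun()
            runs.append(current)
        if current is None:                    # installer banner before the first run
            continue
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            current.fields[key.strip()] = value.strip()
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue
        v = VERDICT_RE.search(m.group("rest"))
        if not v:
            continue
        path = m.group("rest")[: v.start()]
        current.detections.append(Detection(path, v.group(1), RESTORE_MARKER in path.lower()))
    return runs


def summarize(run: ScanRun) -> Dict[str, object]:
    active = len(run.active())
    return {"utc_time": run.fields.get("utc_time", "?"), "scanned": run.scanned,
            "found": run.found, "active": active, "restore_point": len(run.detections) - active}


def scanned_delta(earlier: ScanRun, later: ScanRun) -> int:
    """Change in the number of files scanned between two runs."""
    return later.scanned - earlier.scanned


# Constructed sample: the first two runs from this thread, header fields trimmed.
SAMPLE_LOG = r"""ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# utc_time=2010-08-03 02:40:31
# scanned=166378
# found=7
# cleaned=0
C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP485\A0097185.dll a variant of Win32/Kryptik.FSJ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP485\A0097232.dll a variant of Win32/Kryptik.FSJ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP485\A0097312.dll a variant of Win32/Kryptik.FSJ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP485\A0097351.dll a variant of Win32/Kryptik.FSJ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP489\A0098210.dll Win32/Agent.QXV trojan 00000000000000000000000000000000 I
C:\YourStuffz\Media Stuffs\FreeRIP_AudioConverter\freeripmp3.exe a variant of Win32/Adware.ADON application 00000000000000000000000000000000 I
# version=7
# utc_time=2010-08-14 12:19:19
# scanned=151595
# found=0
# cleaned=0
"""

if __name__ == "__main__":
    runs = parse_eset_log(SAMPLE_LOG)
    for i, run in enumerate(runs, 1):
        print(f"run {i}: {summarize(run)} consistent={run.consistent()}")
        for d in run.active():
            print("  active:", d.path, "->", d.verdict)
    print("scanned delta run1->run2:", scanned_delta(runs[0], runs[1]))
```

On the sample this reports two active detections in the first run (the AOL installer and freeripmp3.exe) and five restore-point copies, none in the second, and a drop of 14,783 files scanned between the two, which is the "almost 15,000 less" noted above. A `consistent()` result of False would mean the pasted log is truncated or was edited, which is worth knowing before drawing conclusions from it.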
     
  8. Milkshake

    Milkshake TS Rookie Topic Starter

    that's weird

    I haven't done any reformat or reinstall or anything with restore points recently. The only thing i've done since posting on this forum was following the 8 steps and running eset and combofix

    I will run Combofix and try to post by tonight

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=7.00.6000.17055 (vista_gdr.100414-0533)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=af3bf7b3dcfb0f4d896950d307cf3eea
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-08-03 02:40:31
    # local_time=2010-08-02 10:40:31 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=166378
    # found=7
    # cleaned=0
    # scan_time=5904
    C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP485\A0097185.dll a variant of Win32/Kryptik.FSJ trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP485\A0097232.dll a variant of Win32/Kryptik.FSJ trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP485\A0097312.dll a variant of Win32/Kryptik.FSJ trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP485\A0097351.dll a variant of Win32/Kryptik.FSJ trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP489\A0098210.dll Win32/Agent.QXV trojan 00000000000000000000000000000000 I
    C:\YourStuffz\Media Stuffs\FreeRIP_AudioConverter\freeripmp3.exe a variant of Win32/Adware.ADON application 00000000000000000000000000000000 I
    # version=7
    # iexplore.exe=7.00.6000.17080 (vista_gdr.100616-0452)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=af3bf7b3dcfb0f4d896950d307cf3eea
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2010-08-14 12:19:19
    # local_time=2010-08-13 08:19:19 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 273867 273867 0 0
    # compatibility_mode=8192 67108863 100 0 21050 21050 0 0
    # scanned=151595
    # found=0
    # cleaned=0
    # scan_time=5789
    # version=7
    # iexplore.exe=7.00.6000.17091 (vista_gdr.100824-1500)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=af3bf7b3dcfb0f4d896950d307cf3eea
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-11-13 11:47:58
    # local_time=2010-11-13 06:47:58 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 8220562 8220562 0 0
    # compatibility_mode=8192 67108863 100 0 7967745 7967745 0 0
    # scanned=183015
    # found=0
    # cleaned=0
    # scan_time=6015
    # version=7
    # iexplore.exe=7.00.6000.17091 (vista_gdr.100824-1500)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=af3bf7b3dcfb0f4d896950d307cf3eea
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-11-15 10:53:54
    # local_time=2010-11-15 05:53:54 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 8390230 8390230 0 0
    # compatibility_mode=8192 67108863 100 0 8137413 8137413 0 0
    # scanned=183552
    # found=0
    # cleaned=0
    # scan_time=5906
     
  9. Milkshake

    Milkshake TS Rookie Topic Starter

    Combofix w/ Script

    ComboFix 10-11-15.05 - Peter Cha-zam 11/15/2010 18:26:14.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2014.1429 [GMT -5:00]
    Running from: c:\documents and settings\Peter Cha-zam\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Peter Cha-zam\Desktop\CFScript.txt
    AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

    FILE ::
    "c:\windows\vtany.sys"
    "c:\windows\xhunter1.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_VTANY
    -------\Legacy_XHUNTER1
    -------\Service_vtany
    -------\Service_xhunter1


    ((((((((((((((((((((((((( Files Created from 2010-10-15 to 2010-11-15 )))))))))))))))))))))))))))))))
    .

    No new files created in this timespan

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-18 16:23 . 2006-04-30 06:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2006-04-30 06:55 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2006-04-30 06:55 954368 ------w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2006-04-30 06:55 953856 ------w- c:\windows\system32\mfc40u.dll
    2010-09-09 13:38 . 2006-04-30 06:56 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-09-09 13:38 . 2006-04-30 06:55 1830912 ------w- c:\windows\system32\inetcpl.cpl
    2010-09-09 13:38 . 2006-04-30 06:55 78336 ------w- c:\windows\system32\ieencode.dll
    2010-09-09 13:38 . 2006-04-30 06:55 17408 ------w- c:\windows\system32\corpol.dll
    2010-09-08 15:57 . 2006-04-30 06:55 389120 ------w- c:\windows\system32\html.iec
    2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-01 11:51 . 2006-04-30 06:55 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42 . 2006-04-30 06:55 1852800 ------w- c:\windows\system32\win32k.sys
    2010-08-29 03:21 . 2010-08-29 03:21 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
    2010-08-27 08:02 . 2006-04-30 06:56 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57 . 2006-04-30 06:55 99840 ------w- c:\windows\system32\srvsvc.dll
    2010-08-26 13:39 . 2006-04-30 06:55 357248 ------w- c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-04-17 16:25 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12 . 2006-04-30 06:55 617472 ------w- c:\windows\system32\comctl32.dll
    2008-03-09 11:25 . 2010-06-07 16:15 236 ----a-w- c:\program files\Common Files\dx.reg
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
    "Google Update"="c:\documents and settings\Peter Cha-zam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-18 135664]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
    "PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-09-21 200704]
    "BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-09-21 208896]
    "TpShocks"="TpShocks.exe" [2007-09-28 181544]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-09 1015808]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13549568]
    "TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
    "LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-03-22 120368]
    "AMSG"="c:\progra~1\THINKV~1\AMSG\amsg.exe" [2007-02-01 419376]
    "DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 196696]
    "ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 126976]
    "cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2007-08-03 2630968]
    "V0380Mon.exe"="c:\windows\V0380Mon.exe" [2007-04-05 32768]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-10-07 111952]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-23 185896]
    "TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-09 58416]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
    "amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

    c:\documents and settings\Peter Cha-zam\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2007-03-15 05:17 89600 ------w- c:\windows\system32\psqlpwd.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-03-26 05:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
    2004-08-04 02:31 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
    2010-07-06 14:01 2634048 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\YourStuffz\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Valve\\Steam\\steamapps\\xsouldragonx\\age of chivalry\\hl2.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\EXCEL.EXE"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Documents and Settings\\Peter Cha-zam\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
    "c:\\Documents and Settings\\Peter Cha-zam\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\Valve\\Steam\\steamapps\\xsouldragonx\\condition zero\\hl.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
    "c:\\Valve\\Steam\\steamapps\\common\\alien swarm\\srcds.exe"=
    "c:\\Valve\\Steam\\steamapps\\common\\alien swarm\\swarm.exe"=
    "c:\\Valve\\Steam\\steamapps\\xsouldragonx\\counter-strike source\\hl2.exe"=
    "c:\\Valve\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9842:TCP"= 9842:TCP:SolidNetworkManager
    "9842:UDP"= 9842:UDP:SolidNetworkManager
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/28/2010 10:21 PM 691696]
    R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [9/28/2007 4:28 PM 19504]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
    R2 msftesql$CSSQL05;SQL Server FullText Search (CSSQL05);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe [6/22/2007 8:22 AM 95592]
    R2 MSSQL$CSSQL05;SQL Server (CSSQL05);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [5/27/2009 2:27 AM 29262680]
    R2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [3/15/2007 12:10 AM 11152]
    R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2/8/2007 3:11 PM 569344]
    R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\drivers\livecamv.sys [2/28/2008 2:08 PM 31616]
    R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [9/13/2006 2:42 PM 30336]
    S3 V0380Afx;Creative Camera VF0380 Audio Effects Driver;c:\windows\system32\drivers\V0380Afx.sys [2/28/2008 2:19 PM 142656]
    S3 V0380Aud;Creative Camera VF0380 Noise Cancellation APO;c:\windows\system32\drivers\V0380Aud.sys [2/28/2008 2:19 PM 94976]
    S3 V0380Dev;Creative Camera VF0380 Driver;c:\windows\system32\drivers\V0380Vid.sys [2/28/2008 2:18 PM 273152]
    S3 V0380Vfx;Creative Camera VF0380 Video VFX Driver;c:\windows\system32\drivers\V0380Vfx.sys [2/28/2008 2:18 PM 7168]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-20 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2010-11-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4215469638-1473632133-3761401410-1008Core.job
    - c:\documents and settings\Peter Cha-zam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-18 03:35]

    2010-11-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4215469638-1473632133-3761401410-1008UA.job
    - c:\documents and settings\Peter Cha-zam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-18 03:35]

    2010-11-15 c:\windows\Tasks\PMTask.job
    - c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-08-02 05:19]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-15 18:38
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql$CSSQL05]
    "ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe\" -s:MSSQL.2 -f:CSSQL05"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1288)
    c:\windows\system32\vrlogon.dll
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\windows\system32\psqlpwd.dll
    c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
    c:\program files\ThinkVantage Fingerprint Software\infra.dll
    c:\program files\ThinkVantage Fingerprint Software\homepass.dll
    c:\program files\ThinkVantage Fingerprint Software\bio.dll
    c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
    c:\program files\ThinkVantage Fingerprint Software\remote.dll
    c:\program files\ThinkVantage Fingerprint Software\pscssint.dll
    c:\program files\ThinkVantage Fingerprint Software\crypto.dll

    - - - - - - - > 'explorer.exe'(2128)
    c:\windows\system32\WININET.dll
    c:\program files\Lenovo\Client Security Solution\tvtpwm_windows_hook.dll
    c:\program files\Lenovo\Client Security Solution\tvt_passwordmanager.dll
    c:\program files\Lenovo\Client Security Solution\css_banner.dll
    c:\program files\Lenovo\Client Security Solution\csswait.dll
    c:\windows\system32\cssuserdatadispatcher.dll
    c:\program files\Lenovo\Client Security Solution\css_dlgcustompolicy.dll
    c:\windows\system32\tvttsp.dll
    c:\windows\system32\tcsrpc.dll
    c:\program files\Common Files\Lenovo\tvt_think_res.dll
    c:\program files\Lenovo\Client Security Solution\css_think_res.dll
    c:\progra~1\WINDOW~1\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\btncopy.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ibmpmsvc.exe
    c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    c:\windows\system32\IPSSVC.EXE
    c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    c:\windows\system32\acs.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
    c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\McAfee\Common Framework\FrameworkService.exe
    c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
    c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\PnkBstrA.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\McAfee\Common Framework\naPrdMgr.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    c:\windows\System32\TPHDEXLG.exe
    c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
    c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
    c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
    c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe
    c:\windows\system32\UAService7.exe
    c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
    c:\program files\lenovo\system update\suservice.exe
    c:\program files\Common Files\Lenovo\Logger\logmon.exe
    c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\TpShocks.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\program files\McAfee\Common Framework\McTray.exe
    c:\program files\Lenovo\Client Security Solution\tvtpwm_tray.exe
    .
    **************************************************************************
    .
    Completion time: 2010-11-15 18:44:26 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-11-15 23:44
    ComboFix2.txt 2010-11-14 21:48

    Pre-Run: 23,781,711,872 bytes free
    Post-Run: 23,683,842,048 bytes free

    - - End Of File - - 7EA5A0BA2AF233677D2AA734A4FB7160
     
  10. Bobbye

    Bobbye Helper on the Fringe

    Okay, this might be gone, but I'd like to move it if it isn't:

    Please download OTMoveIt by OldTimer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes	
      :Files 
      C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =========================================
    Otherwise, the ComboFix log looks clean. Do any of the original malware related problems remain? I'd like you to run HijackThis to make sure there are no bad entries running. After I check that, if there aren't any new problems, I'll have you remove the cleaning tools and logs they created.

    Download the HijackThis Installer and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
     
  11. Milkshake

    Milkshake TS Rookie Topic Starter

    hmmm

    I won't argue on whether my computer is clean or not since you have more knowledge than me on the subject, but then I don't understand why my AV would suddenly find 3 viruses which have been known to duplicate multiple times :(
    Here are both the OTM and HijackThis files.

    All processes killed
    ========== PROCESSES ==========
    ========== FILES ==========
    File/Folder C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Peter Cha-zam
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 244480 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 89403384 bytes
    ->Apple Safari cache emptied: 0 bytes
    ->Flash cache emptied: 21961 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 71668195 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 2540 bytes

    Total Files Cleaned = 154.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 11162010_112705

    Files moved on Reboot...
    File C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_114.dat not found!
    File C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_4e4.dat not found!

    Registry entries deleted on Reboot...

    -------------------------------------------------------------------------------------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:44:01 AM, on 11/16/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17091)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\IPSSVC.EXE
    C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    C:\WINDOWS\System32\TPHDEXLG.exe
    C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
    C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
    c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    c:\program files\lenovo\system update\suservice.exe
    C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
    C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
    C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
    C:\PROGRA~1\THINKV~1\AMSG\amsg.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
    C:\WINDOWS\V0380Mon.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Lenovo\Client Security Solution\tvtpwm_tray.exe
    C:\YourStuffz\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe
    C:\YourStuffz\Mozilla Firefox\plugin-container.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: CPwmIEBrowserHelper Object - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
    O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
    O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
    O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
    O4 - HKLM\..\Run: [AMSG] C:\PROGRA~1\THINKV~1\AMSG\amsg.exe
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
    O4 - HKLM\..\Run: [V0380Mon.exe] C:\WINDOWS\V0380Mon.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Peter Cha-zam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
    O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
    O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
    O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
    O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
    O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
    O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
    O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
    O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

    --
    End of file - 14566 bytes
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please copy these lines from the McAfee log and paste them in next reply. But understand this:
    1. If a malware entry has been removed from the system and is no longer active in the system, it might be in a restore point. That will not infect the system unless you do a system restore and happen to choose that particular restore point.
    But McAfee will continue to show these entries and it will say in 'System Volume'. I have you drop all the old restore points when cleaning is finished, but McAfee will continue to show them until then. So it's not a reinfection or recurrence.
    2. If a malware entry has been removed by Combofix, it will show in the Qoobox which is the name of the Combofix location. The entry is not active in the system but if you run McAfee, it's going to show the entry. When cleaning is through, and you uninstall Combofix, it will remove these entries also.

    So it makes a big difference where the McAfee location is. In either of the above cases, the malware has been removed from running in the system and is no longer active - but AV scan will still show them and users don't understand location, location, location!!
    ========================================
    Please reopen HijackThis to 'do system scan only'. Check each of the following if present:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


    Close all Windows Except HijackThis and click on "Fix Checked."
    =============================================
    I will be glad to check those entries in McAfee if you want to paste them in. But otherwise, your system is clean.

    You might also want to share what the names of the "2 weird generic files which were also designated as trojans..." were.
     
  13. Milkshake

    Milkshake TS Rookie Topic Starter

    hi

    I unfortunately didn't write down the names of the generic files McAfee found, which I should have done...
    I've looked into McAfee's On-Access scan messages but there is nothing there, which I find weird since I'm pretty sure the On-Access scan was what found the trojan(s).

    Here are the on-access scan logs, but they don't seem to report anything except the files that the scan was timed out on:

    11/10/2010 2:54:00 AM Statistics:
    11/10/2010 2:54:00 AM Files scanned: 12041
    11/10/2010 2:54:00 AM Files detected: 1
    11/10/2010 2:54:00 AM Files cleaned: 0
    11/10/2010 2:54:00 AM Files deleted: 1
    11/10/2010 1:35:50 PM Engine version = 5400.1158
    11/10/2010 1:35:50 PM AntiVirus DAT version = 6161.0000
    11/10/2010 1:35:50 PM Number of detection signatures in EXTRA.DAT = None
    11/10/2010 1:35:50 PM Names of detection signatures in EXTRA.DAT = None
    11/10/2010 1:40:24 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
    11/10/2010 1:46:46 PM Engine version = 5400.1158
    11/10/2010 1:46:46 PM AntiVirus DAT version = 6163.0000
    11/10/2010 1:46:46 PM Number of detection signatures in EXTRA.DAT = None
    11/10/2010 1:46:46 PM Names of detection signatures in EXTRA.DAT = None
    11/10/2010 1:47:18 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
    11/10/2010 3:21:00 PM Not scanned (scan timed out) DARKNESSHADE\Peter Cha-zam C:\YourStuffz\Savage [SFE^star] [XR]\XR\Savage XR\silverback.exe C:\YourStuffz\Savage [SFE^star] [XR]\XR\Savage XR\game\savage0.s2z

    11/10/2010 8:18:58 PM Statistics:
    11/10/2010 8:18:58 PM Files scanned: 12737
    11/10/2010 8:18:58 PM Files detected: 0
    11/10/2010 8:18:58 PM Files cleaned: 0
    11/10/2010 8:18:58 PM Files deleted: 0
    11/10/2010 8:21:23 PM Engine version = 5400.1158
    11/10/2010 8:21:23 PM AntiVirus DAT version = 6163.0000
    11/10/2010 8:21:23 PM Number of detection signatures in EXTRA.DAT = None
    11/10/2010 8:21:23 PM Names of detection signatures in EXTRA.DAT = None
    11/10/2010 8:24:04 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
    11/10/2010 8:29:01 PM Not scanned (scan timed out) DARKNESSHADE\Peter Cha-zam C:\YourStuffz\Savage [SFE^star] [XR]\XR\Savage XR\silverback.exe C:\YourStuffz\Savage [SFE^star] [XR]\XR\Savage XR\game\savage0.s2z
    11/10/2010 8:48:13 PM Deleted DARKNESSHADE\Peter Cha-zam C:\WINDOWS\Explorer.EXE C:\DOCUMENTS AND SETTINGS\PETER CHA-ZAM\DESKTOP\LAME\VIRUSWAR\SECURITYCHECK.EXE Generic.dx!ujs (Trojan)
    11/10/2010 8:48:14 PM Deleted DARKNESSHADE\Peter Cha-zam C:\WINDOWS\Explorer.EXE C:\Documents and Settings\Peter Cha-zam\Desktop\Lame\VirusWar\SecurityCheck.exe Generic.dx!ujs (Trojan)
    11/10/2010 8:52:14 PM Engine version = 5400.1158
    11/10/2010 8:52:14 PM AntiVirus DAT version = 6163.0000
    11/10/2010 8:52:14 PM Number of detection signatures in EXTRA.DAT = None
    11/10/2010 8:52:14 PM Names of detection signatures in EXTRA.DAT = None
    11/10/2010 8:54:51 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
    11/11/2010 12:28:11 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
    11/11/2010 8:11:13 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
    11/11/2010 8:19:23 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
    11/12/2010 2:42:30 PM Engine version = 5400.1158
    11/12/2010 2:42:30 PM AntiVirus DAT version = 6163.0000
    11/12/2010 2:42:30 PM Number of detection signatures in EXTRA.DAT = None
    11/12/2010 2:42:30 PM Names of detection signatures in EXTRA.DAT = None
    11/12/2010 2:46:31 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
    11/12/2010 2:57:27 PM Engine version = 5400.1158
    11/12/2010 2:57:27 PM AntiVirus DAT version = 6165.0000
    11/12/2010 2:57:27 PM Number of detection signatures in EXTRA.DAT = None
    11/12/2010 2:57:27 PM Names of detection signatures in EXTRA.DAT = None
    11/12/2010 2:58:00 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
    11/12/2010 3:01:06 PM Not scanned (scan timed out) DARKNESSHADE\Peter Cha-zam C:\YourStuffz\Savage [SFE^star] [XR]\XR\Savage XR\a-u.exe C:\YourStuffz\Savage [SFE^star] [XR]\XR\Savage XR\game\savage0.s2z

    11/12/2010 7:04:16 PM Statistics:
    11/12/2010 7:04:16 PM Files scanned: 9751
    11/12/2010 7:04:16 PM Files detected: 0
    11/12/2010 7:04:16 PM Files cleaned: 0
    11/12/2010 7:04:16 PM Files deleted: 0
    11/13/2010 1:44:19 AM Engine version = 5400.1158
    11/13/2010 1:44:19 AM AntiVirus DAT version = 6165.0000
    11/13/2010 1:44:19 AM Number of detection signatures in EXTRA.DAT = None
    11/13/2010 1:44:19 AM Names of detection signatures in EXTRA.DAT = None
    11/13/2010 1:47:26 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
    11/13/2010 3:48:22 AM Not scanned (scan timed out) DARKNESSHADE\Peter Cha-zam C:\YourStuffz\Savage [SFE^star] [XR]\XR\Savage XR\silverback.exe C:\YourStuffz\Savage [SFE^star] [XR]\XR\Savage XR\game\savage0.s2z

    11/13/2010 5:15:24 AM Statistics:
    11/13/2010 5:15:24 AM Files scanned: 10533
    11/13/2010 5:15:24 AM Files detected: 0
    11/13/2010 5:15:24 AM Files cleaned: 0
    11/13/2010 5:15:24 AM Files deleted: 0
    11/13/2010 5:17:51 AM Engine version = 5400.1158
    11/13/2010 5:17:51 AM AntiVirus DAT version = 6165.0000
    11/13/2010 5:17:51 AM Number of detection signatures in EXTRA.DAT = None
    11/13/2010 5:17:51 AM Names of detection signatures in EXTRA.DAT = None
    11/13/2010 5:19:53 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
    11/13/2010 5:26:59 AM Not scanned (The file is encrypted) DARKNESSHADE\Peter Cha-zam C:\YourStuffz\Mozilla Firefox\firefox.exe C:\Documents and Settings\Peter Cha-zam\Local Settings\Temp\CikRzL1W.exe.part\SRIZBI.MD5

    11/13/2010 5:28:13 AM Statistics:
    11/13/2010 5:28:13 AM Files scanned: 6775
    11/13/2010 5:28:13 AM Files detected: 1
    11/13/2010 5:28:13 AM Files cleaned: 0
    11/13/2010 5:28:13 AM Files deleted: 0
    11/13/2010 2:06:12 PM Engine version = 5400.1158
    11/13/2010 2:06:12 PM AntiVirus DAT version = 6165.0000
    11/13/2010 2:06:12 PM Number of detection signatures in EXTRA.DAT = None
    11/13/2010 2:06:12 PM Names of detection signatures in EXTRA.DAT = None
    11/13/2010 2:09:46 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
    11/13/2010 5:05:28 PM Deleted DARKNESSHADE\Peter Cha-zam C:\Program Files\internet explorer\iexplore.exe C:\Documents and Settings\Peter Cha-zam\Cookies\peter_cha-zam@atdmt[1].txt\00000000.ie Cookie-Atdmt (Potentially Unwanted Program)
    11/13/2010 5:05:28 PM Deleted DARKNESSHADE\Peter Cha-zam C:\Program Files\internet explorer\iexplore.exe C:\Documents and Settings\Peter Cha-zam\Cookies\peter_cha-zam@atdmt[2].txt\00000000.ie Cookie-Atdmt (Potentially Unwanted Program)
    11/13/2010 6:50:57 PM Not scanned (scan timed out) DARKNESSHADE\Peter Cha-zam C:\WINDOWS\Explorer.EXE C:\Documents and Settings\Peter Cha-zam\Desktop\ComboFix.exe
    11/13/2010 6:51:29 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
    11/13/2010 7:57:01 PM Not scanned (scan timed out) DARKNESSHADE\Peter Cha-zam C:\YourStuffz\Savage [SFE^star] [XR]\XR\Savage XR\silverback.exe C:\YourStuffz\Savage [SFE^star] [XR]\XR\Savage XR\game\savage0.s2z
    11/13/2010 10:23:13 PM Not scanned (The file is encrypted) DARKNESSHADE\Peter Cha-zam C:\Program Files\Java\jre6\bin\javaw.exe C:\Documents and Settings\Peter Cha-zam\Desktop\_movie.hadung.net_SF4.2009.DVDRip.XviD.part1.rar.part\STREET.FIGHTER.IV.2009.DVDRIP.AC3.XVID-ACKOM.AVI

    11/14/2010 4:10:01 AM Statistics:
    11/14/2010 4:10:01 AM Files scanned: 13273
    11/14/2010 4:10:01 AM Files detected: 4
    11/14/2010 4:10:01 AM Files cleaned: 0
    11/14/2010 4:10:01 AM Files deleted: 3
    11/14/2010 2:21:51 PM Engine version = 5400.1158
    11/14/2010 2:21:51 PM AntiVirus DAT version = 6165.0000
    11/14/2010 2:21:51 PM Number of detection signatures in EXTRA.DAT = None
    11/14/2010 2:21:51 PM Names of detection signatures in EXTRA.DAT = None
    11/14/2010 2:24:18 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
    11/14/2010 2:32:30 PM Engine version = 5400.1158
    11/14/2010 2:32:30 PM AntiVirus DAT version = 6167.0000
    11/14/2010 2:32:30 PM Number of detection signatures in EXTRA.DAT = None
    11/14/2010 2:32:30 PM Names of detection signatures in EXTRA.DAT = None
    11/14/2010 2:33:02 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar

    11/14/2010 4:02:20 PM Statistics:
    11/14/2010 4:02:20 PM Files scanned: 6154
    11/14/2010 4:02:20 PM Files detected: 0
    11/14/2010 4:02:20 PM Files cleaned: 0
    11/14/2010 4:02:20 PM Files deleted: 0
    11/14/2010 4:04:24 PM Engine version = 5400.1158
    11/14/2010 4:04:24 PM AntiVirus DAT version = 6167.0000
    11/14/2010 4:04:24 PM Number of detection signatures in EXTRA.DAT = None
    11/14/2010 4:04:24 PM Names of detection signatures in EXTRA.DAT = None
    11/14/2010 4:05:11 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
    11/14/2010 4:51:35 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar

    11/14/2010 8:14:24 PM Statistics:
    11/14/2010 8:14:24 PM Files scanned: 8202
    11/14/2010 8:14:24 PM Files detected: 0
    11/14/2010 8:14:24 PM Files cleaned: 0
    11/14/2010 8:14:24 PM Files deleted: 0
    11/15/2010 1:56:34 AM Engine version = 5400.1158
    11/15/2010 1:56:34 AM AntiVirus DAT version = 6167.0000
    11/15/2010 1:56:34 AM Number of detection signatures in EXTRA.DAT = None
    11/15/2010 1:56:34 AM Names of detection signatures in EXTRA.DAT = None
    11/15/2010 1:59:10 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar

    11/15/2010 3:54:21 AM Statistics:
    11/15/2010 3:54:21 AM Files scanned: 8801
    11/15/2010 3:54:21 AM Files detected: 0
    11/15/2010 3:54:21 AM Files cleaned: 0
    11/15/2010 3:54:21 AM Files deleted: 0
    11/15/2010 2:39:10 PM Engine version = 5400.1158
    11/15/2010 2:39:10 PM AntiVirus DAT version = 6167.0000
    11/15/2010 2:39:10 PM Number of detection signatures in EXTRA.DAT = None
    11/15/2010 2:39:10 PM Names of detection signatures in EXTRA.DAT = None
    11/15/2010 2:43:18 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
    11/15/2010 2:53:08 PM Deleted DARKNESSHADE\Peter Cha-zam C:\Program Files\internet explorer\iexplore.exe C:\Documents and Settings\Peter Cha-zam\Cookies\peter_cha-zam@atdmt[1].txt\00000000.ie Cookie-Atdmt (Potentially Unwanted Program)
    11/15/2010 2:53:08 PM Deleted DARKNESSHADE\Peter Cha-zam C:\Program Files\internet explorer\iexplore.exe C:\Documents and Settings\Peter Cha-zam\Cookies\peter_cha-zam@atdmt[2].txt\00000000.ie Cookie-Atdmt (Potentially Unwanted Program)
    11/15/2010 2:53:20 PM Deleted DARKNESSHADE\Peter Cha-zam C:\Program Files\internet explorer\iexplore.exe C:\Documents and Settings\Peter Cha-zam\Cookies\peter_cha-zam@atdmt[1].txt\00000000.ie Cookie-Atdmt (Potentially Unwanted Program)
    11/15/2010 2:53:20 PM Deleted DARKNESSHADE\Peter Cha-zam C:\Program Files\internet explorer\iexplore.exe C:\Documents and Settings\Peter Cha-zam\Cookies\peter_cha-zam@atdmt[2].txt\00000000.ie Cookie-Atdmt (Potentially Unwanted Program)
    11/15/2010 2:53:20 PM Deleted DARKNESSHADE\Peter Cha-zam C:\Program Files\internet explorer\iexplore.exe C:\Documents and Settings\Peter Cha-zam\Cookies\peter_cha-zam@atdmt[1].txt\00000000.ie Cookie-Atdmt (Potentially Unwanted Program)
    11/15/2010 2:53:20 PM Deleted DARKNESSHADE\Peter Cha-zam C:\Program Files\internet explorer\iexplore.exe C:\Documents and Settings\Peter Cha-zam\Cookies\peter_cha-zam@atdmt[2].txt\00000000.ie Cookie-Atdmt (Potentially Unwanted Program)
    11/15/2010 2:53:24 PM Deleted DARKNESSHADE\Peter Cha-zam C:\Program Files\internet explorer\iexplore.exe C:\Documents and Settings\Peter Cha-zam\Cookies\peter_cha-zam@microsoftwindows.112.2o7[1].txt\00000000.ie Cookie-2O7 (Potentially Unwanted Program)
    11/15/2010 2:53:47 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
    11/15/2010 6:13:09 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar

    11/15/2010 6:35:06 PM Statistics:
    11/15/2010 6:35:06 PM Files scanned: 12862
    11/15/2010 6:35:06 PM Files detected: 15
    11/15/2010 6:35:06 PM Files cleaned: 0
    11/15/2010 6:35:06 PM Files deleted: 15
    11/15/2010 6:37:28 PM Engine version = 5400.1158
    11/15/2010 6:37:28 PM AntiVirus DAT version = 6167.0000
    11/15/2010 6:37:28 PM Number of detection signatures in EXTRA.DAT = None
    11/15/2010 6:37:28 PM Names of detection signatures in EXTRA.DAT = None
    11/15/2010 6:44:54 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
    11/15/2010 6:45:52 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar

    11/15/2010 6:50:07 PM Statistics:
    11/15/2010 6:50:07 PM Files scanned: 6339
    11/15/2010 6:50:07 PM Files detected: 0
    11/15/2010 6:50:07 PM Files cleaned: 0
    11/15/2010 6:50:07 PM Files deleted: 0
    11/15/2010 7:51:07 PM Engine version = 5400.1158
    11/15/2010 7:51:07 PM AntiVirus DAT version = 6167.0000
    11/15/2010 7:51:07 PM Number of detection signatures in EXTRA.DAT = None
    11/15/2010 7:51:07 PM Names of detection signatures in EXTRA.DAT = None
    11/15/2010 7:55:32 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
    11/15/2010 8:02:28 PM Deleted DARKNESSHADE\Peter Cha-zam C:\Program Files\internet explorer\iexplore.exe C:\Documents and Settings\Peter Cha-zam\Cookies\peter_cha-zam@atdmt[1].txt\00000000.ie Cookie-Atdmt (Potentially Unwanted Program)
    11/15/2010 8:02:28 PM Deleted DARKNESSHADE\Peter Cha-zam C:\Program Files\internet explorer\iexplore.exe C:\Documents and Settings\Peter Cha-zam\Cookies\peter_cha-zam@atdmt[2].txt\00000000.ie Cookie-Atdmt (Potentially Unwanted Program)
    11/15/2010 8:06:00 PM Deleted DARKNESSHADE\Peter Cha-zam C:\Program Files\internet explorer\iexplore.exe C:\Documents and Settings\Peter Cha-zam\Cookies\peter_cha-zam@atdmt[1].txt\00000000.ie Cookie-Atdmt (Potentially Unwanted Program)
    11/15/2010 8:06:00 PM Deleted DARKNESSHADE\Peter Cha-zam C:\Program Files\internet explorer\iexplore.exe C:\Documents and Settings\Peter Cha-zam\Cookies\peter_cha-zam@atdmt[2].txt\00000000.ie Cookie-Atdmt (Potentially Unwanted Program)
    11/15/2010 8:14:21 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\McAfee\Common Framework\FrameworkService.exe C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_DARKNESSHADE.xml
    11/15/2010 8:14:21 PM Engine version = 5400.1158
    11/15/2010 8:14:21 PM AntiVirus DAT version = 6168.0000
    11/15/2010 8:14:21 PM Number of detection signatures in EXTRA.DAT = None
    11/15/2010 8:14:21 PM Names of detection signatures in EXTRA.DAT = None
    11/15/2010 8:14:22 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\McAfee\Common Framework\FrameworkService.exe C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Current\BOCVSE__1000\DAT\0000\PkgCatalog.z
    11/15/2010 8:14:22 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\McAfee\Common Framework\McScript_InUse.exe C:\Program Files\Common Files\McAfee\Engine\avvscan.dat
    11/15/2010 8:14:22 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\McAfee\Common Framework\McScript_InUse.exe C:\Program Files\Common Files\McAfee\Engine\avvclean.dat
    11/15/2010 8:14:22 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\McAfee\Common Framework\McScript_InUse.exe C:\Program Files\Common Files\McAfee\Engine\avvnames.dat
    11/15/2010 8:15:32 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
    11/15/2010 10:24:12 PM Engine version = 5400.1158
    11/15/2010 10:24:12 PM AntiVirus DAT version = 6168.0000
    11/15/2010 10:24:12 PM Number of detection signatures in EXTRA.DAT = None
    11/15/2010 10:24:12 PM Names of detection signatures in EXTRA.DAT = None

    11/15/2010 10:24:20 PM Statistics:
    11/15/2010 10:24:20 PM Files scanned: 23
    11/15/2010 10:24:20 PM Files detected: 0
    11/15/2010 10:24:20 PM Files cleaned: 0
    11/15/2010 10:24:20 PM Files deleted: 0
    11/15/2010 11:32:45 PM Engine version = 5400.1158
    11/15/2010 11:32:45 PM AntiVirus DAT version = 6168.0000
    11/15/2010 11:32:45 PM Number of detection signatures in EXTRA.DAT = None
    11/15/2010 11:32:45 PM Names of detection signatures in EXTRA.DAT = None
    11/15/2010 11:35:03 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
    11/15/2010 11:59:57 PM Not scanned (scan timed out) DARKNESSHADE\Peter Cha-zam C:\YourStuffz\Savage [SFE^star] [XR]\XR\Savage XR\silverback.exe C:\YourStuffz\Savage [SFE^star] [XR]\XR\Savage XR\game\savage0.s2z

    11/16/2010 2:53:35 AM Statistics:
    11/16/2010 2:53:35 AM Files scanned: 9867
    11/16/2010 2:53:35 AM Files detected: 0
    11/16/2010 2:53:35 AM Files cleaned: 0
    11/16/2010 2:53:35 AM Files deleted: 0
    11/16/2010 4:40:43 AM Engine version = 5400.1158
    11/16/2010 4:40:43 AM AntiVirus DAT version = 6168.0000
    11/16/2010 4:40:43 AM Number of detection signatures in EXTRA.DAT = None
    11/16/2010 4:40:43 AM Names of detection signatures in EXTRA.DAT = None

    11/16/2010 4:58:19 AM Statistics:
    11/16/2010 4:58:19 AM Files scanned: 8262
    11/16/2010 4:58:19 AM Files detected: 0
    11/16/2010 4:58:19 AM Files cleaned: 0
    11/16/2010 4:58:19 AM Files deleted: 0
    11/16/2010 11:21:33 AM Engine version = 5400.1158
    11/16/2010 11:21:33 AM AntiVirus DAT version = 6168.0000
    11/16/2010 11:21:33 AM Number of detection signatures in EXTRA.DAT = None
    11/16/2010 11:21:33 AM Names of detection signatures in EXTRA.DAT = None
    11/16/2010 11:23:58 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
    11/16/2010 11:32:07 AM Engine version = 5400.1158
    11/16/2010 11:32:07 AM AntiVirus DAT version = 6168.0000
    11/16/2010 11:32:07 AM Number of detection signatures in EXTRA.DAT = None
    11/16/2010 11:32:07 AM Names of detection signatures in EXTRA.DAT = None
    11/16/2010 11:35:48 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
    11/16/2010 11:51:32 AM Not scanned (scan timed out) DARKNESSHADE\Peter Cha-zam C:\YourStuffz\Savage [SFE^star] [XR]\XR\Savage XR\silverback.exe C:\YourStuffz\Savage [SFE^star] [XR]\XR\Savage XR\game\savage0.s2z

    11/16/2010 12:40:07 PM Statistics:
    11/16/2010 12:40:07 PM Files scanned: 11070
    11/16/2010 12:40:07 PM Files detected: 0
    11/16/2010 12:40:07 PM Files cleaned: 0
    11/16/2010 12:40:07 PM Files deleted: 0
    11/16/2010 4:04:45 PM Engine version = 5400.1158
    11/16/2010 4:04:45 PM AntiVirus DAT version = 6168.0000
    11/16/2010 4:04:45 PM Number of detection signatures in EXTRA.DAT = None
    11/16/2010 4:04:45 PM Names of detection signatures in EXTRA.DAT = None
    11/16/2010 4:06:43 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar

    11/16/2010 6:34:09 PM Statistics:
    11/16/2010 6:34:09 PM Files scanned: 7995
    11/16/2010 6:34:09 PM Files detected: 0
    11/16/2010 6:34:09 PM Files cleaned: 0
    11/16/2010 6:34:09 PM Files deleted: 0
    11/16/2010 8:33:00 PM Engine version = 5400.1158
    11/16/2010 8:33:00 PM AntiVirus DAT version = 6168.0000
    11/16/2010 8:33:00 PM Number of detection signatures in EXTRA.DAT = None
    11/16/2010 8:33:00 PM Names of detection signatures in EXTRA.DAT = None
    11/16/2010 8:38:38 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
    11/16/2010 9:04:02 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\McAfee\Common Framework\McScript_InUse.exe C:\Program Files\Common Files\McAfee\Engine\avvclean.dat
    11/16/2010 9:04:02 PM Engine version = 5400.1158
    11/16/2010 9:04:02 PM AntiVirus DAT version = 6169.0000
    11/16/2010 9:04:02 PM Number of detection signatures in EXTRA.DAT = None
    11/16/2010 9:04:02 PM Names of detection signatures in EXTRA.DAT = None
    11/16/2010 9:04:03 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\McAfee\Common Framework\FrameworkService.exe C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_DARKNESSHADE.xml
    11/16/2010 9:04:03 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\McAfee\Common Framework\McScript_InUse.exe C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Current\BOCVSE__1000\BocDet_VSE.McS
    11/16/2010 9:04:03 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\McAfee\Common Framework\McScript_InUse.exe C:\Program Files\Common Files\McAfee\Engine\avvnames.dat
    11/16/2010 9:04:03 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\McAfee\Common Framework\McScript_InUse.exe C:\Program Files\Common Files\McAfee\Engine\avvscan.dat
    11/16/2010 9:05:11 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
    11/16/2010 10:05:14 PM Not scanned (scan timed out) DARKNESSHADE\Peter Cha-zam C:\YourStuffz\Mozilla Firefox\plugin-container.exe C:\Documents and Settings\Peter Cha-zam\Desktop\ComboFix.exe

    11/16/2010 10:52:50 PM Statistics:
    11/16/2010 10:52:50 PM Files scanned: 9726
    11/16/2010 10:52:50 PM Files detected: 0
    11/16/2010 10:52:50 PM Files cleaned: 0
    11/16/2010 10:52:50 PM Files deleted: 0
    11/17/2010 12:41:52 AM Engine version = 5400.1158
    11/17/2010 12:41:52 AM AntiVirus DAT version = 6169.0000
    11/17/2010 12:41:52 AM Number of detection signatures in EXTRA.DAT = None
    11/17/2010 12:41:52 AM Names of detection signatures in EXTRA.DAT = None
    11/17/2010 12:43:02 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar

    11/17/2010 2:24:20 AM Statistics:
    11/17/2010 2:24:20 AM Files scanned: 5543
    11/17/2010 2:24:20 AM Files detected: 0
    11/17/2010 2:24:20 AM Files cleaned: 0
    11/17/2010 2:24:20 AM Files deleted: 0
    11/17/2010 4:25:47 PM Engine version = 5400.1158
    11/17/2010 4:25:47 PM AntiVirus DAT version = 6169.0000
    11/17/2010 4:25:47 PM Number of detection signatures in EXTRA.DAT = None
    11/17/2010 4:25:47 PM Names of detection signatures in EXTRA.DAT = None
    11/17/2010 4:29:41 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I really didn't want this full log. You're telling me something was called a Trojan and you keep removing it but it comes back.
    McAfee gives us a lot of problems when we try to run scans. As I explained, "SecurityCheck.exe" can be a valid program and McAfee could have flagged it as a False Positive. Unless I have something specific to work with, I can't go any further. As for the word "generic" - that could mean 100 different things from the legitimate processes called Generic Host Processes for Win32 to malware with the word gen as part of it.

    So I still don't know anything about the 'generic' process you mentioned.
     
  15. Milkshake

    Milkshake TS Rookie Topic Starter

    Well I don't have a log for the scan messages so I felt like I had to post something at least slightly relevant. I understand that SecurityCheck.exe is a valid program, I was just unsure as to whether it was a virus disguised as that file or something.
    As for the generic files, it is my fault for not recording them. They were like Generic.ko!xtf (I picked random letters at the end, but that's the format)
    But again, I apologize for my rather vague and unclear explanation, I do appreciate the time you are committing.

    The 2 generic files were found in my System Volume though.
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    System Volume=System Restore points

    Note please in Eset scan dated 2010-08-03 02:40:31, the following entries were found:

    4 files were found to be infected in Restore Point #485. They all showed the same malware: variant of Win32/Kryptik.FSJ trojan

    C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP485\A0097185.dll
    C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP485\A0097232.dll
    C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP485\A0097312.dll
    C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP485\A0097351.dll

    1 file was found to be infected in Restore Point #489 with Win32/Agent.QXV trojan
    C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP489\A0098210.dll

    If the infections were only in these restore points at that time, they were no longer active in the system. They could only infect the system if you chose that particular restore point.

    2 new Active infections were found in the same scan:
    C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe>> probably a variant of Win32/Agent trojan
    C:\YourStuffz\Media Stuffs\FreeRIP_AudioConverter\freeripmp3.exe>> a variant of Win32/Adware.ADON application

    I asked about these because there was no indication of removal in the later scan. If you dropped the restore points, then they would no longer show. We wait until the end to drop old restore points and create a new clean restore point. It may be that your antivirus program removed the 2 new entries and there was no restore point done at that time.

    Do you understand?
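    The distinction Bobbye draws above (a hit under C:\System Volume Information\_restore{...}\RPnnn\ is dormant until that restore point is applied; anything else is live) is worth automating when a scan log is long. The following Python is an added example, not code from the thread or from ESET: it takes tab-separated "path<TAB>detection" records, sorts each hit into its restore point or into the active file system, and prints the same kind of summary Bobbye wrote by hand. The sample records are constructed for the example, modeled on the entries quoted in the post; the record format is an assumption, not ESET's log format.

```python
import re
from collections import defaultdict

# Constructed sample input: "path<TAB>detection" records modeled on the entries
# quoted in the post above. Not a real scan log; the tab-separated layout is an
# assumption made for this example.
SAMPLE_SCAN_LINES = [
    r"C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP485\A0097185.dll" "\ta variant of Win32/Kryptik.FSJ trojan",
    r"C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP485\A0097232.dll" "\ta variant of Win32/Kryptik.FSJ trojan",
    r"C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP485\A0097312.dll" "\ta variant of Win32/Kryptik.FSJ trojan",
    r"C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP485\A0097351.dll" "\ta variant of Win32/Kryptik.FSJ trojan",
    r"C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP489\A0098210.dll" "\tWin32/Agent.QXV trojan",
    r"C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe" "\tprobably a variant of Win32/Agent trojan",
    r"C:\YourStuffz\Media Stuffs\FreeRIP_AudioConverter\freeripmp3.exe" "\ta variant of Win32/Adware.ADON application",
]

# A path inside the System Restore store belongs to a restore point. Such a file is
# dormant: it only comes back to life if that particular restore point is applied.
RESTORE_POINT_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]{36}\}\\RP(\d+)\\",
    re.IGNORECASE,
)


def parse_record(line):
    """Split one 'path<TAB>detection' record into (path, detection); None if malformed."""
    line = line.strip()
    if not line or "\t" not in line:
        return None
    path, detection = line.split("\t", 1)
    return path.strip(), detection.strip()


def triage(lines):
    """Classify scan hits as dormant (inside a restore point) or active (live file system).

    Returns {"dormant": {rp_number: [(path, detection), ...]},
             "active":  [(path, detection), ...]}.
    """
    report = {"dormant": defaultdict(list), "active": []}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # blank or malformed record; nothing to classify
        path, _detection = rec
        match = RESTORE_POINT_RE.match(path)
        if match:
            report["dormant"][int(match.group(1))].append(rec)
        else:
            report["active"].append(rec)
    report["dormant"] = dict(report["dormant"])
    return report


def summarize(report):
    """One line per restore point with its distinct detection names, then the active hits."""
    out = []
    for rp in sorted(report["dormant"]):
        hits = report["dormant"][rp]
        names = sorted({detection for _path, detection in hits})
        out.append(f"Restore Point #{rp}: {len(hits)} file(s) dormant: {', '.join(names)}")
    out.append(f"Active (live file system): {len(report['active'])} file(s)")
    for path, detection in report["active"]:
        out.append(f"  {path} >> {detection}")
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(triage(SAMPLE_SCAN_LINES)))
```

    Feeding the sample records through `triage()` reproduces the post's split: four Kryptik.FSJ hits in RP485, one Agent.QXV hit in RP489, and two active files. Only the active list needs immediate attention; the restore-point hits go away when the old restore points are dropped at the end of cleaning.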
     
  17. Milkshake

    Milkshake TS Rookie Topic Starter

    yes

    yes that makes sense
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Yes, it does, but few users bother to check what System Restore is, what it does, how it works with malware and how malware is removed from the restore points. One supposedly experienced member was instructing people to drop the restore points at the beginning of cleaning. His reason was that when the owner rebooted, a system restore point loaded. I tried for 6 months to make him understand that this was not correct and that a restore point only loads if someone does a System Restore, and a reinfection could only happen if he chose an infected restore point!

    Sometimes, on a badly infected computer, the only way in is a system restore - which is why we leave them until the end of cleaning.

    If there are no additional problems:
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    Let me know if you have any more questions.
     
  19. Milkshake

    Milkshake TS Rookie Topic Starter

    hurray all finished! I don't seem to be encountering any other problems so i think i'm set.
    Thank you thank you thank you.
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're very welcome! Here are some tips to help you stay clean:

    Tips for added security and safer browsing:
    Note: some of these programs may not work with Windows 7 or a 64bit OS.
    1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
      This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
    2. Have layered Security:
      • Antivirus Software(only one):Both of the following programs are free and known to be good:
        ◦ Avira Free
        ◦ Avast Home
      • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
        ◦ Comodo
        ◦ Zone Alarm
      • Antispyware: I recommend all of the following:
        ◦ Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
        ◦ Download ZonedOut and save to your desktop. This replaces IE/Spyad and manages the Zones in Internet Explorer. This places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc.) from the sites listed, although you will still be able to connect to the sites.
          For IE7 and IE8, Windows 2000 thru Vista. No Windows 7 yet.
          IE/Spyad is no longer being supported. If you have this on your system, you should replace it with the following program. Make sure your IE8 is up-to-date before adding sites to your restricted zone.
          Known issue: If you have "immunized" your computer with Spybot Search and Destroy, and use ZonedOut to "Remove All" restricted sites - ZonedOut will remove your trusted sites as well. Note that if you remove Spybot Search and Destroy's immunization the problem goes away...
        ◦ MVPS Hosts file: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
        ◦ Google Toolbar: Get the free Google toolbar to help stop pop-up windows.
    3. Stay current on updates:
        ◦ Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates.
        ◦ Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
        ◦ Check this site: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    4. Reset Cookies to prevent Tracking Cookies:
        ◦ For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
        ◦ For Firefox: Tools> Options> Privacy> Cookies> check 'accept Cookies from Sites'> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
    5. Do regular Maintenance
      Remove Temporary Internet Files regularly:
        ◦ ATF Cleaner by Atribune
      OR
        ◦ TFC
      Disable and Enable System Restore:
        ◦ See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.
    6. Practice Safe Email Handling
        ◦ Don't open email from anyone you don't know.
        ◦ Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
        ◦ Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
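    The HOSTS-file tip above works because every name in a blocklist HOSTS file is sent to 127.0.0.1 (or 0.0.0.0), so the connection dies locally. The same file is also a favourite target for malware, which adds entries that send update or security-vendor names somewhere else. As an added example, not code from the thread or from the MVPS project, the Python below parses a HOSTS file and separates loopback/unspecified "sinkhole" entries from entries that redirect a name to a routable address, plus lines that do not parse. The sample HOSTS text is constructed; the host names and the address 198.51.100.23 are made up for illustration.

```python
import ipaddress

# Constructed HOSTS sample. The blocklist lines imitate the shape of a blocklist
# HOSTS file; the last three entries are made up to exercise the redirect and
# malformed cases. None of these names or addresses are real.
SAMPLE_HOSTS = """\
# constructed HOSTS sample for the example
127.0.0.1       localhost
::1             localhost

# blocklist entries: name -> loopback/unspecified, connection dies locally
127.0.0.1  ads.example.net
0.0.0.0    tracker.example.org   # trailing comment is ignored
127.0.0.1  banners.example.com  cdn.banners.example.com

# suspicious: a name sent to a routable address instead of loopback
198.51.100.23  update.antivirus-vendor.example
garbage-line
999.1.1.1  bad.example
"""


def parse_hosts(text):
    """Return (line_no, ip_string, hostname) for every mapping in a HOSTS file.

    Handles blank lines, full-line and trailing '#' comments, tabs, and several
    hostnames on one line. A line without an address/name pair is returned with
    ip_string=None so the caller can report it.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:
            entries.append((line_no, None, body))
            continue
        for host in fields[1:]:
            entries.append((line_no, fields[0], host.lower()))
    return entries


def classify_hosts(text):
    """Group HOSTS mappings by what they do to traffic.

    'sinkhole' : target is loopback or unspecified (127.x, ::1, 0.0.0.0): the name is blocked.
    'redirect' : target is any other address: the name now resolves where the file says,
                 which is how a hijacked HOSTS file hides update servers or security sites.
    'malformed': lines that are not '<address> <name>...' or whose address does not parse.
    """
    groups = {"sinkhole": [], "redirect": [], "malformed": []}
    for line_no, ip_str, host in parse_hosts(text):
        if ip_str is None:
            groups["malformed"].append((line_no, host))
            continue
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            groups["malformed"].append((line_no, f"{ip_str} {host}"))
            continue
        if ip.is_loopback or ip.is_unspecified:
            groups["sinkhole"].append((line_no, host))
        else:
            groups["redirect"].append((line_no, ip_str, host))
    return groups


if __name__ == "__main__":
    groups = classify_hosts(SAMPLE_HOSTS)
    print(f"{len(groups['sinkhole'])} sinkhole entries (expected for a blocklist HOSTS file)")
    for line_no, ip_str, host in groups["redirect"]:
        print(f"REVIEW line {line_no}: {host} -> {ip_str} (not loopback)")
    for line_no, text in groups["malformed"]:
        print(f"MALFORMED line {line_no}: {text}")
```

    On Windows XP the file to feed in is C:\WINDOWS\system32\drivers\etc\hosts. A legitimate blocklist HOSTS file produces only sinkhole entries (plus the localhost lines); every redirect entry deserves a look, since a LAN name mapped to a LAN address is normal but a vendor or update hostname mapped to an outside address is not.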
     
Topic Status:
Not open for further replies.