
Solved Some phoney anti-virus program has taken over the computer!

Discussion in 'Malware and Virus Removal Archive' started by frayedknotarts, 2010/01/25.

  1. 2010/01/25
    frayedknotarts Lifetime Subscription

    frayedknotarts Well-Known Member Thread Starter

    Joined:
    2006/08/12
    Messages:
    455
    Likes Received:
    4
    [Resolved] Some phoney anti-virus program has taken over the computer!

    Something called "Antivirus Live" managed to sneak in under the guise of a picture (jpg) that my wife sent me via email. (I think. I hadn't opened anything this morning other than a quick look at Ebay and a message posting here on a different issue.)

    Suddenly I am unable to open just about anything on the computer. I can't get to the restore points, but I can open Firefox, get online and post here.


    Everything else that I click tells me that "the (operating program) is infected and do I want to activate my AV program now?"

    I have CA installed and *thought* I had re-installed Spyware Blaster, SpamGuard and WinPatrol, but there's no evidence of those anywhere I can get to, nor do I see "Scotty" in the tool-bar.


    What info do you need from me?
     
  2. 2010/01/25
    wildfire

    wildfire Getting Old

    Joined:
    2008/04/21
    Messages:
    4,649
    Likes Received:
    124
    Hi, frayedknotarts,

    If you can, please read this and post the requested logs in this thread.

    Be aware that only Malware Analysts will advise and they are extremely busy at the moment. Your post will be taken on a first-come, first-served basis and it may take a few days before you receive a reply.
     
  4. 2010/01/25
    Admin.

    Admin. Administrator Administrator Staff

    Joined:
    2001/12/30
    Messages:
    6,687
    Likes Received:
    107
    Running IE6 un-patched perhaps?
     
  5. 2010/01/25
    frayedknotarts Lifetime Subscription

    frayedknotarts Well-Known Member Thread Starter

    Joined:
    2006/08/12
    Messages:
    455
    Likes Received:
    4
    Hi, Arie! No, I don't use IE at all, only Firefox, although IE is on the system and I recently updated to IE7, "just in case".

    As to the DDS logs, I am unable to run the program as the hijacking (whatever) continually blocks the .exe files. I suspect this is going to happen to Combofix as well...

    So far the only thing that works is Firefox.
     
  6. 2010/01/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe

    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following.

    Now download and Run exeHelper.

    * Please download exeHelper from Raktor to your desktop.
    * Double-click on exeHelper.com to run the fix.
    * A black window should pop up, press any key to close once the fix is completed.
    * A log file named log.txt will be created in the directory where you ran exeHelper.com
    * Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file ", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


    Please download ComboFix from Here or Here to your Desktop.


    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Installer under Version 2.0.2
    [DO NOT download version 2.0.3 (beta)]
    Install, and run it.
    Post the HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
     
  7. 2010/01/25
    frayedknotarts Lifetime Subscription

    frayedknotarts Well-Known Member Thread Starter

    Joined:
    2006/08/12
    Messages:
    455
    Likes Received:
    4
    Okay! That seemed to work pretty well:

    Logs:
    EXEHELPER

    exeHelper by Raktor
    Build 20091220
    Run at exeHelper by Raktor
    Build 20091220
    Run at 13:13:04exeHelper by Raktor
    Build 20091220
    Run at 13:19:47 on 01/25/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    COMBOFIX

    ComboFix 10-01-24.05 - Administrator 01/25/2010 13:32:01.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2520 [GMT -5:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    AV: CA Anti-Virus *On-access scanning disabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\recycler\S-1-5-21-1544189222-531907074-3551900700-500
    c:\windows\system32\wintab.dll
    F:\AUTORUN.INF . . . . failed to delete
    H:\AUTORUN.INF . . . . failed to delete
    I:\AUTORUN.INF . . . . failed to delete

    .
    ((((((((((((((((((((((((( Files Created from 2009-12-25 to 2010-01-25 )))))))))))))))))))))))))))))))
    .

    2010-01-25 15:00 . 2010-01-25 18:19 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\bcdgni
    2010-01-23 11:55 . 2010-01-23 12:08 -------- d-----w- c:\program files\Reimage
    2010-01-19 03:08 . 2010-01-19 03:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\pdf995
    2010-01-18 22:45 . 2010-01-23 00:54 60 ----a-w- c:\windows\wpd99.drv
    2010-01-18 22:45 . 2010-01-22 12:51 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
    2010-01-18 22:45 . 2010-01-18 22:45 51716 ----a-w- c:\windows\system32\pdf995mon.dll
    2010-01-18 22:45 . 2010-01-18 22:45 249856 ----a-w- c:\windows\system32\pdfmona.dll
    2010-01-18 22:45 . 2010-01-18 22:46 -------- d-----w- C:\pdf995
    2010-01-17 04:52 . 2010-01-17 04:52 -------- d-----w- c:\program files\NoteWorthy Player
    2010-01-14 17:33 . 2010-01-14 17:33 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-01-14 17:32 . 2010-01-14 17:32 -------- d-----w- c:\program files\Microsoft Works
    2010-01-14 17:31 . 2010-01-14 17:31 -------- d-----r- C:\MSOCache
    2010-01-14 17:31 . 2010-01-14 17:31 -------- d-----w- c:\program files\Activation Assistant for the 2007 Microsoft Office suites
    2010-01-14 16:11 . 2010-01-25 03:51 -------- d-----w- C:\TempInstall-clean often
    2010-01-14 14:17 . 2010-01-14 14:17 -------- d-----w- c:\program files\American Systems
    2010-01-09 01:06 . 2010-01-09 01:06 -------- d-----w- c:\windows\Sun
    2010-01-07 04:18 . 2010-01-07 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security
    2010-01-07 04:18 . 2010-01-07 04:18 -------- d-----w- c:\program files\Panda USB Vaccine
    2010-01-07 01:18 . 2010-01-25 13:30 1 ----a-w- c:\documents and settings\Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-01-07 01:17 . 2010-01-07 01:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\OpenOffice.org
    2010-01-07 01:16 . 2010-01-07 01:16 -------- d-----w- c:\program files\JRE
    2010-01-07 01:16 . 2010-01-07 01:16 -------- d-----w- c:\program files\OpenOffice.org 3
    2010-01-07 01:15 . 2010-01-07 01:15 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-01-02 00:12 . 2010-01-02 00:12 -------- d-----w- c:\program files\RyTech Software
    2009-12-30 01:51 . 2010-01-25 18:36 12660 ----a-w- c:\windows\system32\tablet.dat
    2009-12-30 01:51 . 2009-12-30 01:51 -------- d-----w- c:\windows\system32\WTablet
    2009-12-30 01:51 . 2003-12-04 22:00 634880 ----a-w- c:\windows\system32\Tablet.exe
    2009-12-30 01:51 . 2003-12-04 21:49 102400 ----a-w- c:\windows\system32\Wintab32.dll
    2009-12-30 01:51 . 2003-12-04 21:46 44544 ----a-w- c:\windows\system32\TabHook.dll
    2009-12-30 01:51 . 2003-12-04 19:16 65536 ----a-w- c:\windows\system32\TabUnst.dll
    2009-12-30 01:51 . 2001-04-09 17:45 8138 ----a-w- c:\windows\system32\drivers\penclass.sys
    2009-12-30 01:51 . 2009-12-30 01:51 -------- d-----w- c:\program files\Wacom
    2009-12-30 01:43 . 2001-07-31 14:19 13408 ----a-w- c:\windows\system32\tabinst.dll
    2009-12-30 01:43 . 2000-01-05 19:14 36864 ----a-w- c:\windows\system32\pencls32.dll
    2009-12-30 01:43 . 1999-04-15 18:41 4032 ----a-w- c:\windows\system32\tabins16.dll
    2009-12-29 21:23 . 2009-12-29 21:27 -------- d---a-w- C:\Yahoo SiteBuilder
    2009-12-29 21:21 . 2009-12-29 21:21 -------- d---a-w- c:\documents and settings\Administrator\PamPics for email
    2009-12-29 20:09 . 2009-12-29 20:09 -------- d-s-a-w- c:\documents and settings\Cookies
    2009-12-29 20:09 . 2009-12-25 21:53 65536 ----a-w- c:\documents and settings\Cookies\index.dat
    2009-12-29 19:56 . 2009-12-29 19:56 -------- d-----w- c:\program files\IrfanView
    2009-12-29 19:25 . 1998-10-29 21:45 306688 ----a-w- c:\windows\IsUninst.exe
    2009-12-29 19:09 . 2009-12-29 19:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\gtk-2.0
    2009-12-29 19:08 . 2009-12-29 19:08 -------- d-----w- c:\documents and settings\Administrator\.thumbnails
    2009-12-29 19:07 . 2010-01-02 00:04 -------- d-----w- c:\documents and settings\Administrator\.gimp-2.6
    2009-12-29 18:47 . 2009-12-29 18:47 -------- d-----w- c:\program files\GIMPshop
    2009-12-29 18:39 . 2009-12-29 18:39 -------- d-----w- c:\program files\GIMP-2.0
    2009-12-29 18:38 . 2009-12-29 18:39 -------- d-----w- c:\program files\PhotoScape
    2009-12-29 18:19 . 2009-12-29 18:19 -------- d-----w- c:\program files\NfoDiz 6.0
    2009-12-29 17:26 . 2009-12-29 18:20 -------- d-----w- c:\program files\Games
    2009-12-29 16:39 . 2009-12-29 16:39 -------- d-----w- c:\program files\Claris Corp
    2009-12-29 16:38 . 1999-03-23 14:12 299520 ----a-w- c:\windows\uninst.exe
    2009-12-29 16:38 . 2009-12-29 16:38 -------- d-----w- c:\documents and settings\Administrator\WINDOWS
    2009-12-29 11:20 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
    2009-12-29 11:12 . 2010-01-05 10:00 52224 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
    2009-12-29 11:12 . 2010-01-05 10:00 459264 ------w- c:\windows\system32\dllcache\msfeeds.dll
    2009-12-29 11:12 . 2010-01-05 10:00 268288 ------w- c:\windows\system32\dllcache\iertutil.dll
    2009-12-29 11:12 . 2010-01-05 10:00 63488 ------w- c:\windows\system32\dllcache\icardie.dll
    2009-12-29 11:12 . 2010-01-05 10:00 380928 ------w- c:\windows\system32\dllcache\ieapfltr.dll
    2009-12-29 11:12 . 2009-12-31 15:33 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
    2009-12-29 11:12 . 2009-06-29 08:33 2452872 ------w- c:\windows\system32\dllcache\ieapfltr.dat
    2009-12-29 11:12 . 2010-01-05 10:00 6067200 ------w- c:\windows\system32\dllcache\ieframe.dll
    2009-12-29 00:54 . 2009-12-29 00:54 -------- d-----w- c:\windows\system32\NtmsData
    2009-12-28 02:07 . 2009-12-28 02:07 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
    2009-12-28 02:03 . 2008-04-14 05:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    2009-12-28 02:03 . 2008-04-14 05:17 25856 ----a-w- c:\windows\system32\dllcache\usbprint.sys
    2009-12-27 16:56 . 2009-08-13 15:16 512000 ------w- c:\windows\system32\dllcache\jscript.dll
    2009-12-27 13:30 . 2007-08-13 23:54 33792 ----a-w- c:\windows\system32\dllcache\custsat.dll
    2009-12-27 13:11 . 2003-06-25 21:05 266360 ----a-w- c:\windows\system32\TweakUI.exe
    2009-12-27 12:35 . 2009-12-27 13:30 -------- d-----w- c:\windows\ServicePackFiles
    2009-12-27 09:27 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
    2009-12-27 09:27 . 2008-12-11 10:57 333952 ------w- c:\windows\system32\dllcache\srv.sys
    2009-12-27 09:27 . 2008-05-08 14:02 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
    2009-12-27 09:27 . 2008-05-01 14:33 331776 ------w- c:\windows\system32\dllcache\msadce.dll
    2009-12-27 09:27 . 2008-04-11 19:04 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll
    2009-12-27 09:25 . 2009-08-05 01:44 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
    2009-12-27 09:24 . 2009-06-10 14:19 2066432 ------w- c:\windows\system32\dllcache\mstscax.dll
    2009-12-27 00:44 . 1997-06-23 02:34 74203 ----a-w- c:\windows\MOIRE.SCR
    2009-12-26 23:07 . 2009-12-26 23:07 -------- d-----w- c:\program files\Program Shortcuts

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-25 16:17 . 2009-12-26 22:47 77264 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-01-20 15:12 . 2009-12-26 22:40 -------- d-----w- c:\program files\Common Files\InstallShield
    2010-01-17 06:17 . 2009-12-26 22:27 -------- d-----w- c:\program files\microsoft frontpage
    2010-01-14 17:32 . 2009-12-26 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-01-14 17:31 . 2009-12-26 22:50 -------- d-----w- c:\documents and settings\All Users\Application Data\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}
    2010-01-07 01:15 . 2009-12-26 22:39 -------- d-----w- c:\program files\Java
    2010-01-05 10:00 . 2004-08-04 07:56 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-01-05 10:00 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-01-05 10:00 . 2004-08-04 07:56 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-01-02 00:12 . 2010-01-02 00:12 4 ----a-w- c:\windows\absacc.tmp
    2009-12-29 07:04 . 2009-12-29 07:04 -------- d-----w- c:\program files\MSBuild
    2009-12-29 07:04 . 2009-12-29 07:04 -------- d-----w- c:\program files\Reference Assemblies
    2009-12-28 02:38 . 2009-12-26 22:50 -------- d-----w- c:\program files\Microsoft Small Business
    2009-12-27 13:33 . 2006-04-26 00:31 88207 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2009-12-26 22:52 . 2009-12-26 22:52 1805 --sha-r- c:\windows\system32\drivers\103C_HP_BPC_HP Compaq dc5750 Microtower_YB_0Comp_Q2UA902_EU_48_I0A64h_SHP_V_B786E3 v02.34_T080402_WXP2_L409_M3071_J250_7AMD_8Athlon Dual Core 4450B_92.29_#091226_N14E4167B_(KR706UT#ABA)_X_CD6_Z_2_G10025974.MRK
    2009-12-26 22:52 . 2009-12-26 22:38 -------- d-----w- c:\program files\Hewlett-Packard
    2009-12-26 22:51 . 2009-12-26 22:41 -------- d-----w- c:\program files\Broadcom
    2009-12-26 22:51 . 2009-12-26 22:51 -------- d-----w- c:\program files\Compaq
    2009-12-26 22:50 . 2009-12-26 22:50 -------- d-----w- c:\program files\PDF Complete
    2009-12-26 22:48 . 2009-12-26 22:45 -------- d-----w- c:\program files\Microsoft.NET
    2009-12-26 22:48 . 2009-12-26 22:48 -------- d-----w- c:\program files\Microsoft SQL Server
    2009-12-26 22:48 . 2009-12-26 22:48 -------- d-----w- c:\program files\MSXML 6.0
    2009-12-26 22:42 . 2009-12-26 22:42 -------- d-----w- c:\program files\HPQ
    2009-12-26 22:41 . 2009-12-26 22:41 -------- d-----w- c:\program files\Realtek
    2009-12-26 22:41 . 2009-12-26 22:41 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{38DD9AAA-A09A-42FF-A9EE-DA9C84B2E036}\ARPPRODUCTICON.exe
    2009-12-26 22:41 . 2009-12-26 22:41 -------- d-----w- c:\program files\AMD
    2009-12-26 22:40 . 2009-12-26 22:40 -------- d-----w- c:\program files\Common Files\ATI Technologies
    2009-12-26 22:40 . 2009-12-26 22:40 -------- d-----w- c:\program files\ATI Technologies
    2009-12-26 22:40 . 2009-12-26 22:40 -------- d-----w- c:\program files\DIFX
    2009-12-26 22:39 . 2009-12-26 22:39 -------- d-----w- c:\program files\Common Files\Java
    2009-12-26 22:07 . 2009-12-26 22:06 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
    2009-12-26 22:06 . 2009-12-26 22:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Logitech
    2009-12-26 22:06 . 2009-12-26 22:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Leadertech
    2009-12-26 22:06 . 2009-12-26 22:04 -------- d-----w- c:\program files\Common Files\Logishrd
    2009-12-26 22:04 . 2009-12-26 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
    2009-12-26 22:04 . 2009-12-26 22:04 -------- d-----w- c:\program files\Logitech
    2009-12-26 21:54 . 2009-12-26 21:54 0 ----a-w- c:\windows\nsreg.dat
    2009-12-26 21:21 . 2009-12-26 20:17 739696 ----a-w- c:\windows\system32\drivers\vetefile.sys
    2009-12-26 21:21 . 2009-12-26 20:17 133520 ----a-w- c:\windows\system32\drivers\veteboot.sys
    2009-12-26 20:18 . 2009-12-26 20:17 99568 ----a-w- c:\windows\system32\isafeif.dll
    2009-12-26 20:18 . 2009-12-26 20:17 91376 ----a-w- c:\windows\system32\isafprod.dll
    2009-12-26 20:18 . 2009-12-26 20:17 83256 ----a-w- c:\windows\system32\vetredir.dll
    2009-12-26 20:18 . 2009-12-26 20:17 26352 ----a-w- c:\windows\system32\drivers\vet-filt.sys
    2009-12-26 20:18 . 2009-12-26 20:17 21488 ----a-w- c:\windows\system32\drivers\vetfddnt.sys
    2009-12-26 20:18 . 2009-12-26 20:17 21104 ----a-w- c:\windows\system32\drivers\vet-rec.sys
    2009-12-26 20:18 . 2009-12-26 20:17 161008 ----a-w- c:\windows\system32\drivers\vetmonnt.sys
    2009-12-26 20:17 . 2009-12-26 20:17 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
    2009-12-26 20:17 . 2009-12-26 20:17 -------- d-----w- c:\program files\CA
    2009-12-25 05:05 . 2009-12-29 20:08 41520 ----a-w- c:\documents and settings\test\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-11-21 15:51 . 2004-08-04 07:56 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "High Definition Audio Property Page Shortcut "= "HDAShCut.exe" [2005-01-08 61952]
    "ATIPTA "= "c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-05-24 344064]
    "amd_dc_opt "= "c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-03-14 77824]
    "RTHDCPL "= "RTHDCPL.EXE" [2006-08-01 16049664]
    "PDF Complete "= "c:\program files\PDF Complete\pdfsty.exe" [2007-08-07 331288]
    "SetRefresh "= "c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
    "cctray "= "c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-12-26 181488]
    "CAVRID "= "c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2009-12-26 230640]
    "Kernel and Hardware Abstraction Layer "= "KHALMNPR.EXE" [2009-06-17 55824]

    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Absolute Accessories.lnk - c:\program files\RyTech Software\Absolute Accessories\AbsAcc.exe [2010-1-1 311296]
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2001-12-29 110592]
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-12-26 813584]
    TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2009-12-29 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2009-07-20 17:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=" "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=

    R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [9/21/2006 11:30 AM 120320]
    R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [9/13/2006 1:06 PM 3840]
    R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [12/26/2009 5:06 PM 10384]
    R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [12/26/2009 5:50 PM 540184]
    S3 cpuz128;cpuz128;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\cpuz_x32.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\cpuz_x32.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-01-25 c:\windows\Tasks\PandaUSBVaccine.job
    - c:\program files\Panda USB Vaccine\RunInteractiveWin.exe [2010-01-07 21:45]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    LSP: c:\windows\system32\VetRedir.dll
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ql8q5tfq.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-vymhlhdw - c:\documents and settings\Administrator\Local Settings\Application Data\bcdgni\eseksysguard.exe
    HKLM-Run-vymhlhdw - c:\documents and settings\Administrator\Local Settings\Application Data\bcdgni\eseksysguard.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-01-25 13:36
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\pdfcDispatcher]
    "ImagePath "= "c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1548)
    c:\windows\system32\Ati2evxx.dll
    c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    c:\program files\common files\logishrd\bluetooth\LBTServ.dll

    - - - - - - - > 'explorer.exe'(2532)
    c:\windows\system32\WININET.dll
    c:\windows\system32\tabhook.dll
    c:\program files\Logitech\SetPoint\lgscroll.dll
    c:\windows\system32\ieframe.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Panda USB Vaccine\USBVaccine.exe
    c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    c:\windows\RTHDCPL.EXE
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\windows\system32\Tablet.exe
    c:\program files\OpenOffice.org 3\program\soffice.exe
    c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    c:\windows\System32\spool\DRIVERS\W32X86\3\HPZENG09.exe
    c:\program files\OpenOffice.org 3\program\soffice.bin
    c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    c:\program files\CA\CA Internet Security Suite\ccprovsp.exe
    .
    **************************************************************************
    .
    Completion time: 2010-01-25 13:39:46 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-01-25 18:39

    Pre-Run: 212,556,795,904 bytes free
    Post-Run: 212,872,638,464 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

    - - End Of File - - 10D028D722505A6FE8F7F933B5F10401


    HIJACKTHIS
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:54:26 PM, on 1/25/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16981)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Panda USB Vaccine\USBVaccine.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\PDF Complete\pdfsvc.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\PDF Complete\pdfsty.exe
    C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZENG09.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe "
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe "
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe "
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
    O4 - Global Startup: Absolute Accessories.lnk = C:\Program Files\RyTech Software\Absolute Accessories\AbsAcc.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
    O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

    --
    End of file - 5334 bytes
     
  8. 2010/01/25
    broni (Moderator, Malware Analyst)

    Reimage? I strongly suggest you avoid this service.

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start> "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Restart computer.

    ===============================================================

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure you update Superantispyware and Malwarebytes before running the scans.***

    STEP 1. Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart the computer in Safe Mode.
    To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

    * Open SUPERAntiSpyware.
    * Click Scan your Computer... button.
    * Click Scanning Preferences/Control Center... button.
    * Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    - Close browsers before scanning.
    - Terminate memory threats before quarantining.

    * Click the Close button to leave the control center screen.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    - Click Preferences, then click the Statistics/Logs tab.
    - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    - If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    - Please copy and paste the Scan Log results in your next reply.

    * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 3.
    Post fresh HijackThis log.
    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  9. 2010/01/25
    frayedknotarts (Thread Starter)

    Whoof! That took a while!

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 01/25/2010 at 07:09 PM

    Application Version : 4.33.1000

    Core Rules Database Version : 4515
    Trace Rules Database Version: 2327

    Scan type : Complete Scan
    Total Scan Time : 03:40:34

    Memory items scanned : 212
    Memory threats detected : 0
    Registry items scanned : 5582
    Registry threats detected : 0
    File items scanned : 115416
    File threats detected : 0




    Malwarebytes' Anti-Malware 1.44
    Database version: 3638
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    1/25/2010 8:50:50 PM
    mbam-log-2010-01-25 (20-50-50).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 256607
    Time elapsed: 1 hour(s), 4 minute(s), 16 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 5

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\Administrator\My Documents\Downloads\ONeillsCD Copy\01-ReadThisFirst-PC_User\PC_WINDOWS_STUFF\freezip.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\My Documents\My Music\NEW CD ONEILL ALLAN\2009\01a-ReadThisFirst-PC_User\PC_WINDOWS_STUFF\freezip.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\My Documents\My Music\NEW CD ONEILL ALLAN\For Image\0000-read this stuff FIRST!\PC_WINDOWS_STUFF\freezip.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP107\A0007299.sys (Malware.Trace) -> Quarantined and deleted successfully.
    C:\Yahoo SiteBuilder\sites\oldmusictotal\OldMusicProject\Updates\ReadThisFirst-PC_User\PC_WINDOWS_STUFF\freezip.exe (Trojan.Agent) -> Quarantined and deleted successfully.



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:55:24 PM, on 1/25/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16981)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Panda USB Vaccine\USBVaccine.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\PDF Complete\pdfsty.exe
    C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\RyTech Software\Absolute Accessories\AbsAcc.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\PDF Complete\pdfsvc.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
    O4 - Global Startup: Absolute Accessories.lnk = C:\Program Files\RyTech Software\Absolute Accessories\AbsAcc.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
    O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

    --
    End of file - 5611 bytes
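The entry in both HijackThis logs above that deserves the closest look is `R1 - HKCU\...\Internet Settings,ProxyServer = http=127.0.0.1:5555`: with it set, Internet Explorer and anything else using the WinINet proxy settings sends its web traffic to a listener on the local machine on port 5555. Rogue antivirus programs of that era commonly planted exactly this kind of loopback proxy so they could inject their fake "infected" warnings into browsing, and the line is still present in the log taken after the Malwarebytes cleanup. The thread itself does not say what set it on this machine, and the analyst's instruction not to fix anything by hand stands, so the script below only reports. It is an added example, not a tool the thread uses or part of HijackThis: the sample log is a constructed excerpt built from entries in the posted log plus one invented `sample.exe` autostart, and the directory list and severity labels are the example's own heuristics.

```python
"""HijackThis log triage (added example; not a tool used in the thread).
Flags IE proxy settings that point at the local machine, and autostart or
service entries that run from user-writable directories or as bare names."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: entries as they appear in the posted log, plus one
# invented autostart ("sample.exe") running from Application Data.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe "
O4 - HKCU\..\Run: [sample] C:\Documents and Settings\Administrator\Application Data\sample.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
"""

PROXY_RE = re.compile(r"^R[01] - (HK\w+)\\.*Internet Settings,ProxyServer = (.*)$")
O4_RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run\w*: \[(.+?)\] (.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - (Startup|Global Startup): (.+?) = (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.*)$")
PROGRAM_RE = re.compile(r"(.+?\.(?:exe|dll|sys|bat|cmd|scr|pif|com))(?:\s|$)", re.IGNORECASE)

# Example's own heuristic: places an autostart or service rarely runs from legitimately.
SUSPECT_DIRS = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\", "\\recycler\\")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high": act on it; "review": confirm by hand
    entry: str      # the raw log line
    reason: str


def parse_proxy(value):
    """Split an IE ProxyServer value ('host:port' or 'http=host:port;https=...') into tuples."""
    out = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        out.append((scheme or None, host, int(port) if port.isdigit() else None))
    return out


def is_loopback(host):
    """True for localhost, 127.0.0.0/8 and ::1 (with or without brackets)."""
    host = host.strip("[]")
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def executable_of(command):
    """Program path from an O4/O23 command; tolerates the stray space before a closing quote."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return (command[1:end] if end > 0 else command[1:]).strip()
    m = PROGRAM_RE.match(command)
    return m.group(1) if m else command


def path_concerns(path):
    """Return a reason to look closer at this program path, or None."""
    if "\\" not in path:
        return "bare file name, resolved through the search path; confirm which copy actually runs"
    low = path.lower()
    for d in SUSPECT_DIRS:
        if d in low:
            return "runs from a user-writable location (%s)" % d.strip("\\")
    return None


def triage(log_text):
    """Scan a HijackThis log and return the entries worth a second look, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = PROXY_RE.match(line)
        if m:
            for scheme, host, port in parse_proxy(m.group(2)):
                if is_loopback(host):
                    findings.append(Finding(
                        "high", line,
                        "%s traffic is sent to a proxy on this machine (%s:%s); identify the "
                        "process listening on that port before trusting the browser"
                        % (scheme or "all", host, port)))
            continue
        m = O4_RUN_RE.match(line) or O4_STARTUP_RE.match(line) or O23_RE.match(line)
        if m:
            reason = path_concerns(executable_of(m.group(3)))
            if reason:
                findings.append(Finding("review", line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (f.severity.upper(), f.entry, f.reason))
```

Against the sample it reports the proxy line as high and the bare `RTHDCPL.EXE` and the invented `sample.exe` entries for review; the Program Files and system32 entries pass. To use it on a real log, read the saved file into `triage()` instead of `SAMPLE_LOG`. On the XP machine in the thread, `netstat -ano` shows whether anything is actually listening on port 5555 and which PID owns it, and the setting itself is the `ProxyServer` value (with `ProxyEnable` beside it) under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings; whether to clear it is the analyst's call, not the script's.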
     
  10. 2010/01/25
    broni (Moderator, Malware Analyst)

    How is your computer doing at this moment?

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart the computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  11. 2010/01/25
    frayedknotarts (Thread Starter)

    It seems to be back to normal (well, as normal as anything associated with me could ever be, that is...)

    Once I get the TFC and Kaspersky done and a "clean bill of health", may I then delete the logs and RKILL proggies from my desktop? I'm keeping SuperAntiSpyware and Malware Bytes fer sure, and I've also re-installed WinPatrol.

    I also *thought* I had a firewall re-installed, but since I recently had to re-install the OS due to a weird problem, I may not have done so. Suggestions for your favourite Firewall? I was using Zone Alarm's free version.
     
  12. 2010/01/25
    broni (Moderator, Malware Analyst)

    Yes.
    That's the way to go. Run TFC weekly.

    As for a firewall, I'm not a big fan of ZA. I prefer Comodo.
     
  13. 2010/01/25
    frayedknotarts (Thread Starter)

    Ah. Kaspersky is updating their online scanner, it seems, but it is temporarily unavailable.
     
  14. 2010/01/25
    broni (Moderator, Malware Analyst)

    Please run a free online scan with the ESET Online Scanner

    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
     
  15. 2010/01/25
    frayedknotarts (Thread Starter)

    Disable my antivirus first?
     
  16. 2010/01/25
    broni (Moderator, Malware Analyst)

    Always a good idea.
     
  17. 2010/01/25
    frayedknotarts (Thread Starter)

    Installed Comodo. 'S OK?
     
  18. 2010/01/25
    broni (Moderator, Malware Analyst)

    A whole suite?
    If so, did you uninstall CA?
     
  19. 2010/01/26
    frayedknotarts (Thread Starter)

    Nope. Installed the "standalone" option.

    "Snoozed" CA until I estimated the test would be done, and disabled Comodo... now have firewall security and defense setting at "safe" level. Advise if you think "paranoia" is warranted!


    Ran TFC (added it to my repeating event notices)

    ESET didn't complete.... probably ran past the "snooze" time I gave CA (3 hrs) so I'll try that again tonite when I get home.


    "Ah'll be Bach!"
     
  20. 2010/01/26
    broni (Moderator, Malware Analyst)

    I'm still not sure about your current security programs configuration.
    You installed standalone Comodo firewall, right?
    But what about CA firewall?
     
  21. 2010/01/26
    frayedknotarts (Thread Starter)

    Looks like the CA I got didn't include anything but the AV program... no firewall.

    Ran the ESET program and it came up clean... no logfile I could find to post. Found no threats.
     
