
Solved Backdoor.SdBot.gen and WinAntispyware2008 Problems

Discussion in 'Malware and Virus Removal Archive' started by mc89, 2009/04/08.

  1. 2009/04/10
    Juliet Well-Known Member
    It appears to be an orphaned registry entry.


    Next: Please disable all onboard security programs (all running with background protection) as it may hinder the scanner from working.
    This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

    Click on this link Here to see a list of programs that should be disabled.
    The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) *Do Not Use Wordpad or any other text editor than Notepad, or the script will fail!* and copy and paste the text present inside the quote box below:
    Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.
    [screenshot: dragging CFScript.txt onto ComboFix.exe]

    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


    In your next reply post:
    ComboFix.txt
    New HJT log


    Anti-Virus Still finding the entry?

    How's the computer?
     
  2. 2009/04/10
    mc89 Inactive Thread Starter
    ComboFix Log

    ComboFix 09-04-04.01 - Compaq_Owner 2009-04-10 19:19:27.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.206 [GMT -6:00]
    Running from: c:\documents and settings\Compaq_Owner\Desktop\Combo-Fix.exe
    Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
    AV: Authentium Antivirus *On-access scanning enabled* (Updated)
    AV: PeoplePC Antivirus *On-access scanning enabled* (Updated)
    FW: PeoplePC Firewall *disabled*
    * Created a new restore point
    .
    - REDUCED FUNCTIONALITY MODE -
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\system\

    .
    ((((((((((((((((((((((((( Files Created from 2009-03-11 to 2009-04-11 )))))))))))))))))))))))))))))))
    .

    2009-04-10 19:18 . 2006-03-03 00:42 73,728 --a------ C:\pv.exe
    2009-04-08 23:03 . 2009-04-09 01:47 <DIR> d-------- C:\ComboFix
    2009-04-08 23:03 . 2009-04-08 23:03 389,120 --a------ c:\windows\system32\CF32201.exe
    2009-04-05 01:48 . 2009-04-05 01:48 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-04-05 01:48 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-04-05 01:48 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-03-31 03:43 . 2009-03-31 03:43 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\Windows Search
    2009-03-31 03:33 . 2009-03-31 03:33 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\Windows Desktop Search
    2009-03-31 03:32 . 2009-03-31 03:32 <DIR> d-------- c:\windows\system32\GroupPolicy
    2009-03-31 03:32 . 2009-03-31 03:32 <DIR> d-------- c:\program files\Windows Desktop Search
    2009-03-31 03:30 . 2008-03-07 11:02 192,000 -----c--- c:\windows\system32\dllcache\offfilt.dll
    2009-03-31 03:30 . 2008-03-07 11:02 98,304 -----c--- c:\windows\system32\dllcache\nlhtml.dll
    2009-03-31 03:30 . 2008-03-07 11:02 29,696 -----c--- c:\windows\system32\dllcache\mimefilt.dll
    2009-03-15 13:31 . 2009-03-16 04:53 <DIR> d-------- c:\program files\Spybot - Search & Destroy

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-10 10:14 --------- d-----w c:\program files\FXDD - MetaTrader 4
    2009-04-05 10:44 --------- d-----w c:\program files\Smart PC Solutions
    2009-04-05 10:44 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Smart PC Solutions
    2009-03-16 23:50 --------- d-----w c:\program files\Max Registry Cleaner
    2009-03-16 10:51 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-02-23 11:54 --------- d-----w c:\program files\CandleWorks
    2009-02-22 08:48 --------- d-----w c:\program files\LSI SoftModem
    2009-02-21 08:55 --------- d-----w c:\program files\PeoplePC
    2009-02-13 12:59 --------- d-----w c:\program files\Alwil Software
    2008-03-17 22:01 2,045 -c--a-w c:\program files\Deploy.log
    2007-01-22 03:28 28,672 ----a-w c:\documents and settings\Compaq_Owner\atwbxdet.dll
    2004-11-03 22:25 2,238 -c--a-w c:\program files\Common Files\emini.ico
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv "= "c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2008-12-11 136600]
    "HPDJ Taskbar Utility "= "c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
    "KBD "= "c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
    "Bart Station "= "c:\program files\PeoplePC\ISP7230\BIN\PPCOLink.exe" [2008-05-27 25944]
    "Recguard "= "c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
    "RCSystemTray "= "c:\program files\Max Registry Cleaner\MaxRCSystemTray.exe" [2009-02-23 925568]
    "RCAutoLiveUpdate "= "c:\program files\Max Registry Cleaner\MaxLURC.exe" [2009-02-23 946048]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2004-10-13 278528]
    "PeoplePC Internet Security Pack "= "c:\program files\PeoplePC\PeoplePC Internet Security Pack\bin\ppc_isp2.exe" [2007-10-26 46568]
    "AGRSMMSG "= "AGRSMMSG.exe" [2005-03-04 c:\windows\AGRSMMSG.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting "= "c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

    c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
    Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-12-04 111376]
    Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-12-04 51984]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
    Compaq Connections.lnk - c:\program files\Compaq Connections\6750491\Program\Compaq Connections.exe [2004-08-09 16423]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5} "= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0lsdelete

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\WINDOWS\\SMINST\\INSTALL_APP.EXE "=
    "c:\\hp\\support\\HPSysInfo.exe "=
    "c:\\Program Files\\CandleWorks\\FXTS2\\FXTSpp.exe "=
    "c:\\Program Files\\Microsoft Office\\Office\\EXCEL.EXE "=
    "c:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\wkscal.exe "=
    "c:\\Program Files\\Microsoft Works\\msworks.exe "=
    "c:\\Program Files\\Microsoft Works\\wkssb.exe "=
    "c:\\Program Files\\Online Services\\MSN90\\LaunchMsn.exe "=
    "c:\\Program Files\\Outlook Express\\msimn.exe "=
    "c:\\Program Files\\PC-Doctor for Windows\\Pcdrw32.exe "=
    "c:\\Program Files\\QuickTime\\PictureViewer.exe "=
    "c:\\Program Files\\QuickTime\\QuickTimePlayer.exe "=
    "c:\\Program Files\\QuickTime\\QuickTimeUpdater.exe "=
    "c:\\Program Files\\Outlook Express\\wab.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Forexgrail\\ForexGrail.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP "= 3389:TCP:mad:xpsp2res.dll,-22009

    R0 GRFILTER;CS NDIS Driver;c:\windows\system32\drivers\GRFilter.sys [2006-11-10 22584]
    R2 GRTdiMon;GR TDI Mon;c:\windows\system32\drivers\GRTdiMon.sys [2006-11-10 42040]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
    R3 ADSFilter;ADSFilter - (Aluria Filter Driver);c:\windows\system32\drivers\ADSFilter.sys [2006-11-20 56728]
    R3 ADSMonitor;ADSMonitor - (EarthLink Monitor Driver);c:\windows\system32\drivers\ADSMonitor.sys [2006-11-20 35352]
    S3 EarthLinkSafeConnectDriver;EarthLinkSafeConnectDriver;c:\program files\PeoplePC\PeoplePC Internet Security Pack\Sana\Driver\platform_XP\SafeConnectDriver.sys [2007-04-26 151832]
    S3 EarthLinkSafeConnectFilter;EarthLinkSafeConnectFilter;c:\program files\PeoplePC\PeoplePC Internet Security Pack\Sana\Driver\platform_XP\SafeConnectFilter.sys [2007-04-26 31000]
    S3 EarthLinkSafeConnectShim;EarthLinkSafeConnectShim;c:\program files\PeoplePC\PeoplePC Internet Security Pack\Sana\Driver\platform_XP\SafeConnectShim.sys [2006-10-16 38632]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-10 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 20:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://msn.com/
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
    mStart Page = hxxp://www.google.com
    uInternet Connection Wizard,ShellNext = hxxp://www.symantecstore.com/promo=44984
    uInternet Settings,ProxyServer = http=localhost:8080
    uInternet Settings,ProxyOverride = <local>
    IE: Refresh Pa&ge with Full Quality - c:\program files\PeoplePC Accelerated\pac-page.html
    IE: Refresh Pi&cture with Full Quality - c:\program files\PeoplePC Accelerated\pac-image.html
    TCP: {151DAF64-54CF-4C69-9B0D-B956AA7053C2} = 209.244.0.3 209.244.0.4
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-10 19:20:02
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2009-04-10 19:22:27
    ComboFix-quarantined-files.txt 2009-04-11 01:22:11
    ComboFix2.txt 2009-04-09 07:59:22

    Pre-Run: 69,165,658,112 bytes free
    Post-Run: 69,155,737,600 bytes free

    148 --- E O F --- 2009-03-13 10:56:42
     


  4. 2009/04/10
    mc89 Inactive Thread Starter
    HiJackthis Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:28:43 PM, on 4/10/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\LSI SoftModem\agrsmsvc.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\PeoplePC\PeoplePC Internet Security Pack\bin\UpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\PeoplePC\PeoplePC Internet Security Pack\bin\ProtectionService.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\PeoplePC\ISP7230\Browser\Bartshel.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\PROGRA~1\PeoplePC\ISP7230\Browser\PPShared.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\PeoplePC\ISP7230\Browser\Bartshel.exe
    C:\Program Files\PeoplePC Accelerated\PeoplePC.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Documents and Settings\Compaq_Owner\Desktop\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.symantecstore.com/promo=44984
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
    O2 - BHO: Accelerator Plugin - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\PROGRA~1\PEOPLE~1\PRPL_I~1.DLL
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP7230\BIN\PPCOLink.exe -STATION
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [RCSystemTray] C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
    O4 - HKLM\..\Run: [RCAutoLiveUpdate] C:\Program Files\Max Registry Cleaner\MaxLURC.exe -AUTO
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [PeoplePC Internet Security Pack] "C:\Program Files\PeoplePC\PeoplePC Internet Security Pack\bin\ppc_isp2.exe" /tray
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-page.html
    O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-image.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{151DAF64-54CF-4C69-9B0D-B956AA7053C2}: NameServer = 209.244.0.3 209.244.0.4
    O17 - HKLM\System\CS1\Services\Tcpip\..\{151DAF64-54CF-4C69-9B0D-B956AA7053C2}: NameServer = 209.244.0.3 209.244.0.4
    O23 - Service: ADSService - Aluria Software, a division of EarthLink, Inc. - C:\Program Files\Common Files\ADS\ADSService.exe
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Program Files\LSI SoftModem\agrsmsvc.exe
    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    O23 - Service: EarthLinkSafeConnectAgent - Unknown owner - C:\Program Files\PeoplePC\PeoplePC Internet Security Pack\Sana\Bin\SanaAgent.exe
    O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - C:\Program Files\PeoplePC\PeoplePC Internet Security Pack\bin\UpdateService.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: ProtectionService - EarthLink, Inc. - C:\Program Files\PeoplePC\PeoplePC Internet Security Pack\bin\ProtectionService.exe

    --
    End of file - 7298 bytes
     
  5. 2009/04/10
    mc89 Inactive Thread Starter
    Anti-Virus Software Scan Results

    Start Scan Session: 4/7/2009 4:41:22 PM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    End Scan Session: 4/7/2009 4:42:49 PM
    =======================================================================

    Spyware Quarantined: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    Active Spyware Scan Detected: Backdoor.SdBot.gen [4/7/2009 8:46:40 PM]
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ctfmon.exe
    Action Taken: Quarantined

    Active Spyware Scan Detected: WinAntiSpyware [4/7/2009 8:50:10 PM]
    HKEY_LOCAL_MACHINE\software\antivirus
    Action Taken: Quarantined

    =======================================================================
    Start Scan Session: 4/7/2009 10:20:49 PM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    End Scan Session: 4/7/2009 10:22:07 PM
    =======================================================================

    Spyware Quarantined: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    =======================================================================
    Start Scan Session: 4/8/2009 5:52:27 AM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    End Scan Session: 4/8/2009 5:54:21 AM
    =======================================================================

    Spyware Quarantined: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    =======================================================================
    Start Scan Session: 4/9/2009 2:46:04 AM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    End Scan Session: 4/9/2009 2:48:26 AM
    =======================================================================

    Spyware Quarantined: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    =======================================================================
    Start Scan Session: 4/9/2009 6:10:26 AM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    End Scan Session: 4/9/2009 6:12:00 AM
    =======================================================================

    Active Spyware Scan Detected: WinAntiSpyware [4/9/2009 6:38:43 AM]
    HKEY_LOCAL_MACHINE\software\antivirus
    Action Taken: Quarantined

    =======================================================================
    Start Scan Session: 4/10/2009 12:55:46 AM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: Backdoor.SdBot.gen
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ctfmon.exe

    Spyware Scan Detected: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    End Scan Session: 4/10/2009 1:14:34 AM
    =======================================================================

    Spyware Quarantined: Backdoor.SdBot.gen
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ctfmon.exe

    Spyware Quarantined: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    =======================================================================
    Start Scan Session: 4/10/2009 1:27:17 AM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    End Scan Session: 4/10/2009 1:27:38 AM
    =======================================================================

    =======================================================================
    Start Scan Session: 4/10/2009 4:08:13 AM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin File Scan:

    End Scan Session: 4/10/2009 4:08:21 AM
    =======================================================================

    =======================================================================
    Start Scan Session: 4/10/2009 4:17:24 AM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    End Scan Session: 4/10/2009 4:24:45 AM
    =======================================================================

    Spyware Quarantined: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    =======================================================================
    Start Scan Session: 4/10/2009 7:35:19 PM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    End Scan Session: 4/10/2009 7:37:23 PM
    =======================================================================

    Spyware Quarantined: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    =======================================================================
    Start Scan Session: 4/10/2009 7:49:39 PM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    Spyware Scan Detected: Backdoor.SdBot.gen
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ctfmon.exe

    End Scan Session: 4/10/2009 7:51:20 PM
    =======================================================================

    Spyware Quarantined: Backdoor.SdBot.gen
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ctfmon.exe

    Spyware Quarantined: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    =======================================================================
    Start Scan Session: 4/10/2009 8:05:37 PM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    End Scan Session: 4/10/2009 8:06:31 PM
    =======================================================================

    The Anti-Virus caught these 2 again after the script was run. Do you think this malware is programmed into the Windows XP System Restore feature and regenerates them after reboot?
     
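As an added example (not code from the thread, from PeoplePC or from WindowsBBS), here is a small Python parser for the scan-log format posted above. It groups detections by name and registry location and flags each item that was detected again after it had already been quarantined, which is exactly the regeneration pattern mc89 is asking about. The log excerpt is constructed from two of the sessions above (blank lines dropped) plus one made-up item, Adware/Constructed.Sample, that does not come back, for contrast.

```python
"""Parse the PeoplePC Internet Security Pack scan log quoted in the thread
and report which detections keep returning after being quarantined."""
import re
from collections import defaultdict, namedtuple
from datetime import datetime

Event = namedtuple("Event", "kind name location when")
TS_FMT = "%m/%d/%Y %I:%M:%S %p"  # e.g. 4/7/2009 4:41:22 PM

# Constructed excerpt in the log format posted above: two of the thread's
# sessions (blank lines dropped) plus one made-up item, Adware/Constructed.Sample,
# that is quarantined once and never comes back, for contrast.
SAMPLE_LOG = r"""
Start Scan Session: 4/7/2009 4:41:22 PM
Spyware Scan Detected: WinAntiSpyware
HKEY_LOCAL_MACHINE\software\antivirus
Spyware Scan Detected: Adware/Constructed.Sample
HKEY_LOCAL_MACHINE\software\constructed-sample
End Scan Session: 4/7/2009 4:42:49 PM
=======================================================================
Spyware Quarantined: WinAntiSpyware
HKEY_LOCAL_MACHINE\software\antivirus
Spyware Quarantined: Adware/Constructed.Sample
HKEY_LOCAL_MACHINE\software\constructed-sample
Active Spyware Scan Detected: Backdoor.SdBot.gen [4/7/2009 8:46:40 PM]
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ctfmon.exe
Action Taken: Quarantined
=======================================================================
Start Scan Session: 4/10/2009 12:55:46 AM
Spyware Scan Detected: Backdoor.SdBot.gen
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ctfmon.exe
Spyware Scan Detected: WinAntiSpyware
HKEY_LOCAL_MACHINE\software\antivirus
End Scan Session: 4/10/2009 1:14:34 AM
=======================================================================
Spyware Quarantined: Backdoor.SdBot.gen
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ctfmon.exe
Spyware Quarantined: WinAntiSpyware
HKEY_LOCAL_MACHINE\software\antivirus
"""


def _ts(text):
    return datetime.strptime(text.strip(), TS_FMT)


def parse_scan_log(text):
    """Return Events in log order.
    'detected'    : found in a scan session (when = session start)
    'quarantined' : quarantined after a session (when = session end)
    'active'      : real-time hit with its own timestamp; the log marks
                    these 'Action Taken: Quarantined' as well"""
    lines = [ln.strip() for ln in text.splitlines()]
    events, start, end = [], None, None
    i = 0
    while i < len(lines):
        ln = lines[i]
        nxt = lines[i + 1] if i + 1 < len(lines) else ""  # registry/file location
        if ln.startswith("Start Scan Session:"):
            start = _ts(ln.split(":", 1)[1])
        elif ln.startswith("End Scan Session:"):
            end = _ts(ln.split(":", 1)[1])
        elif ln.startswith("Spyware Scan Detected:"):
            events.append(Event("detected", ln.split(":", 1)[1].strip(), nxt, start))
            i += 1  # skip the location line we just consumed
        elif ln.startswith("Spyware Quarantined:"):
            events.append(Event("quarantined", ln.split(":", 1)[1].strip(), nxt, end))
            i += 1
        else:
            m = re.match(r"Active Spyware Scan Detected: (.+) \[(.+)\]$", ln)
            if m:
                events.append(Event("active", m.group(1), nxt, _ts(m.group(2))))
                i += 1
        i += 1
    return events


def recurrence_report(events):
    """Per (name, location): number of detections, number of quarantines,
    and whether it was detected again *after* its first quarantine."""
    detections, quarantines = defaultdict(list), defaultdict(list)
    for e in events:
        key = (e.name, e.location)
        if e.kind in ("detected", "active"):
            detections[key].append(e.when)
        if e.kind in ("quarantined", "active"):
            quarantines[key].append(e.when)
    report = {}
    for key, seen in detections.items():
        first_q = min(quarantines[key]) if quarantines[key] else None
        report[key] = {
            "detections": len(seen),
            "quarantined": len(quarantines[key]),
            "recurring": first_q is not None and any(d > first_q for d in seen),
        }
    return report


if __name__ == "__main__":
    for (name, loc), r in recurrence_report(parse_scan_log(SAMPLE_LOG)).items():
        flag = "RECURRING" if r["recurring"] else "cleared"
        print(f"{flag:9} {name:28} x{r['detections']} (quarantined {r['quarantined']}): {loc}")
```

An item that is RECURRING after a quarantine points at a persistence mechanism the quarantine did not touch (another autorun entry, a scheduled task, or a System Restore point re-seeding it), so that is where the next round of logs should be read.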
  6. 2009/04/11
    Juliet Well-Known Member
    That's what I'm starting to think.
    Scans we've run that generally pick up the WinAntiSpyware files and folders aren't finding it.


    Let's run the below online scan.
    Don't freak if you see it found something, kinda expecting it to in quarantine folders.

    Perform an online scan with Panda ActiveScan
    * Click on Scan Your PC Now
    * A "pop up" window will appear, or a new tab will open.
    * Click on Register
    * Choose the option you like most, but we recommend the Free Registration.

    Click on Register
    # Enter your e-mail address, and create a password.
    # Select "I do not want to receive any type of information". (unless you want to receive such information)
    # Click on Send
    # Confirm registration, and continue by entering your user name and password, then click on Enter
    # Select Full Scan, then Click on Scan Now
    # Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
    # If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
    # Please ignore the offer to buy the program. Click on Export To

    * Export the log and save it to your desktop.
    * Please attach the contents of that log in your next reply.
    * Turn off the real time scanner of any existing antivirus program while performing the online scan


    Please post your Panda log.


    How's your computer?
     
  7. 2009/04/11
    mc89 Inactive Thread Starter
    Panda Log Results

    ;***********************************************************************************
    ANALYSIS: 2009-04-11 20:01:10
    PROTECTIONS: 2
    MALWARE: 2
    SUSPECTS: 1
    ;***********************************************************************************
    PROTECTIONS
    Description            Version   Active   Updated
    ;===================================================================================
    Authentium Antivirus   4.305     Yes      Yes
    PeoplePC Antivirus     3.93      Yes      Yes
    ;===================================================================================
    MALWARE
    Id         Description          Type         Active   Severity   Disinfectable   Disinfected   Location
    ;===================================================================================
    00132734   adware/24-7-search   Adware       No       0          Yes             No            c:\windows\system32\unppc.exe
    02885963   Rootkit/Booto.C      Virus/Worm   No       0          Yes             Yes           C:\System Volume Information\_restore{A85EC1FF-58D4-4723-A09B-E5784A945816}\RP3\A0001154.sys
    ;===================================================================================
    SUSPECTS
    Sent   Location
    ;===================================================================================
    No     C:\Program Files\Interbank FX Trader 4\terminal.exe
    ;===================================================================================
    VULNERABILITIES
    Id   Severity   Description
    ;===================================================================================
    ;===================================================================================
     
  8. 2009/04/11
    mc89 (Thread Starter)
    Active Scan Disinfection

    The report pasted with the text jumbled. I'm not sure if it is going to be clear. The report sent to my Desktop states that the Rootkit/Booto.c was disinfected. The adware/24-7-search was not disinfected. The Panda program allowed one free disinfection. I sent the suspicious file to their lab.
     
  9. 2009/04/11
    mc89 (Thread Starter)
    Anti-Virus Scan after Panda

    Start Scan Session: 4/7/2009 4:41:22 PM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    End Scan Session: 4/7/2009 4:42:49 PM
    =======================================================================

    Spyware Quarantined: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    Active Spyware Scan Detected: Backdoor.SdBot.gen [4/7/2009 8:46:40 PM]
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ctfmon.exe
    Action Taken: Quarantined

    Active Spyware Scan Detected: WinAntiSpyware [4/7/2009 8:50:10 PM]
    HKEY_LOCAL_MACHINE\software\antivirus
    Action Taken: Quarantined

    =======================================================================
    Start Scan Session: 4/7/2009 10:20:49 PM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    End Scan Session: 4/7/2009 10:22:07 PM
    =======================================================================

    Spyware Quarantined: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    =======================================================================
    Start Scan Session: 4/8/2009 5:52:27 AM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    End Scan Session: 4/8/2009 5:54:21 AM
    =======================================================================

    Spyware Quarantined: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    =======================================================================
    Start Scan Session: 4/9/2009 2:46:04 AM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    End Scan Session: 4/9/2009 2:48:26 AM
    =======================================================================

    Spyware Quarantined: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    =======================================================================
    Start Scan Session: 4/9/2009 6:10:26 AM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    End Scan Session: 4/9/2009 6:12:00 AM
    =======================================================================

    Active Spyware Scan Detected: WinAntiSpyware [4/9/2009 6:38:43 AM]
    HKEY_LOCAL_MACHINE\software\antivirus
    Action Taken: Quarantined

    =======================================================================
    Start Scan Session: 4/10/2009 12:55:46 AM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: Backdoor.SdBot.gen
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ctfmon.exe

    Spyware Scan Detected: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    End Scan Session: 4/10/2009 1:14:34 AM
    =======================================================================

    Spyware Quarantined: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    Spyware Quarantined: Backdoor.SdBot.gen
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ctfmon.exe

    =======================================================================
    Start Scan Session: 4/10/2009 1:27:17 AM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    End Scan Session: 4/10/2009 1:27:38 AM
    =======================================================================

    =======================================================================
    Start Scan Session: 4/10/2009 4:08:13 AM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin File Scan:

    End Scan Session: 4/10/2009 4:08:21 AM
    =======================================================================

    =======================================================================
    Start Scan Session: 4/10/2009 4:17:24 AM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    End Scan Session: 4/10/2009 4:24:45 AM
    =======================================================================

    Spyware Quarantined: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    =======================================================================
    Start Scan Session: 4/10/2009 7:35:19 PM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    End Scan Session: 4/10/2009 7:37:23 PM
    =======================================================================

    Spyware Quarantined: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    =======================================================================
    Start Scan Session: 4/10/2009 7:49:39 PM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: Backdoor.SdBot.gen
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ctfmon.exe

    Spyware Scan Detected: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    End Scan Session: 4/10/2009 7:51:20 PM
    =======================================================================

    Spyware Quarantined: Backdoor.SdBot.gen
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ctfmon.exe

    Spyware Quarantined: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    =======================================================================
    Start Scan Session: 4/10/2009 8:05:37 PM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    End Scan Session: 4/10/2009 8:06:31 PM
    =======================================================================

    Spyware Quarantined: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    =======================================================================
    Start Scan Session: 4/10/2009 11:57:47 PM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin File Scan:

    End Scan Session: 4/10/2009 11:58:06 PM
    =======================================================================

    =======================================================================
    Start Scan Session: 4/11/2009 12:28:10 AM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin File Scan:

    End Scan Session: 4/11/2009 12:28:14 AM
    =======================================================================

    =======================================================================
    Start Scan Session: 4/11/2009 1:24:59 AM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin File Scan:

    End Scan Session: 4/11/2009 1:25:04 AM
    =======================================================================

    =======================================================================
    Start Scan Session: 4/11/2009 1:25:23 AM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin File Scan:

    End Scan Session: 4/11/2009 1:25:27 AM
    =======================================================================

    =======================================================================
    Start Scan Session: 4/11/2009 1:53:35 AM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: Backdoor.SdBot.gen
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ctfmon.exe

    End Scan Session: 4/11/2009 1:54:55 AM
    =======================================================================

    Spyware Quarantined: Backdoor.SdBot.gen
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ctfmon.exe

    =======================================================================
    Start Scan Session: 4/11/2009 2:46:28 AM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: Backdoor.SdBot.gen
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ctfmon.exe

    Spyware Scan Detected: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    End Scan Session: 4/11/2009 2:47:34 AM
    =======================================================================

    Spyware Quarantined: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    Spyware Quarantined: Backdoor.SdBot.gen
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ctfmon.exe

    =======================================================================
    Start Scan Session: 4/11/2009 5:59:16 AM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    End Scan Session: 4/11/2009 6:01:16 AM
    =======================================================================

    Spyware Quarantined: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    =======================================================================
    Start Scan Session: 4/11/2009 8:34:43 PM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    Spyware Scan Detected: Backdoor.SdBot.gen
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ctfmon.exe

    End Scan Session: 4/11/2009 9:31:26 PM
    =======================================================================

    Spyware Quarantined: Backdoor.SdBot.gen
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ctfmon.exe

    Spyware Quarantined: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    =======================================================================
    Start Scan Session: 4/11/2009 10:18:26 PM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    End Scan Session: 4/11/2009 10:19:05 PM
    =======================================================================


    My Anti-Virus program caught these 2 again after the Panda scan.
     
  10. 2009/04/12
    Juliet
    Welcome back

    c:\windows\system32\unPPC.exe - This belongs to PeoplePC, which I assume is your ISP?

    The other item was found in system restore points as expected.


    Don't miss or skip this next step; it will remove malicious files from quarantine and set a clean restore point.

    Go to Start > Run > copy and paste the full text path below into the Run box


    "%userprofile%\desktop\combofix.exe" /u


    Run your antivirus scan again and let's see if it still finds anything.
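    The log two posts up shows the same registry value reported quarantined and then detected again in a later session, and the advice above is to rerun the scanner after cleanup. As an added example, not from the thread or from either poster, the Python below tallies a log in that format to surface findings that recur after a quarantine, and checks whether a Run value named ctfmon.exe still points at the Windows Text Services loader in System32 (assumed here to be the default XP location, C:\WINDOWS\system32\ctfmon.exe). The log excerpt and registry values inside it are constructed; the baseline table, the function names and the "expected-path / unexpected-path" labels are my own, not the scanner's.

```python
"""Added example (not from the thread or either poster): triage an antivirus
log for findings that come back after the scanner says it quarantined them,
and check where a Run-key autostart value named ctfmon.exe really points.
The log excerpt and registry data are constructed in the thread's log format."""
import hashlib
import re
from collections import defaultdict
# Constructed two-session excerpt in the format of the ISP antivirus log above.
SAMPLE_LOG = r"""Start Scan Session: 4/7/2009 4:41:22 PM
Spyware Scan Detected: WinAntiSpyware
HKEY_LOCAL_MACHINE\software\antivirus
End Scan Session: 4/7/2009 4:42:49 PM
=======================================================================
Spyware Quarantined: WinAntiSpyware
HKEY_LOCAL_MACHINE\software\antivirus
Active Spyware Scan Detected: Backdoor.SdBot.gen [4/7/2009 8:46:40 PM]
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ctfmon.exe
Action Taken: Quarantined
=======================================================================
Start Scan Session: 4/10/2009 12:55:46 AM
Spyware Scan Detected: Backdoor.SdBot.gen
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ctfmon.exe
End Scan Session: 4/10/2009 1:14:34 AM
=======================================================================
Spyware Quarantined: Backdoor.SdBot.gen
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ctfmon.exe
"""
DETECT_RE = re.compile(r"^(?:Active )?Spyware Scan Detected: (?P<name>[^\[]+?)(?: \[.*\])?$")
QUARANTINE_RE = re.compile(r"^Spyware Quarantined: (?P<name>.+)$")

def parse_log(text):
    """Per (threat, location): detections, quarantines, and whether a detection
    followed a quarantine. The location always follows the detection line."""
    tally = defaultdict(lambda: {"detected": 0, "quarantined": 0, "recurred": False})
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines[:-1]):
        if m := DETECT_RE.match(line):
            entry = tally[(m.group("name").strip(), lines[i + 1])]
            entry["recurred"] |= entry["quarantined"] > 0
            entry["detected"] += 1
            # Real-time ("Active") hits report the action on the line after the location.
            if i + 2 < len(lines) and lines[i + 2] == "Action Taken: Quarantined":
                entry["quarantined"] += 1
        elif m := QUARANTINE_RE.match(line):
            tally[(m.group("name").strip(), lines[i + 1])]["quarantined"] += 1
    return dict(tally)

def recurring_after_quarantine(tally):
    """Quarantined and then detected again: whatever re-creates the item is still live."""
    return sorted(k for k, v in tally.items() if v["recurred"])

# Assumed baseline: the genuine Text Services loader on a default Windows XP
# install in C:\WINDOWS; adjust for the %SystemRoot% of the machine being checked.
EXPECTED_RUN_TARGETS = {"ctfmon.exe": r"c:\windows\system32\ctfmon.exe"}

def image_path(value_data):
    """Executable named by Run-value data like '"C:\\A B\\x.exe" /q' or 'C:\\x.exe /q'."""
    data = value_data.strip()
    if data.startswith('"') and data.count('"') >= 2:
        return data[1:data.index('"', 1)]
    m = re.match(r"(.+?\.exe)(?:\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else (data.split() or [""])[0]

def assess_run_value(name, value_data, expected=EXPECTED_RUN_TARGETS):
    """'expected-path' means the value is shaped like the legitimate one, not that
    the file is clean: hash the target (file_sha256) before trusting it."""
    want = expected.get(name.lower())
    if want is None:
        return "no-baseline"
    return "expected-path" if image_path(value_data).lower() == want else "unexpected-path"

def file_sha256(path):
    """Hash of the autostart target for a multi-engine lookup; None if the file is gone."""
    try:
        with open(path, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest()
    except OSError:  # missing target: a dangling Run value is itself worth noting
        return None

def live_hkcu_run_values():
    """Enumerate the real HKCU Run key on Windows; [] on other platforms."""
    try:
        import winreg
    except ImportError:
        return []
    values, index = [], 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            values.append((name, str(data)))
            index += 1
    return values

if __name__ == "__main__":
    for key in recurring_after_quarantine(parse_log(SAMPLE_LOG)):
        print("recurs after quarantine:", key)
    # On non-Windows hosts fall back to one constructed value so the check still runs.
    for name, data in live_hkcu_run_values() or [("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe")]:
        print(name, "->", assess_run_value(name, data), file_sha256(image_path(data)))
```

    Run as-is it reports the SdBot entry as recurring after quarantine; on a Windows host it also walks the live HKCU Run key. A value that matches the baseline path is only shaped like the legitimate entry, so the hash of the target is what to compare against a known-good copy or a multi-engine scanner, and a value whose target is missing or lives outside System32 is the one to pull before the next scan.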
     
  11. 2009/04/14
    mc89 (Thread Starter)
    Loaded new Anti-Virus Software

    On Saturday April 11th, I received an anti-virus software update disk from my ISP. It is supported by Kaspersky. I deleted the previous version and loaded the new one. I ran a scan and it did not find anything. I then ran the script that you sent to me in your last post and I received a message that the file could not be located. I believe everything is now cleared. My computer seems to be working fine now. Are there any other programs you would like for me to run?
     
  12. 2009/04/14
    Juliet
    That's good news.


    A couple of folders and files I want you to look for and, if found, delete.

    C:\Qoobox<--delete
    C:\ComboFix <--delete
    C:\ComboFix.txt <--delete this file.


    You should be good to go now, good job!


    Please take the time to read over a few of my preventive tips.


    Please navigate to Microsoft Windows Updates and download all the "Critical Updates " for Windows.


    Firefox 3
    The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 2 added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.
    *NoScript - Add-on for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

    How to prevent Malware: Created by Miekiemoes

    Here are some additional utilities that will further enhance your safety.
    # http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)


    Read this article 'Safe Computing Practices'.
    So how did I get infected in the first place.

    Secure My Computer: A Layered Approach

    Strong passwords: How to create and use them

    Free Antivirus-AntiSpyware-Firewall Software
    Slow Computer May Not Be Malware Related, Help! My computer is slow!
    http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html


    PC Safety and Security--What Do I Need?
    http://www.techsupportforum.com/sec...115548-pc-safety-security-what-do-i-need.html

    Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!
    This site offers people who have been (or are) victims of malware the opportunity to document their story.

    Extra note:
    Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/
     
  13. 2009/04/15
    mc89 (Thread Starter)
    Thank You.

    I ran a search and found the Qoobox and ComboFix files and deleted them. The ComboFix.txt did not come up in the search. I checked for critical updates and downloaded them. The scan with Secunia.com was very helpful. It showed that my Java and Adobe need updating, so I will work on those next. The rest of the tips you included are very helpful and informative too.

    Thank you for all of your help with fixing my problems. It is greatly appreciated!
     
  14. 2009/04/15
    Juliet
    Glad we could help :)

    Safe Surfing
     