New Member: Can't get rid of malware! Please analyze my log.

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: New Member: Can't get rid of malware! Please analyze my log.

Post by gerrym » August 22nd, 2008, 8:55 pm

The only backups I do are manually every few months. Nothing automated.
gerrym
Regular Member
 
Posts: 28
Joined: August 9th, 2008, 12:14 am

Re: New Member: Can't get rid of malware! Please analyze my log.

Post by ndmmxiaomayi » August 22nd, 2008, 11:02 pm

How about the second question? Have any backups been restored recently?
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: New Member: Can't get rid of malware! Please analyze my log.

Post by gerrym » August 22nd, 2008, 11:14 pm

Sorry, no.

Ok, I completed the scan of drives C and D. Below are the logs. I am now scanning the 1TB drive.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, August 22, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, August 22, 2008 18:44:27
Records in database: 1124860
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Folder:
C:\

Scan statistics:
Files scanned: 100113
Threat name: 8
Infected objects: 21
Suspicious objects: 0
Duration of the scan: 01:57:59


File name / Threat name / Threats count
C:\Documents and Settings\gerrym\Desktop\MalwareRemoval\[4]-Submit_2008-08-16@7.26.zip Infected: Trojan-Proxy.Win32.Agent.awk 2
C:\Documents and Settings\gerrym\Local Settings\Application Data\Microsoft\Outlook\Outlook_Pre2005.pst Infected: Email-Worm.Win32.Tanatos.b 1
C:\Documents and Settings\gerrym\My Documents\LISA\!Email Backup\mailbox.pst Infected: Email-Worm.VBS.KakWorm 11
C:\QooBox\Quarantine\C\WINDOWS\system32\Nobicyt.exe.vir Infected: Trojan.Win32.Agent.yxr 1
C:\QooBox\Quarantine\C\WINDOWS\system32\perfs.exe.vir Infected: Trojan.Win32.Agent.yjy 1
C:\QooBox\Quarantine\C\WINDOWS\system32\Proxy.dll.vir Infected: Trojan-Proxy.Win32.Agent.awk 1
C:\QooBox\Quarantine\C\WINDOWS\system32\routing.exe.vir Infected: Trojan.Win32.Agent.yhe 1
C:\QooBox\Quarantine\C\WINDOWS\system32\sobicyt.exe.vir Infected: Trojan.Win32.Agent.zbc 1
C:\QooBox\Quarantine\C\WINDOWS\system32\_reproxy.dll.vir Infected: Trojan-Proxy.Win32.Agent.awk 1
C:\WINDOWS\system32\cfexfst.sys Infected: Trojan-Clicker.Win32.VB.bnu 1

The selected area was scanned.



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, August 22, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, August 22, 2008 18:44:27
Records in database: 1124860
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Folder:
D:\

Scan statistics:
Files scanned: 40398
Threat name: 2
Infected objects: 12
Suspicious objects: 0
Duration of the scan: 00:29:45


File name / Threat name / Threats count
D:\!Backup\Computer Backups\062208\My Documents\LISA\!Email Backup\mailbox.pst Infected: Email-Worm.VBS.KakWorm 11
D:\!Backup\Computer Backups\062208\Outlook\Outlook_Pre2005.pst Infected: Email-Worm.Win32.Tanatos.b 1

The selected area was scanned.
gerrym
Regular Member
 
Posts: 28
Joined: August 9th, 2008, 12:14 am
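Editor's note, not part of gerrym's or the helper's posts: the two reports above mix four different kinds of hit, and only one of them is a file the operating system can actually load. The detections under C:\QooBox\Quarantine are ComboFix's own quarantine (the .vir suffix is ComboFix's), the .pst hits are worm bodies stored inside Outlook mail archives, the .zip under Desktop\MalwareRemoval appears to be the sample archive submitted earlier in this thread, and C:\WINDOWS\system32\cfexfst.sys is the one live detection, which is the file the helper goes after in the next CFScript. The script below is an added example written for this page (not a MalwareRemoval.com tool and not something either poster ran): it parses the "Infected:" lines of a Kaspersky Online Scanner 7 report and buckets them so that the live hits stand out. The category names, the function names and the SAMPLE_REPORT text are this example's own, constructed from the lines posted above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed test input: detection lines copied from the Kaspersky Online
# Scanner 7 reports for C:\ and D:\ posted above, so the parser runs offline.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\gerrym\Desktop\MalwareRemoval\[4]-Submit_2008-08-16@7.26.zip Infected: Trojan-Proxy.Win32.Agent.awk 2
C:\Documents and Settings\gerrym\Local Settings\Application Data\Microsoft\Outlook\Outlook_Pre2005.pst Infected: Email-Worm.Win32.Tanatos.b 1
C:\QooBox\Quarantine\C\WINDOWS\system32\Proxy.dll.vir Infected: Trojan-Proxy.Win32.Agent.awk 1
C:\WINDOWS\system32\cfexfst.sys Infected: Trojan-Clicker.Win32.VB.bnu 1
D:\!Backup\Computer Backups\062208\Outlook\Outlook_Pre2005.pst Infected: Email-Worm.Win32.Tanatos.b 1

The selected area was scanned.
"""

# One detection line: <path, may contain spaces> Infected: <threat name> <count>
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")


@dataclass
class Detection:
    path: str
    threat: str
    count: int
    category: str


def classify(path: str) -> str:
    """Bucket a detection by where it sits; the bucket decides the follow-up."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p or p.endswith(".vir"):
        return "quarantine"    # already moved aside by ComboFix, nothing runs from here
    if p.endswith((".pst", ".dbx")):
        return "mail-archive"  # worm body inside a mail store: delete the message, not the store
    if p.endswith((".zip", ".rar", ".7z")):
        return "archive"       # packed sample, e.g. a submission archive
    if "\\windows\\" in p:
        return "live-system"   # a file the OS can load: this one needs removal
    return "other"


def parse_report(text: str) -> List[Detection]:
    """Extract every 'Infected:' line from a Kaspersky Online Scanner 7 report."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(Detection(m.group("path"), m.group("threat"),
                                   int(m.group("count")), classify(m.group("path"))))
    return found


def summarize(text: str) -> Dict[str, int]:
    """Number of detected files per category."""
    counts: Dict[str, int] = {}
    for d in parse_report(text):
        counts[d.category] = counts.get(d.category, 0) + 1
    return counts


def live_detections(text: str) -> List[str]:
    """Paths that are neither quarantined nor inside an archive or mail store."""
    return [d.path for d in parse_report(text) if d.category == "live-system"]


if __name__ == "__main__":
    for d in parse_report(SAMPLE_REPORT):
        print(f"{d.category:12} {d.threat:32} x{d.count}  {d.path}")
    print("needs action:", live_detections(SAMPLE_REPORT))
```

Run against the full C:\ report above, the only path that lands in the live-system bucket is cfexfst.sys; everything else is either already quarantined or sits inside a container the scanner opened because "Scan archives" and "Scan mail databases" were both set to yes.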

Re: New Member: Can't get rid of malware! Please analyze my log.

Post by ndmmxiaomayi » August 24th, 2008, 1:24 am

Hello,

Please delete your current copy of Combofix and download the latest from one of the links below:

Bleeping Computer
Forospyware
Geeks to Go

Save it to your desktop. Double click on ComboFix.exe to run it.

Follow the prompts. When done, a log will be produced. Please post this log in your next reply.
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: New Member: Can't get rid of malware! Please analyze my log.

Post by gerrym » August 24th, 2008, 12:10 pm

ComboFix 08-08-23.03 - gerrym 2008-08-24 9:04:05.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2752 [GMT -7:00]
Running from: C:\Documents and Settings\gerrym\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\gerrym\Cookies\gerrym@ad.yieldmanager[2].txt

----- BITS: Possible infected sites -----

http://www.spiralfrog.com
.
((((((((((((((((((((((((( Files Created from 2008-07-24 to 2008-08-24 )))))))))))))))))))))))))))))))
.

2008-08-20 19:27 . 2008-08-20 19:27 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-20 19:26 . 2008-08-20 19:26 <DIR> d-------- C:\Program Files\iTunes
2008-08-20 19:26 . 2008-08-20 19:26 <DIR> d-------- C:\Program Files\iPod
2008-08-20 19:24 . 2008-08-20 19:24 <DIR> d-------- C:\Program Files\Bonjour
2008-08-17 05:43 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-17 05:42 . 2008-08-17 05:42 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-16 09:27 . 2008-08-16 11:21 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-08-13 20:27 . 2008-05-01 07:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-13 20:26 . 2008-04-11 12:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-12 22:24 . 2008-08-12 22:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-08-09 10:38 . 2008-08-09 10:38 <DIR> d-------- C:\Deckard
2008-08-08 22:52 . 2008-04-13 17:12 14,336 --a------ C:\WINDOWS\system32\svchost.exe
2008-08-08 22:52 . 2008-04-13 17:12 14,336 --a------ C:\WINDOWS\system32\dllcache\svchost.exe
2008-08-08 21:03 . 2008-08-08 21:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-08 20:12 . 2008-08-14 19:58 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-08 20:12 . 2008-08-14 19:58 <DIR> d-------- C:\Documents and Settings\gerrym\Application Data\SUPERAntiSpyware.com
2008-08-08 20:12 . 2008-08-08 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-07 21:57 . 2008-08-07 21:57 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-07 21:57 . 2008-08-07 21:57 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-07 21:57 . 2008-08-07 21:57 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-07 21:57 . 2008-08-07 21:57 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-07 21:54 . 2008-08-07 21:54 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-07 21:42 . 2008-04-13 17:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-08-06 20:00 . 2008-08-06 20:06 <DIR> d-------- C:\sdat
2008-08-06 20:00 . 2008-08-06 20:00 63,186,610 --a------ C:\sdat5355.exe
2008-08-06 19:25 . 2008-08-06 19:25 61,224 --a------ C:\Documents and Settings\gerrym\GoToAssistDownloadHelper.exe
2008-08-06 19:24 . 2008-08-06 19:24 <DIR> d-------- C:\Documents and Settings\gerrym\Application Data\McAfee
2008-08-04 20:45 . 2008-08-22 07:07 15,741 --a------ C:\WINDOWS\system32\Config.MPF
2008-08-04 20:42 . 2008-08-04 20:42 <DIR> d-------- C:\Program Files\McAfee.com
2008-08-04 20:42 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-08-04 20:42 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-08-04 20:42 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-08-04 20:42 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-08-04 20:42 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-08-04 20:42 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-08-04 20:41 . 2008-08-06 17:59 <DIR> d-------- C:\Program Files\McAfee
2008-08-04 20:41 . 2008-08-04 20:42 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-08-04 20:08 . 2008-08-08 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-24 12:51 --------- d-----w C:\Program Files\SpiralFrog
2008-08-17 12:43 --------- d-----w C:\Program Files\Java
2008-08-16 14:46 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-15 02:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-14 04:44 --------- d-----w C:\Program Files\MSN Messenger
2008-08-14 03:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-13 07:06 --------- d-----w C:\Documents and Settings\gerrym\Application Data\Yahoo!
2008-08-13 05:23 --------- d-----w C:\Program Files\Yahoo!
2008-08-13 05:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-08-08 05:36 14,336 ----a-w C:\WINDOWS\system32\svchostold.exe
2008-07-26 18:38 --------- d-----w C:\Program Files\QuickTime
2008-07-26 16:27 --------- d-----w C:\Program Files\WinFax
2008-07-14 01:40 --------- d-----w C:\Program Files\TiVo
2008-07-14 01:40 --------- d-----w C:\Program Files\Common Files\TiVo Shared
2008-07-14 01:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\TiVo
2008-07-12 17:00 --------- d-----w C:\Program Files\radio SHARK
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 17:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:43 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
.

((((((((((((((((((((((((((((( snapshot_2008-08-14_ 7.34.22.98 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-21 02:27:02 102,400 ----a-r C:\WINDOWS\Installer\{3DE0053C-FD9A-483E-B7C9-B06E4392206E}\iTunesIco.exe
+ 2008-08-21 02:25:00 86,016 ----a-r C:\WINDOWS\Installer\{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}\PrntWzrdIco.exe
+ 2008-08-21 02:28:00 27,136 ----a-r C:\WINDOWS\Installer\{6956856F-B6B3-4BE0-BA0B-8F495BE32033}\AppleSoftwareUpdateIco.exe
- 2008-08-14 10:34:32 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-24 11:40:10 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-08-14 10:34:32 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-24 11:40:10 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-07-24 22:17:08 81,920 ----a-w C:\WINDOWS\system32\dns-sd.exe
+ 2007-07-24 22:17:08 61,440 ----a-w C:\WINDOWS\system32\dnssd.dll
- 2008-02-22 08:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 08:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2008-02-22 08:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 08:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2008-02-22 09:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 09:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-07-27 21:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
+ 2007-07-27 21:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
+ 2005-12-06 02:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
+ 2005-12-05 19:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
+ 2008-02-11 16:39:26 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
+ 2008-02-11 16:39:18 237,568 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
+ 2008-02-08 20:53:46 110,592 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
+ 2008-02-05 15:48:04 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
- 2008-08-14 03:42:15 72,152 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-22 14:11:24 72,152 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-14 03:42:15 444,528 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-22 14:11:24 444,528 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
"TivoTransfer"="C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2008-04-04 10:54 1193984]
"TivoNotify"="C:\Program Files\TiVo\Desktop\TiVoNotify.exe" [2008-04-04 10:54 394240]
"TivoServer"="C:\Program Files\TiVo\Desktop\TiVoServer.exe" [2008-04-04 10:56 1879552]
"EPSON Stylus Photo R320 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE" [2004-04-26 03:00 98304]
"AOL Fast Start"="C:\Program Files\AOL 9.1\AOL.EXE" [2007-10-27 10:44 50528]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 05:34 69632]
"PDF Complete"="C:\Program Files\PDF Complete\pdfsty.exe" [2004-02-18 07:56 177152]
"HostManager"="C:\Program Files\Common Files\AOL\1192916523\ee\AOLSoftware.exe" [2007-05-25 10:16 42032]
"EPSON Stylus Photo R320 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE" [2004-04-26 03:00 98304]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 07:55 61440]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 10:21 116224]
"WFXSwtch"="C:\PROGRA~1\WinFax\WFXSWTCH.exe" [2002-10-15 18:42 27648]
"EEventManager"="C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-10-12 15:57 102400]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-03-19 07:15 7634944]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-03-19 07:15 86016]
"SpiralFrog"="C:\Program Files\SpiralFrog\Spiralfrog.exe" [2007-10-15 14:38 163128]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 10:19 15872]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 17:12 110592 C:\WINDOWS\system32\bthprops.cpl]
"WinFaxAppPortStarter"="wfxsnt40.exe" [2002-10-15 18:42 45568 C:\WINDOWS\system32\WFXSNT40.EXE]
"nwiz"="nwiz.exe" [2007-03-19 07:15 1622016 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\gerrym\Start Menu\Programs\Startup\
radio SHARK Scheduler.lnk - C:\Program Files\radio SHARK\radioSHARKScheduler.exe [2006-08-07 18:10:44 40960]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Controller.LNK - C:\Program Files\WinFax\WFXCTL32.EXE [2007-10-21 15:38:10 549376]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-12-16 01:39:06 67128]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "C:\PROGRA~1\WinFax\WfxSeh32.Dll" [1998-07-27 04:54 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\aol\\1192916523\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"C:\\Documents and Settings\\gerrym\\Desktop\\BL-NetCamera-EasyConfig.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Cyberlink\\PowerDirector\\PDR.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"C:\\Program Files\\AOL 9.1\\waol.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 IFP300;iriver Internet Audio Player IFP-300;C:\WINDOWS\system32\DRIVERS\ifp300.sys [2004-03-29 18:28]
R2 TivoBeacon2;TiVo Beacon;C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [2008-04-04 10:53]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 14:38]
R2 wfxsvc;WinFax PRO;C:\WINDOWS\system32\WFXSVC.EXE [2000-09-28 23:58]
R3 HCWBT8XX;Hauppauge WinTV 848/9 WDM Video Driver;C:\WINDOWS\system32\drivers\HCWBT8XX.sys [2005-03-02 12:44]
R3 MovRVDrv32;MovRVDrv32;C:\WINDOWS\system32\DRIVERS\MovRVDrv32.sys [2007-10-09 13:52]
R3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2007-10-09 18:04]
S3 SoundMovieServer;SoundMovieServer;C:\WINDOWS\system32\snmvtsvc.exe [2007-10-09 13:42]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-08-23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-08-15 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-08-05 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\gerrym\Application Data\Mozilla\Firefox\Profiles\wsgypzfj.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://my.yahoo.com/
FF -: plugin - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\browser\nppdf32.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.1.0.30401.0.dll
FF -: plugin - C:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-24 09:06:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-24 9:08:00
ComboFix-quarantined-files.txt 2008-08-24 16:07:44
ComboFix2.txt 2008-08-16 14:30:04
ComboFix3.txt 2008-08-16 00:29:06
ComboFix4.txt 2008-08-14 14:34:54
ComboFix5.txt 2008-08-24 16:03:21

Pre-Run: 7,590,268,928 bytes free
Post-Run: 7,737,704,448 bytes free

245 --- E O F --- 2008-08-08 05:24:14
gerrym
Regular Member
 
Posts: 28
Joined: August 9th, 2008, 12:14 am
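Editor's note, not from either poster: besides the Run keys, the "Reg Loading Points" section of the log above records three Security Center settings worth reading. AntiVirusDisableNotify=1 suppresses the Security Center antivirus alert; the two DisableMonitoring=1 values under Monitoring\McAfeeAntiVirus and Monitoring\McAfeeFirewall say those products have opted out of Security Center monitoring (vendors commonly set this themselves, so confirm it in the product rather than reading it as proof of tampering); and EnableFirewall=0 means the Windows Firewall standard profile is off, which is expected when a third-party firewall is the active one. The Python below is an added example written for this page, not a ComboFix feature and not a script the helper provided: it parses ComboFix's REGEDIT4-style listing, including the two numeric spellings ComboFix uses ("dword:00000001" and "0 (0x0)"), and flags those values. SAMPLE_REG is constructed from the lines above; the severity labels and function names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed test input: the Security Center and firewall-policy entries from
# the "Reg Loading Points" section of the ComboFix log posted above.
SAMPLE_REG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.+?)\s*$')


def parse_value(raw: str) -> int:
    """Decode the two numeric forms ComboFix prints: 'dword:00000001' and '0 (0x0)'."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return int(raw.split()[0], 0)   # raises ValueError for string/binary data


def parse_reg(text: str) -> Dict[Tuple[str, str], int]:
    """Map (key, value name), both lower-cased, to the numeric value."""
    values: Dict[Tuple[str, str], int] = {}
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            try:
                values[(key, m.group("name").lower())] = parse_value(m.group("raw"))
            except ValueError:
                pass   # Run entries and other string values are not part of this audit
    return values


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) pairs for Security Center / firewall settings."""
    findings: List[Tuple[str, str]] = []
    for (key, name), value in parse_reg(text).items():
        if key.endswith("\\security center") and name.endswith("disablenotify") and value == 1:
            findings.append(("warn", f"{name}=1: Security Center alert suppressed"))
        elif "\\security center\\monitoring\\" in key and name == "disablemonitoring" and value == 1:
            product = key.rsplit("\\", 1)[1]
            findings.append(("info", f"{product}: opted out of Security Center monitoring "
                                     "(often set by the vendor itself; verify in the product)"))
        elif key.endswith("\\firewallpolicy\\standardprofile") and name == "enablefirewall" and value == 0:
            findings.append(("warn", "Windows Firewall off for the standard profile "
                                     "(expected only if a third-party firewall is active)"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_REG):
        print(f"[{severity}] {message}")
```

The parser ignores the Run entries deliberately (their values are strings, so parse_value raises and the entry is skipped), which keeps the audit to the handful of numeric settings whose meaning is fixed. Feed it the whole ComboFix log and it produces the same four findings as the constructed sample.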

Re: New Member: Can't get rid of malware! Please analyze my log.

Post by ndmmxiaomayi » August 25th, 2008, 8:34 am

Hello,

Please open Notepad and copy and paste the following in the Code box into Notepad:

Code:
http://malwareremoval.com/forum/viewtopic.php?f=11&t=33541

Collect::
C:\WINDOWS\system32\cfexfst.sys


Warning: The above script is just for gerrym. If you are not gerrym, please do not use this script as it may damage the workings of your system.

Click on File > Save As....

In the File Name field, copy and paste in CFScript.txt. Do not change the file name.

Click Save.

Referring to the picture below, drag CFScript into Combofix.

Image

Combofix will start running. When done, a log will be produced. Please post this log in your next reply.

In addition, it will prompt you to submit some files for analysis.

Image

Click OK.

Copy and paste the file path into the text box next to the Browse button (boxed up in red).

Image

Click on Send File.

Do not mouse click on Combofix while it is running. That may cause it to stall.

In your next reply, please post:

  1. Combofix log (C:\Combofix.txt)
  2. A new HijackThis log
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: New Member: Can't get rid of malware! Please analyze my log.

Post by gerrym » August 25th, 2008, 8:42 pm

Ok, below are the ComboFix and HijackThis logs. Also, I've posted the results of the Kaspersky scan of my X drive. It finally finished after 21 hours! :) Looks like most of the files are Outlook files.

ComboFix 08-08-23.03 - gerrym 2008-08-25 17:25:04.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2768 [GMT -7:00]
Running from: C:\Documents and Settings\gerrym\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\gerrym\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cfexfst.sys

.
((((((((((((((((((((((((( Files Created from 2008-07-26 to 2008-08-26 )))))))))))))))))))))))))))))))
.

2008-08-20 19:27 . 2008-08-20 19:27 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-20 19:26 . 2008-08-20 19:26 <DIR> d-------- C:\Program Files\iTunes
2008-08-20 19:26 . 2008-08-20 19:26 <DIR> d-------- C:\Program Files\iPod
2008-08-20 19:24 . 2008-08-20 19:24 <DIR> d-------- C:\Program Files\Bonjour
2008-08-17 05:43 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-17 05:42 . 2008-08-17 05:42 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-16 09:27 . 2008-08-16 11:21 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-08-13 20:27 . 2008-05-01 07:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-13 20:26 . 2008-04-11 12:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-12 22:24 . 2008-08-12 22:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-08-09 10:38 . 2008-08-09 10:38 <DIR> d-------- C:\Deckard
2008-08-08 22:52 . 2008-04-13 17:12 14,336 --a------ C:\WINDOWS\system32\svchost.exe
2008-08-08 22:52 . 2008-04-13 17:12 14,336 --a------ C:\WINDOWS\system32\dllcache\svchost.exe
2008-08-08 21:03 . 2008-08-08 21:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-08 20:12 . 2008-08-14 19:58 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-08 20:12 . 2008-08-14 19:58 <DIR> d-------- C:\Documents and Settings\gerrym\Application Data\SUPERAntiSpyware.com
2008-08-08 20:12 . 2008-08-08 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-07 21:57 . 2008-08-07 21:57 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-07 21:57 . 2008-08-07 21:57 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-07 21:57 . 2008-08-07 21:57 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-07 21:57 . 2008-08-07 21:57 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-07 21:54 . 2008-08-07 21:54 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-07 21:42 . 2008-04-13 17:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-08-06 20:00 . 2008-08-06 20:06 <DIR> d-------- C:\sdat
2008-08-06 20:00 . 2008-08-06 20:00 63,186,610 --a------ C:\sdat5355.exe
2008-08-06 19:25 . 2008-08-06 19:25 61,224 --a------ C:\Documents and Settings\gerrym\GoToAssistDownloadHelper.exe
2008-08-06 19:24 . 2008-08-06 19:24 <DIR> d-------- C:\Documents and Settings\gerrym\Application Data\McAfee
2008-08-04 20:45 . 2008-08-24 09:14 15,907 --a------ C:\WINDOWS\system32\Config.MPF
2008-08-04 20:42 . 2008-08-04 20:42 <DIR> d-------- C:\Program Files\McAfee.com
2008-08-04 20:42 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-08-04 20:42 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-08-04 20:42 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-08-04 20:42 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-08-04 20:42 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-08-04 20:42 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-08-04 20:41 . 2008-08-06 17:59 <DIR> d-------- C:\Program Files\McAfee
2008-08-04 20:41 . 2008-08-04 20:42 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-08-04 20:08 . 2008-08-08 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-24 12:51 --------- d-----w C:\Program Files\SpiralFrog
2008-08-17 12:43 --------- d-----w C:\Program Files\Java
2008-08-16 14:46 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-15 02:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-14 04:44 --------- d-----w C:\Program Files\MSN Messenger
2008-08-14 03:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-13 07:06 --------- d-----w C:\Documents and Settings\gerrym\Application Data\Yahoo!
2008-08-13 05:23 --------- d-----w C:\Program Files\Yahoo!
2008-08-13 05:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-08-08 05:36 14,336 ----a-w C:\WINDOWS\system32\svchostold.exe
2008-07-26 18:38 --------- d-----w C:\Program Files\QuickTime
2008-07-26 16:27 --------- d-----w C:\Program Files\WinFax
2008-07-14 01:40 --------- d-----w C:\Program Files\TiVo
2008-07-14 01:40 --------- d-----w C:\Program Files\Common Files\TiVo Shared
2008-07-14 01:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\TiVo
2008-07-12 17:00 --------- d-----w C:\Program Files\radio SHARK
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 17:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:43 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
.

((((((((((((((((((((((((((((( snapshot_2008-08-14_ 7.34.22.98 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-21 02:27:02 102,400 ----a-r C:\WINDOWS\Installer\{3DE0053C-FD9A-483E-B7C9-B06E4392206E}\iTunesIco.exe
+ 2008-08-21 02:25:00 86,016 ----a-r C:\WINDOWS\Installer\{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}\PrntWzrdIco.exe
+ 2008-08-21 02:28:00 27,136 ----a-r C:\WINDOWS\Installer\{6956856F-B6B3-4BE0-BA0B-8F495BE32033}\AppleSoftwareUpdateIco.exe
- 2008-08-14 10:34:32 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-25 23:18:31 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-08-14 10:34:32 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-25 23:18:31 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-07-24 22:17:08 81,920 ----a-w C:\WINDOWS\system32\dns-sd.exe
+ 2007-07-24 22:17:08 61,440 ----a-w C:\WINDOWS\system32\dnssd.dll
- 2008-02-22 08:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 08:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2008-02-22 08:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 08:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2008-02-22 09:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 09:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-07-27 21:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
+ 2007-07-27 21:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
+ 2005-12-06 02:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
+ 2005-12-05 19:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
+ 2008-02-11 16:39:26 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
+ 2008-02-11 16:39:18 237,568 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
+ 2008-02-08 20:53:46 110,592 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
+ 2008-02-05 15:48:04 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
- 2008-08-14 03:42:15 72,152 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-24 16:17:52 72,152 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-14 03:42:15 444,528 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-24 16:17:52 444,528 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
"TivoTransfer"="C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2008-04-04 10:54 1193984]
"TivoNotify"="C:\Program Files\TiVo\Desktop\TiVoNotify.exe" [2008-04-04 10:54 394240]
"TivoServer"="C:\Program Files\TiVo\Desktop\TiVoServer.exe" [2008-04-04 10:56 1879552]
"EPSON Stylus Photo R320 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE" [2004-04-26 03:00 98304]
"AOL Fast Start"="C:\Program Files\AOL 9.1\AOL.EXE" [2007-10-27 10:44 50528]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 05:34 69632]
"PDF Complete"="C:\Program Files\PDF Complete\pdfsty.exe" [2004-02-18 07:56 177152]
"HostManager"="C:\Program Files\Common Files\AOL\1192916523\ee\AOLSoftware.exe" [2007-05-25 10:16 42032]
"EPSON Stylus Photo R320 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE" [2004-04-26 03:00 98304]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 07:55 61440]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 10:21 116224]
"WFXSwtch"="C:\PROGRA~1\WinFax\WFXSWTCH.exe" [2002-10-15 18:42 27648]
"EEventManager"="C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-10-12 15:57 102400]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-03-19 07:15 7634944]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-03-19 07:15 86016]
"SpiralFrog"="C:\Program Files\SpiralFrog\Spiralfrog.exe" [2007-10-15 14:38 163128]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 10:19 15872]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 17:12 110592 C:\WINDOWS\system32\bthprops.cpl]
"WinFaxAppPortStarter"="wfxsnt40.exe" [2002-10-15 18:42 45568 C:\WINDOWS\system32\WFXSNT40.EXE]
"nwiz"="nwiz.exe" [2007-03-19 07:15 1622016 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\gerrym\Start Menu\Programs\Startup\
radio SHARK Scheduler.lnk - C:\Program Files\radio SHARK\radioSHARKScheduler.exe [2006-08-07 18:10:44 40960]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Controller.LNK - C:\Program Files\WinFax\WFXCTL32.EXE [2007-10-21 15:38:10 549376]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-12-16 01:39:06 67128]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "C:\PROGRA~1\WinFax\WfxSeh32.Dll" [1998-07-27 04:54 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\aol\\1192916523\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"C:\\Documents and Settings\\gerrym\\Desktop\\BL-NetCamera-EasyConfig.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Cyberlink\\PowerDirector\\PDR.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"C:\\Program Files\\AOL 9.1\\waol.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 IFP300;iriver Internet Audio Player IFP-300;C:\WINDOWS\system32\DRIVERS\ifp300.sys [2004-03-29 18:28]
R2 TivoBeacon2;TiVo Beacon;C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [2008-04-04 10:53]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 14:38]
R2 wfxsvc;WinFax PRO;C:\WINDOWS\system32\WFXSVC.EXE [2000-09-28 23:58]
R3 HCWBT8XX;Hauppauge WinTV 848/9 WDM Video Driver;C:\WINDOWS\system32\drivers\HCWBT8XX.sys [2005-03-02 12:44]
R3 MovRVDrv32;MovRVDrv32;C:\WINDOWS\system32\DRIVERS\MovRVDrv32.sys [2007-10-09 13:52]
R3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2007-10-09 18:04]
S3 SoundMovieServer;SoundMovieServer;C:\WINDOWS\system32\snmvtsvc.exe [2007-10-09 13:42]
.
Contents of the 'Scheduled Tasks' folder

2008-08-23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-08-15 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-08-05 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-25 17:27:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-25 17:29:14
ComboFix-quarantined-files.txt 2008-08-26 00:28:54
ComboFix2.txt 2008-08-24 16:08:01
ComboFix3.txt 2008-08-16 14:30:04
ComboFix4.txt 2008-08-16 00:29:06
ComboFix5.txt 2008-08-26 00:24:12

Pre-Run: 7,816,753,152 bytes free
Post-Run: 7,846,813,696 bytes free

229 --- E O F --- 2008-08-08 05:24:14



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:40:04 PM, on 8/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\SAgent4.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\PDF Complete\pdfsty.exe
C:\Program Files\Common Files\AOL\1192916523\ee\AOLSoftware.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\Program Files\PDF Complete\pdfsaver.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\WinFax\WFXCTL32.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AOL 9.1\shellmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1192916523\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpiralFrog] C:\Program Files\SpiralFrog\Spiralfrog.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - HKCU\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /M "Stylus Photo R320" /EF "HKCU"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: radio SHARK Scheduler.lnk = C:\Program Files\radio SHARK\radioSHARKScheduler.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} (MetaStreamCtl Class) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 2911433140
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) - http://martinezfamily.viewnetcam.com:50 ... camera.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SoundMovieServer - SoundMovieServer - C:\WINDOWS\system32\snmvtsvc.exe
O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\SAgent4.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

--
End of file - 12748 bytes



=========== Kaspersky Scan ===========
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, August 25, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, August 24, 2008 16:20:21
Records in database: 1140664
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Folder:
X:\

Scan statistics:
Files scanned: 73059
Threat name: 7
Infected objects: 67
Suspicious objects: 5
Duration of the scan: 21:39:02


File name / Threat name / Threats count
X:\Computer Backups\033008\My Documents\LISA\!Email Backup\mailbox.pst Infected: Email-Worm.VBS.KakWorm 11
X:\Computer Backups\062208\My Documents\LISA\!Email Backup\mailbox.pst Infected: Email-Worm.VBS.KakWorm 11
X:\Computer Backups\DadsComputer_Jan2007\jose\Desktop\vnc-4_1_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
X:\Computer Backups\DadsComputer_Jan2007\jose\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 2
X:\Computer Backups\DadsComputer_Jan2007\jose\Local Settings\Temporary Internet Files\Content.IE5\74P5FKSS\e-chords[1].exe Infected: not-a-virus:AdWare.Win32.SearchIt.o 1
X:\Computer Backups\DadsComputer_Jan2007\jose\Local Settings\Temporary Internet Files\Content.IE5\98NU7V9B\vnc-4_1_2-x86_win32[1].exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
X:\Computer Backups\DadsComputer_Jan2007\My Documents\LISA\!Email Backup\mailbox.pst Infected: Email-Worm.VBS.KakWorm 11
X:\Computer Backups\May_2007\Outlook_2005.pst Infected: Trojan-Spy.HTML.Bankfraud.ej 1
X:\Computer Backups\May_2007\Outlook_2005.pst Infected: Trojan-Spy.HTML.Paylap.ev 1
X:\Computer Backups\May_2007\Outlook_2005.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 3
X:\Computer Backups\100907\My Documents\LISA\!Email Backup\mailbox.pst Infected: Email-Worm.VBS.KakWorm 11
X:\Computer Backups\101907\My Documents\LISA\!Email Backup\mailbox.pst Infected: Email-Worm.VBS.KakWorm 11
X:\Computer Backups\DadsComp_2003\test1.zip Infected: not-virus:BadJoke.Win32.JepRuss 1

The selected area was scanned.
gerrym
Regular Member
 
Posts: 28
Joined: August 9th, 2008, 12:14 am
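The Kaspersky report above lists one line per detection and a separate "Scan statistics" block; a quick way to sanity-check a report like this (and to see which container files, such as .pst mailboxes, carry the detections) is to parse the detail lines and reconcile them with the totals. The script below is an added example, not part of the thread and not a Kaspersky tool; it takes the detection lines from the posted report as its input and assumes Kaspersky's convention that names prefixed "not-a-virus:" or "not-virus:" denote riskware, adware or joke programs rather than malware proper.

```python
import re
from collections import defaultdict

# Detection lines copied verbatim from the Kaspersky Online Scanner 7 report
# posted above (raw string: the backslash paths are Windows paths, not escapes).
REPORT_LINES = r"""
X:\Computer Backups\033008\My Documents\LISA\!Email Backup\mailbox.pst Infected: Email-Worm.VBS.KakWorm 11
X:\Computer Backups\062208\My Documents\LISA\!Email Backup\mailbox.pst Infected: Email-Worm.VBS.KakWorm 11
X:\Computer Backups\DadsComputer_Jan2007\jose\Desktop\vnc-4_1_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
X:\Computer Backups\DadsComputer_Jan2007\jose\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 2
X:\Computer Backups\DadsComputer_Jan2007\jose\Local Settings\Temporary Internet Files\Content.IE5\74P5FKSS\e-chords[1].exe Infected: not-a-virus:AdWare.Win32.SearchIt.o 1
X:\Computer Backups\DadsComputer_Jan2007\jose\Local Settings\Temporary Internet Files\Content.IE5\98NU7V9B\vnc-4_1_2-x86_win32[1].exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
X:\Computer Backups\DadsComputer_Jan2007\My Documents\LISA\!Email Backup\mailbox.pst Infected: Email-Worm.VBS.KakWorm 11
X:\Computer Backups\May_2007\Outlook_2005.pst Infected: Trojan-Spy.HTML.Bankfraud.ej 1
X:\Computer Backups\May_2007\Outlook_2005.pst Infected: Trojan-Spy.HTML.Paylap.ev 1
X:\Computer Backups\May_2007\Outlook_2005.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 3
X:\Computer Backups\100907\My Documents\LISA\!Email Backup\mailbox.pst Infected: Email-Worm.VBS.KakWorm 11
X:\Computer Backups\101907\My Documents\LISA\!Email Backup\mailbox.pst Infected: Email-Worm.VBS.KakWorm 11
X:\Computer Backups\DadsComp_2003\test1.zip Infected: not-virus:BadJoke.Win32.JepRuss 1
""".strip().splitlines()

# "<path> <Infected|Suspicious>: <threat name> <count>"; the path may contain
# spaces, so it is matched non-greedily up to the status keyword.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<status>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)

# Assumption: Kaspersky marks riskware/adware/joke programs with these prefixes.
GRAYWARE_PREFIXES = ("not-a-virus:", "not-virus:")


def parse_report(lines):
    """Turn detection lines into dicts; lines that do not match are skipped."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        findings.append({
            "path": m.group("path"),
            "status": m.group("status"),
            "threat": m.group("threat"),
            "count": int(m.group("count")),
        })
    return findings


def is_grayware(threat_name):
    return threat_name.startswith(GRAYWARE_PREFIXES)


def summarize(findings):
    """Aggregate object counts the same way the report's statistics block does."""
    summary = {
        "infected": 0,          # objects on "Infected:" lines
        "suspicious": 0,        # objects on "Suspicious:" lines
        "threats": set(),       # distinct threat names
        "per_file": defaultdict(int),  # objects per container/file
        "grayware": [],         # findings that are riskware/adware/joke, not malware
    }
    for f in findings:
        summary["threats"].add(f["threat"])
        summary["per_file"][f["path"]] += f["count"]
        if f["status"] == "Infected":
            summary["infected"] += f["count"]
        else:
            summary["suspicious"] += f["count"]
        if is_grayware(f["threat"]):
            summary["grayware"].append(f)
    return summary


def check_statistics(summary, infected, suspicious, threat_names):
    """True when the detail lines add up to the report's statistics block."""
    return (summary["infected"] == infected
            and summary["suspicious"] == suspicious
            and len(summary["threats"]) == threat_names)


if __name__ == "__main__":
    s = summarize(parse_report(REPORT_LINES))
    print("infected objects:", s["infected"], "suspicious:", s["suspicious"],
          "distinct threats:", len(s["threats"]))
    for path, n in sorted(s["per_file"].items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  {path}")
    print("grayware findings:", [f["threat"] for f in s["grayware"]])
```

Run against the posted lines, the totals reconcile with the report's own "Infected objects: 67 / Suspicious objects: 5 / Threat name: 7". The per-file view also makes the thread's practical problem visible: most objects sit inside .pst mailbox files, where the scanner reports the container rather than the individual message.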

Re: New Member: Can't get rid of malware! Please analyze my log.

Unread postby ndmmxiaomayi » August 27th, 2008, 9:58 am

Hello,

You've quite a few infected mails. We'll need to get rid of them. Is McAfee able to scan them? If so, please let it scan your computer. Remember to update it before scanning your computer. ;)

You need to let it scan all your drives, including your backup drive (X drive).

When it's done, please check if it's able to tell which specific mail is infected. If it's able to tell, please delete the individual mails manually.

Before running a McAfee scan, please clean out your temp file folders so that McAfee doesn't get stuck there.

Download ATF Cleaner and save it to your desktop.

Double click on ATF-Cleaner.exe to run it.

  • Click on Main at the top.
  • Tick all the boxes except the Prefetch and Cookies box.
  • Click on Empty Selected button.

If you use Firefox

  • Click on Firefox at the top.
  • Tick all the boxes except Firefox Cookies and Firefox Saved Passwords.
  • Click on Empty Selected button.

If you use Opera

  • Click on Opera at the top.
  • Tick all the boxes except Opera Cookies and Opera Saved Passwords.
  • Click on Empty Selected button.

Close ATF Cleaner when you are done.

Please also run ATF Cleaner on your X drive.
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: New Member: Can't get rid of malware! Please analyze my log.

Unread postby gerrym » August 30th, 2008, 11:00 am

This is really strange, McAfee completely misses all of those files. Is there any chance they are false alarms? Probably not, but wondering why McAfee is not catching them. I tried contacting McAfee but their support is not very good. Wonder if my only option is to just delete the whole .pst files?

Also, can I delete those other files that were quarantined in the Qoobox directory?
gerrym
Regular Member
 
Posts: 28
Joined: August 9th, 2008, 12:14 am

Re: New Member: Can't get rid of malware! Please analyze my log.

Unread postby ndmmxiaomayi » August 30th, 2008, 1:10 pm

Err... no. You don't delete your whole PST file. The whole PST file contains all your mails. You will be removing all your mails if you do that.

Let me think about it and I will get back to you.

Also, can I delete those other files that were quarantined in the Qoobox directory?


Please leave it alone for the moment. They are safe there, no worries about that. :)
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: New Member: Can't get rid of malware! Please analyze my log.

Unread postby ndmmxiaomayi » September 3rd, 2008, 8:16 am

Hello,

Sorry for the delay. I couldn't find any good solutions.

Please do the following:

  • Open Microsoft Outlook.
  • Click on View > Reading Pane > Off.
  • Look for mails whose senders you don't recognize. Delete them.
  • Empty your Junk Email and Deleted Items box.

Re-scan with Kaspersky again. Please let me know the results.
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: New Member: Can't get rid of malware! Please analyze my log.

Unread postby gerrym » September 8th, 2008, 3:16 pm

Sorry it's taking so long; I literally have hundreds of emails to go through and it's hard to know which ones could be suspect. Regardless, I'm going through and deleting any email I no longer need. In the meantime, I've also contacted McAfee to figure out why they do not flag the individual emails, or to see if they know a way to do this, but while I'm waiting for them I'm continuing to go through these emails one by one... Again, thank you for your help with this!
gerrym
Regular Member
 
Posts: 28
Joined: August 9th, 2008, 12:14 am

Re: New Member: Can't get rid of malware! Please analyze my log.

Unread postby ndmmxiaomayi » September 8th, 2008, 8:31 pm

You're welcome. Thanks for letting me know. :)
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: New Member: Can't get rid of malware! Please analyze my log.

Unread postby gerrym » September 11th, 2008, 10:36 pm

Hello, ok I think I've cleared out all the emails. One interesting tidbit, however: in the course of McAfee's normal scans it flagged a number of "Trojans".

They all seem to be located in c:\system volume information\_restore... there are several .dll files (e.g. A0001003.DLL) that were flagged. Most of the detection names are "generic.dx".
gerrym
Regular Member
 
Posts: 28
Joined: August 9th, 2008, 12:14 am

Re: New Member: Can't get rid of malware! Please analyze my log.

Unread postby ndmmxiaomayi » September 12th, 2008, 7:48 am

Hi,

Those are your System Restore points. They are harmless as long as you don't restore them. We'll clear them once your computer is clean. :)

Please perform a scan with Kaspersky and post back the latest scan results. :)
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am