I is a takeover

Unread postby Eli » June 18th, 2008, 5:37 am

Hi, my computer was lent to a friend; when the virus started attacking, he downloaded all kinds of spyware and virus programs, which resulted in a catastrophe. The laptop came with Symantec, which normally worked quite well. It seems that the virus took Symantec over: it keeps telling me there is a virus and pops up error messages all the time. I cannot uninstall the program because it does not give me the option in Add or Remove Programs. Half of the Symantec program files are missing from the folder.
The system behaves as if it keeps rebooting, and then it closes all open files.
There is a yellow and blue pop-up that warns me of a virus; it comes up a few minutes after starting the computer, then the screen turns blue and I can do nothing further; the background also turns blue. When I ran Trend, it luckily did the scan with only Trend open and the pop-up. The pop-up reads: Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer.
I am running Windows XP Professional. Please find attached the report from ComboFix.
The virus found by Trend is Pak_Generic.
If you require more information, please do not hesitate to contact me.
Please help me to resolve this problem as quickly as possible.
Thank you
Eli
Regular Member
 
Posts: 25
Joined: June 17th, 2008, 7:45 am

Re: I is a takeover

Unread postby Shaba » June 23rd, 2008, 2:01 am

Hi Eli

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: I is a takeover

Unread postby Eli » June 23rd, 2008, 5:40 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:32:53 AM, on 6/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dassault Systemes\B16\intel_a\code\bin\CATSysDemon.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SuperCopier2\SuperCopier2.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: QXK Rhythm - {132F969E-2442-47BE-8CC8-955483AF951B} - C:\WINDOWS\fvowketqfgq.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [UADCcw] "C:\Program Files\AdvancedCleaner Free\UADCcw.exe" -c
O4 - HKLM\..\Run: [BMN] "C:\Program Files\Fichiers communs\AntivirusOrdi\bm.exe" dm=http://antivirusordi.com ad=http://antivirusordi.com sd=http://gregistre.antivirusordi.com
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [SuperCopier2.exe] C:\Program Files\SuperCopier2\SuperCopier2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'SERVICE RESEAU')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'Default user')
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O20 - Winlogon Notify: fccdcDus - C:\WINDOWS\
O21 - SSODL: mpfanvqg - {0332C26B-A151-4352-A2D3-4A76A5490BC4} - C:\WINDOWS\mpfanvqg.dll (file missing)
O21 - SSODL: vbksrofa - {B05FDAF4-A03F-4F67-A74B-6A45A8428BB3} - C:\WINDOWS\vbksrofa.dll (file missing)
O21 - SSODL: AvpPrx - {a7afcc91-b39d-4cc0-bbf2-d4712a39d03a} - C:\WINDOWS\Resources\AvpPrx.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Program Files\Dassault Systemes\B16\intel_a\code\bin\CATSysDemon.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - C:\Program Files\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: SAVRoam (SavRoam) - Unknown owner - C:\Program Files\Symantec AntiVirus\SavRoam.exe (file missing)
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: SPBBCSvc - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe (file missing)
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (file missing)
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 7662 bytes
Eli
Regular Member
 
Posts: 25
Joined: June 17th, 2008, 7:45 am

Re: I is a takeover

Unread postby Shaba » June 23rd, 2008, 10:03 am

Hi

Delete your copy of combofix, it's outdated.

After that:

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: I is a takeover

Unread postby Eli » June 23rd, 2008, 10:38 am

Hi, everything went well; ComboFix was done within 13 minutes.

ComboFix 08-06-20.4 - Hassib 2008-06-23 16:17:27.2 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1256.216.1036.18.409 [GMT 2:00]
Endroit: C:\Documents and Settings\Hassib\Bureau\ComboFix.exe
* Création d'un nouveau point de restauration
.

((((((((((((((((((((((((((((( Fichiers créés 2008-05-23 to 2008-06-23 ))))))))))))))))))))))))))))))))))))
.

2008-06-16 15:45 . 2008-06-16 15:45 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-16 05:12 . 2008-02-15 23:39 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-16 05:12 . 2008-02-15 23:39 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-06-16 05:12 . 2008-02-15 23:39 52,240 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-06-16 05:10 . 2008-06-23 11:32 <REP> d-------- C:\Program Files\Trend Micro
2008-06-15 00:51 . 2008-06-15 00:53 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2008-06-15 00:31 . 2008-06-17 02:45 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-06-12 16:59 . 2008-06-15 11:25 <REP> d-------- C:\Documents and Settings\Hassib\.housecall6.6
2008-06-12 16:58 . 2008-06-12 16:58 <REP> d-------- C:\WINDOWS\Sun
2008-06-12 16:58 . 2005-04-13 03:48 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-06-12 16:57 . 2008-06-12 16:58 <REP> d-------- C:\Program Files\Java
2008-06-12 16:55 . 2008-06-12 16:55 <REP> d-------- C:\Program Files\Fichiers communs\Java
2008-06-12 15:30 . 2008-06-14 22:04 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-12 14:39 . 2008-06-12 14:45 <REP> d-------- C:\Program Files\Google
2008-06-12 14:39 . 2008-06-12 14:48 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-12 14:22 . 2008-06-12 14:22 0 --a------ C:\LOG75.tmp
2008-06-01 11:19 . 2008-06-01 11:19 0 --a------ C:\LOG1EA.tmp
2008-06-01 10:23 . 2008-06-12 15:35 <REP> d-------- C:\Ad-Aware SE Professional
2008-06-01 10:21 . 2008-06-01 10:21 <REP> d-------- C:\Inetpub
2008-06-01 10:02 . 2008-06-01 10:02 0 --a------ C:\LOG45.tmp

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-12 14:32 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-06-12 14:32 --------- d-----w C:\Program Files\Fichiers communs\Symantec Shared
2008-06-01 09:18 --------- d-----w C:\Documents and Settings\Hassib\Application Data\U3
2008-05-22 14:13 --------- d-----w C:\Program Files\Fichiers communs\ReparateurDeSysteme
2008-05-21 10:45 --------- d-----w C:\Documents and Settings\Hassib\Application Data\Lavasoft
2008-05-20 17:27 --------- d-----w C:\Program Files\Winamp
2008-05-20 17:26 --------- d-----w C:\Program Files\MSN Messenger
2008-05-20 17:20 --------- d-----w C:\Program Files\IMsecure
2008-05-20 16:24 --------- d-----w C:\Documents and Settings\Hassib\Application Data\Skype
2008-05-20 16:24 --------- d-----w C:\Documents and Settings\Hassib\Application Data\ITEDO
2008-05-20 16:23 --------- d-----w C:\Documents and Settings\Hassib\Application Data\DassaultSystemes
2008-05-20 16:23 --------- d-----w C:\Documents and Settings\Hassib\Application Data\AdobeUM
2008-05-20 16:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-05-20 16:21 --------- d-----r C:\Documents and Settings\All Users\Application Data\SalesMon
2008-05-20 16:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\DassaultSystemes
2008-05-20 16:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-05-20 16:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2008-05-20 15:44 160,256 ----a-w C:\WINDOWS\system32\blackster.scr
2008-05-19 13:10 0 ----a-w C:\winxplogon.sys
2008-05-10 16:17 0 ----a-w C:\Documents and Settings\MyDocuments\readthis.doc.exe
2008-05-10 16:17 0 ----a-w C:\Documents and Settings\MyDocuments\Readme.doc .exe
2008-05-02 14:22 205,328 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-05-02 14:21 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-05-02 14:17 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
.
----a-w                 0 2008-05-10 16:17:05  C:\Documents and Settings\MyDocuments\Readme.doc .exe



------- Sigcheck -------

2006-03-09 10:25 578048 0df75fb73f705b011630159a43d7c354 C:\WINDOWS\system32\user32.dll

2006-04-12 20:13 667648 241dbc4c2714b2f39afded49459ed420 C:\WINDOWS\system32\wininet.dll

2006-02-14 21:56 359808 667192a11db19f36624119c0dd4de4f2 C:\WINDOWS\system32\drivers\tcpip.sys

2006-05-09 10:11 2017280 50b3a210b6fa8d3089a36a32e7d8b21f C:\WINDOWS\system32\ntkrnlpa.exe

2006-03-09 10:25 2137600 e75f7aa5a33479f29c636fd0890f5762 C:\WINDOWS\system32\ntoskrnl.exe
.
((((((((((((((((((((((((((((( snapshot@2008-06-17_ 6.15.44.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-17 04:08:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-17 11:52:05 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2000-08-31 06:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 06:00:00 28,672 ----a-w C:\WINDOWS\Nircmd.exe
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{132F969E-2442-47BE-8CC8-955483AF951B}]
C:\WINDOWS\fvowketqfgq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SuperCopier2.exe"="C:\Program Files\SuperCopier2\SuperCopier2.exe" [2006-07-07 18:45 1052672]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 17:09 15360]
"FrameWorkService"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-12 14:39 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe" [ ]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 21:33 125168]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24 32768]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 11:50 16855552 C:\WINDOWS\RTHDCPL.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-11 22:05 344064]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [ ]
"FrameWorkService"="" []
"UADCcw"="C:\Program Files\AdvancedCleaner Free\UADCcw.exe" [ ]
"BMN"="C:\Program Files\Fichiers communs\AntivirusOrdi\bm.exe dm=http://antivirusordi.com ad=http://antivirusordi.com" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48 36975]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 17:09 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Config"="C:\WINDOWS\system32\run.cmd" [2006-02-14 12:24 248]
"nlsf"="move" []
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-19 16:52 44544]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoStrCmpLogical"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= cmd.exe
"2"= mmc.exe
"3"= rstrui.exe
"4"= regedit.exe
"5"= regedt32.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"mpfanvqg"= {0332C26B-A151-4352-A2D3-4A76A5490BC4} - C:\WINDOWS\mpfanvqg.dll [ ]
"vbksrofa"= {B05FDAF4-A03F-4F67-A74B-6A45A8428BB3} - C:\WINDOWS\vbksrofa.dll [ ]
"AvpPrx"= {a7afcc91-b39d-4cc0-bbf2-d4712a39d03a} - C:\WINDOWS\Resources\AvpPrx.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccdcDus]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"DisablePagingExecutive"=dword:00000001
"SecondLevelDataCache"=dword:00000200

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R1 LUMDriver;LUMDriver;C:\WINDOWS\system32\drivers\LUMDriver.sys [2003-07-11 15:22]
R2 BBDemon;Backbone Service;"C:\Program Files\Dassault Systemes\B16\intel_a\code\bin\CATSysDemon.exe" -service []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{623506b4-a33b-11dc-a6d2-001b24510921}]
\Shell\AutoRun\command - E:\zPharaoh.exe
\Shell\explore\command - E:\zPharaoh.exe
\Shell\open\command - E:\zPharaoh.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{623506b9-a33b-11dc-a6d2-001b24510921}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL antihost.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84918836-cb54-11dc-a711-001b24510921}]
\Shell\AutoRun\command - qd.cmd
\Shell\explore\Command - qd.cmd
\Shell\open\Command - qd.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f24ea9e-ccbd-11dc-a714-001b24510921}]
\Shell\AutoRun\command - zPharaoh.exe
\Shell\explore\command - zPharaoh.exe
\Shell\open\command - zPharaoh.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f24eaa1-ccbd-11dc-a714-001b24510921}]
\Shell\AutoRun\command - E:\m1t8ta.com
\Shell\explore\Command - E:\m1t8ta.com
\Shell\open\Command - E:\m1t8ta.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98a899ce-1a7b-11dd-a769-001b24510921}]
\Shell\AutoRun\command - E:\u2.cmd
\Shell\explore\Command - E:\u2.cmd
\Shell\open\Command - E:\u2.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cbc59340-cb69-11dc-a712-001b24510921}]
\Shell\AutoRun\command - E:\ntde1ect.com
\Shell\explore\Command - E:\ntde1ect.com
\Shell\open\Command - E:\ntde1ect.com

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-23 16:25:31
Windows 5.1.2600 Service Pack 2 NTFS

Balayage processus cachés ...

Balayage caché autostart entries ...

Balayage des fichiers cachés ...

Scan terminé avec succès
Les fichiers cachés: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\DOCUME~1\Hassib\LOCALS~1\Temp\mc25.tmp"
.
Temps d'accomplissement: 2008-06-23 16:29:46
ComboFix-quarantined-files.txt 2008-06-23 14:29:23
ComboFix2.txt 2008-06-17 04:17:07

Pre-Run: 40,638,337,024 octets libres
Post-Run: 40,629,817,344 octets libres

191 --- E O F --- 2008-05-20 12:44:35
Eli
Regular Member
 
Posts: 25
Joined: June 17th, 2008, 7:45 am

Re: I is a takeover

Unread postby Shaba » June 23rd, 2008, 10:49 am

Hi

Please also post a fresh HijackThis log, and tell me which device E: is.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: I is a takeover

Unread postby Eli » June 23rd, 2008, 10:57 am

There is no E: on my computer.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:47:59 PM, on 6/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dassault Systemes\B16\intel_a\code\bin\CATSysDemon.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SuperCopier2\SuperCopier2.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: QXK Rhythm - {132F969E-2442-47BE-8CC8-955483AF951B} - C:\WINDOWS\fvowketqfgq.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [UADCcw] "C:\Program Files\AdvancedCleaner Free\UADCcw.exe" -c
O4 - HKLM\..\Run: [BMN] "C:\Program Files\Fichiers communs\AntivirusOrdi\bm.exe" dm=http://antivirusordi.com ad=http://antivirusordi.com sd=http://gregistre.antivirusordi.com
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [SuperCopier2.exe] C:\Program Files\SuperCopier2\SuperCopier2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'SERVICE RESEAU')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Config] %systemroot%\system32\run.cmd (User 'Default user')
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O20 - Winlogon Notify: fccdcDus - C:\WINDOWS\
O21 - SSODL: mpfanvqg - {0332C26B-A151-4352-A2D3-4A76A5490BC4} - C:\WINDOWS\mpfanvqg.dll (file missing)
O21 - SSODL: vbksrofa - {B05FDAF4-A03F-4F67-A74B-6A45A8428BB3} - C:\WINDOWS\vbksrofa.dll (file missing)
O21 - SSODL: AvpPrx - {a7afcc91-b39d-4cc0-bbf2-d4712a39d03a} - C:\WINDOWS\Resources\AvpPrx.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Program Files\Dassault Systemes\B16\intel_a\code\bin\CATSysDemon.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - C:\Program Files\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: SAVRoam (SavRoam) - Unknown owner - C:\Program Files\Symantec AntiVirus\SavRoam.exe (file missing)
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: SPBBCSvc - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe (file missing)
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (file missing)
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 7747 bytes
Eli
Regular Member
 
Posts: 25
Joined: June 17th, 2008, 7:45 am

Re: I is a takeover

Unread postby Shaba » June 23rd, 2008, 11:14 am

Hi

Do you use USB sticks or something similar?
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: I is a takeover

Unread postby Eli » June 23rd, 2008, 11:31 am

Nothing is plugged in at the moment. But I will normally use my USB stick, which is a Cruzer Micro. I have not used it since the virus attack.
Eli
Regular Member
 
Posts: 25
Joined: June 17th, 2008, 7:45 am

Re: I is a takeover

Unread postby Shaba » June 23rd, 2008, 12:33 pm

Hi

Then that USB stick needs to be formatted; it's infected.

As for that, see here

"How did I format my flash drive?"
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: I is a takeover

Unread postby Eli » June 23rd, 2008, 12:43 pm

I will do so thank you.

What should I do about my Pc?
Eli
Regular Member
 
Posts: 25
Joined: June 17th, 2008, 7:45 am

Re: I is a takeover

Unread postby Shaba » June 23rd, 2008, 12:58 pm

Hi

Please do that formatting before the instructions below, or you will get re-infected the next time you plug in that USB stick.

Open notepad and copy/paste the text in the codebox below into it:

Code:
File::
C:\Documents and Settings\MyDocuments\Readme.doc .exe
C:\Documents and Settings\MyDocuments\readthis.doc.exe
C:\winxplogon.sys
C:\WINDOWS\system32\blackster.scr

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{132F969E-2442-47BE-8CC8-955483AF951B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"mpfanvqg"=-
"vbksrofa"=-
"AvpPrx"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccdcDus]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{623506b4-a33b-11dc-a6d2-001b24510921}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{623506b9-a33b-11dc-a6d2-001b24510921}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84918836-cb54-11dc-a711-001b24510921}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f24ea9e-ccbd-11dc-a714-001b24510921}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f24eaa1-ccbd-11dc-a714-001b24510921}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98a899ce-1a7b-11dd-a769-001b24510921}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cbc59340-cb69-11dc-a712-001b24510921}]


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Image

This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes named findstr, find, sed or swreg; ComboFix should then continue.
If that happened, we want to know, and also which process you had to end.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: I is a takeover

Unread postby Eli » June 23rd, 2008, 4:00 pm

No problems running ComboFix. :o

ComboFix 08-06-20.4 - Hassib 2008-06-23 20:29:17.3 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1256.216.1036.18.389 [GMT 2:00]
Endroit: C:\Documents and Settings\Hassib\Bureau\ComboFix.exe
Command switches used :: C:\Documents and Settings\Hassib\Bureau\cfscript.txt
* Création d'un nouveau point de restauration

FILE ::
C:\Documents and Settings\MyDocuments\Readme.doc .exe
C:\Documents and Settings\MyDocuments\readthis.doc.exe
C:\WINDOWS\system32\blackster.scr
C:\winxplogon.sys
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\MyDocuments\Readme.doc .exe
C:\Documents and Settings\MyDocuments\readthis.doc.exe
C:\WINDOWS\system32\blackster.scr
C:\winxplogon.sys

.
((((((((((((((((((((((((((((( Fichiers créés 2008-05-23 to 2008-06-23 ))))))))))))))))))))))))))))))))))))
.

2008-06-16 15:45 . 2008-06-16 15:45 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-16 05:12 . 2008-02-15 23:39 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-16 05:12 . 2008-02-15 23:39 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-06-16 05:12 . 2008-02-15 23:39 52,240 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-06-16 05:10 . 2008-06-23 11:32 <REP> d-------- C:\Program Files\Trend Micro
2008-06-15 00:51 . 2008-06-15 00:53 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2008-06-15 00:31 . 2008-06-17 02:45 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-06-12 16:59 . 2008-06-15 11:25 <REP> d-------- C:\Documents and Settings\Hassib\.housecall6.6
2008-06-12 16:58 . 2008-06-12 16:58 <REP> d-------- C:\WINDOWS\Sun
2008-06-12 16:58 . 2005-04-13 03:48 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-06-12 16:57 . 2008-06-12 16:58 <REP> d-------- C:\Program Files\Java
2008-06-12 16:55 . 2008-06-12 16:55 <REP> d-------- C:\Program Files\Fichiers communs\Java
2008-06-12 15:30 . 2008-06-14 22:04 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-12 14:39 . 2008-06-12 14:45 <REP> d-------- C:\Program Files\Google
2008-06-12 14:39 . 2008-06-12 14:48 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-12 14:22 . 2008-06-12 14:22 0 --a------ C:\LOG75.tmp
2008-06-01 11:19 . 2008-06-01 11:19 0 --a------ C:\LOG1EA.tmp
2008-06-01 10:23 . 2008-06-12 15:35 <REP> d-------- C:\Ad-Aware SE Professional
2008-06-01 10:21 . 2008-06-01 10:21 <REP> d-------- C:\Inetpub
2008-06-01 10:02 . 2008-06-01 10:02 0 --a------ C:\LOG45.tmp

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-12 14:32 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-06-12 14:32 --------- d-----w C:\Program Files\Fichiers communs\Symantec Shared
2008-06-01 09:18 --------- d-----w C:\Documents and Settings\Hassib\Application Data\U3
2008-05-22 14:13 --------- d-----w C:\Program Files\Fichiers communs\ReparateurDeSysteme
2008-05-21 10:45 --------- d-----w C:\Documents and Settings\Hassib\Application Data\Lavasoft
2008-05-20 17:27 --------- d-----w C:\Program Files\Winamp
2008-05-20 17:26 --------- d-----w C:\Program Files\MSN Messenger
2008-05-20 17:20 --------- d-----w C:\Program Files\IMsecure
2008-05-20 16:24 --------- d-----w C:\Documents and Settings\Hassib\Application Data\Skype
2008-05-20 16:24 --------- d-----w C:\Documents and Settings\Hassib\Application Data\ITEDO
2008-05-20 16:23 --------- d-----w C:\Documents and Settings\Hassib\Application Data\DassaultSystemes
2008-05-20 16:23 --------- d-----w C:\Documents and Settings\Hassib\Application Data\AdobeUM
2008-05-20 16:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-05-20 16:21 --------- d-----r C:\Documents and Settings\All Users\Application Data\SalesMon
2008-05-20 16:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\DassaultSystemes
2008-05-20 16:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-05-20 16:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2008-05-02 14:22 205,328 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-05-02 14:21 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-05-02 14:17 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
.

------- Sigcheck -------

2006-03-09 10:25 578048 0df75fb73f705b011630159a43d7c354 C:\WINDOWS\system32\user32.dll

2006-04-12 20:13 667648 241dbc4c2714b2f39afded49459ed420 C:\WINDOWS\system32\wininet.dll

2006-02-14 21:56 359808 667192a11db19f36624119c0dd4de4f2 C:\WINDOWS\system32\drivers\tcpip.sys

2006-05-09 10:11 2017280 50b3a210b6fa8d3089a36a32e7d8b21f C:\WINDOWS\system32\ntkrnlpa.exe

2006-03-09 10:25 2137600 e75f7aa5a33479f29c636fd0890f5762 C:\WINDOWS\system32\ntoskrnl.exe
.
((((((((((((((((((((((((((((( snapshot@2008-06-17_ 6.15.44.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-17 04:08:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-17 11:52:05 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2000-08-31 06:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 06:00:00 28,672 ----a-w C:\WINDOWS\Nircmd.exe
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SuperCopier2.exe"="C:\Program Files\SuperCopier2\SuperCopier2.exe" [2006-07-07 18:45 1052672]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 17:09 15360]
"FrameWorkService"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-12 14:39 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe" [ ]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 21:33 125168]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24 32768]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 11:50 16855552 C:\WINDOWS\RTHDCPL.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-11 22:05 344064]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [ ]
"FrameWorkService"="" []
"UADCcw"="C:\Program Files\AdvancedCleaner Free\UADCcw.exe" [ ]
"BMN"="C:\Program Files\Fichiers communs\AntivirusOrdi\bm.exe dm=http://antivirusordi.com ad=http://antivirusordi.com" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48 36975]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 17:09 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Config"="C:\WINDOWS\system32\run.cmd" [2006-02-14 12:24 248]
"nlsf"="move" []
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-19 16:52 44544]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoStrCmpLogical"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= cmd.exe
"2"= mmc.exe
"3"= rstrui.exe
"4"= regedit.exe
"5"= regedt32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"DisablePagingExecutive"=dword:00000001
"SecondLevelDataCache"=dword:00000200

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R1 LUMDriver;LUMDriver;C:\WINDOWS\system32\drivers\LUMDriver.sys [2003-07-11 15:22]
R2 BBDemon;Backbone Service;"C:\Program Files\Dassault Systemes\B16\intel_a\code\bin\CATSysDemon.exe" -service []

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-23 20:36:46
Windows 5.1.2600 Service Pack 2 NTFS

Balayage processus cachés ...

Balayage caché autostart entries ...

Balayage des fichiers cachés ...

Scan terminé avec succès
Les fichiers cachés: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\DOCUME~1\Hassib\LOCALS~1\Temp\mc25.tmp"
.
Temps d'accomplissement: 2008-06-23 20:40:57
ComboFix-quarantined-files.txt 2008-06-23 18:40:42
ComboFix2.txt 2008-06-23 14:29:49
ComboFix3.txt 2008-06-17 04:17:07

Pre-Run: 40,619,442,176 octets libres
Post-Run: 40,610,512,896 octets libres

165 --- E O F --- 2008-05-20 12:44:35
Eli
Regular Member
 
Posts: 25
Joined: June 17th, 2008, 7:45 am

Re: I is a takeover

Unread postby Shaba » June 24th, 2008, 6:52 am

Hi

Nice to hear :)

Please post also a fresh HijackThis log.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: I is a takeover

Unread postby Eli » June 25th, 2008, 9:19 am

Here is the latest ComboFix log.

ComboFix 08-06-20.4 - Hassib 2008-06-25 14:49:43.4 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1256.216.1036.18.408 [GMT 2:00]
Endroit: C:\Documents and Settings\Hassib\Bureau\ComboFix.exe
.

((((((((((((((((((((((((((((( Fichiers créés 2008-05-25 to 2008-06-25 ))))))))))))))))))))))))))))))))))))
.

2008-06-16 15:45 . 2008-06-16 15:45 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-16 05:12 . 2008-02-15 23:39 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-16 05:12 . 2008-02-15 23:39 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-06-16 05:12 . 2008-02-15 23:39 52,240 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-06-16 05:10 . 2008-06-23 11:32 <REP> d-------- C:\Program Files\Trend Micro
2008-06-15 00:51 . 2008-06-15 00:53 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2008-06-15 00:31 . 2008-06-17 02:45 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-06-12 16:59 . 2008-06-15 11:25 <REP> d-------- C:\Documents and Settings\Hassib\.housecall6.6
2008-06-12 16:58 . 2008-06-12 16:58 <REP> d-------- C:\WINDOWS\Sun
2008-06-12 16:58 . 2005-04-13 03:48 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-06-12 16:57 . 2008-06-12 16:58 <REP> d-------- C:\Program Files\Java
2008-06-12 16:55 . 2008-06-12 16:55 <REP> d-------- C:\Program Files\Fichiers communs\Java
2008-06-12 15:30 . 2008-06-14 22:04 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-12 14:39 . 2008-06-12 14:45 <REP> d-------- C:\Program Files\Google
2008-06-12 14:39 . 2008-06-12 14:48 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-12 14:22 . 2008-06-12 14:22 0 --a------ C:\LOG75.tmp
2008-06-01 11:19 . 2008-06-01 11:19 0 --a------ C:\LOG1EA.tmp
2008-06-01 10:23 . 2008-06-12 15:35 <REP> d-------- C:\Ad-Aware SE Professional
2008-06-01 10:21 . 2008-06-01 10:21 <REP> d-------- C:\Inetpub
2008-06-01 10:02 . 2008-06-01 10:02 0 --a------ C:\LOG45.tmp

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-12 14:32 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-06-12 14:32 --------- d-----w C:\Program Files\Fichiers communs\Symantec Shared
2008-06-01 09:18 --------- d-----w C:\Documents and Settings\Hassib\Application Data\U3
2008-05-22 14:13 --------- d-----w C:\Program Files\Fichiers communs\ReparateurDeSysteme
2008-05-21 10:45 --------- d-----w C:\Documents and Settings\Hassib\Application Data\Lavasoft
2008-05-20 17:27 --------- d-----w C:\Program Files\Winamp
2008-05-20 17:26 --------- d-----w C:\Program Files\MSN Messenger
2008-05-20 17:20 --------- d-----w C:\Program Files\IMsecure
2008-05-20 16:24 --------- d-----w C:\Documents and Settings\Hassib\Application Data\Skype
2008-05-20 16:24 --------- d-----w C:\Documents and Settings\Hassib\Application Data\ITEDO
2008-05-20 16:23 --------- d-----w C:\Documents and Settings\Hassib\Application Data\DassaultSystemes
2008-05-20 16:23 --------- d-----w C:\Documents and Settings\Hassib\Application Data\AdobeUM
2008-05-20 16:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-05-20 16:21 --------- d-----r C:\Documents and Settings\All Users\Application Data\SalesMon
2008-05-20 16:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\DassaultSystemes
2008-05-20 16:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-05-20 16:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2008-05-02 14:22 205,328 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-05-02 14:21 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-05-02 14:17 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
.

------- Sigcheck -------

2006-03-09 10:25 578048 0df75fb73f705b011630159a43d7c354 C:\WINDOWS\system32\user32.dll

2006-04-12 20:13 667648 241dbc4c2714b2f39afded49459ed420 C:\WINDOWS\system32\wininet.dll

2006-02-14 21:56 359808 667192a11db19f36624119c0dd4de4f2 C:\WINDOWS\system32\drivers\tcpip.sys

2006-05-09 10:11 2017280 50b3a210b6fa8d3089a36a32e7d8b21f C:\WINDOWS\system32\ntkrnlpa.exe

2006-03-09 10:25 2137600 e75f7aa5a33479f29c636fd0890f5762 C:\WINDOWS\system32\ntoskrnl.exe
.
((((((((((((((((((((((((((((( snapshot@2008-06-17_ 6.15.44.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-17 04:08:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-23 19:51:18 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2000-08-31 06:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 06:00:00 28,672 ----a-w C:\WINDOWS\Nircmd.exe
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SuperCopier2.exe"="C:\Program Files\SuperCopier2\SuperCopier2.exe" [2006-07-07 18:45 1052672]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 17:09 15360]
"FrameWorkService"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-12 14:39 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe" [ ]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 21:33 125168]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24 32768]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 11:50 16855552 C:\WINDOWS\RTHDCPL.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-11 22:05 344064]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [ ]
"FrameWorkService"="" []
"UADCcw"="C:\Program Files\AdvancedCleaner Free\UADCcw.exe" [ ]
"BMN"="C:\Program Files\Fichiers communs\AntivirusOrdi\bm.exe dm=http://antivirusordi.com ad=http://antivirusordi.com" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48 36975]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 17:09 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Config"="C:\WINDOWS\system32\run.cmd" [2006-02-14 12:24 248]
"nlsf"="move" []
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-19 16:52 44544]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoStrCmpLogical"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= cmd.exe
"2"= mmc.exe
"3"= rstrui.exe
"4"= regedit.exe
"5"= regedt32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"DisablePagingExecutive"=dword:00000001
"SecondLevelDataCache"=dword:00000200

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R1 LUMDriver;LUMDriver;C:\WINDOWS\system32\drivers\LUMDriver.sys [2003-07-11 15:22]
R2 BBDemon;Backbone Service;"C:\Program Files\Dassault Systemes\B16\intel_a\code\bin\CATSysDemon.exe" -service []

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-25 14:57:40
Windows 5.1.2600 Service Pack 2 NTFS

Balayage processus cachés ...

Balayage caché autostart entries ...

Balayage des fichiers cachés ...

Scan terminé avec succès
Les fichiers cachés: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\DOCUME~1\Hassib\LOCALS~1\Temp\mc21.tmp"
.
Temps d'accomplissement: 2008-06-25 15:01:54
ComboFix-quarantined-files.txt 2008-06-25 13:01:31
ComboFix2.txt 2008-06-23 18:41:01
ComboFix3.txt 2008-06-23 14:29:49
ComboFix4.txt 2008-06-17 04:17:07

Pre-Run: 40,599,519,232 octets libres
Post-Run: 40,591,392,768 octets libres

151 --- E O F --- 2008-05-20 12:44:35
Eli
Regular Member
 
Posts: 25
Joined: June 17th, 2008, 7:45 am
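The "Point de chargement Reg" sections of the two ComboFix logs above show what the infection left behind even after the files were deleted: Security Center monitoring switched off, the firewall disabled, and a DisallowRun policy blocking cmd.exe, regedit.exe and rstrui.exe. The script below is an added example, not ComboFix's code and not from this thread; it parses that REGEDIT4-style dump and flags those tamper indicators so a helper can spot them at a glance. The sample input is constructed from lines in the shape of the log above, and the key/value formats it recognises are assumed from what ComboFix printed here.

```python
"""Flag registry tamper indicators in a ComboFix 'Reg' loading-point dump.

Added example (not part of ComboFix or the forum post). Input format is
assumed from the logs above: '[KEY]' headers followed by '"name"=value'
lines, where value is a DWORD ('dword:00000001' or '1 (0x1)'), a bare
string, or a quoted path with ComboFix's '[date size]' or '[ ]' suffix.
"""
import re
from typing import Dict, List

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<value>.*?)\s*$')

# Security Center values that silence AV / firewall / update warnings.
SECURITY_CENTER_FLAGS = {"FirewallOverride", "UpdatesDisableNotify", "DisableMonitoring"}

# Constructed sample in the shape of the log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 21:33 125168]
"UADCcw"="C:\Program Files\AdvancedCleaner Free\UADCcw.exe" [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= cmd.exe
"4"= regedit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


def _dword(value: str):
    """Decode the two DWORD spellings ComboFix uses; None if not a DWORD."""
    v = value.strip().lower()
    if v.startswith("dword:"):
        return int(v[6:], 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-f]+\)$", v)
    return int(m.group(1)) if m else None


def find_tamper_indicators(log_text: str) -> List[Dict[str, str]]:
    """Walk the dump and return one finding per suspicious value."""
    findings = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if not vm or not key:
            continue
        name, value = vm.group("name"), vm.group("value")
        k = key.lower()
        reason = None
        if k.endswith("\\disallowrun"):
            reason = f"policy blocks the user from running {value}"
        elif "security center" in k and name in SECURITY_CENTER_FLAGS and _dword(value) == 1:
            reason = f"Security Center {name} set (AV/firewall/update alerts suppressed)"
        elif "firewallpolicy" in k and name == "EnableFirewall" and _dword(value) == 0:
            reason = "Windows Firewall disabled for this profile"
        elif re.search(r"\\run(once)?$", k) and value.endswith("[ ]"):
            reason = "autostart entry whose executable ComboFix could not verify"
        if reason:
            findings.append({"key": key, "name": name, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_tamper_indicators(SAMPLE_LOG):
        print(f"{f['key']}\n    {f['name']}: {f['reason']}")
```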