Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

trojan downloader

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

trojan downloader

Unread postby vince29 » June 28th, 2008, 10:56 am

hi
i have just scanned my system with the malwware scanner & for the second time it has found this trojan. it claimed to have cleared it on the first occasion but obviously not could you please check my hijack log to see if there is a more serious problem.

Malwarebytes' Anti-Malware 1.18
Database version: 898

15:41:13 28/06/2008
mbam-log-6-28-2008 (15-41-07).txt

Scan type: Full Scan (C:\|)
Objects scanned: 117171
Time elapsed: 27 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Config\csrss.exe (Trojan.Downloader) -> No action taken.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:45:44, on 28/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe
C:\Program Files\Dell Photo AIO Printer 942\memcard.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nottinghamforest.premiumtv.co.uk/page/Home/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 942] "C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe"
O4 - HKLM\..\Run: [DellMCM] "C:\Program Files\Dell Photo AIO Printer 942\memcard.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DLBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-21-2201595877-1149870447-2797179189-1007\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'hazel')
O4 - HKUS\S-1-5-21-2201595877-1149870447-2797179189-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'hazel')
O4 - HKUS\S-1-5-21-2201595877-1149870447-2797179189-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'hazel')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.co.uk/scan_uk/scan8/oscan8.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crl ... crlocx.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4F27770-931E-4811-B3EB-2EFA7C30F454}: NameServer = 212.139.132.27 212.139.132.26
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10817 bytes
vince29
Regular Member
 
Posts: 19
Joined: May 18th, 2008, 10:26 am
Advertisement
Register to Remove

Re: trojan downloader

Unread postby Katana » July 1st, 2008, 5:13 am

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

I apologize for the delay in responding, but as you can probably see the forums are quite busy.
Unfortunately there are far more people needing help than there are helpers.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe


----------------------------------------------------------------------------------------


Disable Teatimer
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident shows a red/white shield.
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.



SD Fix

Please download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F5 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: trojan downloader

Unread postby vince29 » July 1st, 2008, 6:38 am

hi info as required
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:32:40, on 01/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe
C:\Program Files\Dell Photo AIO Printer 942\memcard.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nottinghamforest.premiumtv.co.uk/page/Home/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 942] "C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe"
O4 - HKLM\..\Run: [DellMCM] "C:\Program Files\Dell Photo AIO Printer 942\memcard.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DLBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.co.uk/scan_uk/scan8/oscan8.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crl ... crlocx.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10258 bytes


SDFix: Version 1.199
Run by vince on 01/07/2008 at 11:19

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-01 11:26:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Sun 27 Apr 2008 6,104,632 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sun 15 Jun 2008 848 A.SH. --- "C:\WINDOWS\SYSTEM32\KGyGaAvL.sys"
Tue 22 Apr 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 8 May 2008 813,384 A..H. --- "C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE"
Thu 8 May 2008 439,568 A..H. --- "C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll"
Thu 8 May 2008 434,528 A..H. --- "C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe"
Thu 8 May 2008 626,688 A..H. --- "C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\msvcr80.dll"
Thu 8 May 2008 184,632 A..H. --- "C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll"
Thu 8 May 2008 145,184 A..H. --- "C:\MSOCache\All Users\{91120000-002F-0000-0000-0000000FF1CE}-C\ose.exe"
Thu 8 May 2008 6,536,992 A..H. --- "C:\MSOCache\All Users\{91120000-002F-0000-0000-0000000FF1CE}-C\osetup.dll"
Thu 8 May 2008 463,152 A..H. --- "C:\MSOCache\All Users\{91120000-002F-0000-0000-0000000FF1CE}-C\setup.exe"
Sat 28 Jun 2008 145,920 ..SHR --- "C:\Program Files\BillP Studios\WinPatrol\Setup.exe"
Sun 4 May 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 8 May 2008 108,872 A..H. --- "C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll"
Fri 18 Jan 2008 400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"
Fri 18 Jan 2008 403 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COHDLU.reg"
Sun 29 Jun 2008 250,721 ...HR --- "C:\WINDOWS\SYSTEM32\DRIVERS\ETC\Hosts.bak"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Assets\My Asset Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Bank\My Bank Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Customer\My Customer Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Finance\My Finance Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Invoice\My Invoice Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Nominal\My Nominal Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\POP\My POP Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Products\My Products Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\SOP\My SOP Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Supplier\My Supplier Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\DemoData\REPORTS\Assets\My Asset Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\DemoData\REPORTS\Bank\My Bank Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\DemoData\REPORTS\Customer\My Customer Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\DemoData\REPORTS\Finance\My Finance Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\DemoData\REPORTS\Invoice\My Invoice Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\DemoData\REPORTS\Nominal\My Nominal Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\DemoData\REPORTS\POP\My POP Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\DemoData\REPORTS\Products\My Products Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\DemoData\REPORTS\SOP\My SOP Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\DemoData\REPORTS\Supplier\My Supplier Reports\rpt.sys"
Wed 8 Jun 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Wed 8 Jun 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"

Finished!
vince29
Regular Member
 
Posts: 19
Joined: May 18th, 2008, 10:26 am

Re: trojan downloader

Unread postby Katana » July 1st, 2008, 6:57 am

Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: trojan downloader

Unread postby vince29 » July 1st, 2008, 8:55 am

as requested
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:53:48, on 01/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe
C:\Program Files\Dell Photo AIO Printer 942\memcard.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\dlbucoms.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nottinghamforest.premiumtv.co.uk/page/Home/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 942] "C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe"
O4 - HKLM\..\Run: [DellMCM] "C:\Program Files\Dell Photo AIO Printer 942\memcard.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DLBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.co.uk/scan_uk/scan8/oscan8.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crl ... crlocx.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4F27770-931E-4811-B3EB-2EFA7C30F454}: NameServer = 212.139.132.27 212.139.132.26
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10175 bytes
ComboFix 08-06-20.4 - vince 2008-07-01 13:49:00.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1522 [GMT 1:00]
Running from: C:\Documents and Settings\vince\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))
.

2008-06-28 04:36 . 2008-06-28 04:36 7,327,865 --a------ C:\WINDOWS\SYSTEM32\LimeWireWin.exe
2008-06-28 04:36 . 2008-06-28 04:36 688,129 --a------ C:\WINDOWS\SYSTEM32\1.4 XR6.exe
2008-06-25 22:51 . 2008-06-25 22:51 <DIR> d-------- C:\Documents and Settings\vince\WINDOWS
2008-06-25 22:40 . 2008-06-25 22:40 <DIR> d-------- C:\Program Files\GSP
2008-06-25 22:39 . 1998-10-01 15:22 299,520 --a------ C:\WINDOWS\uninst.exe
2008-06-25 22:39 . 2008-06-25 22:41 66 --a------ C:\WINDOWS\GSP_ApRg.INI
2008-06-25 22:31 . 2008-06-25 22:31 <DIR> d-------- C:\Documents and Settings\vince\Application Data\Uniblue
2008-06-25 10:30 . 2008-06-25 10:30 <DIR> d-------- C:\Documents and Settings\vince\Application Data\Apple Computer
2008-06-24 14:23 . 2008-06-24 14:23 <DIR> d-------- C:\VundoFix Backups
2008-06-22 13:46 . 2008-06-22 13:46 29 --a------ C:\WINDOWS\AlphaPlayer.INI
2008-06-22 13:23 . 1999-09-10 12:06 45,056 -ra------ C:\WINDOWS\SYSTEM32\wnaspi32.dll
2008-06-22 13:23 . 1999-09-10 12:06 45,056 -ra------ C:\WINDOWS\SYSTEM32\wnaspi32.bak
2008-06-22 13:23 . 1999-09-10 12:06 25,244 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\ASPI32.sys
2008-06-22 13:23 . 1999-09-10 12:06 5,600 -ra------ C:\WINDOWS\SYSTEM\Winaspi.dll
2008-06-22 13:23 . 1999-09-10 12:06 4,672 -ra------ C:\WINDOWS\SYSTEM\Wowpost.exe
2008-06-22 13:23 . 2008-06-22 13:23 2,368 --a------ C:\WINDOWS\SYSTEM32\STEC3.sys
2008-06-19 17:36 . 2008-06-19 17:36 <DIR> d-------- C:\Program Files\CCleaner
2008-06-14 08:49 . 2008-06-14 08:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Fellowes
2008-06-14 08:48 . 2008-06-14 08:48 <DIR> d-------- C:\Program Files\Fellowes
2008-06-13 14:45 . 2008-06-13 14:45 579,464 --a------ C:\WINDOWS\SYSTEM32\SymNeti.dll
2008-06-13 14:45 . 2008-06-13 14:45 207,240 --a------ C:\WINDOWS\SYSTEM32\SymRedir.dll
2008-06-13 14:14 . 2008-06-13 14:14 31,280 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SymIM.sys
2008-06-13 14:14 . 2008-06-13 14:14 13,093 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SymRedir.cat
2008-06-13 14:14 . 2008-06-13 14:14 1,611 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SymRedir.inf
2008-06-13 14:13 . 2008-06-13 14:13 184,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symtdi.sys
2008-06-13 14:13 . 2008-06-13 14:13 96,432 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symfw.sys
2008-06-13 14:13 . 2008-06-13 14:13 41,008 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symndisv.sys
2008-06-13 14:13 . 2008-06-13 14:13 38,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symids.sys
2008-06-13 14:13 . 2008-06-13 14:13 37,424 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symndis.sys
2008-06-13 14:13 . 2008-06-13 14:13 22,320 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symredrv.sys
2008-06-13 14:13 . 2008-06-13 14:13 13,616 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symdns.sys
2008-06-11 14:45 . 2008-06-13 14:10 272,128 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
2008-06-11 14:45 . 2008-06-13 14:10 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-06-08 08:33 . 2008-06-08 08:33 <DIR> d-------- C:\Program Files\DVD Shrink
2008-06-08 08:33 . 2008-06-08 08:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-06-07 17:29 . 2008-06-07 17:29 <DIR> d-------- C:\de149883b38d9ef120750e26980c9e
2008-06-07 17:25 . 2008-06-07 17:29 <DIR> d-------- C:\e135fb76c7d00b5aaa55
2008-06-05 20:54 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-06-05 20:52 . 2008-06-05 20:52 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-04 09:46 . 2008-06-04 09:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 12:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-07-01 12:40 --------- d-----w C:\Program Files\Dl_cats
2008-07-01 12:25 --------- d-----w C:\Program Files\SPAMfighter
2008-07-01 10:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-01 07:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-30 14:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-30 07:55 --------- d-----w C:\Documents and Settings\vince\Application Data\wsInspector
2008-06-29 18:10 --------- d-----w C:\Documents and Settings\vince\Application Data\LimeWire
2008-06-29 14:05 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-06-28 15:29 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-28 13:16 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-28 13:16 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-06-28 12:16 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-28 03:37 --------- d-----w C:\Program Files\LimeWire
2008-06-21 07:45 --------- d-----w C:\Documents and Settings\vince\Application Data\Roxio
2008-06-14 07:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-08 12:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-07 16:29 --------- d-----w C:\Program Files\Windows Desktop Search
2008-06-05 19:54 --------- d-----w C:\Program Files\Java
2008-06-04 08:47 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-06-04 08:47 --------- d-----w C:\Documents and Settings\vince\Application Data\SUPERAntiSpyware.com
2008-05-31 10:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2008-05-31 08:47 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-31 08:47 60,800 ----a-w C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2008-05-31 08:47 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-31 08:47 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-31 08:47 --------- d-----w C:\Program Files\Symantec
2008-05-29 17:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-29 14:16 --------- d-----w C:\Program Files\BillP Studios
2008-05-29 14:16 --------- d-----w C:\Documents and Settings\vince\Application Data\WinPatrol
2008-05-23 15:33 --------- d-----w C:\Documents and Settings\vince\Application Data\ArcSoft
2008-05-23 12:12 --------- d-----w C:\Program Files\ArcSoft
2008-05-23 12:11 --------- d-----w C:\Documents and Settings\vince\Application Data\Diino
2008-05-23 11:10 --------- d-----w C:\Program Files\Norton Internet Security
2008-05-23 11:09 --------- d-----w C:\Program Files\Windows Sidebar
2008-05-23 11:08 1,245,064 ----a-w C:\Documents and Settings\vince\SymLCSVC.EXE
2008-05-22 19:45 --------- d-----w C:\Program Files\MSXML 6.0
2008-05-21 15:19 --------- d-----w C:\Program Files\Sonic
2008-05-15 20:11 --------- d-----w C:\Program Files\Common Files\AOL
2008-05-15 20:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-15 16:27 --------- d-----w C:\Program Files\Microsoft Visual Studio 9.0
2008-05-14 08:01 --------- d-----w C:\Program Files\Dell Photo AIO Printer 942
2008-05-13 15:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-05-12 19:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-12 17:12 --------- d-----w C:\Program Files\Microsoft Synchronization Services
2008-05-12 17:12 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-05-12 17:05 --------- d-----w C:\Program Files\Reference Assemblies
2008-05-12 17:05 --------- d-----w C:\Program Files\MSBuild
2008-05-12 14:11 107,888 ----a-w C:\WINDOWS\SYSTEM32\CmdLineExt.dll
2008-05-12 14:11 --------- d--h--r C:\Documents and Settings\vince\Application Data\SecuROM
2008-05-12 14:11 --------- d-----w C:\Documents and Settings\vince\Application Data\Sports Interactive
2008-05-12 14:08 --------- d-----w C:\Program Files\Sports Interactive
2008-05-09 10:17 --------- d-----w C:\Program Files\Sage EBanking
2008-05-09 10:17 --------- d-----w C:\Program Files\Informer50
2008-05-09 10:16 --------- d-----w C:\Program Files\Common Files\Sage Line50
2008-05-09 10:15 --------- d-----w C:\Program Files\Sage
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
2008-05-08 07:03 --------- d-----w C:\Program Files\Microsoft Works
2008-05-08 07:02 --------- d-----w C:\Program Files\Microsoft.NET
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2008-05-06 14:42 --------- d-----w C:\Program Files\Apple Software Update
2008-05-06 14:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-05-05 14:41 3,434 ----a-w C:\WINDOWS\SYSTEM32\tmp.reg
2008-05-04 17:35 --------- d-----w C:\Program Files\QuickTime
2008-05-04 17:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-04 16:51 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-03 08:42 --------- d-----w C:\Program Files\Trend Micro
2008-05-02 07:42 --------- d-----w C:\Program Files\Incomplete
2008-05-01 13:19 --------- d-----w C:\Documents and Settings\vince\Application Data\Malwarebytes
2008-05-01 13:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-23 21:16 3,591,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-04-19 08:07 184 ----a-w C:\setuplog.exe
2008-04-14 04:43 92,424 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\rdpdd.dll
2008-04-14 04:43 87,176 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\rdpwsx.dll
2008-04-14 04:43 40,840 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\termdd.sys
2008-04-14 04:43 299,520 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\drmclien.dll
2008-04-14 04:43 21,896 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tdtcp.sys
2008-04-14 04:43 139,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\rdpwd.sys
2008-04-14 04:43 12,168 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tsddd.dll
2008-04-14 04:43 12,040 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tdpipe.sys
2008-04-14 04:41 98,304 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\actxprxy.dll
2008-04-14 04:40 67,584 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pmigrate.dll
2008-04-14 04:40 53,760 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pintlcsd.dll
2008-04-14 04:40 53,279 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\odbcji32.dll
2008-04-14 04:40 4,126 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msdxmlc.dll
2008-04-14 04:40 3,584 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msafd.dll
2008-04-14 04:40 259,328 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\perm3dd.dll
2008-04-14 04:40 211,584 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\perm2dll.dll
2008-04-14 04:40 175,104 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pintlcsa.dll
2008-04-14 04:40 15,872 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\padrs404.dll
2008-04-14 04:40 15,360 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\padrs804.dll
2008-04-13 23:51 162,816 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\netbt.sys
2008-04-13 23:50 91,520 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ndiswan.sys
2008-04-13 23:50 182,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ndis.sys
2002-04-16 10:27 5 --sha-w C:\WINDOWS\SYSTEM32\CdI5T.drv
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2008-06-17 14:23 349552 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-05-23 12:09 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2004-07-19 07:51 306688]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-19 10:42 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 12:52 339968]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12 221184]
"Dell Photo AIO Printer 942"="C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe" [2005-02-03 09:08 294912]
"DellMCM"="C:\Program Files\Dell Photo AIO Printer 942\memcard.exe" [2004-07-27 15:08 262144]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-21 08:38 185896]
"DLBUCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBUtime.dll" [2004-11-09 22:47 69632]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 17:47 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-02-06 22:49 718704]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-04-25 18:31 333120]
"SPAMfighter Agent"="C:\Program Files\SPAMfighter\SFAgent.exe" [2008-02-26 11:10 317072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration]
--a------ 2004-07-01 19:08 53248 C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R2 SPAMfighter Update Service;SPAMfighter Update Service;"C:\Program Files\SPAMfighter\sfus.exe" [2008-02-26 11:10]
S3 APL531;OVT Scanner;C:\WINDOWS\system32\Drivers\ov550i.sys []
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-06-13 15:52:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-02 19:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - vince.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
"2008-06-10 17:00:00 C:\WINDOWS\Tasks\Pareto UNS.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe
"2008-07-01 12:23:56 C:\WINDOWS\Tasks\RegCure Program Check.job"
- G:\RegCure\RegCure.exe
"2008-04-24 08:37:06 C:\WINDOWS\Tasks\RegCure.job"
- G:\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-01 13:50:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-01 13:51:05
ComboFix-quarantined-files.txt 2008-07-01 12:50:53
ComboFix2.txt 2008-07-01 12:48:01

Pre-Run: 136,221,446,144 bytes free
Post-Run: 136,208,478,208 bytes free

233 --- E O F --- 2008-06-20 06:57:17
vince29
Regular Member
 
Posts: 19
Joined: May 18th, 2008, 10:26 am

Re: trojan downloader

Unread postby Katana » July 1st, 2008, 9:43 am

ComboFix 08-06-20.4 - vince 2008-07-01 13:49:00.4 - NTFSx86


please can you post the log from the first time you ran Combofix today.
It should be in C:\Qoobox folder and should have a time stamp of before 12:48:01
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: trojan downloader

Unread postby vince29 » July 1st, 2008, 11:43 am

hi
the only log i can find is posted below, i did start a scan but it was aborted as i had spybot & winpatrol still running which ceated error messages & combo fix closed itself because i tried to install recovery console which i had forgotten was already installed.
ComboFix 08-06-20.4 - vince 2008-07-01 13:44:46.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1536 [GMT 1:00]
Running from: C:\Documents and Settings\vince\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))
.

2008-06-28 04:36 . 2008-06-28 04:36 7,327,865 --a------ C:\WINDOWS\SYSTEM32\LimeWireWin.exe
2008-06-28 04:36 . 2008-06-28 04:36 688,129 --a------ C:\WINDOWS\SYSTEM32\1.4 XR6.exe
2008-06-25 22:51 . 2008-06-25 22:51 <DIR> d-------- C:\Documents and Settings\vince\WINDOWS
2008-06-25 22:40 . 2008-06-25 22:40 <DIR> d-------- C:\Program Files\GSP
2008-06-25 22:39 . 1998-10-01 15:22 299,520 --a------ C:\WINDOWS\uninst.exe
2008-06-25 22:39 . 2008-06-25 22:41 66 --a------ C:\WINDOWS\GSP_ApRg.INI
2008-06-25 22:31 . 2008-06-25 22:31 <DIR> d-------- C:\Documents and Settings\vince\Application Data\Uniblue
2008-06-25 10:30 . 2008-06-25 10:30 <DIR> d-------- C:\Documents and Settings\vince\Application Data\Apple Computer
2008-06-24 14:23 . 2008-06-24 14:23 <DIR> d-------- C:\VundoFix Backups
2008-06-22 13:46 . 2008-06-22 13:46 29 --a------ C:\WINDOWS\AlphaPlayer.INI
2008-06-22 13:23 . 1999-09-10 12:06 45,056 -ra------ C:\WINDOWS\SYSTEM32\wnaspi32.dll
2008-06-22 13:23 . 1999-09-10 12:06 45,056 -ra------ C:\WINDOWS\SYSTEM32\wnaspi32.bak
2008-06-22 13:23 . 1999-09-10 12:06 25,244 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\ASPI32.sys
2008-06-22 13:23 . 1999-09-10 12:06 5,600 -ra------ C:\WINDOWS\SYSTEM\Winaspi.dll
2008-06-22 13:23 . 1999-09-10 12:06 4,672 -ra------ C:\WINDOWS\SYSTEM\Wowpost.exe
2008-06-22 13:23 . 2008-06-22 13:23 2,368 --a------ C:\WINDOWS\SYSTEM32\STEC3.sys
2008-06-19 17:36 . 2008-06-19 17:36 <DIR> d-------- C:\Program Files\CCleaner
2008-06-14 08:49 . 2008-06-14 08:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Fellowes
2008-06-14 08:48 . 2008-06-14 08:48 <DIR> d-------- C:\Program Files\Fellowes
2008-06-13 14:45 . 2008-06-13 14:45 579,464 --a------ C:\WINDOWS\SYSTEM32\SymNeti.dll
2008-06-13 14:45 . 2008-06-13 14:45 207,240 --a------ C:\WINDOWS\SYSTEM32\SymRedir.dll
2008-06-13 14:14 . 2008-06-13 14:14 31,280 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SymIM.sys
2008-06-13 14:14 . 2008-06-13 14:14 13,093 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SymRedir.cat
2008-06-13 14:14 . 2008-06-13 14:14 1,611 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SymRedir.inf
2008-06-13 14:13 . 2008-06-13 14:13 184,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symtdi.sys
2008-06-13 14:13 . 2008-06-13 14:13 96,432 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symfw.sys
2008-06-13 14:13 . 2008-06-13 14:13 41,008 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symndisv.sys
2008-06-13 14:13 . 2008-06-13 14:13 38,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symids.sys
2008-06-13 14:13 . 2008-06-13 14:13 37,424 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symndis.sys
2008-06-13 14:13 . 2008-06-13 14:13 22,320 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symredrv.sys
2008-06-13 14:13 . 2008-06-13 14:13 13,616 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symdns.sys
2008-06-11 14:45 . 2008-06-13 14:10 272,128 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
2008-06-11 14:45 . 2008-06-13 14:10 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-06-08 08:33 . 2008-06-08 08:33 <DIR> d-------- C:\Program Files\DVD Shrink
2008-06-08 08:33 . 2008-06-08 08:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-06-07 17:29 . 2008-06-07 17:29 <DIR> d-------- C:\de149883b38d9ef120750e26980c9e
2008-06-07 17:25 . 2008-06-07 17:29 <DIR> d-------- C:\e135fb76c7d00b5aaa55
2008-06-05 20:54 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-06-05 20:52 . 2008-06-05 20:52 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-04 09:46 . 2008-06-04 09:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 12:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-07-01 12:40 --------- d-----w C:\Program Files\Dl_cats
2008-07-01 12:25 --------- d-----w C:\Program Files\SPAMfighter
2008-07-01 10:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-01 07:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-30 14:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-30 07:55 --------- d-----w C:\Documents and Settings\vince\Application Data\wsInspector
2008-06-29 18:10 --------- d-----w C:\Documents and Settings\vince\Application Data\LimeWire
2008-06-29 14:05 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-06-28 15:29 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-28 13:16 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-28 13:16 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-06-28 12:16 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-28 03:37 --------- d-----w C:\Program Files\LimeWire
2008-06-21 07:45 --------- d-----w C:\Documents and Settings\vince\Application Data\Roxio
2008-06-14 07:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-08 12:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-07 16:29 --------- d-----w C:\Program Files\Windows Desktop Search
2008-06-05 19:54 --------- d-----w C:\Program Files\Java
2008-06-04 08:47 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-06-04 08:47 --------- d-----w C:\Documents and Settings\vince\Application Data\SUPERAntiSpyware.com
2008-05-31 10:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2008-05-31 08:47 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-31 08:47 60,800 ----a-w C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2008-05-31 08:47 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-31 08:47 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-31 08:47 --------- d-----w C:\Program Files\Symantec
2008-05-29 17:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-29 14:16 --------- d-----w C:\Program Files\BillP Studios
2008-05-29 14:16 --------- d-----w C:\Documents and Settings\vince\Application Data\WinPatrol
2008-05-23 15:33 --------- d-----w C:\Documents and Settings\vince\Application Data\ArcSoft
2008-05-23 12:12 --------- d-----w C:\Program Files\ArcSoft
2008-05-23 12:11 --------- d-----w C:\Documents and Settings\vince\Application Data\Diino
2008-05-23 11:10 --------- d-----w C:\Program Files\Norton Internet Security
2008-05-23 11:09 --------- d-----w C:\Program Files\Windows Sidebar
2008-05-23 11:08 1,245,064 ----a-w C:\Documents and Settings\vince\SymLCSVC.EXE
2008-05-22 19:45 --------- d-----w C:\Program Files\MSXML 6.0
2008-05-21 15:19 --------- d-----w C:\Program Files\Sonic
2008-05-15 20:11 --------- d-----w C:\Program Files\Common Files\AOL
2008-05-15 20:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-15 16:27 --------- d-----w C:\Program Files\Microsoft Visual Studio 9.0
2008-05-14 08:01 --------- d-----w C:\Program Files\Dell Photo AIO Printer 942
2008-05-13 15:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-05-12 19:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-12 17:12 --------- d-----w C:\Program Files\Microsoft Synchronization Services
2008-05-12 17:12 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-05-12 17:05 --------- d-----w C:\Program Files\Reference Assemblies
2008-05-12 17:05 --------- d-----w C:\Program Files\MSBuild
2008-05-12 14:11 107,888 ----a-w C:\WINDOWS\SYSTEM32\CmdLineExt.dll
2008-05-12 14:11 --------- d--h--r C:\Documents and Settings\vince\Application Data\SecuROM
2008-05-12 14:11 --------- d-----w C:\Documents and Settings\vince\Application Data\Sports Interactive
2008-05-12 14:08 --------- d-----w C:\Program Files\Sports Interactive
2008-05-09 10:17 --------- d-----w C:\Program Files\Sage EBanking
2008-05-09 10:17 --------- d-----w C:\Program Files\Informer50
2008-05-09 10:16 --------- d-----w C:\Program Files\Common Files\Sage Line50
2008-05-09 10:15 --------- d-----w C:\Program Files\Sage
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
2008-05-08 07:03 --------- d-----w C:\Program Files\Microsoft Works
2008-05-08 07:02 --------- d-----w C:\Program Files\Microsoft.NET
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2008-05-06 14:42 --------- d-----w C:\Program Files\Apple Software Update
2008-05-06 14:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-05-05 14:41 3,434 ----a-w C:\WINDOWS\SYSTEM32\tmp.reg
2008-05-04 17:35 --------- d-----w C:\Program Files\QuickTime
2008-05-04 17:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-04 16:51 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-03 08:42 --------- d-----w C:\Program Files\Trend Micro
2008-05-02 07:42 --------- d-----w C:\Program Files\Incomplete
2008-05-01 13:19 --------- d-----w C:\Documents and Settings\vince\Application Data\Malwarebytes
2008-05-01 13:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-23 21:16 3,591,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-04-19 08:07 184 ----a-w C:\setuplog.exe
2008-04-14 04:43 92,424 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\rdpdd.dll
2008-04-14 04:43 87,176 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\rdpwsx.dll
2008-04-14 04:43 40,840 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\termdd.sys
2008-04-14 04:43 299,520 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\drmclien.dll
2008-04-14 04:43 21,896 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tdtcp.sys
2008-04-14 04:43 139,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\rdpwd.sys
2008-04-14 04:43 12,168 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tsddd.dll
2008-04-14 04:43 12,040 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tdpipe.sys
2008-04-14 04:41 98,304 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\actxprxy.dll
2008-04-14 04:40 67,584 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pmigrate.dll
2008-04-14 04:40 53,760 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pintlcsd.dll
2008-04-14 04:40 53,279 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\odbcji32.dll
2008-04-14 04:40 4,126 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msdxmlc.dll
2008-04-14 04:40 3,584 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msafd.dll
2008-04-14 04:40 259,328 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\perm3dd.dll
2008-04-14 04:40 211,584 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\perm2dll.dll
2008-04-14 04:40 175,104 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pintlcsa.dll
2008-04-14 04:40 15,872 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\padrs404.dll
2008-04-14 04:40 15,360 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\padrs804.dll
2008-04-13 23:51 162,816 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\netbt.sys
2008-04-13 23:50 91,520 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ndiswan.sys
2008-04-13 23:50 182,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\ndis.sys
2002-04-16 10:27 5 --sha-w C:\WINDOWS\SYSTEM32\CdI5T.drv
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2008-06-17 14:23 349552 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-05-23 12:09 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2004-07-19 07:51 306688]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-19 10:42 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 12:52 339968]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12 221184]
"Dell Photo AIO Printer 942"="C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe" [2005-02-03 09:08 294912]
"DellMCM"="C:\Program Files\Dell Photo AIO Printer 942\memcard.exe" [2004-07-27 15:08 262144]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-21 08:38 185896]
"DLBUCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBUtime.dll" [2004-11-09 22:47 69632]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 17:47 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-02-06 22:49 718704]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-04-25 18:31 333120]
"SPAMfighter Agent"="C:\Program Files\SPAMfighter\SFAgent.exe" [2008-02-26 11:10 317072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration]
--a------ 2004-07-01 19:08 53248 C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R2 SPAMfighter Update Service;SPAMfighter Update Service;"C:\Program Files\SPAMfighter\sfus.exe" [2008-02-26 11:10]
S3 APL531;OVT Scanner;C:\WINDOWS\system32\Drivers\ov550i.sys []
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-06-13 15:52:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-02 19:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - vince.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
"2008-06-10 17:00:00 C:\WINDOWS\Tasks\Pareto UNS.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe
"2008-07-01 12:23:56 C:\WINDOWS\Tasks\RegCure Program Check.job"
- G:\RegCure\RegCure.exe
"2008-04-24 08:37:06 C:\WINDOWS\Tasks\RegCure.job"
- G:\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-01 13:47:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-01 13:48:00
ComboFix-quarantined-files.txt 2008-07-01 12:47:45

Pre-Run: 136,059,547,648 bytes free
Post-Run: 136,208,670,720 bytes free

231 --- E O F --- 2008-06-20 06:57:17
vince29
Regular Member
 
Posts: 19
Joined: May 18th, 2008, 10:26 am

Re: trojan downloader

Unread postby Katana » July 1st, 2008, 4:13 pm

C:\WINDOWS\Config\csrss.exe (Trojan.Downloader) -> No action taken.


Have you let MBAM fix the entry at all ?


Create A Batch File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it look.bat Please save it on your desktop.

@echo off
if exist C:\kresults.txt del /q C:\kresults.txt
dir /a /s C:\Qoobox >> C:\kresults.txt
start notepad C:\kresults.txt
del /q %0
exit

Double click on look.bat
Please be patient, as this will search the entire disc

Notepad will open, please copy/paste the results here.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: trojan downloader

Unread postby vince29 » July 2nd, 2008, 8:24 am

hi
many thanks for your help. i am afraid that i made a mess of your last insruction i did run the programme & the results were shown by i did not paste the reply to you & now it will not allow me to run the instruction again.i have pasted the latest scan log which does not show any problems


Malwarebytes' Anti-Malware 1.19
Database version: 913
Windows 5.1.2600 Service Pack 2

13:14:15 02/07/2008
mbam-log-7-2-2008 (13-14-15).txt

Scan type: Full Scan (C:\|)
Objects scanned: 105059
Time elapsed: 23 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
vince29
Regular Member
 
Posts: 19
Joined: May 18th, 2008, 10:26 am

Re: trojan downloader

Unread postby Katana » July 2nd, 2008, 9:21 am

Please do the following

Click Start >> Run
In the run box type the following

notepad C:\kresults.txt

Now press Enter
Notepad will open
Copy paste the contents here
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: trojan downloader

Unread postby vince29 » July 2nd, 2008, 2:13 pm

Volume in drive C has no label.
Volume Serial Number is 8091-DF86

Directory of C:\Qoobox

01/07/2008 13:49 <DIR> .
01/07/2008 13:49 <DIR> ..
01/07/2008 13:43 <DIR> BackEnv
01/07/2008 13:50 76 ComboFix-quarantined-files.txt
01/07/2008 13:48 17,217 ComboFix2.txt
01/07/2008 13:47 <DIR> Quarantine
01/07/2008 13:47 733,484 snapshot@2008-07-01_13.47.33.42.dat
01/07/2008 13:47 686,186 snapshot@2008-07-01_13.47.33.42_B.dat
4 File(s) 1,436,963 bytes

Directory of C:\Qoobox\BackEnv

01/07/2008 13:43 <DIR> .
01/07/2008 13:43 <DIR> ..
01/07/2008 13:43 341 appdata.folder.dat
01/07/2008 13:43 316 cache.folder.dat
01/07/2008 13:43 133 desktop.folder.dat
01/07/2008 13:43 191 favorites.folder.dat
01/07/2008 13:43 284 localappdata.folder.dat
01/07/2008 13:43 275 localsettings.folder.dat
01/07/2008 13:43 181 mypictures.folder.dat
01/07/2008 13:43 145 personal.folder.dat
01/07/2008 13:43 267 profiles.folder.dat
01/07/2008 13:43 231 programs.folder.dat
01/07/2008 13:43 11,203 SetPath.bat
01/07/2008 13:43 195 startmenu.folder.dat
01/07/2008 13:43 193 startup.folder.dat
01/07/2008 13:43 4,879 SysPath.dat
01/07/2008 13:43 139 templates.folder.dat
15 File(s) 18,973 bytes

Directory of C:\Qoobox\Quarantine

01/07/2008 13:47 <DIR> .
01/07/2008 13:47 <DIR> ..
01/07/2008 13:43 <DIR> C
01/07/2008 13:50 108 catchme.log
01/07/2008 13:46 <DIR> Registry_backups
1 File(s) 108 bytes

Directory of C:\Qoobox\Quarantine\C

01/07/2008 13:43 <DIR> .
01/07/2008 13:43 <DIR> ..
0 File(s) 0 bytes

Directory of C:\Qoobox\Quarantine\Registry_backups

01/07/2008 13:46 <DIR> .
01/07/2008 13:46 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
20 File(s) 1,456,044 bytes
14 Dir(s) 136,211,197,952 bytes free
vince29
Regular Member
 
Posts: 19
Joined: May 18th, 2008, 10:26 am

Re: trojan downloader

Unread postby Katana » July 2nd, 2008, 6:23 pm

Well, it looks like that file is gone but there are a couple of other things I would like to check


Installed Programs

Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.


Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)

Go Here http://www.kaspersky.com/kos/eng/partne ... bscan.html

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: trojan downloader

Unread postby vince29 » July 3rd, 2008, 7:29 am

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, July 3, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, July 03, 2008 09:08:06
Records in database: 909933
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
G:\

Scan statistics:
Files scanned: 72492
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:04:18


File name / Threat name / Threats count
C:\Documents and Settings\vince\My Documents\My Music\music2\LimeWire Pro 4.18.3.zip Infected: Trojan-Dropper.Win32.VB.azm 1

hijack report

The selected area was scanned.
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
ABBYY FineReader 5.0 Sprint Plus
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
AppCore
Apple Software Update
ARTEuro
ATI Control Panel
ATI Display Driver
BBC iPlayer Download Manager
Broadcom Management Programs
ccCommon
CCleaner (remove only)
Component Framework
Corel Paint Shop Pro Photo X2
Creative MediaSource
Dell Driver Reset Tool
Dell Photo AIO Printer 942
Dell Support 5.0.0 (630)
DivX
DVD Shrink 3.2
Family Tree Maker 2006
Football Manager 2008
G21942EN
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
GSP FACE
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915800)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Intel(R) 537EP V9x DF PCI Modem
Internet Explorer Default Page
Java(TM) 6 Update 6
LimeWire PRO 4.18.3
LiveUpdate (Symantec Corporation)
LiveUpdate (Symantec Corporation)
Malwarebytes' Anti-Malware
MediaFACE 4.01
MediaFACE 4.01 Image Library
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft SQL Server Compact 3.5 Design Tools ENU
Microsoft SQL Server Compact 3.5 ENU
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Modem Event Monitor
Modem Helper
Modem On Hold
MSN
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Nero Suite
Norton AntiVirus
Norton AntiVirus Help
Norton Confidential Core
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
Picasa 2
PowerDVD 5.5
QuickTime
RealPlayer
Roxio Content 9
Roxio MyDVD 9 Studio Premier
Sage Accounts
Sage MIS 3.01
SAGEM F@st 800-840
Security Update for Excel 2007 (KB946974)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Office 2007 (KB947801)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Serif PagePlus 11
Sound Blaster Live! 24-bit
SPAMfighter
SPBBC 32bit
Spell Checker For OE 2.1
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
Symantec Real Time Storage Protection Component
Tiscali Internet
Uninstall Startup Inspector
Update for Office 2007 (KB946691)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
WinPatrol 2008
vince29
Regular Member
 
Posts: 19
Joined: May 18th, 2008, 10:26 am

Re: trojan downloader

Unread postby Katana » July 3rd, 2008, 10:36 am

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

LimeWire PRO 4.18.3

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
Please note: you must NOT use this whilst we are cleaning your machine.



Delete Files and Folders
Find and delete the following Files and Folders if present
C:\Documents and Settings\vince\My Documents\My Music\music2\LimeWire Pro 4.18.3.zip




Congratulations your logs look clean :D

Let's see if I can help you keep it that way

First lets tidy up :D


  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
    • Image
You can also delete any logs we have produced, and empty your Recycle bin.




The following is some info to help you stay safe and clean.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partne ... bscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware
    AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    Most of the programs in this list have a free (for Home Users ) and paid versions,
    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
  • Spybot - Search & Destroy <<< A must have program
    • It includes host protection and registry protection
    • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
  • MalwareBytes Anti-malware <<< A New and effective program
  • a-squared Free <<< A good "realtime" or "on demand" scanner
  • superantispyware <<< A good "realtime" or "on demand" scanner

Prevention
    These programs don't detect malware, they help stop it getting on your machine in the first place.
    Each does a different job, so you can have more than one
  • Winpatrol
    • An excellent startup manager and then some !!
    • Notifies you if programs are added to startup
    • Allows delayed startup
    • A must have addition
  • SpywareBlaster 4.0
    • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
  • SpywareGuard 2.2
    • SpywareGuard provides real-time protection against spyware.
    • Not required if you have other "realtime" antispyware or Winpatrol
  • ZonedOut
    • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
  • MVPS HOSTS
    • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
    • For information on how to download and install, please read this tutorial by WinHelp2002.
    • Not required if you are using other host file protections

Internet Browsers
    Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
    Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    If you are still using IE6 then either update, or get one of the following.
    • FireFox
      • With many addons available that make customization easy this is a very popular choice
      • NoScript and AdBlockPlus addons are essential
    • Opera
      • Another popular alternative
    • Netscape
      • Another popular alternative
      • Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies
    Temporary Internet Files are mainly the files that are downloaded when you open a web page.
    Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
    It is a good idea to empty the Temporary Internet Files folder on a regular basis.

    Tracking Cookies are files that websites use to monitor which sites you visit and how often.
    A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
    CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

    Both of these can be cleaned manually, but a quicker option is to use a program
  • ATF Cleaner
    • Free and very simple to use
  • CCleaner
    • Free and very flexible, you can chose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: trojan downloader

Unread postby vince29 » July 4th, 2008, 8:28 am

Hi
Many thanks for all your help i have deleted the file But i am surprised it got through as i always scan a file with Norton, malware scanner, or superantispyware before installing but it just goes to show.
Again many thanks
vince29
Regular Member
 
Posts: 19
Joined: May 18th, 2008, 10:26 am
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 262 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware