Looking for advice

ryanryan007, 13-Jan-2008, 05:00 PM #46
I started a Panda scan, and during the scan I got a virus/worm detection and Avast made me abort the connection. Here is the screenshot of what happened:

http://img122.imageshack.us/my.php?image=viruscl8.jpg
Byteman (Moderator & Malware Removal Specialist, NY), 13-Jan-2008, 05:45 PM #47
You will have to turn off Avast during the scan, similar to when we used ComboFix.

The file detected says it was part of Panda activescan.
ryanryan007, 13-Jan-2008, 06:03 PM #48
Byteman, 13-Jan-2008, 07:13 PM #49
Hi, good. Just this left to fix:

One of the security experts would like to examine a copy of this file, which may still be on your computer:

C:\WINDOWS\system32\firefoxupdateg.exe

Any idea where it came from, or whether it was some extension or something? There is no information found for it, which makes it a suspect, and some antivirus sites detect it as an SDBot worm, so we need to look at it more closely.

You need these settings made, unless you still have it this way:

Quote:
Because XP will not always show you hidden files and folders by default, go to Start > Search > Files and Folders, and under "More advanced search options" make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply", then "OK".

Download Suspicious File Packer from http://www.safer-networking.org/en/tools/index.html (direct download: http://www.safer-networking.org/files/sfp.zip ).

Unzip it to the desktop, open it and paste in the list of files below, press Next and it will create an archive (zip/cab file) on the desktop.

Please upload that to http://www.thespykiller.co.uk/index.php?board=1.0 so we can examine the files.

Just press New Topic, fill in the needed details and give a link to your post here, then press the Browse button and navigate to and select the files on your computer. When the file is listed in the window, press Send to upload the zipped-up file shown below:

C:\WINDOWS\system32\firefoxupdateg.exe (which will look like a folder and have the .zip extension after you zip it.)

It will be a day or so till we get the results, unless they get to it sooner, so sit tight until then.

Let me know if anything else is a problem, but don't rush and try to fix things; post here.
__________________
Mung (computer term), the act of making several incremental changes to an item that combine to destroy it
Donate directly to help the site TSG Library
TSG's Welcome Guide- Tips, Rules, How to use TSG and more!
ryanryan007, 13-Jan-2008, 07:51 PM #50
I'm running another SUPERAntiSpyware scan and I'm still picking up a lot of trojans, all of which are coming from the VundoFix backup. Should I delete it somehow or something?
Byteman, 13-Jan-2008, 08:02 PM #51
Hi. Yes, but they are harmless there; if it bugs you, delete the entire VundoFix and the backups. If you have to use VundoFix later, we need to download a brand new copy, because they update the files it finds almost every day!

Same for ComboFix: you should re-download a new copy, not hang onto the old one.

We usually post what to get rid of as one of the last steps in fixing malware.

You also will be instructed to empty the System Restore points; malware will be backed up in there too, if you have Restore on.

You then create a new, clean Restore Point. All this will be done as one of the last steps.
ryanryan007, 13-Jan-2008, 08:22 PM #52
Here's the post. I wasn't sure exactly what you wanted me to upload, so I hope this is correct:
http://thespykiller.co.uk/index.php/...febe50878eec7d

PS: I found another 35 traces in my SUPERAntiSpyware scan, so it's all been quarantined. How do I delete it from my system, or should I keep them quarantined?
Byteman, 13-Jan-2008, 08:34 PM #53
Well, first, as always, post the log here so I can see what is going on. If they are cookies, that is normal; you will always have those.

I need to see the file locations and file names to advise.

RE: Upload, you were asked to upload this file:
C:\WINDOWS\system32\firefoxupdateg.exe (this file, in bold)

After we are done fixing, in the future you can always leave any item in Quarantine, with any of the programs you use, and actually it's safer to do that, because you never know what might be a false positive.

Leaving them Quarantined assures that you can get something back that was detected wrongly.
ryanryan007, 13-Jan-2008, 08:39 PM #54
Whenever I restart my computer I get this pop-up:

http://img101.imageshack.us/my.php?image=erroryr6.jpg
ryanryan007, 13-Jan-2008, 08:44 PM #55
Uploaded file:
http://thespykiller.co.uk/index.php/...23f658f0b4ae9d

Here is the newest SAS log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/13/2008 at 04:16 PM

Application Version : 3.9.1008

Core Rules Database Version : 3377
Trace Rules Database Version: 1371

Scan type : Complete Scan
Total Scan Time : 01:10:36

Memory items scanned : 494
Memory threats detected : 0
Registry items scanned : 6618
Registry threats detected : 26
File items scanned : 46172
File threats detected : 9

Unclassified.Oreans32
HKLM\System\ControlSet001\Services\oreans32
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
HKLM\System\ControlSet003\Services\oreans32
HKLM\System\CurrentControlSet\Services\oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#Active Service
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP15\A0011175.SYS

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@members.xxxadultstars[2].txt
C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[1].txt
C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[3].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.bridgetrack[1].txt
C:\Documents and Settings\Owner\Cookies\owner@pandasoftware.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt
Byteman, 13-Jan-2008, 08:45 PM #56
Ryan, you probably did it right. I cannot see what you uploaded, as they are hidden when you send them in.

But I do not see a link to our thread here, so here is one you should copy and paste INTO your post at the Spykiller forums:

http://forums.techguy.org/general-se...ng-advice.html

Copy that link to your post where you uploaded the file. You have to do that so they can post here to let us know what the file actually is, bad or good.

Right-click it when you have a page open (maybe you can edit your post there; I am not sure, as different forums work differently) and select "Copy Shortcut". Then, at Spykiller, click into the space in the reply, right-click and select "Paste" so the link itself appears in the reply. Submit your post, making sure you also upload the file

firefoxupdateg.exe again using the directions.

Perhaps put a short note about why you re-posted (forgot the link to our TechGuy thread). It will be OK.

Or, you can make a new reply and include the file again, with a link.

You might have only copied the text line, but again, I can't tell, as they do not show to anyone.

C:\WINDOWS\system32\firefoxupdateg.exe

Use the Browse button you see at Spykiller. You then find the file in question by going to your System32 folder and highlighting the firefoxupdateg.exe file there once with your mouse. That sends the path to the file into the Submit line; when you hit Submit or Upload, it sends a copy of that file to the site.

It's like making an attachment in emails, see.

RE: the popup:

Let me see a brand new ComboFix log please, and also a new HijackThis log, one that you create after finishing ComboFix.

Remember to follow the same directions when you run ComboFix as I had in my other replies. Look back to find them unless you have them printed out or saved.

Last edited by Byteman; 13-Jan-2008 at 08:54 PM..
ryanryan007, 13-Jan-2008, 08:48 PM #57
Here's the latest forum post. I hope everything is done correctly this time:

http://thespykiller.co.uk/index.php/...0.new.html#new
Byteman, 13-Jan-2008, 08:59 PM #58
Hi, I can see you posted a link to our thread here; that's fine. And, as long as you attached the file we want them to look at, that is OK, but I can't tell, as no one can see the attached file.

If you followed this, then it should be there:

Quote:
This is just a place to upload files that have been asked for from other forums.
Please start a new post and just give a link to your posts on the other forum, then press Attach and upload the files.
Files can be uploaded by anybody but not seen or downloaded by anybody except those users that have been given special permissions.
You DO NOT need to be a member to upload; anybody can upload the files.

Now, we just have to wait to hear back; they are in the United Kingdom, so it may be tomorrow.

In the meantime, do the new scan with ComboFix etc.
ryanryan007, 13-Jan-2008, 09:05 PM #59
New ComboFix and HJT logs:
ComboFix 08-01-13.1 - Owner 2008-01-13 16:55:43.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.211 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\system32\idbwxnut.dll
C:\WINDOWS\system32\sqlmfvwd.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn

.
((((((((((((((((((((((((( Files Created from 2007-12-14 to 2008-01-14 )))))))))))))))))))))))))))))))
.

2008-01-13 16:34 . 2008-01-13 16:34 33,952 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2008-01-13 15:56 . 2008-01-13 14:54 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-12 23:28 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-12 15:29 . 2008-01-12 15:29 <DIR> d-------- C:\Program Files\WinPcap
2008-01-12 15:27 . 2008-01-12 23:02 <DIR> d-------- C:\Program Files\WMR11
2008-01-12 01:56 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-12 01:55 . 2008-01-12 01:55 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-10 12:35 . 2008-01-10 12:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-10 12:34 . 2008-01-13 16:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-10 12:34 . 2008-01-10 12:34 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-01-10 01:26 . 2008-01-13 16:53 <DIR> d-------- C:\Program Files\iTunes
2008-01-10 01:26 . 2008-01-10 01:26 <DIR> d-------- C:\Program Files\iPod
2008-01-10 01:22 . 2008-01-11 03:40 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-01-10 00:22 . 2008-01-13 15:51 <DIR> d-------- C:\VundoFix Backups
2008-01-09 09:02 . 2008-01-09 09:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-05 19:31 . 2008-01-05 19:28 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-05 19:28 . 2008-01-05 19:34 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-01-01 13:35 . 2008-01-01 13:51 <DIR> d-------- C:\Program Files\mIRC
2008-01-01 13:35 . 2008-01-01 14:05 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\mIRC
2007-12-23 00:43 . 2007-12-23 00:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!
2007-12-23 00:43 . 2007-12-23 00:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-14 00:53 --------- d-----w C:\Program Files\Zune
2008-01-14 00:53 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2008-01-14 00:53 --------- d-----w C:\Program Files\QuickTime
2008-01-14 00:53 --------- d-----w C:\Program Files\MSN Messenger
2008-01-14 00:53 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-01-14 00:53 --------- d-----w C:\Program Files\MagicISO
2008-01-14 00:53 --------- d-----w C:\Program Files\Common Files\Webroot Shared
2008-01-14 00:52 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-01-13 00:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-01-12 09:56 --------- d-----w C:\Program Files\Java
2008-01-10 20:34 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-10 09:22 --------- d-----w C:\Program Files\Apple Software Update
2008-01-07 13:00 --------- d-----w C:\Program Files\Folder Lock
2008-01-06 13:59 --------- d-----w C:\Program Files\uTorrent
2008-01-06 01:47 --------- d-----w C:\Program Files\TVUPlayer
2008-01-02 03:13 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso
2007-12-24 02:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2007-12-23 08:43 --------- d-----w C:\Program Files\Yahoo!
2007-12-17 07:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-12-13 11:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-09 06:34 --------- d-----w C:\Program Files\Microsoft Works
2007-12-09 06:33 --------- d-----w C:\Program Files\MSBuild
2007-12-09 06:29 --------- d-----w C:\Program Files\Microsoft.NET
2007-12-09 06:23 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-12-03 10:29 --------- d-----w C:\Program Files\Common Files\Raxco
2007-12-03 10:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Raxco
2007-12-02 18:38 --------- d-----w C:\Program Files\Alex Feinman
2007-12-02 07:38 --------- d-----w C:\Program Files\MP3Gain
2007-12-02 06:56 --------- d-----w C:\Program Files\Smart Projects
2007-12-02 06:49 --------- d-----w C:\Program Files\Common Files\Ahead
2007-12-02 06:49 --------- d-----w C:\Program Files\Ahead
2007-12-02 06:31 --------- d-----w C:\Program Files\MediaMonkey
2007-12-01 01:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\TVU Networks
2007-11-30 09:15 --------- d-----w C:\Documents and Settings\Owner\Application Data\dvdcss
2007-11-29 20:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-29 20:10 --------- d-----w C:\Program Files\Ross Histology
2007-11-25 09:25 --------- d-----w C:\Program Files\MP3ext
2007-11-25 09:15 --------- d-----w C:\Program Files\Winamp
2007-11-25 09:15 --------- d-----w C:\Program Files\Mp3tag
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-03-28 04:23 89,052 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_27_21_21_20_small.dmp.zip
2007-03-28 04:23 22,656,498 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_03_27_21_20_56_full.dmp.zip
2007-03-27 05:03 22,655,457 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_03_25_21_15_31_full.dmp.zip
2007-03-24 20:36 22,396,790 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_03_22_22_47_09_full.dmp.zip
2007-03-13 21:29 93,084 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_13_14_11_54_small.dmp.zip
2007-03-09 02:07 105,147 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_06_18_12_33_small.dmp.zip
2007-03-07 04:53 88,047 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_06_20_32_00_small.dmp.zip
2007-02-26 00:41 93,830 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_02_24_15_05_10_small.dmp.zip
2007-02-16 19:17 89,836 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_02_16_11_13_47_small.dmp.zip
2007-02-14 05:07 784 ----a-w C:\Documents and Settings\Owner\Application Data\mpauth.dat
2004-10-06 08:52 22,555,648 ----a-w C:\Program Files\setup.exe
2004-10-05 20:54 27,494 ----a-w C:\Program Files\Readme.txt
2004-09-22 17:07 25,047 ------w C:\Program Files\License.rtf
2005-07-14 18:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
2007-06-13 10:23 1,276,928 --sha-r C:\WINDOWS\system32\firefoxupdateg.exe
2007-07-30 00:58 16,753,440 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-26 10:09 548,896 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((( snapshot@2008-01-12_23.38.35.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-08-24 16:28:54 141,424 ----a-w C:\WINDOWS\Downloaded Program Files\asinst.dll
- 2008-01-13 07:28:47 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-14 00:55:30 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-13 07:28:47 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-14 00:55:30 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-13 07:28:47 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-14 00:55:30 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-13 07:28:47 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-14 00:55:30 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-13 07:28:47 6,254,592 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-14 00:55:30 6,316,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-13 07:28:47 299,008 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-14 00:55:30 299,008 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2007-06-25 05:34:08 803,908 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2008-01-13 22:55:10 238,176 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
- 2008-01-13 07:34:15 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_788.dat
+ 2008-01-14 00:34:29 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_788.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2007-03-14 16:03 24104]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-06 06:49 185632]
"firefox"="firefoxupdateg.exe" [2007-06-13 02:23 1276928 C:\WINDOWS\system32\firefoxupdateg.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"firefox"="firefoxupdateg.exe" [2007-06-13 02:23 1276928 C:\WINDOWS\system32\firefoxupdateg.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Post-itr Digital Notes.lnk - C:\Program Files\3M\PDNotes\PDNotes.exe [2006-03-21 13:23:30]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shell executehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"Window Washer"=C:\Program Files\Webroot\Washer\wwDisp.exe
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
"SoundMan"=SOUNDMAN.EXE
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2008-01-13 16:34]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 NAL;Nal Service ;C:\WINDOWS\System32\Drivers\iqvw32.sys [2002-10-16 00:11]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 09:31]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - OREANS32
.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 01:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-01-10 09:22:55 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-14 00:26:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 16:58:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk error: C:\WINDOWS\

**************************************************************************
.
Completion time: 2008-01-13 16:59:22
ComboFix-quarantined-files.txt 2008-01-14 00:58:30
ComboFix2.txt 2008-01-13 11:14:16
ComboFix3.txt 2008-01-13 07:39:45
.
2008-01-13 11:01:08 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:04:52 PM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\firefoxupdateg.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\3M\PDNotes\PDNotes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [firefox] firefoxupdateg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\RunServices: [firefox] firefoxupdateg.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Post-it® Digital Notes.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/14ffe564...p/RdxIE601.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/...oUploader2.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/a...v2.0.0.10.cab?
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Owner/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 8829 bytes
Byteman's Avatar
Moderator & Malware Removal Specialist with 17,387 posts.
 
Join Date: Jan 2002
Location: NY
Experience: Junkware Jouster
13-Jan-2008, 09:45 PM #60
Hi

Did you use CFScript in that scan with ComboFix? I didn't post any to use; you don't do that every time.

I just wanted to see a ComboFix log.

I'm looking back through the other scans to see if there is a registry entry to remove that pointed to the deleted file you are getting the popups for.
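The situation Byteman describes, an autorun entry left behind for a file that has already been removed, is what the O4 lines in the HijackThis log above are for. The script below is an added example written for this page, not a tool from the thread: it parses O4 entries copied from the log above and flags the ones a malware-removal helper would want to look at, i.e. a bare filename with no directory (resolved by the loader's search path rather than a fixed location), an entry under RunServices (a Windows 9x key that legitimate software on XP does not use), or a target that is no longer on disk. The `PRESENT_FILES` set is a constructed stand-in for the filesystem so the script runs offline, and `SEARCH_PATH` assumes a default XP layout; on a real machine you would replace both with `os.path.exists` and the real `%SystemRoot%`/`%PATH%`.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set

# Matches "O4 - HKLM\..\Run: [name] command" style HijackThis lines.
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")

# Keys only honoured by Windows 9x/Me. NT-family Windows ignores them for
# startup, so a legitimate installer has no reason to write here; worms
# that target every Windows version often write both Run and RunServices.
LEGACY_KEYS = {"RunServices", "RunServicesOnce"}

# Directories the loader searches for a bare image name (assumption: a
# default XP layout; derive from %SystemRoot% and %PATH% on a real box).
SEARCH_PATH = [r"C:\WINDOWS\system32", r"C:\WINDOWS"]

# Sample O4 lines copied from the HijackThis log in this thread.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r'O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"',
    r"O4 - HKLM\..\Run: [firefox] firefoxupdateg.exe",
    r"O4 - HKLM\..\RunServices: [firefox] firefoxupdateg.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
]

# Constructed stand-in for the disk: what is still present after
# firefoxupdateg.exe has been deleted. Not a real directory listing.
PRESENT_FILES = {
    r"C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"C:\Program Files\Zune\ZuneLauncher.exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
}


@dataclass
class Finding:
    hive: str
    key: str
    name: str
    image: str
    reasons: List[str] = field(default_factory=list)


def image_from_command(cmd: str) -> str:
    """Return the executable from a Run-key command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def resolve(image: str, present: Set[str]) -> Optional[str]:
    """Resolve the image roughly as the loader would; None if not on disk."""
    lower = {p.lower() for p in present}
    if "\\" in image or ":" in image:
        return image if image.lower() in lower else None
    for d in SEARCH_PATH:
        candidate = d + "\\" + image
        if candidate.lower() in lower:
            return candidate
    return None


def audit_o4(lines: Iterable[str], present: Set[str]) -> List[Finding]:
    """Return the O4 entries that deserve a closer look, with the reasons."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not a registry Run-style O4 line (e.g. Global Startup)
        hive, key, name, cmd = m.groups()
        image = image_from_command(cmd)
        f = Finding(hive, key, name, image)
        if "\\" not in image:
            f.reasons.append("bare filename, resolved by search path")
        if key in LEGACY_KEYS:
            f.reasons.append(f"{key} key is not used by legitimate NT software")
        if resolve(image, present) is None:
            f.reasons.append("target not on disk (orphaned autorun)")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in audit_o4(SAMPLE_LOG, PRESENT_FILES):
        print(f"{f.hive}\\..\\{f.key} [{f.name}] -> {f.image}: " + "; ".join(f.reasons))
```

Run as-is it reports only the two `firefox` entries: the Run one because it is a bare name whose target no longer exists, and the RunServices one for those reasons plus the legacy key. Every other O4 line in the log resolves to a file that is still present. Removing both orphaned values is what stops the startup error popups for a file that has already been deleted.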

Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.