
Solved: help....am i infected from some virus from msn messenger

Discussion in 'General Security' started by PrancerTran, Mar 29, 2008.

  1. PrancerTran

    PrancerTran Thread Starter

    Joined:
    Apr 17, 2007
    Messages:
    328
    I got a link from my friend on MSN Messenger:

    (friend's msn_mail id).partypickz.info

    By mistake I clicked it.
    It opened, but I shut it within the next 3-4 seconds without letting it load completely (the page was still blank).

    Can you help me find out whether I have been infected by a virus, spyware, etc.?

    Thanks
     
  2. lunarlander

    lunarlander

    Joined:
    Sep 21, 2007
    Messages:
    11,817
    Try the free online scanners listed in the sticky 'Security Help Tools' first.
     
  3. PrancerTran

    PrancerTran Thread Starter

    Joined:
    Apr 17, 2007
    Messages:
    328
    There are so many available.
    Which one should I use?
    Please tell me the one I should use.

    I am using Housecall.
    They need to add some files to my system before this can be done. I hope these files are not harmful and will not take any of my data. Please let me know, as this is the first time I am doing this.

    Also, I am using XoftSpy and Symantec Corporate Edition. None of them returned any viruses, spyware or other vulnerabilities.
     
  4. MJTech

    MJTech

    Joined:
    Mar 30, 2008
    Messages:
    8
    Housecall is a very good scanner, and I've used it numerous times without problems. It has to download some files to do the scan.

    I can recommend the BitDefender online scan or the ESET online scan.
     
  5. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Hi and welcome to TSG :)

    Go here and download the 'Hijack This!' self installer.
    Save it to the desktop or other suitable place. DO NOT just press run from the website
    Double click on the file and it will install to C:\program files\hijackthis and create an entry in the start menu.
    Click on the entry in start menu to run HijackThis
    Click the "Scan" button. When the scan is finished, the scan button will become "Save Log"; click that and save the log.
    Go to where you saved the log and click on "Edit > Select All", then click on "Edit > Copy", then paste the log back here in a reply.
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
    so do NOT fix anything yet.
     
  6. PrancerTran

    PrancerTran Thread Starter

    Joined:
    Apr 17, 2007
    Messages:
    328
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:13:21 PM, on 4/2/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    D:\Miscellaneous\Nero 8\Nero BackItUp\NBService.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\WINDOWS\system32\svchost.exe
    D:\Miscellaneous\Firefox 2.0\firefox.exe
    D:\Miscellaneous\Adobe acrobat\Acrobat\Acrobat.exe
    C:\DOCUME~1\iNdiSoUL\LOCALS~1\Temp\Adobelm_Cleanup.0001
    C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    C:\DOCUME~1\iNdiSoUL\LOCALS~1\Temp\Adobelm_Cleanup.0001
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O1 - Hosts: 66.98.148.65 auto.search.msn.es
    O1 - Hosts: 66.98.148.65 auto.search.msn.es
    O1 - Hosts: 66.98.148.65 auto.search.msn.es
    O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Miscellaneous\Orbitdownloader\orbitcth.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Miscellaneous\Adobe acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Miscellaneous\Adobe acrobat\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Miscellaneous\Adobe acrobat\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
    O8 - Extra context menu item: &Download by Orbit - res://D:\Miscellaneous\Orbitdownloader\orbitmxt.dll/201
    O8 - Extra context menu item: &Grab video by Orbit - res://D:\Miscellaneous\Orbitdownloader\orbitmxt.dll/204
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Miscellaneous\Adobe acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Miscellaneous\Adobe acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Miscellaneous\Adobe acrobat\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Miscellaneous\Adobe acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Miscellaneous\Adobe acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Miscellaneous\Adobe acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Miscellaneous\Adobe acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://D:\Miscellaneous\Adobe acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Miscellaneous\Orbitdownloader\orbitmxt.dll/203
    O8 - Extra context menu item: Down&load all by Orbit - res://D:\Miscellaneous\Orbitdownloader\orbitmxt.dll/202
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2E26CF20-C750-4CBE-A111-2CA5E99EBA37}: NameServer = 202.63.177.10,202.63.164.17
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AEEB9DEF-2106-4069-9717-553C4CF30F63}: NameServer = 202.63.177.10,202.63.164.17
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2E26CF20-C750-4CBE-A111-2CA5E99EBA37}: NameServer = 202.63.177.10,202.63.164.17
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2E26CF20-C750-4CBE-A111-2CA5E99EBA37}: NameServer = 202.63.177.10,202.63.164.17
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Miscellaneous\Nero 8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 8186 bytes
     
  7. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Please download MsnCleaner.zip and Save it to your Desktop.
    • Unzip it to the Desktop.
    • Now reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit Enter.
    • Double-click MsnCleaner.exe to run it.
    • Click the Analyze button.
    • A report will be created once the scan finishes.
    • If it finds an infection, click the Deleted button.
    • Now, please reboot back to normal mode.
    • Please post the contents of C:\MsnCleaner.txt in a reply to this post along with a new HJT log.
     
  8. PrancerTran

    PrancerTran Thread Starter

    Joined:
    Apr 17, 2007
    Messages:
    328
    Does my computer look infected?

    And what files will MsnCleaner delete?
     
  9. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    There is a huge list of files that the cleaner is affiliated with. It would take forever to type it out.
    If you don't want to run it, that's fine. But we need to run at least one scan to see if it's dropped many infected files.
    You could do this one instead:

    Download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    --------------------------------------------------------------------
    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • ...
    --------------------------------------------------------------------

    Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
     
  10. PrancerTran

    PrancerTran Thread Starter

    Joined:
    Apr 17, 2007
    Messages:
    328
    MSNCLEANER

    - Logfile MSNCleaner 1.6.2 by www.forospyware.com
    - Created Logfile: 4/6/2008 on 11:26:56 PM
    - Operative System: Windows XP
    - Boot mode: Safe mode
    _________________________________________

    Detected files: 0
    Deleted file: 0
    Undeleted Files: 0

    <<<<<<< No file found >>>>>>>

    HJT

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:34:22 PM, on 4/6/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    D:\Miscellaneous\Nero 8\Nero BackItUp\NBService.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
    C:\WINDOWS\system32\wuauclt.exe
    D:\Miscellaneous\Firefox 2.0\firefox.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O1 - Hosts: 66.98.148.65 auto.search.msn.es
    O1 - Hosts: 66.98.148.65 auto.search.msn.es
    O1 - Hosts: 66.98.148.65 auto.search.msn.es
    O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Miscellaneous\Orbitdownloader\orbitcth.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Miscellaneous\Adobe acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Miscellaneous\Adobe acrobat\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Miscellaneous\Adobe acrobat\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
    O8 - Extra context menu item: &Download by Orbit - res://D:\Miscellaneous\Orbitdownloader\orbitmxt.dll/201
    O8 - Extra context menu item: &Grab video by Orbit - res://D:\Miscellaneous\Orbitdownloader\orbitmxt.dll/204
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Miscellaneous\Adobe acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Miscellaneous\Adobe acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Miscellaneous\Adobe acrobat\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Miscellaneous\Adobe acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Miscellaneous\Adobe acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Miscellaneous\Adobe acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Miscellaneous\Adobe acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://D:\Miscellaneous\Adobe acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Miscellaneous\Orbitdownloader\orbitmxt.dll/203
    O8 - Extra context menu item: Down&load all by Orbit - res://D:\Miscellaneous\Orbitdownloader\orbitmxt.dll/202
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2E26CF20-C750-4CBE-A111-2CA5E99EBA37}: NameServer = 202.63.177.10,202.63.164.17
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AEEB9DEF-2106-4069-9717-553C4CF30F63}: NameServer = 202.63.177.10,202.63.164.17
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2E26CF20-C750-4CBE-A111-2CA5E99EBA37}: NameServer = 202.63.177.10,202.63.164.17
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2E26CF20-C750-4CBE-A111-2CA5E99EBA37}: NameServer = 202.63.177.10,202.63.164.17
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Miscellaneous\Nero 8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 7989 bytes
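The two HijackThis logs above are read by eye in this thread. As an added example (not a tool from the thread, from Trend Micro, or from any forum helper), the script below parses the `Oxx - ` entry format of a HJT v2 log and flags the entry types a helper checks first: hosts-file overrides (the repeated O1 line above), orphaned BHOs with "(no file)", O4 autoruns launched from temp or profile paths, O17 DNS servers that the user should confirm belong to their ISP, and O23 services with no vendor string. The rules are ordinary triage heuristics, and the sample log is constructed from entries in this thread plus one made-up Temp autorun so that rule has something to fire on.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the shape of the thread's HJT log (plus one invented
# Temp autorun, [updater], so the O4 rule is exercised).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\user\LOCALS~1\Temp\updater.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E26CF20-C750-4CBE-A111-2CA5E99EBA37}: NameServer = 202.63.177.10,202.63.164.17
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
"""

ENTRY_RE = re.compile(r"^O(\d+) - (.+)$")          # every HJT finding line
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")  # O1: <ip> <hostname>
DNS_RE = re.compile(r"NameServer = ([\d.,]+)$")     # O17: comma-separated servers
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str  # HJT section, e.g. "O1"
    reason: str   # why a helper would look at it
    entry: str    # the raw log line


def parse_entries(log_text):
    """Return (section, body) tuples for every 'Oxx - ...' line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((f"O{m.group(1)}", m.group(2)))
    return entries


def triage(log_text):
    """Apply the triage rules; identical repeated lines are reported once with a count."""
    findings = []
    for (section, body), n in Counter(parse_entries(log_text)).items():
        raw = f"{section} - {body}"
        if section == "O1":
            # Anything other than loopback pins a hostname to a fixed address,
            # bypassing DNS; the thread's log has the same line three times.
            m = HOSTS_RE.match(body)
            if m and m.group(1) not in ("127.0.0.1", "::1"):
                findings.append(Finding(section,
                    f"hosts file pins {m.group(2)} to {m.group(1)} (x{n}); bypasses DNS, verify or remove", raw))
        elif section == "O2" and body.endswith("(no file)"):
            findings.append(Finding(section, "orphaned BHO CLSID with no DLL on disk; safe to remove", raw))
        elif section == "O4":
            # Autoruns normally live under Program Files or Windows; a temp or
            # profile path, or no resolvable path, is worth a second look.
            pm = PATH_RE.search(body)
            path = pm.group(0).lower() if pm else ""
            if not path or "\\temp\\" in path or "\\application data\\" in path:
                findings.append(Finding(section, "autorun from temp/profile path or unresolved path; check the file", raw))
        elif section == "O17":
            m = DNS_RE.search(body)
            if m:
                findings.append(Finding(section, f"DNS servers {m.group(1)}; confirm they belong to your ISP", raw))
        elif section == "O23" and "Unknown owner" in body:
            findings.append(Finding(section, "service with no vendor string; verify the binary", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.entry}")
```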
     
  11. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Now please run ComboFix
     
  12. PrancerTran

    PrancerTran Thread Starter

    Joined:
    Apr 17, 2007
    Messages:
    328
    How do I get assurance that the steps to use ComboFix are safe?
    I appreciate you helping me, but it's scary to turn off Auto-Protect.

    I have a lot of data, and I fear it getting affected in any way by this step.
     
  13. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
  14. PrancerTran

    PrancerTran Thread Starter

    Joined:
    Apr 17, 2007
    Messages:
    328
    Apologies for this late reply, but I had my exams.
    Here is the report from ComboFix:
    ---------------------------------------------------------------------------------------------------------------------------------------------
    ComboFix 08-04-24.1 - iNdiSoUL 2008-04-26 19:00:59.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.194 [GMT -7:00]
    Running from: C:\Documents and Settings\iNdiSoUL\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
    .

    2008-04-26 14:28 . 2002-10-03 00:09 38,912 --a------ C:\WINDOWS\system32\RASPPPOE.DLL
    2008-04-26 14:28 . 2002-10-03 00:09 31,424 --a------ C:\WINDOWS\system32\drivers\RMSPPPOE.SYS
    2008-04-26 14:28 . 2002-10-03 00:09 16,896 --a------ C:\WINDOWS\system32\RASPPPOE.EXE
    2008-04-25 18:56 . 2008-04-25 18:56 <DIR> d-------- C:\Documents and Settings\Girish\Application Data\Nokia Multimedia Player
    2008-04-24 08:41 . 2008-04-25 23:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-04-24 08:41 . 2008-04-24 08:41 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-04-18 08:50 . 2008-04-21 18:53 <DIR> d-------- C:\New Folder
    2008-04-06 23:34 . 2008-04-06 23:41 <DIR> d-------- C:\Program Files\Trend Micro
    2008-04-02 17:56 . 2008-04-18 20:02 <DIR> d-------- C:\Hindi Songs
    2008-03-30 11:30 . 2008-03-30 11:28 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-27 01:59 --------- d-----w C:\Program Files\Symantec AntiVirus
    2008-04-26 21:38 --------- d-----w C:\Documents and Settings\iNdiSoUL\Application Data\MegauploadToolbar
    2008-04-26 21:31 --------- d-----w C:\Documents and Settings\iNdiSoUL\Application Data\Orbit
    2008-03-31 02:04 --------- d-----w C:\Documents and Settings\iNdiSoUL\Application Data\U3
    2008-03-24 00:07 19,944 ----a-w C:\Documents and Settings\iNdiSoUL\Application Data\GDIPFONTCACHEV1.DAT
    2008-03-23 00:11 --------- d-----w C:\Program Files\iPod
    2008-03-21 19:52 --------- d-----w C:\Program Files\eLitecore
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-09 06:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-03-09 06:31 --------- d-----w C:\Program Files\ATI Technologies
    2008-03-07 21:42 --------- d-----w C:\Documents and Settings\Girish\Application Data\MEGAUPLOADTOOLBAR
    2008-03-07 00:38 --------- d-----w C:\Program Files\MegauploadToolbar
    2008-03-02 19:38 --------- d-----w C:\Program Files\Windows Live
    2008-03-02 19:37 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
    2008-03-02 19:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-03-01 06:00 --------- d-----w C:\Documents and Settings\iNdiSoUL\Application Data\AdobeUM
    2008-02-29 06:12 --------- d-----w C:\Program Files\Java
    2008-02-29 05:41 --------- d-----w C:\Program Files\Common Files\Java
    2008-02-28 04:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
    2008-02-28 03:59 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
    2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
    2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-01-27 22:23 1,071,480 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 17:33 52840]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-10-07 21:48 125368]
    "MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 05:00 158208]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^24Online Client.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\24Online Client.lnk
    backup=C:\WINDOWS\pss\24Online Client.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
    backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
    backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^iNdiSoUL^Start Menu^Programs^Startup^Anapod Manager.lnk]
    path=C:\Documents and Settings\iNdiSoUL\Start Menu\Programs\Startup\Anapod Manager.lnk
    backup=C:\WINDOWS\pss\Anapod Manager.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
    --a------ 2006-01-12 21:52 483328 D:\Miscellaneous\Adobe acrobat\Distillr\Acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    D:\Miscellaneous\Adobe Acrobat\Acrobat\Acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    --a------ 2007-09-20 16:35 202024 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-01-15 04:22 267048 D:\Miscellaneous\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --------- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    C:\Program Files\MSN Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
    --a------ 2007-09-20 10:51 1836328 D:\Miscellaneous\Nero 8\Nero BackItUp\NBKeyScan.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2007-03-01 16:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
    --a------ 2006-06-15 13:36 229376 D:\MISCEL~1\NOKIAP~1\NOKIAP~1\LAUNCH~1.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
    --a------ 2006-06-27 17:21 1449984 D:\Miscellaneous\Nokia PC Suite\Nokia PC Suite 6\PcSync2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    --a------ 2007-08-06 17:05 200704 D:\Miscellaneous\PowerISO\PWRISOVM.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-01-10 16:27 385024 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
    --a------ 2003-05-30 10:42 585728 C:\Program Files\Analog Devices\SoundMAX\smax4.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    --a------ 2003-05-29 17:28 790528 C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2007-12-14 04:42 144784 C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2008-02-07 05:20 151597 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "D:\\Miscellaneous\\BitComet\\BitComet.exe"=
    "C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
    "C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
    "D:\\Miscellaneous\\Orbitdownloader\\orbitnet.exe"=
    "D:\\Miscellaneous\\iTunes\\iTunes.exe"=
    "D:\\Miscellaneous\\Firefox 2.0\\firefox.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "D:\\Miscellaneous\\Orbitdownloader\\orbitdm.exe"=

    R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);C:\WINDOWS\system32\DRIVERS\RMSPPPOE.SYS [2002-10-03 00:09]

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-27 01:31:50 C:\WINDOWS\Tasks\XoftSpySE 2.job"
    - D:\Miscellaneous\XoftSpySE\XoftSpy.exe
    "2008-04-23 15:55:58 C:\WINDOWS\Tasks\XoftSpySE.job"
    - D:\Miscellaneous\XoftSpySE\XoftSpy.exe
    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-26 19:02:10
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    C:\sccfg.sys 326 bytes

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\Ati2evxx.dll
    .
    Completion time: 2008-04-26 19:02:53
    ComboFix-quarantined-files.txt 2008-04-27 02:02:40

    Pre-Run: 708,829,184 bytes free
    Post-Run: 714,969,088 bytes free

    147 --- E O F --- 2008-04-14 18:48:00
     
  15. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    This looks okay. Are you still having problems?
     
Short URL to this thread: https://techguy.org/698312
