BullGuard Antivirus Forum
Windows antivirus and pop up virus/spyware

joshhud
New Member


Date Joined Jun 2008
Total Posts : 9
 
Posted 7/8/2008 5:11 PM (GMT +3)
I recently got a virus that acts like Windows antivirus and tries to get me to buy spyshedder or something like that. Also I keep getting pop-ups for porn or trying to get me to buy something. I ran a virus and spyware program that said it deleted all the infections and viruses on my comp, but it is still happening. I had to go into my setup and stop most of it from starting during start-up now, but I would like to remove it from my computer completely. I'm kind of new to this virus removal stuff so I'm not sure what you need. I am running with Vista, btw. Any help would be great.
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 12975
 
Posted 7/8/2008 6:43 PM (GMT +3)
Hello :)
 
 
 
1. Get this version of HijackThis from http://danborg.org/spy/hjt/alternativ.exe

2. Save it in a permanent folder of your choice, such as C:\HJT\. To create this specific folder on your hard drive: double click the 'My Computer' icon on your desktop, then under the category Hard Disk Drives double click Local Disk, then select File -> New -> Folder and name it HJT.

3. Run HijackThis (alternativ.exe).

Choose the "Do a system scan and save a log file" option to perform your scan.
HijackThis will analyze your system and automatically open a Notepad text file containing the HijackThis log when the scan is finished.
Open the text file containing the log with a text editor and click Edit -> Select All, followed by Edit -> Copy.
From within the browser window, with the message body text box selected, click Edit -> Paste.
Post the HijackThis log here.

NB. On Windows Vista, right-click the HijackThis icon and select "Run as administrator".


Do NOT post your problem in someone else's thread.
Member of - Alliance of Security Analysis Professionals
Please do NOT PM me any logs. They will be deleted

 

joshhud
New Member


Date Joined Jun 2008
Total Posts : 9
 
Posted 7/9/2008 2:00 AM (GMT +3)
When I ran it, a long error came up, but this is what came up when it finished:

Logfile of HijackThis v1.99.1
Scan saved at 6:57:35 PM, on 7/8/2008
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\AIM6\aim6.exe
C:\Users\Josh Hudson\Program Files\DNA\btdna.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Windows\system32\WerCon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Josh Hudson\Downloads\hijak.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {20177355-706D-416B-A23B-49443A7118F3} - C:\Windows\system32\ssqOFUOe.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Josh Hudson\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\JOSHHU~1\AppData\Local\Temp\khfDuUnl.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\JOSHHU~1\AppData\Local\Temp\yayxxxUN.dll,c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Unknown owner - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe" Start=service (file missing)
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 12975
 
Posted 7/9/2008 7:54 AM (GMT +3)
Please download ComboFix:

and save it to the desktop.

Close all other browser windows.
 
Please connect all your external hard drive/flash drive before running Combofix
 
 
 
Important -> Temporarily disable your anti-virus real-time protection before performing a scan. It can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
 
 
Go to Start->Run and copy/paste: ComboFix /snapshot and hit OK. It should run Combofix.
 
Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

 When finished, it will produce a logfile located at C:\combofix.txt.
 

Post the contents of that log in your next reply with a new hijackthis log.
 
Please copy and paste your log files. DO NOT add it as an attachment



NB. If you are using any P2P (file sharing) programs, please remove them before we clean your computer. We do not clean logs that have P2P applications installed, as this can cause reinfection during your cleaning.



 

joshhud
New Member


Date Joined Jun 2008
Total Posts : 9
 
Posted 7/9/2008 3:07 PM (GMT +3)
ComboFix 08-07-08.7 - Josh Hudson 2008-07-09 8:00:49.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2124 [GMT -4:00]
Running from: C:\Users\Josh Hudson\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\PCHealthCenter
C:\Program Files\PCHealthCenter\0.exe
C:\Program Files\PCHealthCenter\0.gif
C:\Program Files\PCHealthCenter\1.exe
C:\Program Files\PCHealthCenter\1.gif
C:\Program Files\PCHealthCenter\2.exe
C:\Program Files\PCHealthCenter\2.gif
C:\Program Files\PCHealthCenter\3.exe
C:\Program Files\PCHealthCenter\3.gif
C:\Program Files\PCHealthCenter\4.exe
C:\Program Files\PCHealthCenter\5.exe
C:\Program Files\PCHealthCenter\sc.html
C:\Program Files\PCHealthCenter\sex1.ico
C:\Program Files\PCHealthCenter\sex2.ico
C:\Windows\system32\sex1.ico
C:\Windows\system32\sex2.ico
C:\Windows\system32\vav.cpl

.
((((((((((((((((((((((((( Files Created from 2008-06-09 to 2008-07-09 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-09 12:02 --------- d-----w C:\Users\Josh Hudson\AppData\Roaming\BitTorrent
2008-07-09 12:00 --------- d-----w C:\Users\Josh Hudson\AppData\Roaming\DNA
2008-07-09 11:57 --------- d---a-w C:\ProgramData\TEMP
2008-07-09 11:57 --------- d-----w C:\Program Files\Spyware Doctor
2008-07-08 23:02 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-07-08 13:05 --------- d-----w C:\Program Files\Trend Micro
2008-07-08 12:55 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-08 04:53 80 ----a-w C:\Users\Josh Hudson\AppData\Roaming\wklnhst.dat
2008-07-08 04:53 --------- d-----w C:\Users\Josh Hudson\AppData\Roaming\Template
2008-07-08 04:09 --------- d-----w C:\Program Files\WinTV
2008-07-08 04:04 --------- d-----w C:\Program Files\RegCure
2008-07-08 02:14 --------- d-----w C:\ProgramData\Roxio
2008-07-08 01:50 --------- d-----w C:\Program Files\Common Files\PC Tools
2008-07-08 01:49 --------- d-----w C:\Users\Josh Hudson\AppData\Roaming\PC Tools
2008-07-08 01:49 --------- d-----w C:\ProgramData\PC Tools
2008-07-07 13:59 28,800 ----a-w C:\Windows\System32\ssqOFUOe.dll
2008-07-07 13:14 --------- d-----w C:\ProgramData\Microsoft Help
2008-07-07 12:30 --------- d-----w C:\Users\Josh Hudson\AppData\Roaming\DivX
2008-07-07 12:30 --------- d-----w C:\Program Files\DivX
2008-07-07 12:30 --------- d-----w C:\Program Files\Common Files\PX Storage Engine
2008-07-07 00:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-07 00:32 --------- d-----w C:\Program Files\Common Files\IviSDK
2008-06-18 18:31 161,096 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2008-06-10 22:30 --------- d-----w C:\Program Files\Windows Mail
2008-06-10 22:12 682,232 ----a-w C:\Windows\system32\drivers\sptd.sys
2008-06-10 22:09 --------- d-----w C:\Users\Josh Hudson\AppData\Roaming\Roxio
2008-06-03 02:23 --------- d-----w C:\Program Files\Google
2008-06-03 02:15 --------- d-----w C:\Users\Josh Hudson\AppData\Roaming\PeerNetworking
2008-06-02 07:08 41,984 ----a-w C:\Windows\system32\drivers\monitor.sys
2008-06-02 07:08 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-06-02 07:06 944,184 ----a-w C:\Windows\System32\winload.exe
2008-06-02 07:06 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-06-02 07:06 620,088 ----a-w C:\Windows\System32\ci.dll
2008-06-02 07:06 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-06-02 07:06 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-06-02 07:06 371,712 ----a-w C:\Windows\System32\srcore.dll
2008-06-02 07:06 313,856 ----a-w C:\Windows\System32\rstrui.exe
2008-06-02 07:06 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-06-02 07:06 16,384 ----a-w C:\Windows\System32\srdelayed.exe
2008-06-02 07:05 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-06-02 07:04 83,968 ----a-w C:\Windows\System32\dnsrslvr.dll
2008-06-02 07:04 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-06-02 07:04 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-06-02 07:04 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-06-02 07:04 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-06-02 07:04 24,576 ----a-w C:\Windows\System32\dnscacheugc.exe
2008-06-02 07:04 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-06-02 07:04 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-06-02 07:04 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-06-02 07:04 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-06-02 01:29 --------- d-----w C:\Program Files\DNA
2008-06-02 01:29 --------- d-----w C:\Program Files\BitTorrent
2008-06-02 00:17 53,080 ----a-w C:\Windows\System32\wuauclt.exe
2008-06-02 00:17 43,352 ----a-w C:\Windows\System32\wups2.dll
2008-06-02 00:17 1,712,984 ----a-w C:\Windows\System32\wuaueng.dll
2008-06-02 00:17 1,524,224 ----a-w C:\Windows\System32\wucltux.dll
2008-06-02 00:16 80,896 ----a-w C:\Windows\System32\wudriver.dll
2008-06-02 00:16 549,720 ----a-w C:\Windows\System32\wuapi.dll
2008-06-02 00:16 33,624 ----a-w C:\Windows\System32\wups.dll
2008-06-02 00:16 31,232 ----a-w C:\Windows\System32\wuapp.exe
2008-06-02 00:16 163,000 ----a-w C:\Windows\System32\wuwebv.dll
2008-06-01 23:27 --------- d-----w C:\Program Files\Common Files\Remote Control Software Common
2008-06-01 23:26 --------- d-----w C:\Program Files\Logitech
2008-06-01 23:26 --------- d-----w C:\Program Files\Common Files\Remote Control USB Driver
2008-06-01 23:25 127,034 ------r C:\Windows\bwUnin-8.1.1.50-8876480SL.exe
2008-06-01 23:25 --------- d-----w C:\Users\Josh Hudson\AppData\Roaming\InstallShield
2008-06-01 22:07 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-01 21:43 --------- d-----w C:\ProgramData\AOL OCP
2008-06-01 21:42 --------- d-----w C:\Users\Josh Hudson\AppData\Roaming\acccore
2008-06-01 21:42 --------- d-----w C:\ProgramData\Viewpoint
2008-06-01 21:42 --------- d-----w C:\ProgramData\AOL
2008-06-01 21:42 --------- d-----w C:\Program Files\Viewpoint
2008-06-01 21:42 --------- d-----w C:\Program Files\Common Files\AOL
2008-06-01 21:42 --------- d-----w C:\Program Files\AIM6
2008-06-01 19:16 --------- d-----w C:\Program Files\support.com
2008-05-30 17:22 524,288 ----a-w C:\Windows\System32\DivXsm.exe
2008-05-30 17:22 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2008-05-30 17:19 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-05-30 17:19 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-05-26 20:30 --------- d-----w C:\Users\Josh Hudson\AppData\Roaming\ATI
2008-05-26 20:30 --------- d-----w C:\ProgramData\ATI
2008-05-26 20:25 --------- d-sh--w C:\ProgramData\Templates
2008-05-26 20:25 --------- d-sh--w C:\ProgramData\Start Menu
2008-05-26 20:25 --------- d-sh--w C:\ProgramData\Favorites
2008-05-26 20:25 --------- d-sh--w C:\ProgramData\Documents
2008-05-26 20:25 --------- d-sh--w C:\ProgramData\Desktop
2008-05-26 20:25 --------- d-sh--w C:\ProgramData\Application Data
2008-05-10 03:30 14,848 ----a-w C:\Windows\System32\wshrm.dll
2008-05-10 01:21 113,664 ----a-w C:\Windows\system32\drivers\rmcast.sys
2008-05-09 22:38 87,040 ----a-w C:\Windows\System32\msoert2.dll
2008-05-09 22:38 39,424 ----a-w C:\Windows\System32\ACCTRES.dll
2008-05-09 22:38 229,888 ----a-w C:\Windows\System32\msshsq.dll
2008-05-09 22:38 205,824 ----a-w C:\Windows\System32\msoeacct.dll
2008-05-09 22:38 2,048 ----a-w C:\Windows\System32\msxml6r.dll
2008-05-09 22:38 1,335,296 ----a-w C:\Windows\System32\msxml6.dll
2008-05-09 22:37 750,080 ----a-w C:\Windows\System32\qmgr.dll
2008-05-09 22:35 974,336 ----a-w C:\Windows\System32\crypt32.dll
2008-05-09 22:35 8,704 ----a-w C:\Windows\System32\hcrstco.dll
2008-05-09 22:35 8,704 ----a-w C:\Windows\System32\hccoin.dll
2008-05-09 22:35 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20177355-706D-416B-A23B-49443A7118F3}]
2008-07-07 09:59 28800 --a------ C:\Windows\system32\ssqOFUOe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 08:35 125440]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-03-25 16:21 50528]
"BitTorrent DNA"="C:\Users\Josh Hudson\Program Files\DNA\btdna.exe" [2008-06-02 08:22 289088]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 08:36 201728]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" [2006-11-27 10:14 180224]
"UpdReg"="C:\Windows\UpdReg.EXE" [2000-05-11 02:00 90112]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-05-09 11:03 29744]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"MSConfig"="C:\Windows\system32\msconfig.exe" [2006-11-02 05:45 222208]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-11 09:26 4452352 C:\Windows\RtHDVCpl.exe]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-06-01 19:26:04 67128]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{20177355-706D-416B-A23B-49443A7118F3}"= "C:\Windows\system32\ssqOFUOe.dll" [2008-07-07 09:59 28800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-05-09 11:13 10536 C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmds]
--a------ 2008-07-07 10:04 318208 C:\Users\JOSHHU~1\AppData\Local\Temp\yayxxxUN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 13:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D6BAD6EC-0CD8-4C8D-B2AB-F334825A0ABF}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{32B32560-1944-4D0B-BEDE-A1D92713A627}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{20B2A54D-CC08-42CC-BF98-DDF951803BAB}"= UDP:C:\Program Files\AIM6\aim6.exe:AIM
"{2D32F850-9CD8-4D18-ACE0-08811776C50D}"= TCP:C:\Program Files\AIM6\aim6.exe:AIM
"{B7A30357-2316-4430-974D-EB1E9716403D}"= UDP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{ECCC1027-4640-4362-BA3C-9A39318A2FE0}"= TCP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{D82A9F86-44C0-426A-94EE-402746B10EAB}"= UDP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{2B27A29B-F078-465D-AE45-95FCD703DB83}"= TCP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{40435C03-72DB-4CE2-98C8-A2B9DC08A580}"= UDP:C:\Program Files\DNA\btdna.exe:DNA
"{58211F4C-DEC4-4033-9B4B-FFB75D246F9E}"= TCP:C:\Program Files\DNA\btdna.exe:DNA
"{DB09820A-50E0-483E-BA45-97796820BCD2}"= UDP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{BB9DFF95-E855-4660-BCE6-92ECBF2B1C7C}"= TCP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"TCP Query User{3DDEEB8D-69DD-4E33-9590-C74104597415}C:\\program files\\logitech\\desktop messenger\\8876480\\program\\logitechdesktopmessenger.exe"= UDP:C:\program files\logitech\desktop messenger\8876480\program\logitechdesktopmessenger.exe:Logitech Desktop Messenger
"UDP Query User{D3EC16AD-C47D-4F2F-BBB2-43B36C36422F}C:\\program files\\logitech\\desktop messenger\\8876480\\program\\logitechdesktopmessenger.exe"= TCP:C:\program files\logitech\desktop messenger\8876480\program\logitechdesktopmessenger.exe:Logitech Desktop Messenger
"TCP Query User{F761ED08-71C5-4EDF-8A60-64B44C3AAF58}C:\\program files\\bittorrent\\bittorrent.exe"= UDP:C:\program files\bittorrent\bittorrent.exe:bittorrent
"UDP Query User{5B9A829C-5D51-40E8-B97F-0AFAE36898BF}C:\\program files\\bittorrent\\bittorrent.exe"= TCP:C:\program files\bittorrent\bittorrent.exe:bittorrent

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7
"C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R1 pctfw2;pctfw2;C:\Windows\System32\drivers\pctfw2.sys [2008-04-10 15:14]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-09-24 06:37]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;C:\Windows\system32\drivers\HCW85BDA.sys [2007-10-01 08:21]
S3 GoogleDesktopManager-010708-104812;Google Desktop Manager 5.7.801.7324;C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-05-09 11:03]
S3 GoToAssist;GoToAssist;C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe Start=service []

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-07-09 03:30:21 C:\Windows\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-07-08 04:10:56 C:\Windows\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-MSServer - C:\Users\JOSHHU~1\AppData\Local\Temp\khfDuUnl.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-09 08:02:26
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-09 8:03:20
ComboFix-quarantined-files.txt 2008-07-09 12:03:17

The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 414,349,041,664 bytes free

218 --- E O F --- 2008-07-09 03:26:35
 

joshhud
New Member


Date Joined Jun 2008
Total Posts : 9
 
Posted 7/9/2008 3:09 PM (GMT +3)
Logfile of HijackThis v1.99.1
Scan saved at 8:09:14 AM, on 7/9/2008
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\AIM6\aim6.exe
C:\Users\Josh Hudson\Program Files\DNA\btdna.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Josh Hudson\Downloads\hijak.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {20177355-706D-416B-A23B-49443A7118F3} - C:\Windows\system32\ssqOFUOe.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Josh Hudson\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\JOSHHU~1\AppData\Local\Temp\yayxxxUN.dll,c
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\JOSHHU~1\AppData\Local\Temp\urqnMGVO.dll,#1
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Unknown owner - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe" Start=service (file missing)
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
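The O4 lines in the log above are the ones a log reader checks first. As an added example that is not part of this thread or of HijackThis, the following Python script parses O4 autorun entries and flags the two loaders that the reply below targets; the heuristics (a command running out of a Temp directory, rundll32.exe loading a DLL from outside Program Files or Windows, an ordinal or single-letter entry point) are assumptions a reader applies by hand, not HijackThis logic, and the sample log is constructed from the entries posted above.

```python
"""Triage HijackThis O4 (autorun) entries for signs of a DLL-loader infection.

Added example for the thread above, not part of HijackThis. The heuristics
are assumptions a log reader applies by hand: an autorun that executes out of
a Temp directory, or rundll32.exe loading a DLL from outside Program Files /
Windows with an ordinal or single-letter entry point, is worth a second look.
"""
import re
from dataclasses import dataclass, field

# Registry-hive entry: "O4 - HKCU\..\Run: [cmds] rundll32.exe C:\...\x.dll,c"
HIVE_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKU\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Startup-folder entry: "O4 - Global Startup: Foo.lnk = C:\...\Foo.exe"
STARTUP_RE = re.compile(
    r"^O4 - (?P<hive>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$"
)
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
RUNDLL_RE = re.compile(
    r'^"?rundll32(?:\.exe)?"?\s+(?P<dll>.+?)(?:,(?P<entry>[^,]*))?$',
    re.IGNORECASE,
)
TRUSTED_ROOT_RE = re.compile(
    r"^(?:[A-Za-z]:\\(?:program files(?: \(x86\))?|windows)\\"
    r"|%(?:SystemRoot|windir|ProgramFiles)%\\)",
    re.IGNORECASE,
)


@dataclass
class Autorun:
    location: str            # e.g. HKCU\..\Run or Global Startup
    name: str                # value name or .lnk name
    command: str             # the command line HijackThis reported
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_o4(line: str):
    """Return an Autorun for an O4 line, or None for any other HijackThis line."""
    m = HIVE_RE.match(line) or STARTUP_RE.match(line)
    if m is None:
        return None
    d = m.groupdict()
    location = f"{d['hive']}\\..\\{d['key']}" if "key" in d else d["hive"]
    return Autorun(location, d["name"], d["cmd"].strip())


def assess(entry: Autorun) -> Autorun:
    """Attach a reason for every heuristic the entry trips."""
    cmd = entry.command
    if TEMP_DIR_RE.search(cmd):
        entry.reasons.append("command runs out of a Temp directory")
    m = RUNDLL_RE.match(cmd)
    if m:
        dll = m.group("dll").strip().strip('"')
        entry_point = (m.group("entry") or "").strip()
        if not TRUSTED_ROOT_RE.match(dll):
            entry.reasons.append("rundll32 loads a DLL from outside Program Files / Windows")
        if entry_point.startswith("#") or len(entry_point) <= 1:
            entry.reasons.append(
                f"rundll32 entry point is missing, an ordinal or a single letter ({entry_point!r})"
            )
    return entry


def triage(lines):
    """Parse and assess every O4 line; non-O4 lines are ignored."""
    entries = (parse_o4(line.strip()) for line in lines)
    return [assess(e) for e in entries if e is not None]


def suspicious_names(lines):
    """Value names of the entries that tripped at least one heuristic."""
    return [e.name for e in triage(lines) if e.suspicious]


# Constructed sample: O4 lines taken from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Josh Hudson\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\JOSHHU~1\AppData\Local\Temp\yayxxxUN.dll,c
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\JOSHHU~1\AppData\Local\Temp\urqnMGVO.dll,#1
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG.splitlines()):
        flag = "SUSPICIOUS" if e.suspicious else "ok"
        print(f"{flag:10} {e.location:<18} [{e.name}] {e.command}")
        for r in e.reasons:
            print(f"{'':10}   - {r}")
```

Running it on the sample prints only [cmds] and [MSServer] as suspicious, each with all three reasons, which matches what the next reply in the thread goes after.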

joshhud
New Member
Posted 7/10/2008 5:29 PM (GMT +3)
Well, haven't heard back, but the icon is gone from my control panel. I still get random pop-ups though.

Touch
Forum Moderator
Posted 7/10/2008 6:43 PM (GMT +3)
Ok.


Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform full scan, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click Remove Selected.

When completed, a log will open in Notepad. Please save it to a convenient location.

Copy and paste that log into your next reply, along with a new ComboFix log.



Do NOT post your problem in someone elses thread.
Member of - Alliance of Security Analysis Professionals
Please do NOT PM me any logs. They will be deleted


joshhud
New Member
Posted 7/11/2008 12:41 AM (GMT +3)
Malwarebytes' Anti-Malware 1.20
Database version: 938
Windows 6.0.6000

5:39:36 PM 7/10/2008
mbam-log-7-10-2008 (17-39-36).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 124168
Time elapsed: 26 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 3
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Users\Josh Hudson\AppData\Local\Temp\sSmjIxwu.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\Windows\System32\ssqOFUOe.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{20177355-706d-416b-a23b-49443a7118f3} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{20177355-706d-416b-a23b-49443a7118f3} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmds (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{20177355-706d-416b-a23b-49443a7118f3} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Josh Hudson\AppData\Local\Temp\sSmjIxwu.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\ssqOFUOe.dll (Trojan.Vundo) -> Delete on reboot.
C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\2.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\4.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\5.exe.vir (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Users\Josh Hudson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1AMI0X06\kb767887 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Josh Hudson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EKRLEIDK\css4 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Josh Hudson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EKRLEIDK\kb456456 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Josh Hudson\AppData\Local\Temp\gottanqm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Josh Hudson\AppData\Local\Temp\lojqyykv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Josh Hudson\AppData\Local\Temp\pomubbqi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Josh Hudson\AppData\Local\Temp\sknwhsci.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Josh Hudson\AppData\Local\Temp\yayxxxUN.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

joshhud
New Member
Posted 7/11/2008 12:54 AM (GMT +3)
ComboFix 08-07-10.1 - Josh Hudson 2008-07-10 17:50:25.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2232 [GMT -4:00]
Running from: C:\Users\Josh Hudson\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\x64

.
((((((((((((((((((((((((( Files Created from 2008-06-10 to 2008-07-10 )))))))))))))))))))))))))))))))
.

2008-07-10 17:08 . 2008-07-10 17:08 <DIR> d-------- C:\Users\Josh Hudson\AppData\Roaming\Malwarebytes
2008-07-10 17:08 . 2008-07-10 17:08 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-07-10 17:08 . 2008-07-10 17:08 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-07-10 17:08 . 2008-07-10 17:08 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-10 17:08 . 2008-07-07 17:35 34,296 --a------ C:\Windows\System32\drivers\mbamcatchme.sys
2008-07-10 17:08 . 2008-07-07 17:35 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-07-09 23:27 . 2008-07-09 23:27 <DIR> d-------- C:\Users\Josh Hudson\AppData\Roaming\My Games
2008-07-09 23:27 . 2008-07-09 23:27 <DIR> d-------- C:\Users\All Users\Trymedia
2008-07-09 23:27 . 2008-07-09 23:27 <DIR> d-------- C:\ProgramData\Trymedia
2008-07-09 23:21 . 2008-07-09 23:21 <DIR> d-------- C:\Program Files\Firaxis Games
2008-07-09 23:20 . 2007-03-12 16:42 3,495,784 --a------ C:\Windows\System32\d3dx9_33.dll
2008-07-09 23:19 . 2008-07-09 23:19 <DIR> d--h----- C:\Windows\msdownld.tmp
2008-07-09 20:56 . 2008-07-09 20:56 <DIR> d-------- C:\Program Files\AC3Filter
2008-07-09 20:30 . 2008-07-09 20:31 <DIR> d-------- C:\Users\Josh Hudson\AppData\Roaming\Creative
2008-07-09 18:44 . 2008-07-09 18:44 <DIR> d-------- C:\Intel
2008-07-09 18:08 . 2008-07-09 18:08 <DIR> d-------- C:\Windows\System32\Lang
2008-07-09 18:08 . 2007-09-25 07:10 920,088 --a------ C:\Windows\System32\igxpun.exe
2008-07-09 18:08 . 2007-09-25 07:10 319,456 --a------ C:\Windows\System32\difxapi.dll
2008-07-08 08:55 . 2008-07-09 08:06 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-07-08 08:55 . 2008-07-09 08:06 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-07-08 08:55 . 2008-07-08 08:55 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-08 00:53 . 2008-07-08 00:53 <DIR> d-------- C:\Users\Josh Hudson\AppData\Roaming\Template
2008-07-08 00:53 . 2008-07-08 00:53 80 --a------ C:\Users\Josh Hudson\AppData\Roaming\wklnhst.dat
2008-07-07 23:59 . 2008-07-08 00:04 <DIR> d-------- C:\Program Files\RegCure
2008-07-07 21:49 . 2008-07-07 21:49 <DIR> d-------- C:\Users\Josh Hudson\AppData\Roaming\PC Tools
2008-07-07 21:49 . 2008-07-10 17:46 <DIR> d-a------ C:\Users\All Users\TEMP
2008-07-07 21:49 . 2008-07-07 21:49 <DIR> d-------- C:\Users\All Users\PC Tools
2008-07-07 21:49 . 2008-07-10 17:46 <DIR> d-a------ C:\ProgramData\TEMP
2008-07-07 21:49 . 2008-07-07 21:49 <DIR> d-------- C:\ProgramData\PC Tools
2008-07-07 21:49 . 2008-07-10 17:46 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-07-07 21:49 . 2008-07-07 21:50 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-07-07 21:49 . 2008-04-10 15:14 159,880 --a------ C:\Windows\System32\drivers\pctfw2.sys
2008-07-07 21:49 . 2007-12-10 13:53 81,288 --a------ C:\Windows\System32\drivers\iksyssec.sys
2008-07-07 21:49 . 2007-12-10 13:53 66,952 --a------ C:\Windows\System32\drivers\iksysflt.sys
2008-07-07 21:49 . 2008-02-01 11:55 42,376 --a------ C:\Windows\System32\drivers\ikfilesec.sys
2008-07-07 21:49 . 2007-12-10 13:53 29,576 --a------ C:\Windows\System32\drivers\kcom.sys
2008-07-07 09:01 . 2008-07-07 09:14 <DIR> d-------- C:\Users\All Users\Microsoft Help
2008-07-07 09:01 . 2008-07-07 09:14 <DIR> d-------- C:\ProgramData\Microsoft Help
2008-07-07 08:30 . 2008-07-09 20:46 <DIR> d-------- C:\Users\Josh Hudson\AppData\Roaming\DivX
2008-07-07 08:30 . 2008-07-07 08:30 <DIR> d-------- C:\Program Files\DivX
2008-07-06 20:32 . 2008-07-06 20:32 <DIR> d-------- C:\Program Files\Common Files\IviSDK
2008-07-06 20:31 . 2000-02-11 16:58 995,383 --a------ C:\Windows\System32\temp.005
2008-07-06 20:31 . 2000-03-07 15:22 278,581 --a------ C:\Windows\System32\temp.004
2008-07-06 20:31 . 1998-06-16 19:45 77,878 --a------ C:\Windows\System32\temp.003
2008-07-06 20:31 . 2008-07-06 20:32 3,783 --a------ C:\Windows\HCWPNP.INI
2008-07-06 20:29 . 2008-03-17 13:11 <DIR> d-------- C:\Users\Josh Hudson\cd_4.1a
2008-07-06 20:29 . 2007-10-01 08:21 1,129,344 --a------ C:\Windows\System32\drivers\HCW85BDA.sys
2008-07-06 20:29 . 2007-10-01 08:20 140,800 --a------ C:\Windows\System32\hcw85enc.ax
2008-07-06 20:29 . 2007-10-01 08:20 115,712 --a------ C:\Windows\System32\hcw85prop.ax
2008-07-06 20:27 . 2000-02-11 16:58 995,383 --a------ C:\Windows\System32\temp.002
2008-07-06 20:27 . 2001-07-19 07:44 393,216 --a------ C:\Windows\System32\hcwsnbd9.dll
2008-07-06 20:27 . 2000-03-07 15:22 278,581 --a------ C:\Windows\System32\temp.001
2008-07-06 20:27 . 1998-06-16 19:45 77,878 --a------ C:\Windows\System32\temp.000
2008-06-18 14:31 . 2008-06-18 14:31 161,096 --a------ C:\Windows\System32\DivXCodecVersionChecker.exe
2008-06-14 09:16 . 2008-04-23 01:11 1,244,672 --a------ C:\Windows\System32\mcmde.dll
2008-06-14 09:16 . 2008-04-23 00:27 428,032 --a------ C:\Windows\System32\EncDec.dll
2008-06-14 09:16 . 2008-04-23 01:12 292,352 --a------ C:\Windows\System32\psisdecd.dll
2008-06-14 09:16 . 2008-04-23 01:12 218,624 --a------ C:\Windows\System32\psisrndr.ax
2008-06-14 09:16 . 2008-04-23 01:12 80,896 --a------ C:\Windows\System32\MSNP.ax
2008-06-14 09:16 . 2008-04-23 01:11 68,608 --a------ C:\Windows\System32\Mpeg2Data.ax
2008-06-14 09:16 . 2008-04-23 01:11 57,856 --a------ C:\Windows\System32\MSDvbNP.ax
2008-06-10 18:12 . 2008-06-10 18:12 682,232 --a------ C:\Windows\System32\drivers\sptd.sys
2008-06-10 18:09 . 2008-06-10 18:09 <DIR> d-------- C:\Users\Josh Hudson\AppData\Roaming\Roxio
2008-06-10 18:09 . 2008-07-07 22:14 <DIR> d-------- C:\Users\All Users\Roxio
2008-06-10 18:09 . 2008-07-07 22:14 <DIR> d-------- C:\ProgramData\Roxio
2008-06-10 18:07 . 2008-04-26 03:41 1,327,616 --a------ C:\Windows\System32\quartz.dll
2008-06-10 18:07 . 2008-05-09 21:21 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys
2008-06-10 18:07 . 2008-05-09 23:30 14,848 --a------ C:\Windows\System32\wshrm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-10 21:41 --------- d-----w C:\Users\Josh Hudson\AppData\Roaming\DNA
2008-07-10 03:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-10 01:09 --------- d-----w C:\ProgramData\Creative
2008-07-10 01:02 --------- d-----w C:\Users\Josh Hudson\AppData\Roaming\BitTorrent
2008-07-09 23:54 174 --sha-w C:\Program Files\desktop.ini
2008-07-09 23:47 --------- d-----w C:\Program Files\Windows Mail
2008-07-08 13:05 --------- d-----w C:\Program Files\Trend Micro
2008-07-08 04:09 --------- d-----w C:\Program Files\WinTV
2008-07-07 12:30 --------- d-----w C:\Program Files\Common Files\PX Storage Engine
2008-06-03 02:23 --------- d-----w C:\Program Files\Google
2008-06-03 02:15 --------- d-----w C:\Users\Josh Hudson\AppData\Roaming\PeerNetworking
2008-06-02 07:08 41,984 ----a-w C:\Windows\system32\drivers\monitor.sys
2008-06-02 07:08 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-06-02 07:06 944,184 ----a-w C:\Windows\System32\winload.exe
2008-06-02 07:06 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-06-02 07:06 620,088 ----a-w C:\Windows\System32\ci.dll
2008-06-02 07:06 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-06-02 07:06 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-06-02 07:06 371,712 ----a-w C:\Windows\System32\srcore.dll
2008-06-02 07:06 313,856 ----a-w C:\Windows\System32\rstrui.exe
2008-06-02 07:06 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-06-02 07:06 16,384 ----a-w C:\Windows\System32\srdelayed.exe
2008-06-02 07:05 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-06-02 07:04 83,968 ----a-w C:\Windows\System32\dnsrslvr.dll
2008-06-02 07:04 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-06-02 07:04 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-06-02 07:04 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-06-02 07:04 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-06-02 07:04 24,576 ----a-w C:\Windows\System32\dnscacheugc.exe
2008-06-02 07:04 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-06-02 07:04 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-06-02 07:04 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-06-02 07:04 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-06-02 01:29 --------- d-----w C:\Program Files\DNA
2008-06-02 01:29 --------- d-----w C:\Program Files\BitTorrent
2008-06-02 00:17 53,080 ----a-w C:\Windows\System32\wuauclt.exe
2008-06-02 00:17 43,352 ----a-w C:\Windows\System32\wups2.dll
2008-06-02 00:17 1,712,984 ----a-w C:\Windows\System32\wuaueng.dll
2008-06-02 00:17 1,524,224 ----a-w C:\Windows\System32\wucltux.dll
2008-06-02 00:16 80,896 ----a-w C:\Windows\System32\wudriver.dll
2008-06-02 00:16 549,720 ----a-w C:\Windows\System32\wuapi.dll
2008-06-02 00:16 33,624 ----a-w C:\Windows\System32\wups.dll
2008-06-02 00:16 31,232 ----a-w C:\Windows\System32\wuapp.exe
2008-06-02 00:16 163,000 ----a-w C:\Windows\System32\wuwebv.dll
2008-06-01 23:27 --------- d-----w C:\Program Files\Common Files\Remote Control Software Common
2008-06-01 23:26 --------- d-----w C:\Program Files\Logitech
2008-06-01 23:26 --------- d-----w C:\Program Files\Common Files\Remote Control USB Driver
2008-06-01 23:25 127,034 ------r C:\Windows\bwUnin-8.1.1.50-8876480SL.exe
2008-06-01 23:25 --------- d-----w C:\Users\Josh Hudson\AppData\Roaming\InstallShield
2008-06-01 22:07 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-01 21:43 --------- d-----w C:\ProgramData\AOL OCP
2008-06-01 21:42 --------- d-----w C:\Users\Josh Hudson\AppData\Roaming\acccore
2008-06-01 21:42 --------- d-----w C:\ProgramData\Viewpoint
2008-06-01 21:42 --------- d-----w C:\ProgramData\AOL
2008-06-01 21:42 --------- d-----w C:\Program Files\Viewpoint
2008-06-01 21:42 --------- d-----w C:\Program Files\Common Files\AOL
2008-06-01 21:42 --------- d-----w C:\Program Files\AIM6
2008-06-01 19:16 --------- d-----w C:\Program Files\support.com
2008-05-30 18:19 507,400 ----a-w C:\Windows\System32\XAudio2_1.dll
2008-05-30 18:18 238,088 ----a-w C:\Windows\System32\xactengine3_1.dll
2008-05-30 18:17 65,032 ----a-w C:\Windows\System32\XAPOFX1_0.dll
2008-05-30 18:17 25,608 ----a-w C:\Windows\System32\X3DAudio1_4.dll
2008-05-30 18:11 467,984 ----a-w C:\Windows\System32\d3dx10_38.dll
2008-05-30 18:11 3,850,760 ----a-w C:\Windows\System32\D3DX9_38.dll
2008-05-30 18:11 1,491,992 ----a-w C:\Windows\System32\D3DCompiler_38.dll
2008-05-30 17:22 524,288 ----a-w C:\Windows\System32\DivXsm.exe
2008-05-30 17:22 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2008-05-30 17:19 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-05-30 17:19 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-05-26 20:30 --------- d-----w C:\Users\Josh Hudson\AppData\Roaming\ATI
2008-05-26 20:30 --------- d-----w C:\ProgramData\ATI
2008-05-26 20:25 --------- d-sh--w C:\ProgramData\Templates
2008-05-26 20:25 --------- d-sh--w C:\ProgramData\Start Menu
2008-05-26 20:25 --------- d-sh--w C:\ProgramData\Favorites
2008-05-26 20:25 --------- d-sh--w C:\ProgramData\Documents
2008-05-26 20:25 --------- d-sh--w C:\ProgramData\Desktop
2008-05-26 20:25 --------- d-sh--w C:\ProgramData\Application Data
2008-05-09 22:38 87,040 ----a-w C:\Windows\System32\msoert2.dll
2008-05-09 22:38 39,424 ----a-w C:\Windows\System32\ACCTRES.dll
2008-05-09 22:38 229,888 ----a-w C:\Windows\System32\msshsq.dll
2008-05-09 22:38 205,824 ----a-w C:\Windows\System32\msoeacct.dll
2008-05-09 22:38 2,048 ----a-w C:\Windows\System32\msxml6r.dll
2008-05-09 22:38 1,335,296 ----a-w C:\Windows\System32\msxml6.dll
2008-05-09 22:37 750,080 ----a-w C:\Windows\System32\qmgr.dll
2008-05-09 22:35 974,336 ----a-w C:\Windows\System32\crypt32.dll
2008-05-09 22:35 8,704 ----a-w C:\Windows\System32\hcrstco.dll
2008-05-09 22:35 8,704 ----a-w C:\Windows\System32\hccoin.dll
2008-05-09 22:35 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2008-05-09 22:35 788,992 ----a-w C:\Windows\System32\rpcrt4.dll
2008-05-09 22:35 7,680 ----a-w C:\Windows\System32\spwmp.dll
2008-05-09 22:35 4,096 ----a-w C:\Windows\System32\dxmasf.dll
2008-05-09 22:35 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll
2008-05-09 22:33 8,192 ----a-w C:\Windows\System32\riched32.dll
2008-05-09 22:32 905,400 ----a-w C:\Windows\System32\winresume.exe
2008-05-09 22:30 2,048 ----a-w C:\Windows\System32\tzres.dll
2008-05-09 22:29 84,480 ----a-w C:\Windows\System32\INETRES.dll
2008-05-09 22:29 737,792 ----a-w C:\Windows\System32\inetcomm.dll
2008-05-09 22:29 49,664 ----a-w C:\Windows\System32\csrsrv.dll
2008-05-09 22:29 376,320 ----a-w C:\Windows\System32\winsrv.dll
2008-05-09 22:29 2,048 ----a-w C:\Windows\System32\msxml3r.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 08:35 125440]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-03-25 16:21 50528]
"BitTorrent DNA"="C:\Users\Josh Hudson\Program Files\DNA\btdna.exe" [2008-06-02 08:22 289088]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" [2006-11-27 10:14 180224]
"UpdReg"="C:\Windows\UpdReg.EXE" [2000-05-11 02:00 90112]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-05-09 11:03 29744]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"MSConfig"="C:\Windows\system32\msconfig.exe" [2006-11-02 05:45 222208]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-09-25 07:10 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-09-25 07:10 154136]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-09-25 07:10 129560]
"Malwarebytes Anti-Malware Reboot"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2008-07-07 17:35 1175160]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-11 09:26 4452352 C:\Windows\RtHDVCpl.exe]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-06-01 19:26:04 67128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-05-09 11:13 10536 C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 13:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D6BAD6EC-0CD8-4C8D-B2AB-F334825A0ABF}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{32B32560-1944-4D0B-BEDE-A1D92713A627}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{20B2A54D-CC08-42CC-BF98-DDF951803BAB}"= UDP:C:\Program Files\AIM6\aim6.exe:AIM
"{2D32F850-9CD8-4D18-ACE0-08811776C50D}"= TCP:C:\Program Files\AIM6\aim6.exe:AIM
"{B7A30357-2316-4430-974D-EB1E9716403D}"= UDP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{ECCC1027-4640-4362-BA3C-9A39318A2FE0}"= TCP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{D82A9F86-44C0-426A-94EE-402746B10EAB}"= UDP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{2B27A29B-F078-465D-AE45-95FCD703DB83}"= TCP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{40435C03-72DB-4CE2-98C8-A2B9DC08A580}"= UDP:C:\Program Files\DNA\btdna.exe:DNA
"{58211F4C-DEC4-4033-9B4B-FFB75D246F9E}"= TCP:C:\Program Files\DNA\btdna.exe:DNA
"{DB09820A-50E0-483E-BA45-97796820BCD2}"= UDP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{BB9DFF95-E855-4660-BCE6-92ECBF2B1C7C}"= TCP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"TCP Query User{3DDEEB8D-69DD-4E33-9590-C74104597415}C:\\program files\\logitech\\desktop messenger\\8876480\\program\\logitechdesktopmessenger.exe"= UDP:C:\program files\logitech\desktop messenger\8876480\program\logitechdesktopmessenger.exe:Logitech Desktop Messenger
"UDP Query User{D3EC16AD-C47D-4F2F-BBB2-43B36C36422F}C:\\program files\\logitech\\desktop messenger\\8876480\\program\\logitechdesktopmessenger.exe"= TCP:C:\program files\logitech\desktop messenger\8876480\program\logitechdesktopmessenger.exe:Logitech Desktop Messenger
"TCP Query User{F761ED08-71C5-4EDF-8A60-64B44C3AAF58}C:\\program files\\bittorrent\\bittorrent.exe"= UDP:C:\program files\bittorrent\bittorrent.exe:bittorrent
"UDP Query User{5B9A829C-5D51-40E8-B97F-0AFAE36898BF}C:\\program files\\bittorrent\\bittorrent.exe"= TCP:C:\program files\bittorrent\bittorrent.exe:bittorrent

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7
"C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R1 pctfw2;pctfw2;C:\Windows\System32\drivers\pctfw2.sys [2008-04-10 15:14]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-09-24 06:37]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;C:\Windows\system32\drivers\HCW85BDA.sys [2007-10-01 08:21]
S3 GoToAssist;GoToAssist;C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe Start=service []

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-07-10 21:43:07 C:\Windows\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-07-10 21:05:13 C:\Windows\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-cmds - C:\Users\JOSHHU~1\AppData\Local\Temp\yayxxxUN.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-10 17:52:07
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-10 17:52:59
ComboFix-quarantined-files.txt 2008-07-10 21:52:56
ComboFix2.txt 2008-07-09 12:03:20

Pre-Run: 402,222,424,064 bytes free
Post-Run: 402,207,875,072 bytes free

268 --- E O F --- 2008-07-09 23:47:52

Touch
Forum Moderator
Posted 7/11/2008 10:12 AM (GMT +3)
How are things running now?



joshhud
New Member
Posted 7/11/2008 3:56 PM (GMT +3)
So far so good. Thanks a bunch, you were a great help.

Touch
Forum Moderator
Posted 7/12/2008 7:12 AM (GMT +3)
My pleasure.

Please download OTMoveIt by OldTimer: http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe

1. Save it to your desktop.
2. Please double-click OTMoveIt.exe to run it.
3. Click on the CleanUp! button. When you do this, a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, you should allow it to do so. After the list has been downloaded you'll be asked if you want to "Begin cleanup process?" Select Yes.
4. This step removes the files, folders, and shortcuts created by the tools I had you download and run.

AVG, Avira or Avast are good free antivirus programs. These are also less taxing on resources.

Please read Tony Klein's excellent article about how to prevent spyware/hijackers in the future: http://www.castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html
 
 



joshhud
New Member
Posted 7/12/2008 8:21 AM (GMT +3)
When I click CleanUp it says file access denied.

Touch
Forum Moderator
Posted 7/12/2008 8:37 AM (GMT +3)
Ok. Delete the alternativ/HijackThis manually then.
Uninstall ComboFix.exe and all backups of files that it deleted:
Click START, then RUN.
Now type/copy: Combofix /u in the run box and click OK.
Note the space between the X and the U; it needs to be there.

