[Resolved] Internet Security 2010 - System Scan - Security Warning - W


  • This topic is locked
96 replies to this topic

#76 kapusta

kapusta

    Authentic Member

  • Authentic Member
  • PipPip
  • 125 posts

Posted 18 December 2009 - 08:40 PM

Untitled (download) window pops up:
“You have chosen to open
OTM.exe
Which is a: Application
From: http://oldtimer.geekstogo.com
Would you like to save this file?"

The “Save File” click button is faded.
The “Cancel” click button is not, but it is not responding.
The only feature that works is the Red X out.
This closes all of firefox.

I tried this another time with my task manager open.
Selecting your OTM link causes 2 Firefox applications to go from Running to Not Responding -
the WTT page application and the untitled window application, I guess.


#77 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 18 December 2009 - 08:41 PM

Download KittyFix
http://download.blee...ta/KittyFix.exe


* IMPORTANT !!! Save KittyFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs

  • Double click on KittyFix.exe & follow the prompts.



  • As part of its process, KittyFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow KittyFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\KittyFix.txt in your next reply.
"copy/paste" a new HijackThis log file into this thread as well.

Notes:

1. Do not mouse-click KittyFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#78 kapusta

kapusta

    Authentic Member

  • Authentic Member
  • PipPip
  • 125 posts

Posted 18 December 2009 - 09:56 PM

It's been so long since I've seen my normal desktop background, I'm not 100% sure how the icons looked, but I think something is still different with them. At least the old background is viewable. I tried to go into my MediaCenter to see if it would play a DVD. I stopped when I could tell that I did not hear the MediaCenter little welcome jingle. No sound on that. At least I can get into my Yahoo e-mail and open things up without it hanging up Firefox. What next? Do you want to see any logs? Adobe Photoshop opens OK. I wonder what to try next.

#79 kapusta

kapusta

    Authentic Member

  • Authentic Member
  • PipPip
  • 125 posts

Posted 18 December 2009 - 10:52 PM

Please use Copy/paste and post the scan results.

log


ComboFix 09-12-18.01 - Myself 12/18/2009 22:11:09.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1363 [GMT -5:00]
Running from: c:\documents and settings\Desktop\KittyFix.exe
AV: Trend Micro PC-cillin Internet Security *On-access scanning enabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Myself\LOCALS~1\Temp\1.wmv
c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate\swUPdate.dll
c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate\swupdate.dll.tmp
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Desktop\HijackThis(2).exe
c:\documents and settings\Desktop\Internet Security 2010.lnk
c:\windows\kb913800.exe
c:\windows\system32\dowikabu.dll
c:\windows\system32\gezonawo.dll
c:\windows\system32\hamaveho.dll
c:\windows\system32\jiyayuda.dll
c:\windows\system32\kabunabo.dll
c:\windows\system32\kipiheba.dll
c:\windows\system32\PCLECoInst.dll
c:\windows\system32\pikedahu.dll
c:\windows\system32\poyinada.dll
c:\windows\system32\susopaya.dll
c:\windows\system32\tesegigo.dll
c:\windows\system32\wegubeva.dll
c:\windows\system32\wutilowu.dll
c:\windows\system32\yapowuwi.dll
c:\windows\system32\yivomadu.dll
c:\windows\Tasks\mpnwnfsj.job

----- BITS: Possible infected sites -----

hxxp://77.74.48.111
.
((((((((((((((((((((((((( Files Created from 2009-11-19 to 2009-12-19 )))))))))))))))))))))))))))))))
.

2009-12-19 02:49 . 2009-12-19 02:49 3857787 ----a-r- c:\documents and settings\Desktop\KittyFix.exe
2009-12-15 02:25 . 2009-12-15 02:25 289792 ----a-w- c:\documents and settings\Desktop\exeHelper.com
2009-12-13 18:15 . 2009-12-13 18:15 203 ----a-w- C:\fixme.reg
2009-12-13 17:07 . 2009-12-13 19:42 812344 ----a-w- c:\documents and settings\Desktop\HJTInstall.exe
2009-12-13 16:45 . 2009-12-13 16:45 -------- d-----w- c:\program files\TrendMicro
2009-12-13 16:26 . 2009-12-13 16:26 1401344 ----a-w- c:\documents and settings\Desktop\HijackThis.msi
2009-12-13 15:23 . 2009-12-14 01:12 204 ----a-w- c:\documents and settings\Desktop\fixme.reg
2009-12-13 04:04 . 2009-12-13 04:04 0 ----a-w- c:\documents and settings\Desktop\settings.dat
2009-12-13 03:59 . 2009-12-13 03:59 472064 ----a-w- c:\documents and settings\Desktop\RootRepeal.exe
2009-12-13 03:00 . 2009-12-13 03:00 -------- d-----w- c:\documents and settings\Myself\Local Settings\Application Data\Threat Expert
2009-12-13 02:09 . 2009-12-13 02:14 -------- d-----w- c:\program files\ERUNT
2009-12-12 18:55 . 2009-12-03 21:14 276816 ----a-w- c:\documents and settings\Desktop\mbamservice.exe
2009-12-12 18:55 . 2009-12-03 21:14 429392 ----a-w- c:\documents and settings\Desktop\mbamgui.exe
2009-12-12 18:55 . 2009-12-03 21:14 79696 ----a-w- c:\documents and settings\Desktop\zlib.dll
2009-12-12 18:55 . 2009-12-03 21:14 46416 ----a-w- c:\documents and settings\Desktop\ssubtmr6.dll
2009-12-12 18:55 . 2009-12-13 16:07 -------- d-----w- c:\documents and settings\Desktop\Languages
2009-12-12 18:55 . 2009-12-13 16:07 97365 ----a-w- c:\documents and settings\Desktop\unins000.dat
2009-12-12 18:55 . 2009-12-13 16:01 702288 ----a-w- c:\documents and settings\Desktop\unins000.exe
2009-12-12 18:55 . 2009-12-03 21:14 167760 ----a-w- c:\documents and settings\Desktop\mbam.dll
2009-12-12 18:55 . 2009-12-03 21:13 84816 ----a-w- c:\documents and settings\Desktop\mbamext.dll
2009-12-12 08:00 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-12 08:00 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-12 07:06 . 2009-11-10 15:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-12-12 07:06 . 2009-11-10 15:26 767952 ----a-w- c:\windows\BDTSupport.dll
2009-12-12 07:06 . 2008-11-26 17:08 131 ----a-w- c:\windows\IDB.zip
2009-12-12 07:06 . 2009-11-10 15:28 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-12-12 07:06 . 2009-11-10 15:28 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-12-12 07:06 . 2009-10-28 06:36 1152444 ----a-w- c:\windows\UDB.zip
2009-12-12 06:47 . 2009-12-12 06:47 4844296 ----a-w- c:\documents and settings\Desktop\mbam-setup(2).exe
2009-12-12 06:45 . 2009-12-12 06:45 -------- d-----w- c:\documents and settings\Myself\Application Data\Malwarebytes
2009-12-12 06:45 . 2009-12-12 18:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-12 06:45 . 2009-12-12 06:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-12 06:36 . 2009-10-30 16:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-12 06:36 . 2009-11-09 16:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-12 06:36 . 2009-10-06 21:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-12 06:36 . 2009-09-03 14:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-12-12 06:35 . 2009-12-12 07:16 -------- d-----w- c:\program files\Spyware Doctor
2009-12-12 06:35 . 2009-12-12 07:07 -------- d-----w- c:\program files\Common Files\PC Tools
2009-12-12 06:35 . 2009-12-12 06:35 -------- d-----w- c:\documents and settings\Myself\Application Data\PC Tools
2009-12-12 06:35 . 2009-12-12 06:35 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-12-12 06:34 . 2009-12-19 03:18 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-12 06:23 . 2009-12-12 06:23 -------- d-----w- c:\documents and settings\Desktop\lspfix
2009-12-12 06:19 . 2009-12-12 06:19 201030 ----a-w- c:\documents and settings\Desktop\lspfix.zip
2009-12-12 05:37 . 2009-08-13 15:16 512000 ------w- c:\windows\system32\dllcache\jscript.dll
2009-12-12 04:42 . 2009-12-15 02:32 538112 ----a-w- c:\documents and settings\Desktop\OTL.exe
2009-12-12 04:42 . 2009-12-12 06:41 4844296 ----a-w- c:\documents and settings\Desktop\explorer3.exe
2009-11-28 03:32 . 2009-11-28 03:33 -------- d-----w- c:\windows\system32\en
2009-11-28 03:32 . 2009-11-28 03:32 -------- d-----w- c:\windows\system32\bits

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-13 22:49 . 2006-12-05 16:37 44324606 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-12-13 17:28 . 2006-04-14 20:22 -------- d-----w- c:\program files\Trend Micro
2009-12-13 16:45 . 2009-12-13 16:45 388096 ----a-r- c:\documents and settings\Myself\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-11 03:07 . 2006-04-22 16:54 55568 -c--a-w- c:\documents and settings\Myself\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-01 03:10 . 2009-10-25 03:56 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-01 00:51 . 2009-08-06 01:11 -------- d-----w- c:\program files\SequoiaView
2009-10-29 05:38 . 2005-08-16 09:18 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2005-08-16 09:18 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2005-08-16 09:18 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 04:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2005-08-16 09:18 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2005-08-16 09:18 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2005-08-16 09:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-04 23:56 . 2006-05-15 01:31 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-03 02:41 . 2009-10-03 02:41 0 ----atw- c:\windows\005866_.tmp
2009-09-25 05:37 . 2005-08-16 09:18 81920 ----a-w- c:\windows\system32\ieencode.dll
2002-07-26 21:02 . 2007-09-26 00:31 153088 ----a-w- c:\program files\UNWISE.EXE
2006-05-06 14:01 . 2006-04-22 16:53 88 -csh--r- c:\windows\system32\CB6D8158AE.sys
2009-09-19 02:59 . 2009-09-19 02:59 61440 --sha-w- c:\windows\system32\lenasoyu.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2005-08-16 20553]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-05-15 171448]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-17 397312]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-12-15 839680]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-04-14 98304]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-04-14 169472]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-03-16 755480]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-03-17 102400]
"PCLEUSBTip"="c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2006-01-23 196608]
"USBToolTip"="c:\program files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe" [2006-01-23 196608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-5-11 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-6-16 49152]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-14 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security 12\\PcCtlCom.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [12/12/2009 1:36 AM 207792]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [12/12/2009 2:06 AM 112592]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [8/30/2005 4:30 PM 190480]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [8/30/2005 4:30 PM 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/30/2005 4:30 PM 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [8/30/2005 4:30 PM 31248]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [8/30/2005 4:30 PM 262215]
S3 AngelUsb;Angel USB MPEG Device;c:\windows\system32\drivers\AngelUsb.sys [4/14/2006 2:42 PM 375424]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 hcw72ADFilter;WinTV HVR-950 USB Audio Filter Driver;c:\windows\system32\drivers\hcw72ADFilter.sys [7/8/2008 5:35 PM 27904]
S3 hcw72ATV;WinTV HVR-950 NTSC;c:\windows\system32\drivers\hcw72ATV.sys [7/8/2008 5:37 PM 1208448]
S3 hcw72DTV;WinTV HVR-950 ATSC/QAM;c:\windows\system32\drivers\hcw72DTV.sys [7/8/2008 5:41 PM 1200768]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [12/12/2009 1:35 AM 359624]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.intergate.com/startpage/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.intergate.com/startpage/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Myself\Application Data\Mozilla\Firefox\Profiles\sr4rv36a.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{c9e49d70-cd9a-4ceb-8c1d-3deeddead7e4} - kabunabo.dll
HKLM-Run-USB2Check - c:\windows\system32\PCLECoInst.dll
HKLM-Run-donihowata - susopaya.dll
HKLM-Run-kibimoboh - c:\windows\system32\poyinada.dll
SharedTaskScheduler-{f54f1c26-f2c6-412a-9267-44a311f5e0c5} - c:\windows\system32\poyinada.dll
SSODL-bolemujeb-{f54f1c26-f2c6-412a-9267-44a311f5e0c5} - c:\windows\system32\poyinada.dll
AddRemove-SmartInstaller - c:\program files\EarthLink\TotalAccess Smart Installer\UnSMI.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-18 22:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\TRENDM~1\INTERN~1\PccGuide.exe
c:\windows\stsystra.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
.
**************************************************************************
.
Completion time: 2009-12-18 22:30:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-19 03:30

Pre-Run: 12,537,262,080 bytes free
Post-Run: 12,531,318,784 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 6EA1DB921E9DBA02ED42BFF0ECA9B092

Attached Files

  • Attached File  log.txt   16.67KB   368 downloads
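A helper reading a log like the one above looks for a handful of things first: the random eight-letter DLL names under system32, files carrying the system+hidden attributes, the Security Center "DisableMonitoring" entries, the XP firewall profile with EnableFirewall set to 0, and the BITS "possible infected sites" entry. As an added example (it is not part of the thread and not ComboFix's own code), here is a small Python triage script that pulls those out of a constructed excerpt modelled on the posted log; the section banners, entry layout and CVCVCVCV naming test are assumptions taken from that log.

```python
import re

# Constructed excerpt modelled on the ComboFix log posted in this thread;
# it is sample input for the triage functions below, not the full log.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\dowikabu.dll
c:\windows\system32\PCLECoInst.dll
c:\windows\system32\poyinada.dll
c:\windows\Tasks\mpnwnfsj.job
----- BITS: Possible infected sites -----
hxxp://77.74.48.111
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-10-29 05:38 . 2005-08-16 09:18 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-19 02:59 . 2009-09-19 02:59 61440 --sha-w- c:\windows\system32\lenasoyu.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Section banners look like "(((( Name ))))" or "----- Name -----".
SECTION_RE = re.compile(r"^(?:\(+|-{3,})\s*(.+?)\s*(?:\)+|-{3,})$")
# File entries: created . modified size attributes path
FILE_ENTRY_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d (\S+) (\S+) (.+)$")
# Eight lowercase letters alternating consonant/vowel (dowikabu, poyinada, ...):
# the naming pattern of the DLLs this log removed from system32.
RANDOM_DLL_RE = re.compile(r"\\([bcdfghjklmnpqrstvwxyz][aeiou]){4}\.dll$")
MONITOR_KEY_RE = re.compile(r"^\[.*\\security center\\Monitoring\\([^\]]+)\]$", re.I)

def split_sections(log):
    """Group non-empty lines under the banner that precedes them."""
    sections, current = {"": []}, ""
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m and re.search(r"[A-Za-z]", m.group(1)):
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and line != ".":
            sections[current].append(line)
    return sections

def random_named_dlls(lines):
    """Paths whose file name fits the random CVCVCVCV.dll pattern."""
    paths = [(m.group(3) if m else ln) for ln, m in zip(lines, map(FILE_ENTRY_RE.match, lines))]
    return [p for p in paths if RANDOM_DLL_RE.search(p)]

def hidden_system_files(lines):
    """File entries carrying both the system (s) and hidden (h) attributes."""
    return [m.group(3) for m in map(FILE_ENTRY_RE.match, lines)
            if m and m.group(2)[2:4] == "sh"]

def monitoring_disabled(lines):
    """Security Center products whose monitoring the registry switches off."""
    found, product = [], None
    for line in lines:
        m = MONITOR_KEY_RE.match(line)
        if m:
            product = m.group(1)
        elif product and line.lower() == '"disablemonitoring"=dword:00000001':
            found.append(product)
            product = None
        elif line.startswith("["):
            product = None
    return found

def firewall_off(lines):
    """True when the XP firewall standard profile carries EnableFirewall = 0."""
    in_profile = False
    for line in lines:
        if line.startswith("["):
            in_profile = line.lower().endswith(r"\firewallpolicy\standardprofile]")
        elif in_profile and re.match(r'^"EnableFirewall"\s*=\s*0\b', line):
            return True
    return False

def triage(log):
    """The findings a helper reads first from a ComboFix-style log."""
    sections = split_sections(log)
    lines = [ln for sec in sections.values() for ln in sec]
    return {
        "random_dlls": random_named_dlls(lines),
        "hidden_system": hidden_system_files(lines),
        "monitoring_disabled": monitoring_disabled(lines),
        "firewall_off": firewall_off(lines),
        "bits_sites": [ln for name, sec in sections.items() if name.startswith("BITS")
                       for ln in sec if ln.startswith("hxxp://")],
    }
```

Run against the full posted log, the same functions flag the fifteen random-named DLLs, the three DisableMonitoring keys and the disabled firewall profile; a legitimate entry such as PCLECoInst.dll or wininet.dll is left alone.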


#80 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 19 December 2009 - 05:13 AM

How's it running?


You need to update Java.

Update Java
Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
First remove the older versions:
  • Download JavaRa and unzip it to your desktop.
  • Double-click on JavaRa.exe to start the program.
  • Click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.
Now let's download and install the newest version:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 10.
  • Click on Windows XP/Vista/2000/2003 Offline and save the downloaded file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on the download to install the newest version.
  • Reboot your computer.



#81 kapusta

kapusta

    Authentic Member

  • Authentic Member
  • PipPip
  • 125 posts

Posted 19 December 2009 - 07:43 AM

I did not get the option to.... "Click on Remove Older Versions..." So, other things were different and (sorry) I tried it again. I WAS prompted, the second time, if I wanted to write the new log files over the top of the ones from the first pass. But these are just the logs. Do I use my Control Panel and Add Or Remove Programs to see if there is an older version and uninstall it?

#82 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 19 December 2009 - 08:14 AM

I did not get the option to....
"Click on Remove Older Versions..."
So, other things were different and (sorry) I tried it again.
I WAS prompted, the second time, if I wanted to write the new log files over the top of the ones from the first pass.
But these are just the logs.
Do I use my Control Panel and Add Or Remove Programs to see if there is an older version and uninstall it?

Yes.
Are you still getting any pop-up warnings?



#83 kapusta

kapusta

    Authentic Member

  • Authentic Member
  • PipPip
  • 125 posts

Posted 19 December 2009 - 08:46 AM

I checked back on this log. The biggest improvement was the first improvement on Dec 13 2009, 03:00 PM Post #17:

"Delete these Files if listed: c:\windows\system32\paviviwa.dll C:\Program Files\InternetSecurity2010\IS2010.exe Delete these Folders if listed: C:\Program Files\InternetSecurity2010"

I used my search feature on: "paviviwa" "internetsecurity" "is2010" and "is 2010". I could only find the folder. I deleted it and emptied Recycle. Also found, but did not delete:........ .....One of my previous symptoms, one immovable "popup" did not show up this time. Also haven't seen certain other popups...... ....Also, mediacenter: dvd still has no sound when playing.

Since that time, my AdobePhotoshop started loading OK. My MS Word has been working the whole time or most of the time. So, it was a huge improvement to have the pop-ups go away. Thank you very, very much for that. I will try to test it with multiple Firefox windows up.

But I still have no sound. When I use the volume buttons on the front of the keyboard, the volume indicator that pops up indicates that the volume is at max. When I put a DVD in and it comes up with no sound, I go to the screen volume "buttons" and the same thing - it's at max. I think I used to have a volume feature in the tray, but I don't see one now. And when I clicked on the windows symbol in the upper left hand of my MediaCenter, to see what options I could get, I got the window "ehshell.exe - Common Language Runtime Debugging... Application has generated an exception that could not be handled. Process id=0xa20 (2592), Thread id=0x240 (576). Click OK to terminate the application. Click CANCEL to debug the application" next window "ehshell.exe - No debugger found. Registered JIT debugger is not available. An attempt to launch a JIT debugger with the following command resulted n an error code of 0x2 (2). Please check computer settings. cordbg.exe !0xa20 Click on Retry to have the process wait while attaching a debugger manually. Click on....." Then when I get rid of the window a crash report begins generating. The error messages seem to be something that I had before the malware. I think. I have an Angel TV tuner that has been having increasing problems over the last year, and it will be my next problem to fix on this site. However, the no-volume problem started exactly when the malware started.

#84 kapusta

kapusta

    Authentic Member

  • Authentic Member
  • PipPip
  • 125 posts

Posted 19 December 2009 - 08:49 AM

Add or Remove programs has Java 2 Runtime Environment, SE v1.4.2_03 136MB Get rid of this now and then proceed with your previous instructions?

#85 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 19 December 2009 - 08:50 AM

Do you have the little speaker Icon on your taskbar down by the time/date? If so, open it and make sure there's no checkmark / tick in Mute at the bottom.



#86 kapusta

kapusta

    Authentic Member

  • Authentic Member
  • PipPip
  • 125 posts

Posted 19 December 2009 - 09:00 AM

I expanded the taskbar and I thought I used to have one there. I never use that version for the volume, just the other two that I mentioned. But I hovered over each icon and none has to do with the volume. (I have one like you're talking about on my computer at work.) There's nothing to un-mute.

#87 kapusta

kapusta

    Authentic Member

  • Authentic Member
  • PipPip
  • 125 posts

Posted 19 December 2009 - 09:01 AM

You want me to Remove Java 2 Runtime Environment, SE v1.4.2_03?

#88 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 19 December 2009 - 09:04 AM

OK. Being that you're clean of bad guys, I want you to do the below and then start a new topic in our General Hardware forum for one of the Tech Team to help you with the sound issues.

Good job :thumbup:

The following will implement some cleanup procedures as well as reset System Restore points:

  • Click START then RUN
  • Now type KittyFix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

You can also uninstall any programs / tools I have you install unless you want to keep them.



#89 kapusta

kapusta

    Authentic Member

  • Authentic Member
  • PipPip
  • 125 posts

Posted 19 December 2009 - 10:07 AM

KittyFix /Uninstall does not work. "Run" wants something like "c:\Documents and Settings\Myself\My Documents\Downloads\OTL.exe"

#90 kapusta

kapusta

    Authentic Member

  • Authentic Member
  • PipPip
  • 125 posts

Posted 19 December 2009 - 05:58 PM

I'll put this post here for continuity. I don't know if I had this seemingly fake alert right from the start of my malware, but now that this is closing, I want to note that I am still getting 1 pop-up. It sort of looks like a fire hydrant icon to me, but I guess it's supposed to look like the old fashioned, red, rotating, siren bubble on top of a police car. It only stays up for a short time. What I've caught so far is "Network Virus Emergency Center Detect MS02-039 SQL SERVER RESOL…... Network Virus Emergency Center Detect and Blocked......" - - - - - - ( Also, "KittyFix /Uninstall does not work. "Run" wants something like "c:\Documents and Settings\Myself\My Documents\Downloads\OTL.exe" " )
