
[Resolved] Trojans, AdWare, Worm, IE went crazy...HELP


  • This topic is locked
54 replies to this topic

#16 gringo_pr

gringo_pr

    Silver Member

  • Visiting Fellow
  • PipPipPip
  • 423 posts

Posted 13 May 2008 - 07:41 PM

Hello

Just a little more to go.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

File::
C:\Documents and Settings\Owner\Incomplete\Preview-T-3545425-bratz movie.mpg
C:\Documents and Settings\Owner\Incomplete\Preview-T-3545425-little mermaid 2.mpg
C:\Documents and Settings\Owner\Shared\(New Release) good is good sheral crow 23.wma
C:\Documents and Settings\Owner\Shared\little mermaid 2.mpg
C:\Documents and Settings\Owner\Shared\TOTALLY HIP TRACK.wma
C:\My Games\Tropix\postcard.exe


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Let me have the ComboFix log.

gringo



#17 IAmSusie3

IAmSusie3

    Authentic Member

  • Authentic Member
  • PipPip
  • 55 posts

Posted 14 May 2008 - 09:50 PM

Hey, I opened Notepad and did what you said, and a box came up and told me that my version of ComboFix had expired and to re-download it. Then it took my ComboFix icon and that CFScript.txt I saved off of my desktop. I hope that was supposed to have happened. I'm going to re-download ComboFix and then do what you said. Then I'll post it for you.

#18 gringo_pr

gringo_pr

    Silver Member

  • Visiting Fellow
  • PipPipPip
  • 423 posts

Posted 16 May 2008 - 02:32 PM

OK, I'll be waiting.

gringo

#19 IAmSusie3

IAmSusie3

    Authentic Member

  • Authentic Member
  • PipPip
  • 55 posts

Posted 17 May 2008 - 08:30 AM

OK, sorry this has been so long. I started this several times, but fell asleep while waiting and the computer would shut off (maybe the kids did it, I don't know). Anyway, the computer freezes up a lot and I have to turn off and restart. Sometimes I go into Windows Task Manager and there will be like 2 "Internet Explorer"s running and I haven't even signed in on Internet Explorer. And sometimes there will be more than one "ybrowser" open, and when I click on it and push End Task, it won't go away. I can have totally signed out and it will stay there until I shut down and restart. And what is up with all this AOL stuff on the process list? Why is all that stuff running or even on there? Is it supposed to be there?

And one more question ('cause I'm concerned someone is getting through our emails, passwords, or whatever). Before all this crazy stuff started, we had one "Administrator" with password (which I assume was my husband that he put on there when we bought this computer 2 years ago) and then me or whatever as "Guest". I can't tell you where I saw this info (clueless), but I did, and then, after all this craziness, I found that place again and there was "Administrator", "Administrators", and like 3 "Users" or "Guests" signed on or something like that. I tried to delete the ones I knew were not supposed to be there and they would go away and come back and said something like the main "Administrator" had given permission for passwords or something like that. This was a few weeks ago before I started talking to you, and I don't remember where I found it. Am I crazy, or does any of that make sense to you, and is it supposed to be there, or do you think something fishy is going on?

Anyway, here's this log file. Don't give up on me. Sometimes it may take a few days or more to reply (end of school activities times 3 kids equals busy busy busy), but I will get back with you.
File::
C:\Documents and Settings\Owner\Incomplete\Preview-T-3545425-bratz movie.mpg
C:\Documents and Settings\Owner\Incomplete\Preview-T-3545425-little mermaid 2.mpg
C:\Documents and Settings\Owner\Shared\(New Release) good is good sheral crow 23.wma
C:\Documents and Settings\Owner\Shared\little mermaid 2.mpg
C:\Documents and Settings\Owner\Shared\TOTALLY HIP TRACK.wma
C:\My Games\Tropix\postcard.exe

#20 gringo_pr

gringo_pr

    Silver Member

  • Visiting Fellow
  • PipPipPip
  • 423 posts

Posted 17 May 2008 - 10:35 PM

Hello

:run combofix:

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: how-to-use-combofix

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

File::
C:\Documents and Settings\Owner\Incomplete\Preview-T-3545425-bratz movie.mpg
C:\Documents and Settings\Owner\Incomplete\Preview-T-3545425-little mermaid 2.mpg
C:\Documents and Settings\Owner\Shared\(New Release) good is good sheral crow 23.wma
C:\Documents and Settings\Owner\Shared\little mermaid 2.mpg
C:\Documents and Settings\Owner\Shared\TOTALLY HIP TRACK.wma
C:\My Games\Tropix\postcard.exe

Folder::
C:\Documents and Settings\All Users\Application Data\iWin Games
C:\Program Files\temp01


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Let me have the log it produces.

Gringo

#21 IAmSusie3

IAmSusie3

    Authentic Member

  • Authentic Member
  • PipPip
  • 55 posts

Posted 20 May 2008 - 01:37 PM

Oops, did I not do that right? Here's the log that I saved that day. Let me know if that's what you were looking for, 'cause I already did all that CFScript stuff like you said. But I noticed it's not the log I saved to my desktop, so here it is. If it's wrong, I will do it from scratch.

ComboFix 08-05-12.1 - Owner 2008-05-17 8:53:07.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.85 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Owner\Incomplete\Preview-T-3545425-bratz movie.mpg
C:\Documents and Settings\Owner\Incomplete\Preview-T-3545425-little mermaid 2.mpg
C:\Documents and Settings\Owner\Shared\(New Release) good is good sheral crow 23.wma
C:\Documents and Settings\Owner\Shared\little mermaid 2.mpg
C:\Documents and Settings\Owner\Shared\TOTALLY HIP TRACK.wma
C:\My Games\Tropix\postcard.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Owner\Incomplete\Preview-T-3545425-bratz movie.mpg
C:\Documents and Settings\Owner\Incomplete\Preview-T-3545425-little mermaid 2.mpg
C:\Documents and Settings\Owner\Shared\(New Release) good is good sheral crow 23.wma
C:\Documents and Settings\Owner\Shared\little mermaid 2.mpg
C:\Documents and Settings\Owner\Shared\TOTALLY HIP TRACK.wma
C:\My Games\Tropix\postcard.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-17 to 2008-05-17 )))))))))))))))))))))))))))))))
.

2008-05-16 00:56 . 2008-05-16 00:56 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MysteryStudio
2008-05-15 23:53 . 2008-05-15 23:56 <DIR> d-------- C:\Program Files\The Lost Cases of Sherlock Holmes
2008-05-15 23:48 . 2008-05-15 23:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Gaijin Ent
2008-05-15 23:25 . 2008-05-15 23:25 <DIR> d-------- C:\Program Files\Mystery Cookbook
2008-05-15 20:39 . 2008-05-15 20:42 <DIR> d-------- C:\Program Files\Airport Mania - First Flight
2008-05-15 11:43 . 2008-05-15 11:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\iWinArcade
2008-05-13 21:12 . 2008-05-13 21:23 538 --a------ C:\WINDOWS\wwwconfig.dat
2008-05-13 00:23 . 2008-05-13 00:23 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-13 00:23 . 2008-05-13 00:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-11 23:07 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-11 23:07 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-05 16:58 . 2008-05-05 16:58 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Gamelab
2008-05-05 16:31 . 2008-05-17 01:22 <DIR> d-------- C:\Program Files\SpongeBob SquarePants Diner Dash
2008-05-05 00:48 . 2008-05-05 00:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Zylom
2008-05-04 23:13 . 2008-05-04 23:13 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\iWin
2008-05-04 16:37 . 2008-05-04 16:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-30 17:38 . 2008-04-30 17:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-04-30 17:28 . 2008-04-30 17:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-30 17:28 . 2008-04-30 17:28 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-04-30 17:28 . 2008-04-30 17:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-30 16:39 . 2008-04-30 16:39 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-30 13:24 . 2008-04-30 13:31 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-30 00:26 . 2008-04-30 00:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-04-30 00:09 . 2006-09-18 10:57 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-30 00:09 . 2006-09-18 11:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-04-30 00:09 . 2006-09-18 11:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-04-30 00:09 . 2006-09-18 11:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-04-30 00:09 . 2008-04-30 00:09 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-30 00:09 . 2008-05-16 11:47 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-29 17:16 . 2008-04-29 17:16 <DIR> d-------- C:\Program Files\Mystery P.I. - The Vegas Heist
2008-04-29 17:16 . 2008-05-15 09:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SpinTop
2008-04-28 18:01 . 2008-05-12 23:10 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-28 18:01 . 2008-04-28 18:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-28 18:01 . 2008-04-28 18:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-28 16:45 . 2008-04-28 16:45 109,738 --a------ C:\WINDOWS\BMa3f72945.xml
2008-04-27 00:30 . 2006-09-14 11:53 1,941,504 --a------ C:\WINDOWS\system32\Tropix.scr
2008-04-21 03:45 . 2008-04-21 03:45 <DIR> d-------- C:\Program Files\The Hidden Object Show
2008-04-20 02:20 . 2008-04-20 02:20 <DIR> d-------- C:\WINDOWS\Dream Day - First Home
2008-04-20 02:20 . 2008-04-20 02:21 <DIR> d-------- C:\Program Files\Dream Day - First Home
2008-04-19 02:15 . 2008-04-20 01:15 <DIR> d-------- C:\Program Files\Dream Day First Home
2008-04-19 02:04 . 2008-05-04 23:14 <DIR> d-------- C:\Program Files\Family Feud III - Dream Home

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-17 08:48 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-05-17 06:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-16 15:24 --------- d-----w C:\Program Files\LimeWire
2008-05-15 14:41 --------- d-----w C:\Program Files\Bonjour
2008-05-15 14:26 --------- d-----w C:\Documents and Settings\Owner\Application Data\Pogo Games
2008-05-09 07:37 --------- d-----w C:\Program Files\QuickTime
2008-05-09 07:37 --------- d-----w C:\Program Files\Norton Internet Security
2008-05-09 07:37 --------- d-----w C:\Program Files\Microsoft LifeCam
2008-05-09 07:37 --------- d-----w C:\Program Files\iTunes
2008-05-09 07:37 --------- d-----w C:\Program Files\Digital Media Reader
2008-05-09 07:37 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-09 07:37 --------- d-----w C:\Program Files\America Online 9.0
2008-05-07 07:14 --------- d-----w C:\Documents and Settings\Owner\Application Data\PlayFirst
2008-05-07 07:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-05-07 02:49 --------- d-----w C:\Program Files\Brain Booster
2008-05-05 06:28 --------- d-----w C:\Program Files\Lx_cats
2008-05-04 05:59 --------- d-----w C:\Program Files\AOL Games
2008-05-01 05:41 --------- d-----w C:\Program Files\2Wire
2008-04-30 05:35 --------- d-----w C:\Documents and Settings\Owner\Application Data\Uniblue
2008-04-29 08:45 --------- d-----w C:\Program Files\GameHouse
2008-04-29 07:13 --------- d-----w C:\Documents and Settings\Owner\Application Data\Big Fish Games
2008-04-29 06:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Fugazo
2008-04-29 00:20 --------- d-----w C:\Program Files\BFG
2008-04-21 08:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Gogii
2008-04-21 02:30 --------- d-----w C:\Program Files\Tropix
2008-04-20 22:13 13,984 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-04-19 06:59 --------- d-----w C:\Program Files\bfgclient
2008-04-10 05:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Interama
2008-04-10 04:48 --------- d-----w C:\Program Files\MostFun
2008-04-07 07:13 --------- d-----w C:\Documents and Settings\Owner\Application Data\Pi Eye Games
2008-04-07 06:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\MostFun
2008-04-07 06:23 --------- d-----w C:\Program Files\Circulate
2008-04-04 19:43 --------- d-----w C:\Program Files\iPod
2008-04-02 19:21 --------- d-----w C:\Program Files\Games
2008-04-02 03:18 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ludia
2008-04-02 03:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ludia
2008-04-01 07:50 --------- d-----w C:\Documents and Settings\Owner\Application Data\Boomzap
2008-04-01 07:02 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-03-28 01:24 --------- d-----w C:\Program Files\CardRecovery
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-26 18:52 --------- d-----w C:\Documents and Settings\Owner\Application Data\Leadertech
2008-03-26 18:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-26 17:36 --------- d-----w C:\Program Files\Digital Photo Recovery
2008-03-21 07:16 --------- d-----w C:\Documents and Settings\Owner\Application Data\Friday's games
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-12 15:10 0 ----a-w C:\Program Files\temp01
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2006-12-19 00:21 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-11-11 23:06 1,727,833 ----a-w C:\Program Files\ChayceAndRoland.JPG
.

((((((((((((((((((((((((((((( snapshot_2008-05-16_ 1.47.56.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-16 03:03:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-17 08:46:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-17 08:50:59 24,576 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\neodesk\e42ab0fd\2e9ffd2\-90cdhj1.dll
+ 2008-05-17 08:50:58 4,096 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\neodesk\e42ab0fd\2e9ffd2\gfugleqm.dll
+ 2008-05-17 08:50:55 3,072 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\neodesk\e42ab0fd\2e9ffd2\rgfhq_pc.dll
- 2008-04-06 05:56:20 19,836,024 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-05-09 21:35:04 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-05-17 08:50:52 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_4d4.dat
+ 2008-05-17 08:47:42 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_750.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShutterflyStudio"="C:\Program Files\Shutterfly\Studio\BIN\SFlyStudio.exe" [2007-03-06 13:05 2496512]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 19:42 79448]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 14:05 212992]
"LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 14:47 73728]
"avast! Web Scanner"="C:\PROGRA~1\ALWILS~1\Avast4\ashWebSv.exe" [ ]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-05 18:03 267064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"avast!"="C:\Program Files\Alwil Software\Avast4\ashServ.exe" [ ]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
2WireSetup.lnk - C:\Program Files\2Wire\WebWorks.exe [2008-05-01 00:40:53 622592]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
2WireSetup.lnk - C:\Program Files\2Wire\WebWorks.exe [2008-05-01 00:40:53 622592]
Event Minder Reminders.lnk - C:\HALLMARK\EMREMIND.EXE [2007-07-09 16:39:42 6240]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Install Pending Files.LNK - C:\Program Files\SIFXINST\SIFXINST.EXE [2006-09-18 11:35:37 729088]
iWin Desktop Alerts.lnk - C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe [2008-01-28 19:51:51 107520]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\1158597562\\EE\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MostFun\\Bin\\MostFun.exe"=

R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2006-10-13 18:01]
R3 2WIREPCP;2Wire USB;C:\WINDOWS\system32\DRIVERS\2WirePCP.sys [2005-05-12 11:26]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 01:01]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 16:44:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-17 09:29:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-05-13 12:25:44 C:\WINDOWS\Tasks\McAfee AntiSpyware.job"
- c:\progra~1\mcafee\MCAFEE~1\MASCon.exe
"2008-05-14 23:00:01 C:\WINDOWS\Tasks\ParetoLogic Registration.job"
- C:\WINDOWS\system32\rundll32.exe@
"2006-09-18 16:26:07 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-03-22 13:24:00 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- C:\PROGRA~1\Uniblue\SPYERA~1\SpyEraser.exe
"2007-10-14 06:03:04 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\PROGRA~1\Uniblue\SPYERA~1\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-17 08:57:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-17 9:02:21
ComboFix-quarantined-files.txt 2008-05-17 14:02:00
ComboFix2.txt 2008-05-16 06:49:48
ComboFix3.txt 2008-05-12 03:57:16
ComboFix4.txt 2008-05-09 07:52:08
ComboFix5.txt 2008-05-07 14:58:54

Pre-Run: 67,958,161,408 bytes free
Post-Run: 67,945,955,328 bytes free

236 --- E O F --- 2008-05-16 16:47:22
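What a helper actually looks at in a log like the one above, and whether the File:: and Folder:: targets of a CFScript (the procedure given in the earlier posts) were really removed, can be automated. The Python below is an added example written for this page; it is not code from the thread, from gringo_pr, or from ComboFix. It assumes only the layout seen in the posted logs (the "((( title )))" section banners, "[ ]" after a Run entry whose file was not found, doubled backslashes in the firewall exception list) and runs on constructed samples trimmed from those logs.

```python
# Triage a ComboFix log: added example, not code from the thread or from ComboFix.
# The samples are constructed from shapes in the posted logs, trimmed to what matters.
import re

SAMPLE_LOG = r"""
((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))
C:\WINDOWS\BMa3f72945.xml
C:\Program Files\temp01\
C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"""
SAMPLE_CFSCRIPT = r"""
File::
C:\WINDOWS\BMa3f72945.xml

Folder::
C:\Program Files\temp01
C:\Documents and Settings\All Users\Application Data\iWin Games
"""
BANNER = re.compile(r"^\(+\s*(.*?)\s*\)+\s*$")
RUN_KEY = re.compile(r"\\(Run|RunOnce|RunServices)\]$", re.IGNORECASE)
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<info>[^\]]*)\]$')
WEAK_VALUES = {  # ComboFix prints these only when they differ from the secure default
    '"EnableFirewall"= 0 (0x0)': "Windows Firewall disabled",
    '"AntiVirusDisableNotify"=dword:00000001': "Security Center AV notifications disabled",
    '"DisableMonitoring"=dword:00000001': "Security Center product monitoring disabled",
}

def parse_sections(log_text):
    """Split the log at its '((( title )))' banner lines into {title: [lines]}."""
    sections, current = {"header": []}, "header"
    for line in log_text.splitlines():
        m = BANNER.match(line)
        if m and m.group(1):
            current = m.group(1)
            sections[current] = []
        else:
            sections[current].append(line)
    return sections

def registry_lines(sections):
    """Yield (current registry key, stripped line) from 'Reg Loading Points'."""
    key = ""
    for line in sections.get("Reg Loading Points", []):
        line = line.strip()
        if line.startswith("["):
            key = line
        elif line:
            yield key, line

def missing_autostarts(sections):
    """Run-key entries whose file ComboFix could not find; it prints '[ ]' for those."""
    found = []
    for key, line in registry_lines(sections):
        m = RUN_ENTRY.match(line)
        if RUN_KEY.search(key) and m and not m.group("info").strip():
            found.append((m.group("name"), m.group("path")))
    return found

def weakened_protections(sections):
    """(registry key, description) for every WEAK_VALUES line present."""
    return [(k, WEAK_VALUES[v]) for k, v in registry_lines(sections) if v in WEAK_VALUES]

def firewall_exceptions(sections):
    """Programs allowed through the firewall; the log stores their paths with doubled backslashes."""
    return [line[1:-2].replace("\\\\", "\\") for key, line in registry_lines(sections)
            if "AuthorizedApplications\\List" in key and line.endswith('"=')]

def cfscript_targets(script_text):
    """[(directive, path)] for the File:: and Folder:: blocks of a CFScript."""
    targets, directive = [], None
    for line in (l.strip() for l in script_text.splitlines()):
        if not line:
            directive = None  # a blank line ends the current block
        elif line.endswith("::"):
            directive = line[:-2]
        elif directive in ("File", "Folder"):
            targets.append((directive, line))
    return targets

def confirm_deletions(script_text, sections):
    """{target: True if 'Other Deletions' lists it or, for a Folder, anything inside it}."""
    deleted = {ln.strip().rstrip("\\").lower() for ln in sections.get("Other Deletions", [])
               if ln.strip() not in ("", ".") and not ln.startswith("----")}
    report = {}
    for directive, path in cfscript_targets(script_text):
        p = path.rstrip("\\").lower()
        inside = directive == "Folder" and any(d.startswith(p + "\\") for d in deleted)
        report[path] = p in deleted or inside
    return report
```

To use it on a real run, read the saved ComboFix.txt into parse_sections and pass the CFScript text to confirm_deletions. A "[ ]" autostart only means the file was not on disk when ComboFix looked, so it may be an orphan from an uninstall rather than malware; the disabled firewall, the Security Center values, and the exception list (a bare C:\StubInstaller.exe and LimeWire in the log above) are the lines a helper would actually ask about.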

#22 gringo_pr

gringo_pr

    Silver Member

  • Visiting Fellow
  • PipPipPip
  • 423 posts

Posted 21 May 2008 - 06:13 PM

Hello IAmSusie3

Sorry for taking so long; they are trying to kill me at work.

Let's do this one more time.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

File::
C:\WINDOWS\BMa3f72945.xml

Folder::
C:\Program Files\temp01
C:\Documents and Settings\All Users\Application Data\iWin Games


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Let me have the log ComboFix makes, please.

gringo

#23 gringo_pr

gringo_pr

    Silver Member

  • Visiting Fellow
  • PipPipPip
  • 423 posts

Posted 25 May 2008 - 02:07 PM

Hello

: three day bump :


It has been three days since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48 hours you have not replied to this thread, then it will have to be closed!

Gringo

#24 IAmSusie3

IAmSusie3

    Authentic Member

  • Authentic Member
  • PipPip
  • 55 posts

Posted 27 May 2008 - 10:34 PM

Hey, yes, I still need help. Don't leave me!!!! We went out of town and I'm just now checking my emails. I'll do this for you, please don't go away!!! Oh no, I just read that I had 48 hours. Has it been 48 hours? Oh, please tell me I didn't lose my helper.

Edited by IAmSusie3, 27 May 2008 - 10:36 PM.


#25 IAmSusie3

IAmSusie3

    Authentic Member

  • Authentic Member
  • PipPip
  • 55 posts

Posted 28 May 2008 - 10:18 AM

OK, here's the latest info you needed. Hope I'm not too late:

ComboFix 08-05-27.4 - Owner 2008-05-28 10:54:42.9 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.117 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\cfscript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BMa3f72945.xml
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\iWin Games
C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\res\btn_all.png
C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\res\btn_dl.png
C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\res\btn_next.png
C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\res\btn_prev.png
C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\WebUpdater.exe
C:\Documents and Settings\All Users\Application Data\iWin Games\drm\data\{17035800-0871-0331-4342-74480F0FF4IW}.dta
C:\Documents and Settings\All Users\Application Data\iWin Games\drm\drm_1735808713314347448_PollyPride.ifn.stdat
C:\Documents and Settings\Guest\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\CPV.stt
C:\Program Files\temp01\

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-28 )))))))))))))))))))))))))))))))
.

2008-05-17 12:41 . 2008-05-21 01:31 <DIR> d-------- C:\Program Files\The Amazing Brain Train
2008-05-17 11:33 . 2008-05-17 11:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Astar Games
2008-05-17 11:31 . 2008-05-17 11:31 <DIR> d-------- C:\Program Files\Laura Jones and the Gates of Good and Evil
2008-05-16 00:56 . 2008-05-16 00:56 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MysteryStudio
2008-05-15 23:53 . 2008-05-15 23:56 <DIR> d-------- C:\Program Files\The Lost Cases of Sherlock Holmes
2008-05-15 23:48 . 2008-05-15 23:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Gaijin Ent
2008-05-15 23:25 . 2008-05-15 23:25 <DIR> d-------- C:\Program Files\Mystery Cookbook
2008-05-15 20:39 . 2008-05-15 20:42 <DIR> d-------- C:\Program Files\Airport Mania - First Flight
2008-05-15 11:43 . 2008-05-15 11:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\iWinArcade
2008-05-13 21:12 . 2008-05-13 21:23 538 --a------ C:\WINDOWS\wwwconfig.dat
2008-05-13 00:23 . 2008-05-13 00:23 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-13 00:23 . 2008-05-13 00:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-11 23:07 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-11 23:07 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-05 16:58 . 2008-05-05 16:58 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Gamelab
2008-05-05 16:31 . 2008-05-17 01:22 <DIR> d-------- C:\Program Files\SpongeBob SquarePants Diner Dash
2008-05-05 00:48 . 2008-05-05 00:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Zylom
2008-05-04 23:13 . 2008-05-04 23:13 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\iWin
2008-05-04 16:37 . 2008-05-04 16:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-30 17:38 . 2008-04-30 17:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-04-30 17:28 . 2008-04-30 17:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-30 17:28 . 2008-04-30 17:28 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-04-30 17:28 . 2008-04-30 17:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-30 16:39 . 2008-04-30 16:39 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-30 13:24 . 2008-04-30 13:31 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-30 00:26 . 2008-04-30 00:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-04-30 00:09 . 2006-09-18 10:57 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-30 00:09 . 2006-09-18 11:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-04-30 00:09 . 2006-09-18 11:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-04-30 00:09 . 2006-09-18 11:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-04-30 00:09 . 2008-04-30 00:09 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-29 17:16 . 2008-04-29 17:16 <DIR> d-------- C:\Program Files\Mystery P.I. - The Vegas Heist
2008-04-29 17:16 . 2008-05-15 09:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SpinTop
2008-04-28 18:01 . 2008-05-12 23:10 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-28 18:01 . 2008-04-28 18:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-28 18:01 . 2008-04-28 18:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-28 14:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-05-27 19:48 --------- d-----w C:\Program Files\LimeWire
2008-05-21 06:32 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-15 14:41 --------- d-----w C:\Program Files\Bonjour
2008-05-15 14:26 --------- d-----w C:\Documents and Settings\Owner\Application Data\Pogo Games
2008-05-09 07:37 --------- d-----w C:\Program Files\QuickTime
2008-05-09 07:37 --------- d-----w C:\Program Files\Norton Internet Security
2008-05-09 07:37 --------- d-----w C:\Program Files\Microsoft LifeCam
2008-05-09 07:37 --------- d-----w C:\Program Files\iTunes
2008-05-09 07:37 --------- d-----w C:\Program Files\Digital Media Reader
2008-05-09 07:37 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-09 07:37 --------- d-----w C:\Program Files\America Online 9.0
2008-05-07 07:14 --------- d-----w C:\Documents and Settings\Owner\Application Data\PlayFirst
2008-05-07 07:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-05-07 02:49 --------- d-----w C:\Program Files\Brain Booster
2008-05-05 06:28 --------- d-----w C:\Program Files\Lx_cats
2008-05-05 04:14 --------- d-----w C:\Program Files\Family Feud III - Dream Home
2008-05-04 05:59 --------- d-----w C:\Program Files\AOL Games
2008-05-01 05:41 --------- d-----w C:\Program Files\2Wire
2008-04-30 05:35 --------- d-----w C:\Documents and Settings\Owner\Application Data\Uniblue
2008-04-29 08:45 --------- d-----w C:\Program Files\GameHouse
2008-04-29 07:13 --------- d-----w C:\Documents and Settings\Owner\Application Data\Big Fish Games
2008-04-29 06:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Fugazo
2008-04-29 00:20 --------- d-----w C:\Program Files\BFG
2008-04-21 08:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Gogii
2008-04-21 08:45 --------- d-----w C:\Program Files\The Hidden Object Show
2008-04-21 02:30 --------- d-----w C:\Program Files\Tropix
2008-04-20 22:13 13,984 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-04-20 07:21 --------- d-----w C:\Program Files\Dream Day - First Home
2008-04-20 06:15 --------- d-----w C:\Program Files\Dream Day First Home
2008-04-19 06:59 --------- d-----w C:\Program Files\bfgclient
2008-04-10 05:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Interama
2008-04-10 04:48 --------- d-----w C:\Program Files\MostFun
2008-04-07 07:13 --------- d-----w C:\Documents and Settings\Owner\Application Data\Pi Eye Games
2008-04-07 06:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\MostFun
2008-04-07 06:23 --------- d-----w C:\Program Files\Circulate
2008-04-04 19:43 --------- d-----w C:\Program Files\iPod
2008-04-02 19:21 --------- d-----w C:\Program Files\Games
2008-04-02 03:18 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ludia
2008-04-02 03:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ludia
2008-04-01 07:50 --------- d-----w C:\Documents and Settings\Owner\Application Data\Boomzap
2008-04-01 07:02 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-03-28 01:24 --------- d-----w C:\Program Files\CardRecovery
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-12 15:10 0 ----a-w C:\Program Files\temp01
2006-12-19 00:21 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-11-11 23:06 1,727,833 ----a-w C:\Program Files\ChayceAndRoland.JPG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShutterflyStudio"="C:\Program Files\Shutterfly\Studio\BIN\SFlyStudio.exe" [2007-03-06 13:05 2496512]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 19:42 79448]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 14:05 212992]
"LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 14:47 73728]
"avast! Web Scanner"="C:\PROGRA~1\ALWILS~1\Avast4\ashWebSv.exe" [ ]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-05 18:03 267064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"avast!"="C:\Program Files\Alwil Software\Avast4\ashServ.exe" [ ]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
2WireSetup.lnk - C:\Program Files\2Wire\WebWorks.exe [2008-05-01 00:40:53 622592]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
2WireSetup.lnk - C:\Program Files\2Wire\WebWorks.exe [2008-05-01 00:40:53 622592]
Event Minder Reminders.lnk - C:\HALLMARK\EMREMIND.EXE [2007-07-09 16:39:42 6240]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Install Pending Files.LNK - C:\Program Files\SIFXINST\SIFXINST.EXE [2006-09-18 11:35:37 729088]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\1158597562\\EE\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MostFun\\Bin\\MostFun.exe"=

R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2006-10-13 18:01]
R3 2WIREPCP;2Wire USB;C:\WINDOWS\system32\DRIVERS\2WirePCP.sys [2005-05-12 11:26]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 01:01]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 16:44:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-28 14:29:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-05-20 15:06:05 C:\WINDOWS\Tasks\McAfee AntiSpyware.job"
- c:\progra~1\mcafee\MCAFEE~1\MASCon.exe
"2008-05-22 23:00:00 C:\WINDOWS\Tasks\ParetoLogic Registration.job"
- C:\WINDOWS\system32\rundll32.exe@
"2006-09-18 16:26:07 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-03-22 13:24:00 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- C:\PROGRA~1\Uniblue\SPYERA~1\SpyEraser.exe
"2007-10-14 06:03:04 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\PROGRA~1\Uniblue\SPYERA~1\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-28 10:57:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-05-28 11:01:23
ComboFix-quarantined-files.txt 2008-05-28 16:00:19
ComboFix2.txt 2008-05-28 14:25:38
ComboFix3.txt 2008-05-17 14:02:22
ComboFix4.txt 2008-05-16 06:49:48
ComboFix5.txt 2008-05-12 03:57:16

Pre-Run: 67,350,503,424 bytes free
Post-Run: 67,336,269,824 bytes free

212 --- E O F --- 2008-05-16 16:47:22
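For a helper reviewing a log like the one above, the useful triage points are in the "Reg Loading Points" block: autorun entries ComboFix lists with an empty `[ ]` (it found no file to stat), Security Center values that silence AV/firewall alerts, and `EnableFirewall`=0 on the active profile. The following is an added example, not code from this thread or from ComboFix; it assumes only the section/value layout shown in the posted log and runs over a constructed excerpt.

```python
import re

# Constructed excerpt in the layout of the posted ComboFix log (sample data,
# not the full log from the thread).
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"Recguard"="%WINDIR%\\SMINST\\RECGUARD.EXE" [ ]
"QuickTime Task"="C:\\Program Files\\QuickTime\\qttask.exe" [2007-06-29 06:24 286720]

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")          # [HKEY_...\Key]
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')   # "Name"=<rest of line>
SC_FLAGS = ("AntiVirusDisableNotify", "FirewallDisableNotify", "DisableMonitoring")


def triage(log_text):
    """Return (key_path, value_name, reason) tuples for the entries a
    reviewer should look at first in a ComboFix 'Reg Loading Points' block."""
    findings = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or section is None:
            continue
        name, rest = m.groups()
        lower = section.lower()
        # "[ ]" after an autorun entry: ComboFix had no date/size for the
        # target, i.e. the file is missing or unreadable (assumption).
        if lower.endswith("\\run") and rest.endswith("[ ]"):
            findings.append((section, name, "autorun target not found on disk"))
        # Security Center flags set to 1 suppress AV/firewall warnings.
        if "security center" in lower and name in SC_FLAGS and rest.endswith("00000001"):
            findings.append((section, name, "Security Center alert/monitoring disabled"))
        # Windows Firewall switched off for the profile in use.
        if "firewallpolicy" in lower and name == "EnableFirewall" and rest.startswith("0"):
            findings.append((section, name, "Windows Firewall disabled"))
    return findings
```

Run `triage(open("ComboFix.txt").read())` on a saved log to get the same four kinds of hits the sample produces; the disabled-notification and firewall values are worth confirming with the user, since some security suites set them on purpose.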


#26 gringo_pr

gringo_pr

    Silver Member

  • Visiting Fellow
  • PipPipPip
  • 423 posts

Posted 28 May 2008 - 03:40 PM

No, you are not too late. I will be back soon with new instructions. Gringo

#27 IAmSusie3

IAmSusie3

    Authentic Member

  • Authentic Member
  • PipPip
  • 55 posts

Posted 28 May 2008 - 05:15 PM

OH...THANK GOODNESS!!! TALK TO YOU IN A BIT.

#28 gringo_pr

gringo_pr

    Silver Member

  • Visiting Fellow
  • PipPipPip
  • 423 posts

Posted 29 May 2008 - 07:21 PM

Hello IAmSusie3

You are still doing very well, and don't worry, I will give you a couple of chances before I close this.

If you think you are going to be more than a couple of days, just send me a note, ok?

AND WHAT IS UP WITH ALL THIS AOL STUFF ON THE PROCESS LIST? WHY IS ALL THAT STUFF RUNNING OR EVEN ON THERE? IS IT SUPPOSED TO BE THERE?

Do you use AOL?
If not, we will start to get rid of it.

I FOUND THAT PLACE AGAIN AND THERE WAS "ADMINISTRATOR", "ADMINISTRATORS", AND LIKE 3 "USERS" OR "GUESTS" SIGNED ON OR SOMETHING LIKE THAT.

Sounds strange.
Click on Start --> Settings --> Control Panel --> User Accounts and let me know the names and how many accounts you have. Guest is normal, so don't worry about that one.

Now do the steps below

: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

:Run Kaspersky Online AV Scanner:

  • In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Copy and paste the report into your next reply

:information and logs:

In your next post I need the following

1. log from MBAM
2. log from Kaspersky
Gringo


#29 IAmSusie3

IAmSusie3

    Authentic Member

  • Authentic Member
  • PipPip
  • 55 posts

Posted 01 June 2008 - 03:02 AM

Just letting you know that I'm still here. It's just been crazy here. Kids will be out of school in 4 more days and then maybe I can relax a bit....(YEAH RIGHT). Anyway, it's like 4 in the morning and I am going to bed. I will do all that stuff tomorrow (Sunday) at my first possible chance. For starters, NO, I DO NOT HAVE AOL. We use sbcglobal.net (if that's what you mean...our phone bill will our internet service is AT&T). Talk to you tomorrow.

#30 gringo_pr

gringo_pr

    Silver Member

  • Visiting Fellow
  • PipPipPip
  • 423 posts

Posted 02 June 2008 - 06:42 AM

Ok, I'll be waiting. Gringo
