Win32 Trojan - Problem

Alan1ar1s

New Member
Hello guys,

It's been a week now that I have been having problems with a virus, Win32 (onlinegames and several other sub-categories of this trojan). Every time I plug a new USB device into my laptop I see a pop-up window from ESET saying that a file has been deleted because it is possibly a virus, and most of the time it says it may be Autorun.exe.
I have installed a variety of antivirus and antispyware tools to solve the problem, but none of them manages to find the trojan except ESET NOD32. Some of the best antispyware tools on the market haven't done anything (Spy Sweeper, Spyware Doctor, Malwarebytes Anti-Malware, etc.). They found lots of other malicious software but not this specific trojan. The problem is that I infect every computer I plug a USB stick into that was previously plugged into my PC. :mad:

What are your suggestions about my problem?
Thanks in advance
 

Alan1ar1s

New Member
Re-format the stick. Though I can't see why NOD couldn't remove the trojan...

Mate, the problem is not the stick... (Before I noticed the virus I had attached more than 2-3 sticks to my laptop.)
The problem is the trojan and how I can remove it :confused:
 

Alan1ar1s

New Member
Oh *facepalm*

Well, really, if NOD (or any other program for that matter) can't get rid of it, your only option is to reformat the whole computer.

Thanks for your advice my friend, but this is the last option I am thinking of right now.

I hope someone else suggests something not so "painful" :p and time-wasting.
 

Respital

Active Member
Thanks for your advice my friend, but this is the last option I am thinking of right now.

I hope someone else suggests something not so "painful" :p and time-wasting.

Don't worry we should be able to clean this up without reformatting. Please read the following steps carefully and complete the instructions.


Download and Run ComboFix
If you already have ComboFix, please delete this copy and download it again, as it is updated regularly.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes named findstr, find, sed or swreg; ComboFix should then continue.
If that happens, we want to know, and also which process you had to end.



How to run a scan with Malwarebytes' Anti-Malware

Download Malwarebytes' Anti-Malware from Here, Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.



Download and post a log with HiJackThis.

Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
  • Click Save to save the log file and then the log will open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

In your next reply (or replies) I will need:
  • The ComboFix log
  • The Malwarebytes' log
  • The HiJackThis log
  • An update on how your computer is running.
 

Alan1ar1s

New Member
Here are the logs of the three programs:

ComboFix:

ComboFix 09-02-19.01 - Andreas Dimitriou 2009-02-21 2:42:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1253.30.1033.18.1023.479 [GMT 0:00]
Running from: c:\documents and settings\Andreas Dimitriou\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-01-21 to 2009-02-21 )))))))))))))))))))))))))))))))
.

2009-02-21 02:39 . 2009-02-21 02:40 <DIR> d-------- C:\32788R22FWJFW
2009-02-20 14:15 . 2009-02-20 14:15 56 --ah----- c:\windows\system32\ezsidmv.dat
2009-02-20 14:14 . 2009-02-20 14:14 <DIR> dr------- c:\program files\Skype
2009-02-20 14:14 . 2009-02-20 14:14 <DIR> d-------- c:\program files\Common Files\Skype
2009-02-20 03:26 . 2009-02-20 03:26 <DIR> d-------- c:\documents and settings\Andreas Dimitriou\Application Data\IDM
2009-02-20 01:17 . 2009-02-20 01:17 <DIR> d-------- c:\documents and settings\Andreas Dimitriou\Application Data\True Sword
2009-02-20 01:16 . 2009-02-20 01:19 <DIR> d-------- c:\program files\True Sword 4
2009-02-19 23:38 . 2009-02-19 23:38 <DIR> d-------- C:\Binaries
2009-02-19 23:37 . 2009-02-19 23:37 <DIR> d-------- c:\program files\Webroot
2009-02-19 23:37 . 2009-02-19 23:37 <DIR> d-------- c:\documents and settings\Andreas Dimitriou\Application Data\Webroot
2009-02-19 23:37 . 2009-02-19 23:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Webroot
2009-02-19 23:37 . 2008-10-12 13:18 1,553,272 --a------ c:\windows\WRSetup.dll
2009-02-18 15:03 . 2009-02-20 03:27 <DIR> d-------- c:\documents and settings\Andreas Dimitriou\Application Data\DMCache
2009-02-18 01:05 . 2009-02-18 01:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-18 01:05 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-18 01:05 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-17 17:58 . 2009-02-17 18:23 <DIR> d-------- c:\program files\XoftSpySE
2009-02-17 16:55 . 2009-02-17 16:55 <DIR> d-------- c:\documents and settings\Andreas Dimitriou\Application Data\Malwarebytes
2009-02-17 16:54 . 2009-02-17 16:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-17 16:45 . 2009-02-17 16:45 <DIR> d-------- c:\documents and settings\Andreas Dimitriou\DoctorWeb
2009-02-17 16:30 . 2009-02-17 16:30 <DIR> d-------- c:\documents and settings\Andreas Dimitriou\Application Data\Lavasoft
2009-02-17 16:23 . 2009-02-17 16:23 <DIR> d-------- c:\program files\ESET
2009-02-17 16:23 . 2009-02-17 16:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2009-02-17 16:19 . 2009-02-17 16:19 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-02-17 16:07 . 2009-02-17 16:16 <DIR> d-------- c:\program files\Your Uninstaller 2008
2009-02-17 16:07 . 2009-02-17 16:07 <DIR> d-------- c:\documents and settings\Andreas Dimitriou\Application Data\URSoft
2009-02-17 03:00 . 2009-02-17 03:00 <DIR> d-------- c:\program files\MSXML 4.0
2009-02-15 23:10 . 2009-02-15 23:10 <DIR> d-------- c:\documents and settings\Andreas Dimitriou\Application Data\HP
2009-02-15 23:10 . 2009-02-15 23:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP
2009-02-15 23:08 . 2009-02-15 23:09 <DIR> d-------- c:\program files\Common Files\HP
2009-02-15 23:06 . 2009-02-15 23:07 <DIR> d-------- c:\program files\Hewlett-Packard
2009-02-15 23:06 . 2009-02-15 23:06 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2009-02-15 23:03 . 2006-04-10 14:03 48,128 --a------ c:\windows\system32\hpzll054.dll
2009-02-15 23:02 . 1998-10-29 16:45 306,688 --a------ c:\windows\IsUninst.exe
2009-02-15 23:02 . 2006-03-03 21:03 282,680 --a------ c:\windows\system32\HPZidr12.dll
2009-02-15 23:02 . 2006-03-03 21:02 204,800 --a------ c:\windows\system32\HPZipr12.dll
2009-02-15 23:02 . 2006-03-03 21:02 94,208 --a------ c:\windows\system32\HPZipt12.dll
2009-02-15 23:02 . 2006-03-03 21:03 69,632 --a------ c:\windows\system32\HPZipm12.exe
2009-02-15 23:02 . 2006-03-03 21:03 65,536 --a------ c:\windows\system32\HPZinw12.exe
2009-02-15 23:02 . 2006-03-03 21:02 57,344 --a------ c:\windows\system32\HPZisn12.dll
2009-02-15 23:01 . 2009-02-15 23:09 <DIR> d-------- c:\program files\HP
2009-02-15 23:00 . 2009-02-15 23:11 117,673 --a------ c:\windows\hpoins11.dat
2009-02-15 20:39 . 2006-04-12 12:02 659,456 --a------ c:\windows\system32\hpowiax2.dll
2009-02-15 20:39 . 2006-04-12 12:02 598,016 --a------ c:\windows\system32\hpotscl2.dll
2009-02-15 20:39 . 2006-04-12 12:02 254,026 --a------ c:\windows\system32\hpovst09.dll
2009-02-15 20:39 . 2006-04-12 12:04 49,664 --a------ c:\windows\system32\drivers\HPZid412.sys
2009-02-15 20:39 . 2006-04-12 12:04 21,568 --a------ c:\windows\system32\drivers\HPZius12.sys
2009-02-15 20:39 . 2006-04-12 12:04 16,496 --a------ c:\windows\system32\drivers\HPZipr12.sys
2009-02-15 20:34 . 2005-07-18 13:39 98,304 --a------ c:\windows\system32\hpzjsn01.dll
2009-02-15 20:31 . 2006-04-12 12:04 282,624 --a------ c:\windows\system32\HPZc3212.dll
2009-02-15 20:31 . 2006-05-05 12:25 11,634 --a------ c:\windows\hpomdl11.dat
2009-02-15 20:30 . 2006-01-03 18:12 77,824 --a------ c:\windows\system32\HPZIDS01.dll
2009-02-15 02:57 . 2009-02-19 23:54 <DIR> d-------- c:\documents and settings\Andreas Dimitriou\Tracing
2009-02-15 02:55 . 2009-02-15 02:55 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-02-15 02:55 . 2009-02-15 02:55 <DIR> d-------- c:\program files\Microsoft
2009-02-15 02:49 . 2009-02-15 02:49 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-02-10 17:39 . 2009-02-10 17:39 <DIR> d-------- c:\program files\ooVoo
2009-02-10 17:39 . 2009-02-10 17:40 <DIR> d-------- c:\documents and settings\Andreas Dimitriou\Application Data\ooVoo Details
2009-02-10 17:36 . 2009-02-10 17:36 <DIR> d-------- c:\windows\PixArt
2009-02-10 17:36 . 2009-02-10 17:36 <DIR> d-------- c:\program files\KYE
2009-02-10 17:36 . 2009-02-10 17:36 <DIR> d-------- c:\program files\Common Files\PAC7302
2009-02-10 17:36 . 2006-11-03 10:59 48,128 --a------ c:\windows\system32\Remove.exe
2009-02-10 17:36 . 2007-05-24 12:17 291 --a------ c:\windows\system32\Remover.ini
2009-02-10 17:35 . 2004-08-03 23:07 59,264 --a------ c:\windows\system32\drivers\USBAUDIO.sys
2009-02-10 17:35 . 2004-08-03 23:07 59,264 --a--c--- c:\windows\system32\dllcache\usbaudio.sys
2009-02-09 22:11 . 2009-02-18 00:07 <DIR> d-------- C:\Temp
2009-02-06 18:52 . 2009-02-06 18:52 49,504 --a------ c:\windows\system32\sirenacm.dll
2009-02-05 21:52 . 2009-02-05 21:55 <DIR> d-------- C:\TPW
2009-02-05 21:52 . 2009-02-05 21:52 <DIR> d-------- c:\documents and settings\Andreas Dimitriou\WINDOWS
2009-02-05 21:52 . 1992-06-08 01:50 130,224 --a------ c:\windows\system\BWCC.DLL
2009-02-05 21:52 . 1992-06-08 01:50 26,960 --a------ c:\windows\WINHELP.HLP
2009-02-05 21:52 . 1992-06-08 01:50 9,279 --a------ c:\windows\system\TDDEBUG.386
2009-02-05 21:52 . 2009-02-05 21:55 137 --a------ c:\windows\WORKSHOP.INI
2009-02-05 21:52 . 2009-02-05 21:52 137 --a------ c:\windows\TDW.INI
2009-02-05 21:52 . 2009-02-12 13:25 91 --a------ c:\windows\TPW.INI
2009-02-05 11:06 . 2009-02-05 11:05 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-04 20:04 . 2009-02-04 20:04 <DIR> d-------- c:\program files\Common Files\xing shared
2009-02-04 16:50 . 2009-02-20 01:39 <DIR> d-------- c:\program files\Spyware Doctor
2009-02-04 16:50 . 2009-02-04 16:50 <DIR> d-------- c:\documents and settings\Andreas Dimitriou\Application Data\PC Tools
2009-02-04 16:50 . 2009-02-04 17:24 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-02-04 16:50 . 2009-02-04 17:24 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-02-04 16:50 . 2009-02-04 17:24 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-02-04 16:50 . 2008-06-02 15:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-02-04 16:33 . 2009-02-05 01:15 <DIR> d-------- c:\documents and settings\Andreas Dimitriou\Application Data\Download Manager
2009-02-04 16:30 . 2009-02-12 19:05 <DIR> d-------- c:\program files\Google
2009-02-02 19:09 . 2009-02-02 19:09 <DIR> d-------- c:\program files\Common Files\snp2std
2009-02-02 19:09 . 2007-01-26 16:48 12,028,032 --a------ c:\windows\system32\drivers\snp2sxp.sys
2009-02-02 19:09 . 2006-09-15 13:21 675,840 --a------ c:\windows\vsnp2std.exe
2009-02-02 19:09 . 2005-01-26 15:45 349,472 --a------ c:\windows\WindowsXP-KB822603-x86.exe
2009-02-02 19:09 . 2006-11-29 16:11 258,048 --a------ c:\windows\tsnp2std.exe
2009-02-02 19:09 . 2006-10-03 14:35 249,856 --a------ c:\windows\system32\vsnp2std.dll
2009-02-02 19:09 . 2007-02-05 15:25 151,552 --a------ c:\windows\system32\rsnp2std.dll
2009-02-02 19:09 . 2006-11-16 15:57 77,824 --a------ c:\windows\system32\csnp2std.dll
2009-02-02 19:09 . 2007-01-25 18:48 25,472 --a------ c:\windows\system32\drivers\sncamd.sys
2009-02-02 19:09 . 2007-02-12 14:50 20,480 --a------ c:\windows\FixCamera.exe
2009-02-02 19:09 . 2004-12-09 17:23 15,497 --a------ c:\windows\snp2std.ini
2009-02-02 19:09 . 2004-12-09 17:23 13,022 --a------ c:\windows\snp2std.src

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 00:51 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-21 00:33 --------- d-----w c:\documents and settings\Andreas Dimitriou\Application Data\Skype
2009-02-21 00:05 --------- d-----w c:\documents and settings\Andreas Dimitriou\Application Data\skypePM
2009-02-20 14:14 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-02-17 18:23 --------- d-----w c:\program files\DAEMON Tools Pro
2009-02-17 17:29 --------- d-----w c:\program files\MegauploadToolbar
2009-02-15 02:54 --------- d-----w c:\program files\Windows Live
2009-02-12 17:48 --------- d-----w c:\documents and settings\Andreas Dimitriou\Application Data\Metacafe
2009-02-12 17:48 --------- d-----w c:\documents and settings\All Users\Application Data\Metacafe
2009-02-12 03:05 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-10 17:39 --------- d-----w c:\program files\InstallShield Installation Information
2009-02-05 11:05 --------- d-----w c:\program files\Java
2009-02-04 20:04 --------- d-----w c:\program files\Common Files\Real
2009-02-04 16:31 --------- d-----w c:\documents and settings\Andreas Dimitriou\Application Data\MegauploadToolbar
2009-02-01 05:00 --------- d-----w c:\documents and settings\Andreas Dimitriou\Application Data\U3
2008-02-25 23:16 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
.

------- Sigcheck -------

2008-04-14 00:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\winlogon.exe
2008-05-01 00:22 502272 6e8ca4fcb30282f216f5db9dd58a5f81 c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2008-10-12 13:11 238968 --a------ c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_9.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"rideooff"="c:\windows\system32\rideooff.exe" [2002-10-25 640512]
"PRISMSTA.EXE"="c:\windows\system32\PRISMSTA.EXE" [2002-09-02 214528]
"MPB"="c:\windows\system32\MPB.exe" [2003-04-28 278528]
"SoundMan"="c:\windows\SOUNDMAN.EXE" [2003-03-27 53248]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-05-21 4726784]
"nwiz"="c:\windows\system32\nwiz.exe" [2003-05-21 323584]
"PCTVOICE"="c:\windows\system32\pctspk.exe" [2002-10-29 167936]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-02-03 114688]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-02-03 630784]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-05 136600]
"snp2std"="c:\windows\vsnp2std.exe" [2006-09-15 675840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-02-04 185896]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-10-24 1451264]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2008-10-12 6272888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"msacm.imc"= imc32.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12654:TCP"= 12654:TCP:BitComet 12654 TCP
"12654:UDP"= 12654:UDP:BitComet 12654 UDP
"7154:TCP"= 7154:TCP:BitComet 7154 TCP
"7154:UDP"= 7154:UDP:BitComet 7154 UDP
"12497:TCP"= 12497:TCP:BitComet 12497 TCP
"12497:UDP"= 12497:UDP:BitComet 12497 UDP
"9911:TCP"= 9911:TCP:BitComet 9911 TCP
"9911:UDP"= 9911:UDP:BitComet 9911 UDP
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-10-02 29808]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-10-24 34824]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-10-24 468224]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [2009-02-19 1066360]
R3 GetPort;GetPort;c:\windows\system32\getport.sys [2002-10-23 3200]
R3 MTC0001_MPB;MPB device driver;c:\windows\system32\NTMPB.SYS [2008-02-25 5072]
R3 PRISM;Intersil PRISM Wireless LAN Driver;c:\windows\system32\drivers\PRISMNDS.sys [2002-09-02 50688]
S3 AVPsys;AVPsys;c:\windows\system32\drivers\tdi.sys [2004-08-04 18560]
S3 PAC7302;Messenger 310;c:\windows\system32\drivers\PAC7302.SYS [2007-06-14 457856]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-02-04 356920]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\drivers\silabenm.sys [2008-05-16 17920]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\drivers\silabser.sys [2008-05-16 61696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{090a177f-67d6-11dd-b82e-0040d04bc1d7}]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{090a1780-67d6-11dd-b82e-0040d04bc1d7}]
\Shell\Auto\command - G:\Autorun.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{221ba86b-6633-11dd-b82d-0040d04bc1d7}]
\Shell\auto\command - G:\Knight.exe open
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
\Shell\explore\command - G:\Knight.exe open
\Shell\find\command - G:\Knight.exe open
\Shell\install\command - G:\Knight.exe open
\Shell\open\command - G:\Knight.exe open

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34fa83f3-02a9-11dd-b7f5-0040d04bc1d7}]
\Shell\Auto\command - F:\Autorun.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34fa8520-02a9-11dd-b7f5-0040d04bc1d7}]
\Shell\Auto\command - F:\Autorun.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{431b0884-f256-11dc-b7e1-0040d04bc1d7}]
\Shell\AutoRun\command - F:\f.bat
\Shell\explore\Command - F:\f.bat
\Shell\open\Command - F:\f.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{560c32ed-235a-11dd-b7ff-0040d04bc1d7}]
\Shell\AutoRun\command - G:\CruzerProfile.exe /autorun

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b876454-e4d2-11dc-b7ca-0040d04bc1d7}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5e547f2-f015-11dd-b856-0040d04bc1d7}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5e547f3-f015-11dd-b856-0040d04bc1d7}]
\Shell\AutoRun\command - G:\opgde.exe
\Shell\open\Command - G:\opgde.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{becd82cc-e91a-11dc-b7d2-0040d04bc1d7}]
\Shell\Auto\command - H:\Autorun.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c17df10c-1c65-11dd-b7fc-0040d04bc1d7}]
\Shell\Auto\command - F:\Autorun.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{da756cc7-8674-11dd-b83b-0040d04bc1d7}]
\Shell\Shell00\Command - G:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{da756da0-8674-11dd-b83b-0040d04bc1d7}]
\Shell\AutoRun\command - E:\fe.bat
\Shell\explore\Command - E:\fe.bat
\Shell\open\Command - E:\fe.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dfce2a73-f72d-11dc-b7e3-0040d04bc1d7}]
\Shell\Auto\command - G:\Autorun.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{edcc8ddf-f1bd-11dd-b856-000000000000}]
\Shell\Auto\command - Autorun.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6f3884e-6abe-11dd-b831-0040d04bc1d7}]
\Shell\AutoRun\command - E:\nfdmg.com
\Shell\explore\Command - E:\nfdmg.com
\Shell\open\Command - E:\nfdmg.com
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DAEMON Tools Pro Agent - c:\program files\DAEMON Tools Pro\DTProAgent.exe
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.co.uk/
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab
FF - ProfilePath - c:\documents and settings\Andreas Dimitriou\Application Data\Mozilla\Firefox\Profiles\bxrem5l3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://my.shu.ac.uk/webapps/portal/frameset.jsp
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-21 02:49:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\ANDREA~1\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Webroot\WebrootSecurity\SpySweeper.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-21 2:55:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-21 02:55:38

Pre-Run: 6,854,545,408 bytes free
Post-Run: 7,230,562,304 bytes free

332 --- E O F --- 2009-02-17 19:33:46
 
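The mountpoints2 block in the ComboFix log above is the most telling part of the report for the USB problem described in the first post: Windows caches the shell verbs it parsed from a removable drive's autorun.inf under that per-drive key, so each entry is a record of what Explorer was told to run when a stick was inserted or double-clicked. Entries that only set AutoRun to a vendor launcher (LaunchU3.exe, CruzerProfile.exe /autorun) are what a U3-style stick normally leaves behind; entries that also redirect the open/explore/find verbs to the same file, point at a .bat or .com, or bounce through RunDLL32 ShellExec_RunDLL are the footprint of an autorun worm re-infecting every stick that is plugged in. The script below is an added example, not part of the thread and not ComboFix's own code: it parses lines in ComboFix's mountpoints2 format and scores each drive by those indicators. The indicator list, the scoring and the verdict thresholds are my own heuristics, and the sample input is constructed from the entries shown in the log above.

```python
"""Triage ComboFix 'mountpoints2' entries for signs of USB autorun persistence."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the exact shape ComboFix prints these keys; the GUIDs and
# commands are copied from the log posted above, nothing else is real.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{090a177f-67d6-11dd-b82e-0040d04bc1d7}]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{090a1780-67d6-11dd-b82e-0040d04bc1d7}]
\Shell\Auto\command - G:\Autorun.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{221ba86b-6633-11dd-b82d-0040d04bc1d7}]
\Shell\auto\command - G:\Knight.exe open
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
\Shell\explore\command - G:\Knight.exe open
\Shell\find\command - G:\Knight.exe open
\Shell\install\command - G:\Knight.exe open
\Shell\open\command - G:\Knight.exe open

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{431b0884-f256-11dc-b7e1-0040d04bc1d7}]
\Shell\AutoRun\command - F:\f.bat
\Shell\explore\Command - F:\f.bat
\Shell\open\Command - F:\f.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{560c32ed-235a-11dd-b7ff-0040d04bc1d7}]
\Shell\AutoRun\command - G:\CruzerProfile.exe /autorun

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6f3884e-6abe-11dd-b831-0040d04bc1d7}]
\Shell\AutoRun\command - E:\nfdmg.com
\Shell\explore\Command - E:\nfdmg.com
\Shell\open\Command - E:\nfdmg.com
"""

# One key header per drive GUID, then one line per shell verb ComboFix found under it.
KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
CMD_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.+)$", re.I)

# Heuristics (my own, not ComboFix's): verbs Explorer runs on double-click / right-click,
# and extensions that are scripts or COM programs rather than a vendor launcher.
EXPLORER_VERBS = {"open", "explore", "find"}
SCRIPT_EXT = (".bat", ".cmd", ".com", ".vbs", ".scr", ".pif")


def parse_mountpoints(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group (verb, command) pairs under the drive GUID whose key header precedes them."""
    entries: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            entries.setdefault(current, [])
            continue
        cmd = CMD_RE.match(line)
        if cmd and current is not None:
            entries[current].append((cmd.group("verb").lower(), cmd.group("cmd").strip()))
    return entries


def target_name(cmd: str) -> str:
    """Lower-cased basename of the program a command line starts with."""
    return cmd.split()[0].rsplit("\\", 1)[-1].lower()


def assess(commands: List[Tuple[str, str]]) -> Tuple[str, List[str]]:
    """Score one drive's verb list; two or more independent indicators => suspicious."""
    reasons: List[str] = []

    def note(reason: str) -> None:
        if reason not in reasons:          # one line per indicator, not per verb
            reasons.append(reason)

    verbs = {verb for verb, _ in commands}
    hijacked = sorted(verbs & EXPLORER_VERBS)
    if hijacked:                           # user actions on the drive run the payload too
        note("Explorer verbs redirected: " + ", ".join(hijacked))
    odd = sorted(verbs - EXPLORER_VERBS - {"autorun"})
    if odd:                                # 'auto', 'install', ... are not verbs a launcher needs
        note("non-standard verbs: " + ", ".join(odd))
    for _verb, cmd in commands:
        name = target_name(cmd)
        if name.endswith(SCRIPT_EXT):
            note("script or .com payload: " + name)
        if "shellexec_rundll" in cmd.lower():   # indirection so the payload is resolved on the drive
            note("payload launched via RunDLL32 ShellExec_RunDLL")

    verdict = "suspicious" if len(reasons) >= 2 else ("review" if reasons else "unremarkable")
    return verdict, reasons


def triage(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Map each drive GUID in a ComboFix report to (verdict, reasons)."""
    return {guid: assess(cmds) for guid, cmds in parse_mountpoints(text).items()}


if __name__ == "__main__":
    for guid, (verdict, reasons) in triage(SAMPLE_LOG).items():
        print(f"{guid}  {verdict}")
        for reason in reasons:
            print("    - " + reason)
```

Fed the whole ComboFix text instead of the sample, the script reports only the keys whose pattern matches the worm (the Knight.exe, f.bat, fe.bat, nfdmg.com and Autorun.exe drives in the log above) and leaves the U3 and Cruzer launchers alone. The keys are a record, not the infection: the files they point to live on the sticks and in the host's autorun chain, so the cleanup is the payload and the autorun.inf on each stick plus disabling autorun on the host; deleting the cached keys alone changes nothing.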

Alan1ar1s

New Member
MalwareBytes:

Malwarebytes' Anti-Malware 1.34
Database version: 1782
Windows 5.1.2600 Service Pack 2

21/02/2009 12:29:38
mbam-log-2009-02-21 (12-29-38).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 108095
Time elapsed: 49 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:01, on 21/02/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\rideooff.exe
C:\WINDOWS\system32\PRISMSTA.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\PixArt\PAC7302\Monitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [ehTray] "C:\WINDOWS\ehome\ehtray.exe"
O4 - HKLM\..\Run: [rideooff] "C:\WINDOWS\system32\rideooff.exe"
O4 - HKLM\..\Run: [PRISMSTA.EXE] "C:\WINDOWS\system32\PRISMSTA.EXE" START
O4 - HKLM\..\Run: [MPB] "C:\WINDOWS\system32\MPB.exe"
O4 - HKLM\..\Run: [SoundMan] "C:\WINDOWS\SOUNDMAN.EXE"
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /installquiet
O4 - HKLM\..\Run: [PCTVOICE] "C:\WINDOWS\system32\pctspk.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [snp2std] "C:\WINDOWS\vsnp2std.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PAC7302_Monitor] "C:\WINDOWS\PixArt\PAC7302\Monitor.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

--
End of file - 8206 bytes
 

Alan1ar1s

New Member
The computer is running smoothly. I didn't notice anything bad on it. I've plugged some USB sticks into it but no worrying activity was detected.
 

Respital

Active Member
So? Any ideas about what is going to solve the problem?

Do you still have a problem when you plug in flash drives? If so, please re-run ComboFix with them plugged in, then please re-run Malwarebytes and make sure all of the disks are checked to scan.
 

Alan1ar1s

New Member
Do you still have a problem when you plug in flash drives? If so, please re-run ComboFix with them plugged in, then please re-run Malwarebytes and make sure all of the disks are checked to scan.

Mate, one of the first programs I ran when I found the trojan was Malwarebytes. It did not find anything. When I'd finished scanning with Malwarebytes I ran ESET, and it was the only program that found the trojan. (Previously I'd checked with Spyware Doctor, Spy Sweeper and Xoft Spy.) :confused:
At the moment I am not encountering any problems, and I think that ESET solved it, because an hour ago I ran it again and it did not find anything.

I hope that this is permanent.
 

ceewi1

VIP Member
Please run Notepad and paste the contents of the codebox into a new file. Please do not include the word Code:
Code:
REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

Save the file to the desktop as fix.reg and make sure the Save as Type field says All Files. Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.
 

ceewi1

VIP Member
There are entries showing in your ComboFix log which will cause your computer to automatically load the malware files should the infected device ever be plugged in. The instructions in my previous post will remove those entries.
 
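The following script is an added example and is not part of the thread or ceewi1's instructions. It does, in PowerShell, what the fix.reg above does with a single `[-HKEY_CURRENT_USER\...\MountPoints2]` line, but first backs the key up and lists which cached devices actually carry an AutoRun command. The key layout it assumes (a subkey per device under MountPoints2, with the cached command under `Shell\AutoRun\command`) and the backup file name are assumptions, not something the thread states. The optional `-Harden` switch goes beyond the thread: it sets the NoDriveTypeAutoRun policy so Explorer stops honouring autorun.inf for this user on any drive type.

```powershell
<#
Added example, not code from the thread. Audits the per-user MountPoints2
cache that ceewi1's fix.reg deletes, backs it up, and optionally removes it.
Assumptions (not stated in the thread): a cached device lives under
MountPoints2\<id>\ and its cached autorun command under
MountPoints2\<id>\Shell\AutoRun\command (default value). The backup path is
arbitrary. The key is under HKCU, so no admin rights are needed to edit it.
#>
param(
    [switch]$Remove,   # actually delete the key (same effect as fix.reg)
    [switch]$Harden    # also disable AutoRun on every drive type for this user
)

$mp2Reg = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
$mp2    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
$backup = Join-Path ([Environment]::GetFolderPath('Desktop')) 'MountPoints2-backup.reg'

if (-not (Test-Path $mp2)) {
    Write-Host "No MountPoints2 key for this user; nothing is cached."
    return
}

# 1. Back up the whole key so the change can be reversed by merging the .reg
& reg.exe export $mp2Reg $backup /y | Out-Null
Write-Host "Backed up $mp2Reg to $backup"

# 2. List every cached device and flag the ones carrying an AutoRun command.
#    These are the entries that would re-launch the cached command when the
#    same device is plugged in again.
$flagged = @()
foreach ($dev in Get-ChildItem -Path $mp2) {
    $cmdKey = "$mp2\$($dev.PSChildName)\Shell\AutoRun\command"
    if (Test-Path $cmdKey) {
        $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
        $flagged += [pscustomobject]@{ Device = $dev.PSChildName; Command = $cmd }
    }
}
if ($flagged.Count -eq 0) {
    Write-Host "No cached AutoRun commands found under MountPoints2."
} else {
    Write-Host "Cached AutoRun commands (these would run on the next insert):"
    $flagged | Format-Table -AutoSize
}

# 3. Remove the cache. Explorer rebuilds it for each device as it is mounted again.
if ($Remove) {
    Remove-Item -Path $mp2 -Recurse -Force
    Write-Host "Deleted $mp2Reg"
}

# 4. Optional hardening: stop Explorer honouring autorun.inf at all for this user.
#    NoDriveTypeAutoRun is a bitmask of drive types; 0xFF disables AutoRun on all of them.
if ($Harden) {
    $pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $pol)) { New-Item -Path $pol -Force | Out-Null }
    New-ItemProperty -Path $pol -Name 'NoDriveTypeAutoRun' -Value 0xFF `
        -PropertyType DWord -Force | Out-Null
    Write-Host "Set NoDriveTypeAutoRun=0xFF for the current user"
}
```

Run it once without switches to see what is cached and to write the backup, then with `-Remove` to do what fix.reg does. Plugging the infected stick back in afterwards would repopulate the cache, so the device itself still needs to be cleaned (or its autorun.inf and the file it points to deleted) before it is used again.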

Alan1ar1s

New Member
There are entries showing in your ComboFix log which will cause your computer to automatically load the malware files should the infected device ever be plugged in. The instructions in my previous post will remove those entries.

Thanks a lot ceewi1 ;) I have done it. I hope it'll work :cool:
 