Kash3
Corporal
Joined: Jan 17, 2008 Posts: 53
Posted: Fri Apr 11, 2008 5:14 pm Post subject: Ran a Spybot S&D scan - scan results added
Whilst running a Spybot S&D scan, it picked up the following problem:
Microsoft WindowsSecurityCentre_Disabled
I clicked on the small plus box and this appeared:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start (is not) W=2
I then clicked on the entry under the heading Kind.
This is the entry it takes me to:
HKEY_USERS\S-1-5-21-2577847814-993760150-4114403836-1007\Software\Microsoft\Search Assistant\ACMru\5603
Under this entry are the following (attached the results - word.doc).
This looks a bit suspicious but I'm not sure. What do you think?
Cheers,
Kash.
Attachment: Spybot scan results.doc (26.5 KB, downloaded 21 times)

PCBruiser
SRT Team Lead, Forums Admin
Joined: May 11, 2005 Posts: 11723
Posted: Sun Apr 13, 2008 4:57 pm
Hi,
First, sorry for the delay. Last week was a zoo for me outside of CC. No time to do anything.
Beep may be legit, or may not. We'll find out shortly. I want to bring out some big guns, but first I want to do some HJT cleanup.
1. Run HijackThis again, but this time choose Do a system scan only, that is the second option from the top in the HijackThis What would you like to do choices. After HijackThis completes the system scan, check the box immediately to the left of the following item(s):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
Please be very careful, do NOT check any other boxes.
Next, click on Fix checked on the bottom left side of the HijackThis screen.
Next, reboot.
2. Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
3. Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
--------------------------------------------------------------------
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
4. Please post the following:
a. report.txt from SDFix
b. combofix.txt
c. a fresh HJT log. _________________ Don't read? Can't learn!

Kash3
Corporal
Joined: Jan 17, 2008 Posts: 53
Posted: Sun Apr 13, 2008 9:05 pm Post subject: Attached logs
Hi there,
See attached logs. When I downloaded SDFix and ComboFix, two viruses / trojans infected my system. These two were picked up by an Aluria scan (also attached). I'll remove ComboFix and SDFix and reinstall. How do you remove them, as they don't show in Control Panel - Add/remove software?
WinPatrol File Type Change Alert keeps flashing up:
Registry Editor
Microsoft Corporation
regedit.exe %1 %
Thanks,
Kash.
Attachment: Combfix report.txt (14.17 KB, downloaded 33 times)

Kash3
Corporal
Joined: Jan 17, 2008 Posts: 53
Posted: Sun Apr 13, 2008 9:14 pm Post subject: SD Log, Aluria log and HJThis log
SD log, Aluria log and HJThis log. Sorry, the site didn't allow me to attach these logs, and I have therefore copied and pasted them here.
SD Log
SDFix: Version 1.170
Run by Administrator on 13/04/2008 at 20:39
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\install.dat - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 20:52:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\BT Broadband Desktop Help\\SmartBridge\\BTHelpNotifier.exe"="C:\\Program Files\\BT Broadband Desktop Help\\SmartBridge\\BTHelpNotifier.exe:*:Enabled:BTHelpNotifier Module"
"C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe:*:Enabled:Kaspersky AV Scanner"
"C:\\Program Files\\BitLord\\BitLord.exe"="C:\\Program Files\\BitLord\\BitLord.exe:*:Enabled:BitLord"
"C:\\Program Files\\SopCast\\SopCast.exe"="C:\\Program Files\\SopCast\\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\\Documents and Settings\\(REMOVED by administrator)\\Application Data\\SopCast\\adv\\SopAdver.exe"="C:\\Documents and Settings\\(REMOVED by administrator)\\Application Data\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Yahoo!\\browser\\ycommon.exe"="C:\\Program Files\\Yahoo!\\browser\\ycommon.exe:*:Disabled:YCommon Exe Module"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Disabled:Microsoft Management Console"
"C:\\Program Files\\BT Broadband Desktop Help\\bin\\BTHelpBrowser.exe"="C:\\Program Files\\BT Broadband Desktop Help\\bin\\BTHelpBrowser.exe:*:Enabled:BT Broadband Desktop Help Browser"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Tue 8 Aug 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 24 Mar 2008 145,920 ..SHR --- "C:\Program Files\BillP Studios\WinPatrol\Setup.exe"
Sat 3 Nov 2007 48,640 ...H. --- "C:\Documents and Settings\(REMOVED by administrator)\My Documents\Cisco (IP Subnets)\~WRL0001.tmp"
Thu 8 Nov 2007 49,152 ...H. --- "C:\Documents and Settings\(REMOVED by administrator)\My Documents\Cisco (IP Subnets)\~WRL0005.tmp"
Thu 8 Nov 2007 49,664 ...H. --- "C:\Documents and Settings\(REMOVED by administrator)\My Documents\Cisco (IP Subnets)\~WRL2173.tmp"
Tue 2 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\BIT8.tmp"
Tue 8 Aug 2006 4,348 ...H. --- "C:\Documents and Settings\(REMOVED by administrator)\My Documents\My Music\License Backup\drmv1key.bak"
Fri 27 Oct 2006 20 A..H. --- "C:\Documents and Settings\(REMOVED by administrator)\My Documents\My Music\License Backup\drmv1lic.bak"
Sat 30 Sep 2006 9,656 A.SH. --- "C:\Documents and Settings\(REMOVED by administrator)\My Documents\My Music\License Backup\drmv2key.bak"
Finished!
---------------------------------------------------------------
HJThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:26:42, on 13/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALURIA~1\AL_ADS~1.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Aluria Security Center\AluriaMsgSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Aluria Security Center\SecurityCenter.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\PROGRA~1\ALURIA~1\AluriaFW.exe
C:\WINDOWS\system32\AuthFw.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\(REMOVED by administrator)\Desktop\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Aluria Security Center] "C:\Program Files\Aluria Security Center\SecurityCenter.exe" /scan
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe"
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] "C:\Program Files\btbb_wcm\McciTrayApp.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" -expressboot
O4 - HKCU\..\Run: [InstantTray] "C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe"
O4 - HKCU\..\Run: [IW_Drop_Icon] "C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe" /DropDisc
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bt.yahoo.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.bt.yahoo.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129147702953
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AL_ADSService - Aluria Software, LLC - C:\PROGRA~1\ALURIA~1\AL_ADS~1.EXE
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\PROGRA~1\ALURIA~1\ascserv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Aluria Message Service (MsgSrvService) - Aluria Software, LLC. - C:\Program Files\Aluria Security Center\AluriaMsgSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
O23 - Service: YPCService - Unknown owner - C:\WINDOWS\system32\YPCSER~1.EXE
--
End of file - 9197 bytes
-------------------------------------------------------------------------
Aluria log
ASC Version: 1.2.15 Definition Date: 04-10-2008
Date: 13/04/2008 13:13:53
Action: Begin Virus Memory Scan
OS: Windows XP
************************************************************
ASC Version: 1.2.15 Definition Date: 04-10-2008
Date: 13/04/2008 14:22:43
Action: Begin Spyware Memory Scan
OS: Windows XP
************************************************************
ASC Version: 1.2.15 Definition Date: 04-10-2008
Date: 13/04/2008 14:23:10
Action: Begin Registry Scan
OS: Windows XP
************************************************************
ASC Version: 1.2.15 Definition Date: 04-10-2008
Date: 13/04/2008 14:23:12
Action: Begin Cookie Scan
OS: Windows XP
************************************************************
ASC Version: 1.2.15 Definition Date: 04-10-2008
Date: 13/04/2008 14:23:12
Action: Begin Spyware Scan
OS: Windows XP
************************************************************
ASC Version: 1.2.15 Definition Date: 04-10-2008
Date: 13/04/2008 16:41:13
Action: Begin Spyware Memory Scan
OS: Windows XP
************************************************************
ASC Version: 1.2.15 Definition Date: 04-10-2008
Date: 13/04/2008 16:41:37
Action: Begin Registry Scan
OS: Windows XP
************************************************************
ASC Version: 1.2.15 Definition Date: 04-10-2008
Date: 13/04/2008 16:41:40
Action: Begin Cookie Scan
OS: Windows XP
************************************************************
ASC Version: 1.2.15 Definition Date: 04-10-2008
Date: 13/04/2008 16:41:40
Action: Begin Spyware Scan
OS: Windows XP
************************************************************
ASC Version: 1.2.15 Definition Date: 04-10-2008
Date: 13/04/2008 19:14:28
Action: Begin Spyware Memory Scan
OS: Windows XP
************************************************************
ASC Version: 1.2.15 Definition Date: 04-10-2008
Date: 13/04/2008 19:26:42
Action: Begin Virus Memory Scan
OS: Windows XP
************************************************************
ASC Version: 1.2.15 Definition Date: 04-10-2008
Date: 13/04/2008 19:28:08
Action: Begin Spyware Memory Scan
OS: Windows XP
************************************************************
ASC Version: 1.2.15 Definition Date: 04-10-2008
Date: 13/04/2008 19:28:43
Action: Begin Registry Scan
OS: Windows XP
************************************************************
ASC Version: 1.2.15 Definition Date: 04-10-2008
Date: 13/04/2008 19:28:46
Action: Begin Cookie Scan
OS: Windows XP
************************************************************
ASC Version: 1.2.15 Definition Date: 04-10-2008
Date: 13/04/2008 19:28:46
Action: Begin Spyware Scan
OS: Windows XP
************************************************************
ASC Version: 1.2.15 Definition Date: 04-10-2008
Date: 13/04/2008 19:41:59
Action: Begin Virus Memory Scan
OS: Windows XP
************************************************************
ASC Version: 1.2.15 Definition Date: 04-10-2008
Date: 13/04/2008 19:55:24
Action: Begin Virus Memory Scan
OS: Windows XP
************************************************************
ASC Version: 1.2.15 Definition Date: 04-10-2008
Date: 13/04/2008 20:12:13
Action: Begin Virus Memory Scan
OS: Windows XP
************************************************************
ASC Version: 1.2.15 Definition Date: 04-10-2008
Date: 13/04/2008 20:22:40
Action: Begin Virus Memory Scan
OS: Windows XP
************************************************************
ASC Version: 1.2.15 Definition Date: 04-10-2008
Date: 13/04/2008 20:59:13
Action: Begin Virus Memory Scan
OS: Windows XP
************************************************************
ASC Version: 1.2.15 Definition Date: 04-10-2008
Date: 13/04/2008 21:27:59
Action: Begin Virus Memory Scan
OS: Windows XP
************************************************************
ASC Version: 1.2.15 Definition Date: 04-10-2008
Date: 13/04/2008 21:28:24
Action: Begin Spyware Memory Scan
OS: Windows XP
************************************************************
ASC Version: 1.2.15 Definition Date: 04-10-2008
Date: 13/04/2008 21:28:49
Action: Begin Registry Scan
OS: Windows XP
************************************************************
ASC Version: 1.2.15 Definition Date: 04-10-2008
Date: 13/04/2008 21:28:52
Action: Begin Cookie Scan
OS: Windows XP
************************************************************
Scan Time: 13/04/2008 21:28:52
Spyware Found: CDN
Item Name: software\microsoft\internet explorer\activex compatibility\{9a578c98-3c2f-4630-890b-fc04196ef420}
DType: 4
******************************
Scan Time: 13/04/2008 21:28:52
Spyware Found: BZub
Item Name: software\microsoft\windows\currentversion\control panel\load
DType: 4
******************************
ASC Version: 1.2.15 Definition Date: 04-10-2008
Date: 13/04/2008 21:28:52
Action: Begin Spyware Scan
OS: Windows XP
************************************************************
Delete Time: 13/04/2008 21:45:11
Deleted Spyware: BZub
Item Name: software\microsoft\windows\currentversion\control panel\load
******************************
Delete Time: 13/04/2008 21:45:11
Deleted Spyware: CDN
Item Name: software\microsoft\internet explorer\activex compatibility\{9a578c98-3c2f-4630-890b-fc04196ef420}
******************************
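As an added example (not from the thread, and not SDFix's own code), this Python snippet parses the "Authorized Application Key Export" block of the SDFix report above and lists enabled firewall exceptions whose executable lives under a user profile, the kind of entry (SopAdver.exe here) a helper would ask about. The function names and the "user-writable location" heuristic are mine; the sample lines are an abridged copy of the log above.

```python
"""Parse the XP SP2 firewall AuthorizedApplications export found in an SDFix report."""
import re

# Abridged from the SDFix log in this thread. One REG_SZ value per line:
#   "<exe>"="<exe>:<scope>:<Enabled|Disabled>:<display name>"
# Backslashes are doubled because this is registry-export syntax.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\SopCast\\SopCast.exe"="C:\\Program Files\\SopCast\\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\\Documents and Settings\\(REMOVED by administrator)\\Application Data\\SopCast\\adv\\SopAdver.exe"="C:\\Documents and Settings\\(REMOVED by administrator)\\Application Data\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\\Program Files\\Yahoo!\\browser\\ycommon.exe"="C:\\Program Files\\Yahoo!\\browser\\ycommon.exe:*:Disabled:YCommon Exe Module"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
'''

VALUE_RE = re.compile(r'^"(.*?)"="(.*)"$')
PROFILE_RE = re.compile(r'\\firewallpolicy\\(\w+)\\authorizedapplications\\list\]$', re.I)

# Directories an ordinary user can write to; an enabled exception for an
# executable living there deserves a second look. Heuristic, not proof.
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\", "\\local settings\\", "\\temp\\")


def parse_authorized_apps(text):
    """Return {profile: [entry, ...]}; each entry has path, scope, state (lowercased), name."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            m = PROFILE_RE.search(line)
            current = m.group(1).lower() if m else None
            if current:
                profiles.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        path = m.group(1).replace("\\\\", "\\")
        value = m.group(2).replace("\\\\", "\\")
        prefix = path + ":"
        if not value.lower().startswith(prefix.lower()):
            raise ValueError("value does not start with its own path: " + line)
        parts = value[len(prefix):].split(":", 2)   # display name may itself contain ':'
        if len(parts) != 3:
            raise ValueError("unexpected value layout: " + line)
        scope, state, name = parts
        profiles[current].append({"path": path, "scope": scope, "state": state.lower(), "name": name})
    return profiles


def review_candidates(profiles):
    """Enabled, any-scope exceptions whose executable sits in a user-writable location."""
    hits = []
    for profile, entries in profiles.items():
        for e in entries:
            low = e["path"].lower()
            if e["state"] == "enabled" and e["scope"] == "*" and any(t in low for t in USER_WRITABLE):
                hits.append((profile, e["path"], e["name"]))
    return hits


if __name__ == "__main__":
    for profile, path, name in review_candidates(parse_authorized_apps(SAMPLE_EXPORT)):
        print("%s: %s (%s)" % (profile, path, name))
```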

PCBruiser
SRT Team Lead, Forums Admin
Joined: May 11, 2005 Posts: 11723
Posted: Sun Apr 13, 2008 9:25 pm
Hi,
You can accept the change in WinPatrol. That's fine.
Are you saying that Aluria said that both CF and SDFix were infected? That's a big false positive. There are components of both that can fool some A/V scanners, but those files are not infected.
You can redownload them if you want. To get rid of the ones you have delete CF from your desktop, then delete the SDFix installer and the folder C:\SDFix. Neither is necessary to do, neither is infected.
Do not delete ComboFix, we still need it for some more steps. Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System: XP Pro with SP2.
Download the file & save it as it's originally named, next to ComboFix.exe.
Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log. The log will be quite small, and consist of only a few lines. _________________ Don't read? Can't learn!

PCBruiser
SRT Team Lead, Forums Admin
Joined: May 11, 2005 Posts: 11723
Posted: Fri Apr 18, 2008 6:36 pm
I am locking this topic since there has been no response. If you would like it reopened, please private message a Moderator and we will unlock it. _________________ Don't read? Can't learn!

PCBruiser
SRT Team Lead, Forums Admin
Joined: May 11, 2005 Posts: 11723
Posted: Sat Apr 19, 2008 1:10 pm
Unlocked at the OP's request.
As to your issue, let me think on what to do next. I'll post a little later on that. _________________ Don't read? Can't learn!

PCBruiser
SRT Team Lead, Forums Admin
Joined: May 11, 2005 Posts: 11723
Posted: Sat Apr 19, 2008 2:10 pm
Hi,
OK, here's another way to do this step. Download the attached zip file to your C:\ root folder. Next unzip it, and then delete the zip file. It will create a new folder called c:\cmdcons. You do not need to do anything more with that folder.
Next open Notepad, click on Format menu, and uncheck Word Wrap. Next, navigate to the file c:\boot.ini and open it. Copy and paste the text into a new post.
Please tell me what SopCast is. It looks like adware, but I can't seem to verify that.
Attachment: cmdcons.zip (5.05 MB, downloaded 24 times)
_________________ Don't read? Can't learn!

Kash3
Corporal
Joined: Jan 17, 2008 Posts: 53
Posted: Sat Apr 19, 2008 4:21 pm
Hi there,
It worked.
Results from boot.ini (C:\WINDOWS\pss); this is a backup file. Should it be?
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
The other boot.ini file is in Documents and Settings. No boot.ini file in the root of C:\.
SopCast is a good streaming site where one can watch football / soccer amongst many other sports and films. A little bit like TVAnts.
What's the verdict?
Cheers.

PCBruiser
SRT Team Lead, Forums Admin
Joined: May 11, 2005 Posts: 11723
Posted: Sat Apr 19, 2008 4:42 pm
Hi,
Have you set XP to show hidden files, etc? Because your system won't boot without a boot.ini file in the boot partition root folder, and it is set as a hidden system file.
Here's how to see hidden and system files:
Go to Start>Control Panel and select Folder Options
Select the View tab
Check: Display the contents of system folders
Check: Show hidden files and folders
Uncheck: Hide protected operating system files
Click on Apply, then close all the open panels.
Next, we need to edit the boot.ini file in your root directory, and you do not need to find it or see it to do this.
Right click on My Computer and then on Properties.
Click on the Advanced tab, then on Startup and Recovery.
The topmost box contains a boot.ini editor. Click the Edit button.
Using the editor (which is just Notepad but accessed in a special way), go to Format menu, and uncheck Word Wrap. Then copy and then paste the following as the bottom most line in the file followed by <Enter>:
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
Your file should now look like this:
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
Copy and paste it so I can check it. I'll be waiting. After I check to make sure it is right, you can save the file; it should automatically be set to save to your root folder. Next, change the "Time to display list of operating systems" to 3 from the 30 it currently is.
Here's what this does. From now on, each time you boot, your system will pause for three seconds while offering a choice of whether to boot to either Microsoft Windows XP Professional or Microsoft Windows Recovery Console. The default and automatic choice is to boot to XP. But, if we need the recovery console in an emergency, we can now get there via the modified boot sequence. _________________ Don't read? Can't learn!

PCBruiser
SRT Team Lead, Forums Admin
Joined: May 11, 2005 Posts: 11723
Posted: Sat Apr 19, 2008 4:50 pm
Oops, I forgot one thing. In this line:
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
change /noexecute=optin
to:
/noexecute=optout.
Sorry about that. Remember to leave a space between the "t" in optout and the following "/". _________________ Don't read? Can't learn!
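As an added example (not from the thread), here is a small Python checker for the boot.ini edit the two posts above describe: it parses the file and reports any deviation from the expected result (timeout of 3, /noexecute=optout on the Windows entry, exactly one /cmdcons entry pointing at C:\CMDCONS\BOOTSECT.DAT). The parse_boot_ini and check_boot_ini names and the two embedded sample files are mine.

```python
"""Check an edited Windows XP boot.ini for the Recovery Console / DEP changes described above."""
import re
from dataclasses import dataclass, field

# Constructed sample: the boot.ini as the posts above describe it once the edit is done
# (timeout lowered to 3, /noexecute switched to optout, cmdcons entry appended).
AFTER_BOOT_INI = """[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="Microsoft Windows XP Professional" /noexecute=optout /fastdetect
C:\\CMDCONS\\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
"""

# Constructed sample: the file before the edit (as pasted from C:\WINDOWS\pss above).
BEFORE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
"""

# ARC path of a Windows installation, e.g. multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
ARC_PATH = re.compile(r"^multi\(\d+\)disk\(\d+\)rdisk\(\d+\)partition\(\d+\)\\\S+$", re.I)
OS_ENTRY = re.compile(r'^(.+?)="([^"]*)"\s*(.*)$')


@dataclass
class OsEntry:
    target: str                 # text before '=' (ARC path or a file such as BOOTSECT.DAT)
    label: str                  # quoted boot-menu text
    switches: list = field(default_factory=list)   # e.g. ['/noexecute=optout', '/fastdetect']

    def switch(self, name):
        """Value of /name=value, '' for a bare /name, None if the switch is absent."""
        for sw in self.switches:
            key, _, val = sw.lstrip("/").partition("=")
            if key.lower() == name.lower():
                return val
        return None


def parse_boot_ini(text):
    """Return ({loader key: value}, [OsEntry, ...])."""
    loader, entries, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot loader":
            key, _, val = line.partition("=")
            loader[key.strip().lower()] = val.strip()
        elif section == "operating systems":
            m = OS_ENTRY.match(line)
            if not m:
                raise ValueError("unparseable [operating systems] line: " + line)
            entries.append(OsEntry(m.group(1).strip(), m.group(2), m.group(3).split()))
    return loader, entries


def check_boot_ini(text):
    """Return a list of findings; an empty list means the file matches the edited form."""
    loader, entries = parse_boot_ini(text)
    findings = []
    timeout = loader.get("timeout", "")
    if not timeout.isdigit():
        findings.append("timeout missing or not numeric")
    elif int(timeout) != 3:
        findings.append("timeout is %s, expected 3" % timeout)
    if loader.get("default") not in [e.target for e in entries]:
        findings.append("default does not name any [operating systems] entry")
    windows = [e for e in entries if ARC_PATH.match(e.target)]
    if not windows:
        findings.append("no ARC-path Windows entry found")
    for e in windows:
        if e.switch("noexecute") != "optout":
            findings.append("%s: /noexecute is %r, expected optout" % (e.label, e.switch("noexecute")))
        if e.switch("fastdetect") is None:
            findings.append("%s: /fastdetect missing" % e.label)
    console = [e for e in entries if e.switch("cmdcons") is not None]
    if len(console) != 1:
        findings.append("expected exactly one /cmdcons entry, found %d" % len(console))
    elif console[0].target.lower() != r"c:\cmdcons\bootsect.dat":
        findings.append("cmdcons entry points at %s" % console[0].target)
    return findings


if __name__ == "__main__":
    for name, sample in (("before", BEFORE_BOOT_INI), ("after", AFTER_BOOT_INI)):
        print(name, check_boot_ini(sample) or "OK")
```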

Kash3
Corporal
Joined: Jan 17, 2008 Posts: 53
Posted: Sat Apr 19, 2008 5:58 pm
Hope this is right.
[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optout /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
Cheers.

PCBruiser
SRT Team Lead, Forums Admin
Joined: May 11, 2005 Posts: 11723