Solve : Virus help!?

Answer

here you go

ComboFix 08-08-28.04 - Family 2008-08-28 16:42:33.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.657 [GMT -4:00]
Running from: C:\Documents and Settings\Family\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Family\Desktop\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\dtpv.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-2145839103\
C:\Documents and Settings\All Users\Application Data\services
C:\dtpv.exe
C:\WINDOWS\system32\349168

.
(((((((((((((((((((((((((   Files Created from 2008-07-28 to 2008-08-28  )))))))))))))))))))))))))))))))
.

2008-08-28 15:36 . 2008-08-28 15:36      d--------   C:\sdfix
2008-08-27 21:36 . 2008-08-27 21:36      d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-08-27 21:36 . 2008-08-17 15:01   38,472   --a------   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-27 21:36 . 2008-08-17 15:01   17,144   --a------   C:\WINDOWS\system32\drivers\mbam.sys
2008-08-27 20:11 . 2008-08-27 20:11   2   --a------   C:\-2145839103
2008-08-27 01:23 . 2008-08-27 01:38      d--------   C:\WINDOWS\system32\CatRoot_bak

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-28 20:42   ---------   d-----w   C:\Documents and Settings\Family\Application Data\DNA
2008-08-25 23:03   ---------   d-----w   C:\Documents and Settings\Family\Application Data\LimeWire
2008-08-08 22:33   ---------   d-----w   C:\Documents and Settings\Family\Application Data\BitTorrent
2008-07-30 20:31   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\avg8
2008-07-23 17:27   ---------   d-----w   C:\Program Files\BroadJump
2008-07-21 18:39   ---------   d-----w   C:\Program Files\V CAST Music with Rhapsody
2008-07-21 18:39   ---------   d-----w   C:\Program Files\Common Files\Real
2008-07-21 18:38   ---------   d-----w   C:\Program Files\Real
2008-07-19 16:55   ---------   d-----w   C:\Documents and Settings\Family\Application Data\InstallShield Installation Information
2008-07-19 16:55   ---------   d-----w   C:\Documents and Settings\Family\Application Data\2K Games
2008-07-19 16:53   ---------   d-----w   C:\Documents and Settings\Family\Application Data\InstallShield
2008-07-19 16:31   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-07-17 01:26   ---------   d-----w   C:\Program Files\Full Tilt Poker
2008-07-12 18:08   ---------   d-----w   C:\Program Files\VideoLAN
2008-07-11 20:03   ---------   d-----w   C:\Program Files\Infogrames Interactive
2008-07-05 21:50   ---------   d-----w   C:\Program Files\PartyGaming
2008-07-04 00:14   ---------   d-----w   C:\Program Files\Firaxis Games
2008-05-17 22:10   36,868   ----a-w   C:\Program Files\uninst-Particular.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17 50736]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 19:16 454784]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 00:06 2321600]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-06-04 13:14 289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 15:52 339968]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 06:06 40048]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 05:41 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 11:38 241664]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 09:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 23:15 271672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 08:00 132496]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-06 20:05 200704]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 17:40 1884160]

C:\Documents and Settings\Family\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\V CAST Music Manager\MEMonitor.exe [2007-12-24 23:17:32 951640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 07:21:22 288472]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 10:56:20 73728]
Photo Loader supervisory.lnk - C:\Program Files\CASIO\Photo Loader\Plauto.exe [2007-10-22 22:01:29 229376]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Cain\\Cain.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Documents and Settings\\Family\\Application Data\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Civilization4.exe"=
"C:\\Documents and Settings\\Family\\Application Data\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Warlords\\Civ4Warlords.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 19:20]
R1 ts_lb;ts_lb;C:\WINDOWS\system32\drivers\ts_lb.sys [2007-06-19 23:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 19:16]
S3 CV2K1;CommView Network Monitor;C:\WINDOWS\system32\DRIVERS\cv2k1.sys [2006-12-07 22:04]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 16:22]
.
Contents of the 'Scheduled Tasks' folder

2008-08-21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 16:15]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-28 16:45:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\WINDOWS\system32\HPZipm12.exe
.
**************************************************************************
.
Completion time: 2008-08-28 16:49:21 - machine was rebooted
ComboFix-quarantined-files.txt  2008-08-28 20:49:17
ComboFix2.txt  2008-08-28 20:17:20

Pre-Run: 79,689,158,656 bytes free
Post-Run: 79,688,552,448 bytes free

169   --- E O F ---   2008-08-14 07:01:12

Download OTCleanIt.exe and save it to your Desktop.

  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will DELETE itself once it finishes, if not delete it yourself.
.
----------

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
  • Go to Start > Programs > Accessories > System Tools and click System Restore
  • Choose the radio button marked Create a Restore Point on the first screen, then click Next. Give the Restore Point a name, then click Create.
  • The new restore point will be stamped with the CURRENT date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Next go to Start > Run and type Cleanmgr
  • Click OK
  • Click the More Options Tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide or Windows Vista System Restore Guide
.
----------

Use the Secunia Software Inspector to check for out of date software.
  • Click Start Now
  • Check the box next to Enable thorough system inspection.
  • Click Start
  • Allow the scan to finish and scroll down to see if any updates are needed.
  • Update anything listed.
.
----------

Go to Microsoft Windows Update and get all critical updates.

-----

How is everything now?

Hey, ran OTCleanIt but I don't think my problem is fixed because my desktop background is blue with a box in the top left corner that has a red square, green circle and blue triangle. When I go to reboot my normal background pops up though. What should I do?

Try this. You might lose your current background, but I think it needs to be reset as the virus changed the settings.

Go to start > Control panel > Display > Desktop > Customize Desktop... >  Web tab
Make sure Lock desktop items is unchecked.
Select everything you find in there (except for "My current home page") and press the delete button on the right.
Hit OK below > apply in previous window.

----------

Now let's make sure everything is actually gone with a Kaspersky scan.

Run the Kaspersky Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

  • Click on SCAN NOW
  • Click Accept.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
  • The scan will TAKE a while, so be patient and let it finish.
When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop.
  • In the File name area use KScan, or something similar.
  • In Save as type: click the drop arrow and select: Text file [*.txt]
  • Then, click: Save


Copy and paste the Kaspersky Online Scanner Report in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Did the scan; everything seems normal. What do you think?


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
 Thursday, August 28, 2008
 Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
 Kaspersky Online Scanner 7 version: 7.0.25.0
 Program database last update: Thursday, August 28, 2008 21:44:06
 Records in database: 1158226
--------------------------------------------------------------------------------

Scan settings:
   Scan using the following database: extended
   Scan archives: yes
   Scan mail databases: yes

Scan area - My Computer:
   A:\
   C:\
   D:\
   E:\
   F:\
   G:\

Scan statistics:
   Files scanned: 149241
   Threat name: 5
   Infected objects: 7
   Suspicious objects: 0
   Duration of the scan: 02:00:36


File name / Threat name / Threats count
C:\Documents and Settings\Family\Desktop\Mom\NetTools5.0.70.zip   Infected: not-a-virus:NetTool.MSIL.Sniffer.a   1
C:\Documents and Settings\Family\My Documents\Chase\ca_setup.exe   Infected: not-a-virus:PSWTool.Win32.Cain.284   1
C:\Program Files\Cain\Abel.exe   Infected: not-a-virus:PSWTool.Win32.Cain.284   1
C:\Program Files\mIRC\mirc.exe   Infected: not-a-virus:Client-IRC.Win32.mIRC.631   1
D:\Installs\WorkFlow\GUI\actwin2.exe   Infected: Trojan.Win32.Shutdowner.cq   1
D:\Setup\SST\Data\VNC\MotVNC.exe   Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b   2

The selected area was scanned.

I now also want to buy some antivirus software. Can you suggest the best product? Thanks for all your help.

Do you use Cain & Abel?

There are plenty of free reliable solutions for antivirus.

Remember to only install one antivirus!
 
1) Avast! Home Free Edition
2) AVG Free Edition
3) Avira AntiVir Personal
4) Comodo Antivirus
5) PC Tools AntiVirus Free Edition

Free firewalls

1) Comodo (Uncheck during installation "Install Comodo SafeSurf...", "Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)
2) Online Armor
3) Sunbelt/Kerio
4) Agnitum
5) PC Tools Firewall Plus
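The Kaspersky report quoted above mixes "not-a-virus:" riskware (Cain & Abel, mIRC, a VNC server) with a real Trojan, which is why the helper asks whether the tools are the user's own. The following parser is an added example, not part of the thread or of Kaspersky's software; it reads lines in the report's "path   Infected: threat   count" layout (the sample below is constructed to match that layout), separates riskware from malware, and flags remote-administration tools for the "is this PC accessed remotely?" follow-up.

```python
import re

# Constructed sample modelled on the Kaspersky Online Scanner 7 report layout
# quoted in the thread; it is not the actual report file.
SAMPLE_REPORT = """\
File name / Threat name / Threats count
C:\\Program Files\\Cain\\Abel.exe   Infected: not-a-virus:PSWTool.Win32.Cain.284   1
C:\\Program Files\\mIRC\\mirc.exe   Infected: not-a-virus:Client-IRC.Win32.mIRC.631   1
D:\\Installs\\WorkFlow\\GUI\\actwin2.exe   Infected: Trojan.Win32.Shutdowner.cq   1
D:\\Setup\\SST\\Data\\VNC\\MotVNC.exe   Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b   2

The selected area was scanned.
"""

# path, two or more spaces, "Infected:", threat name (no spaces), count
LINE_RE = re.compile(r"^(?P<path>.+?)\s{2,}Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")


def parse_report(text):
    """Return (path, threat, count) for every detection line in the report."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("threat"), int(m.group("count"))))
    return hits


def classify(threat):
    """Kaspersky prefixes legitimate-but-dual-use tools with 'not-a-virus:'."""
    return "riskware" if threat.startswith("not-a-virus:") else "malware"


def summarize(text):
    """Split detections into riskware (needs an 'is this yours?' decision) and
    malware (needs removal); 'objects' is the summed threat count."""
    summary = {"riskware": [], "malware": [], "objects": 0}
    for path, threat, count in parse_report(text):
        summary[classify(threat)].append((path, threat))
        summary["objects"] += count
    return summary


def remote_access_findings(text):
    """Paths of RemoteAdmin-family riskware: a remote-control tool the owner did
    not install is the thing to ask about before calling the machine clean."""
    return [p for p, t, _ in parse_report(text) if t.startswith("not-a-virus:RemoteAdmin.")]
```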

I used Cain and Abel a while back, probably should delete it now. Thanks for all your help.

Also, are the free antivirus programs just as good as the ones you buy?

As long as you know Cain & Abel is there, and what it's for...

Yes the free ones are just as effective.

Another question. Is this PC set up to be accessed remotely?

I do not think so. I have a router for my family's laptops but that's it. And yes, I know Cain and Abel is used for hacking; I used it for some other things, not hacking or cracking passwords.

Quote from: ChazMcJazz on August 28, 2008, 06:51:53 PM
And yes, I know Cain and Abel is used for hacking; I used it for some other things, not hacking or cracking passwords.

Just wanted to know it was being used by you and not against you.

Create An Uninstall List
  • Start HijackThis
  • Click on the Open the Misc Tools section
  • Click on the Open Uninstall Manager button.
  • Click on the Save list button and specify where you would like to save this file and click Save.
    • When you press Save button a notepad will open with the contents of that file.
  • Copy and paste that list in your reply.
