WiredWX Hobby Weather Tools

Window Antivirus

3 posters

[Solved] Window Antivirus

Hello again
I keep getting a Win.A.V Security pop up

Re: Window Antivirus

Hello Chris.
Post a new Hijack This log.

Re: Window Antivirus

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:03 AM, on 11/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WebMediaViewer\qttask.exe
C:\Program Files\WebMediaViewer\hpmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\WAV\wav.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WebMediaViewer\qttaskm.exe
C:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe
C:\Program Files\WebMediaViewer\hpmom.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C} - C:\Program Files\WebMediaViewer\hpmun.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {F3C6B4F7-9DD5-44B8-90AB-E835CFE5A110} - (no file)
O2 - BHO: (no name) - {FD36273A-48C9-48D5-95B6-A91B9320FB37} - (no file)
O3 - Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [PC Pitstop Optimize Reminder] C:\Program Files\PCPitstop\Optimize2\Reminder.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ANTIVIRUS] C:\Program Files\WAV\wav.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Uniblue Registry Booster2] C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [ANTIVIRUS] C:\Program Files\WAV\wav.exe
O4 - HKLM\..\Policies\Explorer\Run: [QuickTime Task] C:\Program Files\WebMediaViewer\qttask.exe
O4 - HKLM\..\Policies\Explorer\Run: [VMware hptray] C:\Program Files\WebMediaViewer\hpmon.exe
O4 - Global Startup: Mobile User VPN.lnk = C:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IExplorer Security - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.5.0_07) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
O20 - Winlogon Notify: ttlffzfc - C:\WINDOWS\
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7493 bytes

Re: Window Antivirus

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O2 - BHO: (no name) - {64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C} - C:\Program Files\WebMediaViewer\hpmun.dll
    O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - (no file)
    O2 - BHO: (no name) - {F3C6B4F7-9DD5-44B8-90AB-E835CFE5A110} - (no file)
    O2 - BHO: (no name) - {FD36273A-48C9-48D5-95B6-A91B9320FB37} - (no file)
    O3 - Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)
    O4 - HKLM\..\Run: [ANTIVIRUS] C:\Program Files\WAV\wav.exe
    O4 - HKLM\..\Policies\Explorer\Run: [QuickTime Task] C:\Program Files\WebMediaViewer\qttask.exe
    O4 - HKLM\..\Policies\Explorer\Run: [VMware hptray] C:\Program Files\WebMediaViewer\hpmon.exe
    O20 - Winlogon Notify: ttlffzfc - C:\WINDOWS\


  • Press "Fix Checked"
  • Close Hijack This.


Delete these folders:
C:\Program Files\WAV
C:\Program Files\WebMediaViewer
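
The list of lines to tick above is the result of a helper reading the log by hand. As an added example (not code from this thread, from HijackThis, or from any tool it mentions), the following Python script encodes the rules of thumb that reasoning relies on and runs them over a subset of the log lines posted above: an IE start/search page pointing at an unfamiliar host, O2/O3/O9 entries whose component is no longer on disk, an unnamed BHO that does load a file, O4 autostarts that use the rarely used Policies\Explorer\Run key or whose display name has nothing to do with the folder they run from, and an O20 Winlogon Notify entry that names no DLL. The known-host list and the word-overlap heuristic are assumptions chosen for this example; the output is a set of review candidates, not verdicts.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Sample input: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C} - C:\Program Files\WebMediaViewer\hpmun.dll
O3 - Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [ANTIVIRUS] C:\Program Files\WAV\wav.exe
O4 - HKLM\..\Policies\Explorer\Run: [QuickTime Task] C:\Program Files\WebMediaViewer\qttask.exe
O20 - Winlogon Notify: ttlffzfc - C:\WINDOWS\
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
"""

# Assumption for this example: hosts a default IE start/search page is expected to use.
KNOWN_HOMEPAGE_HOSTS = {"go.microsoft.com", "www.microsoft.com"}

Finding = Tuple[str, str, str]  # (log line, severity, reason)


def _words(text: str) -> set:
    """Lower-case alphabetic tokens of 3+ letters, used to compare an autostart
    entry's display name with the folder it actually runs from."""
    return {w for w in re.findall(r"[a-z]+", text.lower()) if len(w) > 2}


def _parse_o4(line: str) -> Optional[Tuple[str, str, str]]:
    """Split an O4 line into (registry key, entry name, executable path)."""
    m = re.match(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]+)\] (?P<rest>.*)$", line)
    if not m:
        return None
    rest = m.group("rest").strip()
    if rest.startswith('"'):                      # quoted path, arguments may follow
        end = rest.find('"', 1)
        path = rest[1:end] if end > 0 else rest[1:]
    else:                                         # unquoted path, drop a trailing " /switch"
        path = rest.split(" /")[0]
    return m.group("key"), m.group("name"), path


def triage_line(line: str) -> List[Finding]:
    """Apply the heuristics to one HijackThis line; returns zero or more findings."""
    findings: List[Finding] = []
    tag = line.split(" - ", 1)[0]

    if tag in ("R0", "R1") and " = " in line:
        host = urlparse(line.split(" = ", 1)[1].strip()).hostname  # None for about:blank
        if host and host not in KNOWN_HOMEPAGE_HOSTS:
            findings.append((line, "review", "IE start/search page set to unfamiliar host " + host))

    if tag in ("O2", "O3", "O9"):
        if line.endswith("(no file)") or line.endswith("(file missing)"):
            findings.append((line, "cleanup", "orphaned entry: registered component is no longer on disk"))
        elif tag == "O2" and "(no name)" in line:
            findings.append((line, "review", "unnamed BHO loaded from " + line.rsplit(" - ", 1)[1]))

    if tag == "O4":
        parsed = _parse_o4(line)
        if parsed:
            key, name, path = parsed
            if "policies\\explorer\\run" in key.lower():
                findings.append((line, "review", "autostart via Policies\\Explorer\\Run, a key ordinary installers rarely use"))
            # Only applied to Program Files: system32 binaries rarely carry a product name.
            if "program files" in path.lower() and not (_words(name) & _words(path)):
                findings.append((line, "review", "entry name '" + name + "' shares no word with its folder"))

    if tag == "O20":
        target = line.rsplit(" - ", 1)[1].strip()
        if not target.lower().endswith(".dll"):   # Notify packages are DLLs; a bare directory is not one
            findings.append((line, "review", "Winlogon Notify package does not name a DLL"))

    return findings


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every non-empty line of a log."""
    out: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            out.extend(triage_line(line))
    return out


def fix_candidates(log_text: str) -> List[str]:
    """Distinct flagged lines in log order: what a helper would look at before
    deciding which boxes to tick under 'Fix checked'."""
    seen: List[str] = []
    for line, _, _ in triage(log_text):
        if line not in seen:
            seen.append(line)
    return seen


if __name__ == "__main__":
    for line, severity, reason in triage(SAMPLE_LOG):
        print("[" + severity + "] " + reason + "\n    " + line)
```

On the sample above the flagged set is exactly the seven lines from this subset that the helper asked to have fixed; the Lexmark, hkcmd, Spybot and VNC entries pass. The word-overlap rule will still flag legitimate entries whose name is an abbreviation (Google's "swg" entry in the full log is one), which is why each finding carries a reason for a human to weigh rather than an automatic fix.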

Re: Window Antivirus

C:\Program Files\WAV
C:\Program Files\WebMediaViewer

sorry, where are these located?

Re: Window Antivirus

Open My computer.
Open the C drive.
Double click Program Files to open that folder.

Look for two folders:
WAV
WebMediaViewer

Delete them.

Re: Window Antivirus

that's what I thought,
they are not there

Re: Window Antivirus

Download a new version of combofix from here.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Do not run it yet.

Now open a new notepad file.
Input this into the notepad file:

Folder::
C:\Program Files\WebMediaViewer
C:\Program Files\WAV


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
[image: Window Antivirus Sfxdaw]

This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.

Re: Window Antivirus

ComboFix 08-11-26.03 - Administrator 2008-11-26 12:15:56.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.83 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFscript.txt,.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\My Documents\My Documents.url
c:\documents and settings\Administrator\My Documents\My Music\My Music.url
c:\documents and settings\Administrator\My Documents\My Pictures\My Pictures.url
c:\documents and settings\Administrator\My Documents\My Videos\My Video.url
c:\program files\WAV
c:\program files\WAV\Uninstall.exe
c:\program files\WAV\WAV.cpl
c:\program files\WAV\WAV.exe
c:\program files\WebMediaViewer
c:\program files\WebMediaViewer\browseu.exe
c:\program files\WebMediaViewer\browseul.dll
c:\program files\WebMediaViewer\hpmom.exe
c:\program files\WebMediaViewer\hpmon.exe
c:\program files\WebMediaViewer\hpmun.dll
c:\program files\WebMediaViewer\hpmun.exe
c:\program files\WebMediaViewer\myd.ico
c:\program files\WebMediaViewer\mym.ico
c:\program files\WebMediaViewer\myp.ico
c:\program files\WebMediaViewer\myv.ico
c:\program files\WebMediaViewer\ot.ico
c:\program files\WebMediaViewer\qttask.exe
c:\program files\WebMediaViewer\qttaskm.exe
c:\program files\WebMediaViewer\qttasku.exe
c:\program files\WebMediaViewer\ts.ico
c:\windows\system32\wav.cpl

.
((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.

2008-11-26 00:42 . 2008-11-26 00:42 23,392 --a------ c:\windows\system32\nscompat.tlb
2008-11-26 00:42 . 2008-11-26 00:42 16,832 --a------ c:\windows\system32\amcompat.tlb
2008-11-26 00:32 . 2008-11-26 00:42 d-------- c:\windows\SxsCaPendDel
2008-11-25 19:50 . 2008-11-25 19:49 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-25 19:42 . 2008-11-25 19:49 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-25 16:48 . 2008-11-25 16:48 250 --a------ c:\windows\gmer.ini
2008-11-25 08:31 . 2008-11-25 08:31 d-------- c:\program files\Common Files\Download Manager
2008-11-25 08:19 . 2008-11-25 08:27 d-------- c:\program files\Perfect Uninstaller
2008-11-24 22:28 . 2007-09-02 20:56 1,686,016 --a------ c:\windows\system32\clinetsuitex6.ocx
2008-11-24 22:28 . 2004-03-09 16:45 662,288 --a------ c:\windows\system32\MSCOMCT2.OCX
2008-11-24 22:28 . 2004-06-14 14:56 427,864 --a------ c:\windows\system32\XceedZip.dll
2008-11-24 20:11 . 2008-11-25 22:32 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-24 20:11 . 2008-11-24 20:11 1,409 --a------ c:\windows\QTFont.for
2008-11-24 11:43 . 2008-11-24 16:33 d-------- c:\program files\Spybot - Search & Destroy
2008-11-24 11:43 . 2008-11-24 19:12 d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-24 11:25 . 2008-11-24 11:25 0 --a------ c:\windows\nsreg.dat
2008-11-24 10:27 . 2008-11-24 10:27 d-------- c:\temp\google
2008-11-24 09:41 . 2008-11-24 11:45 d-------- c:\documents and settings\All Users\Application Data\SITEguard
2008-11-24 09:40 . 2008-11-24 09:40 d-------- c:\program files\Common Files\iS3
2008-11-24 09:40 . 2008-11-24 12:08 d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
2008-11-24 09:19 . 2008-11-25 14:12 d-a------ c:\documents and settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 06:43 --------- d-----w c:\program files\Common Files\Adobe
2008-11-26 06:37 --------- d-----w c:\program files\Windows Live
2008-11-26 06:36 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-26 06:33 --------- d-----w c:\program files\Google
2008-11-26 06:25 --------- d-----w c:\program files\Windows Media Connect 2
2008-11-26 01:54 --------- d-----w c:\program files\Java
2008-11-25 23:50 105,472 ----a-w c:\windows\system32\ynwnwlj.dll
2008-11-25 14:38 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-24 18:11 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-24 17:54 --------- d-----w c:\documents and settings\All Users\Application Data\PCPitstop
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-04 16:37 --------- d-----w c:\program files\JumpStart
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-27 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-12 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="-" [X]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"Lexmark X74-X75"="c:\program files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 57344]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Mobile User VPN.lnk - c:\program files\WatchGuard\Mobile User VPN\SafeCfg.exe [2006-06-08 65588]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\WatchGuard\\Mobile User VPN\\IreIKE.exe"=
"c:\program files\WatchGuard\Mobile User VPN\ViewLog.exe"= c:\program files\WatchGuard\Mobile User VPN\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog
"c:\program files\WatchGuard\Mobile User VPN\CmonApp.exe"= c:\program files\WatchGuard\Mobile User VPN\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp
"c:\program files\WatchGuard\Mobile User VPN\vpn.exe"= c:\program files\WatchGuard\Mobile User VPN\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"38750:TCP"= 38750:TCP:@xpsp2res.dll
"2552:TCP"= 2552:TCP:@xpsp2res.dll
"80:TCP"= 80:TCP:@xpsp2res.dll,-22009
"36875:TCP"= 36875:TCP:@xpsp2res.dll
"49480:TCP"= 49480:TCP:@xpsp2res.dll
"7529:TCP"= 7529:TCP:@xpsp2res.dll
"5908:TCP"= 5908:TCP:@xpsp2res.dll
"60232:TCP"= 60232:TCP:@xpsp2res.dll,-22009
"58952:TCP"= 58952:TCP:@xpsp2res.dll,-22009
"60766:TCP"= 60766:TCP:@xpsp2res.dll,-22009
"33272:TCP"= 33272:TCP:@xpsp2res.dll,-22009
"32080:TCP"= 32080:TCP:@xpsp2res.dll,-22009
"36756:TCP"= 36756:TCP:@xpsp2res.dll,-22009
"62486:TCP"= 62486:TCP:@xpsp2res.dll,-22009
"2571:TCP"= 2571:TCP:@xpsp2res.dll,-22009
"50044:TCP"= 50044:TCP:@xpsp2res.dll,-22009
"63081:TCP"= 63081:TCP:@xpsp2res.dll,-22009
"49686:TCP"= 49686:TCP:@xpsp2res.dll,-22009

R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [2006-06-08 521786]
R2 IPSECDRV;SafeNet IPSec Plugin;\??\c:\windows\system32\Drivers\IPSECDRV.sys [2006-06-08 119864]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\DRIVERS\vap.sys [2006-06-08 36188]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
HKCU-Run-Uniblue Registry Booster2 - c:\program files\Uniblue\RegistryBooster2\RegistryBooster.exe
HKLM-Run-PC Pitstop Optimize Reminder - c:\program files\PCPitstop\Optimize2\Reminder.exe
HKLM-Run-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
HKLM-Run-ANTIVIRUS - c:\program files\WAV\wav.exe
HKLM-Explorer_Run-QuickTime Task - c:\program files\WebMediaViewer\qttask.exe
HKLM-Explorer_Run-VMware hptray - c:\program files\WebMediaViewer\hpmon.exe



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-26 12:17:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-26 12:18:26
ComboFix-quarantined-files.txt 2008-11-26 18:18:01
ComboFix2.txt 2008-11-26 00:50:40

Pre-Run: 11,264,774,144 bytes free
Post-Run: 11,288,416,256 bytes free

156 --- E O F --- 2008-09-20 14:45:28

Re: Window Antivirus

Last round.

Now open a new notepad file.
Input this into the notepad file:

c:\windows\system32\ynwnwlj.dll


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
[image: Window Antivirus Sfxdaw]

This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.

Re: Window Antivirus

here ya go

ComboFix 08-11-26.03 - Administrator 2008-11-26 12:36:35.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.88 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFscript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.

2008-11-26 00:42 . 2008-11-26 00:42 23,392 --a------ c:\windows\system32\nscompat.tlb
2008-11-26 00:42 . 2008-11-26 00:42 16,832 --a------ c:\windows\system32\amcompat.tlb
2008-11-26 00:32 . 2008-11-26 00:42 d-------- c:\windows\SxsCaPendDel
2008-11-25 19:50 . 2008-11-25 19:49 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-25 19:42 . 2008-11-25 19:49 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-25 16:48 . 2008-11-25 16:48 250 --a------ c:\windows\gmer.ini
2008-11-25 08:31 . 2008-11-25 08:31 d-------- c:\program files\Common Files\Download Manager
2008-11-25 08:19 . 2008-11-25 08:27 d-------- c:\program files\Perfect Uninstaller
2008-11-24 22:28 . 2007-09-02 20:56 1,686,016 --a------ c:\windows\system32\clinetsuitex6.ocx
2008-11-24 22:28 . 2004-03-09 16:45 662,288 --a------ c:\windows\system32\MSCOMCT2.OCX
2008-11-24 22:28 . 2004-06-14 14:56 427,864 --a------ c:\windows\system32\XceedZip.dll
2008-11-24 20:11 . 2008-11-25 22:32 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-24 20:11 . 2008-11-24 20:11 1,409 --a------ c:\windows\QTFont.for
2008-11-24 11:43 . 2008-11-24 16:33 d-------- c:\program files\Spybot - Search & Destroy
2008-11-24 11:43 . 2008-11-24 19:12 d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-24 11:25 . 2008-11-24 11:25 0 --a------ c:\windows\nsreg.dat
2008-11-24 10:27 . 2008-11-24 10:27 d-------- c:\temp\google
2008-11-24 09:41 . 2008-11-24 11:45 d-------- c:\documents and settings\All Users\Application Data\SITEguard
2008-11-24 09:40 . 2008-11-24 09:40 d-------- c:\program files\Common Files\iS3
2008-11-24 09:40 . 2008-11-24 12:08 d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
2008-11-24 09:19 . 2008-11-25 14:12 d-a------ c:\documents and settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 06:43 --------- d-----w c:\program files\Common Files\Adobe
2008-11-26 06:37 --------- d-----w c:\program files\Windows Live
2008-11-26 06:36 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-26 06:33 --------- d-----w c:\program files\Google
2008-11-26 06:25 --------- d-----w c:\program files\Windows Media Connect 2
2008-11-26 01:54 --------- d-----w c:\program files\Java
2008-11-25 14:38 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-24 18:11 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-24 17:54 --------- d-----w c:\documents and settings\All Users\Application Data\PCPitstop
2008-10-04 16:37 --------- d-----w c:\program files\JumpStart
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-27 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-12 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="-" [X]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"Lexmark X74-X75"="c:\program files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 57344]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Mobile User VPN.lnk - c:\program files\WatchGuard\Mobile User VPN\SafeCfg.exe [2006-06-08 65588]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\WatchGuard\\Mobile User VPN\\IreIKE.exe"=
"c:\program files\WatchGuard\Mobile User VPN\ViewLog.exe"= c:\program files\WatchGuard\Mobile User VPN\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog
"c:\program files\WatchGuard\Mobile User VPN\CmonApp.exe"= c:\program files\WatchGuard\Mobile User VPN\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp
"c:\program files\WatchGuard\Mobile User VPN\vpn.exe"= c:\program files\WatchGuard\Mobile User VPN\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"38750:TCP"= 38750:TCP:@xpsp2res.dll
"2552:TCP"= 2552:TCP:@xpsp2res.dll
"80:TCP"= 80:TCP:@xpsp2res.dll,-22009
"36875:TCP"= 36875:TCP:@xpsp2res.dll
"49480:TCP"= 49480:TCP:@xpsp2res.dll
"7529:TCP"= 7529:TCP:@xpsp2res.dll
"5908:TCP"= 5908:TCP:@xpsp2res.dll
"60232:TCP"= 60232:TCP:@xpsp2res.dll,-22009
"58952:TCP"= 58952:TCP:@xpsp2res.dll,-22009
"60766:TCP"= 60766:TCP:@xpsp2res.dll,-22009
"33272:TCP"= 33272:TCP:@xpsp2res.dll,-22009
"32080:TCP"= 32080:TCP:@xpsp2res.dll,-22009
"36756:TCP"= 36756:TCP:@xpsp2res.dll,-22009
"62486:TCP"= 62486:TCP:@xpsp2res.dll,-22009
"2571:TCP"= 2571:TCP:@xpsp2res.dll,-22009
"50044:TCP"= 50044:TCP:@xpsp2res.dll,-22009
"63081:TCP"= 63081:TCP:@xpsp2res.dll,-22009
"49686:TCP"= 49686:TCP:@xpsp2res.dll,-22009

R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [2006-06-08 521786]
R2 IPSECDRV;SafeNet IPSec Plugin;\??\c:\windows\system32\Drivers\IPSECDRV.sys [2006-06-08 119864]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\DRIVERS\vap.sys [2006-06-08 36188]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-26 12:37:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-26 12:39:01
ComboFix-quarantined-files.txt 2008-11-26 18:38:44
ComboFix2.txt 2008-11-26 18:18:28
ComboFix3.txt 2008-11-26 00:50:40

Pre-Run: 11,270,111,232 bytes free
Post-Run: 11,261,571,072 bytes free

110 --- E O F --- 2008-09-20 14:45:28

Re: Window Antivirus

Hello Chris.
Log looks clean again.
Delete this folder again:
C:\Qoobox

Please read my prevention speech from the other thread, and please be careful in future.

Re: Window Antivirus

thanks, the problem is there are a couple of peeps who use this machine. I thought I did download the preventative measures; in short, I will be careful. thanks
Chris

Re: Window Antivirus

Hello.
I know this will be hard for whoever uses your machine, but if I were you, I wouldn't let them use it.

Re: Window Antivirus

yea that's gonna be a problem

thanks again
chris
