Frustrating Virus/trojan

Alrighty, a few days ago I got a pop-up stating I was infected and should download some spyware. Of course, I knew it was bogus and didn't click on it. However, I could not get the pop-up to go away, so I shut down my pc. Upon restart, the same pop-up showed up, and after 10 seconds, my system automatically restarted. I started up in safe mode, ran HiJack This, SmitFraudFix, and SpyBot S&D, which got rid of the pop-up and allowed me to run in normal mode. Since then, I have downloaded and installed BD and have been in the process of cleaning up my pc but still have some strange things going on.


First, my pc will not run disk defrag even though I have enough available disk space (18%) and have manually gone in and had it reinstall. In addition, I know whatever it is that infected my pc is still there because I still get redirected to advertiser and miscellaneous websites when using Firefox or Explorer, particularly when trying to reach sites related to anti-spyware and Microsoft as well. On top of that, this infection has hijacked my security settings in some way in that it is preventing me from downloading files from the internet such as some recommended by this site.


My latest scan by BD found an infection called Java.Trojan.Exploit.Bytverify in a zip file located at C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-6425549-4fdf55b2 which contains 2 files, baaaa.baa.class and dvnny.class. For some reason, BD was not able to delete these files or do anything else. Right now, I'm kind of at a loss as to what to do. Any help would be greatly appreciated.

Comments

  • rootkit
    edited September 2008

    http://www.atribune.org/ccount/click.php?id=1


    Please download ATF Cleaner by Atribune.


    Double-click ATF-Cleaner.exe to run the program.


    Under Main choose: Select All


    Click the Empty Selected button.


    Post the BitDefender scan log here. :)

  • I got hit yesterday with several trojans and malware. Have 3 left which BD is "hopefully" working on since I haven't heard back yet. One of the trojans I was able to remove was Java.Trojan.Exploit.Bytverify.


    1. Disable the real-time protection


    2. Clean up your browser cache


    3. Clean the temporary files


    4. Enable the real time protection


    I followed these instructions and got rid of the Trojan.Exploit.Bytverify.


    Won't hurt giving this a try. :rolleyes:

  • original6
    edited September 2008

    Corona and crysty2k5, I have done as you suggested. Here is the latest BD scan log. Note that no problems were detected this time. ;) However, I don't like that SpyHunter has so many files unchecked. This program is not even actively running on my pc nor does it show up on the install/uninstall list. Hmmm....


    Attachment: BDlog090208.xml

  • Hello original6,


    For your redirecting problem, do what I wrote here.


    Can you please download ComboFix and save it to the root of your hard disk. Print the following instructions and read them carefully. Please post the output of the scan in your next post, so I or someone else can see if there are still some infections.


    Kind regards,


    Niels

  • csalgau
    edited September 2008

    As far as I see all SpyHunter files are in the SpyBot undo archive. There's nothing wrong with that.

  • Alrighty, Niels. Here's my ComboFix log. I think my system is running clean now.


    ComboFix 08-09-04.02 - Steve 2008-09-04 19:35:06.3 - NTFSx86


    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.588 [GMT -5:00]


    Running from: C:\Documents and Settings\Steve\Desktop\ComboFix.exe


    Command switches used :: C:\Documents and Settings\Steve\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe


    * Created a new restore point


    .


    ((((((((((((((((((((((((( Files Created from 2008-08-05 to 2008-09-05 )))))))))))))))))))))))))))))))


    .


    2008-08-31 23:09 . 2008-08-31 23:09 <DIR> d-------- C:\Program Files\ATI Technologies


    2008-08-31 23:01 . 2008-08-31 23:01 <DIR> d-------- C:\Program Files\Safari


    2008-08-31 22:23 . 2008-08-31 22:23 56,564 --ah----- C:\WINDOWS\system32\mlfcache.dat


    2008-08-30 03:27 . 2008-08-30 03:27 <DIR> d-------- C:\Program Files\MSXML 6.0


    2008-08-30 03:05 . 2008-08-31 22:43 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak


    2008-08-30 02:50 . 2008-08-30 02:50 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\Research In Motion


    2008-08-30 02:50 . 2008-08-30 03:02 256 --a------ C:\WINDOWS\system32\pool.bin


    2008-08-30 02:20 . 2008-08-30 02:20 850 --a------ C:\WINDOWS\system32\ProductTweaks.xml


    2008-08-30 02:20 . 2008-08-30 02:20 385 --a------ C:\WINDOWS\system32\user_gensett.xml


    2008-08-30 02:17 . 2008-08-30 02:17 <DIR> d-------- C:\WINDOWS\system32\logs


    2008-08-30 02:17 . 2008-08-30 02:17 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\BitDefender


    2008-08-30 02:17 . 2008-08-30 02:20 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\BitDefender


    2008-08-30 02:15 . 2008-08-30 02:17 <DIR> d-------- C:\Program Files\Common Files\BitDefender


    2008-08-30 01:28 . 2008-08-30 01:28 <DIR> d-------- C:\Program Files\Common Files\Borland Shared


    2008-08-30 01:27 . 2008-08-30 01:27 <DIR> d-------- C:\Program Files\Common Files\SWF Studio


    2008-08-30 01:05 . 2008-08-30 01:06 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\sldIM


    2008-08-30 01:04 . 2008-08-30 01:04 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\SolidWorksNewsReader


    2008-08-30 01:00 . 2008-08-30 01:00 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SolidWorks


    2008-08-30 00:58 . 2008-08-30 00:58 <DIR> d-------- C:\Program Files\SolidWorks Installation Manager


    2008-08-30 00:25 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl


    2008-08-29 21:42 . 2008-08-29 21:42 <DIR> d----c--- C:\VundoFix Backups


    2008-08-29 21:35 . 2008-08-29 21:35 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\Apple Computer


    2008-08-29 21:31 . 2003-08-15 14:36 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\MSN6


    2008-08-29 21:31 . 2003-08-15 21:03 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\AdobeUM


    2008-08-29 21:31 . 2008-08-29 21:31 <DIR> d----c--- C:\Documents and Settings\Administrator


    2008-08-29 19:06 . 2008-08-29 19:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy


    2008-08-29 01:34 . 2008-08-29 01:34 <DIR> d--h----- C:\WINDOWS\PIF


    2008-08-28 23:26 . 2008-08-28 23:26 12,288 --a------ C:\WINDOWS\system32\tdssserf.dll


    2008-08-14 18:54 . 2008-08-14 18:54 102,208 --a------ C:\WINDOWS\system32\drivers\bdfndisf.sys


    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


    .


    2008-09-02 00:46 --------- d-----w C:\Documents and Settings\Steve\Application Data\SolidWorks


    2008-09-01 20:21 --------- d-----w C:\Documents and Settings\Steve\Application Data\U3


    2008-08-30 08:18 --------- d-----w C:\Program Files\Microsoft ActiveSync


    2008-08-30 05:59 --------- d-----w C:\Program Files\Common Files\SolidWorks Shared


    2008-08-30 05:57 --------- d-----w C:\Program Files\Common Files\eDrawings2007


    2008-08-30 05:25 --------- d-----w C:\Program Files\Java


    2008-08-30 02:18 --------- d-----w C:\Program Files\Common Files\Scanner


    2008-07-26 16:38 --------- d-----w C:\Documents and Settings\Steve\Application Data\Apple Computer


    2008-07-24 11:01 --------- d-----w C:\Program Files\iPod


    2008-07-10 14:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys


    2008-03-02 00:14 528 -c--a-w C:\Program Files\Shortcut to microsoft frontpage.lnk


    2006-07-30 01:08 32 -csha-w C:\WINDOWS\{A5B063EF-75F2-4839-AB7C-2C0013992813}.dat


    2006-07-30 01:08 32 -csha-w C:\WINDOWS\system32\{CBED5F42-E2FF-41D9-8C12-1B4091EA425A}.dat


    .


    ((((((((((((((((((((((((((((( snapshot@2008-09-01_15.54.09.31 )))))))))))))))))))))))))))))))))))))))))


    .


    - 2008-09-01 20:43:35 64,314 ----a-w C:\WINDOWS\system32\perfc009.dat


    + 2008-09-03 01:07:11 64,314 ----a-w C:\WINDOWS\system32\perfc009.dat


    - 2008-09-01 20:43:35 408,792 ----a-w C:\WINDOWS\system32\perfh009.dat


    + 2008-09-03 01:07:11 408,792 ----a-w C:\WINDOWS\system32\perfh009.dat


    .


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    .


    .


    *Note* empty entries & legit default entries are not shown


    REGEDIT4


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]


    "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]


    "BDAgent"="D:\Program Files\BitDefender\BitDefender 2009\bdagent.exe" [2008-08-14 716800]


    "BitDefender Antiphishing Helper"="D:\Program Files\BitDefender\BitDefender 2009\IEShow.exe" [2008-08-10 69632]


    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]


    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]


    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]


    "VIDC.dvsd"= pdvcodec.dll


    "vidc.ffds"= ffdshow.ax


    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]


    Notification Packages REG_MULTI_SZ scecli scecli


    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]


    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk


    backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup


    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]


    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk


    backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup


    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]


    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk


    backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup


    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]


    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk


    backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup


    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Norton Internet Security.lnk]


    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Norton Internet Security.lnk


    backup=C:\WINDOWS\pss\Norton Internet Security.lnkCommon Startup


    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]


    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk


    backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup


    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]


    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk


    backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup


    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]


    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk


    backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]


    C:\WINDOWS\system32\dumprep 0 -k [X]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]


    --a--c--- 2003-03-03 13:04 54520 C:\Program Files\Common Files\Symantec Shared\ccApp.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]


    --a--c--- 2003-03-03 13:04 58616 C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]


    --a------ 2002-08-20 12:29 40960 C:\WINDOWS\system32\ezSP_Px.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]


    --a--c--- 2003-04-07 02:07 114688 C:\WINDOWS\system32\hkcmd.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]


    --a------ 2005-05-12 00:12 49152 D:\Program Files\HP\HP Software Update\hpwuSchd2.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]


    --a--c--- 2002-07-24 23:20 28672 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]


    --a------ 2003-07-16 13:22 4743168 C:\WINDOWS\system32\nvcpl.dll


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RIS2PostReboot]


    --a------ 2005-05-12 00:12 49152 D:\Program Files\HP\HP Software Update\hpwuSchd2.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]


    --a--c--- 2005-11-10 13:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]


    --a--c--- 2003-04-20 00:08 28672 C:\WINDOWS\SONYSYS\VAIO Recovery\PartSeal.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZTgServerSwitch]


    --a--c--- 2003-06-23 19:32 1409024 c:\Program Files\support.com\client\bin\tgcmd.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]


    --a--c--- 2003-05-23 12:43 88363 C:\WINDOWS\AGRSMMSG.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]


    --a--c--- 2003-07-02 19:51 28672 C:\WINDOWS\system32\cthelper.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]


    --a--c--- 2003-07-16 13:22 323584 C:\WINDOWS\system32\nwiz.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]


    "wuauserv"=2 (0x2)


    "Bonjour Service"=2 (0x2)


    [HKEY_LOCAL_MACHINE\software\microsoft\security center]


    "AntiVirusOverride"=dword:00000001


    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]


    "EnableFirewall"= 0 (0x0)


    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]


    "%windir%\\system32\\sessmgr.exe"=


    "C:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=


    "C:\\Program Files\\Messenger\\msmsgs.exe"=


    "D:\\Program Files\\AIM\\aim.exe"=


    "D:\\Program Files\\Ubisoft\\Gearbox Software\\BrothersInArmsEiB\\System\\EiB.exe"=


    "D:\\Program Files\\Eagletron\\DVdriver\\dvdriver.exe"=


    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=


    "C:\\Program Files\\MSN\\MSNCoreFiles\\msn6.exe"=


    "D:\\Program Files\\7-Zip\\7zFM.exe"=


    "D:\\Program Files\\Trillian\\trillian.exe"=


    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=


    "C:\\Program Files\\MSN Messenger\\livecall.exe"=


    "C:\\WINDOWS\\system32\\dpvsetup.exe"=


    "D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=


    "D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=


    "D:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=


    "D:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=


    "D:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=


    "D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=


    "D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=


    "D:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=


    "D:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=


    "D:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=


    "D:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=


    "D:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=


    "D:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=


    "D:\\Program Files\\The Print Shop 21\\tps.exe"=


    "D:\\Program Files\\LEGO MINDSTORMS\\RIS 2.0\\RIS2.exe"=


    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager


    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager


    "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application


    "D:\\Program Files\\itunes\\iTunes.exe"=


    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service


    R2 BDVEDISK;BDVEDISK;D:\Program Files\BitDefender\BitDefender 2009\BDVEDISK.sys [2008-07-02 82568]


    R2 DVDRIVER;DVdriver;C:\WINDOWS\system32\DRIVERS\dvdriver.sys [2005-08-29 30296]


    R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-08-14 102208]


    R3 LTower;LEGO USB Tower Driver;C:\WINDOWS\system32\Drivers\LTower.sys [2004-01-22 39936]


    S3 Arrakis3;BitDefender Arrakis Server;C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]


    S3 CamdDriverV32;CamdDriverV32;C:\WINDOWS\system32\drivers\CamdDriverV32.sys [2008-06-04 508544]


    S3 CamdVideo32;CamdVideo32;C:\WINDOWS\system32\DRIVERS\CamdVideo32.sys [2008-06-04 3768]


    S4 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]


    bdx REG_MULTI_SZ scan


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]


    \Shell\AutoRun\command - G:\LaunchU3.exe


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31150e90-fd31-11db-81dd-000c6ef632ab}]


    \Shell\AutoRun\command - J:\LaunchU3.exe -a


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e1f5fc7-228f-11db-8152-000f666e420a}]


    \Shell\AutoRun\command - K:\setupSNK.exe


    .


    Contents of the 'Scheduled Tasks' folder


    .


    .


    ------- Supplementary Scan -------


    .


    FireFox -: Profile - C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\yj3y854j.default\


    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official


    FF -: plugin - C:\Program Files\Real\RealOne Player\Netscape6\nppl3260.dll


    FF -: plugin - C:\Program Files\Real\RealOne Player\Netscape6\nprjplug.dll


    FF -: plugin - C:\Program Files\Real\RealOne Player\Netscape6\nprpjplug.dll


    FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll


    FF -: plugin - D:\Program Files\itunes\Mozilla Plugins\npitunes.dll


    FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\npnul32.dll


    FF -: plugin - d:\program files\Plugins\npqtplugin.dll


    FF -: plugin - d:\program files\Plugins\npqtplugin2.dll


    FF -: plugin - d:\program files\Plugins\npqtplugin3.dll


    FF -: plugin - d:\program files\Plugins\npqtplugin4.dll


    FF -: plugin - d:\program files\Plugins\npqtplugin5.dll


    FF -: plugin - d:\program files\Plugins\npqtplugin6.dll


    FF -: plugin - d:\program files\Plugins\npqtplugin7.dll


    .


    **************************************************************************


    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net


    Rootkit scan 2008-09-04 19:39:13


    Windows 5.1.2600 Service Pack 2 NTFS


    scanning hidden processes ...


    scanning hidden autostart entries ...


    scanning hidden files ...


    scan completed successfully


    hidden files: 0


    **************************************************************************


    .


    --------------------- DLLs Loaded Under Running Processes ---------------------


    PROCESS: C:\WINDOWS\explorer.exe


    -> ?:\WINDOWS\system32\ATL.DLL


    .


    ------------------------ Other Running Processes ------------------------


    .


    C:\WINDOWS\system32\ati2evxx.exe


    D:\Program Files\BitDefender\BitDefender 2009\vsserv.exe


    C:\WINDOWS\system32\ati2evxx.exe


    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe


    C:\Program Files\Norton Internet Security\NISUM.EXE


    C:\Program Files\Norton Internet Security\ccPxySvc.exe


    C:\WINDOWS\system32\wscntfy.exe


    C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe


    C:\PROGRA~1\MI3AA1~1\rapimgr.exe


    D:\Program Files\BitDefender\BitDefender 2009\seccenter.exe


    C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe


    C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe


    .


    **************************************************************************


    .


    Completion time: 2008-09-04 19:46:36 - machine was rebooted


    ComboFix-quarantined-files.txt 2008-09-05 00:46:22


    ComboFix2.txt 2008-09-01 20:55:17


    Pre-Run: 2,259,210,240 bytes free


    Post-Run: 2,240,651,264 bytes free


    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe


    [boot loader]


    timeout=2


    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS


    [operating systems]


    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons


    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn


    259 --- E O F --- 2008-09-01 01:25:40

  • Hello original6,


    I can still see 1 leftover:


    C:\WINDOWS\system32\tdssserf.dll


    Please do this: press the Windows key together with R, then type this:


    regsvr32 -u "C:\WINDOWS\system32\tdssserf.dll" and press Enter.


    After you have done that please open wordpad and write:


    FILE::


    C:\WINDOWS\system32\tdssserf.dll


    You need to save the file as CFscript.


    Now drag and drop the CFscript file onto the ComboFix icon.


    I could also see some remnants of Norton (Symantec). You can use this tool to remove the leftovers.


    Kind regards,


    Niels
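
Reading ComboFix output by hand, as Niels did above to spot the tdssserf.dll leftover, is the kind of triage that can be scripted. The following is an added example, not part of this thread and not ComboFix's own code: it parses the "Files Created" and "Reg Loading Points" line formats shown in the posted log, flags freshly created binaries under system32, and flags the two protection-disabling registry values that appear in it (AntiVirusOverride and EnableFirewall). The sample lines are copied from the posted log; the filter rules are my own assumptions, and the output is a list of review candidates rather than a verdict (legitimate Java and BitDefender files land in the same list).

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix report posted in this thread.
SAMPLE_LOG = r"""
2008-08-31 22:23 . 2008-08-31 22:23 56,564 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-08-30 02:17 . 2008-08-30 02:17 <DIR> d-------- C:\WINDOWS\system32\logs
2008-08-30 00:25 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-28 23:26 . 2008-08-28 23:26 12,288 --a------ C:\WINDOWS\system32\tdssserf.dll
2008-08-14 18:54 . 2008-08-14 18:54 102,208 --a------ C:\WINDOWS\system32\drivers\bdfndisf.sys
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# "Files Created" entry: created . modified  size-or-<DIR>  attributes  path
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(<DIR>|[\d,]+)\s+(\S{9})\s+(.+)$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')

BINARY_EXT = (".dll", ".sys", ".exe", ".cpl")
SYSTEM_DIR = "c:\\windows\\system32\\"

# Registry values that switch built-in protection off, written as ComboFix prints them.
# (key fragment, value name) -> value that indicates protection is disabled
WEAKENED = {
    ("security center", "AntiVirusOverride"): "dword:00000001",
    ("firewallpolicy\\standardprofile", "EnableFirewall"): "0 (0x0)",
}


@dataclass
class Finding:
    kind: str    # "new-system-binary" or "weakened-setting"
    detail: str


def triage(log_text):
    """Return review candidates from a ComboFix log: binaries created under
    system32 during the report window, and registry values that disable
    the Security Center AV check or the Windows firewall."""
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        fm = FILE_RE.match(line)
        if fm:
            created, _modified, size, _attrs, path = fm.groups()
            low = path.lower()
            if size != "<DIR>" and low.startswith(SYSTEM_DIR) and low.endswith(BINARY_EXT):
                findings.append(Finding("new-system-binary",
                                        f"{path} ({size} bytes, created {created})"))
            continue
        km = REG_KEY_RE.match(line)
        if km:
            current_key = km.group(1).lower()   # values that follow belong to this key
            continue
        vm = REG_VALUE_RE.match(line)
        if vm and current_key:
            name, value = vm.group(1), vm.group(2).strip()
            for (key_part, setting), bad_value in WEAKENED.items():
                if key_part in current_key and name == setting and value == bad_value:
                    findings.append(Finding("weakened-setting",
                                            f"{name}={value} under [{current_key}]"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:20} {f.detail}")
```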