Author Topic: Virus? (Read 33664 times)

Neik · « **Reply #30 on:** August 27, 2007, 07:40:15 PM »

Quote from: patio on August 27, 2007, 07:38:13 PM

You don't have a virus...you have a sister !

Just kiddin...someone should be along shortly.

lol!

true,

Update: Scanned with SUPERantispy, Found 34 infections, Adware now cleaned. I will tell you if things have been okay now

CBMatt · « **Reply #31 on:** August 28, 2007, 02:40:58 AM »

This entry should be fixed...

O4 - HKCU\..\Run: [Name Creative] C:\DOCUME~1\Owner\APPLIC~1\CHICID~1\extragluecdrom.exe

You also need to delete the following folder...
C:\Documents and Settings\Owner\Application Data\chicidledeaf

Once you have done that...
Download ComboFix and save it to your desktop. Run the program and read its disclaimer (it's fairly short) and make sure you really pay attention to what it says. Follow the prompts and when finished, it will produce a log at C:\ComboFix.txt. Go ahead and post that here. Note: Don't click on the window while it's running; this may cause stalls.

Neik · « **Reply #32 on:** August 28, 2007, 12:19:49 PM »

The link for ComboFix does not work, if tried googling it, but it comes with the same broken link.

Fed · « **Reply #33 on:** August 28, 2007, 07:33:26 PM »

It's a broken link Neik, try Google again later on.

F5 to get into safe mode, what's this about?
Safe mode is a Windows function, nothing to do with mobos is it?

Neik · « **Reply #34 on:** August 28, 2007, 08:30:06 PM »

Quote from: Fed on August 28, 2007, 07:33:26 PM

It's a broken link Neik, try Google again later on.

F5 to get into safe mode, what's this about?
Safe mode is a Windows function, nothing to do with mobos is it?

I'm not sure, but for my old motherboard i replaced I remember pressing F8 or something to access SafeMode, I think $:-\$ It use to be a Sony Vaio, I've seen different brand computers like Dell and MDG have to press different buttons like F8 to get in

I still can't find ComboFix on google, they all provide the same link which is broken

Fed · « **Reply #35 on:** August 28, 2007, 08:54:19 PM »

I expect then you have seen where ComboFix was taken offline earlier this year, perhaps it has happened again.
I'd give it a day to see what comes out on the net, I have a fresh ComboFix sitting on my desktop that I can upload (1.4Mbs) but I'm reluctant to do that in case ComboFix has a problem we're unaware of yet.
Have patience.

EDIT: As I suspected...
http://forums.spybot.info/showthread.php?t=17284

CBMatt · « **Reply #36 on:** August 29, 2007, 06:32:47 AM »

Odd... The link is working for me, so perhaps ComboFix has been un-pulled. I don't really know what the situation is and I'm far too tired to look into it right now, but I will ASAP.

Neik · « **Reply #37 on:** August 29, 2007, 01:07:23 PM »

Alright thanks, I will wait

Fed · « **Reply #38 on:** August 29, 2007, 01:20:48 PM »

Neik, it was back when CBMatt posted.

Neik · « **Reply #39 on:** August 30, 2007, 02:03:29 PM »

Okay I downloaded it and ran the program, Heres the log

ComboFix 07-08-30.3 - "Owner" 2007-08-30 15:54:13.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1131 [GMT -4:00]

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\Owner\APPLIC~1\microsoft\internet explorer\quick launch\intern~1.lnk
C:\DOCUME~1\Owner\Desktop\internet explorer.lnk

((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-30 )))))))))))))))))))))))))))))))

2007-08-30 15:53   51,200   --a------   C:\WINDOWS\nircmd.exe
2007-08-27 20:37   <DIR>   d--------   C:\DOCUME~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2007-08-27 20:37   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-27 00:30   <DIR>   d--------   C:\Program Files\chicidledeaf
2007-08-25 13:23   <DIR>   d--------   C:\Program Files\Windows Live
2007-08-25 13:23   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\WLInstaller
2007-08-25 13:23   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\WindowsLiveInstaller
2007-08-24 23:29   <DIR>   d--------   C:\WINDOWS\SxsCaPendDel
2007-08-21 15:51   512,096   --a------   C:\WINDOWS\system32\drivers\amon.sys
2007-08-21 15:51   298,104   --a------   C:\WINDOWS\system32\imon.dll
2007-08-21 15:51   15,424   --a------   C:\WINDOWS\system32\drivers\nod32drv.sys
2007-08-21 13:07   <DIR>   d--------   C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-08-20 18:49   <DIR>   d--------   C:\Program Files\Windows Media Connect 2
2007-08-20 18:44   <DIR>   d--------   C:\WINDOWS\system32\LogFiles
2007-08-20 18:44   <DIR>   d--------   C:\WINDOWS\system32\drivers\UMDF
2007-08-15 15:50   23,864   --a------   C:\WINDOWS\system32\drivers\sskbfd.sys
2007-08-15 15:50   21,816   --a------   C:\WINDOWS\system32\drivers\sshrmd.sys
2007-08-15 15:50   20,280   --a------   C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2007-08-15 15:50   163,128   --a------   C:\WINDOWS\system32\drivers\ssidrv.sys
2007-08-15 15:50   1,521,464   --a------   C:\WINDOWS\WRSetup.dll
2007-08-15 15:50   <DIR>   d--------   C:\DOCUME~1\Owner\APPLIC~1\Webroot
2007-08-15 15:50   <DIR>   d--------   C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-08-15 15:50   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-08-14 23:03   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Screaming Bee
2007-08-13 23:32   0   -ra------   C:\logwmemory.bin
2007-08-13 23:30   <DIR>   d--------   C:\DOCUME~1\Owner\APPLIC~1\Soldat
2007-08-08 14:14   <DIR>   d--------   C:\DOCUME~1\Owner\APPLIC~1\Screaming Bee
2007-08-08 14:13   <DIR>   d--------   C:\Program Files\Common Files\Screaming Bee
2007-08-06 11:15   <DIR>   d--------   C:\Program Files\ATI Technologies
2007-08-06 11:11   520,192   ---------   C:\WINDOWS\system32\ati2sgag.exe
2007-07-23 22:39   51,072   --a------   C:\WINDOWS\system32\drivers\ikhlayer.sys
2007-07-23 22:39   30,592   --a------   C:\WINDOWS\system32\drivers\ikhfile.sys
2007-07-19 13:19   <DIR>   d--------   C:\DOCUME~1\Owner\APPLIC~1\Ahead
2007-07-19 13:18   476,320   --a------   C:\WINDOWS\system32\imagXpr7.dll
2007-07-19 13:18   471,040   --a------   C:\WINDOWS\system32\imagXRA7.dll
2007-07-19 13:18   364,544   --a------   C:\WINDOWS\system32\TwnLib4.dll
2007-07-19 13:18   262,144   --a------   C:\WINDOWS\system32\imagXR7.dll
2007-07-19 13:18   1,568,768   --a------   C:\WINDOWS\system32\imagX7.dll
2007-07-19 13:18   <DIR>   d--------   C:\Program Files\Common Files\Ahead
2007-07-18 23:55   <DIR>   d--------   C:\DOCUME~1\Owner\APPLIC~1\IE7Pro
2007-07-17 13:38   <DIR>   d--------   C:\DOCUME~1\Owner\APPLIC~1\Uniblue
2007-07-13 12:43   <DIR>   d--------   C:\DOCUME~1\Owner\APPLIC~1\teamspeak2
2007-07-12 19:31   765,952   -----c---   C:\WINDOWS\system32\dllcache\vgx.dll
2007-07-04 20:39   <DIR>   d--------   C:\DOCUME~1\Owner\APPLIC~1\WinRAR
2007-07-01 16:55   <DIR>   d--------   C:\DOCUME~1\Owner\APPLIC~1\TuneUp Software
2007-07-01 16:54   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\TuneUp Software

Neik · « **Reply #40 on:** August 30, 2007, 02:04:37 PM »

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-30 13:22   ---------   d--------   C:\Program Files\Steam
2007-08-27 20:37   ---------   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2007-08-27 00:29   ---------   d--------   C:\Program Files\Messenger Plus! Live
2007-08-25 13:04   ---------   d--------   C:\Program Files\MSN Messenger
2007-08-23 12:17   ---------   d--------   C:\Program Files\LimeWire
2007-08-19 13:27   ---------   d-a------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-17 13:07   ---------   d--------   C:\Program Files\Winamp
2007-08-06 11:19   ---------   d--h-----   C:\Program Files\InstallShield Installation Information
2007-07-30 19:19   92504   --a------   C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19   549720   --a------   C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19   53080   --a------   C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19   43352   --a------   C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19   325976   --a------   C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19   271224   --a------   C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19   207736   --a------   C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19   203096   --a------   C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19   1712984   --a------   C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18   33624   --a------   C:\WINDOWS\system32\wups.dll
2007-07-23 22:38   ---------   d--------   C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-07-03 22:40   ---------   d--------   C:\Program Files\Starcraft
2007-06-29 16:51   ---------   d--------   C:\DOCUME~1\Owner\APPLIC~1\Google
2007-06-28 17:48   12528   --a------   C:\WINDOWS\system32\drivers\secdrv.sys
2007-06-26 02:08   1104896   --a------   C:\WINDOWS\system32\msxml3.dll
2007-06-19 09:31   282112   --a------   C:\WINDOWS\system32\gdi32.dll
2007-06-18 14:20   564736   --a------   C:\WINDOWS\system32\ah.scr
2007-06-18 14:20   45056   --a------   C:\WINDOWS\system32\sstunst3.exe
2007-06-13 06:23   1033216   --a------   C:\WINDOWS\explorer.exe
2007-06-01 08:20   51568   --a------   C:\WINDOWS\system32\sirenacm.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 19:22 C:\WINDOWS\SOUNDMAN.EXE]
"VTTimer"="VTTimer.exe" [2006-08-03 02:53 C:\WINDOWS\system32\VTTimer.exe]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-08-21 15:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

Neik · « **Reply #41 on:** August 30, 2007, 02:05:00 PM »

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R200 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\holetonsinteronline]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
"C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
C:\Program Files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
C:\WINDOWS\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SHS]
"C:\Program Files\Rogers\SelfHealing\SHS.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Update Manager]
"C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZTgServerSwitch]
c:\program files\support.com\client\lserver\server.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VAIOMediaPlatform-PhotoServer-UPnP"=3 (0x3)
"VAIOMediaPlatform-PhotoServer-HTTP"=3 (0x3)
"VAIOMediaPlatform-PhotoServer-AppServer"=3 (0x3)
"VAIOMediaPlatform-MusicServer-UPnP"=3 (0x3)
"VAIOMediaPlatform-MusicServer-HTTP"=3 (0x3)
"VAIOMediaPlatform-MusicServer-AppServer"=3 (0x3)
"NVSvc"=2 (0x2)
"gusvc"=3 (0x3)

Neik · « **Reply #42 on:** August 30, 2007, 02:05:25 PM »

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
R3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\ScreamingBAudio.sys
S3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINDOWS\system32\DRIVERS\point32.sys
S3 smrt;Sony MPEG RealTime encoder board;C:\WINDOWS\system32\DRIVERS\smrt.sys
S3 SONYWBMS;Sony Memory Stick controller(WB);C:\WINDOWS\system32\DRIVERS\SonyWBMS.SYS

*Newly Created Service* - CATCHME

Contents of the 'Scheduled Tasks' folder
2007-08-24 21:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job - D:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
2007-08-30 19:00:00 C:\WINDOWS\Tasks\AADE655F9362182B.job - c:\docume~1\owner\applic~1\chicid~1\Tool Bird Coal.exe
2006-09-17 15:50:24 C:\WINDOWS\Tasks\Registration reminder 1.job - C:\WINDOWS\System32\OOBE\oobebaln.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-30 15:56:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-30 15:58:22
C:\ComboFix-quarantined-files.txt ... 2007-08-30 15:58

--- E O F ---

CBMatt · « **Reply #43 on:** August 30, 2007, 08:17:08 PM »

You've still got a small trace of Lop on your computer...

Copy everything inside the quote box below (starting with @) and paste it into Notepad. Go up to File > Save As and click the drop-down box to change the "Save As Type" to "All Files". Save it as remlop.bat on your desktop.

Quote

@echo off
cd C:\WINDOWS\Tasks
attrib -r -s -h AADE655F9362182B.job
del AADE655F9362182B.job
exit

Double-click remlop.bat A window will open and close quickly; this is normal.

Have you deleted this folder yet?...
C:\Documents and Settings\Owner\Application Data\chicidledeaf

Another one that needs to be deleted is C:\Program Files\chicidledeaf.

Neik · « **Reply #44 on:** August 30, 2007, 08:45:28 PM »

Yes I have deleted those folders and done the remlop.bat,

Can Nod32 scan C:\Documents and Settings\All Users\Application Data during safe mode and delete viruses? because Application Data seems hidden.

How come Webroot Spysweeper and SUPERantispy didnt remove all the Lop traces that were still on my computer?

Computer Hope Forum

News:

Author Topic: Virus? (Read 33664 times)

Neik

Re: Virus?

CBMatt

Re: Virus?

Neik

Re: Virus?

Fed

Re: Virus?

Neik

Re: Virus?

Fed

Re: Virus?

CBMatt

Re: Virus?

Neik

Re: Virus?

Fed

Re: Virus?

Neik

Re: Virus?

Neik

Re: Virus?

Neik

Re: Virus?

Neik

Re: Virus?

CBMatt

Re: Virus?

Neik

Re: Virus?