  1. #16
    Joined
    Nov 2001
    Location
    I've moved.....I'm over here now.
    Age
    61
    Posts
    7,290

    Re: Virus infection: My IP address is in the black hole range

    I'd also point out that cleaning these infections (any, really) is easier in Safe Mode w/ Networking: things like ZA don't come into play, and neither do most of the infections. Even with some having the ability to start in Safe Mode, they certainly have the same ability in Normal Mode.

  2. #17
    Joined
    Oct 2003
    Location
    Dallas, TX
    Posts
    390

    Re: Virus infection: My IP address is in the black hole range

    I ran VundoFix in normal mode Friday (not safe mode) and it didn't find anything. I sure hope I don't have to go through all those files and keys, that's a lot!

    I got the download link to SmitFraud by closing ZA, thanks. Which exe am I supposed to start? I see several.

    Sick Willie! Ha! What a sig you have...

  3. #18
    Joined
    Nov 2001
    Location
    I've moved.....I'm over here now.
    Age
    61
    Posts
    7,290

    Re: Virus infection: My IP address is in the black hole range

    Quote Originally Posted by nickdank View Post
    I ran VundoFix in normal mode Friday (not safe mode) and it didn't find anything. I sure hope I don't have to go through all those files and keys, that's a lot!

    I got the download link to SmitFraud by closing ZA, thanks. Which exe am I supposed to start? I see several.

    Sick Willie! Ha! What a sig you have...

    Run the .cmd file.

    Oh? Which part?

  4. #19
    Joined
    Oct 2003
    Location
    Dallas, TX
    Posts
    390

    Re: Virus infection: My IP address is in the black hole range

    VundoFix V6.7.8

    Checking Java version...

    Sun Java not detected
    Scan started at 12:41:04 AM 2/22/2008

    Listing files found while scanning....

    No infected files were found.

    SmitFraudFix v2.296

    Scan done at 5:58:45.65, Mon 02/25/2008
    Run from K:\VIRUS TOOLS\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» DNS Before Fix


    »»»»»»»»»»»»»»»»»»»»»»»» DNS After Fix
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    SmitFraudFix v2.296

    Scan done at 6:03:40.23, Mon 02/25/2008
    Run from K:\VIRUS TOOLS\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\LTMSG.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\system32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Home


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Home\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Home\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix
    !!!Attention, following keys are not inevitably infected!!!

    IEDFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» VACFix
    !!!Attention, following keys are not inevitably infected!!!

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS



    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

  5. #20
    Joined
    Oct 2003
    Location
    Dallas, TX
    Posts
    390

    Re: Virus infection: My IP address is in the black hole range

    I removed all system restore points by disabling system restore. ComboFix keeps showing up as a 0-byte file after I download it (on my PC). Twice now I've tried to download it. Maybe I need to shut down ZA first? Got it: the first link was dead. Here's a working link: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    Also, when this HP first boots up I get a red X saying a problem caused Windows Defender Service to stop.
    AVG Anti-Rootkit found nothing. I still can't connect to the net.
    Last edited by nickdank; 02-25-2008 at 08:39 AM.

  6. #21
    Joined
    Oct 2003
    Location
    Dallas, TX
    Posts
    390

    Re: Virus infection: My IP address is in the black hole range

    ComboFix 08-02-25.3 - Home 2008-02-25 6:40:20.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.279 [GMT -6:00]
    Running from: K:\VIRUS TOOLS\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\Documents and Settings\All Users\Application Data\Starware347
    C:\Documents and Settings\All Users\Application Data\Starware347\buttons\FindIt.bmp
    C:\Documents and Settings\All Users\Application Data\Starware347\buttons\FindItHot.bmp
    C:\Documents and Settings\All Users\Application Data\Starware347\buttons\findithotxp.png
    C:\Documents and Settings\All Users\Application Data\Starware347\buttons\finditxp.png
    C:\Documents and Settings\All Users\Application Data\Starware347\buttons\Highlight.bmp
    C:\Documents and Settings\All Users\Application Data\Starware347\buttons\HighlightHot.bmp
    C:\Documents and Settings\All Users\Application Data\Starware347\buttons\highlighthotxp.png
    C:\Documents and Settings\All Users\Application Data\Starware347\buttons\highlightxp.png
    C:\Documents and Settings\All Users\Application Data\Starware347\buttons\jokesearch.bmp
    C:\Documents and Settings\All Users\Application Data\Starware347\buttons\pranks.bmp
    C:\Documents and Settings\All Users\Application Data\Starware347\buttons\starware_toolbar_icon.bmp
    C:\Documents and Settings\All Users\Application Data\Starware347\contexts\error.xml
    C:\Documents and Settings\All Users\Application Data\Starware347\contexts\Related.xml
    C:\Documents and Settings\All Users\Application Data\Starware347\contexts\Travel.xml
    C:\Documents and Settings\All Users\Application Data\Starware347\SimpleUpdate\ProductMessagingConfig.xml
    C:\Documents and Settings\All Users\Application Data\Starware347\SimpleUpdate\ProductMessagingConfig.xml.backup
    C:\Documents and Settings\All Users\Application Data\Starware347\SimpleUpdate\SimpleUpdateConfig.xml
    C:\Documents and Settings\All Users\Application Data\Starware347\SimpleUpdate\SimpleUpdateConfig.xml.backup
    C:\Documents and Settings\All Users\Application Data\Starware347\SimpleUpdate\TimerManagerConfig.xml
    C:\Documents and Settings\All Users\Application Data\Starware347\SimpleUpdate\TimerManagerConfig.xml.backup
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\FunWebProducts
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\FunWebProducts\Data\CaRiSsA\avatar.dat
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\FunWebProducts\Data\CaRiSsA\register.dat
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\FunWebProducts\Data\CaRiSsA\zbucks.dat
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\BrowserSearch\BrowserSearch.xml
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\BrowserSearch\BrowserSearch.xml.backup
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\Configurator\Configurator.xml
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\Configurator\Configurator.xml.backup
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\EntertainmentMarketingSP\EntertainmentMarketingSPOptions.xml
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\EntertainmentMarketingSP\EntertainmentMarketingSPOptions.xml.backup
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\EntertainmentMarketingSP\images\active\EntertainmentMarketingSP0.bmp
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\ErrorSearch\ErrorSearchOptions.xml
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\ErrorSearch\ErrorSearchOptions.xml.backup
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\Games\GamesOptions.xml
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\Games\GamesOptions.xml.backup
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\Games\images\active\Games0.bmp
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\JokeSearch\JokeSearchOptions.xml
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\JokeSearch\JokeSearchOptions.xml.backup
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\Layouts\ToolbarLayout.xml
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\Layouts\ToolbarLayout.xml.backup
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\Manager\ManagerOptions.xml
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\Manager\ManagerOptions.xml.backup
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\Movies\images\active\Movies0.bmp
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\Movies\MoviesOptions.xml
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\Movies\MoviesOptions.xml.backup
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\Pranks\PranksOptions.xml
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\Pranks\PranksOptions.xml.backup
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\RelatedSearch\RelatedSearchOptions.xml
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\RelatedSearch\RelatedSearchOptions.xml.backup
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\ScreensaversMarketingSitePager\images\active\ScreensaversMarketingSitePager0.bmp
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\Tem95.tmp
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\Toolbar\TBProductsOptions.xml
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\Toolbar\TBProductsOptions.xml.backup
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\ToolbarLogo\ToolbarLogoOptions.xml
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\ToolbarLogo\ToolbarLogoOptions.xml.backup
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\ToolbarSearch\ToolbarSearchOptions.xml
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\ToolbarSearch\ToolbarSearchOptions.xml.backup
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\TravelSearch\TravelSearchOptions.xml
    C:\Documents and Settings\CaRiSsA.HOME-2DF2B61AEF\Application Data\Starware347\TravelSearch\TravelSearchOptions.xml.backup
    C:\Documents and Settings\carissa\Application Data\FunWebProducts

  7. #22
    Joined
    Oct 2003
    Location
    Dallas, TX
    Posts
    390

    Re: Virus infection: My IP address is in the black hole range

    C:\Documents and Settings\carissa\Application Data\FunWebProducts\Data\carissa\avatar.dat
    C:\Documents and Settings\carissa\Application Data\FunWebProducts\Data\carissa\register.dat
    C:\Documents and Settings\carissa\Application Data\Starware347
    C:\Documents and Settings\carissa\Application Data\Starware347\BrowserSearch\BrowserSearch.xml
    C:\Documents and Settings\carissa\Application Data\Starware347\BrowserSearch\BrowserSearch.xml.backup
    C:\Documents and Settings\carissa\Application Data\Starware347\Configurator\Configurator.xml
    C:\Documents and Settings\carissa\Application Data\Starware347\Configurator\Configurator.xml.backup
    C:\Documents and Settings\carissa\Application Data\Starware347\EntertainmentMarketingSP\EntertainmentMarketingSPOptions.xml
    C:\Documents and Settings\carissa\Application Data\Starware347\EntertainmentMarketingSP\EntertainmentMarketingSPOptions.xml.backup
    C:\Documents and Settings\carissa\Application Data\Starware347\EntertainmentMarketingSP\images\active\EntertainmentMarketingSP0.bmp
    C:\Documents and Settings\carissa\Application Data\Starware347\ErrorSearch\ErrorSearchOptions.xml
    C:\Documents and Settings\carissa\Application Data\Starware347\ErrorSearch\ErrorSearchOptions.xml.backup
    C:\Documents and Settings\carissa\Application Data\Starware347\Games\GamesOptions.xml
    C:\Documents and Settings\carissa\Application Data\Starware347\Games\GamesOptions.xml.backup
    C:\Documents and Settings\carissa\Application Data\Starware347\Games\images\active\Games0.bmp
    C:\Documents and Settings\carissa\Application Data\Starware347\JokeSearch\JokeSearchOptions.xml
    C:\Documents and Settings\carissa\Application Data\Starware347\JokeSearch\JokeSearchOptions.xml.backup
    C:\Documents and Settings\carissa\Application Data\Starware347\Layouts\ToolbarLayout.xml
    C:\Documents and Settings\carissa\Application Data\Starware347\Layouts\ToolbarLayout.xml.backup
    C:\Documents and Settings\carissa\Application Data\Starware347\Manager\ManagerOptions.xml
    C:\Documents and Settings\carissa\Application Data\Starware347\Manager\ManagerOptions.xml.backup
    C:\Documents and Settings\carissa\Application Data\Starware347\Movies\images\active\Movies0.bmp
    C:\Documents and Settings\carissa\Application Data\Starware347\Movies\MoviesOptions.xml
    C:\Documents and Settings\carissa\Application Data\Starware347\Movies\MoviesOptions.xml.backup
    C:\Documents and Settings\carissa\Application Data\Starware347\Pranks\PranksOptions.xml
    C:\Documents and Settings\carissa\Application Data\Starware347\Pranks\PranksOptions.xml.backup
    C:\Documents and Settings\carissa\Application Data\Starware347\RelatedSearch\RelatedSearchOptions.xml
    C:\Documents and Settings\carissa\Application Data\Starware347\RelatedSearch\RelatedSearchOptions.xml.backup
    C:\Documents and Settings\carissa\Application Data\Starware347\ScreensaversMarketingSitePager\images\active\ScreensaversMarketingSitePager0.bmp
    C:\Documents and Settings\carissa\Application Data\Starware347\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml
    C:\Documents and Settings\carissa\Application Data\Starware347\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup
    C:\Documents and Settings\carissa\Application Data\Starware347\Toolbar\TBProductsOptions.xml
    C:\Documents and Settings\carissa\Application Data\Starware347\Toolbar\TBProductsOptions.xml.backup
    C:\Documents and Settings\carissa\Application Data\Starware347\ToolbarLogo\ToolbarLogoOptions.xml
    C:\Documents and Settings\carissa\Application Data\Starware347\ToolbarLogo\ToolbarLogoOptions.xml.backup
    C:\Documents and Settings\carissa\Application Data\Starware347\ToolbarSearch\ToolbarSearchOptions.xml
    C:\Documents and Settings\carissa\Application Data\Starware347\ToolbarSearch\ToolbarSearchOptions.xml.backup
    C:\Documents and Settings\carissa\Application Data\Starware347\TravelSearch\TravelSearchOptions.xml
    C:\Documents and Settings\carissa\Application Data\Starware347\TravelSearch\TravelSearchOptions.xml.backup
    C:\Documents and Settings\carissa\err.log
    C:\Documents and Settings\Home\Application Data\FunWebProducts
    C:\Documents and Settings\Home\Application Data\FunWebProducts\Data\Home\avatar.dat
    C:\Documents and Settings\Home\Application Data\FunWebProducts\Data\Home\register.dat
    C:\Documents and Settings\Home\Application Data\Starware347
    C:\Documents and Settings\Home\Application Data\Starware347\BrowserSearch\BrowserSearch.xml
    C:\Documents and Settings\Home\Application Data\Starware347\BrowserSearch\BrowserSearch.xml.backup
    C:\Documents and Settings\Home\Application Data\Starware347\Configurator\Configurator.xml
    C:\Documents and Settings\Home\Application Data\Starware347\Configurator\Configurator.xml.backup
    C:\Documents and Settings\Home\Application Data\Starware347\EntertainmentMarketingSP\EntertainmentMarketingSPOptions.xml
    C:\Documents and Settings\Home\Application Data\Starware347\EntertainmentMarketingSP\EntertainmentMarketingSPOptions.xml.backup
    C:\Documents and Settings\Home\Application Data\Starware347\EntertainmentMarketingSP\images\active\EntertainmentMarketingSP0.bmp
    C:\Documents and Settings\Home\Application Data\Starware347\ErrorSearch\ErrorSearchOptions.xml
    C:\Documents and Settings\Home\Application Data\Starware347\ErrorSearch\ErrorSearchOptions.xml.backup
    C:\Documents and Settings\Home\Application Data\Starware347\Games\GamesOptions.xml
    C:\Documents and Settings\Home\Application Data\Starware347\Games\GamesOptions.xml.backup
    C:\Documents and Settings\Home\Application Data\Starware347\Games\images\active\Games0.bmp
    C:\Documents and Settings\Home\Application Data\Starware347\JokeSearch\JokeSearchOptions.xml
    C:\Documents and Settings\Home\Application Data\Starware347\JokeSearch\JokeSearchOptions.xml.backup
    C:\Documents and Settings\Home\Application Data\Starware347\Layouts\ToolbarLayout.xml
    C:\Documents and Settings\Home\Application Data\Starware347\Layouts\ToolbarLayout.xml.backup
    C:\Documents and Settings\Home\Application Data\Starware347\Manager\ManagerOptions.xml
    C:\Documents and Settings\Home\Application Data\Starware347\Manager\ManagerOptions.xml.backup
    C:\Documents and Settings\Home\Application Data\Starware347\Movies\images\active\Movies0.bmp
    C:\Documents and Settings\Home\Application Data\Starware347\Movies\MoviesOptions.xml
    C:\Documents and Settings\Home\Application Data\Starware347\Movies\MoviesOptions.xml.backup
    C:\Documents and Settings\Home\Application Data\Starware347\Pranks\PranksOptions.xml
    C:\Documents and Settings\Home\Application Data\Starware347\Pranks\PranksOptions.xml.backup
    C:\Documents and Settings\Home\Application Data\Starware347\RelatedSearch\RelatedSearchOptions.xml
    C:\Documents and Settings\Home\Application Data\Starware347\RelatedSearch\RelatedSearchOptions.xml.backup
    C:\Documents and Settings\Home\Application Data\Starware347\ScreensaversMarketingSitePager\images\active\ScreensaversMarketingSitePager0.bmp
    C:\Documents and Settings\Home\Application Data\Starware347\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml
    C:\Documents and Settings\Home\Application Data\Starware347\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup
    C:\Documents and Settings\Home\Application Data\Starware347\Toolbar\TBProductsOptions.xml
    C:\Documents and Settings\Home\Application Data\Starware347\Toolbar\TBProductsOptions.xml.backup
    C:\Documents and Settings\Home\Application Data\Starware347\ToolbarLogo\ToolbarLogoOptions.xml
    C:\Documents and Settings\Home\Application Data\Starware347\ToolbarLogo\ToolbarLogoOptions.xml.backup
    C:\Documents and Settings\Home\Application Data\Starware347\ToolbarSearch\ToolbarSearchOptions.xml
    C:\Documents and Settings\Home\Application Data\Starware347\ToolbarSearch\ToolbarSearchOptions.xml.backup
    C:\Documents and Settings\Home\Application Data\Starware347\TravelSearch\TravelSearchOptions.xml
    C:\Documents and Settings\Home\Application Data\Starware347\TravelSearch\TravelSearchOptions.xml.backup
    C:\Documents and Settings\Home\err.log
    C:\Documents and Settings\Home\load.exe
    C:\Documents and Settings\Home\My Documents\CROSOF~1
    C:\Documents and Settings\Home\My Documents\SKS~1
    C:\Documents and Settings\Home\My Documents\SKS~1\d?xplore.exe
    C:\Documents and Settings\Home\Start Menu\Programs\Internet Speed Monitor
    C:\Documents and Settings\Home\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
    C:\Documents and Settings\Home\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
    C:\Documents and Settings\Home\Start Menu\Programs\Outerinfo
    C:\Documents and Settings\Home\Start Menu\Programs\Outerinfo\Terms.lnk
    C:\Documents and Settings\Home\Start Menu\Programs\Outerinfo\Uninstall.lnk
    C:\Documents and Settings\LocalService\Application Data\NetMon
    C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
    C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
    C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
    C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
    C:\Program Files\FunWebProducts
    C:\Program Files\FunWebProducts\ScreenSaver\Images\00B04379.urr
    C:\Program Files\FunWebProducts\ScreenSaver\Images\00BBEB7B.urr
    C:\Program Files\FunWebProducts\ScreenSaver\Images\011DF199.urr
    C:\Program Files\FunWebProducts\ScreenSaver\Images\05742796.urr
    C:\Program Files\FunWebProducts\Shared\Cache\AvatarSmallBtn-new.html
    C:\Program Files\FunWebProducts\Shared\Cache\AvatarSmallBtn.html
    C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
    C:\Program Files\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html
    C:\Program Files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn-new.html
    C:\Program Files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
    C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn-new.html
    C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
    C:\Program Files\internet explorer\msimg32.dll

  8. #23
    Joined
    Oct 2003
    Location
    Dallas, TX
    Posts
    390

    Re: Virus infection: My IP address is in the black hole range

    C:\Program Files\MyWebSearch
    C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
    C:\Program Files\MyWebSearch\bar\2.bin\F3BKGERR.JPG
    C:\Program Files\MyWebSearch\bar\2.bin\F3BROVLY.DLL
    C:\Program Files\MyWebSearch\bar\2.bin\F3CJPEG.DLL
    C:\Program Files\MyWebSearch\bar\2.bin\F3DTACTL.DLL
    C:\Program Files\MyWebSearch\bar\2.bin\F3HISTSW.DLL
    C:\Program Files\MyWebSearch\bar\2.bin\F3HTMLMU.DLL
    C:\Program Files\MyWebSearch\bar\2.bin\F3HTTPCT.DLL
    C:\Program Files\MyWebSearch\bar\2.bin\F3IMSTUB.DLL
    C:\Program Files\MyWebSearch\bar\2.bin\F3POPSWT.DLL
    C:\Program Files\MyWebSearch\bar\2.bin\F3PSSAVR.SCR
    C:\Program Files\MyWebSearch\bar\2.bin\F3REPROX.DLL
    C:\Program Files\MyWebSearch\bar\2.bin\F3RESTUB.DLL
    C:\Program Files\MyWebSearch\bar\2.bin\F3SCHMON.EXE
    C:\Program Files\MyWebSearch\bar\2.bin\F3SCRCTR.DLL
    C:\Program Files\MyWebSearch\bar\2.bin\F3SHLLVW.DLL
    C:\Program Files\MyWebSearch\bar\2.bin\F3SPACER.WMV
    C:\Program Files\MyWebSearch\bar\2.bin\F3WALLPP.DAT
    C:\Program Files\MyWebSearch\bar\2.bin\F3WPHOOK.DLL
    C:\Program Files\MyWebSearch\bar\2.bin\M3FFXTBR.JAR
    C:\Program Files\MyWebSearch\bar\2.bin\M3FFXTBR.MANIFEST
    C:\Program Files\MyWebSearch\bar\2.bin\M3HTML.DLL
    C:\Program Files\MyWebSearch\bar\2.bin\M3IDLE.DLL
    C:\Program Files\MyWebSearch\bar\2.bin\M3IMPIPE.EXE
    C:\Program Files\MyWebSearch\bar\2.bin\M3MSG.DLL
    C:\Program Files\MyWebSearch\bar\2.bin\M3NTSTBR.JAR
    C:\Program Files\MyWebSearch\bar\2.bin\M3NTSTBR.MANIFEST
    C:\Program Files\MyWebSearch\bar\2.bin\M3OUTLCN.DLL
    C:\Program Files\MyWebSearch\bar\2.bin\M3PLUGIN.DLL
    C:\Program Files\MyWebSearch\bar\2.bin\M3SKIN.DLL
    C:\Program Files\MyWebSearch\bar\2.bin\M3SKPLAY.EXE
    C:\Program Files\MyWebSearch\bar\2.bin\M3SLSRCH.EXE
    C:\Program Files\MyWebSearch\bar\2.bin\M3SRCHMN.EXE
    C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
    C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
    C:\Program Files\MyWebSearch\bar\2.bin\MWSOEPLG.DLL
    C:\Program Files\MyWebSearch\bar\2.bin\MWSOESTB.DLL
    C:\Program Files\MyWebSearch\bar\2.bin\NPMYWEBS.DLL
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\avatar.htm
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\bgfadel.gif
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\bgfader.gif
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\close.gif
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\common-x.css
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\common.css
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\cornerbl.gif
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\cornerbr.gif
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\ext_def.gif
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\ext_roll.gif
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\htmlctrl.js
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\include.js
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\index.htm
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\loader.htm
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\loading.gif
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\login.htm
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\logo.gif
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\max.gif
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\max_def.gif
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\max_roll.gif
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\min.gif
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\min_def.gif
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\min_roll.gif
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\noflash.htm
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\res_def.gif
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\res_roll.gif
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\spacer.gif
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\spacer.swf
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\topgrad.gif
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\unmax.gif
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\wardrobe.htm
    C:\Program Files\MyWebSearch\bar\Avatar\COMMON\window.ico
    C:\Program Files\MyWebSearch\bar\Cache\0004E878.bin
    C:\Program Files\MyWebSearch\bar\Cache\000F3D6D
    C:\Program Files\MyWebSearch\bar\Cache\007FE5D2
    C:\Program Files\MyWebSearch\bar\Cache\00883274.bin
    C:\Program Files\MyWebSearch\bar\Cache\0088334F.bin
    C:\Program Files\MyWebSearch\bar\Cache\0088342A.bin
    C:\Program Files\MyWebSearch\bar\Cache\008834C6.bin
    C:\Program Files\MyWebSearch\bar\Cache\05708375
    C:\Program Files\MyWebSearch\bar\Cache\05708440.bin
    C:\Program Files\MyWebSearch\bar\Cache\0570876D.bin
    C:\Program Files\MyWebSearch\bar\Cache\05708C20.bin
    C:\Program Files\MyWebSearch\bar\Cache\05708E24.bin
    C:\Program Files\MyWebSearch\bar\Cache\057090C3.bin
    C:\Program Files\MyWebSearch\bar\Cache\090736C6
    C:\Program Files\MyWebSearch\bar\Cache\files.ini
    C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
    C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
    C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
    C:\Program Files\MyWebSearch\bar\History\search2
    C:\Program Files\MyWebSearch\bar\icons\CM.ICO
    C:\Program Files\MyWebSearch\bar\icons\MFC.ICO
    C:\Program Files\MyWebSearch\bar\icons\PSS.ICO
    C:\Program Files\MyWebSearch\bar\icons\SMILEY.ICO
    C:\Program Files\MyWebSearch\bar\icons\WB.ICO
    C:\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO
    C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S
    C:\Program Files\MyWebSearch\bar\Message\COMMON\ask_logo.gif
    C:\Program Files\MyWebSearch\bar\Message\COMMON\autoup.gif
    C:\Program Files\MyWebSearch\bar\Message\COMMON\autoup.htm
    C:\Program Files\MyWebSearch\bar\Message\COMMON\center.htm
    C:\Program Files\MyWebSearch\bar\Message\COMMON\index.htm
    C:\Program Files\MyWebSearch\bar\Message\COMMON\mid_dots.gif
    C:\Program Files\MyWebSearch\bar\Message\COMMON\mws_logo.gif
    C:\Program Files\MyWebSearch\bar\Message\COMMON\protect.htm
    C:\Program Files\MyWebSearch\bar\Message\COMMON\shocked.gif
    C:\Program Files\MyWebSearch\bar\Message\COMMON\stop.gif
    C:\Program Files\MyWebSearch\bar\Message\COMMON\systray.htm
    C:\Program Files\MyWebSearch\bar\Message\COMMON\systrayp.htm
    C:\Program Files\MyWebSearch\bar\Message\COMMON\tp_grad.gif
    C:\Program Files\MyWebSearch\bar\Message\COMMON\warn.gif
    C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S
    C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S
    C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S
    C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S
    C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
    C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S
    C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S
    C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S
    C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S
    C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S
    C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S
    C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
    C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
    C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
    C:\Program Files\MyWebSearch\bar\Settings\setting2.htm.bak
    C:\Program Files\MyWebSearch\bar\Settings\settings.dat
    C:\Program Files\MyWebSearch\bar\Settings\settings.dat.bak
    C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
    C:\Program Files\outerinfo
    C:\Program Files\outerinfo\FF\chrome.manifest
    C:\Program Files\outerinfo\FF\components\FF.dll
    C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
    C:\Program Files\outerinfo\FF\install.rdf
    C:\Program Files\outerinfo\OiUninstaller.exe
    C:\Program Files\outerinfo\outerinfo.ico
    C:\Program Files\outerinfo\Terms.rtf
    C:\Program Files\QdrDrive
    C:\Program Files\QdrDrive\QdrDrive8.dll
    C:\Program Files\QdrDrive\qdrloader.exe
    C:\Program Files\sstem3~1
    C:\Program Files\Starware347
    C:\Program Files\Starware347\bin\dlls\jokester.dll
    C:\Program Files\Starware347\bin\Starware347.dll
    C:\Program Files\Starware347\brand.bmp
    C:\Program Files\Starware347\icons\star_16.ico
    C:\Program Files\Starware347\Starware347Config.xml
    C:\Program Files\Starware347\Starware347Uninstall.exe
    C:\Program Files\Temporary
    C:\WINDOWS\b148.exe
    C:\WINDOWS\system32\f3PSSavr.scr
    C:\WINDOWS\system32\wcpcc32.exe
    C:\WINDOWS\system32\zzgvf.dll
    C:\WINDOWS\uninstall_nmon.vbs

    ----- BITS: Possible infected sites -----

    hxxp://80.93.48.74
    .
    ((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
    .

    2008-02-25 06:23 . 2007-01-18 06:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
    2008-02-25 05:39 . 2008-02-25 06:03 2,114 --a------ C:\WINDOWS\system32\tmp.reg
    2008-02-22 00:41 . 2008-02-22 00:41 <DIR> d-------- C:\VundoFix Backups
    2008-02-21 20:50 . 2008-02-21 20:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-02-21 20:06 . 2007-12-11 20:01 12,800 --a------ C:\Documents and Settings\Home\Application Data\ojuftqrb.exe
    2008-02-20 18:03 . 2007-12-11 20:01 12,800 --a------ C:\Documents and Settings\Home\Application Data\hbfea.exe
    2008-02-20 18:00 . 2008-02-20 18:00 <DIR> d-------- C:\Program Files\RcvSystem
    2008-02-20 17:49 . 2008-02-21 20:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-02-20 17:37 . 2007-12-11 20:01 12,800 --a------ C:\Documents and Settings\Home\Application Data\ncvbnt.exe
    2008-02-20 17:31 . 2007-12-11 20:01 12,800 --a------ C:\Documents and Settings\Home\Application Data\axuxxhl.exe
    2008-02-20 17:26 . 2007-12-11 20:01 12,800 --a------ C:\Documents and Settings\Home\Application Data\ekltcyj.exe
    2008-02-20 11:42 . 2007-12-11 20:01 12,800 --a------ C:\Documents and Settings\Home\Application Data\oiqobdui.exe
    2008-02-20 08:37 . 2007-12-11 20:01 12,800 --a------ C:\Documents and Settings\Home\Application Data\bxzgptcffajw.exe

  9. #24
    Joined
    Oct 2003
    Location
    Dallas, TX
    Posts
    390

    Re: Virus infection: My IP address is in the black hole range

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-22 02:50 --------- d-----w C:\Program Files\Lavasoft
    2008-02-21 00:14 --------- d-----w C:\Program Files\Windows Defender
    2008-02-21 00:14 --------- d-----w C:\Program Files\Prolific Publishing, Inc
    2008-02-21 00:14 --------- d-----w C:\Program Files\Photo Story 3 for Windows
    2008-02-21 00:13 --------- d-----w C:\Program Files\Google
    2008-02-21 00:13 --------- d-----w C:\Program Files\DivX
    2008-02-21 00:00 --------- d-----w C:\Program Files\Freeze.com Toolbar
    2008-02-21 00:00 --------- d-----w C:\Program Files\Common Files\uowo
    2008-02-20 14:44 0 --sha-w C:\Documents and Settings\Home\Application Data\d39f385f5928c90945b009c292fb73495707dbcc.dat
    2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2007-12-12 02:01 12,800 ----a-w C:\info.exe
    2007-12-12 02:01 12,800 ----a-w C:\Documents and Settings\Home\Application Data\wqlhi.exe
    2007-12-12 02:01 12,800 ----a-w C:\Documents and Settings\Home\Application Data\wee.exe
    2007-12-12 02:01 12,800 ----a-w C:\Documents and Settings\Home\Application Data\mgaz.exe
    2007-12-12 02:01 12,800 ----a-w C:\Documents and Settings\Home\Application Data\ffgiipnoe.exe
    2005-07-29 22:24 472 --sha-r C:\WINDOWS\SG9tZQ\m36Qtk.vbs
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-23 16:30 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LTMSG"="LTMSG.exe" [2003-07-14 09:52 40960 C:\WINDOWS\ltmsg.exe]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-03 20:10 344064]
    "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 12:47 57344 C:\WINDOWS\Alcxmntr.exe]
    "HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11 49152]
    "Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2004-02-27 09:05 135168]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 18:05 257088]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-02-10 16:27 1420560]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2006-09-12 20:32:42 217088]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]
    S3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2004-02-04 11:53]
    S3 TNET1130;802.11 WLAN;C:\WINDOWS\system32\DRIVERS\TNET1130.sys [2004-12-01 18:35]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7405217-8d5e-11dc-b29a-000ea6b695c7}]
    \Shell\AutoRun\command - K:\wd_windows_tools\setup.exe

    *Newly Created Service* - AVGARCLN
    *Newly Created Service* - AVG_ANTI-ROOTKIT
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-12-02 05:11:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-02-22 08:13:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe-Scan -ScanType config -Privileges restricted
    "2007-11-24 02:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Home.job"
    - C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
    "2007-11-01 14:00:00 C:\WINDOWS\Tasks\rpc.job"
    - C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-25 06:41:39
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-02-25 6:42:12
    ComboFix-quarantined-files.txt 2008-02-25 12:42:10

  10. #25
    Joined
    Jul 2003
    Location
    Australia
    Posts
    14,223

    Re: Virus infection: My IP address is in the black hole range

    Good work on getting ComboFix to work - I'll get started on a repair file for you. Many infected files listed.

  11. #26
    Joined
    Jul 2003
    Location
    Australia
    Posts
    14,223

    Re: Virus infection: My IP address is in the black hole range

    OK - there's a large number of infected files. You have two options. One is to back up any valuable data, scan the buggery out of that stuff with antivirus programs and hope that nothing nasty slipped through. Second is to try and remove the infected files and hope that we catch everything.

What you need to do if you want to continue trying to clean this PC is turn off System Restore until we finish cleaning. Download the attached CFScript file and unzip it, ready to put on the infected PC. Jump into Safe Mode, drag CFScript over ComboFix and let the PC run through the cleaning process. After that, reboot back into Safe Mode and run Combofix again and post the log here.

    Try and avoid allowing the PC into normal mode and I would also avoid connecting it to any network at least until we get those infected files off that PC. Ideally it wouldn't be connected to the LAN until after you check the other PCs you have too. There are several more things we have to do to clean the PC, so it's best to take it one step at a time from here on.


    A couple of important points:

    It looks like you guys may have downloaded some screensavers, maybe some small Flash games and/or some "fix-it" utilities. Flash Games (and other little downloaded EXE or CMD game files) along with screensavers are particularly high malware risk downloads. I strongly recommend avoiding them! There are also many so-called "Fix-it" utilities on the 'Net. A surprisingly large percentage of these are either useless or counter productive to improving your PC's performance. Best to be very wary of them unless they have been recommended by trusted sources and have been downloaded from trusted sources (such as the manufacturer's own sites). A classic example is RegPowerClean - known to give false positives. I haven't included it in the cleanup file but I strongly recommend that you uninstall it:
    http://securityresponse.symantec.com...552-99&tabid=2

    In addition to that, several internet browser toolbars were detected. In my personal opinion, these attract malicious software attacks and I'd even go so far as to say they can be synonymous with malicious software.
    Last edited by Mjölnir; 02-25-2008 at 11:57 AM.
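    What a CFScript for this step looks like, as an added illustration and not the file attached to the post above: ComboFix reads a plain-text file with File::, Folder:: and Registry:: headings, and the Registry:: section takes .reg-file syntax, so a [-HKEY...] line deletes that key. The entries below are taken from the Files Created and Find3M sections of the log posted in #24 plus the MountPoints2 entry that #29 asks about; which of them the helper's real scripts contained is not stated anywhere on the page, and the KillAll:: line (stop running processes before deleting) is standard ComboFix script syntax that the post does not mention.

```text
KillAll::

File::
C:\info.exe
C:\Documents and Settings\Home\Application Data\ojuftqrb.exe
C:\Documents and Settings\Home\Application Data\hbfea.exe
C:\Documents and Settings\Home\Application Data\ncvbnt.exe
C:\Documents and Settings\Home\Application Data\axuxxhl.exe
C:\Documents and Settings\Home\Application Data\ekltcyj.exe
C:\Documents and Settings\Home\Application Data\oiqobdui.exe
C:\Documents and Settings\Home\Application Data\bxzgptcffajw.exe
C:\Documents and Settings\Home\Application Data\wqlhi.exe
C:\Documents and Settings\Home\Application Data\wee.exe
C:\Documents and Settings\Home\Application Data\mgaz.exe
C:\Documents and Settings\Home\Application Data\ffgiipnoe.exe
C:\Documents and Settings\Home\Application Data\d39f385f5928c90945b009c292fb73495707dbcc.dat
C:\WINDOWS\SG9tZQ\m36Qtk.vbs

Folder::
C:\Program Files\RcvSystem
C:\Program Files\Common Files\uowo
C:\Program Files\Freeze.com Toolbar
C:\WINDOWS\SG9tZQ

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7405217-8d5e-11dc-b29a-000ea6b695c7}]
```

    Save it as CFScript.txt beside ComboFix.exe and drag it onto ComboFix.exe from Safe Mode as #26 describes; anything ComboFix removes is moved to quarantine rather than wiped, and the ComboFix-quarantined-files.txt listing named at the end of each log records what went there. The same-size executables with random names in Application Data are the ones worth checking have actually gone from the next log, since a dropper that is still running will write them back.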

  12. #27
    Joined
    Oct 2003
    Location
    Dallas, TX
    Posts
    390

    Re: Virus infection: My IP address is in the black hole range

    Quote Originally Posted by Mjölnir View Post
    It looks like you guys may have downloaded some screensavers, maybe some small Flash games and/or some "fix-it" utilities. Flash Games (and other little downloaded EXE or CMD game files) along with screensavers are particularly high malware risk downloads. I strongly recommend avoiding them! There are also many so called "Fix-it" utilities on the 'Net. A surprisingly large percentage of these are either useless or counter productive to improving your PC's performance. Best to be very wary of them unless they have been recommended by trusted sources and have been downloaded from trusted sources (such as the manufacturer's own sites). A classic example is RegPowerClean - known to give false positives.
    This is the kind of thing I tell people all the time. I really want to teach a class in the 'private sector' if you know what I mean. ;-)

    Thanks a million; I'll get right on this. First I have to go do some low-brow volunteer work for a hot chick. (brake light bulb)

  13. #28
    Joined
    Oct 2003
    Location
    Dallas, TX
    Posts
    390

    Re: Virus infection: My IP address is in the black hole range

    OK I deleted the Winferno folder (after running this scan below) from the program files folder. I haven't touched the registry.

    ComboFix 08-02-25.3 - Home 2008-02-25 13:36:45.3 - NTFSx86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.380 [GMT -6:00]
    Running from: K:\VIRUS TOOLS\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
    .

    2008-02-25 06:23 . 2007-01-18 06:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
    2008-02-22 00:41 . 2008-02-22 00:41 <DIR> d-------- C:\VundoFix Backups
    2008-02-21 20:50 . 2008-02-21 20:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-02-20 17:49 . 2008-02-21 20:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-22 02:50 --------- d-----w C:\Program Files\Lavasoft
    2008-02-21 00:14 --------- d-----w C:\Program Files\Windows Defender
    2008-02-21 00:14 --------- d-----w C:\Program Files\Photo Story 3 for Windows
    2008-02-21 00:13 --------- d-----w C:\Program Files\Google
    2008-02-21 00:13 --------- d-----w C:\Program Files\DivX
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LTMSG"="LTMSG.exe" [2003-07-14 09:52 40960 C:\WINDOWS\ltmsg.exe]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-03 20:10 344064]
    "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 12:47 57344 C:\WINDOWS\Alcxmntr.exe]
    "HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11 49152]
    "Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2004-02-27 09:05 135168]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 18:05 257088]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-02-10 16:27 1420560]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2006-09-12 20:32:42 217088]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    S2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]
    S3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2004-02-04 11:53]
    S3 TNET1130;802.11 WLAN;C:\WINDOWS\system32\DRIVERS\TNET1130.sys [2004-12-01 18:35]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7405217-8d5e-11dc-b29a-000ea6b695c7}]
    \Shell\AutoRun\command - K:\wd_windows_tools\setup.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-12-02 05:11:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-02-22 08:13:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe-Scan -ScanType config -Privileges restricted
    "2007-11-24 02:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Home.job"
    - C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
    "2007-11-01 14:00:00 C:\WINDOWS\Tasks\rpc.job"
    - C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-25 13:38:25
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-02-25 13:39:00
    ComboFix-quarantined-files.txt 2008-02-25 19:38:58
    ComboFix2.txt 2008-02-25 19:34:03
    ComboFix3.txt 2008-02-25 12:42:12
    Last edited by nickdank; 02-25-2008 at 03:52 PM.

  14. #29
    Joined
    Jul 2003
    Location
    Australia
    Posts
    14,223

    Re: Virus infection: My IP address is in the black hole range

    Excellent. That looks like it cleaned off everything it was asked to do. Do you know what this file is and did you create that folder:

    K:\wd_windows_tools\setup.exe

    If not, run the attached CFScript and then delete the K:\wd_windows_tools\ folder.

    After you've done that, restart the PC in Safe Mode and scan with each of these (make sure they're updated first):
    • AVG Anti-Rootkit (let us know if this finds anything)
    • AVG Anti-Virus
    • AVG Anti-Spyware (restart after cleaning)
    • Another AV program (Avira seems to be quite effective over there)
    • SuperAntispyware
    • Ad-Aware (run in each individual user profile and restart after cleaning)
    • Spybot (run in each individual user profile and restart after cleaning)
    • Spyware Blaster
    • Kaspersky Online Scanner (requires internet connection)
    • Trend Micro Housecall (requires internet connection)
    Good luck with the PC and the hot chick

  15. #30
    Joined
    Oct 2003
    Location
    Dallas, TX
    Posts
    390

    Re: Virus infection: My IP address is in the black hole range

    I don't see a wd_windows_tools folder in my K: drive, and I have the option to show hidden files and folders turned on. Sounds bad, eh? How can I delete it if I don't see it? I guess that's what combofix is for.
    Oh and for Sick Willie, I didn't get to have sex with the hot chick today, so that sucks. I'd have rather been alone, too, but you gotta work for these things sometimes.
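    An added example (mine, not anything from this thread or from ComboFix) of the triage a responder does on a log like the one in #24, run over a constructed sample made of lines copied from that log. It groups binaries that share a size and last-write time under different names, which is how the 12,800-byte files in Application Data stand out as one dropper payload written over and over, and it pulls out the EnableFirewall value and any MountPoints2 AutoRun command. That last one answers the K:\wd_windows_tools\setup.exe question in #29 and #30 from the log itself: MountPoints2 is a per-volume cache that Explorer keeps for a drive that once carried an autorun.inf, keyed by the volume's GUID, so the entry outlives the folder on the drive and the drive need not be plugged in for the key to exist. The assumption that Find3M timestamps are UTC while Files Created ones are local (the log header's [GMT -6:00] accounts for the six-hour gap between the two sections on this page) is labelled in the code.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: lines copied from the ComboFix log posted in this thread,
# cut down to the entries the checks below need (not a live capture).
SAMPLE_LOG = r"""
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.380 [GMT -6:00]
((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
2008-02-25 06:23 . 2007-01-18 06:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-02-22 00:41 . 2008-02-22 00:41 <DIR> d-------- C:\VundoFix Backups
2008-02-21 20:06 . 2007-12-11 20:01 12,800 --a------ C:\Documents and Settings\Home\Application Data\ojuftqrb.exe
2008-02-20 18:03 . 2007-12-11 20:01 12,800 --a------ C:\Documents and Settings\Home\Application Data\hbfea.exe
2008-02-20 17:37 . 2007-12-11 20:01 12,800 --a------ C:\Documents and Settings\Home\Application Data\ncvbnt.exe
2008-02-20 08:37 . 2007-12-11 20:01 12,800 --a------ C:\Documents and Settings\Home\Application Data\bxzgptcffajw.exe
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2008-02-22 02:50 --------- d-----w C:\Program Files\Lavasoft
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-12 02:01 12,800 ----a-w C:\info.exe
2007-12-12 02:01 12,800 ----a-w C:\Documents and Settings\Home\Application Data\wqlhi.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7405217-8d5e-11dc-b29a-000ea6b695c7}]
\Shell\AutoRun\command - K:\wd_windows_tools\setup.exe
"""

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d"
# Files Created: <created> . <last write> <size|DIR> <attrs> <path>
CREATED = re.compile(r"^(" + TS + r") \. (" + TS + r")\s+(<DIR>|[\d,]+)\s+\S+\s+(.+?)\s*$")
# Find3M: <last write> <size|dashes> <attrs> <path>
FIND3M = re.compile(r"^(" + TS + r")\s+(-+|[\d,]+)\s+\S+\s+(.+?)\s*$")
GMT = re.compile(r"\[GMT ([+-])(\d+):(\d\d)\]")
FIREWALL = re.compile(r'^"EnableFirewall"=\s*(\d+)')
MOUNTPOINT = re.compile(r"mountpoints2\\(\{[0-9a-f-]+\})\]$", re.IGNORECASE)
AUTORUN = re.compile(r"^\\Shell\\AutoRun\\command - (.+?)\s*$")
BINARY = (".exe", ".dll", ".scr", ".sys", ".vbs")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def _size(s):
    return None if s.startswith(("<", "-")) else int(s.replace(",", ""))


def parse_log(text):
    """Pull the triage-relevant facts out of a ComboFix log.

    Returns {"files": [(last_write_local, size, path)], "firewall": bool|None,
             "autorun": [(volume_guid, command)]}.
    Assumption: Find3M stamps are UTC and Files Created stamps are local, so the
    header's GMT offset is added to Find3M entries to put both on one clock.
    """
    out = {"files": [], "firewall": None, "autorun": []}
    offset, section, guid = timedelta(0), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := GMT.search(line):
            sign = -1 if m.group(1) == "-" else 1
            offset = sign * timedelta(hours=int(m.group(2)), minutes=int(m.group(3)))
        elif "Files Created" in line:
            section = "created"
        elif "Find3M Report" in line:
            section = "find3m"
        elif "Reg Loading Points" in line:
            section = "reg"
        elif section == "created" and (m := CREATED.match(line)):
            out["files"].append((_ts(m.group(2)), _size(m.group(3)), m.group(4)))
        elif section == "find3m" and (m := FIND3M.match(line)):
            out["files"].append((_ts(m.group(1)) + offset, _size(m.group(2)), m.group(3)))
        elif section == "reg":
            if m := MOUNTPOINT.search(line):
                guid = m.group(1)          # inside a MountPoints2\{GUID} key
            elif line.startswith("["):
                guid = None                # any other key ends the GUID scope
            elif m := FIREWALL.match(line):
                out["firewall"] = m.group(1) != "0"
            elif guid and (m := AUTORUN.match(line)):
                out["autorun"].append((guid, m.group(1)))
    return out


def dropper_families(files, min_members=3):
    """Group binaries sharing size and last-write time but carrying different names.

    A dropper that writes one payload under random names leaves exactly this
    pattern; random names alone are not enough, the shared size and stamp are.
    """
    groups = defaultdict(set)
    for when, size, path in files:
        if size is not None and path.lower().endswith(BINARY):
            groups[(size, when)].add(path.rsplit("\\", 1)[-1])
    return [(size, when.strftime("%Y-%m-%d %H:%M"), sorted(names))
            for (size, when), names in groups.items() if len(names) >= min_members]


def triage(text):
    """One-call summary: dropper families, Windows Firewall state, cached AutoRun commands."""
    parsed = parse_log(text)
    return {"families": dropper_families(parsed["files"]),
            "firewall_enabled": parsed["firewall"],
            "autorun": parsed["autorun"]}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    On the sample this reports one family of six 12,800-byte files stamped 2007-12-11 20:01 (four from Files Created, two from Find3M once the offset is applied), firewall_enabled False, and the single cached AutoRun command for volume {d7405217-8d5e-11dc-b29a-000ea6b695c7}. EnableFirewall here is the Windows Firewall's own switch; a third-party firewall such as the ZoneAlarm mentioned earlier in this thread normally turns it off when installed, so a 0 is only a finding when no other firewall is present. The AutoRun entry is worth removing regardless of whether the folder still exists, because Explorer will run that command the next time a volume with that GUID is plugged in.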
