Fake Antivirus

prasad1390 asked:
How to prevent or uninstall Fake antivirus software (e.g. Bestseller Antivirus)?
IndiGenus:

To prevent it: don't fall for the pop-ups, don't download shareware, and keep good, up-to-date security programs running.

To remove it, you can first try Add or Remove Programs, but that usually doesn't work. And you probably have a Smitfraud infection.

It would help if we could see what was going on with your computer. I suggest that you download, run, and upload a HijackThis log from the link below.

http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php

Please upload the log at EE-Stuff.com:
Use the link below and log in using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on the "Expert Area" tab.
Type or paste the link to your question.
"Browse" your PC to the location of your HijackThis log and click "Upload".
Copy the resulting "URL" and post it back here.

I should point out: where I said "shareware" I meant using P2P or torrents to download illegally, not normal "shareware". Sorry.
rpggamergirl:
If the fake antivirus software (e.g. Bestseller Antivirus) is already installed and you can't uninstall it using Add/Remove Programs,
run ComboFix and upload the log or attach the log as a Code Snippet.

Download ComboFix to your Desktop, from either of these locations:
http://www.forospyware.com/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click "combofix.exe" and follow the prompts.
When finished, it will produce a log for you.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

ComboFix will terminate your connection while scanning and will resume the connection when it's done.
If you have issues connecting to your network or the internet after running ComboFix, you can either simply reboot or do the following:
* Go to Control Panel > Network Connections.
* Right-click on your network icon and select "Repair".
Alternatively, if the Network icon appears in the notification area in the lower right corner of the desktop, right-click it, and then click Repair from the shortcut menu.

prasad1390 (asker):

Thanks for the quick response, guys.

I was able to remove the Bestseller Antivirus software using ADware & Search & Destroy; unfortunately, I am getting an explorer.exe error and am not able to boot into Safe Mode either. No internet connection; almost everything is blocked for me.

I ran the HijackThis test and attached the same.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10, on 2007-12-13
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\xampp\filezillaftp\filezillaserver.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe
D:\HiJackThis.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\ComboFix\nircmd.cfexe
C:\WINDOWS\system32\findstr.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196712218046
O17 - HKLM\System\CCS\Services\Tcpip\..\{31FDEC4C-42CC-4AC9-827B-41E5C6D47AB4}: NameServer = 203.123.176.65,203.123.128.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{31FDEC4C-42CC-4AC9-827B-41E5C6D47AB4}: NameServer = 203.123.176.65,203.123.128.70
O17 - HKLM\System\CS2\Services\Tcpip\..\{31FDEC4C-42CC-4AC9-827B-41E5C6D47AB4}: NameServer = 203.123.176.65,203.123.128.70
O17 - HKLM\System\CS3\Services\Tcpip\..\{31FDEC4C-42CC-4AC9-827B-41E5C6D47AB4}: NameServer = 203.123.176.65,203.123.128.70
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: E404Helper - {fce6faec-029d-4027-9d1d-d72213a13251} - e404d.dll (file missing)
O22 - SharedTaskScheduler: edgers - {d66c22b6-2217-4d1a-9a90-1a54de1fc706} - C:\WINDOWS\system32\zcwlnic.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TechExcel HelpDesk Application Server (TxHdAppServ) - Unknown owner - C:\Program Files\TechExcel\HelpDesk\HDAppServer\TxHDAppSrv.exe (file missing)
 
--
End of file - 6220 bytes


Hello rpggamergirl,

Please find the ComboFix log:
ComboFix 07-12-12.3 - Administrator 2007-12-13 11:08:48.1 - NTFSx86
Microsoft(R) Windows(R) Server 2003, Standard Edition  5.2.3790.1.1252.1.1033.18.172 [GMT 5.5:30]
Running from: D:\ComboFix.exe
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\VR7UVHD3\www.broadcaster.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\VR7UVHD3\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\VR7UVHD3\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\system32\Cache
 
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
 
.
-------\LEGACY_NPF
 
 
(((((((((((((((((((((((((   Files Created from 2007-11-13 to 2007-12-13  )))))))))))))))))))))))))))))))
.
 
2007-12-12 01:11 . 2007-12-12 01:12	<DIR>	d--------	C:\PMAIL
2007-12-12 00:53 . 2007-12-12 00:53	<DIR>	d--------	C:\Documents and Settings\Prem Subramani\Application Data\Thunderbird
2007-12-12 00:52 . 2007-12-12 01:00	<DIR>	d--------	C:\Program Files\Mozilla Thunderbird
2007-12-10 17:38 . 2007-12-10 17:38	<DIR>	d--------	C:\WINDOWS\system32\Dell
2007-12-10 17:38 . 2007-12-10 17:38	<DIR>	d--------	C:\Program Files\Dell
2007-12-10 17:27 . 2007-12-10 17:27	<DIR>	d--h-----	C:\WINDOWS\system32\GroupPolicy
2007-12-05 22:18 . 2007-12-06 12:11	<DIR>	d--------	C:\Program Files\Trojan Remover
2007-12-05 22:12 . 2007-12-05 22:12	<DIR>	d--------	C:\Program Files\Webroot
2007-12-05 22:10 . 2007-12-05 22:10	<DIR>	d--------	C:\WINDOWS\Internet Logs
2007-12-04 16:39 . 2007-12-04 16:40	<DIR>	d--------	C:\IOData
2007-12-04 14:28 . 2007-12-05 19:56	<DIR>	d--------	C:\WINDOWS\SxsCaPendDel
2007-12-04 13:38 . 2007-12-04 13:38	194	--a------	C:\WINDOWS\wininit.ini
2007-12-04 12:09 . 2007-12-04 14:20	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-04 02:49 . 2007-12-04 02:49	<DIR>	d--------	C:\WUTemp
2007-12-04 01:36 . 2007-07-30 19:18	34,136	--a------	C:\WINDOWS\system32\wucltui.dll.mui
2007-12-04 01:36 . 2007-07-30 19:19	25,944	--a------	C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-12-04 01:36 . 2007-07-30 19:19	25,944	--a------	C:\WINDOWS\system32\wuapi.dll.mui
2007-12-04 01:36 . 2007-07-30 19:18	20,312	--a------	C:\WINDOWS\system32\wuaueng.dll.mui
2007-12-03 14:13 . 2007-12-03 14:16	<DIR>	d--------	C:\Program Files\VirusProtect 3.8
2007-12-03 14:11 . 2007-12-03 14:11	51,712	--a------	C:\WINDOWS\system32\e404d.dll
2007-12-03 11:36 . 2007-12-03 11:50	<DIR>	d--------	C:\Documents and Settings\navy\Application Data\U3
2007-12-03 11:36 . 2007-12-03 11:36	<DIR>	d--------	C:\Documents and Settings\navy\Application Data\DivX
2007-12-03 09:36 . 2007-12-03 09:36	<DIR>	d--------	C:\My Music
2007-12-02 22:37 . 2005-03-24 18:06	449,536	--a--c---	C:\WINDOWS\system32\dllcache\licdll.dll
2007-11-30 23:10 . 2007-12-04 14:28	<DIR>	d--------	C:\Program Files\Citrix
2007-11-29 09:43 . 2007-11-29 09:43	<DIR>	d--------	C:\Documents and Settings\navy\Application Data\FlashGet
2007-11-22 20:27 . 2007-12-04 14:30	<DIR>	d--------	C:\WINDOWS\iSCSI
2007-11-22 13:57 . 2005-05-02 21:21	2,890,240	--a------	C:\WINDOWS\system32\msi.dll
2007-11-22 13:57 . 2005-05-02 21:21	2,890,240	--a--c---	C:\WINDOWS\system32\dllcache\msi.dll
2007-11-22 02:29 . 2007-12-04 14:27	<DIR>	d--------	C:\Program Files\EasyJob Resume Builder
2007-11-21 17:47 . 2007-12-11 11:18	<DIR>	d--------	C:\Program Files\SYW95A-V3
2007-11-21 17:47 . 2007-11-21 17:47	<DIR>	d--------	C:\Program Files\Seagate Software
2007-11-21 17:47 . 2007-11-21 17:47	<DIR>	d--------	C:\Program Files\MapInfo MapX
2007-11-21 15:56 . 2003-07-16 14:27	43,264	---------	C:\WINDOWS\system32\drivers\ser2pl.sys
2007-11-21 15:56 . 2007-11-21 15:56	22,016	--a------	C:\WINDOWS\system32\drivers\Rockey4.sys
2007-11-21 15:56 . 2007-11-21 15:56	12,928	--a------	C:\WINDOWS\system32\drivers\Rockey4USB.sys
2007-11-21 15:56 . 2007-11-21 15:56	4,096	--a------	C:\WINDOWS\system32\Ry4CoInst.dll
2007-11-21 02:53 . 2007-11-21 02:55	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Metacafe
2007-11-16 20:40 . 2007-11-16 20:40	<DIR>	d--------	C:\Program Files\Bandwidth Controller Enterprise Server
2007-11-16 20:40 . 2007-11-16 20:40	<DIR>	d--------	C:\Program Files\Bandwidth Controller Enterprise Client
2007-11-16 20:24 . 2007-11-16 20:43	<DIR>	d--------	C:\Program Files\Bandwidth Controller Standard Server
2007-11-16 20:24 . 2007-11-16 20:24	216,064	--a------	C:\WINDOWS\system32\drivers\bcim.sys
2007-11-16 20:16 . 2007-11-16 20:16	<DIR>	d--------	C:\Program Files\Microsoft IEAK 7
2007-11-16 19:16 . 2007-11-21 17:50	<DIR>	d--------	C:\Program Files\Microsoft Silverlight
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-13 05:53	---------	d-----w	C:\Program Files\Symantec AntiVirus
2007-12-06 06:46	---------	d-----w	C:\Program Files\NCH Swift Sound
2007-12-06 06:46	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\NCH Swift Sound
2007-12-06 06:39	---------	d-----w	C:\Program Files\DameWare Development
2007-12-06 02:58	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Thinstall
2007-12-05 16:56	---------	d-----w	C:\Program Files\TortoiseCVS
2007-12-05 16:54	---------	d-----w	C:\Program Files\SecureFX
2007-12-05 16:53	---------	d-----w	C:\Program Files\Common Files\Real
2007-12-04 08:58	---------	d-----w	C:\Program Files\Common Files\Quest Shared
2007-12-04 08:56	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-12-03 08:46	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-30 21:07	---------	d-----w	C:\Program Files\FlashGet
2007-11-26 02:32	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\DameWare Development
2007-11-19 03:59	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-11 13:34	---------	d-----w	C:\Documents and Settings\Prem Subramani\Application Data\PC Suite
2007-11-11 01:52	---------	d-----w	C:\Documents and Settings\All Users\Application Data\PC Suite
2007-11-11 01:52	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\PC Suite
2007-11-11 01:52	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Nokia
2007-11-11 01:50	---------	d-----w	C:\Program Files\DIFX
2007-11-11 01:46	---------	d-----w	C:\Program Files\Illustrate
2007-11-09 01:15	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Skype
2007-11-08 09:35	---------	d-----w	C:\Program Files\MSECache
2007-11-02 04:52	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\DWMRCMSI
2007-11-02 04:35	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2007-11-02 04:34	---------	d-----w	C:\Program Files\Symantec
2007-10-30 23:54	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Installations
2007-10-29 17:52	---------	d-----w	C:\Program Files\Common Files\Ahead
2007-10-29 17:50	---------	d-----w	C:\Program Files\IPCheck Server Monitor 5
2007-10-29 17:49	---------	d-----w	C:\Program Files\Ping Plotter
2007-10-29 17:45	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Innovative Solutions
2007-10-29 17:44	---------	d-----w	C:\Program Files\Innovative Solutions
2007-10-27 12:01	---------	d-----w	C:\Documents and Settings\Prem Subramani\Application Data\AdobeUM
2007-10-26 07:52	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Colasoft Packet Builder
2007-10-26 05:03	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Wireshark
2007-10-26 03:55	---------	d-----w	C:\Program Files\Look@LAN
2007-10-25 16:16	720,896	----a-w	C:\WINDOWS\iun6002.exe
2007-10-25 16:09	73,216	----a-w	C:\WINDOWS\ST6UNST.EXE
2007-10-25 16:09	249,856	------w	C:\WINDOWS\Setup1.exe
2007-10-25 06:50	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Talkback
2007-10-25 06:47	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Thunderbird
2007-10-21 10:24	---------	d-----w	C:\Documents and Settings\Prem Subramani\Application Data\Media Player Classic
2007-10-20 12:39	---------	d-----w	C:\Documents and Settings\Prem Subramani\Application Data\DivX
2007-10-18 06:34	---------	d-----w	C:\Program Files\Common Files\L&H
2007-10-18 06:33	---------	d-----w	C:\Program Files\Microsoft ActiveSync
2007-10-18 06:32	---------	d-----w	C:\Program Files\Microsoft Works
2007-10-17 15:33	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Software
2007-10-17 15:32	---------	d-----w	C:\Program Files\Quest Software
2007-10-17 14:27	---------	d-----w	C:\Program Files\Microsoft SQL Server
2007-10-17 14:27	---------	d-----w	C:\Program Files\Microsoft Analysis Services
2007-10-16 11:02	---------	d-----w	C:\Program Files\Tools4ever
2007-10-16 10:05	---------	d-----w	C:\Program Files\GFI
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2005-03-24 17:58]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2003-03-25 17:30]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"= 1 (0x1)
 
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{d66c22b6-2217-4d1a-9a90-1a54de1fc706}"= C:\WINDOWS\system32\zcwlnic.dll [2007-12-02 22:37 12800]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"E404Helper"= {fce6faec-029d-4027-9d1d-d72213a13251} - e404d.dll [ ]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wd.sys]
@="Driver"
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^TLISOFTWARE - PowerTerm WebConnect Application Zone by Ericom.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\TLISOFTWARE - PowerTerm WebConnect Application Zone by Ericom.lnk
backup=C:\WINDOWS\pss\TLISOFTWARE - PowerTerm WebConnect Application Zone by Ericom.lnkStartup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^WordWeb.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\WordWeb.lnk
backup=C:\WINDOWS\pss\WordWeb.lnkStartup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Univault Access Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Univault Access Manager.lnk
backup=C:\WINDOWS\pss\Univault Access Manager.lnkCommon Startup
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2006-07-19 19:26	52896	--a------	C:\Program Files\Common Files\Symantec Shared\ccApp.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2005-03-24 17:58	15360	--a------	C:\WINDOWS\system32\ctfmon.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eyeBeam SIP Client]
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
			C:\Program Files\Google\Google Talk\googletalk.exe /autostart
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\idefisk.exe]
2006-06-06 14:56	2343936	--a------	C:\Documents and Settings\Administrator\Desktop\idefisk137\idefisk.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JustVoip]
			C:\Program Files\JustVoip.com\JustVoip\JustVoip.exe -nosplash -minimized
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Internet Explorer]
			C:\WINDOWS\system32\iexplore.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
			C:\Program Files\MSN Messenger\msnmsgr.exe /background
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
			C:\WINDOWS\system32\NeroCheck.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OLPSYNCH]
2007-07-13 13:30	42288	--a------	C:\Program Files\Offline Course Player\OlpSynch.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
			C:\Program Files\QuickTime\qttask.exe -atboottime
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
			C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-04-01 10:52	1368064	--a------	C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2004-06-03 22:05	32881	--a------	C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
			C:\Program Files\Trojan Remover\Trjscan.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
			C:\WINDOWS\system32\dumprep 0 -u
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2006-09-27 20:33	125168	--a------	C:\PROGRA~1\SYMANT~1\VPTray.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
			VTTimer.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
			VTtrayp.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
			C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zoiper.exe]
2007-07-19 18:13	4264522	--a------	C:\Program Files\Attractel\Zoiper\Zoiper.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=3 (0x3)
"HDDocServ"=2 (0x2)
"FirebirdServerDefaultInstance"=3 (0x3)
"FileZilla Server"=2 (0x2)
"Apache2.2"=2 (0x2)
 
R0 crcdisk;CRC Disk Filter Driver;C:\WINDOWS\system32\DRIVERS\crcdisk.sys
R0 DfsDriver;DfsDriver;C:\WINDOWS\system32\drivers\Dfs.sys
R1 ISODrive;ISO DVD/CD-ROM Device Driver;\??\C:\Program Files\UltraISO\drivers\ISODrive.sys
R2 AeLookupSvc;Application Experience Lookup Service;C:\WINDOWS\system32\svchost.exe -k netsvcs
R3 ROCKEYNT;Feitian ROCKEY4 Device Service;C:\WINDOWS\system32\DRIVERS\Rockey4.sys
R3 WLBS;Network Load Balancing;C:\WINDOWS\system32\DRIVERS\wlbs.sys
S2 TxHdAppServ;TechExcel HelpDesk Application Server;C:\Program Files\TechExcel\HelpDesk\HDAppServer\TxHDAppSrv.exe
S3 CSTDIDRV;CSTDIDRV;C:\WINDOWS\system32\Drivers\CSTDI50.sys
S3 Dfs;Distributed File System;C:\WINDOWS\system32\Dfssvc.exe
S3 iScsiPrt;iScsiPort Driver;C:\WINDOWS\system32\DRIVERS\msiscsi.sys
S3 NtFrs;File Replication;C:\WINDOWS\system32\ntfrs.exe
S3 RSoPProv;Resultant Set of Policy Provider;C:\WINDOWS\system32\RSoPProv.exe
S3 sacsvr;Special Administration Console Helper;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 vga;vga;C:\WINDOWS\system32\DRIVERS\vgapnp.sys
S3 WinHttpAutoProxySvc;WinHTTP Web Proxy Auto-Discovery Service;C:\WINDOWS\system32\svchost.exe -k LocalService
S4 Apache2.2;Apache2.2;"C:\xampp\apache\bin\apache.exe" -k runservice
S4 ClusDisk;Cluster Disk Driver;C:\WINDOWS\system32\DRIVERS\ClusDisk.sys
S4 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;C:\Program Files\IPCheck Server Monitor 5\Firebird\bin\fbserver.exe -s
S4 HDDocServ;TechExcel HelpDesk Document Server;C:\Program Files\TechExcel\HelpDesk\HDDocServer\HDDocServer.exe
S4 IsmServ;Intersite Messaging;C:\WINDOWS\System32\ismserv.exe
S4 kdc;Kerberos Key Distribution Center;C:\WINDOWS\System32\lsass.exe
S4 MonitorMagic;MonitorMagic (1340,48155);"D:\Program Files\MonitorMagicService\NM.EXE"
S4 TrkSvr;Distributed Link Tracking Server;C:\WINDOWS\system32\svchost.exe -k netsvcs
S4 Tssdis;Terminal Services Session Directory;C:\WINDOWS\System32\tssdis.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService	REG_MULTI_SZ   	Alerter WebClient LmHosts WinHttpAutoProxySvc W32Time
NetworkService	REG_MULTI_SZ   	6to4 DHCP DnsCache
WinErr	REG_MULTI_SZ   	ERsvc
tapisrv	REG_MULTI_SZ   	Tapisrv
regsvc	REG_MULTI_SZ   	RemoteRegistry
swprv	REG_MULTI_SZ   	swprv
iissvcs	REG_MULTI_SZ   	w3svc
DcomLaunch	REG_MULTI_SZ   	DcomLaunch
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
NWCWorkstation
Sacsvr
Schedule
Seclogon
Themes
TrkWks
TrkSvr
Wmi
WmdmPmSp
winmgmt
wuauserv
BITS
ShellHWDetection
uploadmgr
xmlprov
AeLookupSvc
helpsvc
 
 
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{36BBA8D2-CA5C-4847-81CC-4F807DD86C91}]
%SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateUser urlmon.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6D69F546-C1AF-4049-AE9E-28627B91D3F5}]
%SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateAdmin urlmon.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin
 
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenUser
.
**************************************************************************
 
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 11:25:12
Windows 5.2.3790 Service Pack 1 NTFS
 
scanning hidden processes ... 
 
scanning hidden autostart entries ...
 
scanning hidden files ... 
 
**************************************************************************
.
Completion time: 2007-12-13 11:27:04 - machine was rebooted

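The two logs above both point at the same leftovers: the HijackThis O21 (SSODL) and O22 (SharedTaskScheduler) lines, which the ComboFix "Reg Loading Points" section shows again under `ShellServiceObjectDelayLoad` and `sharedtaskscheduler`. Those keys are loaded into explorer.exe at every logon, which is why a removal that only deletes files (and leaves `e404d.dll` registered but missing) can still produce explorer.exe errors. The following is an added example, not code from HijackThis, ComboFix or the posters: a small Python triage pass over HijackThis log lines that flags the logon-loader entries, dangling "(file missing)" references, entries pointing at URLs, and any O17 NameServer values outside an expected set. The `SAMPLE_LOG` lines are copied from the log above; the severity rules, the `BASELINE_MODULES` allowlist and the `expected_dns` parameter are assumptions made for this example, not HijackThis behaviour.

```python
"""Triage HijackThis log lines and surface the persistence entries worth a look.

Added example for this page; not code from HijackThis, ComboFix or the original
posters. SAMPLE_LOG is copied from the log posted above. The severity rules,
BASELINE_MODULES and the expected_dns parameter are this example's assumptions.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# A subset of the HijackThis log posted above (copied, not constructed).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{31FDEC4C-42CC-4AC9-827B-41E5C6D47AB4}: NameServer = 203.123.176.65,203.123.128.70
O21 - SSODL: E404Helper - {fce6faec-029d-4027-9d1d-d72213a13251} - e404d.dll (file missing)
O22 - SharedTaskScheduler: edgers - {d66c22b6-2217-4d1a-9a90-1a54de1fc706} - C:\WINDOWS\system32\zcwlnic.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Assumption: the stock Windows ShellServiceObjectDelayLoad / SharedTaskScheduler
# handlers live in these modules; anything else explorer.exe loads at logon is
# reviewed by hand.
BASELINE_MODULES: Set[str] = {"stobject.dll", "webcheck.dll", "shell32.dll", "browseui.dll"}

# HijackThis sections whose handlers run inside winlogon/explorer at every logon
# and survive a failed "Add or Remove Programs" uninstall.
LOGON_LOADER_SECTIONS = {"O20", "O21", "O22"}

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
MODULE_RE = re.compile(r"\S+\.(?:dll|exe|sys)\b", re.IGNORECASE)
DNS_RE = re.compile(r"NameServer\s*=\s*(?P<servers>[\d.,]+)")


@dataclass
class Finding:
    section: str
    severity: str  # "high", "medium" or "review"
    reason: str
    line: str


def parse_entries(log: str) -> List[Tuple[str, str, str]]:
    """Return (section, body, raw line) for every 'Oxx - ...' style entry."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body"), raw.strip()))
    return entries


def module_name(body: str) -> Optional[str]:
    """Lower-cased base name of the first module path in an entry, if any."""
    m = MODULE_RE.search(body)
    return ntpath.basename(m.group(0)).lower() if m else None


def triage(log: str, expected_dns: Optional[Set[str]] = None) -> List[Finding]:
    """Apply the (assumed) rules to every entry and return the findings."""
    findings: List[Finding] = []
    for section, body, raw in parse_entries(log):
        missing = "(file missing)" in body
        mod = module_name(body) or "<unknown module>"

        if section in LOGON_LOADER_SECTIONS:
            # Loaded into explorer.exe at logon: anything off the baseline is high.
            if mod not in BASELINE_MODULES:
                reason = (
                    f"{mod} is still registered to load into explorer.exe at logon "
                    "but the file is gone; a removal tool left the loader behind"
                    if missing else
                    f"{mod} is loaded into explorer.exe at logon and is not a stock Windows module"
                )
                findings.append(Finding(section, "high", reason, raw))
            continue

        if section == "O17":
            # Resolver change: not proof of hijack, but must be confirmed out of band.
            m = DNS_RE.search(body)
            servers = set(m.group("servers").split(",")) if m else set()
            unexpected = servers - (expected_dns or set())
            if unexpected:
                findings.append(Finding(
                    section, "review",
                    f"resolver(s) {sorted(unexpected)} not in the expected set; "
                    "confirm them with the ISP or admin before trusting name resolution",
                    raw))
            continue

        if re.search(r"https?://", body):
            findings.append(Finding(section, "medium", "entry points at a URL rather than a local file", raw))
        elif missing:
            findings.append(Finding(section, "medium", f"dangling reference: {mod} no longer exists", raw))
    return findings


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "review": 2}
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order[f.severity]):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Run against the sample it reports `zcwlnic.dll` and the missing `e404d.dll` as high, the topsoftwarefeed.com "IE Anti-Spyware" button as medium, and the two 203.123.x.x resolvers for review; the Acrobat BHO, the `dumprep` Run entry and the Symantec service produce nothing. Passing the resolvers the machine is supposed to use as `expected_dns` silences the O17 line, which is the point of the check: the log alone cannot tell a hijacked resolver from the ISP's.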

Asker-certified solution: rpggamergirl (available to Experts Exchange members only).