Solved

Fake Antivirus

Posted on 2007-12-05
4,900 Views
Last Modified: 2013-11-08
How to prevent or uninstall Fake antivirus software (e.g. Bestseller Antivirus)?
Question by:prasad1390
6 Comments
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20413020
To prevent, don't fall for the pop-ups, don't download shareware, keep good up to date security programs running.

To remove it... you can first try Add or Remove Programs, but that usually doesn't work. And you probably have a Smitfraud infection.

It would help if we could see what was going on with your computer. I suggest that you download, run, and upload a HijackThis log from the link below.

http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php

Please upload the log at EE-Stuff.com.
Use the link below and log in using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on the "Expert Area" tab.
Type or paste the link to your Question.
"Browse" your PC to the location of your HijackThis log and click "Upload".
Copy the resulting "URL" and post it back here.
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20413033
I should point out...
Where I said "shareware" I meant using P2P or torrents to download illegally, not normal "shareware". Sorry.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20435750
If the fake antivirus software (e.g. Bestseller Antivirus) is already installed and you can't uninstall it using Add/Remove,
run ComboFix and upload the log or attach the log as a Code Snippet.

Download ComboFix to your Desktop, from either of these locations:
http://www.forospyware.com/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

ComboFix will terminate your connection while scanning, and will resume the connection when it's done.
If you have issues connecting to your network or the internet after running ComboFix, you can either simply reboot or do the following:
* Go to Control Panel > Network Connections.
* Right-click on your Network icon & select "Repair".
Alternatively, if the Network icon appears in the notification area in the lower right corner of the Desktop, right-click it, and then click Repair from the shortcut menu.

LVL 3

Author Comment

by:prasad1390
ID: 20462649
Thanks for the quick response, guys.

I was able to remove the Bestseller Antivirus software using ADware & Search & Destroy; unfortunately I am getting an explorer.exe error and am not able to boot into safe mode either. No internet connection; almost everything is blocked for me.

I ran the HijackThis test and attached the same.
Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:10, on 2007-12-13

Platform: Windows 2003 SP1 (WinNT 5.02.3790)

MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Boot mode: Normal
 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\System32\svchost.exe

C:\xampp\filezillaftp\filezillaserver.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\dmadmin.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\cmd.exe

D:\HiJackThis.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\cmd.exe

C:\ComboFix\nircmd.cfexe

C:\WINDOWS\system32\findstr.exe
 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)

O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196712218046

O17 - HKLM\System\CCS\Services\Tcpip\..\{31FDEC4C-42CC-4AC9-827B-41E5C6D47AB4}: NameServer = 203.123.176.65,203.123.128.70

O17 - HKLM\System\CS1\Services\Tcpip\..\{31FDEC4C-42CC-4AC9-827B-41E5C6D47AB4}: NameServer = 203.123.176.65,203.123.128.70

O17 - HKLM\System\CS2\Services\Tcpip\..\{31FDEC4C-42CC-4AC9-827B-41E5C6D47AB4}: NameServer = 203.123.176.65,203.123.128.70

O17 - HKLM\System\CS3\Services\Tcpip\..\{31FDEC4C-42CC-4AC9-827B-41E5C6D47AB4}: NameServer = 203.123.176.65,203.123.128.70

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O21 - SSODL: E404Helper - {fce6faec-029d-4027-9d1d-d72213a13251} - e404d.dll (file missing)

O22 - SharedTaskScheduler: edgers - {d66c22b6-2217-4d1a-9a90-1a54de1fc706} - C:\WINDOWS\system32\zcwlnic.dll

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: TechExcel HelpDesk Application Server (TxHdAppServ) - Unknown owner - C:\Program Files\TechExcel\HelpDesk\HDAppServer\TxHDAppSrv.exe (file missing)
 

--

End of file - 6220 bytes

 
LVL 3

Author Comment

by:prasad1390
ID: 20462701
Hello rpggamergirl,

Please find the log of ComboFix:
ComboFix 07-12-12.3 - Administrator 2007-12-13 11:08:48.1 - NTFSx86

Microsoft(R) Windows(R) Server 2003, Standard Edition  5.2.3790.1.1252.1.1033.18.172 [GMT 5.5:30]

Running from: D:\ComboFix.exe

.
 

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

.
 

C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\VR7UVHD3\www.broadcaster.com

C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\VR7UVHD3\www.broadcaster.com\played_list.sol

C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\VR7UVHD3\www.broadcaster.com\video_queue.sol

C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com

C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol

C:\WINDOWS\system32\Cache
 

.

(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
 

.

-------\LEGACY_NPF
 
 

(((((((((((((((((((((((((   Files Created from 2007-11-13 to 2007-12-13  )))))))))))))))))))))))))))))))

.
 

2007-12-12 01:11 . 2007-12-12 01:12	<DIR>	d--------	C:\PMAIL

2007-12-12 00:53 . 2007-12-12 00:53	<DIR>	d--------	C:\Documents and Settings\Prem Subramani\Application Data\Thunderbird

2007-12-12 00:52 . 2007-12-12 01:00	<DIR>	d--------	C:\Program Files\Mozilla Thunderbird

2007-12-10 17:38 . 2007-12-10 17:38	<DIR>	d--------	C:\WINDOWS\system32\Dell

2007-12-10 17:38 . 2007-12-10 17:38	<DIR>	d--------	C:\Program Files\Dell

2007-12-10 17:27 . 2007-12-10 17:27	<DIR>	d--h-----	C:\WINDOWS\system32\GroupPolicy

2007-12-05 22:18 . 2007-12-06 12:11	<DIR>	d--------	C:\Program Files\Trojan Remover

2007-12-05 22:12 . 2007-12-05 22:12	<DIR>	d--------	C:\Program Files\Webroot

2007-12-05 22:10 . 2007-12-05 22:10	<DIR>	d--------	C:\WINDOWS\Internet Logs

2007-12-04 16:39 . 2007-12-04 16:40	<DIR>	d--------	C:\IOData

2007-12-04 14:28 . 2007-12-05 19:56	<DIR>	d--------	C:\WINDOWS\SxsCaPendDel

2007-12-04 13:38 . 2007-12-04 13:38	194	--a------	C:\WINDOWS\wininit.ini

2007-12-04 12:09 . 2007-12-04 14:20	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2007-12-04 02:49 . 2007-12-04 02:49	<DIR>	d--------	C:\WUTemp

2007-12-04 01:36 . 2007-07-30 19:18	34,136	--a------	C:\WINDOWS\system32\wucltui.dll.mui

2007-12-04 01:36 . 2007-07-30 19:19	25,944	--a------	C:\WINDOWS\system32\wuaucpl.cpl.mui

2007-12-04 01:36 . 2007-07-30 19:19	25,944	--a------	C:\WINDOWS\system32\wuapi.dll.mui

2007-12-04 01:36 . 2007-07-30 19:18	20,312	--a------	C:\WINDOWS\system32\wuaueng.dll.mui

2007-12-03 14:13 . 2007-12-03 14:16	<DIR>	d--------	C:\Program Files\VirusProtect 3.8

2007-12-03 14:11 . 2007-12-03 14:11	51,712	--a------	C:\WINDOWS\system32\e404d.dll

2007-12-03 11:36 . 2007-12-03 11:50	<DIR>	d--------	C:\Documents and Settings\navy\Application Data\U3

2007-12-03 11:36 . 2007-12-03 11:36	<DIR>	d--------	C:\Documents and Settings\navy\Application Data\DivX

2007-12-03 09:36 . 2007-12-03 09:36	<DIR>	d--------	C:\My Music

2007-12-02 22:37 . 2005-03-24 18:06	449,536	--a--c---	C:\WINDOWS\system32\dllcache\licdll.dll

2007-11-30 23:10 . 2007-12-04 14:28	<DIR>	d--------	C:\Program Files\Citrix

2007-11-29 09:43 . 2007-11-29 09:43	<DIR>	d--------	C:\Documents and Settings\navy\Application Data\FlashGet

2007-11-22 20:27 . 2007-12-04 14:30	<DIR>	d--------	C:\WINDOWS\iSCSI

2007-11-22 13:57 . 2005-05-02 21:21	2,890,240	--a------	C:\WINDOWS\system32\msi.dll

2007-11-22 13:57 . 2005-05-02 21:21	2,890,240	--a--c---	C:\WINDOWS\system32\dllcache\msi.dll

2007-11-22 02:29 . 2007-12-04 14:27	<DIR>	d--------	C:\Program Files\EasyJob Resume Builder

2007-11-21 17:47 . 2007-12-11 11:18	<DIR>	d--------	C:\Program Files\SYW95A-V3

2007-11-21 17:47 . 2007-11-21 17:47	<DIR>	d--------	C:\Program Files\Seagate Software

2007-11-21 17:47 . 2007-11-21 17:47	<DIR>	d--------	C:\Program Files\MapInfo MapX

2007-11-21 15:56 . 2003-07-16 14:27	43,264	---------	C:\WINDOWS\system32\drivers\ser2pl.sys

2007-11-21 15:56 . 2007-11-21 15:56	22,016	--a------	C:\WINDOWS\system32\drivers\Rockey4.sys

2007-11-21 15:56 . 2007-11-21 15:56	12,928	--a------	C:\WINDOWS\system32\drivers\Rockey4USB.sys

2007-11-21 15:56 . 2007-11-21 15:56	4,096	--a------	C:\WINDOWS\system32\Ry4CoInst.dll

2007-11-21 02:53 . 2007-11-21 02:55	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Metacafe

2007-11-16 20:40 . 2007-11-16 20:40	<DIR>	d--------	C:\Program Files\Bandwidth Controller Enterprise Server

2007-11-16 20:40 . 2007-11-16 20:40	<DIR>	d--------	C:\Program Files\Bandwidth Controller Enterprise Client

2007-11-16 20:24 . 2007-11-16 20:43	<DIR>	d--------	C:\Program Files\Bandwidth Controller Standard Server

2007-11-16 20:24 . 2007-11-16 20:24	216,064	--a------	C:\WINDOWS\system32\drivers\bcim.sys

2007-11-16 20:16 . 2007-11-16 20:16	<DIR>	d--------	C:\Program Files\Microsoft IEAK 7

2007-11-16 19:16 . 2007-11-21 17:50	<DIR>	d--------	C:\Program Files\Microsoft Silverlight
 

.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-12-13 05:53	---------	d-----w	C:\Program Files\Symantec AntiVirus

2007-12-06 06:46	---------	d-----w	C:\Program Files\NCH Swift Sound

2007-12-06 06:46	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\NCH Swift Sound

2007-12-06 06:39	---------	d-----w	C:\Program Files\DameWare Development

2007-12-06 02:58	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Thinstall

2007-12-05 16:56	---------	d-----w	C:\Program Files\TortoiseCVS

2007-12-05 16:54	---------	d-----w	C:\Program Files\SecureFX

2007-12-05 16:53	---------	d-----w	C:\Program Files\Common Files\Real

2007-12-04 08:58	---------	d-----w	C:\Program Files\Common Files\Quest Shared

2007-12-04 08:56	---------	d--h--w	C:\Program Files\InstallShield Installation Information

2007-12-03 08:46	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP

2007-11-30 21:07	---------	d-----w	C:\Program Files\FlashGet

2007-11-26 02:32	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\DameWare Development

2007-11-19 03:59	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Microsoft Help

2007-11-11 13:34	---------	d-----w	C:\Documents and Settings\Prem Subramani\Application Data\PC Suite

2007-11-11 01:52	---------	d-----w	C:\Documents and Settings\All Users\Application Data\PC Suite

2007-11-11 01:52	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\PC Suite

2007-11-11 01:52	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Nokia

2007-11-11 01:50	---------	d-----w	C:\Program Files\DIFX

2007-11-11 01:46	---------	d-----w	C:\Program Files\Illustrate

2007-11-09 01:15	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Skype

2007-11-08 09:35	---------	d-----w	C:\Program Files\MSECache

2007-11-02 04:52	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\DWMRCMSI

2007-11-02 04:35	---------	d-----w	C:\Program Files\Common Files\Symantec Shared

2007-11-02 04:34	---------	d-----w	C:\Program Files\Symantec

2007-10-30 23:54	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Installations

2007-10-29 17:52	---------	d-----w	C:\Program Files\Common Files\Ahead

2007-10-29 17:50	---------	d-----w	C:\Program Files\IPCheck Server Monitor 5

2007-10-29 17:49	---------	d-----w	C:\Program Files\Ping Plotter

2007-10-29 17:45	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Innovative Solutions

2007-10-29 17:44	---------	d-----w	C:\Program Files\Innovative Solutions

2007-10-27 12:01	---------	d-----w	C:\Documents and Settings\Prem Subramani\Application Data\AdobeUM

2007-10-26 07:52	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Colasoft Packet Builder

2007-10-26 05:03	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Wireshark

2007-10-26 03:55	---------	d-----w	C:\Program Files\Look@LAN

2007-10-25 16:16	720,896	----a-w	C:\WINDOWS\iun6002.exe

2007-10-25 16:09	73,216	----a-w	C:\WINDOWS\ST6UNST.EXE

2007-10-25 16:09	249,856	------w	C:\WINDOWS\Setup1.exe

2007-10-25 06:50	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Talkback

2007-10-25 06:47	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Thunderbird

2007-10-21 10:24	---------	d-----w	C:\Documents and Settings\Prem Subramani\Application Data\Media Player Classic

2007-10-20 12:39	---------	d-----w	C:\Documents and Settings\Prem Subramani\Application Data\DivX

2007-10-18 06:34	---------	d-----w	C:\Program Files\Common Files\L&H

2007-10-18 06:33	---------	d-----w	C:\Program Files\Microsoft ActiveSync

2007-10-18 06:32	---------	d-----w	C:\Program Files\Microsoft Works

2007-10-17 15:33	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Software

2007-10-17 15:32	---------	d-----w	C:\Program Files\Quest Software

2007-10-17 14:27	---------	d-----w	C:\Program Files\Microsoft SQL Server

2007-10-17 14:27	---------	d-----w	C:\Program Files\Microsoft Analysis Services

2007-10-16 11:02	---------	d-----w	C:\Program Files\Tools4ever

2007-10-16 10:05	---------	d-----w	C:\Program Files\GFI

.
 

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown 

REGEDIT4
 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2005-03-24 17:58]
 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2003-03-25 17:30]
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"disablecad"= 0 (0x0)
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"ShowSuperHidden"= 1 (0x1)
 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]

"{d66c22b6-2217-4d1a-9a90-1a54de1fc706}"= C:\WINDOWS\system32\zcwlnic.dll [2007-12-02 22:37 12800]
 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"E404Helper"= {fce6faec-029d-4027-9d1d-d72213a13251} - e404d.dll [ ]
 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]

@="Service"
 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wd.sys]

@="Driver"
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^TLISOFTWARE - PowerTerm WebConnect Application Zone by Ericom.lnk]

path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\TLISOFTWARE - PowerTerm WebConnect Application Zone by Ericom.lnk

backup=C:\WINDOWS\pss\TLISOFTWARE - PowerTerm WebConnect Application Zone by Ericom.lnkStartup
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^WordWeb.lnk]

path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\WordWeb.lnk

backup=C:\WINDOWS\pss\WordWeb.lnkStartup
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Univault Access Manager.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Univault Access Manager.lnk

backup=C:\WINDOWS\pss\Univault Access Manager.lnkCommon Startup

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]

2006-07-19 19:26	52896	--a------	C:\Program Files\Common Files\Symantec Shared\ccApp.exe

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2005-03-24 17:58	15360	--a------	C:\WINDOWS\system32\ctfmon.exe

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eyeBeam SIP Client]

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]

			C:\Program Files\Google\Google Talk\googletalk.exe /autostart

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\idefisk.exe]

2006-06-06 14:56	2343936	--a------	C:\Documents and Settings\Administrator\Desktop\idefisk137\idefisk.exe

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JustVoip]

			C:\Program Files\JustVoip.com\JustVoip\JustVoip.exe -nosplash -minimized

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Internet Explorer]

			C:\WINDOWS\system32\iexplore.exe

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

			C:\Program Files\MSN Messenger\msnmsgr.exe /background

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

			C:\WINDOWS\system32\NeroCheck.exe

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OLPSYNCH]

2007-07-13 13:30	42288	--a------	C:\Program Files\Offline Course Player\OlpSynch.exe

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

			C:\Program Files\QuickTime\qttask.exe -atboottime

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]

			C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

2004-04-01 10:52	1368064	--a------	C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2004-06-03 22:05	32881	--a------	C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]

			C:\Program Files\Trojan Remover\Trjscan.exe

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]

			C:\WINDOWS\system32\dumprep 0 -u

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]

2006-09-27 20:33	125168	--a------	C:\PROGRA~1\SYMANT~1\VPTray.exe

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]

			VTTimer.exe

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]

			VTtrayp.exe

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

			C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zoiper.exe]

2007-07-19 18:13	4264522	--a------	C:\Program Files\Attractel\Zoiper\Zoiper.exe
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Messenger"=3 (0x3)

"HDDocServ"=2 (0x2)

"FirebirdServerDefaultInstance"=3 (0x3)

"FileZilla Server"=2 (0x2)

"Apache2.2"=2 (0x2)
 

R0 crcdisk;CRC Disk Filter Driver;C:\WINDOWS\system32\DRIVERS\crcdisk.sys

R0 DfsDriver;DfsDriver;C:\WINDOWS\system32\drivers\Dfs.sys

R1 ISODrive;ISO DVD/CD-ROM Device Driver;\??\C:\Program Files\UltraISO\drivers\ISODrive.sys

R2 AeLookupSvc;Application Experience Lookup Service;C:\WINDOWS\system32\svchost.exe -k netsvcs

R3 ROCKEYNT;Feitian ROCKEY4 Device Service;C:\WINDOWS\system32\DRIVERS\Rockey4.sys

R3 WLBS;Network Load Balancing;C:\WINDOWS\system32\DRIVERS\wlbs.sys

S2 TxHdAppServ;TechExcel HelpDesk Application Server;C:\Program Files\TechExcel\HelpDesk\HDAppServer\TxHDAppSrv.exe

S3 CSTDIDRV;CSTDIDRV;C:\WINDOWS\system32\Drivers\CSTDI50.sys

S3 Dfs;Distributed File System;C:\WINDOWS\system32\Dfssvc.exe

S3 iScsiPrt;iScsiPort Driver;C:\WINDOWS\system32\DRIVERS\msiscsi.sys

S3 NtFrs;File Replication;C:\WINDOWS\system32\ntfrs.exe

S3 RSoPProv;Resultant Set of Policy Provider;C:\WINDOWS\system32\RSoPProv.exe

S3 sacsvr;Special Administration Console Helper;C:\WINDOWS\System32\svchost.exe -k netsvcs

S3 vga;vga;C:\WINDOWS\system32\DRIVERS\vgapnp.sys

S3 WinHttpAutoProxySvc;WinHTTP Web Proxy Auto-Discovery Service;C:\WINDOWS\system32\svchost.exe -k LocalService

S4 Apache2.2;Apache2.2;"C:\xampp\apache\bin\apache.exe" -k runservice

S4 ClusDisk;Cluster Disk Driver;C:\WINDOWS\system32\DRIVERS\ClusDisk.sys

S4 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;C:\Program Files\IPCheck Server Monitor 5\Firebird\bin\fbserver.exe -s

S4 HDDocServ;TechExcel HelpDesk Document Server;C:\Program Files\TechExcel\HelpDesk\HDDocServer\HDDocServer.exe

S4 IsmServ;Intersite Messaging;C:\WINDOWS\System32\ismserv.exe

S4 kdc;Kerberos Key Distribution Center;C:\WINDOWS\System32\lsass.exe

S4 MonitorMagic;MonitorMagic (1340,48155);"D:\Program Files\MonitorMagicService\NM.EXE"

S4 TrkSvr;Distributed Link Tracking Server;C:\WINDOWS\system32\svchost.exe -k netsvcs

S4 Tssdis;Terminal Services Session Directory;C:\WINDOWS\System32\tssdis.exe
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalService	REG_MULTI_SZ   	Alerter WebClient LmHosts WinHttpAutoProxySvc W32Time

NetworkService	REG_MULTI_SZ   	6to4 DHCP DnsCache

WinErr	REG_MULTI_SZ   	ERsvc

tapisrv	REG_MULTI_SZ   	Tapisrv

regsvc	REG_MULTI_SZ   	RemoteRegistry

swprv	REG_MULTI_SZ   	swprv

iissvcs	REG_MULTI_SZ   	w3svc

DcomLaunch	REG_MULTI_SZ   	DcomLaunch
 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs

AppMgmt

AudioSrv

Browser

CryptSvc

DMServer

HidServ

LanmanServer

LanmanWorkstation

Messenger

Nla

NWCWorkstation

Sacsvr

Schedule

Seclogon

Themes

TrkWks

TrkSvr

Wmi

WmdmPmSp

winmgmt

wuauserv

BITS

ShellHWDetection

uploadmgr

xmlprov

AeLookupSvc

helpsvc
 
 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{36BBA8D2-CA5C-4847-81CC-4F807DD86C91}]

%SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateUser urlmon.dll
 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6D69F546-C1AF-4049-AE9E-28627B91D3F5}]

%SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateAdmin urlmon.dll
 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]

%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin
 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]

%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenUser

.

**************************************************************************
 

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-12-13 11:25:12

Windows 5.2.3790 Service Pack 1 NTFS
 

scanning hidden processes ... 
 

scanning hidden autostart entries ...
 

scanning hidden files ... 
 

**************************************************************************

.

Completion time: 2007-12-13 11:27:04 - machine was rebooted

 
LVL 47

Accepted Solution

by:
rpggamergirl earned 125 total points
ID: 20463596
Thanks for the logs.

Open notepad and copy/paste the text inside the lines below into it.
-----------------------------------------------------------------------------------
File::
C:\Program Files\VirusProtect 3.8
C:\WINDOWS\system32\e404d.dll
C:\WINDOWS\system32\zcwlnic.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"E404Helper"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Internet Explorer]
-----------------------------------------------------------------------------------
Save this as CFScript in the same location as ComboFix.exe,
then drag CFScript.txt into ComboFix.exe.

This will start ComboFix again. Follow the prompts. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.


Smitfraud is showing in your HijackThis log; if the problem persists, we can run SmitfraudFix later.
In HijackThis you can fix these if they are still present:
O21 - SSODL: E404Helper - {fce6faec-029d-4027-9d1d-d72213a13251} - e404d.dll (file missing)  
O22 - SharedTaskScheduler: edgers - {d66c22b6-2217-4d1a-9a90-1a54de1fc706} - C:\WINDOWS\system32\zcwlnic.dll


Do you recognize these folders below? If you don't know these folders, you might like to scan them online at --> http://virusscan.jotti.org/
C:\IOData
C:\WINDOWS\SxsCaPendDel
C:\Program Files\SYW95A-V3

Can you also have these files below checked? They could belong to MS Visual Basic or could also be trojan droppers.
C:\WINDOWS\iun6002.exe
C:\WINDOWS\ST6UNST.EXE
C:\WINDOWS\Setup1.exe
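As an added example that is not part of this thread: a small triage script over constructed HijackThis-format lines modelled on the log posted above. It flags the kinds of entries rpggamergirl picked out (orphaned "(file missing)" items, O21/O22 DLLs that Explorer auto-loads, browser buttons pointing at a remote URL, O17 name servers) and drafts the File:: section of a CFScript in the format of the accepted answer for a human to review. All function names are this example's own, not HijackThis or ComboFix APIs.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis 2.x format. The entries are modelled on the
# log posted in this thread (the ones the expert singled out, plus benign ones).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{31FDEC4C-42CC-4AC9-827B-41E5C6D47AB4}: NameServer = 203.123.176.65,203.123.128.70
O21 - SSODL: E404Helper - {fce6faec-029d-4027-9d1d-d72213a13251} - e404d.dll (file missing)
O22 - SharedTaskScheduler: edgers - {d66c22b6-2217-4d1a-9a90-1a54de1fc706} - C:\WINDOWS\system32\zcwlnic.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.+)$")
AFTER_GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\} - (?P<target>.+)$")
URL_RE = re.compile(r"^https?://", re.I)
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
MISSING = "(file missing)"


@dataclass
class Finding:
    section: str          # HijackThis section code, e.g. "O21"
    target: str           # file, DLL, URL or value the entry points at
    missing: bool         # HijackThis reported the file as absent
    reasons: list = field(default_factory=list)
    line: str = ""


def target_of(sec: str, body: str) -> str:
    """Extract what an entry points at."""
    if sec in ("R0", "R1", "O17"):            # "key = value" style entries
        return body.split("=", 1)[-1].strip()
    # Anchor on the CLSID when present: install paths may themselves contain " - "
    # (e.g. "Spybot - Search & Destroy"), so a plain rsplit would truncate them.
    m = AFTER_GUID_RE.search(body)
    tail = m.group("target") if m else body.rsplit(" - ", 1)[-1]
    return tail.replace(MISSING, "").strip()


def triage(log_text: str) -> list:
    """Return the entries a reviewer should look at, each with its reasons."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue                           # header, process list, blank lines
        sec, body = m.group("sec"), m.group("body")
        f = Finding(sec, target_of(sec, body), MISSING in body, line=raw.strip())
        if f.missing:
            f.reasons.append("orphaned entry: referenced file is gone; fix it in HijackThis")
        if sec in ("O21", "O22"):
            f.reasons.append("DLL auto-loaded by Explorer at logon (SSODL/SharedTaskScheduler); verify publisher")
        if sec in ("O2", "O9") and URL_RE.match(f.target):
            f.reasons.append("browser add-on pointing at a remote URL instead of a local file")
        if sec == "O2" and "(no name)" in body and "\\Program Files\\" not in f.target:
            f.reasons.append("unnamed BHO outside Program Files")
        if sec == "O17":
            f.reasons.append("DNS servers pinned in the registry; confirm they are your ISP's/network's resolvers")
        if f.reasons:
            findings.append(f)
    return findings


def cfscript_draft(findings: list) -> str:
    """Draft the File:: section of a ComboFix CFScript (the format used in the
    accepted answer) from flagged entries that still exist on disk. A human
    reviews it before use; orphaned entries have nothing left to delete."""
    paths = sorted({f.target for f in findings if DRIVE_RE.match(f.target) and not f.missing})
    if not paths:
        return ""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:<4} {f.target}")
        for r in f.reasons:
            print(f"     - {r}")
    print(cfscript_draft(found), end="")
```

The O2 entry for Spybot's SDHelper.dll shows the caveat that "(no name)" alone is not a signal; it is only flagged when the DLL lives outside Program Files.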