Fake Antivirus

Posted on 2007-12-05
5,003 Views
Last Modified: 2013-11-08
How to prevent or uninstall Fake antivirus software (e.g. Bestseller Antivirus)?
Question by:prasad1390
6 Comments
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20413020
To prevent it, don't fall for the pop-ups, don't download shareware, and keep good, up-to-date security programs running.

To remove it, you can first try Add or Remove Programs, but that usually doesn't work. And you probably have a Smitfraud infection.

It would help if we could see what was going on with your computer. I suggest that you download, run, and upload a HijackThis log from the link below.

http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php

Please upload the log at EE-Stuff.com
Use the link below and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on the "Expert Area" tab.
Type or paste the link to your Question.
"Browse" your PC to the location of your HijackThis log and click "Upload".
Copy the resulting URL and post it back here.
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20413033
I should point out...
Where I said "shareware" I mean using P2P or torrents to download illegally. Not normal "shareware", sorry.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20435750
If the fake antivirus software (e.g. Bestseller Antivirus) is already installed and you can't uninstall it using Add/Remove,
run ComboFix and upload the log or attach the log as a Code Snippet.

Download ComboFix to your Desktop, from either of these locations:
http://www.forospyware.com/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

ComboFix will terminate your connection while scanning, and will resume the connection when it's done.
If you have issues connecting to your network or the internet after running ComboFix, you can either simply reboot, or do the following:
* Go to Control Panel > Network Connections.
* Right-click on your network icon and select "Repair".
Alternatively, if the network icon appears in the notification area in the lower right corner of the Desktop, right-click it, and then click Repair from the shortcut menu.



 
LVL 3

Author Comment

by:prasad1390
ID: 20462649
Thanks for the quick response, guys.

I was able to remove the Best Seller Anti Virus software using Adware & Search & Destroy; unfortunately I am getting an explorer.exe error and am not able to boot into safe mode either. No internet connection; almost everything is blocked for me.

I ran the HijackThis test and attached the same.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10, on 2007-12-13
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\xampp\filezillaftp\filezillaserver.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe
D:\HiJackThis.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\ComboFix\nircmd.cfexe
C:\WINDOWS\system32\findstr.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196712218046
O17 - HKLM\System\CCS\Services\Tcpip\..\{31FDEC4C-42CC-4AC9-827B-41E5C6D47AB4}: NameServer = 203.123.176.65,203.123.128.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{31FDEC4C-42CC-4AC9-827B-41E5C6D47AB4}: NameServer = 203.123.176.65,203.123.128.70
O17 - HKLM\System\CS2\Services\Tcpip\..\{31FDEC4C-42CC-4AC9-827B-41E5C6D47AB4}: NameServer = 203.123.176.65,203.123.128.70
O17 - HKLM\System\CS3\Services\Tcpip\..\{31FDEC4C-42CC-4AC9-827B-41E5C6D47AB4}: NameServer = 203.123.176.65,203.123.128.70
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: E404Helper - {fce6faec-029d-4027-9d1d-d72213a13251} - e404d.dll (file missing)
O22 - SharedTaskScheduler: edgers - {d66c22b6-2217-4d1a-9a90-1a54de1fc706} - C:\WINDOWS\system32\zcwlnic.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TechExcel HelpDesk Application Server (TxHdAppServ) - Unknown owner - C:\Program Files\TechExcel\HelpDesk\HDAppServer\TxHDAppSrv.exe (file missing)
 
--
End of file - 6220 bytes

 
LVL 3

Author Comment

by:prasad1390
ID: 20462701
Hello rpggamergirl,

Please find the log of ComboFix below.
ComboFix 07-12-12.3 - Administrator 2007-12-13 11:08:48.1 - NTFSx86
Microsoft(R) Windows(R) Server 2003, Standard Edition  5.2.3790.1.1252.1.1033.18.172 [GMT 5.5:30]
Running from: D:\ComboFix.exe
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\VR7UVHD3\www.broadcaster.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\VR7UVHD3\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\VR7UVHD3\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\system32\Cache
 
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
 
.
-------\LEGACY_NPF
 
 
(((((((((((((((((((((((((   Files Created from 2007-11-13 to 2007-12-13  )))))))))))))))))))))))))))))))
.
 
2007-12-12 01:11 . 2007-12-12 01:12	<DIR>	d--------	C:\PMAIL
2007-12-12 00:53 . 2007-12-12 00:53	<DIR>	d--------	C:\Documents and Settings\Prem Subramani\Application Data\Thunderbird
2007-12-12 00:52 . 2007-12-12 01:00	<DIR>	d--------	C:\Program Files\Mozilla Thunderbird
2007-12-10 17:38 . 2007-12-10 17:38	<DIR>	d--------	C:\WINDOWS\system32\Dell
2007-12-10 17:38 . 2007-12-10 17:38	<DIR>	d--------	C:\Program Files\Dell
2007-12-10 17:27 . 2007-12-10 17:27	<DIR>	d--h-----	C:\WINDOWS\system32\GroupPolicy
2007-12-05 22:18 . 2007-12-06 12:11	<DIR>	d--------	C:\Program Files\Trojan Remover
2007-12-05 22:12 . 2007-12-05 22:12	<DIR>	d--------	C:\Program Files\Webroot
2007-12-05 22:10 . 2007-12-05 22:10	<DIR>	d--------	C:\WINDOWS\Internet Logs
2007-12-04 16:39 . 2007-12-04 16:40	<DIR>	d--------	C:\IOData
2007-12-04 14:28 . 2007-12-05 19:56	<DIR>	d--------	C:\WINDOWS\SxsCaPendDel
2007-12-04 13:38 . 2007-12-04 13:38	194	--a------	C:\WINDOWS\wininit.ini
2007-12-04 12:09 . 2007-12-04 14:20	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-04 02:49 . 2007-12-04 02:49	<DIR>	d--------	C:\WUTemp
2007-12-04 01:36 . 2007-07-30 19:18	34,136	--a------	C:\WINDOWS\system32\wucltui.dll.mui
2007-12-04 01:36 . 2007-07-30 19:19	25,944	--a------	C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-12-04 01:36 . 2007-07-30 19:19	25,944	--a------	C:\WINDOWS\system32\wuapi.dll.mui
2007-12-04 01:36 . 2007-07-30 19:18	20,312	--a------	C:\WINDOWS\system32\wuaueng.dll.mui
2007-12-03 14:13 . 2007-12-03 14:16	<DIR>	d--------	C:\Program Files\VirusProtect 3.8
2007-12-03 14:11 . 2007-12-03 14:11	51,712	--a------	C:\WINDOWS\system32\e404d.dll
2007-12-03 11:36 . 2007-12-03 11:50	<DIR>	d--------	C:\Documents and Settings\navy\Application Data\U3
2007-12-03 11:36 . 2007-12-03 11:36	<DIR>	d--------	C:\Documents and Settings\navy\Application Data\DivX
2007-12-03 09:36 . 2007-12-03 09:36	<DIR>	d--------	C:\My Music
2007-12-02 22:37 . 2005-03-24 18:06	449,536	--a--c---	C:\WINDOWS\system32\dllcache\licdll.dll
2007-11-30 23:10 . 2007-12-04 14:28	<DIR>	d--------	C:\Program Files\Citrix
2007-11-29 09:43 . 2007-11-29 09:43	<DIR>	d--------	C:\Documents and Settings\navy\Application Data\FlashGet
2007-11-22 20:27 . 2007-12-04 14:30	<DIR>	d--------	C:\WINDOWS\iSCSI
2007-11-22 13:57 . 2005-05-02 21:21	2,890,240	--a------	C:\WINDOWS\system32\msi.dll
2007-11-22 13:57 . 2005-05-02 21:21	2,890,240	--a--c---	C:\WINDOWS\system32\dllcache\msi.dll
2007-11-22 02:29 . 2007-12-04 14:27	<DIR>	d--------	C:\Program Files\EasyJob Resume Builder
2007-11-21 17:47 . 2007-12-11 11:18	<DIR>	d--------	C:\Program Files\SYW95A-V3
2007-11-21 17:47 . 2007-11-21 17:47	<DIR>	d--------	C:\Program Files\Seagate Software
2007-11-21 17:47 . 2007-11-21 17:47	<DIR>	d--------	C:\Program Files\MapInfo MapX
2007-11-21 15:56 . 2003-07-16 14:27	43,264	---------	C:\WINDOWS\system32\drivers\ser2pl.sys
2007-11-21 15:56 . 2007-11-21 15:56	22,016	--a------	C:\WINDOWS\system32\drivers\Rockey4.sys
2007-11-21 15:56 . 2007-11-21 15:56	12,928	--a------	C:\WINDOWS\system32\drivers\Rockey4USB.sys
2007-11-21 15:56 . 2007-11-21 15:56	4,096	--a------	C:\WINDOWS\system32\Ry4CoInst.dll
2007-11-21 02:53 . 2007-11-21 02:55	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Metacafe
2007-11-16 20:40 . 2007-11-16 20:40	<DIR>	d--------	C:\Program Files\Bandwidth Controller Enterprise Server
2007-11-16 20:40 . 2007-11-16 20:40	<DIR>	d--------	C:\Program Files\Bandwidth Controller Enterprise Client
2007-11-16 20:24 . 2007-11-16 20:43	<DIR>	d--------	C:\Program Files\Bandwidth Controller Standard Server
2007-11-16 20:24 . 2007-11-16 20:24	216,064	--a------	C:\WINDOWS\system32\drivers\bcim.sys
2007-11-16 20:16 . 2007-11-16 20:16	<DIR>	d--------	C:\Program Files\Microsoft IEAK 7
2007-11-16 19:16 . 2007-11-21 17:50	<DIR>	d--------	C:\Program Files\Microsoft Silverlight
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-13 05:53	---------	d-----w	C:\Program Files\Symantec AntiVirus
2007-12-06 06:46	---------	d-----w	C:\Program Files\NCH Swift Sound
2007-12-06 06:46	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\NCH Swift Sound
2007-12-06 06:39	---------	d-----w	C:\Program Files\DameWare Development
2007-12-06 02:58	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Thinstall
2007-12-05 16:56	---------	d-----w	C:\Program Files\TortoiseCVS
2007-12-05 16:54	---------	d-----w	C:\Program Files\SecureFX
2007-12-05 16:53	---------	d-----w	C:\Program Files\Common Files\Real
2007-12-04 08:58	---------	d-----w	C:\Program Files\Common Files\Quest Shared
2007-12-04 08:56	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-12-03 08:46	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-30 21:07	---------	d-----w	C:\Program Files\FlashGet
2007-11-26 02:32	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\DameWare Development
2007-11-19 03:59	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-11 13:34	---------	d-----w	C:\Documents and Settings\Prem Subramani\Application Data\PC Suite
2007-11-11 01:52	---------	d-----w	C:\Documents and Settings\All Users\Application Data\PC Suite
2007-11-11 01:52	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\PC Suite
2007-11-11 01:52	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Nokia
2007-11-11 01:50	---------	d-----w	C:\Program Files\DIFX
2007-11-11 01:46	---------	d-----w	C:\Program Files\Illustrate
2007-11-09 01:15	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Skype
2007-11-08 09:35	---------	d-----w	C:\Program Files\MSECache
2007-11-02 04:52	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\DWMRCMSI
2007-11-02 04:35	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2007-11-02 04:34	---------	d-----w	C:\Program Files\Symantec
2007-10-30 23:54	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Installations
2007-10-29 17:52	---------	d-----w	C:\Program Files\Common Files\Ahead
2007-10-29 17:50	---------	d-----w	C:\Program Files\IPCheck Server Monitor 5
2007-10-29 17:49	---------	d-----w	C:\Program Files\Ping Plotter
2007-10-29 17:45	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Innovative Solutions
2007-10-29 17:44	---------	d-----w	C:\Program Files\Innovative Solutions
2007-10-27 12:01	---------	d-----w	C:\Documents and Settings\Prem Subramani\Application Data\AdobeUM
2007-10-26 07:52	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Colasoft Packet Builder
2007-10-26 05:03	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Wireshark
2007-10-26 03:55	---------	d-----w	C:\Program Files\Look@LAN
2007-10-25 16:16	720,896	----a-w	C:\WINDOWS\iun6002.exe
2007-10-25 16:09	73,216	----a-w	C:\WINDOWS\ST6UNST.EXE
2007-10-25 16:09	249,856	------w	C:\WINDOWS\Setup1.exe
2007-10-25 06:50	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Talkback
2007-10-25 06:47	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Thunderbird
2007-10-21 10:24	---------	d-----w	C:\Documents and Settings\Prem Subramani\Application Data\Media Player Classic
2007-10-20 12:39	---------	d-----w	C:\Documents and Settings\Prem Subramani\Application Data\DivX
2007-10-18 06:34	---------	d-----w	C:\Program Files\Common Files\L&H
2007-10-18 06:33	---------	d-----w	C:\Program Files\Microsoft ActiveSync
2007-10-18 06:32	---------	d-----w	C:\Program Files\Microsoft Works
2007-10-17 15:33	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Software
2007-10-17 15:32	---------	d-----w	C:\Program Files\Quest Software
2007-10-17 14:27	---------	d-----w	C:\Program Files\Microsoft SQL Server
2007-10-17 14:27	---------	d-----w	C:\Program Files\Microsoft Analysis Services
2007-10-16 11:02	---------	d-----w	C:\Program Files\Tools4ever
2007-10-16 10:05	---------	d-----w	C:\Program Files\GFI
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2005-03-24 17:58]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2003-03-25 17:30]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"= 1 (0x1)
 
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{d66c22b6-2217-4d1a-9a90-1a54de1fc706}"= C:\WINDOWS\system32\zcwlnic.dll [2007-12-02 22:37 12800]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"E404Helper"= {fce6faec-029d-4027-9d1d-d72213a13251} - e404d.dll [ ]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wd.sys]
@="Driver"
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^TLISOFTWARE - PowerTerm WebConnect Application Zone by Ericom.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\TLISOFTWARE - PowerTerm WebConnect Application Zone by Ericom.lnk
backup=C:\WINDOWS\pss\TLISOFTWARE - PowerTerm WebConnect Application Zone by Ericom.lnkStartup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^WordWeb.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\WordWeb.lnk
backup=C:\WINDOWS\pss\WordWeb.lnkStartup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Univault Access Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Univault Access Manager.lnk
backup=C:\WINDOWS\pss\Univault Access Manager.lnkCommon Startup
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2006-07-19 19:26	52896	--a------	C:\Program Files\Common Files\Symantec Shared\ccApp.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2005-03-24 17:58	15360	--a------	C:\WINDOWS\system32\ctfmon.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eyeBeam SIP Client]
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
			C:\Program Files\Google\Google Talk\googletalk.exe /autostart
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\idefisk.exe]
2006-06-06 14:56	2343936	--a------	C:\Documents and Settings\Administrator\Desktop\idefisk137\idefisk.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JustVoip]
			C:\Program Files\JustVoip.com\JustVoip\JustVoip.exe -nosplash -minimized
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Internet Explorer]
			C:\WINDOWS\system32\iexplore.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
			C:\Program Files\MSN Messenger\msnmsgr.exe /background
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
			C:\WINDOWS\system32\NeroCheck.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OLPSYNCH]
2007-07-13 13:30	42288	--a------	C:\Program Files\Offline Course Player\OlpSynch.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
			C:\Program Files\QuickTime\qttask.exe -atboottime
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
			C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-04-01 10:52	1368064	--a------	C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2004-06-03 22:05	32881	--a------	C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
			C:\Program Files\Trojan Remover\Trjscan.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
			C:\WINDOWS\system32\dumprep 0 -u
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2006-09-27 20:33	125168	--a------	C:\PROGRA~1\SYMANT~1\VPTray.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
			VTTimer.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
			VTtrayp.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
			C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zoiper.exe]
2007-07-19 18:13	4264522	--a------	C:\Program Files\Attractel\Zoiper\Zoiper.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=3 (0x3)
"HDDocServ"=2 (0x2)
"FirebirdServerDefaultInstance"=3 (0x3)
"FileZilla Server"=2 (0x2)
"Apache2.2"=2 (0x2)
 
R0 crcdisk;CRC Disk Filter Driver;C:\WINDOWS\system32\DRIVERS\crcdisk.sys
R0 DfsDriver;DfsDriver;C:\WINDOWS\system32\drivers\Dfs.sys
R1 ISODrive;ISO DVD/CD-ROM Device Driver;\??\C:\Program Files\UltraISO\drivers\ISODrive.sys
R2 AeLookupSvc;Application Experience Lookup Service;C:\WINDOWS\system32\svchost.exe -k netsvcs
R3 ROCKEYNT;Feitian ROCKEY4 Device Service;C:\WINDOWS\system32\DRIVERS\Rockey4.sys
R3 WLBS;Network Load Balancing;C:\WINDOWS\system32\DRIVERS\wlbs.sys
S2 TxHdAppServ;TechExcel HelpDesk Application Server;C:\Program Files\TechExcel\HelpDesk\HDAppServer\TxHDAppSrv.exe
S3 CSTDIDRV;CSTDIDRV;C:\WINDOWS\system32\Drivers\CSTDI50.sys
S3 Dfs;Distributed File System;C:\WINDOWS\system32\Dfssvc.exe
S3 iScsiPrt;iScsiPort Driver;C:\WINDOWS\system32\DRIVERS\msiscsi.sys
S3 NtFrs;File Replication;C:\WINDOWS\system32\ntfrs.exe
S3 RSoPProv;Resultant Set of Policy Provider;C:\WINDOWS\system32\RSoPProv.exe
S3 sacsvr;Special Administration Console Helper;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 vga;vga;C:\WINDOWS\system32\DRIVERS\vgapnp.sys
S3 WinHttpAutoProxySvc;WinHTTP Web Proxy Auto-Discovery Service;C:\WINDOWS\system32\svchost.exe -k LocalService
S4 Apache2.2;Apache2.2;"C:\xampp\apache\bin\apache.exe" -k runservice
S4 ClusDisk;Cluster Disk Driver;C:\WINDOWS\system32\DRIVERS\ClusDisk.sys
S4 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;C:\Program Files\IPCheck Server Monitor 5\Firebird\bin\fbserver.exe -s
S4 HDDocServ;TechExcel HelpDesk Document Server;C:\Program Files\TechExcel\HelpDesk\HDDocServer\HDDocServer.exe
S4 IsmServ;Intersite Messaging;C:\WINDOWS\System32\ismserv.exe
S4 kdc;Kerberos Key Distribution Center;C:\WINDOWS\System32\lsass.exe
S4 MonitorMagic;MonitorMagic (1340,48155);"D:\Program Files\MonitorMagicService\NM.EXE"
S4 TrkSvr;Distributed Link Tracking Server;C:\WINDOWS\system32\svchost.exe -k netsvcs
S4 Tssdis;Terminal Services Session Directory;C:\WINDOWS\System32\tssdis.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService	REG_MULTI_SZ   	Alerter WebClient LmHosts WinHttpAutoProxySvc W32Time
NetworkService	REG_MULTI_SZ   	6to4 DHCP DnsCache
WinErr	REG_MULTI_SZ   	ERsvc
tapisrv	REG_MULTI_SZ   	Tapisrv
regsvc	REG_MULTI_SZ   	RemoteRegistry
swprv	REG_MULTI_SZ   	swprv
iissvcs	REG_MULTI_SZ   	w3svc
DcomLaunch	REG_MULTI_SZ   	DcomLaunch
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
NWCWorkstation
Sacsvr
Schedule
Seclogon
Themes
TrkWks
TrkSvr
Wmi
WmdmPmSp
winmgmt
wuauserv
BITS
ShellHWDetection
uploadmgr
xmlprov
AeLookupSvc
helpsvc
 
 
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{36BBA8D2-CA5C-4847-81CC-4F807DD86C91}]
%SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateUser urlmon.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6D69F546-C1AF-4049-AE9E-28627B91D3F5}]
%SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateAdmin urlmon.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin
 
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenUser
.
**************************************************************************
 
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 11:25:12
Windows 5.2.3790 Service Pack 1 NTFS
 
scanning hidden processes ... 
 
scanning hidden autostart entries ...
 
scanning hidden files ... 
 
**************************************************************************
.
Completion time: 2007-12-13 11:27:04 - machine was rebooted

 
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
ID: 20463596
Thanks for the logs.

Open notepad and copy/paste the text inside the lines below into it.
-----------------------------------------------------------------------------------
File::
C:\Program Files\VirusProtect 3.8
C:\WINDOWS\system32\e404d.dll
C:\WINDOWS\system32\zcwlnic.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"E404Helper"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Internet Explorer]
-----------------------------------------------------------------------------------
Save this as CFScript in the same location as ComboFix.exe,
then drag CFScript.txt onto ComboFix.exe.

This will start ComboFix again. Follow the prompts. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.


Smitfraud is showing in your HijackThis log; if the problem persists, we can run SmitfraudFix later.
In HijackThis you can fix these if they are still present:
O21 - SSODL: E404Helper - {fce6faec-029d-4027-9d1d-d72213a13251} - e404d.dll (file missing)  
O22 - SharedTaskScheduler: edgers - {d66c22b6-2217-4d1a-9a90-1a54de1fc706} - C:\WINDOWS\system32\zcwlnic.dll


Do you recognize the folders below? If you don't know these folders, you might like to scan them online at --> http://virusscan.jotti.org/
C:\IOData
C:\WINDOWS\SxsCaPendDel
C:\Program Files\SYW95A-V3

Can you also have the files below checked? They could belong to MS Visual Basic, or they could also be trojan droppers.
C:\WINDOWS\iun6002.exe
C:\WINDOWS\ST6UNST.EXE
C:\WINDOWS\Setup1.exe
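A way to make the log review in the accepted answer repeatable, as an added example that is not part of the original thread and not code from HijackThis or ComboFix: the script below parses HijackThis entry lines, flags the O21 (SSODL) and O22 (SharedTaskScheduler) entries (both are load points that explorer.exe reads at logon, which is why a half-removed entry there shows up as explorer.exe errors) together with any entry marked "(file missing)", and drafts the File:: and Registry:: sections of a CFScript in the same form the accepted answer uses. The sample log is a handful of lines copied from the HijackThis log posted above; the choice of which sections to treat as suspect, and the assumption that a bare DLL name such as e404d.dll resolves to C:\WINDOWS\system32, are this example's own, not rules from either tool.

```python
"""Flag suspicious HijackThis entries and draft a ComboFix CFScript.

Added example, not code from the thread or from HijackThis/ComboFix.
Which sections count as suspect, and where a bare DLL name is assumed
to live, are this example's own assumptions.
"""
import re

# Load points that explorer.exe reads at logon. An unknown DLL there, or
# one whose file is already gone ("file missing"), is a classic remnant
# of a rogue-antivirus ("Smitfraud"-style) install.
SUSPECT_SECTIONS = {
    "O21": "ShellServiceObjectDelayLoad (SSODL)",
    "O22": "SharedTaskScheduler",
}
FILE_MISSING = "(file missing)"

SSODL_KEY = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
             "\\ShellServiceObjectDelayLoad")
STS_KEY = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
           "\\Explorer\\SharedTaskScheduler")

# Constructed sample: a few lines copied from the HijackThis log in the thread.
SAMPLE_LOG = """\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_01\\bin\\ssv.dll
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O21 - SSODL: E404Helper - {fce6faec-029d-4027-9d1d-d72213a13251} - e404d.dll (file missing)
O22 - SharedTaskScheduler: edgers - {d66c22b6-2217-4d1a-9a90-1a54de1fc706} - C:\\WINDOWS\\system32\\zcwlnic.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe
"""

LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_hjt(text):
    """Yield (section, body) for each HijackThis entry line, e.g. ("O21", "SSODL: ...")."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def flag_entries(text):
    """Return the entries worth a second look, with the reason for each."""
    findings = []
    for section, body in parse_hjt(text):
        reasons = []
        if section in SUSPECT_SECTIONS:
            reasons.append("explorer.exe load point: " + SUSPECT_SECTIONS[section])
        if FILE_MISSING in body:
            reasons.append("registered object whose file is gone")
        if not reasons:
            continue
        # HijackThis bodies look like "<kind>: <name> - {CLSID} - <path>".
        name = body.split(":", 1)[-1].split(" - ")[0].strip()
        target = body.split(" - ")[-1].replace(FILE_MISSING, "").strip()
        clsid = CLSID_RE.search(body)
        findings.append({"section": section, "name": name,
                         "clsid": clsid.group(0) if clsid else None,
                         "target": target, "reasons": reasons})
    return findings


def draft_cfscript(findings, system32="C:\\WINDOWS\\system32"):
    """Draft the File:: / Registry:: sections of a CFScript from the findings.

    The section headers and the regedit-style '"value"=-' delete syntax are
    what the accepted answer uses; everything listed here still needs a
    human review before it is dragged onto ComboFix.exe.
    """
    files, registry = [], []
    for f in findings:
        target = f["target"]
        if target.lower().endswith(".dll"):
            # Assumption: a bare DLL name (as in the O21 line) is the copy
            # in system32, which is where the ComboFix log found e404d.dll.
            path = target if "\\" in target else system32 + "\\" + target
            if path not in files:
                files.append(path)
        if f["section"] == "O21":
            registry += ["[" + SSODL_KEY + "]", '"' + f["name"] + '"=-']
        elif f["section"] == "O22" and f["clsid"]:
            registry += ["[" + STS_KEY + "]", '"' + f["clsid"] + '"=-']
    lines = []
    if files:
        lines += ["File::"] + files + [""]
    if registry:
        lines += ["Registry::"] + registry
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = flag_entries(SAMPLE_LOG)
    for f in found:
        print(f["section"], f["name"], "->", f["target"], "|", "; ".join(f["reasons"]))
    print(draft_cfscript(found))
```

Run it as-is to see the three flagged entries (the O9 redirect button, the O21 SSODL helper and the O22 task-scheduler DLL) and the drafted script; the O9 entry is reported but deliberately left out of the CFScript, because its target is a URL rather than a file and the draft only lists objects it can name precisely. The value-delete form ("name"=-) is used for both registry keys rather than deleting the whole key, since SharedTaskScheduler and SSODL also hold legitimate default entries on Windows 2003.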
