Bagle Worm, cant access Antivirus/hijackthis!plz help [RESOLVED] |
Mar 23 2008, 06:07 PM
Post #1 (Member, Posts: 71, OS: Windows XP)
Hello,

I've somehow managed to get my PC infected with the Bagle worm. XoftSpy (practically the only antispyware that will open up, except for PestPatrol) finds Bagle IX and Bagle GI and offers to remove them, but when I restart I get the same thing again. Avast can't be opened and doesn't even load on startup; it says it's not a valid Win32 application. I can't even open HijackThis: when I click the exe it simply freezes. Also, I noticed desktop.ini in my startup folder and in a few other locations. The only thing that ran so far is ComboFix, and here is the log for it. I truly hope someone can help me here, as this is the most recommended place I found. I'm a graphic designer and under a very tight schedule, so not being able to fix this in the next few days will have horrible consequences for me. THANKS FOR THE HELP IN ADVANCE!!!

david.

ComboFix 08-03-23.2 - dave 2008-03-23 23:42:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1591 [GMT 0:00]
Running from: C:\Documents and Settings\dave\Local Settings\Temporary Internet Files\Content.IE5\ORUF9Q70\ComboFix[1].exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
-- Other TimeOuts --
Findstr -MIF:/ "\\TTC\.pdb InsertAdvertisement"
GREP -i "C:\\Program Files\\[^\\]*\\[^\\]*$"
VFind -tf -s282624 "C:\Program Files\????????*[0-9].dll"
CF15905.exe /c " VFind.exe -ltf -s-1000000 -d+2007-12-23 "C:\Program Files\*" >progfile.dat"
VFind.exe -ltf -s-1000000 -d+2007-12-23 "C:\Program Files\*"
CF15905.exe /c " dir /a/s/b C:\_desktop.ini C:\desktop_.ini C:\cnsmin* C:\_install.exe >DirRoot"

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\recover.reg
C:\WINDOWS\system32\ban_list.txt
C:\WINDOWS\system32\drivers\down
C:\WINDOWS\system32\drivers\down\100328.exe
C:\WINDOWS\system32\drivers\down\101062.exe
C:\WINDOWS\system32\drivers\down\101312.exe
C:\WINDOWS\system32\drivers\down\101687.exe
C:\WINDOWS\system32\drivers\down\103515.exe
C:\WINDOWS\system32\drivers\down\104421.exe
C:\WINDOWS\system32\drivers\down\106687.exe
C:\WINDOWS\system32\drivers\down\108015.exe
C:\WINDOWS\system32\drivers\down\108421.exe
C:\WINDOWS\system32\drivers\down\108796.exe
C:\WINDOWS\system32\drivers\down\109718.exe
C:\WINDOWS\system32\drivers\down\111781.exe
C:\WINDOWS\system32\drivers\down\112265.exe
C:\WINDOWS\system32\drivers\down\112359.exe
C:\WINDOWS\system32\drivers\down\112656.exe
C:\WINDOWS\system32\drivers\down\112843.exe
C:\WINDOWS\system32\drivers\down\114453.exe
C:\WINDOWS\system32\drivers\down\117375.exe
C:\WINDOWS\system32\drivers\down\117968.exe
C:\WINDOWS\system32\drivers\down\118046.exe
C:\WINDOWS\system32\drivers\down\121296.exe
C:\WINDOWS\system32\drivers\down\124250.exe
C:\WINDOWS\system32\drivers\down\125609.exe
C:\WINDOWS\system32\drivers\down\131531.exe
C:\WINDOWS\system32\drivers\down\132234.exe
C:\WINDOWS\system32\drivers\down\134671.exe
C:\WINDOWS\system32\drivers\down\147187.exe
C:\WINDOWS\system32\drivers\down\147484.exe
C:\WINDOWS\system32\drivers\down\153296.exe
C:\WINDOWS\system32\drivers\down\153765.exe
C:\WINDOWS\system32\drivers\down\157578.exe
C:\WINDOWS\system32\drivers\down\163703.exe
C:\WINDOWS\system32\drivers\down\169375.exe
C:\WINDOWS\system32\drivers\down\176234.exe
C:\WINDOWS\system32\drivers\down\51031.exe
C:\WINDOWS\system32\drivers\down\52265.exe
C:\WINDOWS\system32\drivers\down\52968.exe
C:\WINDOWS\system32\drivers\down\53140.exe
C:\WINDOWS\system32\drivers\down\53796.exe
C:\WINDOWS\system32\drivers\down\54250.exe
C:\WINDOWS\system32\drivers\down\54937.exe
C:\WINDOWS\system32\drivers\down\56250.exe
C:\WINDOWS\system32\drivers\down\56312.exe
C:\WINDOWS\system32\drivers\down\58093.exe
C:\WINDOWS\system32\drivers\down\58328.exe
C:\WINDOWS\system32\drivers\down\58640.exe
C:\WINDOWS\system32\drivers\down\58734.exe
C:\WINDOWS\system32\drivers\down\60406.exe
C:\WINDOWS\system32\drivers\down\60718.exe
C:\WINDOWS\system32\drivers\down\61734.exe
C:\WINDOWS\system32\drivers\down\62875.exe
C:\WINDOWS\system32\drivers\down\63125.exe
C:\WINDOWS\system32\drivers\down\63515.exe
C:\WINDOWS\system32\drivers\down\65515.exe
C:\WINDOWS\system32\drivers\down\66000.exe
C:\WINDOWS\system32\drivers\down\66140.exe
C:\WINDOWS\system32\drivers\down\68531.exe
C:\WINDOWS\system32\drivers\down\69421.exe
C:\WINDOWS\system32\drivers\down\70937.exe
C:\WINDOWS\system32\drivers\down\72687.exe
C:\WINDOWS\system32\drivers\down\75531.exe
C:\WINDOWS\system32\drivers\down\77562.exe
C:\WINDOWS\system32\drivers\down\79093.exe
C:\WINDOWS\system32\drivers\down\79234.exe
C:\WINDOWS\system32\drivers\down\79875.exe
C:\WINDOWS\system32\drivers\down\81734.exe
C:\WINDOWS\system32\drivers\down\82562.exe
C:\WINDOWS\system32\drivers\down\84375.exe
C:\WINDOWS\system32\drivers\down\85859.exe
C:\WINDOWS\system32\drivers\down\87953.exe
C:\WINDOWS\system32\drivers\down\89406.exe
C:\WINDOWS\system32\drivers\down\89781.exe
C:\WINDOWS\system32\drivers\down\90046.exe
C:\WINDOWS\system32\drivers\down\92484.exe
C:\WINDOWS\system32\drivers\down\92984.exe
C:\WINDOWS\system32\drivers\down\93234.exe
C:\WINDOWS\system32\drivers\down\93843.exe
C:\WINDOWS\system32\drivers\down\94109.exe
C:\WINDOWS\system32\drivers\down\95421.exe
C:\WINDOWS\system32\drivers\down\95796.exe
C:\WINDOWS\system32\drivers\down\97703.exe
C:\WINDOWS\system32\drivers\down\99125.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\lsprst7.dll
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\prsgrc.dll
C:\WINDOWS\system32\ssprs.dll
C:\WINDOWS\system32\wintems.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SROSA

((((((((((((((((((((((((( Files Created from 2008-02-23 to 2008-03-23 )))))))))))))))))))))))))))))))
.
2008-03-23 14:45 . 2008-03-23 14:45 <DIR> d-------- C:\Program Files\Vara Software
2008-03-21 16:05 . 2008-03-22 11:34 <DIR> d-------- C:\Program Files\WH GBP Casino
2008-03-21 16:05 . 2007-06-22 17:02 107,520 --a------ C:\WINDOWS\system32\UnCasino5.exe
2008-03-21 16:04 . 2008-03-22 18:26 <DIR> d-------- C:\Program Files\William Hill Poker
2008-03-19 19:10 . 2004-08-04 00:56 16,384 --a------ C:\WINDOWS\system32\ipsink.ax
2008-03-19 19:10 . 2004-08-04 00:56 16,384 --a--c--- C:\WINDOWS\system32\dllcache\ipsink.ax
2008-03-19 19:10 . 2004-08-03 23:10 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2008-03-19 19:10 . 2004-08-03 23:10 15,360 --a--c--- C:\WINDOWS\system32\dllcache\streamip.sys
2008-03-19 19:10 . 2004-08-03 23:10 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2008-03-19 19:10 . 2004-08-03 23:10 11,136 --a--c--- C:\WINDOWS\system32\dllcache\slip.sys
2008-03-19 19:10 . 2004-08-03 23:10 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2008-03-19 19:10 . 2004-08-03 23:10 10,880 --a--c--- C:\WINDOWS\system32\dllcache\ndisip.sys
2008-03-19 19:10 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2008-03-19 19:10 . 2004-08-03 22:58 5,504 --a--c--- C:\WINDOWS\system32\dllcache\mstee.sys
2008-03-19 19:07 . 2004-08-03 23:10 48,128 --a------ C:\WINDOWS\system32\drivers\61883.sys
2008-03-19 19:07 . 2004-08-03 23:10 48,128 --a--c--- C:\WINDOWS\system32\dllcache\61883.sys
2008-03-19 18:56 . 2008-03-19 18:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Vara Software
2008-03-19 18:50 . 2008-03-19 18:50 <DIR> d-------- C:\Documents and Settings\dave\Application Data\Vara Software
2008-03-19 18:29 . 2005-08-13 02:11 61,312 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2008-03-19 18:29 . 2005-08-13 02:11 61,312 --a--c--- C:\WINDOWS\system32\dllcache\ohci1394.sys
2008-03-19 18:29 . 2004-08-03 23:10 53,248 --a------ C:\WINDOWS\system32\drivers\1394bus.sys
2008-03-19 18:29 . 2004-08-03 23:10 53,248 --a--c--- C:\WINDOWS\system32\dllcache\1394bus.sys
2008-03-19 18:29 . 2001-08-17 13:46 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2008-03-19 18:29 . 2001-08-17 13:46 6,400 --a--c--- C:\WINDOWS\system32\dllcache\enum1394.sys
2008-03-16 14:31 . 2001-11-05 09:23 299,923 --a------ C:\WINDOWS\system32\drivers\sonyhcs.sys
2008-03-16 14:31 . 2002-10-15 22:41 102,220 --a------ C:\WINDOWS\system32\drivers\sonypvs1.sys
2008-03-16 14:31 . 2001-07-03 20:33 53,248 --a------ C:\WINDOWS\system32\SONYHCY.DLL
2008-03-16 14:31 . 2001-11-05 09:23 38,739 --a------ C:\WINDOWS\system32\drivers\sonyhcc.sys
2008-03-16 14:31 . 2001-11-05 09:23 6,097 --a------ C:\WINDOWS\system32\drivers\sonyhcb.sys
2008-03-16 14:31 . 2001-07-03 20:39 3,654 --a------ C:\WINDOWS\system32\drivers\Sonyhcp.dll
2008-03-05 18:38 . 2008-03-19 18:50 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-05 18:38 . 2008-03-05 18:38 1,409 --a------ C:\WINDOWS\system32\tmp10298.FOT
2008-03-05 18:38 . 2008-03-05 18:38 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-03 20:05 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-03-03 19:45 . 2008-03-03 23:15 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-03 19:45 . 2008-03-03 23:15 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-03 17:58 . 2008-03-03 17:58 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-03 17:58 . 2008-03-03 17:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-03 15:31 . 2007-08-01 10:03 93,184 --a------ C:\WINDOWS\system32\UnPoker.exe
2008-03-02 17:07 . 2007-11-28 14:03 1,048,576 --a------ C:\WINDOWS\P5B-ASUS-1803.ROM
2008-03-02 17:05 . 2008-03-02 17:07 606,107 --a------ C:\WINDOWS\P5B-ASUS-1803.zip
2008-03-02 16:51 . 2007-11-02 09:29 1,048,576 --a------ C:\WINDOWS\P5B-ASUS-1705.ROM
2008-03-02 16:48 . 2008-03-02 16:51 603,850 --a------ C:\WINDOWS\P5B1705.zip
2008-03-02 16:31 . 2007-01-30 15:40 1,048,576 --a------ C:\WINDOWS\P5B-ASUS-1102.ROM
2008-03-02 16:31 . 2008-03-02 16:31 583,607 --a------ C:\WINDOWS\P5B-1102.zip
2008-03-02 16:16 . 2006-10-26 20:35 1,048,576 -ra------ C:\WINDOWS\P5B-0806.ROM
2008-03-02 16:15 . 2008-03-02 16:16 579,246 --a------ C:\WINDOWS\P5B-0806.zip
2008-03-02 16:01 . 2006-10-02 17:42 1,048,576 --a------ C:\WINDOWS\P5B-0701.ROM
2008-03-02 16:00 . 2008-03-02 16:01 577,571 --a------ C:\WINDOWS\P5B-0701.zip
2008-03-02 15:46 . 2006-09-06 20:32 1,048,576 --a------ C:\WINDOWS\P5B-ASUS-0509.ROM
2008-03-02 15:41 . 2008-03-02 15:46 575,646 --a------ C:\WINDOWS\P5B-0509.zip
2008-03-02 14:11 . 2008-03-02 14:36 <DIR> d-------- C:\Program Files\ASUS
2008-03-02 14:11 . 2006-01-10 08:50 24,576 -ra------ C:\WINDOWS\system32\AsIO.dll
2008-03-02 14:11 . 2005-12-22 02:22 5,685 -ra------ C:\WINDOWS\system32\drivers\AsIO.sys
2008-03-02 14:11 . 2005-07-05 10:43 5,120 --a------ C:\WINDOWS\system32\drivers\AsInsHelp64.sys
2008-03-02 14:11 . 2005-07-05 10:43 3,328 --a------ C:\WINDOWS\system32\drivers\AsInsHelp32.sys
2008-03-02 14:09 . 2008-03-02 14:09 <DIR> dr------- C:\WINDOWS\AsDmiHtm
2008-02-29 21:34 . 2008-02-29 21:34 <DIR> d-------- C:\Program Files\Classic Menu for Office
2008-02-29 21:34 . 2008-03-23 01:32 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-29 16:48 . 2008-02-29 16:48 <DIR> d-------- C:\Documents and Settings\dave\Application Data\GridIron
2008-02-29 16:47 . 2008-02-29 16:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GridIron Software
2008-02-29 15:51 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-02-29 15:49 . 2008-02-29 15:49 <DIR> d-------- C:\Program Files\MSBuild
2008-02-29 15:49 . 2008-02-29 15:49 <DIR> d-------- C:\Program Files\Microsoft Works
2008-02-29 15:48 . 2008-02-29 15:48 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-02-29 15:40 . 2008-03-12 03:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-29 15:39 . 2008-02-29 15:39 <DIR> dr-h----- C:\MSOCache
2008-02-29 15:18 . 2008-03-04 00:10 <DIR> d-------- C:\Program Files\PowerISO
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-23 22:16 --------- d-----w C:\Documents and Settings\dave\Application Data\uTorrent
2008-03-23 15:44 --------- d-----w C:\Program Files\XoftSpySE
2008-03-21 23:32 --------- d-----w C:\Program Files\Soulseek
2008-03-20 16:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-13 09:54 --------- d-----w C:\Documents and Settings\dave\Application Data\BSplayer Pro
2008-03-12 00:03 --------- d-----w C:\Documents and Settings\dave\Application Data\Ahead
2008-03-04 00:14 --------- d-----w C:\Program Files\Vtune
2008-03-04 00:14 --------- d-----w C:\Program Files\uTorrent
2008-03-04 00:08 --------- d-----w C:\Program Files\MagicISO
2008-03-04 00:06 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-03-04 00:05 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-03-03 23:58 --------- d-----w C:\Program Files\Bonjour
2008-03-03 23:58 --------- d-----w C:\Program Files\Avant Browser
2008-02-22 14:24 --------- d-----w C:\Program Files\GenArts
2008-02-14 15:42 --------- d-----w C:\Program Files\Disc2Phone
2008-02-14 15:30 --------- d-----w C:\Documents and Settings\dave\Application Data\Teleca
2008-02-14 15:29 --------- d-----w C:\Documents and Settings\dave\Application Data\Sony Ericsson
2008-02-14 15:27 --------- d-----w C:\Program Files\Sony Ericsson
2008-02-14 15:27 --------- d-----w C:\Program Files\Common Files\Sony Ericsson Shared
2008-02-14 15:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Teleca
2008-02-14 15:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-02-12 23:56 --------- d-----w C:\Program Files\Vertus Fluid Mask 3
2008-02-12 23:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\VertusTech
2008-01-31 19:25 --------- d-----w C:\Program Files\DivX
2008-01-31 13:57 --------- d-----w C:\Program Files\THQ
2008-01-31 13:37 --------- d-----w C:\Program Files\Ulead Systems
2008-01-24 00:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-01-23 23:58 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2008-01-23 23:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-01-23 23:23 --------- d-----w C:\Documents and Settings\dave\Application Data\InterVideo
2008-01-23 23:20 --------- d-----w C:\Program Files\InterVideo Information Service
2008-01-23 23:20 --------- d-----w C:\Program Files\Common Files\Ulead
2008-01-23 23:20 --------- d-----w C:\Program Files\Common Files\InterVideo
2008-01-23 23:19 --------- d-----w C:\Program Files\InterVideo
2008-01-23 22:50 --------- d-----w C:\Documents and Settings\dave\Application Data\Ulead Systems
2008-01-23 22:46 --------- d-----w C:\Documents and Settings\dave\Application Data\DivX
2008-01-23 22:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\InterVideo
2008-01-17 00:49 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-15 15:40 3,727,360 ----a-w C:\WINDOWS\system32\sapphire_ae.dll
2008-01-09 11:18 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-01-09 11:18 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-01-09 11:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-01-09 11:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-01-09 11:16 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-01-09 11:16 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-01-09 11:16 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-01-09 11:16 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-01-09 11:16 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-01-09 11:16 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2006-06-23 06:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
2007-10-15 11:52 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
2007-10-15 11:52 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2007-10-15 11:52 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007101520071016\index.dat
2007-10-15 11:52 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-04-10 08:19 729088]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-06-02 08:45 385024]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 10:07 843776]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 17:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 17:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 09:51 57344]
"P17Helper"="P17.dll" [2005-05-03 11:38 64512 C:\WINDOWS\system32\P17.dll]
"CreativeTaskScheduler"="C:\Program Files\Creative\Shared Files\CTSched.exe" [2006-01-09 02:43 53340]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 15:40 1884160]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-04 19:25 180269]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-23 23:44 79224]
"CaISSDT"="C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe" [2006-04-21 14:42 165416]
"atwtusb"="atwtusb.exe" [2005-09-21 18:08 290816 C:\WINDOWS\system32\ATWTUSB.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-06-02 13:22 28160 C:\WINDOWS\KHALMNPR.Exe]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00 90112]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 17:34 213936]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 17:14 81920]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"AsusServiceProvider"="C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe" [2006-06-30 14:57 582144]
"Ai Nap"="C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [2006-07-10 15:49 1093632]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 21:34 155648]
"eTrustPPAP"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe" [2008-01-02 21:14 258048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-01-11 16:55:20 450560]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Program Files\\Avant Browser\\avant.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\Sorenson Media\\Sorenson Squeeze\\Squeeze.exe"=
"C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"C:\\Program Files\\Adobe\\Adobe After Effects CS3\\Support Files\\AfterFX.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\William Hill Poker\\UA.exe"=
"C:\\Program Files\\Vara Software\\Wirecast\\Wirecast.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

S1 aiptektp;HyperPen;C:\WINDOWS\system32\DRIVERS\aiptektp.sys [2004-07-07 16:02]
S1 srosa;Megadrv3;C:\WINDOWS\system32\drivers\srosa.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59c4e1c2-9ae8-11dc-bd15-00173183073c}]
\Shell\AutoRun\command - F:\oufddh.exe
\Shell\explore\Command - F:\oufddh.exe
\Shell\open\Command - F:\oufddh.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{608ef21c-7b6c-11dc-bce5-00173183073c}]
\Shell\Auto\command - F:\activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - F:\activexdebugger32.exe f
\Shell\open\Command - F:\activexdebugger32.exe f

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{61ab118e-9f6d-11dc-bd19-00173183073c}]
\Shell\auto\command - F:\Knight.exe open
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
\Shell\explore\command - F:\Knight.exe open
\Shell\find\command - F:\Knight.exe open
\Shell\install\command - F:\Knight.exe open
\Shell\open\command - F:\Knight.exe open

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a02e8e40-83de-11dc-bcf7-00173183073c}]
\Shell\Auto\command - activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - activexdebugger32.exe f
\Shell\find\command - Knight.exe open
\Shell\install\command - Knight.exe open
\Shell\open\Command - activexdebugger32.exe f

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a02e8e43-83de-11dc-bcf7-00173183073c}]
\Shell\Auto\command - G:\activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - G:\activexdebugger32.exe f
\Shell\open\Command - G:\activexdebugger32.exe f

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a123f9d6-8ba6-11dc-bd08-00173183073c}]
\Shell\Auto\command - F:\activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - F:\activexdebugger32.exe f
\Shell\open\Command - F:\activexdebugger32.exe f

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a123f9d9-8ba6-11dc-bd08-00173183073c}]
\Shell\Auto\command - F:\activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - F:\activexdebugger32.exe f
\Shell\open\Command - F:\activexdebugger32.exe f

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b4582c0c-8e2b-11dc-bd0c-00173183073c}]
\Shell\Auto\command - F:\activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - F:\activexdebugger32.exe f
\Shell\open\Command - F:\activexdebugger32.exe f

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fdec1a0f-818f-11dc-bcf3-00173183073c}]
\Shell\Auto\command - activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - activexdebugger32.exe f
\Shell\find\command - Knight.exe open
\Shell\install\command - Knight.exe open
\Shell\open\Command - activexdebugger32.exe f
.
Contents of the 'Scheduled Tasks' folder
"2008-03-23 23:47:14 C:\WINDOWS\Tasks\XoftSpySE 2.job" - C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-01-07 16:23:56 C:\WINDOWS\Tasks\XoftSpySE.job" - C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-23 23:47:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2008-03-23 23:54:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-23 23:54:42
.
2008-03-12 03:03:09 --- E O F ---
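Two parts of the log above carry the indicators a responder would triage first: the Drivers/Services section lists a system-start driver (srosa) whose image ComboFix could not stat (the empty "[]" where every other entry shows a timestamp and size), and the MountPoints2 keys record, per removable-volume GUID, the shell verb handlers Windows cached from each drive's autorun.inf, with the open and explore verbs redirected to executables such as oufddh.exe and activexdebugger32.exe so that merely opening the drive runs them. The Python script below is an added example, not part of the original thread and not ComboFix's own code; it parses lines in that format and flags both patterns. The sample log is a constructed slice copied from the post, and the function names are my own.

```python
import re

# Constructed sample in the shape of the ComboFix log posted above. The
# entries are copied from that log, but this is only a slice of it.
SAMPLE_LOG = r"""
S1 aiptektp;HyperPen;C:\WINDOWS\system32\DRIVERS\aiptektp.sys [2004-07-07 16:02]
S1 srosa;Megadrv3;C:\WINDOWS\system32\drivers\srosa.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59c4e1c2-9ae8-11dc-bd15-00173183073c}]
\Shell\AutoRun\command - F:\oufddh.exe
\Shell\explore\Command - F:\oufddh.exe
\Shell\open\Command - F:\oufddh.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{608ef21c-7b6c-11dc-bce5-00173183073c}]
\Shell\Auto\command - F:\activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - F:\activexdebugger32.exe f
\Shell\open\Command - F:\activexdebugger32.exe f
"""

# ComboFix driver line: state (R=running, S=stopped) + start type, then
# service;display;image path [file timestamp and size].
DRIVER_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]\s*$")
# Per-volume MountPoints2 key (one GUID per removable volume ever inserted).
MOUNTPOINT_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\(?P<guid>\{[0-9a-f-]+\})\]$", re.IGNORECASE)
# Shell verb handler recorded from the volume's autorun.inf.
HANDLER_RE = re.compile(
    r"^\\Shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.+?)\s*$", re.IGNORECASE)

# Verbs that fire on double-click / right-click "Explore"; a worm overrides
# these so the drive cannot be opened without running it.
HIJACK_VERBS = {"open", "explore"}


def parse_log(text):
    """Return (driver entries, {volume guid: {verb: command}})."""
    drivers, mountpoints, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := DRIVER_RE.match(line):
            drivers.append(m.groupdict())
            current = None
        elif m := MOUNTPOINT_RE.match(line):
            current = m.group("guid").lower()
            mountpoints[current] = {}
        elif (m := HANDLER_RE.match(line)) and current is not None:
            mountpoints[current][m.group("verb").lower()] = m.group("cmd")
    return drivers, mountpoints


def launched_executable(cmd):
    """Basename of the program a handler command really starts.
    'rundll32 shell32.dll,ShellExec_RunDLL X ...' is just a launcher for X."""
    tokens = cmd.split()
    target = tokens[0]
    if len(tokens) >= 3 and tokens[1].lower().endswith(",shellexec_rundll"):
        target = tokens[2]
    return target.rsplit("\\", 1)[-1].lower()


def triage(text):
    drivers, mountpoints = parse_log(text)
    # Empty "[]" metadata: ComboFix could not stat the image, so a driver is
    # registered to load from a file that is hidden, locked or already gone.
    suspect_drivers = [d["name"] for d in drivers if not d["meta"].strip()]
    hijacked = {}
    for guid, handlers in mountpoints.items():
        if HIJACK_VERBS & set(handlers):
            hijacked[guid] = sorted({launched_executable(c) for c in handlers.values()})
    autorun_executables = sorted({exe for exes in hijacked.values() for exe in exes})
    return {
        "suspect_drivers": suspect_drivers,
        "hijacked_volumes": hijacked,
        "autorun_executables": autorun_executables,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a full ComboFix log by reading the file into `triage()`; the executables it returns are the names to search for on every removable drive that was plugged into the machine, since the MountPoints2 entries only show what Windows cached, not whether the worm's copy is still on the media.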
Mar 23 2008, 07:02 PM
Post #2 (GeekU Mod, Posts: 7,823, From: Lake Mabprachan, Thailand, OS: XP SP2 ~ Vista Ultimate)
Hi there,

Welcome to GeeksToGo. My name is RatHat, and I will help you get through the process of cleaning the malware from your computer.

OK, firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I will want you to do everything very carefully. I also need you to follow my instructions in the order that they are given. If, however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with.

Please ensure you turn off word wrap in Notepad. To do this, open Notepad, choose Format, then un-check Word Wrap. (Word Wrap makes reading your log difficult.)

Now, it was a mistake for you to run ComboFix without supervision; you could cause your computer to be damaged by doing this, so please do not run any other fixes unless I tell you to, OK?

We need to get rid of the version of ComboFix that you had, as you have saved it in your Temporary Internet Files folder. The easiest way to do this is as follows:

Download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only.
Under Main choose: Select All, then click the Empty Selected button.
Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

If you have any other versions of ComboFix on your computer, please delete them and run ATF Cleaner again.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Now we need to download a new version of ComboFix and rename it, so follow these instructions very carefully. Please read this ComboFix tutorial before continuing, then follow the instructions below.

Download ComboFix from Here, Here or Here to your Desktop. (If you already have ComboFix, please delete it and download this new version.)
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
Note: A copy of these files can be found in your root drive, usually C:\Deckard\System Scanner\

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

So in your next reply, please include the ComboFix.txt and also the two DSS logs.

Regards,
RatHat
Mar 24 2008, 06:57 AM
Post #3 (Member, Posts: 71, OS: Windows XP)
Hello RatHat.

Thank you for the help. I've followed your first step carefully. I ran ComboFix and it restarted my PC. Now all I get is a black screen. It's been like that for at least 15 minutes and I'm scared to restart it in case it disturbs ComboFix somehow and really messes up my PC. All I can see is my mouse pointer... Why is this happening and what should I do next? I'm writing this from a laptop...
Mar 24 2008, 07:00 AM
Post #4 (Member, Posts: 71, OS: Windows XP)
My PC seems to be now royally F'd. I restarted again and it simply goes back to the black screen... I don't know what to do next...
Mar 24 2008, 07:02 AM
Post #5 (Member, Posts: 71, OS: Windows XP)
Safe mode did the exact same thing: black screen with mouse pointer. I don't understand why ComboFix would cause my PC even more harm than before I tried running it....?
Mar 24 2008, 07:24 AM
Post #6 (GeekU Mod, Posts: 7,823, From: Lake Mabprachan, Thailand, OS: XP SP2 ~ Vista Ultimate)
It is likely due to running it before against Bagle. I will check with the developer of ComboFix and get back to you.
Regards, RatHat |
Mar 24 2008, 07:47 AM
Post #7 (Member, Posts: 71, OS: Windows XP)
OK, hope you can find me a solution. As of now I can't work, and I have lost all my work in progress if my PC doesn't start Windows again.
Mar 24 2008, 07:59 AM
Post #8 (GeekU Mod, Posts: 7,823, From: Lake Mabprachan, Thailand, OS: XP SP2 ~ Vista Ultimate)
OK, when you start your computer, allow it to boot to normal Windows.
When you get to the black screen, hit Ctrl, Alt and Delete at the same time to bring up Task Manager.
Click the New Task... button at the bottom right.
Type in explorer.exe and hit OK.
Let me know if you now have your desktop back.
Mar 24 2008, 08:35 AM
Post #9 (Member, Posts: 71, OS: Windows XP)
Ctrl-Alt-Delete doesn't do anything. Black screen and that's it.
Mar 24 2008, 09:23 AM
Post #10 (Member, Posts: 71, OS: Windows XP)
Please tell me I don't need to reformat my PC.........
Mar 24 2008, 09:36 AM
Post #11 (Member, Posts: 71, OS: Windows XP)
I've tried to restart the PC again, and instead of a short beep it made a very alarming long beep. I turned it off and started it on again, and it didn't recognize my 2nd hard drive in the BIOS!!!! I've now disconnected the 2nd hard drive for fear that it's already been deleted completely by this virus, and after booting with the OS hard drive the same black screen appears. I've tried hooking up a non-wireless keyboard and still nothing happens when I Ctrl-Alt-Delete.

What is going on here?!?!
Mar 24 2008, 09:44 AM
Post #12 (GeekU Mod, Posts: 7,823, From: Lake Mabprachan, Thailand, OS: XP SP2 ~ Vista Ultimate)
OK, I will get back to you shortly with a new fix to restore your desktop. Please don't be too alarmed, there are means of recovering your PC without you losing all your work.
Regards, RatHat |
Mar 24 2008, 09:46 AM
Post #13 (Member, Posts: 71, OS: Windows XP)
Thank you RatHat. I don't mean to sound stressed, but I'm so clueless about these things, so when my PC doesn't start and it contains months of work in progress for clients, IT'S FREAKOUT TIME... LOL

Hope we can get this sorted today still..? Thanks again for the help.
Mar 24 2008, 10:07 AM
Post #14 (GeekU Mod, Posts: 7,823, From: Lake Mabprachan, Thailand, OS: XP SP2 ~ Vista Ultimate)
QUOTE: hope we can get this sorted today still..?

We'll do our best to get this sorted. I am at work at the moment, and in front of a computer, so I will be able to check in often. Just as long as the boss doesn't catch me!

OK, we are going to have to use the Windows Recovery Console to restore a backed-up copy of your registry, so it would be best if you could print this out from another computer so you can follow the instructions exactly.

Now I need you to find your original Windows installation CD, then follow the directions below:

1. Insert your Windows install disc to boot from CD. Note: if you cannot boot from the CD, go into your BIOS and set the computer to boot from CD first.
2. Press any key on the keyboard when prompted.
3. Press R to load the Recovery Console.
4. Enter your password when prompted.
5. You must enter which Windows installation to log onto. Type 1 and press Enter.
6. At the C:\Windows prompt, type the following text, and press Enter: cd ERDNT\Hiv-backup
7. At the next prompt, type the following text, and press Enter: batch erdnt.con
8. The ERUNT backups will begin copying.
9. At the next prompt, type the following text, and press Enter: exit

Windows will now begin loading. When Windows has loaded up again, post me the contents of the ComboFix log located at C:\Combofix.txt

Regards,
RatHat
Mar 24 2008, 10:29 AM
Post #15 (Member, Posts: 71, OS: Windows XP)
Hooray, Windows has started...

There is no combofix.txt. I have a C:\combo-fix folder... any idea?
© Geeks to Go, Inc. | All Rights Reserved