Multiple trojan and malware problems [RESOLVED]


This topic is locked

#1 bruntyblue (Member, 28 posts)
Hello everyone, I need a lot of help with this one. I will explain what has been done so far and describe the problems encountered.

First, I had this laptop brought to me (Dell Inspiron 1000, Celeron 2.2GHz, 448MB RAM, Windows XP Service Pack 1) with multiple popups and virus warnings from spyware programs, and blue screens of death before it had completely loaded the desktop. I removed the hard disk, placed it in an external drive case and scanned it with AVG Free on my spare PC. It found over 270 trojans, viruses etc. and "healed" them. I also removed a bit of adware with Lavasoft, Spybot and SUPERAntiSpyware. I placed the drive back in the laptop, ran a repair install and validated via phone. It still had multiple popups happening while loading the desktop, but no BSODs. I managed to get Ad-Aware SE on, scan, and remove numerous items.

This PC also has 2 out-of-date anti-virus programs, McAfee and Norton. Well, here is the first problem: McAfee has no uninstall option in the program menu and does not appear in Add/Remove Programs. Then with the Norton, I start the uninstall through Add/Remove Programs and it is installed in a language that I can't read. The bloke who owns the PC is from South Africa and his mates got on to some porn sites (I know where the bad stuff has come from), and I think it could be in Dutch or German? Anyway, I don't know which is the uninstall option.

I tried to load Service Pack 2 for XP from an original Service Pack 2 CD that I sent away for a couple of years ago, before I had a broadband connection. It starts loading but I get a heap of errors during the "backing up the registry" stage and end up with an unfinished install that uninstalls straight away (automatically). So then I loaded AVG Free and updated the definitions etc.; on running AVG it hung at about the 8% mark on 2 attempts.

So I uninstalled AVG and downloaded and installed a 30-day trial of NOD32 by ESET, installed and updated it, and upon the first scan it detected trojans in the boot record and terminated and removed them on the reboot. After rebooting I ran NOD32 again and it found and removed lots of trojans and viruses and submitted various suspicious files for detailed investigation. After a reboot and another Ad-Aware scan I tried to load SUPERAntiSpyware and keep getting a Windows Installer error, so I downloaded Windows Installer 3.1 and have tried to install it, but I am still getting the same problem. I think I am at the stage where I need some help from the pros, and maybe get Service Pack 2 installed. I have run HJT and will paste the logfile here; I have done nothing but connect and type out this forum starter.
Logfile of HijackThis v1.99.1
Scan saved at 21:22:14, on 9/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/N.../3560/homepage/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {A1770FD6-A7CB-44DA-AD2C-692D2A2B521B} - C:\WINDOWS\vpsnetwork.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mstsdsc.exe] c:\windows\system32\mstsdsc.exe
O4 - HKLM\..\Run: [Microsoft security adviser] C:\Program Files\Microsoft Security Adviser\mssadv.exe
O4 - HKLM\..\Run: [msctrl.exe] C:\Program Files\Microsoft Security Adviser\msctrl.exe
O4 - HKLM\..\Run: [msavsc.exe] C:\Program Files\Microsoft Security Adviser\msavsc.exe
O4 - HKLM\..\Run: [msscan.exe] C:\Program Files\Microsoft Security Adviser\msscan.exe
O4 - HKLM\..\Run: [msiemon.exe] C:\Program Files\Microsoft Security Adviser\msiemon.exe
O4 - HKLM\..\Run: [msfw.exe] C:\Program Files\Microsoft Security Adviser\msfw.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WinMedia] svchost
O4 - HKCU\..\Run: [alpha] c:\DriverLoad\windrv0.exe
O4 - HKCU\..\Run: [beta] c:\DriverLoad\windrv0.exe
O4 - HKCU\..\Run: [gamma] c:\DriverLoad\windrv0.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1062941351687
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8FE1553-42B8-48AA-BB54-B31D5369FDAA}: Domain = vic.bigpond.net.au
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O21 - SSODL: vpssup - {2528486C-8B65-497E-82BF-222843092A1C} - C:\WINDOWS\vpssup.dll (file missing)
O21 - SSODL: expro - {297371D8-080F-4C78-96E8-35D67DC58CDF} - C:\WINDOWS\expro.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton AntiVirus Auto-Protect-service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: WinLd01Service - Unknown owner - C:\Documents and Settings\Clinton Brown\Application Data\Microsoft\svchost.exe (file missing)

Well, I hope there is enough info to start, and I will look forward to any help from the valued members of this forum. We have saved systems before and hope to do it again (love the challenge).
Thanks Rob Brunt
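The reasoning a helper applies to a log like the one above is mostly about where each load point lives and whether its file still exists. As an added example (not HijackThis, SDFix or ComboFix code, and not from the thread), the Python below encodes those checks over HijackThis 1.99 lines: orphaned O2/O20/O21/O23 entries whose file is gone, Run values with no absolute path (the bare `svchost` case, which Windows resolves through PATH at logon), core Windows binary names outside System32, autostarts inside a user profile, and one binary registered under several Run names. The trusted-root list and the 8.3 short-name expansions are assumptions for a default Windows XP layout; the sample log is constructed in the same layout as the one above with the user name replaced.

```python
import re
from collections import defaultdict

# Layout assumptions for a default Windows XP install (not taken from the thread).
SYSTEM32 = "c:\\windows\\system32\\"
PROFILE_ROOT = "c:\\documents and settings\\"
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")
# 8.3 short names that HijackThis prints verbatim; expanded before comparison.
SHORT_NAMES = {"c:\\progra~1\\": "c:\\program files\\", "c:\\docume~1\\": PROFILE_ROOT}
# Binaries that legitimately live only in System32 on XP; the same name anywhere
# else (or with no path at all) is borrowing a familiar process name.
CORE_STEMS = {"svchost", "lsass", "services", "winlogon", "csrss", "smss", "spoolsv"}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def normalize(path):
    low = path.lower()
    for short, long in SHORT_NAMES.items():
        if low.startswith(short):
            low = long + low[len(short):]
    return low


def executable_of(cmd):
    """Program of a Run value: quoted path, unquoted path with spaces and
    arguments, or a bare name (which Windows resolves through PATH at logon)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.(?:exe|dll|sys|bat|cmd|com|scr))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def path_findings(path):
    low = normalize(path)
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    out = []
    if stem in CORE_STEMS and not low.startswith(SYSTEM32):
        out.append(("high", f"'{stem}' outside System32: imitates a core Windows binary"))
    if low.startswith(PROFILE_ROOT):
        out.append(("high", "load point inside a user profile (user-writable; odd for a service, BHO or Winlogon hook)"))
    elif not low.startswith(TRUSTED_ROOTS):
        out.append(("medium", "load point outside Windows or Program Files"))
    return out


def triage_log(text):
    """Return (line, severity, reason) tuples for every flagged HijackThis entry."""
    results = []
    run_targets = defaultdict(list)  # normalized exe path -> Run value names
    for line in (ln.strip() for ln in text.splitlines()):
        kind = line.split(" - ", 1)[0]
        if kind == "O4":
            m = O4_RE.match(line)
            if not m:
                continue  # Global Startup .lnk entries and other O4 forms are not handled
            exe = executable_of(m.group("cmd"))
            if not re.match(r"^[a-z]:\\", exe, re.I):
                why = f"Run value [{m.group('name')}] has no absolute path ({exe!r}); found by PATH search at logon"
                if exe.lower().rsplit(".", 1)[0] in CORE_STEMS:
                    why += " and borrows a core Windows binary name"
                results.append((line, "high", why))
                continue
            run_targets[normalize(exe)].append(m.group("name"))
            results.extend((line, sev, why) for sev, why in path_findings(exe))
        elif kind in {"O2", "O3", "O20", "O21", "O23"}:
            if "(file missing)" in line:
                results.append((line, "high", "orphaned load point: the referenced file is gone (remnant of a removed component)"))
            if kind == "O23" and "Unknown owner" in line:
                results.append((line, "medium", "service binary carries no vendor information"))
            # The path is the last ' - ' separated field; assumed not to contain ' - ' itself.
            path = line.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()
            results.extend((line, sev, why) for sev, why in path_findings(path))
    for exe, names in run_targets.items():
        if len(names) > 1:
            results.append((exe, "medium", f"same binary registered under {len(names)} Run values: {', '.join(names)}"))
    return results


# Constructed sample in HijackThis 1.99 layout, modelled on the log posted above
# (user name replaced); the triage rules are an added heuristic, not HijackThis's own.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {A1770FD6-A7CB-44DA-AD2C-692D2A2B521B} - C:\WINDOWS\vpsnetwork.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [mstsdsc.exe] c:\windows\system32\mstsdsc.exe
O4 - HKCU\..\Run: [WinMedia] svchost
O4 - HKCU\..\Run: [alpha] c:\DriverLoad\windrv0.exe
O4 - HKCU\..\Run: [beta] c:\DriverLoad\windrv0.exe
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: WinLd01Service - Unknown owner - C:\Documents and Settings\user\Application Data\Microsoft\svchost.exe (file missing)
"""

if __name__ == "__main__":
    for line, severity, reason in triage_log(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Path rules say nothing about a file that already sits in System32: mstsdsc.exe passes every check here, even though the SDFix firewall export further down shows it holding a Windows Firewall exception, so a clean result from a script like this still leaves the remaining entries needing a hash or signature check.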


#2 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)
Download SDFix and save it to your desktop.

Double click SDFix.exe and it will extract the files to C:\SDFix

Please then reboot your computer in Safe Mode (without Networking) by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the C:\SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of the Report.txt back here along with a ComboFix log (below).
Download ComboFix to your desktop.
Double-click combofix.exe.
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply .

#3 bruntyblue (Topic Starter, Member, 28 posts)
Thanks for your help, jwbirdsong; here are the requested logs.



SDFix: Version 1.104

Run by clinton on Wed 09/12/2007 at 15:07

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
kprof
poof
runtime2
xpdx

ImagePath:
\??\C:\WINDOWS\System32\kprof
\??\C:\WINDOWS\System32\poof
\SystemRoot\system32\drivers\runtime2.sys
\??\C:\WINDOWS\System32\xpdx.sys

kprof - Deleted
poof - Deleted
runtime2 - Deleted
xpdx - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage
Restoring Default Desktop Components Value

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\Documents and Settings\clinton\Desktop\Error Cleaner.url - Deleted
C:\Documents and Settings\clinton\Favorites\Error Cleaner.url - Deleted
C:\Documents and Settings\clinton\Desktop\Privacy Protector.url - Deleted
C:\Documents and Settings\clinton\Favorites\Privacy Protector.url - Deleted
C:\Documents and Settings\clinton\Desktop\Spyware&Malware Protection.url - Deleted
C:\Documents and Settings\clinton\Favorites\Spyware&Malware Protection.url - Deleted
C:\DOCUME~1\clinton\LOCALS~1\Temp\hd-log.txt - Deleted
C:\WINDOWS\dat.txt - Deleted
C:\WINDOWS\search_res.txt - Deleted
C:\WINDOWS\System32KBRunOnce2.tm_ - Deleted
C:\WINDOWS\System32KBRunOnce2.t__ - Deleted
C:\WINDOWS\system32\7_exception.nls - Deleted
C:\WINDOWS\system32\form.txt - Deleted
C:\WINDOWS\system32\KBRunOnce2.t__ - Deleted
C:\WINDOWS\system32\svcp.csv - Deleted
C:\WINDOWS\system32\windev-peers.ini - Deleted
C:\WINDOWS\system32\winsub.xml - Deleted
C:\WINDOWS\wints.ini - Deleted


Folder C:\Documents and Settings\All Users\Documents\Settings - Removed
Folder C:\DriverLoad - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"c:\\windows\\system32\\mstsdsc.exe"="c:\\windows\\system32\\mstsdsc.exe:*:Enabled:mstsdsc"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Documents and Settings\clinton\Local Settings\Temp\BIT14.tmp
C:\Documents and Settings\clinton\Local Settings\Temp\BIT5C.tmp
C:\Documents and Settings\clinton\Local Settings\Temp\BIT8.tmp
C:\Documents and Settings\clinton\Local Settings\Temp\BITC.tmp
C:\WINDOWS\SoftwareDistribution\Download\fec3752563e444ecc6182e8b7e8bd110\BIT1.tmp

Finished!


And here is the ComboFix log; looking forward to your reply.

ComboFix 07-09-12.4 - "clinton" 2007-09-12 15:23:07.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.141 [GMT 10:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\CLINTO~1\APPLIC~1\DriveCleaner Free
C:\DOCUME~1\CLINTO~1\APPLIC~1\DriveCleaner Free\Logs\update.log
C:\DOCUME~1\CLINTO~1\APPLIC~1\DriveCleaner Freeware
C:\DOCUME~1\CLINTO~1\APPLIC~1\DriveCleaner Freeware\Logs\update.log
C:\DOCUME~1\CLINTO~1\APPLIC~1\macromedia\Flash Player\#SharedObjects\8VSWCWMF\iforex.com
C:\DOCUME~1\CLINTO~1\APPLIC~1\macromedia\Flash Player\#SharedObjects\8VSWCWMF\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\DOCUME~1\CLINTO~1\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\DOCUME~1\CLINTO~1\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\DOCUME~1\CLINTO~1\APPLIC~1\Microsoft\25319.dat
C:\DOCUME~1\CLINTO~1\Desktop\Error Cleaner.url
C:\DOCUME~1\CLINTO~1\Desktop\Privacy Protector.url
C:\DOCUME~1\CLINTO~1\Desktop\Spyware&Malware Protection.url
C:\DOCUME~1\CLINTO~1\err.log
C:\DOCUME~1\CLINTO~1\FAVORI~1\Error Cleaner.url
C:\DOCUME~1\CLINTO~1\FAVORI~1\Privacy Protector.url
C:\DOCUME~1\CLINTO~1\FAVORI~1\Spyware&Malware Protection.url
C:\DOCUME~1\CLINTO~1\ResErrors.log
C:\DOCUME~1\LOCALS~1\APPLIC~1\Microsoft\25319.dat
C:\Program Files\Common Files\drivecleaner free
C:\Program Files\Common Files\drivecleaner free\errors.log
C:\Program Files\Common Files\drivecleaner free\laststat.dat
C:\Program Files\Microsoft Security Adviser
C:\UGA6P
C:\WINDOWS\o.exe
C:\WINDOWS\system32\_003567_.tmp.dll
C:\WINDOWS\system32\_003739_.tmp.dll
C:\WINDOWS\system32\_003740_.tmp.dll
C:\WINDOWS\system32\_003741_.tmp.dll
C:\WINDOWS\system32\_003742_.tmp.dll
C:\WINDOWS\system32\_003747_.tmp.dll
C:\WINDOWS\system32\_003748_.tmp.dll
C:\WINDOWS\system32\_003749_.tmp.dll
C:\WINDOWS\system32\_003750_.tmp.dll
C:\WINDOWS\system32\_003757_.tmp.dll
C:\WINDOWS\system32\_003758_.tmp.dll
C:\WINDOWS\system32\_003759_.tmp.dll
C:\WINDOWS\system32\_003761_.tmp.dll
C:\WINDOWS\system32\_003762_.tmp.dll
C:\WINDOWS\system32\_003765_.tmp.dll
C:\WINDOWS\system32\_003766_.tmp.dll
C:\WINDOWS\system32\_003768_.tmp.dll
C:\WINDOWS\system32\_003769_.tmp.dll
C:\WINDOWS\system32\_003770_.tmp.dll
C:\WINDOWS\system32\_003772_.tmp.dll
C:\WINDOWS\system32\_003773_.tmp.dll
C:\WINDOWS\system32\_003775_.tmp.dll
C:\WINDOWS\system32\_003779_.tmp.dll
C:\WINDOWS\system32\_003780_.tmp.dll
C:\WINDOWS\system32\_003782_.tmp.dll
C:\WINDOWS\system32\_003783_.tmp.dll
C:\WINDOWS\system32\_003785_.tmp.dll
C:\WINDOWS\system32\_003787_.tmp.dll
C:\WINDOWS\system32\_003788_.tmp.dll
C:\WINDOWS\system32\_003789_.tmp.dll
C:\WINDOWS\system32\_003790_.tmp.dll
C:\WINDOWS\system32\_003793_.tmp.dll
C:\WINDOWS\system32\_003795_.tmp.dll
C:\WINDOWS\system32\_003796_.tmp.dll
C:\WINDOWS\system32\_003797_.tmp.dll
C:\WINDOWS\system32\_003801_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2007-08-12 to 2007-09-12 )))))))))))))))))))))))))))))))
.

2007-09-12 15:22 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-12 15:01 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-08 12:41 512,096 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\amon.sys
2007-09-08 12:41 298,104 --a------ C:\WINDOWS\SYSTEM32\imon.dll
2007-09-08 12:41 15,424 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\nod32drv.sys
2007-09-07 10:41 364,544 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\npdsplay.dll
2007-09-07 10:40 1,110,528 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msxml3.dll
2007-09-07 10:38 68,992 --------- C:\WINDOWS\SYSTEM32\DRIVERS\_003724_.tmp.dll
2007-09-07 02:54 <DIR> d--h----- C:\WINDOWS\$hf_mig$

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-12 15:30 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-08 18:23 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-07 23:03 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Media Directory
2007-09-07 03:26 --------- d-------- C:\DOCUME~1\clinton\APPLIC~1\Google
2007-07-31 04:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-31 04:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-31 04:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-31 04:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-31 04:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-31 04:19 271224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-07-31 04:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-31 04:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-31 04:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-07-31 04:18 207736 --a------ C:\WINDOWS\SYSTEM32\muweb.dll
2007-01-14 22:36 24192 --a------ C:\DOCUME~1\CLINTO~1\usbsermptxp.sys
2007-01-14 22:36 22768 --a------ C:\DOCUME~1\CLINTO~1\usbsermpt.sys
2006-12-04 04:41 23852 --a------ C:\DOCUME~1\CLINTO~1\o.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 10:01]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-12 05:15]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 20:43]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-09 03:02]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-23 04:29]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 22:05]
"VirusScan"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2003-08-18 07:50]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-06-03 04:25]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 08:46]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-07-14 22:35]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 12:48]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-09-14 20:01]
"IS CfgWiz"="C:\Program Files\Norton Internet Security\cfgwiz.exe" [2004-09-01 23:35]
"URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [2004-08-31 10:29]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-09-06 23:13]
"AGRSMMSG"="AGRSMMSG.exe" [2003-11-20 00:41 C:\WINDOWS\AGRSMMSG.exe]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-02-03 00:32]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-09-08 12:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 22:00]
"DriverLoad"="" []
"DriverCheck"="" []
"SystemDriverLoad"="" []
"alpha"="c:\DriverLoad\windrv0.exe" []
"beta"="c:\DriverLoad\windrv0.exe" []
"gamma"="c:\DriverLoad\windrv0.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 09:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"WinMedia"=svchost
"alpha"=c:\DriverLoad\windrv0.exe
"beta"=c:\DriverLoad\windrv0.exe
"gamma"=c:\DriverLoad\windrv0.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 07:05:26]
DESKTOP.INI [2003-09-07 22:45:18]
Ralink Wireless Utility.lnk - C:\Program Files\RALINK\Common\RaUI.exe [2003-08-09 15:18:20]
Utility Tray.lnk - C:\WINDOWS\SYSTEM32\sistray.exe [2004-07-14 22:26:20]

C:\DOCUME~1\CLINTO~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 18:00:00]

C:\DOCUME~1\clinton\STARTM~1\Programs\Startup\
DESKTOP.INI [2003-09-07 22:45:18]

C:\DOCUME~1\DEFAUL~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2003-09-07 22:45:18]

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 18:00:00]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Clinton Brown^Start Menu^Programs^Startup^Morpheus.lnk]
path=C:\Documents and Settings\Clinton Brown\Start Menu\Programs\Startup\Morpheus.lnk
backup=C:\WINDOWS\pss\Morpheus.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BullsEye Network]
C:\Program Files\BullsEye Network\bin\bargains.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power Scan]
C:\Program Files\Power Scan\powerscan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

R2 STEC3;STEC3;\??\C:\WINDOWS\System32\STEC3.sys
S2 Nsynas32;Nsynas32;C:\WINDOWS\System32\drivers\Nsynas32.sys
S2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs
S2 windev-7fe4-2353;windev-7fe4-2353;\??\C:\WINDOWS\System32\windev-7fe4-2353.sys
S2 WinLd01Service;WinLd01Service;"C:\Documents and Settings\Clinton Brown\Application Data\Microsoft\svchost.exe"
S3 NaiFiltr;NaiFiltr;C:\WINDOWS\System32\DRIVERS\NaiFiltr.sys

.
Contents of the 'Scheduled Tasks' folder
"2003-06-26 21:11:32 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2003-06-26 19:13:03 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-12 15:31:16
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-09-12 15:36:46 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-12 15:36
.
--- E O F ---

Once again thanks for your help, Rob

#4 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)
Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\SYSTEM32\DRIVERS\_003724_.tmp.dll
c:\DriverLoad\windrv0.exe
C:\Documents and Settings\clinton\Local Settings\Temp\BIT14.tmp
C:\Documents and Settings\clinton\Local Settings\Temp\BIT5C.tmp
C:\Documents and Settings\clinton\Local Settings\Temp\BIT8.tmp
C:\Documents and Settings\clinton\Local Settings\Temp\BITC.tmp
C:\DOCUME~1\CLINTO~1\o.exe

Folder::
c:\DriverLoad\

FileLook::
C:\Documents and Settings\Clinton Brown\Application Data\Microsoft\svchost.exe

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DriverLoad"=-
"DriverCheck"=-
"SystemDriverLoad"=-
"alpha"=-
"beta"=-
"gamma"=-
[-HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BullsEye Network]

Suspect::
C:\WINDOWS\System32\windev-7fe4-2353.sys
C:\WINDOWS\System32\STEC3.sys


Save this as CFScript.txt


[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report and the combofix log from above

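For reference, the script format used in the reply above, as an added example that is not ComboFix's own code: a small parser that turns a CFScript into the ordered list of actions it requests, so that the delete-then-recreate pattern in the Registry:: block is visible before the script is run. The meaning of the File::, Folder:: and Suspect:: sections follows what the thread shows (the next log lists those files under "Other Deletions", and the helper says the Suspect files are captured for analysis); FileLook:: is assumed to report on the file without touching it; the Registry:: lines are standard regedit .reg syntax. Only the sections used in this thread are understood. The sample script is constructed from the one above with the user name replaced.

```python
import re

SECTION_RE = re.compile(r"^(\w+)::$")
KEY_RE = re.compile(r"^\[(-?)(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')

# What each section does. File/Folder/Suspect follow what the thread shows
# (the following log lists the files under "Other Deletions"; the helper says
# the Suspect files are captured for analysis). FileLook is assumed to report
# on the file only. Sections not used in this thread are rejected.
SECTION_ACTIONS = {
    "file": "delete_file",
    "folder": "delete_folder",
    "filelook": "report_file",
    "suspect": "submit_file",
}


def parse_cfscript(text):
    """Turn a CFScript into an ordered list of (action, target) pairs.

    Registry:: lines use regedit's .reg syntax: [KEY] creates/opens a key,
    [-KEY] deletes it with everything under it, "name"=- deletes one value
    and "name"="data" sets one. Order matters: [-KEY] followed by [KEY]
    wipes the key and recreates it empty.
    """
    actions = []
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            current_key = None
            continue
        if section in SECTION_ACTIONS:
            actions.append((SECTION_ACTIONS[section], line))
        elif section == "registry":
            km = KEY_RE.match(line)
            if km:
                minus, key = km.groups()
                current_key = key
                actions.append(("delete_key" if minus else "ensure_key", key))
                continue
            vm = VALUE_RE.match(line)
            if not vm or current_key is None:
                raise ValueError(f"Registry:: line outside a [KEY] header or malformed: {line}")
            name, data = vm.groups()
            if data == "-":
                actions.append(("delete_value", f"{current_key}\\{name}"))
            else:
                actions.append(("set_value", f"{current_key}\\{name}={data}"))
        else:
            raise ValueError(f"line before any section header or unknown section {section!r}: {line}")
    return actions


def summarize(actions):
    """Count actions by type; a quick sanity check before running a script."""
    counts = {}
    for action, _ in actions:
        counts[action] = counts.get(action, 0) + 1
    return counts


# Constructed sample, modelled on the CFScript in the reply above (user name replaced).
SAMPLE_SCRIPT = r"""
File::
C:\WINDOWS\SYSTEM32\DRIVERS\_003724_.tmp.dll
c:\DriverLoad\windrv0.exe

Folder::
c:\DriverLoad\

FileLook::
C:\Documents and Settings\user\Application Data\Microsoft\svchost.exe

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"alpha"=-
"beta"=-
"gamma"=-
[-HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BullsEye Network]

Suspect::
C:\WINDOWS\System32\windev-7fe4-2353.sys
C:\WINDOWS\System32\STEC3.sys
"""

if __name__ == "__main__":
    for action, target in parse_cfscript(SAMPLE_SCRIPT):
        print(f"{action:14} {target}")
    print(summarize(parse_cfscript(SAMPLE_SCRIPT)))
```

The two lines for the HKEY_USERS\.default Run key are the part worth reading twice: the first removes the whole key (including the `WinMedia` and `alpha`/`beta`/`gamma` values the ComboFix log showed there), the second recreates it empty so the default profile still has a valid Run key.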

#5 bruntyblue (Topic Starter, Member, 28 posts)
OK, here we go. I ran the script as instructed; after the reboot and ComboFix finished, it did not give me the message box to click OK on. I tried to access the internet, but I had not had a chance to make sure the connection was up, and as a result got the old "page not available". I tried to refresh but I don't know if it did. I saved the logs and will post them now. I spoke to the PC owner and he will come and do the uninstall of Norton as he understands Dutch; please let me know when the right time to do this is.
HERE is the ComboFix log:


ComboFix 07-09-12.4 - "clinton" 2007-09-13 15:16:53.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.141 [GMT 10:00]
* Created a new restore point

FILE::
C:\WINDOWS\SYSTEM32\DRIVERS\_003724_.tmp.dll
c:\DriverLoad\windrv0.exe
C:\Documents and Settings\clinton\Local Settings\Temp\BIT14.tmp
C:\Documents and Settings\clinton\Local Settings\Temp\BIT5C.tmp
C:\Documents and Settings\clinton\Local Settings\Temp\BIT8.tmp
C:\Documents and Settings\clinton\Local Settings\Temp\BITC.tmp
C:\DOCUME~1\CLINTO~1\o.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\CLINTO~1\o.exe
C:\Documents and Settings\clinton\Local Settings\Temp\BIT14.tmp
C:\Documents and Settings\clinton\Local Settings\Temp\BIT5C.tmp
C:\Documents and Settings\clinton\Local Settings\Temp\BIT8.tmp
C:\Documents and Settings\clinton\Local Settings\Temp\BITC.tmp
C:\WINDOWS\SYSTEM32\DRIVERS\_003724_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2007-08-13 to 2007-09-13 )))))))))))))))))))))))))))))))
.

2007-09-12 15:22 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-12 15:01 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-08 12:41 512,096 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\amon.sys
2007-09-08 12:41 298,104 --a------ C:\WINDOWS\SYSTEM32\imon.dll
2007-09-08 12:41 15,424 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\nod32drv.sys
2007-09-07 10:41 364,544 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\npdsplay.dll
2007-09-07 10:40 1,110,528 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msxml3.dll
2007-09-07 02:54 <DIR> d--h----- C:\WINDOWS\$hf_mig$

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-13 15:22 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-08 18:23 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-07 23:03 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Media Directory
2007-09-07 03:26 --------- d-------- C:\DOCUME~1\clinton\APPLIC~1\Google
2007-07-31 04:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-31 04:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-31 04:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-31 04:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-31 04:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-31 04:19 271224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-07-31 04:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-31 04:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-31 04:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-07-31 04:18 207736 --a------ C:\WINDOWS\SYSTEM32\muweb.dll
2007-01-14 22:36 24192 --a------ C:\DOCUME~1\CLINTO~1\usbsermptxp.sys
2007-01-14 22:36 22768 --a------ C:\DOCUME~1\CLINTO~1\usbsermpt.sys
.

((((((((((((((((((((((((((((( snapshot_2007-09-12_153527.75 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 17,474,680 2007-09-06 02:50:42 C:\WINDOWS\SYSTEM32\MRT.exe
.
----a-w 16,789,464 2007-08-02 11:34:12 C:\WINDOWS\SYSTEM32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 10:01]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-12 05:15]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 20:43]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-09 03:02]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-23 04:29]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 22:05]
"VirusScan"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2003-08-18 07:50]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-06-03 04:25]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 08:46]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-07-14 22:35]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 12:48]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-09-14 20:01]
"IS CfgWiz"="C:\Program Files\Norton Internet Security\cfgwiz.exe" [2004-09-01 23:35]
"URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [2004-08-31 10:29]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-09-06 23:13]
"AGRSMMSG"="AGRSMMSG.exe" [2003-11-20 00:41 C:\WINDOWS\AGRSMMSG.exe]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-02-03 00:32]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-09-08 12:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 22:00]
"DriverLoad"="" []
"DriverCheck"="" []
"SystemDriverLoad"="" []
"alpha"="c:\DriverLoad\windrv0.exe" []
"beta"="c:\DriverLoad\windrv0.exe" []
"gamma"="c:\DriverLoad\windrv0.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 09:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"WinMedia"=svchost
"alpha"=c:\DriverLoad\windrv0.exe
"beta"=c:\DriverLoad\windrv0.exe
"gamma"=c:\DriverLoad\windrv0.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 07:05:26]
DESKTOP.INI [2003-09-07 22:45:18]
Ralink Wireless Utility.lnk - C:\Program Files\RALINK\Common\RaUI.exe [2003-08-09 15:18:20]
Utility Tray.lnk - C:\WINDOWS\SYSTEM32\sistray.exe [2004-07-14 22:26:20]

C:\DOCUME~1\CLINTO~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 18:00:00]

C:\DOCUME~1\clinton\STARTM~1\Programs\Startup\
DESKTOP.INI [2003-09-07 22:45:18]

C:\DOCUME~1\DEFAUL~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2003-09-07 22:45:18]

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 18:00:00]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Clinton Brown^Start Menu^Programs^Startup^Morpheus.lnk]
path=C:\Documents and Settings\Clinton Brown\Start Menu\Programs\Startup\Morpheus.lnk
backup=C:\WINDOWS\pss\Morpheus.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BullsEye Network]
C:\Program Files\BullsEye Network\bin\bargains.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power Scan]
C:\Program Files\Power Scan\powerscan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

R2 STEC3;STEC3;\??\C:\WINDOWS\System32\STEC3.sys
S2 Nsynas32;Nsynas32;C:\WINDOWS\System32\drivers\Nsynas32.sys
S2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs
S2 windev-7fe4-2353;windev-7fe4-2353;\??\C:\WINDOWS\System32\windev-7fe4-2353.sys
S2 WinLd01Service;WinLd01Service;"C:\Documents and Settings\Clinton Brown\Application Data\Microsoft\svchost.exe"
S3 NaiFiltr;NaiFiltr;C:\WINDOWS\System32\DRIVERS\NaiFiltr.sys

.
Contents of the 'Scheduled Tasks' folder
"2003-06-26 21:11:32 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2003-06-26 19:13:03 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-13 15:23:36
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-09-13 15:28:57 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-13 15:28
C:\ComboFix2.txt ... 2007-09-12 15:36
.
--- E O F ---
HERE is the ActiveScan log



Incident Status Location

Adware:adware/exact.bargainbuddy Not disinfected c:\windows\msxct1.ini
Potentially unwanted tool:application/altnet Not disinfected c:\windows\smdat32a.sys
Potentially unwanted tool:application/bestoffer Not disinfected c:\windows\smdat32m.sys
Potentially unwanted tool:application/regclean32 Not disinfected c:\program files\Registry Cleaner Trial
Adware:adware/wupd Not disinfected Windows Registry
Dialer:dialer.cn Not disinfected hkey_classes_root\clsid\{511F9316-771B-4953-A268-1C36DA667FE9}
Adware:adware/picsplace Not disinfected Windows Registry
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\clinton\Cookies\clinton@winantivirus[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\clinton\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\clinton\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Clinton Brown\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-53b20018-13bab9de.zip[Gummy.class]
Virus:Trj/Downloader.LFO Disinfected C:\Documents and Settings\Clinton Brown\Application Data\TuneUp Software\TuneUp Utilities\Backups000003.rcb[00000001.fil]
Virus:Trj/Xorpix.V Disinfected C:\Documents and Settings\Clinton Brown\Application Data\TuneUp Software\TuneUp Utilities\Backups000003.rcb[00000002.fil]
Virus:Trj/Xorpix.V Disinfected C:\Documents and Settings\Clinton Brown\Application Data\TuneUp Software\TuneUp Utilities\Backups000003.rcb[00000003.fil]
Virus:Generic Malware Disinfected C:\Documents and Settings\Clinton Brown\Application Data\TuneUp Software\TuneUp Utilities\Backups000003.rcb[00000004.fil]
Virus:Trj/Banker.HZH Disinfected C:\Documents and Settings\Clinton Brown\Application Data\TuneUp Software\TuneUp Utilities\Backups000003.rcb[00000006.fil]
Virus:Trj/AVKiller.AO Disinfected C:\Documents and Settings\Clinton Brown\Application Data\TuneUp Software\TuneUp Utilities\Backups000003.rcb[00000007.fil]
Virus:W32/IRCBot.AXZ.worm Disinfected C:\Documents and Settings\Clinton Brown\Application Data\TuneUp Software\TuneUp Utilities\Backups000003.rcb[00000008.fil]
Virus:Generic Trojan Disinfected C:\Program Files\Internet Explorer\BTOW Shared Files\btwebcontrol.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
Virus:Trj/Qhost.gen Disinfected C:\SDFix\backups\HOSTS
Virus:Trj/Downloader.MDW Disinfected C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP388\A0182975.exe
Virus:Generic Malware Disinfected C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP388\A0183061.exe
Virus:Trj/Downloader.MDW Disinfected C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP388\A0183062.exe
Dialer:Dialer.KIZ Not disinfected C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP388\A0183064.exe
Dialer:Dialer.KIZ Not disinfected C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP388\A0183065.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
Thanks, and will be waiting patiently.

#6 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)
Delete the ComboFix you now have and download a fresh/updated version (use the same link).

Open Notepad and copy/paste the text in the quote box below into it:

File::
c:\windows\msxct1.ini
c:\windows\smdat32a.sys
c:\windows\smdat32m.sys

Folder::
C:\Program Files\Internet Explorer\BTOW Shared Files\

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DriverLoad"=-
"DriverCheck"=-
"SystemDriverLoad"=-
"alpha"=-
"beta"=-
"gamma"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"WinMedia"=-
"alpha"=-
"beta"=-
"gamma"=-

Save this as CFScript.txt

Then drag/drop the CFScript.txt onto ComboFix.exe as you see in the screenshot below.

(screenshot: CFScript.txt being dragged onto ComboFix.exe)

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

How is the computer running now?
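The log in #5 and the script in #6 together show the two halves of this kind of cleanup: spotting the persistence entries in ComboFix's "Reg Loading Points" section (Run values whose image ComboFix could not find, a bare `svchost` command, a `svchost.exe` living under a user profile, a hex-suffixed driver name) and expressing their removal as a CFScript `Registry::` block with the `"name"=-` delete syntax the helper used. The Python below is an added example, not part of this thread and not a ComboFix component: it parses a sample of that log section, applies a few triage heuristics and emits the matching `Registry::` block. The heuristics, the function names and the sample log are this example's own assumptions; the sample lines are constructed from entries quoted in the thread, and treating a missing `[timestamp]` as "image not verified" is an assumption about ComboFix's output format.

```python
"""Triage of a ComboFix 'Reg Loading Points' section (added example, see lead-in)."""
import re
from collections import OrderedDict, namedtuple

# Constructed sample, assembled from entries quoted in the thread's logs.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-09-14 20:01]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 22:00]
"DriverLoad"="" []
"alpha"="c:\DriverLoad\windrv0.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"WinMedia"=svchost
"beta"=c:\DriverLoad\windrv0.exe

S2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs
S2 windev-7fe4-2353;windev-7fe4-2353;\??\C:\WINDOWS\System32\windev-7fe4-2353.sys
S2 WinLd01Service;WinLd01Service;"C:\Documents and Settings\Clinton Brown\Application Data\Microsoft\svchost.exe"
"""

Entry = namedtuple("Entry", "kind key name path verified")
Finding = namedtuple("Finding", "kind key name path reasons")

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# "name"="data" [timestamp]   or   "name"=data   (the two value layouts seen in the logs above)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:"(?P<qdata>[^"]*)"(?:\s+\[(?P<stamp>[^\]]*)\])?|(?P<data>.*))$')
# R2/S2/S3 <name>;<display name>;<image path>
SVC_RE = re.compile(r"^[RS][0-4]\s+(?P<name>[^;]+);[^;]*;(?P<image>.*)$")
HEX_TOKEN = re.compile(r"-[0-9a-f]{4}-[0-9a-f]{4}$", re.I)   # e.g. windev-7fe4-2353

SYSTEM32 = "c:\\windows\\system32\\"
SYSTEM_BINARIES = {"svchost", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
USER_WRITABLE = ("documents and settings", "docume~1", "application data", "local settings", "\\temp\\")

def image_path(data):
    """Reduce a command string to its executable path: strip quotes, the \\??\\ prefix and arguments."""
    data = data.strip().strip('"')
    if data.startswith("\\??\\"):
        data = data[4:]
    m = re.match(r"^(.*?\.(?:exe|sys|dll|com))(?:\s.*)?$", data, re.I)
    return m.group(1) if m else data

def parse_loading_points(text):
    """Yield Entry records: Run values (with their key) and services/drivers."""
    key = None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = RUN_RE.match(line)
        if m and key:
            data = m.group("qdata") if m.group("qdata") is not None else m.group("data")
            # Assumption: ComboFix prints a timestamp in [] only when it found the image;
            # an empty [] or no bracket at all means the file could not be verified.
            yield Entry("run", key, m.group("name"), image_path(data), bool(m.group("stamp")))
            continue
        m = SVC_RE.match(line)
        if m:
            yield Entry("service", None, m.group("name"), image_path(m.group("image")), True)

def assess(entry):
    """Return the reasons an autostart entry looks like persistence (empty list = nothing noted)."""
    reasons = []
    low = entry.path.lower()
    base = low.rsplit("\\", 1)[-1]
    if not entry.path:
        reasons.append("empty command (orphaned or hidden autostart)")
    elif base in SYSTEM_BINARIES and not low.startswith(SYSTEM32):
        reasons.append("system binary name outside System32 (masquerading)")
    if any(tok in low for tok in USER_WRITABLE):
        reasons.append("image under a user profile or temp directory")
    if entry.kind == "run" and entry.path and not entry.verified:
        reasons.append("no file timestamp in log: image not verified by ComboFix")
    if entry.kind == "service" and HEX_TOKEN.search(entry.name):
        reasons.append("hex-suffixed service name (looks generated)")
    return reasons

def triage(text):
    """All flagged entries, in log order."""
    return [Finding(e.kind, e.key, e.name, e.path, r)
            for e in parse_loading_points(text) if (r := assess(e))]

def build_cfscript(findings):
    """Registry:: block deleting the flagged Run values; "name"=- is the delete syntax used in the thread.
    Services/drivers are deliberately left out: review those by hand rather than scripting them blind."""
    by_key = OrderedDict()
    for f in findings:
        if f.kind == "run":
            by_key.setdefault(f.key, []).append(f.name)
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
        lines.append("")
    return "\n".join(lines)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:7} {f.name:18} {f.path or '<empty>'}\n        " + "; ".join(f.reasons))
    print(build_cfscript(triage(SAMPLE_LOG)))
```

Run against the sample it flags DriverLoad, alpha, WinMedia and beta (the four Run values the helper scripted out in #6) plus the two services, and the emitted `Registry::` block lists only the Run values, grouped under their keys, exactly as the helper's script does. Services and drivers are reported but not scripted: a wrong guess there disables a legitimate driver, so they stay a manual decision.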

#7 bruntyblue (Member, Topic Starter, 28 posts)
Hi, the PC is running much better, quicker boot and shutdown times. Just let me know when it's time to get rid of the Norton; the owner is quite happy to go with AVG Free.
Here is the ComboFix log. (PC did NOT reboot after running the ComboFix script.)

ComboFix 07-09-17.2 - "clinton" 2007-09-17 10:00:14.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.146 [GMT 10:00]
* Created a new restore point

FILE::
c:\windows\msxct1.ini
c:\windows\smdat32a.sys
c:\windows\smdat32m.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Internet Explorer\BTOW Shared Files\
c:\windows\msxct1.ini
c:\windows\smdat32a.sys
c:\windows\smdat32m.sys

.
((((((((((((((((((((((((( Files Created from 2007-08-17 to 2007-09-17 )))))))))))))))))))))))))))))))
.

2007-09-13 15:34 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-09-12 15:01 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-07 02:54 <DIR> d--h----- C:\WINDOWS\$hf_mig$

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-17 09:46 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-13 16:48 --------- d-------- C:\Program Files\Norton Internet Security
2007-09-13 16:43 --------- d-------- C:\Program Files\Google
2007-09-13 16:42 --------- d-------- C:\Program Files\Dell AIO Printer A920
2007-09-13 16:39 --------- d-------- C:\Program Files\Apoint
2007-09-08 18:23 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-08 12:40 512096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-09-08 12:40 298104 --a------ C:\WINDOWS\SYSTEM32\imon.dll
2007-09-08 12:40 15424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-09-07 23:03 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Media Directory
2007-09-07 03:26 --------- d-------- C:\DOCUME~1\clinton\APPLIC~1\Google
2007-07-31 04:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-31 04:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-31 04:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-31 04:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-31 04:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-31 04:19 271224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-07-31 04:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-31 04:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-31 04:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-07-31 04:18 207736 --a------ C:\WINDOWS\SYSTEM32\muweb.dll
2007-01-14 22:36 24192 --a------ C:\DOCUME~1\CLINTO~1\usbsermptxp.sys
2007-01-14 22:36 22768 --a------ C:\DOCUME~1\CLINTO~1\usbsermpt.sys
.

((((((((((((((((((((((((((((( snapshot_2007-09-12_153527.75 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 141,424 2006-08-23 22:28:54 C:\WINDOWS\Downloaded Program Files\asinst.dll
----a-w 383,376 2007-05-02 00:20:14 C:\WINDOWS\SoftwareDistribution\Download\Install\CAPICOM-KB931906-v2102.exe
----a-w 73,728 2006-08-02 02:39:06 C:\WINDOWS\SYSTEM32\asuninst.exe
----a-w 17,474,680 2007-09-06 02:50:42 C:\WINDOWS\SYSTEM32\MRT.exe
----a-w 11,776 2003-03-25 08:53:50 C:\WINDOWS\SYSTEM32\ZPORT4AS.dll
----a-w 110,592 2007-03-28 23:20:50 C:\WINDOWS\SYSTEM32\ActiveScan\as.dll
----a-w 233,472 2006-10-05 06:15:26 C:\WINDOWS\SYSTEM32\ActiveScan\ascontrol.dll
----a-w 96,256 2005-06-03 04:03:18 C:\WINDOWS\SYSTEM32\ActiveScan\asmdat.dll
----a-w 36,864 2003-08-01 01:00:16 C:\WINDOWS\SYSTEM32\ActiveScan\certdll.dll
----a-w 86,016 2005-05-20 03:42:44 C:\WINDOWS\SYSTEM32\ActiveScan\instlsp.dll
----a-w 4,608 2006-02-16 08:20:20 C:\WINDOWS\SYSTEM32\ActiveScan\memvfile.dll
----a-w 348,160 2005-10-25 08:08:32 C:\WINDOWS\SYSTEM32\ActiveScan\msvcr71.dll
----a-w 139,264 2004-05-04 05:01:02 C:\WINDOWS\SYSTEM32\ActiveScan\pavaleas.dll
----a-w 45,056 2006-07-14 03:04:10 C:\WINDOWS\SYSTEM32\ActiveScan\pavdr.exe
----a-w 159,832 2006-04-10 00:50:02 C:\WINDOWS\SYSTEM32\ActiveScan\pavexcom.dll
----a-w 94,208 2006-02-14 03:05:38 C:\WINDOWS\SYSTEM32\ActiveScan\pavinas.dll
----a-w 180,224 2006-02-16 08:35:38 C:\WINDOWS\SYSTEM32\ActiveScan\pavoe.dll
----a-w 122,880 2006-10-05 06:15:38 C:\WINDOWS\SYSTEM32\ActiveScan\pavpz.dll
----a-w 8,704 2006-06-30 04:13:38 C:\WINDOWS\SYSTEM32\ActiveScan\pfdnnt.exe
----a-w 49,152 2004-02-04 04:08:42 C:\WINDOWS\SYSTEM32\ActiveScan\port32.dll
----a-w 69,632 2006-08-01 03:23:10 C:\WINDOWS\SYSTEM32\ActiveScan\pscpu.dll
----a-w 1,388,544 2006-08-23 03:06:08 C:\WINDOWS\SYSTEM32\ActiveScan\pskahk.dll
----a-w 10,752 2006-08-17 01:38:14 C:\WINDOWS\SYSTEM32\ActiveScan\pskalloc.dll
----a-w 61,440 2006-09-04 01:49:54 C:\WINDOWS\SYSTEM32\ActiveScan\pskas.dll
----a-w 779,264 2006-08-17 22:46:18 C:\WINDOWS\SYSTEM32\ActiveScan\pskavs.dll
----a-w 417,792 2007-03-26 04:25:34 C:\WINDOWS\SYSTEM32\ActiveScan\pskcmp.dll
----a-w 90,112 2006-08-09 00:42:24 C:\WINDOWS\SYSTEM32\ActiveScan\pskfss.dll
----a-w 208,896 2006-07-19 00:55:58 C:\WINDOWS\SYSTEM32\ActiveScan\pskhtml.dll
----a-w 9,728 2006-01-20 06:57:00 C:\WINDOWS\SYSTEM32\ActiveScan\pskmas.dll
----a-w 14,336 2006-05-16 23:50:12 C:\WINDOWS\SYSTEM32\ActiveScan\pskmdfs.dll
----a-w 33,280 2006-08-16 00:58:12 C:\WINDOWS\SYSTEM32\ActiveScan\pskpack.dll
----a-w 266,240 2006-06-30 04:42:36 C:\WINDOWS\SYSTEM32\ActiveScan\pskscs.dll
----a-w 62,976 2006-08-17 04:33:14 C:\WINDOWS\SYSTEM32\ActiveScan\pskutil.dll
----a-w 13,312 2006-08-08 03:13:10 C:\WINDOWS\SYSTEM32\ActiveScan\pskvfile.dll
----a-w 69,632 2006-08-17 22:53:08 C:\WINDOWS\SYSTEM32\ActiveScan\pskvfs.dll
----a-w 167,936 2006-08-17 22:49:50 C:\WINDOWS\SYSTEM32\ActiveScan\pskvm.dll
----a-w 353,840 2007-04-18 07:16:04 C:\WINDOWS\SYSTEM32\ActiveScan\psscan.dll
----a-w 35,328 2007-01-22 04:42:48 C:\WINDOWS\SYSTEM32\ActiveScan\rawvfile.dll
----a-w 9,488 1997-09-17 20:12:32 C:\WINDOWS\SYSTEM32\ActiveScan\sporder.dll
----a-w 69,632 2006-02-28 07:23:40 C:\WINDOWS\SYSTEM32\ActiveScan\tcpvfile.dll
.
----a-w 16,789,464 2007-08-02 11:34:12 C:\WINDOWS\SYSTEM32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 10:01]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-12 05:15]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 20:43]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-09 03:02]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-23 04:29]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 22:05]
"VirusScan"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2003-08-18 07:50]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-06-03 04:25]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 08:46]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-07-14 22:35]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 12:48]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-09-14 20:01]
"IS CfgWiz"="C:\Program Files\Norton Internet Security\cfgwiz.exe" [2004-09-01 23:35]
"URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [2004-08-31 10:29]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-09-06 23:13]
"AGRSMMSG"="AGRSMMSG.exe" [2003-11-20 00:41 C:\WINDOWS\AGRSMMSG.exe]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-02-03 00:32]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-09-08 12:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 22:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 09:56]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 07:05:26]
DESKTOP.INI [2003-09-07 22:45:18]
Ralink Wireless Utility.lnk - C:\Program Files\RALINK\Common\RaUI.exe [2003-08-09 15:18:20]
Utility Tray.lnk - C:\WINDOWS\SYSTEM32\sistray.exe [2004-07-14 22:26:20]

C:\DOCUME~1\CLINTO~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 18:00:00]

C:\DOCUME~1\clinton\STARTM~1\Programs\Startup\
DESKTOP.INI [2003-09-07 22:45:18]

C:\DOCUME~1\DEFAUL~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2003-09-07 22:45:18]

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 18:00:00]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Clinton Brown^Start Menu^Programs^Startup^Morpheus.lnk]
path=C:\Documents and Settings\Clinton Brown\Start Menu\Programs\Startup\Morpheus.lnk
backup=C:\WINDOWS\pss\Morpheus.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BullsEye Network]
C:\Program Files\BullsEye Network\bin\bargains.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power Scan]
C:\Program Files\Power Scan\powerscan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

R2 STEC3;STEC3;\??\C:\WINDOWS\System32\STEC3.sys
S2 Nsynas32;Nsynas32;C:\WINDOWS\System32\drivers\Nsynas32.sys
S2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs
S2 windev-7fe4-2353;windev-7fe4-2353;\??\C:\WINDOWS\System32\windev-7fe4-2353.sys
S2 WinLd01Service;WinLd01Service;"C:\Documents and Settings\Clinton Brown\Application Data\Microsoft\svchost.exe"
S3 NaiFiltr;NaiFiltr;C:\WINDOWS\System32\DRIVERS\NaiFiltr.sys

.
Contents of the 'Scheduled Tasks' folder
"2003-06-26 21:11:32 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2003-06-26 19:13:03 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-17 10:02:59
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-09-17 10:04:11
C:\ComboFix-quarantined-files.txt ... 2007-09-17 10:03
C:\ComboFix2.txt ... 2007-09-13 15:28
C:\ComboFix3.txt ... 2007-09-12 15:36
.
--- E O F ---

#8 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)

just let me know when its time to get rid of the Norton, the owner is quite happy to go with AVG free.


Personally I'd do it immediately. I believe you will notice even more performance improvement. For what it's worth, the NOD32 that is on there is as good as it gets, but sadly not free. Just make SURE to end up with only 1 installed/active anti-virus.

Other than that I believe we are done here, unless there are any issues not reflected in the logs.

You can delete ComboFix, SDFix and the C:\Qoobox folder/files now.

First, let's clean your restore points and set a new one:

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files (you will lose all previous restore points, which are likely to be infected):

1. Turn off System Restore.
   On the Desktop, right-click My Computer.
   Click Properties.
   Click the System Restore tab.
   Check Turn off System Restore.
   Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
   On the Desktop, right-click My Computer.
   Click Properties.
   Click the System Restore tab.
   UN-check Turn off System Restore.
   Click Apply, and then click OK.

System Restore will now be active again.

You also NEED to update your Java; follow the guidelines HERE.

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.

More info and downloads are available at the links in the following article by TonyKlein.

Make SURE to read How Did I Get Infected in the First Place??

#9 bruntyblue (Member, Topic Starter, 28 posts)
Ok, have turned System Restore off and then back on. When trying to remove Java I am still getting a Windows Installer error. Have tried to load Service Pack 2 for XP and get this error:

Service Pack 2 setup Error
Service Pack 2 could not backup registry key
HKCR\.DVR-MS
to file C:\WINDOWS\$NtServicePackUninstall$\reg00013. 5:Access is denied.
Abort Retry Ignore
Unsure what to do. The PC is still running; I am on my home PC typing this.
P.S. I use NOD32 on my own PC; the one you are helping me with is a friend's.
Looking forward to any advice.
PC is running better all the time. I will get the owner to remove Norton as soon as possible.
Rob

#10 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)
Did you try to ignore that error? (Sorry, you seem to have slipped by the wayside.)

Well, he has/had NOD32 on this box at one time:

"C:\Program Files\Eset\nod32kui.exe"



#11 bruntyblue (Member, Topic Starter, 28 posts)
I removed McAfee manually after following a thread on another forum. The owner removed the Norton. I have updated all the spyware tools and loaded Service Pack 2. All good. (P.S. I loaded NOD32 as AVG kept stalling at the start of all this.) I would like to give a BIG THANK YOU for all the help, and I think this thread can be marked as resolved. Once again, a big thank you for all the help.
Rob

#12 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.