help!infected with smitfraud


  • This topic is locked

#1
mik2
    New Member
  • 4 posts
I've been infected with SmitFraud. I tried the tutorial and it worked last night, but today it came back again.

Here's the report:

SmitFraudFix v2.274

Scan done at 14:30:41.04, Fri 01/25/2008
Run from C:\Documents and Settings\Kuya MicMic Astig!\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 NtKrnlpa.info
127.0.0.1 localhost
127.0.0.1 bin.errorprotector.com ## added by CiD
127.0.0.1 br.errorsafe.com ## added by CiD
127.0.0.1 br.winantivirus.com ## added by CiD
127.0.0.1 br.winfixer.com ## added by CiD
127.0.0.1 cdn.drivecleaner.com ## added by CiD
127.0.0.1 cdn.errorsafe.com ## added by CiD
127.0.0.1 cdn.winsoftware.com ## added by CiD
127.0.0.1 de.errorsafe.com ## added by CiD
127.0.0.1 de.winantivirus.com ## added by CiD
127.0.0.1 download.cdn.drivecleaner.com ## added by CiD
127.0.0.1 download.cdn.errorsafe.com ## added by CiD
127.0.0.1 download.cdn.winsoftware.com ## added by CiD
127.0.0.1 download.errorsafe.com ## added by CiD
127.0.0.1 download.systemdoctor.com ## added by CiD
127.0.0.1 download.winantispyware.com ## added by CiD
127.0.0.1 download.windrivecleaner.com ## added by CiD
127.0.0.1 download.winfixer.com ## added by CiD
127.0.0.1 drivecleaner.com ## added by CiD
127.0.0.1 dynamique.drivecleaner.com ## added by CiD
127.0.0.1 errorprotector.com ## added by CiD
127.0.0.1 errorsafe.com ## added by CiD
127.0.0.1 es.winantivirus.com ## added by CiD
127.0.0.1 fr.winantivirus.com ## added by CiD
127.0.0.1 fr.winfixer.com ## added by CiD
127.0.0.1 go.drivecleaner.com ## added by CiD
127.0.0.1 go.errorsafe.com ## added by CiD
127.0.0.1 go.winantispyware.com ## added by CiD
127.0.0.1 go.winantivirus.com ## added by CiD
127.0.0.1 hk.winantivirus.com ## added by CiD
127.0.0.1 instlog.errorsafe.com ## added by CiD
127.0.0.1 instlog.winantivirus.com ## added by CiD
127.0.0.1 instlog.winfixer.com ## added by CiD
127.0.0.1 jsp.drivecleaner.com ## added by CiD
127.0.0.1 kb.errorsafe.com ## added by CiD
127.0.0.1 kb.winantivirus.com ## added by CiD
127.0.0.1 nl.errorsafe.com ## added by CiD
127.0.0.1 se.errorsafe.com ## added by CiD
127.0.0.1 secure.drivecleaner.com ## added by CiD
127.0.0.1 secure.errorsafe.com ## added by CiD
127.0.0.1 secure.winantispam.com ## added by CiD
127.0.0.1 secure.winantispy.com ## added by CiD
127.0.0.1 secure.winantivirus.com ## added by CiD
127.0.0.1 support.winantivirus.com ## added by CiD
127.0.0.1 trial.updates.winsoftware.com ## added by CiD
127.0.0.1 ulog.winantivirus.com ## added by CiD
127.0.0.1 utils.errorsafe.com ## added by CiD
127.0.0.1 utils.winantivirus.com ## added by CiD
127.0.0.1 utils.winfixer.com ## added by CiD
127.0.0.1 winantispyware.com ## added by CiD
127.0.0.1 winantivirus.com ## added by CiD
127.0.0.1 winfixer.com ## added by CiD
127.0.0.1 winfixer2006.com ## added by CiD
127.0.0.1 winsoftware.com ## added by CiD
127.0.0.1 www.drivecleaner.com ## added by CiD
127.0.0.1 www.errorprotector.com ## added by CiD
127.0.0.1 www.errorsafe.com ## added by CiD
127.0.0.1 www.systemdoctor.com ## added by CiD
127.0.0.1 www.utils.winfixer.com ## added by CiD
127.0.0.1 www.win-anti-virus-pro.com ## added by CiD
127.0.0.1 www.win-virus-pro.com ## added by CiD
127.0.0.1 www.winantispam.com ## added by CiD
127.0.0.1 www.winantispy.com ## added by CiD
127.0.0.1 www.winantispyware.com ## added by CiD
127.0.0.1 www.winantivirus.com ## added by CiD
127.0.0.1 www.winantiviruspro.com ## added by CiD
127.0.0.1 www.windrivecleaner.com ## added by CiD
127.0.0.1 www.windrivesafe.com ## added by CiD
127.0.0.1 www.winfixer.com ## added by CiD
127.0.0.1 www.winfixer2006.com ## added by CiD
127.0.0.1 www.winsoftware.com ## added by CiD



»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{A467F617-E586-4957-930F-1A0E98A2ECFB}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A467F617-E586-4957-930F-1A0E98A2ECFB}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{A467F617-E586-4957-930F-1A0E98A2ECFB}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{A467F617-E586-4957-930F-1A0E98A2ECFB}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


The logs from VundoFix:
VundoFix V6.7.7

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 8:09:44 PM 1/23/2008

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\awtsrsp.dll
C:\WINDOWS\SYSTEM32\awvtr.dll
C:\WINDOWS\SYSTEM32\awvtr.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\windows\SYSTEM32\drvjinr.dll
C:\WINDOWS\system32\mjkuyjlp.dll
C:\windows\SYSTEM32\mjkuyjlp.dllbox
C:\windows\SYSTEM32\qyhdcrrk.dllbox
C:\WINDOWS\SYSTEM32\rtvwa.ini
C:\WINDOWS\SYSTEM32\rtvwa.ini2
C:\WINDOWS\SYSTEM32\tmp1964.tmp.dll
C:\WINDOWS\SYSTEM32\tmp1970.tmp.dll
C:\WINDOWS\SYSTEM32\tmp1A24.tmp.dll
C:\WINDOWS\SYSTEM32\winrkp32.dll

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\awtsrsp.dll
C:\WINDOWS\SYSTEM32\awtsrsp.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\awvtr.dll
C:\WINDOWS\SYSTEM32\awvtr.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\awvtr.exe
C:\WINDOWS\SYSTEM32\awvtr.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe Could not be deleted.

Attempting to delete C:\windows\SYSTEM32\drvjinr.dll
C:\windows\SYSTEM32\drvjinr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mjkuyjlp.dll
C:\WINDOWS\system32\mjkuyjlp.dll Has been deleted!

Attempting to delete C:\windows\SYSTEM32\mjkuyjlp.dllbox
C:\windows\SYSTEM32\mjkuyjlp.dllbox Has been deleted!

Attempting to delete C:\windows\SYSTEM32\qyhdcrrk.dllbox
C:\windows\SYSTEM32\qyhdcrrk.dllbox Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\rtvwa.ini
C:\WINDOWS\SYSTEM32\rtvwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\rtvwa.ini2
C:\WINDOWS\SYSTEM32\rtvwa.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\tmp1964.tmp.dll
C:\WINDOWS\SYSTEM32\tmp1964.tmp.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\tmp1970.tmp.dll
C:\WINDOWS\SYSTEM32\tmp1970.tmp.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\tmp1A24.tmp.dll
C:\WINDOWS\SYSTEM32\tmp1A24.tmp.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\winrkp32.dll
C:\WINDOWS\SYSTEM32\winrkp32.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.7

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 9:31:37 PM 1/23/2008



And the log from HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:34:34 PM, on 1/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kuya MicMic Astig!\Desktop\VundoFix.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ask.askredir........dis&o=13010
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....aceUploader.cab
O20 - AppInit_DLLs: sQusiStub.dll
O21 - SSODL: aswmklt - {5EAA4F1A-6449-49DC-A059-A3E9CD72FC4F} - C:\WINDOWS\aswmklt.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 7723 bytes

Edited by mik2, 25 January 2008 - 05:43 PM.



#2
JSntgRvr
    Global Moderator
  • 11,037 posts
Hi, mik2 :)

Welcome!

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all-inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore your connection.

    -----------------------------------------------------------

  • Double-click on ComboFix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

#3
mik2
    New Member
  • Topic Starter
  • 4 posts
The SmitFraud, VundoFix and ComboFix worked so far, and I changed all the security settings in my Internet Explorer and Firefox. Still getting the pop-ups now and then, but the browser blocks them most of the time. I'm really glad I added 3 GB to my RAM. Here's the log from ComboFix:

ComboFix 08-01-23.1C - Kuya MicMic Astig! 2008-01-26 13:18:45.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2783 [GMT -8:00]
Running from: C:\Documents and Settings\Kuya MicMic Astig!\Desktop\anti virus&spyware programs\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Application Data\storageprotector
C:\Documents and Settings\All Users\Application Data\storageprotector\Data\ac
C:\Documents and Settings\All Users\Application Data\storageprotector\Data\em
C:\Documents and Settings\All Users\Application Data\storageprotector\Data\oid
C:\Documents and Settings\All Users\Application Data\storageprotector\Data\user
C:\Documents and Settings\Kuya MicMic Astig!\Application Data\storageprotector
C:\Documents and Settings\Kuya MicMic Astig!\Application Data\storageprotector\Logs\update.log
C:\Documents and Settings\Kuya MicMic Astig!\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Kuya MicMic Astig!\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Kuya MicMic Astig!\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\StorageProtector
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\OinUninstall.exe
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\OuterinfoUpdate.exe~
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\outlook
C:\Program Files\outlook\p.zip
C:\WINDOWS\dat.txt
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\SYSTEM32\ghkmp.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tmp1944.tmp.dll
C:\WINDOWS\system32\tmp1979.tmp.dll
C:\WINDOWS\system32\tmp19C5.tmp.dll
C:\WINDOWS\system32\tmp1A26.tmp.dll
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\system32\UpMedia
C:\WINDOWS\SYSTEM32\vbxsdyst.ini
C:\WINDOWS\SYSTEM32\vbxsdyst.ini2
C:\WINDOWS\SYSTEM32\vbxsdyst.tmp
C:\WINDOWS\system32\windows
C:\WINDOWS\wr.txt

----- BITS: Possible infected sites -----

hxxp://216.40.219.141
hxxp://softworldnetwork.com
hxxp://onsafepro.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-12-26 to 2008-01-26 )))))))))))))))))))))))))))))))
.

2008-01-26 13:17 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-25 23:04 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-01-25 23:04 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-01-25 23:04 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-01-25 23:04 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-01-25 23:04 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-01-25 23:04 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-01-25 20:32 . 2008-01-25 20:32 2,312 --a------ C:\autorun.PNF
2008-01-25 20:18 . 2008-01-25 21:10 <DIR> d-------- C:\Program Files\Steam
2008-01-25 18:44 . 2008-01-25 18:44 <DIR> d-------- C:\Program Files\Valve
2008-01-25 00:57 . 2008-01-25 23:05 1,092 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-01-25 00:06 . 2008-01-25 00:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-24 23:47 . 2008-01-24 23:47 <DIR> d-------- C:\WINDOWS\Performance
2008-01-24 16:26 . 2008-01-24 11:50 229,376 --a------ C:\WINDOWS\aswmklt.dll
2008-01-24 16:26 . 2008-01-24 11:50 176,128 --a------ C:\WINDOWS\elfwgps.dll
2008-01-24 16:26 . 2008-01-24 11:50 98,304 --a------ C:\WINDOWS\fvqkfsp.exe
2008-01-24 16:15 . 2008-01-24 16:15 <DIR> d-------- C:\Program Files\AudioToolsFactory
2008-01-23 20:09 . 2008-01-25 15:28 <DIR> d-------- C:\VundoFix Backups
2008-01-23 14:36 . 2008-01-23 14:37 1,117,442 ---hs---- C:\WINDOWS\SYSTEM32\wrtqyaio.ini
2008-01-22 05:54 . 2008-01-26 13:28 4,988,960 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2008-01-22 05:54 . 2008-01-26 13:21 152,352 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.dat
2008-01-22 05:54 . 2008-01-26 13:21 59,492 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx
2008-01-22 05:54 . 2008-01-26 13:21 15,284 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.idx
2008-01-21 22:17 . 2007-12-04 04:54 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2008-01-21 22:17 . 2007-12-04 06:51 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2008-01-21 22:17 . 2007-12-04 06:49 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2008-01-21 22:17 . 2007-12-04 06:53 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2008-01-21 22:16 . 2007-12-04 05:04 837,496 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2008-01-21 22:16 . 2007-12-04 06:55 94,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2008-01-21 22:16 . 2007-12-04 06:56 93,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2008-01-21 12:24 . 2008-01-21 12:25 1,449 --a------ C:\Config.ini
2008-01-21 09:52 . 2008-01-21 16:33 1,089,556 ---hs---- C:\WINDOWS\SYSTEM32\kswvsiov.ini
2008-01-19 11:29 . 2008-01-19 11:29 <DIR> d-------- C:\Program Files\Analog Devices
2008-01-18 22:33 . 2008-01-18 22:33 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-18 22:08 . 2006-03-24 17:08 28,778 --a------ C:\WINDOWS\SYSTEM32\klogon.dll
2008-01-17 18:06 . 2008-01-24 14:38 15,360 --a------ C:\WINDOWS\SYSTEM32\ctfmon .exe
2008-01-15 12:22 . 2008-01-15 12:23 212,008 --a------ C:\WINDOWS\SYSTEM32\iphttphl2.dll
2007-12-30 23:58 . 2007-12-30 23:58 <DIR> d-------- C:\Program Files\Red Kawa
2007-12-26 16:28 . 2005-04-12 07:21 225,280 --a------ C:\WINDOWS\SYSTEM32\rewire.dll
2007-12-26 16:26 . 2007-12-26 16:29 <DIR> d-------- C:\Program Files\Image-Line

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 06:05 --------- d-----w C:\Program Files\Real
2008-01-19 19:15 --------- d-----w C:\Program Files\Dell Support
2007-12-26 01:22 --------- d-----w C:\Program Files\Nokia
2007-12-26 01:22 --------- d-----w C:\Program Files\Common Files\Nokia
2007-12-18 21:51 --------- d-----w C:\Program Files\Paint
2007-12-18 18:50 --------- d-----w C:\Program Files\LimeWire
2007-12-12 18:44 --------- d-----w C:\Program Files\TaxCut07
2007-12-05 04:09 --------- d-----w C:\Program Files\Common Files\Download Manager
2007-12-03 20:22 --------- d-----w C:\Program Files\Common Files\Stardock
2007-12-02 06:25 --------- d-----w C:\Program Files\Stardock
2007-11-29 07:55 65,536 -c--a-w C:\WINDOWS\IFinst27.exe
2007-07-16 02:32 1,192,890 -csh--w C:\WINDOWS\wwybcf.ini2
2005-11-30 01:23 411,925 -csha-w C:\WINDOWS\SYSTEM32\ijjlm.bak1
2005-12-04 18:22 365,153 -csha-w C:\WINDOWS\SYSTEM32\ijjlm.bak2
2005-12-05 07:42 374,151 -csha-w C:\WINDOWS\SYSTEM32\ijjlm.ini2
2005-11-12 06:23 347,361 -csha-w C:\WINDOWS\SYSTEM32\jjkkj.bak1
2005-11-29 07:50 410,848 -csha-w C:\WINDOWS\SYSTEM32\jjkkj.bak2
2005-11-29 17:43 413,024 -csha-w C:\WINDOWS\SYSTEM32\jjkkj.ini2
2005-10-22 23:53 381,055 -csha-w C:\WINDOWS\SYSTEM32\oqtwa.bak1
2005-11-12 01:03 384,897 -csha-w C:\WINDOWS\SYSTEM32\oqtwa.bak2
2005-11-12 01:04 384,380 -csha-w C:\WINDOWS\SYSTEM32\oqtwa.ini2
.
<pre>
----a-w			79,224 2008-01-22 23:21:53  C:\Program Files\Alwil Software\Avast4\ashDisp .exe
----a-w		 1,404,928 2008-01-20 04:20:22  C:\Program Files\Analog Devices\Core\smax4pnp .exe
----a-w		   227,328 2008-01-20 23:38:00  C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication .exe
----a-w			15,360 2008-01-24 22:38:58  C:\WINDOWS\SYSTEM32\ctfmon .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
-ra--c--- 2004-08-25 09:52 339968 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellMCM]
-ra--c--- 2004-07-27 11:08 262144 C:\Program Files\Dell Photo AIO Printer 942\memcard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2007-04-27 08:41 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-11-17 11:10 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2005-08-11 18:02]
S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {3CBBEE47-C8F4-316A-92FF-ED7E3DFAE41E} /qb
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-26 13:28:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-26 13:31:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-26 21:31:02
.
2008-01-26 05:11:42 --- E O F ---

#4
JSntgRvr
    Global Moderator
  • 11,037 posts
Hi, mik2 :)

  • Copy the entire contents of the Code Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
File::
C:\autorun.PNF
C:\WINDOWS\aswmklt.dll
C:\WINDOWS\elfwgps.dll
C:\WINDOWS\fvqkfsp.exe
C:\WINDOWS\SYSTEM32\wrtqyaio.ini
C:\WINDOWS\SYSTEM32\kswvsiov.ini
C:\WINDOWS\SYSTEM32\iphttphl2.dll
C:\WINDOWS\IFinst27.exe
C:\WINDOWS\wwybcf.ini2
C:\WINDOWS\SYSTEM32\ijjlm.bak1
C:\WINDOWS\SYSTEM32\ijjlm.bak2
C:\WINDOWS\SYSTEM32\ijjlm.ini2
C:\WINDOWS\SYSTEM32\jjkkj.bak1
C:\WINDOWS\SYSTEM32\jjkkj.bak2
C:\WINDOWS\SYSTEM32\jjkkj.ini2
C:\WINDOWS\SYSTEM32\oqtwa.bak1
C:\WINDOWS\SYSTEM32\oqtwa.bak2
C:\WINDOWS\SYSTEM32\oqtwa.ini2
RenV::
C:\Program Files\Alwil Software\Avast4\ashDisp .exe
C:\Program Files\Analog Devices\Core\smax4pnp .exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication .exe
C:\WINDOWS\SYSTEM32\ctfmon .exe
Driver::
MSControlService

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

Please do an online scan with Kaspersky WebScanner.

Click on Accept.

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, it will display whether your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post along with a HijackThis log.


#5
mik2
    New Member
  • Topic Starter
  • 4 posts
ComboFix 08-01-23.1C - Kuya MicMic Astig! 2008-01-27 15:15:11.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2802 [GMT -8:00]
Running from: C:\Documents and Settings\Kuya MicMic Astig!\Desktop\anti virus&spyware programs\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\WINDOWS\SYSTEM32\kswvsiov.ini
C:\WINDOWS\SYSTEM32\wrtqyaio.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.

2008-01-26 13:17 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-25 23:04 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-01-25 23:04 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-01-25 23:04 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-01-25 23:04 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-01-25 23:04 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-01-25 23:04 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-01-25 20:32 . 2008-01-25 20:32 2,312 --a------ C:\autorun.PNF
2008-01-25 20:18 . 2008-01-25 21:10 <DIR> d-------- C:\Program Files\Steam
2008-01-25 18:44 . 2008-01-25 18:44 <DIR> d-------- C:\Program Files\Valve
2008-01-25 00:57 . 2008-01-25 23:05 1,092 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-01-25 00:06 . 2008-01-25 00:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-24 23:47 . 2008-01-24 23:47 <DIR> d-------- C:\WINDOWS\Performance
2008-01-24 16:26 . 2008-01-24 11:50 229,376 --a------ C:\WINDOWS\aswmklt.dll
2008-01-24 16:26 . 2008-01-24 11:50 176,128 --a------ C:\WINDOWS\elfwgps.dll
2008-01-24 16:26 . 2008-01-24 11:50 98,304 --a------ C:\WINDOWS\fvqkfsp.exe
2008-01-24 16:15 . 2008-01-24 16:15 <DIR> d-------- C:\Program Files\AudioToolsFactory
2008-01-23 20:09 . 2008-01-25 15:28 <DIR> d-------- C:\VundoFix Backups
2008-01-22 05:54 . 2008-01-27 15:16 6,516,768 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2008-01-22 05:54 . 2008-01-27 15:16 167,712 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.dat
2008-01-22 05:54 . 2008-01-27 02:58 73,148 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx
2008-01-22 05:54 . 2008-01-27 02:58 16,268 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.idx
2008-01-21 22:17 . 2007-12-04 04:54 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2008-01-21 22:17 . 2007-12-04 06:51 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2008-01-21 22:17 . 2007-12-04 06:49 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2008-01-21 22:17 . 2007-12-04 06:53 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2008-01-21 22:16 . 2007-12-04 05:04 837,496 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2008-01-21 22:16 . 2007-12-04 06:55 94,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2008-01-21 22:16 . 2007-12-04 06:56 93,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2008-01-21 12:24 . 2008-01-21 12:25 1,449 --a------ C:\Config.ini
2008-01-19 11:29 . 2008-01-19 11:29 <DIR> d-------- C:\Program Files\Analog Devices
2008-01-18 22:33 . 2008-01-18 22:33 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-18 22:08 . 2006-03-24 17:08 28,778 --a------ C:\WINDOWS\SYSTEM32\klogon.dll
2008-01-17 18:06 . 2008-01-24 14:38 15,360 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ctfmon.exe
2008-01-17 18:06 . 2008-01-24 14:38 15,360 --a------ C:\WINDOWS\SYSTEM32\ctfmon.exe
2008-01-15 12:22 . 2008-01-15 12:23 212,008 --a------ C:\WINDOWS\SYSTEM32\iphttphl2.dll
2007-12-30 23:58 . 2007-12-30 23:58 <DIR> d-------- C:\Program Files\Red Kawa

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 06:05 --------- d-----w C:\Program Files\Real
2008-01-19 19:15 --------- d-----w C:\Program Files\Dell Support
2007-12-27 00:29 --------- d-----w C:\Program Files\Image-Line
2007-12-26 01:22 --------- d-----w C:\Program Files\Nokia
2007-12-26 01:22 --------- d-----w C:\Program Files\Common Files\Nokia
2007-12-18 21:51 --------- d-----w C:\Program Files\Paint
2007-12-18 18:50 --------- d-----w C:\Program Files\LimeWire
2007-12-12 18:44 --------- d-----w C:\Program Files\TaxCut07
2007-12-05 04:09 --------- d-----w C:\Program Files\Common Files\Download Manager
2007-12-03 20:22 --------- d-----w C:\Program Files\Common Files\Stardock
2007-12-02 06:25 --------- d-----w C:\Program Files\Stardock
2007-11-29 07:55 65,536 -c--a-w C:\WINDOWS\IFinst27.exe
2007-11-14 07:26 450,560 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jscript.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\lsasrv.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2007-10-30 09:55 3,065,856 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
2007-07-16 02:32 1,192,890 -csh--w C:\WINDOWS\wwybcf.ini2
2005-11-30 01:23 411,925 -csha-w C:\WINDOWS\SYSTEM32\ijjlm.bak1
2005-12-04 18:22 365,153 -csha-w C:\WINDOWS\SYSTEM32\ijjlm.bak2
2005-12-05 07:42 374,151 -csha-w C:\WINDOWS\SYSTEM32\ijjlm.ini2
2005-11-12 06:23 347,361 -csha-w C:\WINDOWS\SYSTEM32\jjkkj.bak1
2005-11-29 07:50 410,848 -csha-w C:\WINDOWS\SYSTEM32\jjkkj.bak2
2005-11-29 17:43 413,024 -csha-w C:\WINDOWS\SYSTEM32\jjkkj.ini2
2005-10-22 23:53 381,055 -csha-w C:\WINDOWS\SYSTEM32\oqtwa.bak1
2005-11-12 01:03 384,897 -csha-w C:\WINDOWS\SYSTEM32\oqtwa.bak2
2005-11-12 01:04 384,380 -csha-w C:\WINDOWS\SYSTEM32\oqtwa.ini2
.

((((((((((((((((((((((((((((( [email protected]_13.30.42.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-26 21:18:22 233,472 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-27 23:07:28 233,472 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-26 21:18:22 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-27 23:07:28 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-26 21:18:22 233,472 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-27 23:07:28 233,472 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-26 21:18:22 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-27 23:07:28 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-26 21:18:22 9,605,120 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-27 23:07:28 9,605,120 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-26 21:18:23 352,256 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-27 23:07:28 352,256 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2004-07-15 06:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1764\_aspnet_isapi.dll
+ 2004-07-15 05:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1764\_CORPerfMonExt.dll
+ 2004-07-15 05:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1764\_FUSION.DLL
+ 2004-07-15 05:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1764\_MSCORJIT.DLL
+ 2004-07-15 19:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1764\_MSCORLIB.DLL
+ 2003-02-21 00:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1764\_MSCORSN.DLL
+ 2004-07-15 05:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1764\_MSCORSVR.DLL
+ 2004-07-15 05:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1764\_MSCORWKS.DLL
+ 2003-02-21 09:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1764\_MSVCR71.DLL
+ 2004-07-15 05:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1764\_PerfCounter.dll
+ 2004-07-15 06:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2516\_aspnet_isapi.dll
+ 2004-07-15 05:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2516\_CORPerfMonExt.dll
+ 2004-07-15 05:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2516\_FUSION.DLL
+ 2004-07-15 05:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2516\_MSCORJIT.DLL
+ 2004-07-15 19:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2516\_MSCORLIB.DLL
+ 2003-02-21 00:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2516\_MSCORSN.DLL
+ 2004-07-15 05:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2516\_MSCORSVR.DLL
+ 2004-07-15 05:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2516\_MSCORWKS.DLL
+ 2003-02-21 09:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2516\_MSVCR71.DLL
+ 2004-07-15 05:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2516\_PerfCounter.dll
+ 2004-07-15 06:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2552\_aspnet_isapi.dll
+ 2004-07-15 05:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2552\_CORPerfMonExt.dll
+ 2004-07-15 05:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2552\_FUSION.DLL
+ 2004-07-15 05:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2552\_MSCORJIT.DLL
+ 2004-07-15 19:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2552\_MSCORLIB.DLL
+ 2003-02-21 00:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2552\_MSCORSN.DLL
+ 2004-07-15 05:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2552\_MSCORSVR.DLL
+ 2004-07-15 05:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2552\_MSCORWKS.DLL
+ 2003-02-21 09:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2552\_MSVCR71.DLL
+ 2004-07-15 05:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2552\_PerfCounter.dll
+ 2004-07-15 06:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3636\_aspnet_isapi.dll
+ 2004-07-15 05:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3636\_CORPerfMonExt.dll
+ 2004-07-15 05:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3636\_FUSION.DLL
+ 2004-07-15 05:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3636\_MSCORJIT.DLL
+ 2004-07-15 19:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3636\_MSCORLIB.DLL
+ 2003-02-21 00:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3636\_MSCORSN.DLL
+ 2004-07-15 05:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3636\_MSCORSVR.DLL
+ 2004-07-15 05:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3636\_MSCORWKS.DLL
+ 2003-02-21 09:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3636\_MSVCR71.DLL
+ 2004-07-15 05:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3636\_PerfCounter.dll
+ 2004-07-15 06:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3872\_aspnet_isapi.dll
+ 2004-07-15 05:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3872\_CORPerfMonExt.dll
+ 2004-07-15 05:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3872\_FUSION.DLL
+ 2004-07-15 05:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3872\_MSCORJIT.DLL
+ 2004-07-15 19:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3872\_MSCORLIB.DLL
+ 2003-02-21 00:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3872\_MSCORSN.DLL
+ 2004-07-15 05:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3872\_MSCORSVR.DLL
+ 2004-07-15 05:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3872\_MSCORWKS.DLL
+ 2003-02-21 09:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3872\_MSVCR71.DLL
+ 2004-07-15 05:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3872\_PerfCounter.dll
+ 2008-01-27 19:44:27 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4c4.dat
+ 2008-01-27 19:44:15 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_66c.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-24 14:38 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
-ra--c--- 2004-08-25 09:52 339968 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellMCM]
-ra--c--- 2004-07-27 11:08 262144 C:\Program Files\Dell Photo AIO Printer 942\memcard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2008-01-20 15:38 227328 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2007-04-27 08:41 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-11-17 11:10 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2005-08-11 18:02]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {3CBBEE47-C8F4-316A-92FF-ED7E3DFAE41E} /qb
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 15:16:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-27 15:17:09
ComboFix-quarantined-files.txt 2008-01-27 23:17:07
.
2008-01-27 23:00:52 --- E O F ---
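As an added example (not part of this thread, and not ComboFix's own tooling), here is a small Python script that parses the two file-line layouts ComboFix uses in its "Files Created" and "Find3M" sections, applies a few heuristics to them, and drafts the File:: and RenV:: sections of a CFScript in the same layout as the one the moderator posted in #4. The sample log lines are copied from the ComboFix log above, plus one constructed line for a binary renamed with a space before ".exe" (the pattern the RenV:: entries in #4 address). The heuristics are my own and deliberately conservative: a non-Windows extension such as .ini2/.bak1/.bak2 under C:\WINDOWS earns a File:: entry, a " .exe" name earns a RenV:: entry, but hidden+system attributes alone only earn a manual-review line, because legitimate antivirus data files (fidbox.dat in the log above) carry the same attributes.

```python
"""Triage ComboFix log lines and draft the File::/RenV:: sections of a CFScript.

Added example for the thread; not ComboFix code. The heuristics are the example
author's own. SAMPLE_LOG is constructed from the log posted above plus one
invented 'renamed victim' line (LaunchApplication .exe).
"""
import re
from pathlib import PureWindowsPath

# Matches both ComboFix line layouts seen in the log:
#   "Files Created": <created> . <modified> <size> <attrs> <path>
#   "Find3M":        <modified> <size> <attrs> <path>
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d \d\d:\d\d)"
    r"(?: \. \d{4}-\d\d-\d\d \d\d:\d\d)?"
    r" (?P<size>[\d,]+|<DIR>|-+)"
    r" (?P<attrs>[-a-z]+)"
    r" (?P<path>[A-Za-z]:\\.+?)\s*$"
)

# Extensions Windows itself does not create under %WINDIR%; in this thread they
# belong to the files the moderator scripted for deletion.
ODD_EXTENSIONS = {".ini2", ".bak1", ".bak2"}
WINDIR = PureWindowsPath(r"C:\WINDOWS")

# Constructed sample: lines taken from the posted log, last line invented.
SAMPLE_LOG = r"""
2008-01-24 16:26 . 2008-01-24 11:50 229,376 --a------ C:\WINDOWS\aswmklt.dll
2008-01-22 05:54 . 2008-01-27 15:16 6,516,768 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2008-01-17 18:06 . 2008-01-24 14:38 15,360 --a------ C:\WINDOWS\SYSTEM32\ctfmon.exe
2008-01-24 06:05 --------- d-----w C:\Program Files\Real
2007-07-16 02:32 1,192,890 -csh--w C:\WINDOWS\wwybcf.ini2
2005-11-30 01:23 411,925 -csha-w C:\WINDOWS\SYSTEM32\ijjlm.bak1
2005-12-05 07:42 374,151 -csha-w C:\WINDOWS\SYSTEM32\ijjlm.ini2
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
2008-01-20 15:38 227,328 ----a-w C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication .exe
"""


def parse_combofix(text):
    """Return one dict per recognisable file line; every other line is ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["path"] = PureWindowsPath(d["path"])
        # Both layouts spell hidden/system as the letters 'h' and 's' in the attr field.
        d["hidden_system"] = "h" in d["attrs"] and "s" in d["attrs"]
        entries.append(d)
    return entries


def triage(entries):
    """Sort entries into CFScript actions plus a list that needs a human."""
    delete, rename, review = [], [], []
    for e in entries:
        p = e["path"]
        in_windir = WINDIR in p.parents  # PureWindowsPath compares case-insensitively
        if in_windir and p.suffix.lower() in ODD_EXTENSIONS:
            delete.append(str(p))
        elif p.name.lower().endswith(" .exe"):
            # A space before .exe marks a legitimate binary renamed aside;
            # a RenV:: entry tells ComboFix to restore the original name.
            rename.append(str(p))
        elif in_windir and e["hidden_system"]:
            # Hidden+system alone is not proof: antivirus databases use it too.
            review.append(str(p))
    return {"delete": delete, "rename": rename, "review": review}


def build_cfscript(actions):
    """Render File:: and RenV:: sections, one path per line, as ComboFix reads them."""
    out = []
    if actions["delete"]:
        out.append("File::")
        out.extend(actions["delete"])
    if actions["rename"]:
        out.append("RenV::")
        out.extend(actions["rename"])
    return "\n".join(out) + ("\n" if out else "")


if __name__ == "__main__":
    acts = triage(parse_combofix(SAMPLE_LOG))
    print(build_cfscript(acts), end="")
    for p in acts["review"]:
        print("REVIEW (hidden+system, confirm the vendor before scripting):", p)
```

Run it against a saved ComboFix log and paste only the printed File::/RenV:: block into CFScript.txt the way post #4 describes; the REVIEW lines are for a person, not for the script. It does not reproduce everything the moderator scripted: the three files created together on 2008-01-24 (aswmklt.dll, elfwgps.dll, fvqkfsp.exe) and the Driver:: entry need judgement that the attribute and extension heuristics alone do not provide.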

#6 JSntgRvr (Global Moderator, 11,037 posts)
You have not followed any of my instructions. Please remove Combofix from the current location:

C:\Documents and Settings\Kuya MicMic Astig!\Desktop\anti virus&spyware programs\ComboFix.exe

and download a new version directly onto your desktop. (This is important: the program must be on your desktop.) Then proceed with the instructions in Post #4.

#7 mik2 (New Member, Topic Starter, 4 posts)
OK, sorry, I'll do it again.

Edited by mik2, 29 January 2008 - 04:27 PM.


#8 JSntgRvr (Global Moderator, 11,037 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.