Infected with several viruses. [RESOLVED]


  • This topic is locked

#16 Daniel Q. (Topic Starter, Member, 14 posts)
ComboFix 08-01-23.1C - Daniel 2008-01-27 9:50:19.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.296 [GMT -5:00]
Running from: C:\Documents and Settings\Daniel\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Daniel\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Documents and Settings\Daniel\Desktop\Adobe Photoshop CS2\crack.exe
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\DYTMJXAR\AntiVirusInstallFreeNM_en[1].exe
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\DYTMJXAR\tr[1]
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\K9MB0DQF\apst377[1]
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\K9MB0DQF\gamadril20071203[1]
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\K9MB0DQF\hctp[1]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Daniel\Desktop\Adobe Photoshop CS2\crack.exe
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\DYTMJXAR\AntiVirusInstallFreeNM_en[1].exe
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\DYTMJXAR\tr[1]
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\K9MB0DQF\apst377[1]
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\K9MB0DQF\gamadril20071203[1]
C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\K9MB0DQF\hctp[1]
C:\VundoFix Backups
C:\VundoFix Backups\dqhkhdsc.dll.bad
C:\VundoFix Backups\drvpovr.dll.bad
C:\VundoFix Backups\ffhkj.ini.bad
C:\VundoFix Backups\ffhkj.ini2.bad
C:\VundoFix Backups\iewcrkvu.dll.bad
C:\VundoFix Backups\iewcrkvu.dllbox.bad
C:\VundoFix Backups\jfoggjlc.dll.bad
C:\VundoFix Backups\jkhff.dll.bad
C:\VundoFix Backups\jkhff.exe.bad
C:\VundoFix Backups\keidvfqq.dll.bad
C:\VundoFix Backups\ldecenvx.dll.bad
C:\VundoFix Backups\nplbnipu.exe.bad
C:\VundoFix Backups\sfepwkff.exe.bad
C:\VundoFix Backups\ssqrsro.dll.bad
C:\VundoFix Backups\winjgf32.dll.bad
C:\VundoFix Backups\xooupmlq.exe.bad
C:\VundoFix Backups\xpikronn.dll.bad
C:\VundoFix Backups\yayxvww.dll.bad

.
((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.

2008-01-26 22:48 . 2008-01-26 22:48 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-26 19:50 . 2008-01-26 19:50 <DIR> d--h-c--- C:\WINDOWS\$SQLUninstallMDAC28-KB911562-x86-ENU$
2008-01-26 19:23 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-26 18:54 . 2008-01-26 18:54 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-01-26 18:54 . 2008-01-26 18:54 <DIR> d-------- C:\WINDOWS\ehome
2008-01-26 18:49 . 2005-10-20 17:33 991,232 --a------ C:\WINDOWS\system32\esent.dll
2008-01-26 09:32 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2008-01-26 09:32 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2008-01-26 09:32 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-01-26 09:32 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-01-26 09:32 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-26 09:32 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2008-01-26 09:32 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-26 09:32 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-26 09:32 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-26 09:28 . 2008-01-26 09:29 <DIR> d-------- C:\WINDOWS\Windows Update Setup Files
2008-01-26 09:28 . 2008-01-26 09:29 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-01-22 10:14 . 2008-01-22 10:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-22 09:19 . 2008-01-22 09:19 <DIR> d-------- C:\Program Files\Acceleration Software
2008-01-22 09:18 . 2008-01-22 09:18 <DIR> d-------- C:\Program Files\eAcceleration
2008-01-22 09:18 . 2008-01-22 09:19 <DIR> d-------- C:\Program Files\Common Files\eAcceleration
2008-01-21 18:52 . 2008-01-22 08:48 90,112 --a------ C:\WINDOWS\UpdReg.EXE
2008-01-16 14:31 . 2008-01-18 17:30 <DIR> d-------- C:\Program Files\Opera
2008-01-10 18:24 . 2006-03-07 13:27 507,904 --a--c--- C:\WINDOWS\system32\dllcache\msado15.dll
2008-01-10 18:23 . 2008-01-10 18:23 126,976 --a------ C:\WINDOWS\system32\odbcconf.dll
2008-01-10 18:23 . 2008-01-10 18:23 126,976 --a--c--- C:\WINDOWS\system32\dllcache\odbcconf.dll
2008-01-10 18:23 . 2008-01-10 18:23 69,632 --a------ C:\WINDOWS\system32\odbcconf.exe
2008-01-10 18:23 . 2008-01-10 18:23 69,632 --a--c--- C:\WINDOWS\system32\dllcache\odbcconf.exe
2008-01-10 18:23 . 2008-01-10 18:23 253 --a------ C:\WINDOWS\system32\mdaccore.rsp
2008-01-10 18:23 . 2008-01-10 18:23 181 --a------ C:\WINDOWS\system32\sqlclnt.rsp
2008-01-10 18:23 . 2008-01-10 18:23 28 --a------ C:\WINDOWS\system32\redist.rsp
2008-01-10 16:52 . 2008-01-27 08:41 <DIR> d-------- C:\Program Files\Steam
2008-01-10 16:29 . 2008-01-10 16:29 <DIR> d-------- C:\Program Files\Ideazon
2008-01-10 16:29 . 2005-05-02 15:41 49,152 --a------ C:\WINDOWS\system32\ZboardConfig.cpl
2008-01-10 16:29 . 2003-09-03 07:14 49,152 --a------ C:\WINDOWS\system32\Winlognotif.dll
2008-01-10 16:28 . 2002-08-29 02:06 51,072 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
2008-01-10 16:28 . 2002-08-29 02:06 51,072 --a--c--- C:\WINDOWS\system32\dllcache\i8042prt.sys
2008-01-10 16:28 . 2005-09-22 01:22 30,976 -ra------ C:\WINDOWS\system32\drivers\OmniDrv.sys
2008-01-10 16:28 . 2005-09-22 01:22 28,800 -ra------ C:\WINDOWS\system32\drivers\OmniUsb.sys
2008-01-10 16:28 . 2002-08-29 01:27 23,424 --a------ C:\WINDOWS\system32\drivers\kbdclass.sys
2008-01-10 16:28 . 2002-08-29 01:27 23,424 --a--c--- C:\WINDOWS\system32\dllcache\kbdclass.sys
2008-01-10 16:28 . 2001-08-17 13:48 13,952 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-01-10 16:28 . 2001-08-17 13:48 13,952 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-01-10 16:28 . 2005-09-22 01:22 9,696 -ra------ C:\WINDOWS\system32\drivers\OmniUsbl.sys
2008-01-10 16:02 . 2002-08-29 03:40 20,480 --a------ C:\WINDOWS\system32\hidserv.dll
2008-01-10 16:02 . 2002-08-29 03:40 20,480 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-01-10 16:01 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-01-10 16:01 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-01-07 19:16 . 2008-01-07 19:16 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-07 19:16 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-01-07 19:16 . 2008-01-10 18:25 453 --a------ C:\WINDOWS\ODBC.INI
2008-01-07 19:15 . 2008-01-07 19:15 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-01-07 19:12 . 2008-01-07 19:12 <DIR> dr-h----- C:\MSOCache
2008-01-07 19:08 . 2008-01-07 19:08 <DIR> d-------- C:\Program Files\MagicISO
2008-01-07 19:06 . 2008-01-26 22:40 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-01-07 19:03 . 2008-01-07 19:03 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-01-06 10:08 . 2008-01-06 10:08 <DIR> d-------- C:\WINDOWS\Sun
2008-01-01 10:51 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-01 10:50 . 2008-01-01 10:51 <DIR> d-------- C:\Program Files\Java
2008-01-01 10:50 . 2008-01-01 10:50 <DIR> d-------- C:\Program Files\Common Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 00:30 --------- d-----w C:\Program Files\MSN Messenger
2008-01-26 01:08 --------- d-----w C:\Program Files\World of Warcraft
2008-01-21 14:18 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-10 23:25 --------- d--h--w C:\Program Files\Uninstall Information
2008-01-10 21:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-02 14:58 --------- d-----w C:\Program Files\DivX
2007-12-24 05:28 --------- d-----w C:\Program Files\Galactic Magnate
2007-12-19 06:37 --------- d-----w C:\Program Files\AutoIt3
2007-12-19 06:23 --------- d-----w C:\Program Files\AIM6
2007-12-19 06:22 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-18 21:21 --------- d-----w C:\Program Files\QuickTime
2007-12-18 21:21 --------- d-----w C:\Program Files\iTunes
2007-12-18 21:21 --------- d-----w C:\Program Files\iPod
2007-12-18 21:20 --------- d-----w C:\Program Files\Apple Software Update
2007-12-18 15:13 --------- d-----w C:\Program Files\WowEquip
2007-12-06 19:35 --------- d-----w C:\Program Files\BitLord
2007-12-04 02:50 --------- d-----w C:\Program Files\Ventrilo
2007-12-04 02:50 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-04 01:43 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2007-12-04 01:26 --------- d-----w C:\Program Files\Creative
2007-12-04 01:22 --------- d-----w C:\Program Files\ATI Technologies
2007-12-04 01:21 --------- d-----w C:\Program Files\Intel
2007-12-04 01:17 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-04 01:12 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-04 01:11 558,142 ----a-w C:\WINDOWS\java\Packages\O1ZJRHB1.ZIP
2007-12-04 01:11 155,995 ----a-w C:\WINDOWS\java\Packages\1R7FLF3F.ZIP
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
.

((((((((((((((((((((((((((((( snapshot_2008-01-26_22.42.38.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-27 05:06:01 860,160 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\23f55ce1560dd24f8cf8ab0f912754f9\AspNetMMCExt.ni.dll
+ 2008-01-27 05:06:13 1,724,416 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\84ceb3f25f4b57419c29600d4743284a\Microsoft.VisualBasic.ni.dll
+ 2008-01-27 05:07:46 2,310,144 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\3ee9d09332040643888f6ef1f3129510\System.Web.Mobile.ni.dll
+ 2008-01-27 05:08:13 1,945,600 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Services\b4f4112315fa2b4594fd775f898c929d\System.Web.Services.ni.dll
+ 2008-01-27 05:07:28 11,845,632 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\b2454ca71a334f4c9b83e29d6797c1ec\System.Web.ni.dll
- 2008-01-27 03:40:26 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-27 14:50:17 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-27 03:40:26 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-27 14:50:17 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-27 03:40:26 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-27 14:50:17 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-27 03:40:26 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-27 14:50:17 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-27 03:40:27 1,490,944 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-27 14:50:17 1,490,944 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-27 03:40:27 143,360 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-27 14:50:17 143,360 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-27 02:23:09 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-27 13:40:50 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-27 02:23:09 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-27 13:40:50 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-27 02:23:09 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-27 13:40:50 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [ ]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-22 08:49 486856]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-01-22 08:49 1266936]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-11-15 16:18 1670144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 16:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-01-22 08:48 290816]
"StopSignSsTsMon"="C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll" [2007-11-26 12:40 149152]
"StopSignSsSsMon"="C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll" [2007-11-26 12:40 132768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"StopSignSsTsMon"="C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll" [2007-11-26 12:40 149152]
"StopSignSsSsMon"="C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll" [2007-11-26 12:40 132768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"ZboardTray"= "C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe" /autolaunch

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Zboard]
Winlognotif.dll 2003-09-03 07:14 49152 C:\WINDOWS\system32\Winlognotif.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-10-04 10:20 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-11-15 16:18 1670144 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 10:56 286720 C:\Program Files\QuickTime\QTTask.exe


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 09:52:00
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-27 9:52:37
ComboFix-quarantined-files.txt 2008-01-27 14:52:29
ComboFix2.txt 2008-01-27 03:43:10
ComboFix3.txt 2008-01-27 00:33:48
.
2008-01-27 01:10:04 --- E O F ---
  • 0

#17 Daniel Q. (Topic Starter, Member, 14 posts)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:01 AM, on 1/27/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [StopSignSsSsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll",VerifyStatus
O4 - HKLM\..\RunOnce: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus /ro
O4 - HKLM\..\RunOnce: [StopSignSsSsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll",VerifyStatus /ro
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKLM\..\Policies\Explorer\Run: [ZboardTray] "C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe" /autolaunch
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1201357860359
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4062 bytes
  • 0
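As an added example (not code from this thread and not part of Trend Micro's HijackThis), a small Python parser for the R0/O2/O4/O23 lines of a HijackThis log like the one above. It extracts the registry location and the file each autostart actually loads, and separates out two kinds of entries that need a second look before judging them: bare file names with no directory (resolved through the search path, so the file has to be located on disk first) and entries hosted by rundll32 (where the DLL, not rundll32, is what runs). The sample lines are copied from the log above; `Entry`, `parse_hjt`, `image_of` and the two helper names are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the HijackThis log in this thread,
# embedded so the script runs without the original log file.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKLM\..\Policies\Explorer\Run: [ZboardTray] "C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe" /autolaunch
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
"""


@dataclass
class Entry:
    section: str   # HijackThis section code: R0, O2, O4 or O23
    name: str      # Run value name, BHO name, service name, or IE value name
    location: str  # registry key, CLSID, or service owner as logged
    command: str   # raw command line / path / URL as logged
    image: str     # the file actually loaded, quotes and arguments stripped


O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
R0_RE = re.compile(r"^R0 - (?P<key>.*?) = (?P<value>.*)$")
# rundll32 is only a host process; the DLL named after it is what really runs.
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?', re.IGNORECASE)
# Unquoted paths may contain spaces, so cut at the first executable extension.
EXT_RE = re.compile(r"^(?P<img>.+?\.(?:exe|dll|com|scr|bat|cmd|cpl))(?:\s|$)", re.IGNORECASE)


def image_of(command: str) -> str:
    """Return the executable or DLL that a logged O4 command line loads."""
    command = command.strip()
    if m := RUNDLL_RE.match(command):
        return m["dll"]
    if command.startswith('"'):                 # quoted path, maybe with arguments
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    if m := EXT_RE.match(command):              # unquoted path or bare file name
        return m["img"]
    return command.split()[0]


def parse_hjt(text: str) -> List[Entry]:
    """Parse the R0/O2/O4/O23 lines of a HijackThis log into Entry records."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.rstrip()
        if m := O4_RE.match(line):
            entries.append(Entry("O4", m["name"], m["key"], m["cmd"], image_of(m["cmd"])))
        elif m := O2_RE.match(line):
            entries.append(Entry("O2", m["name"], m["clsid"], m["path"], m["path"].strip()))
        elif m := O23_RE.match(line):
            # O23 paths are logged unquoted and in full, so take the whole path.
            entries.append(Entry("O23", m["name"], m["owner"], m["path"], m["path"].strip()))
        elif m := R0_RE.match(line):
            key, _, value_name = m["key"].partition(",")
            entries.append(Entry("R0", value_name or "Start Page", key, m["value"], m["value"]))
    return entries


def bare_image_names(entries: List[Entry]) -> List[Entry]:
    """Autostarts whose image has no directory: locate the file on disk before judging it."""
    return [e for e in entries if e.section in ("O4", "O23") and "\\" not in e.image]


def loaded_via_rundll32(entries: List[Entry]) -> List[Entry]:
    """Autostarts where rundll32 hosts a DLL: the DLL is the thing to review."""
    return [e for e in entries if e.section == "O4" and RUNDLL_RE.match(e.command.strip())]


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    for e in found:
        print(f"{e.section:<4}{e.name:<18}{e.location:<40}{e.image}")
    print("needs path lookup:", [e.name for e in bare_image_names(found)])
    print("rundll32-hosted  :", [e.name for e in loaded_via_rundll32(found)])
```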

#18 Daniel Q. (Topic Starter, Member, 14 posts)
It seems to be doing fine. I did a restart and right away I noticed that I did not have any of the critical error popups.
Also I don't have the little icon on the lower right hand corner telling me that I have suspicious files and stuff like that.
So far so good.

Thanks a million for the assistance and all the help you have provided.
  • 0

#19 JSntgRvr (Global Moderator, 11,579 posts)
Hi, Daniel Q. :)

Congratulations.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
  • If the disclaimer notice is displayed, select "2" and press Enter

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.
Create a Restore point (If the above process fails):
  • Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  • In the System Restore dialog box, click Create a restore point, and then click Next.
  • Type a description for your restore point, such as "After Cleanup", then click Create.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Microsoft Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

Best wishes!
  • 0

#20 Daniel Q. (Topic Starter, Member, 14 posts)
Wow, amazing.

Thanks so much for your help, and the forums.

Seriously, if anyone is reading this, MAKE A DONATION. This kind of work anywhere else costs money, and many times it's not cheap.
And worst of all, many times when there is a virus we end up rebooting our PCs and losing valuable information.
Many thanks go out to the geekstogo staff and my best wishes.

Cya all,
Dan
  • 0

#21 JSntgRvr (Global Moderator, 11,579 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
