Welcome to Geeks to Go - Register now for FREE
Desperately need help with win32.unknown.random.x anyone familiar wit


  • This topic is locked

#1 Engelzz (Member, 14 posts)
Hi all,

recently my desktop and taskbar disappeared. I tried all suggestions I could get from the net but did not solve the problem. I've also done a virus scan using RemoveItPro V4.32
and it said I've been infected with the following dangerous files:

1) Win32.Unknown.Random.X
2) Sys32.diskcheck
3) Sys32.explore
4) Sys32.Ismgr
5) Sys32.vtssp

Are all these files the cause of my disappearing desktop/taskbar problems? Also, because RemoveItPro V4.32 is a trial version, I couldn't use it to remove these files. I've also tried to locate these files manually using the search icon, but couldn't locate any of them. Does anyone know of any way I can remove them for free? Please help me :)

#2 Rorschach112 (Ralphie; Retired Staff, 47,710 posts)
Hello

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#3 Engelzz (Topic Starter; Member, 14 posts)
Hi Rorschach112, thx a lot for taking time to help me. :)

#4 Engelzz (Topic Starter; Member, 14 posts)
Deckard's System Scanner v20071014.68
Run by Eliezer on 2008-02-01 16:01:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-02-02 00:02:19 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2008-02-02 00:01:44 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 256 MiB (512 MiB recommended).
System Drive C: has 2.54 GiB (less than 15%) free.


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-02-01 16:04:28
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Eliezer\Desktop\dss.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccClient.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F0 - win.ini: load=C:\WINDOWS\system32\vtssp.exe
F3 - REG:win.ini: Load=C:\WINDOWS\system32\userinit.exe,
O1 - Hosts: 203.116.196.243 nprotect.maplesea.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A1803A60-7372-4941-AD70-62F179DD9B66} - C:\WINDOWS\system32\vtssp.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: mssgr Object - {EC564D32-0F1A-4367-8A9B-4A9F57688D03} - C:\WINDOWS\system32\lsmgr.dll
O2 - BHO: (no name) - {FC1B64D9-3499-4791-82D5-AABAC3FAEA45} - C:\WINDOWS\system32\cbxxyvw.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [RemoveIT Pro XT] C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-sg\msntabres.dll.mui/229?429a22aa785d44dba59ed015a789b609
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-sg\msntabres.dll.mui/230?429a22aa785d44dba59ed015a789b609
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: 精彩游蠒 - {D1EDDE84-E67E-4ccd-B28E-73AD3B71A7C9} - http://bars.duole8.com/ (file missing)
O9 - Extra 'Tools' menuitem: 精彩游蠒 - {D1EDDE84-E67E-4ccd-B28E-73AD3B71A7C9} - http://bars.duole8.com/ (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00000055-9980-0010-8000-00AA00389B71} () - http://codecs.micros...cs/i386/fhg.CAB
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} () - http://download.micr...D0C/wmv9dmo.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: cbxxyvw - C:\WINDOWS\system32\cbxxyvw.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe


--
End of file - 8317 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 npkcrypt - c:\program files\wizet\maplestory\npkcrypt.sys <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-02-01 15:45:00 258 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-01-31 20:00:04 414 --a------ C:\WINDOWS\Tasks\AwcProUpdate.job
2008-01-31 16:30:01 402 --a------ C:\WINDOWS\Tasks\Advanced WindowsCare V2 Pro.job


-- Files created between 2008-01-01 and 2008-02-01 -----------------------------

2008-01-30 22:56:56 0 d-------- C:\InCode Solutions
2008-01-30 22:52:44 0 d-------- C:\Program Files\InCode Solutions
2008-01-30 21:52:16 0 d-------- C:\WINDOWS\Prefetch
2008-01-13 20:55:20 0 d-------- C:\WINDOWS\pss
2008-01-13 19:49:07 0 d-------- C:\Program Files\Enigma Software Group
2008-01-13 18:52:12 3584 --a------ C:\WINDOWS\system32\vtssp.exe
2008-01-13 00:12:14 7735 --ahs---- C:\WINDOWS\system32\psstv.ini2
2008-01-13 00:11:28 335360 -----n--- C:\WINDOWS\system32\vtssp.dll
2008-01-13 00:06:15 39424 --a------ C:\WINDOWS\system32\cbxxyvw.dll


-- Find3M Report ---------------------------------------------------------------

2008-01-30 22:26:40 0 d-------- C:\Program Files\Windows Live Toolbar
2008-01-30 22:26:39 0 d-------- C:\Program Files\VeryPDF PDF2Word v3.0
2008-01-30 22:26:39 0 d-------- C:\Program Files\Smart PDF Converter Pro
2008-01-30 22:26:38 0 d-------- C:\Program Files\Movie Maker
2008-01-30 22:26:34 0 d-------- C:\Program Files\Messenger
2008-01-30 22:26:34 0 d-------- C:\Program Files\DivX
2008-01-30 22:26:34 0 d-------- C:\Program Files\Codec Pack - All In 1
2008-01-30 21:32:48 22744 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-01-23 18:15:53 0 d-------- C:\Documents and Settings\Eliezer\Application Data\BitTorrent
2008-01-18 02:40:17 0 d-------- C:\Program Files\MSN Messenger
2008-01-17 14:23:35 0 d-------- C:\Program Files\Combined Community Codec Pack
2008-01-17 14:23:35 0 d-------- C:\Program Files\BlueVoda Website Builder
2008-01-13 02:49:59 0 d-------- C:\Documents and Settings\Eliezer\Application Data\AVG7
2008-01-13 00:26:51 0 d-------- C:\Program Files\PC Tools Firewall Plus
2008-01-12 02:21:23 1999 --a------ C:\Documents and Settings\Eliezer\Application Data\.googlewebacchosts
2008-01-03 04:53:31 0 d-------- C:\Program Files\Common Files\Adobe
2008-01-03 04:53:30 0 d-------- C:\Program Files\Common Files
2008-01-03 04:11:31 0 d-------- C:\Documents and Settings\Eliezer\Application Data\Adobe
2008-01-03 03:58:58 0 d-------- C:\Program Files\Java
2007-12-31 18:59:01 0 d-------- C:\Program Files\Viewpoint
2007-11-07 11:09:51 1541 --a----c- C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1803A60-7372-4941-AD70-62F179DD9B66}]
01/13/2008 12:12 AM 335360 --------- C:\WINDOWS\system32\vtssp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EC564D32-0F1A-4367-8A9B-4A9F57688D03}]
08/03/2004 05:07 PM 155648 --ahs---- C:\WINDOWS\system32\lsmgr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC1B64D9-3499-4791-82D5-AABAC3FAEA45}]
01/13/2008 12:06 AM 39424 --a------ C:\WINDOWS\system32\cbxxyvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00PCTFW"="C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 05:07 PM]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"RemoveIT Pro XT"="C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe" [02/01/2008 04:02 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [7/9/2007 9:24:38 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FC1B64D9-3499-4791-82D5-AABAC3FAEA45}"= C:\WINDOWS\system32\cbxxyvw.dll [01/13/2008 12:06 AM 39424]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxxyvw]
cbxxyvw.dll 01/13/2008 12:06 AM 39424 C:\WINDOWS\system32\cbxxyvw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtssp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL diskcheck.exe c:
播暸\command- C:\diskcheck.exe c:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{003e1db0-4648-11dc-bc9b-000000000000}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL diskcheck.exe f:
播暸\command- D:\diskcheck.exe f:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{003e1db1-4648-11dc-bc9b-000000000000}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL diskcheck.exe g:
播暸\command- G:\diskcheck.exe g:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{003e1db2-4648-11dc-bc9b-000000000000}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL diskcheck.exe h:
播暸\command- H:\diskcheck.exe h:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59489b00-214b-11dc-bc60-000000000000}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Boot.exe e
Open\command- Boot.exe e




-- Hosts -----------------------------------------------------------------------

203.116.196.243 nprotect.maplesea.com


-- End of Deckard's System Scanner: finished at 2008-02-01 16:05:39 ------------
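As an added triage example (my own code, not part of this thread and not a feature of Deckard's System Scanner or HijackThis), the script below reads HijackThis-style entries and the "Files created" list in the format of the log above and ranks entries that sit in high-risk load points (win.ini load=, the hosts file, Winlogon Notify) or point at files created shortly before the scan. The sample input is copied from post #4; the rule set, the function names and the 30-day window are assumptions of this example. Nothing is deleted or modified; the output is only a list of what a human should look at first.

```python
"""Triage helper for HijackThis-style scan lines (added example, assumptions noted inline)."""
import re
from datetime import date

# Constructed sample: lines copied from the DSS log in post #4
# (HijackThis-clone section and the "Files created" section).
HJT_LINES = r"""
F0 - win.ini: load=C:\WINDOWS\system32\vtssp.exe
O1 - Hosts: 203.116.196.243 nprotect.maplesea.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A1803A60-7372-4941-AD70-62F179DD9B66} - C:\WINDOWS\system32\vtssp.dll
O2 - BHO: mssgr Object - {EC564D32-0F1A-4367-8A9B-4A9F57688D03} - C:\WINDOWS\system32\lsmgr.dll
O2 - BHO: (no name) - {FC1B64D9-3499-4791-82D5-AABAC3FAEA45} - C:\WINDOWS\system32\cbxxyvw.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: cbxxyvw - C:\WINDOWS\system32\cbxxyvw.dll
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
"""

FILES_CREATED = r"""
2008-01-13 18:52:12 3584 --a------ C:\WINDOWS\system32\vtssp.exe
2008-01-13 00:11:28 335360 -----n--- C:\WINDOWS\system32\vtssp.dll
2008-01-13 00:06:15 39424 --a------ C:\WINDOWS\system32\cbxxyvw.dll
"""

SCAN_DATE = date(2008, 2, 1)  # "Run by Eliezer on 2008-02-01" in the log header

# Assumed rule set: load points that legitimate XP-era software rarely uses.
HOOK_SECTIONS = {
    "F0": "win.ini load= entry (runs at every logon)",
    "O1": "hosts file override (redirects a hostname)",
    "O20": "Winlogon Notify DLL (loaded into winlogon.exe)",
}

# First drive-letter path ending in a loadable extension; non-greedy so
# "C:\Program Files\...\AcroIEHelper.dll" stops at the first .dll.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|cpl|ocx)\b", re.IGNORECASE)
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}\s+\d+\s+\S+\s+(.+)$")


def extract_path(line):
    """Return the executable/library path named in a HijackThis line, or None."""
    m = PATH_RE.search(line)
    return m.group(0) if m else None


def parse_created(text):
    """Map lower-cased file path -> creation date from a 'Files created' section."""
    created = {}
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            created[m.group(2).strip().lower()] = date.fromisoformat(m.group(1))
    return created


def triage(hjt_text, created_text, scan_date, window_days=30):
    """Return entries worth a human look, each with the reasons it was flagged."""
    created = parse_created(created_text)
    findings = []
    for line in hjt_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        reasons = []
        if section in HOOK_SECTIONS:
            reasons.append(HOOK_SECTIONS[section])
        if section == "O2" and "(no name)" in line:
            reasons.append("BHO registered without a name")
        path = extract_path(line)
        if path:
            ts = created.get(path.lower())
            if ts is not None and (scan_date - ts).days <= window_days:
                reasons.append(f"target file created {ts.isoformat()}, within {window_days} days of the scan")
        if reasons:
            findings.append({"section": section, "path": path, "line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(HJT_LINES, FILES_CREATED, SCAN_DATE):
        print(f["line"])
        for r in f["reasons"]:
            print("   ->", r)
```

On the sample above the script flags the F0, O1 and O20 entries and the two unnamed BHOs, and leaves the Adobe BHO, ctfmon.exe and the firewall service alone. It does not flag lsmgr.dll: that BHO has a name and, per the Registry Dump in the same log, a 2004 timestamp, so a timestamp-based rule cannot separate it from OS files. That gap is the reason a helper's output is a reading order for a person, not a removal list.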

#5 Engelzz (Topic Starter; Member, 14 posts)
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP
Percentage of Memory in Use: 72%
Physical Memory (total/avail): 255.48 MiB / 69.23 MiB
Pagefile Memory (total/avail): 1002.27 MiB / 805.84 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1940.58 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 29.3 GiB total, 2.54 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - MAXTOR 6L060J3 - 55.91 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 29.3 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: PC Tools Firewall Plus v2.0.0 (PC Tools)
AV: AVG 7.5.516 v7.5.516 (Grisoft) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\WIZET\\MapleStory\\MapleStory.exe"="C:\\Program Files\\WIZET\\MapleStory\\MapleStory.exe:*:Enabled:MapleStory"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\BitTorrent_DNA\\dna.exe"="C:\\Program Files\\BitTorrent_DNA\\dna.exe:*:Enabled:BitTorrent DNA"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Eliezer\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ANGELINE-4FRQK1
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Eliezer
LOGONSERVER=\\ANGELINE-4FRQK1
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 6 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0602
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Eliezer\LOCALS~1\Temp
TMP=C:\DOCUME~1\Eliezer\LOCALS~1\Temp
USERDOMAIN=ANGELINE-4FRQK1
USERNAME=Eliezer
USERPROFILE=C:\Documents and Settings\Eliezer
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Eliezer (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
AbiWord 2.5.1 (remove only) --> C:\Program Files\AbiSuite2\UninstallAbiWord2.exe
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Advanced WindowsCare 2.55 Personal --> "C:\Program Files\IObit\Advanced WindowsCare V2\unins000.exe"
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
BitTorrent 6.0 Beta --> C:\Program Files\BitTorrent\uninst.exe
BitTorrent DNA --> "C:\Program Files\BitTorrent_DNA\dna.exe" /UNINSTALL
BlueVoda Website Builder 8.0 --> C:\WINDOWS\iun6002.exe "C:\Program Files\BlueVoda Website Builder\irunin.ini"
Codec Pack - All In 1 6.0.3.0 --> C:\WINDOWS\iun6002.exe "C:\Program Files\Codec Pack - All In 1\irunin.ini"
Combined Community Codec Pack 2007-07-22 --> "C:\Program Files\Combined Community Codec Pack\unins000.exe"
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Easy PDF to Text Converter v2.0 --> "C:\Program Files\Easy PDF to Text Converter\unins000.exe"
Google Web Accelerator --> MsiExec.exe /X{6A1975EB-27E6-491D-94BC-6355FA25F40F}
iMesh --> C:\Program Files\iMesh Applications\iMesh\UninstallSurvey.exe C:\PROGRA~1\IMESHA~1\iMesh\UNWISE.EXE C:\PROGRA~1\IMESHA~1\iMesh\INSTALL.LOG
IObit SmartDefrag Beta 2.1 --> "C:\Program Files\IObit\IObit SmartDefrag\unins000.exe"
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Java™ SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
LimeWire 4.13.6 --> "C:\Useful Computer Installations\LimeWire\uninstall.exe"
MapleStory --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{80EAC1F5-3067-4E57-A09F-3AF728C59FE5}\setup.exe" -l0x9 -removeonly
Microsoft Office PowerPoint Viewer 2003 --> MsiExec.exe /X{90AF0409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Word Viewer 2003 --> MsiExec.exe /I{90850409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Mix-FX --> "C:\Program Files\Mix-FX\uninstall.exe"
Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
oggcodecs 0.71.0946 --> C:\Program Files\illiminable\oggcodecs\uninst.exe
OneCare Advisor (Windows Live Toolbar) --> MsiExec.exe /X{DF821FC5-C198-452B-A0D4-82433EFEAE9B}
OpenOffice.org 2.2 --> MsiExec.exe /I{A1C8D94A-4303-4489-B585-4B6E6CD408CB}
PC Tools Firewall Plus 2.0 --> "C:\Program Files\PC Tools Firewall Plus\unins000.exe"
Popup Blocker (Windows Live Toolbar) --> MsiExec.exe /X{117CD9C0-0F15-4633-93D7-F957B50535A5}
RemoveIT Pro v4 (Trial) --> C:\INCODE~1\REMOVE~1\UNWISE.EXE C:\INCODE~1\REMOVE~1\INSTALL.LOG
Smart Menus (Windows Live Toolbar) --> MsiExec.exe /X{95FC661A-A0C5-4B18-92CE-90347DA79CC9}
Smart PDF Converter Pro --> "C:\Program Files\Smart PDF Converter Pro\unins000.exe"
Tabbed Browsing (Windows Live Toolbar) --> MsiExec.exe /X{1707BF02-0F5C-4A6C-8F17-053BB73E443F}
TextPad 5 --> MsiExec.exe /X{B6EC7388-E277-4A5B-8C8F-71067A41BA64}
Total Backlink Analyzer 2.0 --> C:\Program Files\TopNet Solutions\Total Backlink Analyzer\uninst.exe
VeryPDF PDF2Word v3.0 --> "C:\Program Files\VeryPDF PDF2Word v3.0\unins000.exe"
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Windows Live Favorites for Windows Live Toolbar --> MsiExec.exe /X{DCE65B11-710D-4C54-9DE5-1A6A0BD2186B}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Outlook Toolbar (Windows Live Toolbar) --> MsiExec.exe /X{A40D6757-B145-4FE7-B694-89180A9F3F64}
Windows Live Sign-in Assistant --> MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {DA0FFF7B-DA9D-46A2-A329-87804ECA58EA}
Windows Live Toolbar --> MsiExec.exe /X{DA0FFF7B-DA9D-46A2-A329-87804ECA58EA}
Windows Live Toolbar Extension (Windows Live Toolbar) --> MsiExec.exe /X{3727B920-F5A3-46A4-AC02-94F421A039C7}
Windows Live Toolbar Feed Detector (Windows Live Toolbar) --> MsiExec.exe /X{38024121-D084-4E7D-B1A2-1A04CB5C4CF3}
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\unyext.exe
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1832 / Warning
Event Submitted/Written: 01/30/2008 09:41:05 PM
Event ID/Source: 4353 / EventSystem
Event Description:
The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.

Event Record #/Type1831 / Warning
Event Submitted/Written: 01/30/2008 09:41:05 PM
Event ID/Source: 4356 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}. CoGetObject returned HRESULT 80070422.

Event Record #/Type1830 / Warning
Event Submitted/Written: 01/30/2008 09:41:04 PM
Event ID/Source: 4353 / EventSystem
Event Description:
The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.

Event Record #/Type1829 / Warning
Event Submitted/Written: 01/30/2008 09:41:04 PM
Event ID/Source: 4356 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}. CoGetObject returned HRESULT 80070422.

Event Record #/Type1828 / Warning
Event Submitted/Written: 01/30/2008 09:40:49 PM
Event ID/Source: 5603 / WinMgmt
Event Description:
A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type13397 / Error
Event Submitted/Written: 02/01/2008 04:00:59 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Event Record #/Type13396 / Error
Event Submitted/Written: 02/01/2008 04:00:59 PM
Event ID/Source: 17 / W32Time
Event Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Event Record #/Type13388 / Error
Event Submitted/Written: 02/01/2008 04:00:40 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Event Record #/Type13387 / Error
Event Submitted/Written: 02/01/2008 04:00:40 PM
Event ID/Source: 17 / W32Time
Event Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Event Record #/Type13376 / Error
Event Submitted/Written: 02/01/2008 03:57:53 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {9B1F122C-2982-4E91-AA8B-E071D54F2A4D} did not register with DCOM within the required timeout.



-- End of Deckard's System Scanner: finished at 2008-02-01 16:05:39 ------------

#6 Rorschach112 (Ralphie; Retired Staff, 47,710 posts)
Hello

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#7 Engelzz (Topic Starter; Member, 14 posts)
Hi Rorschach112,

I've followed your instructions and managed to get the log produced by ComboFix, but how do I get the HijackThis log?
Below is a copy of the log I've obtained by running combofix.exe.

#8 Engelzz (Topic Starter; Member, 14 posts)
ComboFix 08-02.01.6 - Eliezer 2008-02-01 23:54:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.109 [GMT -8:00]
Running from: C:\Documents and Settings\Eliezer\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cbxxyvw.dll
C:\WINDOWS\system32\vtssp.dll
C:\Autorun.inf
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\cbxxyvw.dll
C:\WINDOWS\system32\explore.exe
C:\WINDOWS\system32\iesysicon.ico
C:\WINDOWS\system32\psstv.ini
C:\WINDOWS\system32\psstv.ini2
C:\WINDOWS\system32\vtssp.dll

----- BITS: Possible infected sites -----

hxxp://au.download.windowsupdate.com
.
((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

2008-02-01 15:55 . 2008-02-01 15:55 <DIR> d-------- C:\Deckard
2008-01-30 22:56 . 2008-01-30 22:56 <DIR> d-------- C:\InCode Solutions
2008-01-30 22:52 . 2008-01-30 22:52 <DIR> d-------- C:\Program Files\InCode Solutions
2008-01-30 22:33 . 2008-01-30 22:33 4,608 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-01-30 21:37 . 2008-01-30 21:37 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-01-30 21:36 . 2008-01-30 21:36 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-01-30 21:36 . 2008-01-30 21:36 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-01-30 21:36 . 2008-01-30 21:36 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-01-30 21:36 . 2008-01-30 21:36 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-01-30 21:36 . 2008-01-30 21:36 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-01-30 21:15 . 2004-08-03 17:07 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-01-30 21:15 . 2004-08-03 17:07 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-01-17 14:23 . 2008-01-30 22:33 33,280 --ahs---- C:\WINDOWS\Thumbs.db
2008-01-13 19:49 . 2008-01-13 20:25 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-13 18:52 . 2008-01-13 18:52 3,584 --a------ C:\WINDOWS\system32\vtssp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 06:26 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-01-31 06:26 --------- d-----w C:\Program Files\VeryPDF PDF2Word v3.0
2008-01-31 06:26 --------- d-----w C:\Program Files\Smart PDF Converter Pro
2008-01-31 06:26 --------- d-----w C:\Program Files\DivX
2008-01-31 06:26 --------- d-----w C:\Program Files\Codec Pack - All In 1
2008-01-24 02:15 --------- d-----w C:\Documents and Settings\Eliezer\Application Data\BitTorrent
2008-01-18 10:40 --------- d-----w C:\Program Files\MSN Messenger
2008-01-17 22:23 --------- d-----w C:\Program Files\Combined Community Codec Pack
2008-01-17 22:23 --------- d-----w C:\Program Files\BlueVoda Website Builder
2008-01-13 10:49 --------- d-----w C:\Documents and Settings\Eliezer\Application Data\AVG7
2008-01-13 08:26 --------- d-----w C:\Program Files\PC Tools Firewall Plus
2008-01-03 12:53 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-03 11:58 --------- d-----w C:\Program Files\Java
2008-01-01 02:59 --------- d-----w C:\Program Files\Viewpoint
2008-01-01 02:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-19 05:51 33,618 ----a-w C:\Program Files\MapleSEA_MSSetup070802a.exe.torrent
2007-09-08 09:00 22,304 ----a-w C:\Documents and Settings\Eliezer\Application Data\GDIPFONTCACHEV1.DAT
2007-09-08 07:55 0 ----a-w C:\Program Files\New Bitmap Image.bmp
2007-03-27 07:07 415,784 ----a-w C:\Program Files\msgr8us.exe
2007-03-26 03:36 177,152 ----a-w C:\Program Files\utorrent.exe
2004-07-22 17:51 3,432,656 ----a-w C:\Program Files\ManagedDX.CAB
2004-07-20 05:58 1,156,363 ----a-w C:\Program Files\BDANT.cab
2004-07-20 05:53 976,020 ----a-w C:\Program Files\BDAXP.cab
2004-07-09 21:17 13,265,040 ----a-w C:\Program Files\dxnt.cab
2004-07-09 16:13 703,080 -c--a-w C:\Program Files\BDA.cab
2004-07-09 16:13 15,493,481 ----a-w C:\Program Files\DirectX.cab
2007-09-16 06:37 88 --sha-r C:\WINDOWS\system32\8E0C878137.sys
2007-09-17 11:01 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2004-08-04 01:07 155,648 --sha-w C:\WINDOWS\system32\lsmgr.dll
2007-04-07 06:15 1,412,128 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-04-07 06:15 96,544 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EC564D32-0F1A-4367-8A9B-4A9F57688D03}]
2004-08-03 17:07 155648 --ahs---- C:\WINDOWS\system32\lsmgr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 17:07 15360]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [ ]
"RemoveIT Pro XT"="C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe" [2008-02-01 16:16 939520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00PCTFW"="C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 07:53 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 21:24:38 1134592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL diskcheck.exe c:
\Shell\播放\command - C:\diskcheck.exe c:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{003e1db0-4648-11dc-bc9b-000000000000}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL diskcheck.exe f:
\Shell\播放\command - D:\diskcheck.exe f:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{003e1db1-4648-11dc-bc9b-000000000000}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL diskcheck.exe g:
\Shell\播放\command - G:\diskcheck.exe g:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{003e1db2-4648-11dc-bc9b-000000000000}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL diskcheck.exe h:
\Shell\播放\command - H:\diskcheck.exe h:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59489b00-214b-11dc-bc60-000000000000}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Boot.exe e
\Shell\Open\command - Boot.exe e

.
Contents of the 'Scheduled Tasks' folder
"2008-02-02 00:30:00 C:\WINDOWS\Tasks\Advanced WindowsCare V2 Pro.job"
- C:\Program Files\IObit\Advanced WindowsCare V2 Pro\AutoCare.exe
"2008-02-02 04:00:00 C:\WINDOWS\Tasks\AwcProUpdate.job"
- C:\Program Files\IObit\Advanced WindowsCare V2 Pro\AutoUpdate.ex
- C:\Program Files\IObit\Advanced WindowsCare V2 Pro\
"2008-02-02 07:45:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 00:04:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
.
**************************************************************************
.
Completion time: 2008-02-02 0:06:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-02 08:06:42
.
2008-01-10 11:14:43 --- E O F ---

#9
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Hello

  • 1 - Flash Drive Disinfector
    Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder... it will help protect your drives from future infection.



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\vtssp.exe
C:\diskcheck.exe
D:\diskcheck.exe
G:\diskcheck.exe
H:\diskcheck.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{003e1db0-4648-11dc-bc9b-000000000000}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{003e1db1-4648-11dc-bc9b-000000000000}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{003e1db2-4648-11dc-bc9b-000000000000}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59489b00-214b-11dc-bc60-000000000000}]


Save this as CFScript.txt, in the same location as ComboFix.exe.


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt".

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Then run DSS and post that log
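The CFScript the helper wrote by hand above is derived directly from the mountpoints2 block of the ComboFix log. As an added example that is not part of this thread or of ComboFix itself, the Python below parses that block, works out which file each AutoRun/Play verb would launch, and prints the File:: and Registry:: sections; the sample log text is constructed from the entries posted above, and the rule that a bare file name resolves against the root of the drive named in its argument is this example's assumption.

```python
"""Triage helper for the ComboFix 'mountpoints2' block (added example)."""
import re
from collections import OrderedDict

# Constructed sample in the shape ComboFix prints; entries mirror the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL diskcheck.exe c:
\Shell\播放\command - C:\diskcheck.exe c:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{003e1db0-4648-11dc-bc9b-000000000000}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL diskcheck.exe f:
\Shell\播放\command - D:\diskcheck.exe f:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59489b00-214b-11dc-bc60-000000000000}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Boot.exe e
\Shell\Open\command - Boot.exe e
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$")
VERB_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$")
# "RunDLL32 Shell32.DLL,ShellExec_RunDLL <target> [args]" is the wrapper the
# autorun.inf worm in this thread uses to launch a relative file name.
SHELLEXEC_RE = re.compile(
    r"ShellExec_RunDLL\s+(?P<target>\S+)(?:\s+(?P<args>.*))?$", re.IGNORECASE)


def parse_mountpoints2(log_text):
    """Return {registry_key: [(verb, command), ...]} for mountpoints2 keys only."""
    entries = OrderedDict()
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            current = key if "\\mountpoints2\\" in key.lower() else None
            if current:
                entries[current] = []
            continue
        if current is None:
            continue
        v = VERB_RE.match(line)
        if v:
            entries[current].append((v.group("verb"), v.group("cmd")))
    return entries


def launched_file(command):
    """Best-effort absolute path of the executable a shell verb would run.

    Handles both forms in the log: the ShellExec_RunDLL wrapper with a relative
    file name plus a drive argument, and a direct path. Assumption of this
    example: a bare name is resolved against the root of the drive given as
    the first argument (e.g. 'c:' or 'e').
    """
    m = SHELLEXEC_RE.search(command)
    if m:
        target, args = m.group("target"), (m.group("args") or "").strip()
    else:
        parts = command.split()
        target, args = parts[0], " ".join(parts[1:])
    if re.match(r"^[A-Za-z]:\\", target):
        return target[0].upper() + target[1:]   # already absolute
    for tok in args.split():
        if re.fullmatch(r"[A-Za-z]:?", tok):
            return f"{tok[0].upper()}:\\{target}"
    return None   # no drive argument: cannot resolve, leave for manual review


def build_cfscript(entries):
    """Emit File:: (every launched file) and Registry:: (delete each key)."""
    files = []
    for verbs in entries.values():
        for _verb, cmd in verbs:
            path = launched_file(cmd)
            if path and path not in files:
                files.append(path)
    lines = ["File::"] + sorted(files) + ["", "Registry::"]
    lines += [f"[-{key}]" for key in entries]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(parse_mountpoints2(SAMPLE_LOG)))
```

Both candidate paths for a mismatched pair (the AutoRun verb names f:, the Play verb names D:\) are kept in the File:: list, since ComboFix simply skips files that do not exist.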

#10
Engelzz
    Member
  • Topic Starter
  • Member
  • 14 posts
Hi Rorschach112,

I've created the CFScript.txt and obtained the log. Below are the CFScript log and DSS log.
#11
Engelzz
    Member
  • Topic Starter
  • Member
  • 14 posts
ComboFix 08-02.01.6 - Eliezer 2008-02-02 3:23:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.68 [GMT -8:00]
Running from: C:\Documents and Settings\Eliezer\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Eliezer\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\diskcheck.exe
C:\WINDOWS\system32\vtssp.exe
D:\diskcheck.exe
G:\diskcheck.exe
H:\diskcheck.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\diskcheck.exe
C:\WINDOWS\system32\vtssp.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

2008-02-02 02:45 . 2008-02-02 02:45 <DIR> d-------- C:\Documents and Settings\Eliezer\Application Data\Grisoft
2008-02-02 02:45 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-01 15:55 . 2008-02-01 15:55 <DIR> d-------- C:\Deckard
2008-01-30 22:56 . 2008-01-30 22:56 <DIR> d-------- C:\InCode Solutions
2008-01-30 22:52 . 2008-01-30 22:52 <DIR> d-------- C:\Program Files\InCode Solutions
2008-01-30 22:33 . 2008-01-30 22:33 4,608 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-01-30 21:37 . 2008-01-30 21:37 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-01-30 21:36 . 2008-01-30 21:36 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-01-30 21:36 . 2008-01-30 21:36 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-01-30 21:36 . 2008-01-30 21:36 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-01-30 21:36 . 2008-01-30 21:36 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-01-30 21:36 . 2008-01-30 21:36 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-01-30 21:15 . 2004-08-03 17:07 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-01-30 21:15 . 2004-08-03 17:07 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-01-17 14:23 . 2008-01-30 22:33 33,280 --ahs---- C:\WINDOWS\Thumbs.db
2008-01-13 19:49 . 2008-01-13 20:25 <DIR> d-------- C:\Program Files\Enigma Software Group

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 06:26 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-01-31 06:26 --------- d-----w C:\Program Files\VeryPDF PDF2Word v3.0
2008-01-31 06:26 --------- d-----w C:\Program Files\Smart PDF Converter Pro
2008-01-31 06:26 --------- d-----w C:\Program Files\DivX
2008-01-31 06:26 --------- d-----w C:\Program Files\Codec Pack - All In 1
2008-01-24 02:15 --------- d-----w C:\Documents and Settings\Eliezer\Application Data\BitTorrent
2008-01-18 10:40 --------- d-----w C:\Program Files\MSN Messenger
2008-01-17 22:23 --------- d-----w C:\Program Files\Combined Community Codec Pack
2008-01-17 22:23 --------- d-----w C:\Program Files\BlueVoda Website Builder
2008-01-13 10:49 --------- d-----w C:\Documents and Settings\Eliezer\Application Data\AVG7
2008-01-13 08:26 --------- d-----w C:\Program Files\PC Tools Firewall Plus
2008-01-03 12:53 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-03 11:58 --------- d-----w C:\Program Files\Java
2008-01-01 02:59 --------- d-----w C:\Program Files\Viewpoint
2008-01-01 02:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-19 05:51 33,618 ----a-w C:\Program Files\MapleSEA_MSSetup070802a.exe.torrent
2007-09-08 09:00 22,304 ----a-w C:\Documents and Settings\Eliezer\Application Data\GDIPFONTCACHEV1.DAT
2007-09-08 07:55 0 ----a-w C:\Program Files\New Bitmap Image.bmp
2007-04-06 06:06 20,382,509 -c--a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_04_04_23_34_31_full.dmp.zip
2007-03-27 07:07 415,784 ----a-w C:\Program Files\msgr8us.exe
2007-03-26 03:36 177,152 ----a-w C:\Program Files\utorrent.exe
2004-07-22 17:51 3,432,656 ----a-w C:\Program Files\ManagedDX.CAB
2004-07-20 05:58 1,156,363 ----a-w C:\Program Files\BDANT.cab
2004-07-20 05:53 976,020 ----a-w C:\Program Files\BDAXP.cab
2004-07-09 21:17 13,265,040 ----a-w C:\Program Files\dxnt.cab
2004-07-09 16:13 703,080 -c--a-w C:\Program Files\BDA.cab
2004-07-09 16:13 15,493,481 ----a-w C:\Program Files\DirectX.cab
2007-09-16 06:37 88 --sha-r C:\WINDOWS\system32\8E0C878137.sys
2007-09-17 11:01 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2004-08-04 01:07 155,648 --sha-w C:\WINDOWS\system32\lsmgr.dll
2007-04-07 06:15 1,412,128 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-04-07 06:15 96,544 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EC564D32-0F1A-4367-8A9B-4A9F57688D03}]
2004-08-03 17:07 155648 --ahs---- C:\WINDOWS\system32\lsmgr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 17:07 15360]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [ ]
"RemoveIT Pro XT"="C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe" [2008-02-01 16:16 939520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00PCTFW"="C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 07:53 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 21:24:38 1134592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)


*Newly Created Service* - AVGASCLN
*Newly Created Service* - AVG_ANTI-SPYWARE_DRIVER
.
Contents of the 'Scheduled Tasks' folder
"2008-02-02 00:30:00 C:\WINDOWS\Tasks\Advanced WindowsCare V2 Pro.job"
- C:\Program Files\IObit\Advanced WindowsCare V2 Pro\AutoCare.exe
"2008-02-02 04:00:00 C:\WINDOWS\Tasks\AwcProUpdate.job"
- C:\Program Files\IObit\Advanced WindowsCare V2 Pro\AutoUpdate.ex
- C:\Program Files\IObit\Advanced WindowsCare V2 Pro\
"2008-02-02 10:45:03 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 03:27:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-02 3:29:37
ComboFix-quarantined-files.txt 2008-02-02 11:29:19
ComboFix2.txt 2008-02-02 08:06:53
.
2008-01-10 11:14:43 --- E O F ---

#12
Engelzz
    Member
  • Topic Starter
  • Member
  • 14 posts
Deckard's System Scanner v20071014.68
Run by Eliezer on 2008-02-02 03:37:02
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 79% (more than 75%).
Total Physical Memory: 256 MiB (512 MiB recommended).
System Drive C: has 2.39 GiB (less than 15%) free.


-- HijackThis (run as Eliezer.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:38:14 AM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Eliezer\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Eliezer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: mssgr Object - {EC564D32-0F1A-4367-8A9B-4A9F57688D03} - C:\WINDOWS\system32\lsmgr.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [RemoveIT Pro XT] C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-sg\msntabres.dll.mui/229?429a22aa785d44dba59ed015a789b609
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-sg\msntabres.dll.mui/230?429a22aa785d44dba59ed015a789b609
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe

--
End of file - 6599 bytes

-- Files created between 2008-01-02 and 2008-02-02 -----------------------------

2008-02-02 03:37:48 0 d-------- C:\Program Files\Trend Micro
2008-02-02 03:11:06 0 drahs---- C:\autorun.inf
2008-02-02 02:45:18 0 d-------- C:\Documents and Settings\Eliezer\Application Data\Grisoft
2008-01-30 22:56:56 0 d-------- C:\InCode Solutions
2008-01-30 22:52:44 0 d-------- C:\Program Files\InCode Solutions
2008-01-30 21:52:16 0 d-------- C:\WINDOWS\Prefetch
2008-01-13 20:55:20 0 d-------- C:\WINDOWS\pss
2008-01-13 19:49:07 0 d-------- C:\Program Files\Enigma Software Group


-- Find3M Report ---------------------------------------------------------------

2008-02-01 16:13:50 1999 --a------ C:\Documents and Settings\Eliezer\Application Data\.googlewebacchosts
2008-01-30 22:26:40 0 d-------- C:\Program Files\Windows Live Toolbar
2008-01-30 22:26:39 0 d-------- C:\Program Files\VeryPDF PDF2Word v3.0
2008-01-30 22:26:39 0 d-------- C:\Program Files\Smart PDF Converter Pro
2008-01-30 22:26:38 0 d-------- C:\Program Files\Movie Maker
2008-01-30 22:26:34 0 d-------- C:\Program Files\Messenger
2008-01-30 22:26:34 0 d-------- C:\Program Files\DivX
2008-01-30 22:26:34 0 d-------- C:\Program Files\Codec Pack - All In 1
2008-01-30 21:32:48 22744 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-01-23 18:15:53 0 d-------- C:\Documents and Settings\Eliezer\Application Data\BitTorrent
2008-01-18 02:40:17 0 d-------- C:\Program Files\MSN Messenger
2008-01-17 14:23:35 0 d-------- C:\Program Files\Combined Community Codec Pack
2008-01-17 14:23:35 0 d-------- C:\Program Files\BlueVoda Website Builder
2008-01-13 02:49:59 0 d-------- C:\Documents and Settings\Eliezer\Application Data\AVG7
2008-01-13 00:26:51 0 d-------- C:\Program Files\PC Tools Firewall Plus
2008-01-03 04:53:31 0 d-------- C:\Program Files\Common Files\Adobe
2008-01-03 04:53:30 0 d-------- C:\Program Files\Common Files
2008-01-03 04:11:31 0 d-------- C:\Documents and Settings\Eliezer\Application Data\Adobe
2008-01-03 03:58:58 0 d-------- C:\Program Files\Java
2007-12-31 18:59:01 0 d-------- C:\Program Files\Viewpoint
2007-11-07 11:09:51 1541 --a----c- C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EC564D32-0F1A-4367-8A9B-4A9F57688D03}]
08/03/2004 05:07 PM 155648 --ahs---- C:\WINDOWS\system32\lsmgr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00PCTFW"="C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 05:07 PM]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"RemoveIT Pro XT"="C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe" [02/01/2008 04:16 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [7/9/2007 9:24:38 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

*Newly Created Service* - AVGASCLN
*Newly Created Service* - AVG_ANTI-SPYWARE_DRIVER
*Newly Created Service* - PSEXESVC



-- End of Deckard's System Scanner: finished at 2008-02-02 03:38:49 ------------

#13
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Hello

1. Please re-open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

O2 - BHO: mssgr Object - {EC564D32-0F1A-4367-8A9B-4A9F57688D03} - C:\WINDOWS\system32\lsmgr.dll

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\lsmgr.dll


Save this as CFScript.txt, in the same location as ComboFix.exe.


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt".

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


#14
Engelzz
    Member
  • Topic Starter
  • Member
  • 14 posts
Hi Rorschach112,

I've done as instructed and obtained the following log below:


ComboFix 08-02.01.6 - Eliezer 2008-02-02 10:20:12.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.53 [GMT -8:00]
Running from: C:\Documents and Settings\Eliezer\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Eliezer\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\lsmgr.dll
.

((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

2008-02-02 03:37 . 2008-02-02 03:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-02 02:45 . 2008-02-02 02:45 <DIR> d-------- C:\Documents and Settings\Eliezer\Application Data\Grisoft
2008-02-02 02:45 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-01 15:55 . 2008-02-01 15:55 <DIR> d-------- C:\Deckard
2008-01-30 22:56 . 2008-01-30 22:56 <DIR> d-------- C:\InCode Solutions
2008-01-30 22:52 . 2008-01-30 22:52 <DIR> d-------- C:\Program Files\InCode Solutions
2008-01-30 22:33 . 2008-01-30 22:33 4,608 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-01-30 21:37 . 2008-01-30 21:37 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-01-30 21:36 . 2008-01-30 21:36 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-01-30 21:36 . 2008-01-30 21:36 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-01-30 21:36 . 2008-01-30 21:36 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-01-30 21:36 . 2008-01-30 21:36 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-01-30 21:36 . 2008-01-30 21:36 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-01-30 21:15 . 2004-08-03 17:07 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-01-30 21:15 . 2004-08-03 17:07 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-01-17 14:23 . 2008-01-30 22:33 33,280 --ahs---- C:\WINDOWS\Thumbs.db
2008-01-13 19:49 . 2008-01-13 20:25 <DIR> d-------- C:\Program Files\Enigma Software Group

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 06:26 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-01-31 06:26 --------- d-----w C:\Program Files\VeryPDF PDF2Word v3.0
2008-01-31 06:26 --------- d-----w C:\Program Files\Smart PDF Converter Pro
2008-01-31 06:26 --------- d-----w C:\Program Files\DivX
2008-01-31 06:26 --------- d-----w C:\Program Files\Codec Pack - All In 1
2008-01-24 02:15 --------- d-----w C:\Documents and Settings\Eliezer\Application Data\BitTorrent
2008-01-18 10:40 --------- d-----w C:\Program Files\MSN Messenger
2008-01-17 22:23 --------- d-----w C:\Program Files\Combined Community Codec Pack
2008-01-17 22:23 --------- d-----w C:\Program Files\BlueVoda Website Builder
2008-01-13 10:49 --------- d-----w C:\Documents and Settings\Eliezer\Application Data\AVG7
2008-01-13 08:26 --------- d-----w C:\Program Files\PC Tools Firewall Plus
2008-01-03 12:53 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-03 11:58 --------- d-----w C:\Program Files\Java
2008-01-01 02:59 --------- d-----w C:\Program Files\Viewpoint
2008-01-01 02:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-19 05:51 33,618 ----a-w C:\Program Files\MapleSEA_MSSetup070802a.exe.torrent
2007-09-08 09:00 22,304 ----a-w C:\Documents and Settings\Eliezer\Application Data\GDIPFONTCACHEV1.DAT
2007-09-08 07:55 0 ----a-w C:\Program Files\New Bitmap Image.bmp
2007-04-06 06:06 20,382,509 -c--a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_04_04_23_34_31_full.dmp.zip
2007-03-27 07:07 415,784 ----a-w C:\Program Files\msgr8us.exe
2007-03-26 03:36 177,152 ----a-w C:\Program Files\utorrent.exe
2004-07-22 17:51 3,432,656 ----a-w C:\Program Files\ManagedDX.CAB
2004-07-20 05:58 1,156,363 ----a-w C:\Program Files\BDANT.cab
2004-07-20 05:53 976,020 ----a-w C:\Program Files\BDAXP.cab
2004-07-09 21:17 13,265,040 ----a-w C:\Program Files\dxnt.cab
2004-07-09 16:13 703,080 -c--a-w C:\Program Files\BDA.cab
2004-07-09 16:13 15,493,481 ----a-w C:\Program Files\DirectX.cab
2007-09-16 06:37 88 --sha-r C:\WINDOWS\system32\8E0C878137.sys
2007-09-17 11:01 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-04-07 06:15 1,412,128 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-04-07 06:15 96,544 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 17:07 15360]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [ ]
"RemoveIT Pro XT"="C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe" [2008-02-01 16:16 939520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00PCTFW"="C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 07:53 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 21:24:38 1134592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL diskcheck.exe c:
\Shell\播放\command - C:\diskcheck.exe c:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{003e1db0-4648-11dc-bc9b-000000000000}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL diskcheck.exe f:
\Shell\播放\command - D:\diskcheck.exe f:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{003e1db1-4648-11dc-bc9b-000000000000}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL diskcheck.exe g:
\Shell\播放\command - G:\diskcheck.exe g:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{003e1db2-4648-11dc-bc9b-000000000000}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL diskcheck.exe h:
\Shell\播放\command - H:\diskcheck.exe h:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59489b00-214b-11dc-bc60-000000000000}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Boot.exe e
\Shell\Open\command - Boot.exe e

.
Contents of the 'Scheduled Tasks' folder
"2008-02-02 00:30:00 C:\WINDOWS\Tasks\Advanced WindowsCare V2 Pro.job"
- C:\Program Files\IObit\Advanced WindowsCare V2 Pro\AutoCare.exe
"2008-02-02 04:00:00 C:\WINDOWS\Tasks\AwcProUpdate.job"
- C:\Program Files\IObit\Advanced WindowsCare V2 Pro\AutoUpdate.ex
- C:\Program Files\IObit\Advanced WindowsCare V2 Pro\
"2008-02-02 11:45:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 10:23:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-02 10:25:14
ComboFix-quarantined-files.txt 2008-02-02 18:25:02
ComboFix2.txt 2008-02-02 11:29:38
ComboFix3.txt 2008-02-02 08:06:53
.
2008-01-10 11:14:43 --- E O F ---

#15
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


Also post a new HijackThis log and tell me how your PC is running.