Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

win32.trojandownloader.zlob [CLOSED]

Started by befnme , Feb 01 2008 11:16 AM

  • This topic is locked This topic is locked

#1
befnme
Posted 01 February 2008 - 11:16 AM

befnme

    New Member

  • Member
  • Pip
  • 4 posts
this thing is killing my pc. i have read here and done ad-aware, spyboy, combofix, avg, registry mechanic, hjkths, and smitfraud fix. i still have it and everytime i run adaware it is still there. help please. here is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:16, on 2008-02-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
F3 - REG:win.ini: load=C:\WINDOWS\system32\geebc.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe /autorun
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [b420deac] rundll32.exe "C:\WINDOWS\system32\cqhoborq.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather .exe 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {F2D35D99-63B1-46D3-970C-6E22320D5DCB} (kSoloCntrlIE Class) - http://www.ksolo.com...kSoloIEHDSD.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

--
End of file - 6890 bytes
  • 0

Advertisements

#2
Rorschach112
Posted 01 February 2008 - 01:06 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Delete your version of ComboFix.exe and the folder C:\qoobox then do this


Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#3
befnme
Posted 01 February 2008 - 05:44 PM

befnme

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
sorry it took so long was at work.....

ComboFix 08-02.01.6 - Owner 2008-02-02 18:17:32.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.328 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\geebc.dll
C:\WINDOWS\system32\wxracdom.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\bepxniwp.dll
C:\WINDOWS\system32\cbeeg.ini
C:\WINDOWS\system32\cbeeg.ini2
C:\WINDOWS\system32\cfasnuwn.dll
C:\WINDOWS\system32\cqhoborq.dll
C:\WINDOWS\system32\ebcqtihi.ini
C:\WINDOWS\system32\fsdloxvl.exe
C:\WINDOWS\system32\geebc.dll
C:\WINDOWS\system32\geebc.exe
C:\WINDOWS\system32\ihitqcbe.dll
C:\WINDOWS\system32\imcbanwa.dll
C:\WINDOWS\system32\iqxqislo.ini
C:\WINDOWS\system32\kngfstbj.dll
C:\WINDOWS\system32\mtpxjrjr.dll
C:\WINDOWS\system32\nwunsafc.ini
C:\WINDOWS\system32\onxvixdk.dll
C:\WINDOWS\system32\pwinxpeb.ini
C:\WINDOWS\system32\qhedpken.exe
C:\WINDOWS\system32\qrobohqc.ini
C:\WINDOWS\system32\sgcnuikf.dll
C:\WINDOWS\system32\uqknokyo.dll
C:\WINDOWS\system32\wwoehvtt.ini
C:\WINDOWS\system32\wxracdom.dll
C:\WINDOWS\system32\wxracdom.dllbox
C:\WINDOWS\system32\ykltemgb.dll

----- BITS: Possible infected sites -----

hxxp://au.download.windowsupdate.com
hxxp://www.download.windowsupdate.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

2008-02-02 12:47 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-01-31 07:24 . 2008-01-31 07:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-01-31 03:07 . 2008-02-02 12:39 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-30 19:23 . 2008-01-30 19:23 <DIR> d-------- C:\Program Files\Opera
2008-01-30 08:31 . 2007-10-10 18:55 6,065,664 --a--c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-30 08:31 . 2007-06-30 22:31 2,455,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-30 08:31 . 2007-06-30 22:36 991,232 --a--c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-30 08:31 . 2007-10-10 18:55 459,264 --a--c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-30 08:31 . 2007-10-10 18:55 383,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-30 08:31 . 2007-10-10 18:55 267,776 --a--c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-30 08:31 . 2007-10-10 18:55 63,488 --a--c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-30 08:31 . 2007-10-10 18:55 52,224 --a--c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-30 08:31 . 2007-10-10 05:59 13,824 --a--c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-29 20:31 . 2008-01-29 20:31 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-01-29 20:02 . 2008-01-29 20:32 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-29 20:02 . 2008-01-29 20:02 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-01-29 20:02 . 2008-01-29 20:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-29 19:59 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-29 19:58 . 2008-01-29 19:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-28 22:38 . 2008-01-28 22:38 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Template
2008-01-25 18:17 . 2004-08-27 04:54 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-01-25 18:17 . 2007-12-15 21:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-01-25 18:17 . 2007-12-15 21:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\McAfee
2008-01-25 15:55 . 2008-02-02 12:49 2,050 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-25 15:54 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-01-25 15:54 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-01-22 16:56 . 2008-01-22 16:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-22 16:53 . 2008-01-22 16:53 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-01-22 14:49 . 2008-01-22 14:49 51,355 --a------ C:\WINDOWS\system32\muzika.xm
2008-01-22 11:57 . 2008-02-02 07:51 <DIR> d-------- C:\Program Files\XoftSpySE
2008-01-21 23:21 . 2008-01-21 23:21 60 --a------ C:\WINDOWS\system32\SYSDRV.DAT
2008-01-21 20:02 . 2008-01-21 20:02 338,140 --a------ C:\WINDOWS\system32\RCX412.tmp
2008-01-20 20:28 . 2008-01-20 20:28 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-20 20:28 . 2008-01-20 20:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-20 20:27 . 2008-01-29 20:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-20 19:18 . 2008-01-22 14:22 801 --a------ C:\WINDOWS\wininit.ini
2008-01-20 18:40 . 2008-01-21 19:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-17 22:56 . 2008-01-17 22:56 <DIR> d-------- C:\Program Files\AWS
2008-01-17 22:56 . 2008-01-20 14:15 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\WeatherBug
2008-01-17 00:07 . 2008-01-17 02:37 49 --a------ C:\WINDOWS\NeroDigital.ini
2008-01-16 20:39 . 2008-01-16 22:48 <DIR> d-------- C:\Program Files\Yahoo SiteBuilder
2008-01-16 07:48 . 2008-01-16 07:48 278 --a------ C:\7b7ce1af9e682b1.dat
2008-01-16 07:42 . 2008-01-16 07:42 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Chief Architect Trial Version 11
2008-01-16 07:42 . 2008-01-20 15:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Chief Architect Full Version 11
2008-01-13 10:29 . 2008-01-13 10:42 <DIR> d-------- C:\Program Files\CommentKahuna
2008-01-12 00:54 . 2008-02-01 21:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-01-11 23:55 . 2008-01-12 14:57 <DIR> d-------- C:\Program Files\Flipz4Flash
2008-01-11 07:37 . 2008-01-11 07:37 <DIR> d-------- C:\Program Files\Meta Tags Retriever
2008-01-10 21:11 . 2008-01-10 21:11 <DIR> d-------- C:\Program Files\uTorrent
2008-01-10 21:11 . 2008-01-24 07:14 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2008-01-06 13:37 . 2008-01-06 13:37 <DIR> d-------- C:\WINDOWS\PixArt
2008-01-06 13:37 . 2008-01-06 13:37 <DIR> d-------- C:\Program Files\PC CIF Camer@
2008-01-06 13:37 . 2008-01-06 13:37 <DIR> d-------- C:\Program Files\Common Files\PAC207
2008-01-06 13:37 . 2007-02-12 01:06 408 --a------ C:\WINDOWS\system32\Remover.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 01:32 --------- d-----w C:\Program Files\QuickTime
2008-01-30 01:32 --------- d-----w C:\Program Files\Norton AntiVirus
2008-01-30 01:32 --------- d-----w C:\Program Files\Digital Media Reader
2008-01-30 01:32 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-22 00:06 --------- d-----w C:\Program Files\Google
2008-01-06 18:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-02 03:03 --------- d-----w C:\Program Files\Java
2007-12-31 02:21 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2007-12-26 16:57 --------- d-----w C:\Documents and Settings\Owner\Application Data\Viewpoint
2007-12-26 16:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-25 22:22 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-12-25 22:22 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-12-25 20:54 --------- d-----w C:\Program Files\Cinemaware Marquee
2007-12-22 21:55 --------- d-----w C:\Program Files\Audacity
2007-12-22 21:37 --------- d-----w C:\Program Files\MtStudio
2007-12-22 21:37 --------- d-----w C:\Documents and Settings\Owner\Application Data\MtStudio
2007-12-22 21:11 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-22 21:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-12-19 23:29 --------- d-----w C:\Program Files\Motorola
2007-12-19 23:27 --------- d-----w C:\Program Files\Common Files\Motorola Shared
2007-12-18 08:01 --------- d-----w C:\Program Files\MSXML 4.0
2007-12-17 00:20 --------- d-----w C:\Program Files\OOBOX
2007-12-16 22:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-16 02:31 --------- d-----w C:\Program Files\McAfee.com
2007-12-16 02:31 --------- d-----w C:\Program Files\McAfee
2007-12-16 02:31 --------- d-----w C:\Program Files\Common Files\McAfee
2007-12-16 02:31 --------- d-----w C:\Documents and Settings\Owner\Application Data\McAfee
2007-12-16 02:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-12-16 02:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-16 02:30 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-16 02:29 --------- d-----w C:\Documents and Settings\Owner\Application Data\SampleView
2007-12-16 02:27 --------- d-----w C:\Program Files\Microsoft Picture It! 9
2007-12-16 02:27 --------- d-----w C:\Program Files\CyberLink
2007-12-16 02:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-12-16 02:26 --------- d-----w C:\Program Files\Microsoft Works
2007-12-16 02:25 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-16 02:25 --------- d-----w C:\Program Files\Common Files\Ahead
2007-12-16 02:25 --------- d-----w C:\Program Files\BigFix
2007-12-16 02:25 --------- d-----w C:\Program Files\AOL Companion
2007-12-16 02:25 --------- d-----w C:\Program Files\America Online 9.0
2007-12-16 02:25 --------- d-----w C:\Program Files\Ahead
2007-12-16 02:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pure Networks
2007-12-16 02:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-16 02:24 8,552 ----a-w C:\WINDOWS\system32\drivers\asctrm.sys
2007-12-16 02:24 --------- d-----w C:\Program Files\Real
2007-12-16 02:24 --------- d-----w C:\Program Files\Pure Networks
2007-12-16 02:24 --------- d-----w C:\Program Files\Learn2.com
2007-12-16 02:24 --------- d-----w C:\Program Files\Common Files\Real
2007-12-16 02:24 --------- d-----w C:\Program Files\Common Files\Nullsoft
2007-12-16 02:24 --------- d-----w C:\Program Files\Common Files\aolshare
2007-12-16 02:24 --------- d-----w C:\Program Files\AOL Toolbar
2007-12-16 02:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2007-12-16 02:22 --------- d-----w C:\Program Files\MSN Encarta Plus
2007-12-16 02:22 --------- d-----w C:\Program Files\Microsoft Money
2007-12-16 02:21 --------- d-----w C:\Program Files\Realtek
2007-12-16 02:21 --------- d-----w C:\Program Files\Common Files\New Boundary
2007-12-16 02:21 --------- d-----w C:\Program Files\Common Files\Java
2007-12-16 02:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Prism Deploy
2007-12-16 02:18 --------- d-----w C:\Program Files\Symantec
2007-12-16 02:16 --------- d-----w C:\Program Files\Intel
2007-12-16 02:13 --------- d-----w C:\Program Files\CONEXANT
.
<pre>
----a-w		   132,496 2008-01-30 01:29:58  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w			15,360 2008-02-02 17:39:50  C:\WINDOWS\system32\ctfmon .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather .exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [ ]
"_AntiSpyware"="C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe" [ ]
"RegistryMechanic"="" []
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [ ]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [ ]
"SoundMan"="SOUNDMAN.EXE" [2004-09-23 22:27 77824 C:\WINDOWS\SOUNDMAN.EXE]
"ShowWnd"="ShowWnd.exe" [2003-09-19 12:09 36864 C:\WINDOWS\ShowWnd.exe]
"McRegWiz"="C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe" [ ]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [ ]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 18:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"CHotkey"="zHotkey.exe" [2004-05-17 21:30 543232 C:\WINDOWS\zHotkey.exe]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [ ]
"AlcWzrd"="ALCWZRD.EXE" [2004-09-24 21:06 2559488 C:\WINDOWS\ALCWZRD.EXE]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" [ ]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{F2A0229A-C4CA-4789-B606-973D24DCDD1C}"= C:\Program Files\McAfee\McAfee AntiSpyware\MssShell.dll [2004-10-19 04:00 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]

S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;C:\DOCUME~1\Owner\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys []
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-05-04 17:04]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-05-04 16:54]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-02 02:00:00 C:\WINDOWS\Tasks\McAfee AntiSpyware.job"
- C:\PROGRA~1\McAfee\MCAFEE~1\McSpy.ex
- C:\PROGRA~1\McAfee\MCAFEE~1
"2008-02-02 23:30:00 C:\WINDOWS\Tasks\McAfee.com Update Check (YOUR-55CE2A1EF0-Owner).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate .ex
- C:\PROGRA~1\mcafee.com\agent
"2007-12-16 02:19:06 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-02-02 23:27:14 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-02-02 12:51:47 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 18:27:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-02 18:32:19 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-02-02 23:32:15
ComboFix2.txt 2008-01-23 23:39:20
.
2008-02-01 08:01:13 --- E O F ---
  • 0

#4
befnme
Posted 01 February 2008 - 05:45 PM

befnme

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:43:56 PM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe /autorun
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather .exe 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {F2D35D99-63B1-46D3-970C-6E22320D5DCB} (kSoloCntrlIE Class) - http://www.ksolo.com...kSoloIEHDSD.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

--
End of file - 7321 bytes
  • 0

#5
Rorschach112
Posted 01 February 2008 - 07:09 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]

RenV::
----a-w 132,496 2008-01-30 01:29:58 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 15,360 2008-02-02 17:39:50 C:\WINDOWS\system32\ctfmon .exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
  • 0

#6
befnme
Posted 03 February 2008 - 05:43 PM

befnme

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
thank you so much, all seems to be fixed now.
  • 0

#7
Rorschach112
Posted 03 February 2008 - 06:04 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Still go and post the logs please
  • 0

#8
Rorschach112
Posted 08 February 2008 - 07:37 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP