trojan.win32.killAV.oh [RESOLVED]


  • This topic is locked

#1
wheelhorse guy

    New Member

  • Member
  • 5 posts
:) I give up, need your help in properly removing this without creating more problems hopefully - please help!!! As you can see my AV Software isn't able to do it. What are your suggestions or instructions?

My HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:37:57 PM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\FSGK32.EXE
C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\EMBARQ Online Security\Common\FSMB32.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\EMBARQ Online Security\Common\FCH32.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsqh.exe
C:\Program Files\EMBARQ Online Security\Common\FAMEH32.EXE
C:\Program Files\EMBARQ Online Security\FSPC\fspc.exe
C:\Program Files\EMBARQ Online Security\FSGUI\fsguidll.exe
C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fssm32.exe
C:\Program Files\EMBARQ Online Security\FSAUA\program\fsus.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsav32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myembarq.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunKistEM] "C:\Program Files\Digital Media Reader\shwiconem.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\EMBARQ Online Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [QuickenScheduledUpdates] C:\Program Files\Quicken\billmind.exe
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.0xe
O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\Program Files\Common Files\Microsoft Shared\MSInfo\MSINF16H.EXE
O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\Program Files\Common Files\Microsoft Shared\MSInfo\MSINF16H.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Common Files\Microsoft Shared\MSInfo\MSINF16H.EXE
O8 - Extra context menu item: &Block this popup - C:\Program Files\EMBARQ Online Security\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll (file missing)
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: EMBARQ Online Security (BackWeb Plug-in - 7211241) - Unknown owner - C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 8895 bytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

My anti-virus software log:

Scanning Report
09 February 2008 10:59:03 - 12:43:04
Computer name: JOHNSON5
Scanning type: Perform full computer check
Target: C:\ D:\ + system + rootkits


--------------------------------------------------------------------------------

Result: 11 malware found
Trojan.Win32.KillAV.oh (virus)
C:\WINDOWS\hpfsched.0xe Action: FAILED
C:\Program Files\REGSHAVE\REGSHAVE.0XE Action: FAILED
C:\Program Files\QuickTime\qttask.0xe Action: FAILED
C:\Program Files\Quicken\billmind.0xe Action: FAILED
C:\Program Files\Java\jre1.6.0_03\bin\jusched.0xe Action: FAILED
C:\Program Files\iTunes\iTunesHelper.0xe Action: FAILED
C:\Program Files\Digital Media Reader\shwiconem.0xe Action: FAILED
C:\Program Files\CyberLink\PowerDVD\PDVDServ.0xe Action: FAILED
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.0xe Action: FAILED
Trojan-Downloader.SWF.Gida.a (virus)
C:\Documents and Settings\Lamby\Local Settings\Temporary Internet Files\Content.IE5\NTHMRT5N\gnida[1].0wf Action: FAILED
C:\Documents and Settings\Lamby\Local Settings\Temporary Internet Files\Content.IE5\4DYN4LYZ\gnida[1].0wf Action: FAILED



--------------------------------------------------------------------------------

Riskware found
RemoteAdmin.Win32.WinVNC-based.b (riskware)
C:\Documents and Settings\Owner\Local Settings\Temp\EMBARQ\software\EMBARQSoftware.exe
C:\Documents and Settings\Owner\Local Settings\Temp\EMBARQ\software\VirtualAssistant.exe


--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 311959
Not scanned: 47
Result:
Viruses: 11
Spyware: 0
Suspicious items: 0
Riskware: 2
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
Quarantined: 0
Failed: 11
Boot Sectors:
Scanned: 1
Infected: 0
Suspicious items: 0
Disinfected: 0
Files not scanned:
Cannot open file (click here for more info) C:\HIBERFIL.SYS
Cannot open file (click here for more info) C:\PAGEFILE.SYS
Cannot open file (click here for more info) C:\WINDOWS\TEMP\PERFLIB_PERFDATA_868.DAT
Cannot open a file in archive C:\WINDOWS\SYSTEM32\BIOS1.ROM
Cannot open file (click here for more info) C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
Cannot open file (click here for more info) C:\WINDOWS\SYSTEM32\CONFIG\SAM
Cannot open file (click here for more info) C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
Cannot open file (click here for more info) C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
Cannot open file (click here for more info) C:\WINDOWS\SYSTEM32\CATROOT2\EDB.LOG
Cannot open file (click here for more info) C:\WINDOWS\SYSTEM32\CATROOT2\TMP.EDB
Cannot open a file in archive bios1.rom
Cannot open a file in archive C:\WINDOWS\.JAGEX_CACHE_32\RUNESCAPE\MAIN_FILE_CACHE.DAT2
Cannot open a file in archive C:\PROGRAM FILES\RAGE\INCOMING\ASC\PADS\PAD2.CTL
Cannot open a file in archive C:\PROGRAM FILES\LIMEWIRE\DOWNLOADS\PINK - STUPID GIRLS.MP3
Cannot open a file in archive C:\PROGRAM FILES\FINEPIXVIEWER\RESOURCE\IIPARAM\SETUP\DSC\SETUP12_10.DAT
Cannot open a file in archive C:\PROGRAM FILES\FINEPIXVIEWER\EXTENSIONS\HELPERS\MVFILTERS\PARAM\SETUP\SRGB\SETUP12_10.DAT
Cannot open a file in archive C:\PROGRAM FILES\FINEPIXVIEWER\EXTENSIONS\HELPERS\MVFILTERS\PARAM\SETUP\DSC\SETUP12_10.DAT
Cannot open file (click here for more info) C:\PROGRAM FILES\EMBARQ ONLINE SECURITY\COMMON\POLICY.IPF
Cannot open a file in archive C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\GRPHFLT\MS.PCT
Cannot open a file in archive C:\DOCUMENTS AND SETTINGS\ALL USERS.LOG
Cannot open a file in archive C:\DOCUMENTS AND SETTINGS\DEFAULT USER.LOG
Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\OWNER\NTUSER.DAT
Cannot open a file in archive C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\MY PICTURES\IPOD PHOTO CACHE\F33\T845.ITHMB
Cannot open a file in archive C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\MY PICTURES\IPOD PHOTO CACHE\F32\T844.ITHMB
Cannot open a file in archive C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\MY PICTURES\IPOD PHOTO CACHE\F29\T637.ITHMB
Cannot open a file in archive C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\MY PICTURES\IPOD PHOTO CACHE\F28\T636.ITHMB
Cannot open a file in archive C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\MY PICTURES\IPOD PHOTO CACHE\F27\T635.ITHMB
Cannot open a file in archive C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\MY PICTURES\IPOD PHOTO CACHE\F26\T634.ITHMB
Cannot open a file in archive C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\MY PICTURES\IPOD PHOTO CACHE\F25\T276.ITHMB
Cannot open a file in archive C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\MY PICTURES\IPOD PHOTO CACHE\F25\T633.ITHMB
Cannot open a file in archive C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\MY PICTURES\IPOD PHOTO CACHE\F24\T275.ITHMB
Cannot open a file in archive C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\MY PICTURES\IPOD PHOTO CACHE\F24\T632.ITHMB
Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT
Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT
Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
File D:\i386\Apps\App30921\vs\agentins.ui\agentins.ini is encrypted
File D:\i386\Apps\App30921\vs\vsoins.ui\common_utils.js is encrypted
File D:\i386\Apps\App30921\vs\shared\agentcfg.cab\screm.ui\agntcons.vbs is encrypted
File D:\i386\Apps\App30921\msk\agentins.ui\agentins.ini is encrypted
File D:\i386\Apps\App30921\msk\mskins.ui\appcons.vbs is encrypted
File D:\i386\Apps\App30921\msk\shared\agentcfg.cab\screm.ui\agntcons.vbs is encrypted
File D:\i386\Apps\App30921\mpf\agentins.ui\agentins.ini is encrypted
File D:\i386\Apps\App30921\mpf\mpfins.ui\appcons.vbs is encrypted
File D:\i386\Apps\App30921\mpf\shared\agentcfg.cab\screm.ui\agntcons.vbs is encrypted
File D:\i386\Apps\App30921\mpf\mpfplus\en-us\us\mpfcfg.cab\mpfrem.ui\appconst.vbs is encrypted


--------------------------------------------------------------------------------

Options
Definitions version:
Viruses: 2008-02-09_01
Spyware: 2008-02-09_01
Scanning Engines:
F-Secure AVP: 7.00.171, 2008-02-09
F-Secure Libra: 2.04.01, 2008-02-07
F-Secure Orion: 1.02.37, 2008-02-09
F-Secure Draco: 1.00.35, 2008-02-04
F-Secure BlackLight: 1.00.54
Scanning options:
Scan all files
Scan inside archives
Actions:
Viruses: Ask after scan
Spyware: Ask after scan
Show suspicious items after a full computer check

--------------------------------------------------------------------------------

Error information
"Cannot open file" error occurred:
The "Cannot open file" error message means that the scanner was unable to open a file and that this file was not scanned. You can normally ignore this error message as there are many reasons for this message that do not imply a security threat, including:
The file was a system file. System files are protected by the operation system by design. You can ignore this message in this case.
You do not have permission to read the file. To scan the file, log in with a user account with sufficient permissions (for example the computer's administrator account) and rescan.
The file was in use by an application when the scan was performed. To scan this file, close all applications and rescan.

--------------------------------------------------------------------------------


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#2
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

1. Download combofix at http://www.techsuppo...Bs/ComboFix.exe or http://download.blee...Bs/ComboFix.exe
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.

#3
wheelhorse guy

    New Member

  • Topic Starter
  • Member
  • 5 posts
Thanks for your assistance, much appreciated!!!

Here is my combofix log:

ComboFix 08-02-18.1 - Owner 2008-02-17 18:25:27.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.368 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\FF1DIOJI\ComboFix[1].exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-01-18 to 2008-02-18 )))))))))))))))))))))))))))))))
.

2008-02-13 21:13 . 2008-02-13 21:13 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\pdf995
2008-02-13 21:13 . 2008-02-13 21:13 28 --a------ C:\WINDOWS\pdf995.ini
2008-02-13 21:10 . 2008-02-13 21:11 <DIR> d-------- C:\Program Files\pdf995
2008-02-13 21:10 . 2008-02-13 21:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\pdf995
2008-02-13 21:10 . 2008-02-13 21:10 249,856 --a------ C:\WINDOWS\system32\pdfmona.dll
2008-02-13 21:10 . 2008-02-13 21:10 51,716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-02-13 21:10 . 2008-02-13 21:13 59 --a------ C:\WINDOWS\wpd99.drv
2008-02-13 20:31 . 2008-02-13 20:31 <DIR> d-------- C:\PureSight
2008-02-09 14:37 . 2008-02-09 14:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-09 10:49 . 2008-02-09 10:49 134 --a------ C:\WINDOWS\system32\CTSTATUS.FCS
2008-02-09 10:34 . 2008-02-09 10:34 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\F-Secure
2008-02-09 10:28 . 2007-11-01 05:42 57,824 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
2008-02-09 10:28 . 2008-02-13 15:54 30,016 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys
2008-02-09 10:26 . 2008-02-14 03:06 <DIR> d-------- C:\Program Files\EMBARQ Online Security
2008-02-09 10:26 . 2008-02-09 10:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\fssg
2008-02-09 10:26 . 2008-02-09 10:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\F-Secure
2008-02-09 10:23 . 2008-02-09 10:23 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-02-09 09:54 . 2004-08-27 03:54 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-02-09 09:54 . 2005-10-30 05:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-02-09 09:54 . 2005-10-30 06:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-02-09 09:54 . 2006-09-27 19:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-02-09 07:41 . 2008-02-09 07:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-09 07:41 . 2008-02-09 07:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-08 00:00 . 2008-02-08 04:27 143 --a------ C:\infect.htm
2008-02-08 00:00 . 2008-02-08 04:17 137 --a------ C:\error.htm
2008-02-04 20:27 . 2008-02-04 20:27 <DIR> d-------- C:\WINDOWS\bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-18 00:07 --------- d-----w C:\Program Files\Quicken
2008-02-18 00:04 18,880 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-02-11 13:04 --------- d-----w C:\Program Files\REGSHAVE
2008-02-11 13:04 --------- d-----w C:\Program Files\QuickTime
2008-02-11 13:04 --------- d-----w C:\Program Files\Digital Media Reader
2008-02-09 16:01 --------- d-----w C:\Program Files\Virtual Assistant
2008-02-09 16:01 --------- d-----w C:\Program Files\FinePixViewer
2008-02-09 13:41 --------- d-----w C:\Program Files\Lavasoft
2008-02-08 06:26 --------- d-----w C:\Program Files\iTunes
2008-01-14 18:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2007-12-25 17:36 --------- d-----w C:\Program Files\Java
2007-12-18 13:46 2,180 ----a-w C:\Documents and Settings\Lamby\Application Data\wklnhst.dat
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-07 00:44 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-11-25 16:32 77,824 ----a-w C:\WINDOWS\zipexe_r.exe
2007-04-07 03:45 10,240 --sha-w C:\WINDOWS\rnapxs\rnapxs.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-r 313,472 2006-03-30 21:45:08 C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe

----a-w 32,768 2004-11-03 04:24:46 C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe

----a-w 135,168 2004-11-15 23:04:32 C:\Program Files\Digital Media Reader\bak\shwiconem.exe

----a-w 256,576 2006-10-30 15:36:36 C:\Program Files\iTunes\bak\iTunesHelper.exe

----a-w 132,496 2007-09-25 07:11:35 C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe

----a-w 34,080 2007-09-20 23:09:18 C:\Program Files\Quicken\bak\billmind.exe

----a-w 282,624 2006-10-26 00:58:18 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 53,248 2002-02-05 03:32:10 C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE

----a-w 35,328 1998-08-05 18:00:22 C:\WINDOWS\bak\hpfsched.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"QuickenScheduledUpdates"="C:\Program Files\Quicken\billmind.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [ ]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [ ]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 17:07 90112 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 13:00 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-09-18 10:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 13:00 33280 C:\WINDOWS\system32\rundll32.exe]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"hpfsched"="C:\WINDOWS\hpfsched.exe" [ ]
"F-Secure Manager"="C:\Program Files\EMBARQ Online Security\Common\FSM32.exe" [2007-11-01 05:42 182936]
"F-Secure TNB"="C:\Program Files\EMBARQ Online Security\FSGUI\TNBUtil.exe" [2007-11-01 05:42 739936]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Event Reminder.lnk - C:\pmw\PMREMIND.EXE [1997-07-30 08:05:58 255408]
wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2005-10-30 05:04:10 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2005-10-30 05:16:44 2168360]

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2007-11-01 05:42]
R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\EMBARQ Online Security\HIPS\fshs.sys [2008-02-13 15:53]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\EMBARQ Online Security\Anti-Virus\minifilter\fsgk.sys [2007-11-01 05:42]
S2 BackWeb Plug-in - 7211241;EMBARQ Online Security;C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE []
S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\EMBARQ Online Security\Anti-Virus\Win2K\FSfilter.sys [2007-11-01 05:42]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\EMBARQ Online Security\Anti-Virus\Win2K\FSrec.sys [2007-11-01 05:42]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97401071-4932-11da-95ca-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b462ef81-4ca6-11da-8ce3-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cec000c0-cc21-11da-95f3-0040cab0e7e9}]
\Shell\AutoRun\command - J:\JDSecure\Windows\JDSecure31.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e8a360e1-6121-11da-b4dd-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-02-04 18:22:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-18 00:00:42 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\PROGRA~1\EMBARQ~1\ANTI-V~1\fsav.exeQ /HARD /POLICY /SCHED /NOBREAK /REPORT=C:\PROGRA~1\EMBARQ~1\ANTI-V~1\report.txt
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 18:27:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-17 18:28:18
ComboFix-quarantined-files.txt 2008-02-18 00:28:15
.
2008-02-14 09:02:59 --- E O F ---

#4
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click 'Opera' at the top and choose 'Select All'
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

File::
C:\infect.htm
C:\error.htm

RENV::
C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe
C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe
C:\Program Files\Digital Media Reader\bak\shwiconem.exe
C:\Program Files\iTunes\bak\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe
C:\Program Files\Quicken\bak\billmind.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE
C:\WINDOWS\bak\hpfsched.exe

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.
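The RENV:: list above names the nine originals that ComboFix's AWF section found under bak\ folders, and the F-Secure report lists the same nine programs under .0xe names. As an added example (not code from the thread, from ComboFix or from F-Secure), the Python below shows the check a responder could run before writing such a script: it parses the O4 Run lines from the HijackThis log and flags every entry whose target executable has a same-named copy in a sibling bak\ folder or a .0xe twin. The file listing it checks against is constructed from the paths quoted in the two logs so the script runs offline; on a live machine the same check would be made against the disk.

```python
import re
from pathlib import PureWindowsPath

# O4 autorun lines copied from the HijackThis log in this thread (a subset).
HJT_O4_LINES = [
    r'O4 - HKLM\..\Run: [SunKistEM] "C:\Program Files\Digital Media Reader\shwiconem.exe"',
    r'O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"',
    r'O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE',
    r'O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE',
    r'O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"',
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"',
    r'O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe',
    r'O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE" /splash',
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r'O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9',
    r'O4 - HKCU\..\Run: [QuickenScheduledUpdates] C:\Program Files\Quicken\billmind.exe',
]

# Constructed file-system snapshot: the .0xe names from the F-Secure report,
# the bak\ originals from ComboFix's AWF section, and three untouched targets.
PRESENT_FILES = {
    r'C:\WINDOWS\hpfsched.0xe',
    r'C:\Program Files\REGSHAVE\REGSHAVE.0XE',
    r'C:\Program Files\QuickTime\qttask.0xe',
    r'C:\Program Files\Quicken\billmind.0xe',
    r'C:\Program Files\Java\jre1.6.0_03\bin\jusched.0xe',
    r'C:\Program Files\iTunes\iTunesHelper.0xe',
    r'C:\Program Files\Digital Media Reader\shwiconem.0xe',
    r'C:\Program Files\CyberLink\PowerDVD\PDVDServ.0xe',
    r'C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.0xe',
    r'C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe',
    r'C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe',
    r'C:\Program Files\Digital Media Reader\bak\shwiconem.exe',
    r'C:\Program Files\iTunes\bak\iTunesHelper.exe',
    r'C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe',
    r'C:\Program Files\Quicken\bak\billmind.exe',
    r'C:\Program Files\QuickTime\bak\qttask.exe',
    r'C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE',
    r'C:\WINDOWS\bak\hpfsched.exe',
    r'C:\WINDOWS\soundman.exe',
    r'C:\Program Files\Messenger\msmsgs.exe',
    r'C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE',
}

# "O4 - HKLM\..\Run: [Name] command line"
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')


def target_path(cmd):
    """Pull the executable path out of a Run command line.

    Quoted paths end at the closing quote; unquoted ones end at the first
    .exe followed by whitespace or end of string (arguments are dropped)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 1 else None
    m = re.match(r'(\S.*?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else None


def parse_o4(line):
    """Return (entry name, executable path) for an O4 Run line, else None."""
    m = O4_RE.match(line)
    if not m:
        return None
    return m.group('name'), target_path(m.group('cmd'))


def displaced_copies(exe_path, present_lower):
    """List the sibling files suggesting exe_path was swapped out.

    present_lower is a set of lower-cased paths (NTFS names are
    case-insensitive, and the logs mix REGSHAVE.EXE with REGSHAVE.0XE)."""
    p = PureWindowsPath(exe_path)
    findings = []
    bak_copy = p.parent / 'bak' / p.name
    if str(bak_copy).lower() in present_lower:
        findings.append(('original moved to bak\\', str(bak_copy)))
    if p.suffix.lower() == '.exe':
        renamed = p.with_suffix('.0xe')
        if str(renamed).lower() in present_lower:
            findings.append(('copy renamed to .0xe', str(renamed)))
    return findings


def scan_autoruns(lines, present=PRESENT_FILES):
    """Map each autorun entry name to the evidence that its target was displaced."""
    present_lower = {f.lower() for f in present}
    report = {}
    for line in lines:
        parsed = parse_o4(line)
        if not parsed or parsed[1] is None:
            continue
        name, exe = parsed
        findings = displaced_copies(exe, present_lower)
        if findings:
            report[name] = findings
    return report


if __name__ == '__main__':
    for name, findings in scan_autoruns(HJT_O4_LINES).items():
        print(f'[{name}]')
        for reason, path in findings:
            print(f'    {reason}: {path}')
```

Run against the constructed snapshot, the nine flagged entries are exactly the nine paths in the RENV:: list; SoundMan, MSMSGS and F-Secure Manager, whose targets have no bak\ or .0xe neighbours, are not reported.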

#5
wheelhorse guy

    New Member

  • Topic Starter
  • Member
  • 5 posts
I have a silly problem - I can't seem to find ComboFix.exe to drag the CFScript.txt into it. I've done all the other steps but am stuck. I'm thinking I apparently didn't originally download ComboFix onto the desktop and run it from there so could it have ended up in a temp folder, prefetch or somewhere else that the ATF Cleaner just removed??? I've searched the whole C: drive and ComboFix.exe doesn't come up.

Where did I go wrong? How can I get back on track?? Sorry... :)

#6
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Just download it again and save it to your desktop this time :)

#7
wheelhorse guy

    New Member

  • Topic Starter
  • Member
  • 5 posts
Thanks greyknight17, I thought that was going to be the direction but I don't have a good understanding of what ComboFix is actually doing - I believe I earned my stripes on my propeller beanie as a new member on that one... :)

Thanks again for your patience, and let me know what is next.

Here is the log:

ComboFix 08-02-18.1 - Owner 2008-02-18 22:21:10.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.386 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\error.htm
C:\infect.htm
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\error.htm
C:\infect.htm

.
((((((((((((((((((((((((( Files Created from 2008-01-19 to 2008-02-19 )))))))))))))))))))))))))))))))
.

2008-02-13 21:13 . 2008-02-13 21:13 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\pdf995
2008-02-13 21:13 . 2008-02-13 21:13 28 --a------ C:\WINDOWS\pdf995.ini
2008-02-13 21:10 . 2008-02-13 21:11 <DIR> d-------- C:\Program Files\pdf995
2008-02-13 21:10 . 2008-02-13 21:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\pdf995
2008-02-13 21:10 . 2008-02-13 21:10 249,856 --a------ C:\WINDOWS\system32\pdfmona.dll
2008-02-13 21:10 . 2008-02-13 21:10 51,716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-02-13 21:10 . 2008-02-13 21:13 59 --a------ C:\WINDOWS\wpd99.drv
2008-02-13 20:31 . 2008-02-13 20:31 <DIR> d-------- C:\PureSight
2008-02-09 14:37 . 2008-02-09 14:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-09 10:49 . 2008-02-09 10:49 134 --a------ C:\WINDOWS\system32\CTSTATUS.FCS
2008-02-09 10:34 . 2008-02-09 10:34 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\F-Secure
2008-02-09 10:28 . 2007-11-01 05:42 57,824 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
2008-02-09 10:28 . 2008-02-13 15:54 30,016 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys
2008-02-09 10:26 . 2008-02-14 03:06 <DIR> d-------- C:\Program Files\EMBARQ Online Security
2008-02-09 10:26 . 2008-02-09 10:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\fssg
2008-02-09 10:26 . 2008-02-09 10:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\F-Secure
2008-02-09 10:23 . 2008-02-09 10:23 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-02-09 09:54 . 2004-08-27 03:54 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-02-09 09:54 . 2005-10-30 05:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-02-09 09:54 . 2005-10-30 06:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-02-09 09:54 . 2006-09-27 19:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-02-09 07:41 . 2008-02-09 07:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-09 07:41 . 2008-02-09 07:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-04 20:27 . 2008-02-04 20:27 <DIR> d-------- C:\WINDOWS\bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-18 21:03 19,188 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-02-18 00:07 --------- d-----w C:\Program Files\Quicken
2008-02-11 13:04 --------- d-----w C:\Program Files\REGSHAVE
2008-02-11 13:04 --------- d-----w C:\Program Files\QuickTime
2008-02-11 13:04 --------- d-----w C:\Program Files\Digital Media Reader
2008-02-09 16:01 --------- d-----w C:\Program Files\Virtual Assistant
2008-02-09 16:01 --------- d-----w C:\Program Files\FinePixViewer
2008-02-09 13:41 --------- d-----w C:\Program Files\Lavasoft
2008-02-08 06:26 --------- d-----w C:\Program Files\iTunes
2008-01-14 18:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2007-12-25 17:36 --------- d-----w C:\Program Files\Java
2007-12-18 13:46 2,180 ----a-w C:\Documents and Settings\Lamby\Application Data\wklnhst.dat
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-07 00:44 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-11-25 16:32 77,824 ----a-w C:\WINDOWS\zipexe_r.exe
2007-04-07 03:45 10,240 --sha-w C:\WINDOWS\rnapxs\rnapxs.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-r 313,472 2006-03-30 21:45:08 C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe

----a-w 32,768 2004-11-03 04:24:46 C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe

----a-w 135,168 2004-11-15 23:04:32 C:\Program Files\Digital Media Reader\bak\shwiconem.exe

----a-w 256,576 2006-10-30 15:36:36 C:\Program Files\iTunes\bak\iTunesHelper.exe

----a-w 132,496 2007-09-25 07:11:35 C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe

----a-w 34,080 2007-09-20 23:09:18 C:\Program Files\Quicken\bak\billmind.exe

----a-w 282,624 2006-10-26 00:58:18 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 53,248 2002-02-05 03:32:10 C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE

----a-w 35,328 1998-08-05 18:00:22 C:\WINDOWS\bak\hpfsched.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"QuickenScheduledUpdates"="C:\Program Files\Quicken\billmind.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [ ]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [ ]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 17:07 90112 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 13:00 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-09-18 10:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 13:00 33280 C:\WINDOWS\system32\rundll32.exe]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"hpfsched"="C:\WINDOWS\hpfsched.exe" [ ]
"F-Secure Manager"="C:\Program Files\EMBARQ Online Security\Common\FSM32.exe" [2007-11-01 05:42 182936]
"F-Secure TNB"="C:\Program Files\EMBARQ Online Security\FSGUI\TNBUtil.exe" [2007-11-01 05:42 739936]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Event Reminder.lnk - C:\pmw\PMREMIND.EXE [1997-07-30 08:05:58 255408]
wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2005-10-30 05:04:10 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2005-10-30 05:16:44 2168360]

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2007-11-01 05:42]
R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\EMBARQ Online Security\HIPS\fshs.sys [2008-02-13 15:53]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\EMBARQ Online Security\Anti-Virus\minifilter\fsgk.sys [2007-11-01 05:42]
S2 BackWeb Plug-in - 7211241;EMBARQ Online Security;C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE []
S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\EMBARQ Online Security\Anti-Virus\Win2K\FSfilter.sys [2007-11-01 05:42]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\EMBARQ Online Security\Anti-Virus\Win2K\FSrec.sys [2007-11-01 05:42]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97401071-4932-11da-95ca-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b462ef81-4ca6-11da-8ce3-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cec000c0-cc21-11da-95f3-0040cab0e7e9}]
\Shell\AutoRun\command - J:\JDSecure\Windows\JDSecure31.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e8a360e1-6121-11da-b4dd-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-02-18 18:22:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-19 00:00:56 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\PROGRA~1\EMBARQ~1\ANTI-V~1\fsav.exeQ /HARD /POLICY /SCHED /NOBREAK /REPORT=C:\PROGRA~1\EMBARQ~1\ANTI-V~1\report.txt
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-18 22:23:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-18 22:23:44
ComboFix-quarantined-files.txt 2008-02-19 04:23:37
ComboFix2.txt 2008-02-18 00:28:19
.
2008-02-14 09:02:59 --- E O F ---

#8 greyknight17 (Malware Expert, Visiting Consultant)
No problem. Don't worry about it. Combofix is not a tool you want to be using alone as it can cause damage...

So, how's everything running so far? :)

Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.

#9 wheelhorse guy (New Member, Topic Starter)
Yes, it appears to be clean and it appears to be working well with only one exception. The only thing I've noticed that isn't working, which I believe the virus affected, is in my Quicken software. When I try to launch the billminder (billmind.Oxe) it says it can't be found, and I can't seem to locate it either. Do you recommend I just back up my data and then reload the software, or is there another recommendation to get that working correctly again? I noticed billmind.Oxe was one spot the virus was detected before...

Also, I've seen instructions on other posts at GTG about uninstalling combofix - can I just go ahead and do that?

Again, thanks so much for your help on this; you did a great job in a relatively short time. :)

#10 greyknight17 (Malware Expert, Visiting Consultant)
Yes, please back up any templates/data you have for Quicken and reinstall it. The same applies for the programs below, which were affected:

C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe
C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe
C:\Program Files\Digital Media Reader\bak\shwiconem.exe
C:\Program Files\iTunes\bak\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE
C:\WINDOWS\bak\hpfsched.exe

They may malfunction due to that infection.

You may go ahead with the combofix removal tool. Go to Start->Run and type in combofix /u to get it removed.

No problem. Glad to help out. Sorry it took so long for us to get back to your initial posts. It's very crowded in the forums :)
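The list of affected programs above is what the AWF section and the Reg Loading Points section of the ComboFix log give when read together. As an added example that is not part of greyknight17's reply or of ComboFix itself, this Python script parses a constructed excerpt modelled on that log, recovers each original path from its bak copy, and flags the Run entries whose target ComboFix printed with empty brackets (assumed here to mean the file was not found at that path).

```python
import re

# Constructed excerpt modelled on the AWF and Reg Loading Points sections of the log above.
SAMPLE_LOG = r'''
((((((((((((((((((((( AWF )))))))))))))))))))))
----a-w 32,768 2004-11-03 04:24:46 C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe
----a-w 282,624 2006-10-26 00:58:18 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 35,328 1998-08-05 18:00:22 C:\WINDOWS\bak\hpfsched.exe
((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [ ]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 17:07 90112 C:\WINDOWS\soundman.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"hpfsched"="C:\WINDOWS\hpfsched.exe" [ ]
'''

# AWF lines: attributes, size, date, time, then a path containing a \bak\ component.
AWF_RE = re.compile(r'^[-a-z]+\s+[\d,]+\s+\S+\s+\S+\s+(.+\\bak\\.+)$', re.M)
# Run-key lines: "name"="target" [details]; assumption: empty details mean the file was not found.
RUN_RE = re.compile(r'^"[^"]+"="([^"]+)"\s+\[(.*?)\]\s*$', re.M)

def awf_backups(log):
    """Paths ComboFix listed under AWF: the originals the infection moved into a bak folder."""
    return AWF_RE.findall(log)

def run_entries(log):
    """Map each Run-key target (lower-cased) to whether ComboFix found the file."""
    return {target.lower(): bool(details.strip())
            for target, details in RUN_RE.findall(log)}

def original_path(bak_path):
    """Drop the 'bak' directory component to recover the path the Run entry expects."""
    return re.sub(r'\\bak\\', r'\\', bak_path, count=1)

def affected_programs(log):
    """One (expected exe, backup copy, Run entry points at a missing file) row per AWF line."""
    found = run_entries(log)
    rows = []
    for bak in awf_backups(log):
        orig = original_path(bak)
        rows.append((orig, bak, found.get(orig.lower()) is False))
    return rows

if __name__ == '__main__':
    for orig, bak, missing in affected_programs(SAMPLE_LOG):
        print(f'{orig}  backup: {bak}  Run entry target missing: {missing}')
```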

#11 greyknight17 (Malware Expert, Visiting Consultant)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.