help webbuying [RESOLVED]



#1
cokane
Member, 61 posts
Logfile of HijackThis v1.99.1
Scan saved at 10:18:30 AM, on 2/19/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\spywear\Owner.exe

O2 - BHO: 0 - {09EA7AA7-084D-4A70-CAB5-255FDF6B5D9C} - C:\Program Files\MSN\lavuqaj.dll
O2 - BHO: (no name) - {C415010D-9BF9-4EB6-B500-33D373FD535D} - C:\Program Files\Online Services\naqudan89104.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Igc] C:\WINDOWS\??sembly\n?tdde.exe
O4 - HKCU\..\Run: [xInsIDE] C:\Program Files\xInsIDE\xInsIDE.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: Sysosavi - {5565E69B-A763-4AB7-86FA-7DEE64B1269B} - C:\WINDOWS\System32\liboheng.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

#2
miekiemoes
Malware Expert, MVP, 5,503 posts
Hi,

Your system is severely infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it will be like searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL the problems this malware has already caused.

In light of this, it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean it up manually, the damage that is already present may interfere with our removal attempts.

This actually doesn't surprise me at all...

I understand that you need help in order to get rid of the malware that is present on your system - but you need to help us first.
I notice that you never scanned with an antivirus before starting this thread - because you don't even have an antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free antivirus.

Perform a full scan with Avira and let it delete everything it finds.
Then reboot.
After the reboot, open Avira and select "Reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply, together with a new HijackThis log.
Then we'll start from there, because otherwise it really makes no sense for us to clean this up manually if no antivirus is present that should be able to deal with most of it and prevent further reinfection.

#3
cokane
Topic Starter, Member, 61 posts
I would like to give more info but my browser keeps closing down on me. Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:50 AM, on 2/20/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\gsdfr5yhgjng.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\xInsIDE\xInsIDE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: 0 - {065639B6-E1AE-4F39-039E-ED448A115021} - C:\Program Files\MSN\lavuqaj48.dll (file missing)
O2 - BHO: (no name) - {8EE4E8F7-679F-47A9-97B7-00B18F3451BA} - C:\WINDOWS\System32\cmpbk3.dll
O2 - BHO: (no name) - {C415010D-9BF9-4EB6-B500-33D373FD535D} - C:\Program Files\Online Services\naqudan89104.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Igc] C:\WINDOWS\??sembly\n?tdde.exe
O4 - HKCU\..\Run: [xInsIDE] C:\Program Files\xInsIDE\xInsIDE.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [IESet] IExplorer.dll .dbt (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O21 - SSODL: Sysosavi - {5565E69B-A763-4AB7-86FA-7DEE64B1269B} - C:\WINDOWS\System32\liboheng.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 3512 bytes

AntiVir PersonalEdition Classic
Report file date: Wednesday, February 20, 2008 09:44

Scanning for 1118258 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 1) [5.1.2600]
Username: SYSTEM
Computer name: NONE-IN6FRH4HL5

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 19:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 18:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 21:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 18:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 20:27:15
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 12/14/2007 14:44:00
ANTIVIR2.VDF : 7.0.2.113 1673728 Bytes 2/8/2008 14:44:00
ANTIVIR3.VDF : 7.0.2.167 305664 Bytes 2/20/2008 14:44:00
AVEWIN32.DLL : 7.6.0.67 3293696 Bytes 2/20/2008 14:44:00
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 16:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 13:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 19:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 2/20/2008 14:44:00
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 13:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 18:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 13:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 17:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 18:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 18:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 15:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Wednesday, February 20, 2008 09:44

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'taskmgr.exe' - '1' Module(s) have been scanned
Scan process 'WasherSvc.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
22 processes with 22 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '20' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\89ABCDEF\2892gazvkyoa[1].exe
[DETECTION] Is the Trojan horse TR/Dropper.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\89ABCDEF\CA3T1ZD3.htm
[DETECTION] Contains detection pattern of the HTML script virus HTML/Infected.WebPage.Gen
[INFO] The file was moved to '47ef3e5b.qua'!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\89ABCDEF\CANZL5P1.htm
[DETECTION] Contains detection pattern of the HTML script virus HTML/Infected.WebPage.Gen
[INFO] The file was moved to '480a3e5c.qua'!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\CA43Q7KV.htm
[DETECTION] Contains detection pattern of the HTML script virus HTML/Infected.WebPage.Gen
[INFO] The file was moved to '47f03e63.qua'!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\tk58[1].exe
[DETECTION] Is the Trojan horse TR/BHO.AB.4
[INFO] The file was deleted!
C:\Program Files\MSN\lavuqaj.dll
[DETECTION] Is the Trojan horse TR/BHO.AB.6
[INFO] The file was deleted!
C:\Program Files\MSN\lavuqaj33.dll
[DETECTION] Is the Trojan horse TR/BHO.AB.6
[INFO] The file was deleted!
C:\Program Files\MSN\lavuqaj48.dll
[DETECTION] Is the Trojan horse TR/BHO.AB.6
[INFO] The file was deleted!
C:\Program Files\MSN\lavuqaj888.dll
[DETECTION] Is the Trojan horse TR/BHO.AB.6
[INFO] The file was deleted!
C:\QooBox\Quarantine\catchme2008-02-17_102247.25.zip
[0] Archive type: ZIP
--> pmnnl.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
--> pmnnl.dll.1
[DETECTION] Is the Trojan horse TR/Trash.Gen
--> yayyaaa.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\QooBox\Quarantine\catchme2008-02-19_100308.29.zip
[0] Archive type: ZIP
--> ddcca.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
--> ddcca.dll.1
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was deleted!
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinAdmin.exe.vir
[DETECTION] Is the Trojan horse TR/Dldr.Purity.BV.7
[INFO] The file was deleted!
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinUninstaller.exe.vir
[DETECTION] Contains detection pattern of the dropper DR/PurityScan.GP
[INFO] The file was deleted!
C:\QooBox\Quarantine\C\Program Files\MSN\lavuqaj.dll.vir
[DETECTION] Is the Trojan horse TR/BHO.AB.6
[INFO] The file was deleted!
C:\QooBox\Quarantine\C\Program Files\MSN\lavuqaj10.dll.vir
[DETECTION] Is the Trojan horse TR/BHO.AB.6
[INFO] The file was deleted!
C:\QooBox\Quarantine\C\Program Files\MSN\lavuqaj43.dll.vir
[DETECTION] Is the Trojan horse TR/BHO.AB.6
[INFO] The file was deleted!
C:\QooBox\Quarantine\C\Program Files\MSN\lavuqaj878.dll.vir
[DETECTION] Is the Trojan horse TR/BHO.AB.6
[INFO] The file was deleted!
C:\QooBox\Quarantine\C\Program Files\Temporary\InsiDERIns.exe.vir
[DETECTION] Is the Trojan horse TR/Agent.fow.2
[INFO] The file was deleted!
C:\QooBox\Quarantine\C\WINDOWS\mrofinu1000106.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\QooBox\Quarantine\C\WINDOWS\mrofinu572.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\QooBox\Quarantine\C\WINDOWS\tk58.exe.vir
[DETECTION] Is the Trojan horse TR/BHO.AB.4
[INFO] The file was deleted!
C:\QooBox\Quarantine\C\WINDOWS\amFtZXM\command.exe.vir
[DETECTION] Is the Trojan horse TR/Spy.Banbra.df.199
[INFO] The file was deleted!
C:\QooBox\Quarantine\C\WINDOWS\system32\ddcca.dll.vir
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was deleted!
C:\QooBox\Quarantine\C\WINDOWS\system32\fccayyv.dll.vir
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\QooBox\Quarantine\C\WINDOWS\system32\opnkjhi.dll.vir
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\QooBox\Quarantine\C\WINDOWS\system32\pmnnl.dll.vir
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was deleted!
C:\QooBox\Quarantine\C\WINDOWS\system32\tuvvvvv.dll.vir
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was deleted!
C:\QooBox\Quarantine\C\WINDOWS\system32\yayyaaa.dll.vir
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was deleted!
C:\QooBox\Quarantine\C\WINDOWS\system32\a1\tliamdll2.exe.vir
[DETECTION] Is the Trojan horse TR/Dldr.CWS.gen.2
[INFO] The file was deleted!
C:\QooBox\Quarantine\C\WINDOWS\system32\nGpxx01\nGpxx011065.exe.vir
[DETECTION] Is the Trojan horse TR/Dldr.VB.cgu.2
[INFO] The file was deleted!
C:\QooBox\Quarantine\C\WINDOWS\system32\p9\liopud89104.exe.vir
[DETECTION] Contains detection pattern of the dropper DR/TTC.D
[INFO] The file was deleted!
C:\QooBox\Quarantine\C\WINDOWS\system32\SSTEM~1\dllhost.exe.vir
[DETECTION] Is the Trojan horse TR/Dldr.PurityScan.FJ
[INFO] The file was deleted!
C:\System Volume Information\_restore{EDAF3163-403F-40F6-AC1F-D07563A12755}\RP2\A0000040.dll
[DETECTION] Is the Trojan horse TR/BHO.AB.6
[INFO] The file was deleted!
C:\System Volume Information\_restore{EDAF3163-403F-40F6-AC1F-D07563A12755}\RP2\A0000041.dll
[DETECTION] Is the Trojan horse TR/BHO.AB.6
[INFO] The file was deleted!
C:\System Volume Information\_restore{EDAF3163-403F-40F6-AC1F-D07563A12755}\RP2\A0000042.dll
[DETECTION] Is the Trojan horse TR/BHO.AB.6
[INFO] The file was deleted!
C:\System Volume Information\_restore{EDAF3163-403F-40F6-AC1F-D07563A12755}\RP2\A0000043.dll
[DETECTION] Is the Trojan horse TR/BHO.AB.6
[INFO] The file was deleted!
C:\WINDOWS\gfderygfh.exe
[DETECTION] Is the Trojan horse TR/Dldr.VB.VLG.36
[INFO] The file was deleted!
C:\WINDOWS\tk58.exe
[DETECTION] Is the Trojan horse TR/BHO.AB.4
[INFO] The file was deleted!
C:\WINDOWS\system32\cmpbk3.dll
[DETECTION] Is the Trojan horse TR/Delphi.Downloader.Gen
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\hjjtgyg.exe
[DETECTION] Is the Trojan horse TR/Dldr.VB.VLG.36
[INFO] The file was deleted!
C:\WINDOWS\system32\lanmanwrk.exe
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was deleted!


End of the scan: Wednesday, February 20, 2008 10:08
Used time: 23:34 min

The scan has been done completely.

3220 Scanning directories
109165 Files were scanned
41 viruses and/or unwanted programs were found
3 Files were classified as suspicious:
37 files were deleted
0 files were repaired
3 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
109124 Files not concerned
738 Archives were scanned
2 Warnings
0 Notes
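As an added example (not from this thread, nor from HijackThis or ComboFix), the following Python script triages the O2, O4 and O21 lines of a HijackThis log using the traits visible in the logs posted above: nameless or orphaned BHOs, Run entries whose file name contains unrenderable characters or no absolute path, legacy RunServices entries, and ShellServiceObjectDelayLoad entries outside an assumed allow-list of stock XP names. The rules and the KNOWN_SSODL set are my assumptions; the sample lines are copied from the logs in this thread.

```python
"""Triage helper for HijackThis log lines.

Added example for this thread; it is not part of the thread, of HijackThis or of
ComboFix. The rules below are heuristics derived from the entries the expert acted
on above, and KNOWN_SSODL is an assumed allow-list of stock Windows XP entries.
"""
import re
from dataclasses import dataclass

# O2: browser helper objects.  O4: Run-key autostarts.  O21: ShellServiceObjectDelayLoad.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O21_RE = re.compile(r"^O21 - SSODL: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")

# Absolute Windows path, optionally quoted: "C:\..." or C:\...
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')

# Assumed allow-list: SSODL names present on a stock Windows XP install.
KNOWN_SSODL = {"WebCheck", "PostBootReminder", "CDBurn", "SysTray", "UPnPMonitor"}

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: 0 - {065639B6-E1AE-4F39-039E-ED448A115021} - C:\Program Files\MSN\lavuqaj48.dll (file missing)
O2 - BHO: (no name) - {C415010D-9BF9-4EB6-B500-33D373FD535D} - C:\Program Files\Online Services\naqudan89104.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [Igc] C:\WINDOWS\??sembly\n?tdde.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O21 - SSODL: Sysosavi - {5565E69B-A763-4AB7-86FA-7DEE64B1269B} - C:\WINDOWS\System32\liboheng.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""


@dataclass
class Finding:
    section: str
    line: str
    reasons: list


def check_o2(m):
    reasons = []
    # Legitimate BHOs carry a product name; "0" / "(no name)" is what the BHOs above show.
    if m["name"].strip() in ("", "0", "(no name)"):
        reasons.append("nameless BHO")
    if "(file missing)" in m["path"]:
        reasons.append("BHO registration points at a missing file")
    return reasons


def check_o4(m):
    reasons = []
    cmd = m["cmd"]
    if m["key"].lower().startswith("runservices"):
        reasons.append("legacy RunServices key")
    # Characters the tool or the forum could not render show up as '?' (see ??sembly\n?tdde.exe above).
    if "?" in cmd:
        reasons.append("unprintable characters in the file name")
    if not ABS_PATH_RE.match(cmd):
        reasons.append("command is not an absolute path")
    return reasons


def check_o21(m):
    # SSODL objects are loaded into explorer.exe at logon; anything not on the allow-list gets a look.
    if m["name"] in KNOWN_SSODL:
        return []
    return ["unknown SSODL entry loaded into explorer.exe"]


CHECKS = (("O2", O2_RE, check_o2), ("O4", O4_RE, check_o4), ("O21", O21_RE, check_o21))


def triage(log_text):
    """Return a Finding for every O2/O4/O21 line that trips at least one rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for section, pattern, check in CHECKS:
            m = pattern.match(line)
            if m is None:
                continue
            reasons = check(m)
            if reasons:
                findings.append(Finding(section, line, reasons))
            break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.line}\n    -> {'; '.join(f.reasons)}")
```

Running it on the sample flags the two BHOs, both IESet entries, the Igc entry and the Sysosavi SSODL object, and leaves the QuickTime and MySpaceIM lines alone.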

#4
miekiemoes
Malware Expert, MVP, 5,503 posts
The reason why your system is crashing all the time is because your system is severely infected!

Anyway, perform the next steps in the right order...

Please download DAFT and save it to your desktop:
  • Double-click the daft.exe icon.
  • Click on the Scan button.
  • Select everything it is displaying there.
  • Click the Fix button.
  • Then rescan with DAFT again - it should now say that "All associations are OK".
  • Close DAFT if you receive that message. This means that it is fixed now.
Then,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#5
cokane
Topic Starter, Member, 61 posts
I was trying to install the Recovery Console but my desktop won't read the CD and I can't even get it to boot from it when I go into the BIOS and set up the boot sequence. The computer is getting old and if I have to buy a new XP CD I might be better off getting a new computer.

#6
cokane
Topic Starter, Member, 61 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:12:18 PM, on 2/20/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\xInsIDE\xInsIDE.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: 0 - {065639B6-E1AE-4F39-039E-ED448A115021} - C:\Program Files\MSN\lavuqaj48.dll (file missing)
O2 - BHO: (no name) - {C415010D-9BF9-4EB6-B500-33D373FD535D} - C:\Program Files\Online Services\naqudan89104.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Igc] C:\WINDOWS\??sembly\n?tdde.exe
O4 - HKCU\..\Run: [xInsIDE] C:\Program Files\xInsIDE\xInsIDE.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O21 - SSODL: Sysosavi - {5565E69B-A763-4AB7-86FA-7DEE64B1269B} - C:\WINDOWS\System32\liboheng.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 3009 bytes

ComboFix 08-02-17.2 - Owner 2008-02-20 15:05:14.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.452 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cmpbk3.dll
C:\WINDOWS\system32\drivers\qbrjjuzw.dat
C:\windows\system32\explorer.exe
C:\WINDOWS\system32\iexplorer.dll .dbt
C:\WINDOWS\system32\lanmandrv.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CTXMURMJ
-------\ctxmurmj


((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.

2008-02-20 09:39 . 2008-02-20 09:39 <DIR> d-------- C:\Program Files\Avira
2008-02-20 09:39 . 2008-02-20 09:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-02-19 13:22 . 2008-02-19 13:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-19 10:23 . 2008-02-19 10:23 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-19 10:23 . 2008-02-19 10:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-19 10:12 . 2008-02-19 10:12 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-19 10:12 . 2001-08-17 22:36 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
2008-02-19 10:12 . 2001-08-17 22:36 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll
2008-02-19 10:12 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll
2008-02-19 10:12 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101c.dll
2008-02-19 10:12 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101b.dll
2008-02-19 10:12 . 2001-08-17 14:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbd103.dll
2008-02-19 10:10 . 2008-02-19 10:10 <DIR> d-------- C:\Deckard
2008-02-19 09:54 . 2008-02-19 09:54 36,864 --a------ C:\WINDOWS\system32\fwehg.exe
2008-02-19 09:54 . 2008-02-19 09:54 36,864 --a------ C:\WINDOWS\gsdfr5yhgjng.exe
2008-02-19 09:48 . 2008-02-19 09:48 612 --a------ C:\wr5rbs.exe
2008-02-19 09:47 . 2008-02-19 09:47 <DIR> d-------- C:\Program Files\xInsIDE
2008-02-18 15:46 . 2008-02-18 15:46 <DIR> d-------- C:\VundoFix Backups
2008-02-18 15:31 . 2008-02-19 09:54 20,480 --a------ C:\WINDOWS\quit.exe
2008-02-16 17:56 . 2008-02-16 17:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-02-02 18:32 . 2002-08-29 03:41 150,528 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-02-02 18:32 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-01-22 20:00 . 2008-02-19 19:44 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-22 20:00 . 2008-01-22 20:00 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-19 15:07 --------- d-----w C:\Program Files\Soulseek-Test
2008-02-19 15:07 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-02-16 23:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-16 23:07 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-08 14:32 152,648 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_02_08_09_25_07_small.dmp.zip
2007-10-26 12:48 137,727 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_24_19_32_46_small.dmp.zip
2007-08-19 01:39 75,921 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_08_12_06_07_15_small.dmp.zip
2007-08-19 01:39 133,265 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_08_12_06_01_19_small.dmp.zip
2007-07-29 15:01 130,622 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_07_23_01_31_16_small.dmp.zip
2007-07-29 15:01 116,427 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_07_23_06_39_56_small.dmp.zip
2007-05-20 01:52 127,581 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_05_19_17_11_10_small.dmp.zip
2007-05-18 00:52 137,149 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_05_17_11_58_10_small.dmp.zip
2006-12-24 00:44 133,124 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_12_23_08_31_02_small.dmp.zip
2006-01-31 21:33 443,774 ----a-w C:\Documents and Settings\Owner\ac3filter_1_01a_rc5.exe
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 49,152 2005-05-12 03:12:54 C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe

----a-w 278,528 2006-02-23 19:45:20 C:\Program Files\iTunes\bak\iTunesHelper.exe

----a-w 36,975 2005-11-10 18:03:52 C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe

----a-w 1,511,453 2002-08-20 20:08:38 C:\Program Files\Messenger\bak\msmsgs.exe

----a-w 212,992 2005-02-26 00:28:03 C:\Program Files\Nero\data\Xtras\bak\mssysmgr.exe

----a-w 77,824 2006-04-10 00:28:43 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 282,624 2007-04-27 13:41:54 C:\Program Files\QuickTime\qttask.exe

----a-w 3,096,576 2005-12-08 18:55:10 C:\Program Files\Yahoo!\Messenger\bak\ypager.exe

----a-w 118,784 2003-10-02 18:19:44 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 155,648 2003-10-02 18:37:36 C:\WINDOWS\system32\bak\igfxtray.exe

----a-w 155,648 2001-07-09 15:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe

----a-w 22,016 2003-10-10 07:08:45 C:\WINDOWS\system32\PAL\KLP\bak\explorer.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{065639B6-E1AE-4F39-039E-ED448A115021}]
C:\Program Files\MSN\lavuqaj48.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C415010D-9BF9-4EB6-B500-33D373FD535D}]
2008-02-07 20:07 217088 --a------ C:\Program Files\Online Services\naqudan89104.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2007-09-05 14:43 1261384]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54 5674352]
"Igc"="C:\WINDOWS\??sembly\n?tdde.exe" [ ]
"xInsIDE"="C:\Program Files\xInsIDE\xInsIDE.exe" [2008-02-19 09:47 53248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41 282624]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-20 09:43 249896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 19:04 5562368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Sysosavi"= {5565E69B-A763-4AB7-86FA-7DEE64B1269B} - C:\WINDOWS\System32\liboheng.dll [2003-07-16 15:31 835584]

R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys [2007-07-18 14:22]
R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys [2007-08-09 13:04]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\AN983.sys [2002-08-28 21:59]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-20 20:00:00 C:\WINDOWS\Tasks\B7B2F95D98256BD9.job"
- c:\docume~1\owner\applic~1\acehel~1\Acideachinside.exe
"2008-02-20 20:09:57 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 15:10:19
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2800.1106]
-> C:\WINDOWS\System32\liboheng.dll
-> C:\WINDOWS\System32\autumrip.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
.
**************************************************************************
.
Completion time: 2008-02-20 15:11:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-20 20:11:46
ComboFix2.txt 2008-02-19 15:05:01
ComboFix3.txt 2008-02-17 15:28:14
ComboFix4.txt 2007-11-15 23:17:43
ComboFix5.txt 2007-11-12 23:30:44

#7
miekiemoes
Malware Expert, MVP, 5,503 posts
Please read the Combofix instructions where it is explained how to install the Recovery console with Combofix.
You don't need your cd for that.

#8 miekiemoes (Malware Expert, MVP, 5,503 posts)
The reason why Recovery Console is recommended is because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged. Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

So after you have installed the Recovery Console,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\Tasks\B7B2F95D98256BD9.job
C:\Program Files\Online Services\naqudan89104.dll
C:\wr5rbs.exe
C:\WINDOWS\quit.exe
C:\WINDOWS\system32\fwehg.exe
C:\WINDOWS\gsdfr5yhgjng.exe
Folder::
C:\Documents and Settings\All Users\Application Data\Rabio
C:\VundoFix Backups
C:\Program Files\xInsIDE
Collect::[8]
C:\WINDOWS\System32\autumrip.dll
C:\WINDOWS\System32\liboheng.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{065639B6-E1AE-4F39-039E-ED448A115021}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C415010D-9BF9-4EB6-B500-33D373FD535D}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Igc"=-
"xInsIDE"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Sysosavi"=-


Save this as text file CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.
* it will create a zipped file on your Desktop - [8]-Submit_Date_Time.zip
* another file will be present on your desktop: CF-Submit.htm which will open after you ran Combofix.
* Where it says: "Submit files for further analysis", click OK and a browser window will open. There you'll see: "copy/paste filepath into the box & click OK". You'll find the filepath below, so copy and paste this in the above field and click OK.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
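A parser for the CFScript layout used in the post above, added here as an example and not code from the thread or from ComboFix. The directive and registry-line rules it enforces are an assumption about the format as it appears in this thread, and the embedded script is a subset of the one posted above; the parser turns it into a reviewable plan before anything is run.

```python
"""Parse a ComboFix CFScript into a removal plan (added example, not ComboFix
code). Assumed format, matching the script posted above: a directive line ends
in '::' (Collect:: may carry a [tag]), path sections list absolute Windows
paths, and Registry:: uses regedit syntax ('[-KEY]' deletes a key, '"name"=-'
deletes a value under the most recent key)."""
import re

# Subset of the CFScript posted in this thread (constructed sample input).
SAMPLE_CFSCRIPT = r"""File::
C:\WINDOWS\Tasks\B7B2F95D98256BD9.job
C:\Program Files\Online Services\naqudan89104.dll
Folder::
C:\Program Files\xInsIDE
Collect::[8]
C:\WINDOWS\System32\autumrip.dll
C:\WINDOWS\System32\liboheng.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C415010D-9BF9-4EB6-B500-33D373FD535D}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Igc"=-
"xInsIDE"=-
"""

DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)::(?:\[([^\]]*)\])?$")
KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+\\.*)\]$")
VALUE_DELETE_RE = re.compile(r'^"([^"]+)"=-$')
PATH_RE = re.compile(r"^[A-Za-z]:\\")

def parse_cfscript(text):
    """Return the plan: path lists per section plus registry actions."""
    plan = {"File": [], "Folder": [], "Collect": [], "Registry": [], "collect_tag": None}
    section, current_key = None, None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = DIRECTIVE_RE.match(line)
        if m:
            section = m.group(1)
            if section not in ("File", "Folder", "Collect", "Registry"):
                raise ValueError(f"unknown directive: {line}")
            if section == "Collect":
                plan["collect_tag"] = m.group(2)
            current_key = None
            continue
        if section is None:
            raise ValueError(f"entry before any directive: {line}")
        if section != "Registry":
            if not PATH_RE.match(line):
                raise ValueError(f"{section}:: entry is not an absolute path: {line}")
            plan[section].append(line)
            continue
        k = KEY_RE.match(line)
        if k:
            current_key = k.group(2)
            if k.group(1):  # leading '-' means delete the whole key
                plan["Registry"].append(("delete_key", current_key, None))
            continue
        v = VALUE_DELETE_RE.match(line)
        if v and current_key:
            plan["Registry"].append(("delete_value", current_key, v.group(1)))
            continue
        raise ValueError(f"unrecognised Registry:: line: {line}")
    return plan
```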

#9 cokane (Topic Starter, Member, 61 posts)
I do the steps; it opens up the System Properties but nothing downloads.

Click on the Start button.

Click on the Run menu option.

In the Open: field type the following: sysdm.cpl and then click on the OK button.

A screen will appear showing information about your installation. Under the System: category you should see your Windows version and the installed Service Pack. When you are done determining this information continue with Step 2.


Once the Microsoft file has finished downloading, you should drag it on top of the ComboFix icon and let your mouse button go. This is shown in the following image.

#10 cokane (Topic Starter, Member, 61 posts)
What should I do with the zip file after I sent it?

ComboFix 08-02-17.2 - Owner 2008-02-20 19:00:12.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.441 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\Online Services\naqudan89104.dll
C:\WINDOWS\gsdfr5yhgjng.exe
C:\WINDOWS\quit.exe
C:\WINDOWS\system32\fwehg.exe
C:\WINDOWS\Tasks\B7B2F95D98256BD9.job
C:\wr5rbs.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Rabio
C:\Program Files\Online Services\naqudan89104.dll
C:\Program Files\xInsIDE
C:\Program Files\xInsIDE\xInsIDE.exe
C:\VundoFix Backups
C:\WINDOWS\gsdfr5yhgjng.exe
C:\WINDOWS\quit.exe
C:\WINDOWS\System32\autumrip.dll
C:\WINDOWS\system32\fwehg.exe
C:\WINDOWS\System32\liboheng.dll
C:\WINDOWS\Tasks\B7B2F95D98256BD9.job
C:\wr5rbs.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-21 to 2008-02-21 )))))))))))))))))))))))))))))))
.

2008-02-20 09:39 . 2008-02-20 09:39 <DIR> d-------- C:\Program Files\Avira
2008-02-20 09:39 . 2008-02-20 09:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-02-19 13:22 . 2008-02-19 13:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-19 10:23 . 2008-02-19 10:23 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-19 10:23 . 2008-02-19 10:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-19 10:12 . 2008-02-19 10:12 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-19 10:12 . 2001-08-17 22:36 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
2008-02-19 10:12 . 2001-08-17 22:36 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll
2008-02-19 10:12 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll
2008-02-19 10:12 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101c.dll
2008-02-19 10:12 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101b.dll
2008-02-19 10:12 . 2001-08-17 14:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbd103.dll
2008-02-19 10:10 . 2008-02-19 10:10 <DIR> d-------- C:\Deckard
2008-02-02 18:32 . 2002-08-29 03:41 150,528 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-02-02 18:32 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-01-22 20:00 . 2008-02-19 19:44 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-22 20:00 . 2008-01-22 20:00 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-19 15:07 --------- d-----w C:\Program Files\Soulseek-Test
2008-02-19 15:07 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-02-16 23:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-08 14:32 152,648 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_02_08_09_25_07_small.dmp.zip
2007-10-26 12:48 137,727 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_24_19_32_46_small.dmp.zip
2007-08-19 01:39 75,921 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_08_12_06_07_15_small.dmp.zip
2007-08-19 01:39 133,265 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_08_12_06_01_19_small.dmp.zip
2007-07-29 15:01 130,622 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_07_23_01_31_16_small.dmp.zip
2007-07-29 15:01 116,427 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_07_23_06_39_56_small.dmp.zip
2007-05-20 01:52 127,581 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_05_19_17_11_10_small.dmp.zip
2007-05-18 00:52 137,149 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_05_17_11_58_10_small.dmp.zip
2006-12-24 00:44 133,124 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_12_23_08_31_02_small.dmp.zip
2006-01-31 21:33 443,774 ----a-w C:\Documents and Settings\Owner\ac3filter_1_01a_rc5.exe
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 49,152 2005-05-12 03:12:54 C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe

----a-w 278,528 2006-02-23 19:45:20 C:\Program Files\iTunes\bak\iTunesHelper.exe

----a-w 36,975 2005-11-10 18:03:52 C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe

----a-w 1,511,453 2002-08-20 20:08:38 C:\Program Files\Messenger\bak\msmsgs.exe

----a-w 212,992 2005-02-26 00:28:03 C:\Program Files\Nero\data\Xtras\bak\mssysmgr.exe

----a-w 77,824 2006-04-10 00:28:43 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 282,624 2007-04-27 13:41:54 C:\Program Files\QuickTime\qttask.exe

----a-w 3,096,576 2005-12-08 18:55:10 C:\Program Files\Yahoo!\Messenger\bak\ypager.exe

----a-w 118,784 2003-10-02 18:19:44 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 155,648 2003-10-02 18:37:36 C:\WINDOWS\system32\bak\igfxtray.exe

----a-w 155,648 2001-07-09 15:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe

----a-w 22,016 2003-10-10 07:08:45 C:\WINDOWS\system32\PAL\KLP\bak\explorer.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2007-09-05 14:43 1261384]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41 282624]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-20 09:43 249896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 19:04 5562368]

R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys [2007-07-18 14:22]
R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys [2007-08-09 13:04]
R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-09-05 14:43]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\AN983.sys [2002-08-28 21:59]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-21 00:04:30 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 19:04:20
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-02-20 19:05:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-21 00:05:49
ComboFix2.txt 2008-02-20 20:11:56
ComboFix3.txt 2008-02-19 15:05:01
ComboFix4.txt 2008-02-17 15:28:14
ComboFix5.txt 2007-11-15 23:17:43

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:09:51 PM, on 2/20/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 2452 bytes

#11 cokane (Topic Starter, Member, 61 posts)
I think everything is fixed and I thank you for the help; I have been using the computer without any problems. But I would still like to resolve the Recovery Console.
Once again, I thank you.

#12 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hi,

For the recovery console, you can skip it if you want, but if you really want to install it:

STEP #1

Go to Microsoft's website => http://www.microsoft...05-719f45c382a4
Download the winxpsp1_en_hom_bf.exe and save it on your desktop

STEP #2

Drag the winxpsp1_en_hom_bf.exe file you've downloaded from the Microsoft website into Combofix.exe as you see in the image below:

Posted Image

This will install the Recovery console.

Then,

* Please download the following file to your desktop:
http://noahdfear.gee...com/FindAWF.exe

* Start FindAWF.exe
Select option 2 by pressing 2 and then enter. A text file will open (files.txt).
In that files.txt, copy & paste the following list of files to be restored:

"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"
"C:\Program Files\Messenger\bak\msmsgs.exe"
"C:\Program Files\Nero\data\Xtras\bak\mssysmgr.exe"
"C:\Program Files\Yahoo!\Messenger\bak\ypager.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\bak\igfxtray.exe"
"C:\WINDOWS\system32\bak\NeroCheck.exe"
"C:\WINDOWS\system32\PAL\KLP\bak\explorer.exe"


Close the files.txt and click Yes to save the changes.
FindAWF will now terminate the bad processes if running, delete the bad files and restore/replace them with the good files.
Then it will open a log. Copy and paste the contents of that log in your next reply.

Edited to add the download link for FindAWF

Edited by miekiemoes, 21 February 2008 - 05:53 AM.
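Added example, not FindAWF's own code (which this thread does not show): a Python audit of the "bak" folder pattern behind the FindAWF step above and the "Duplicate files of bak directory contents" listing later in the thread. It walks a tree, pairs every file inside a "bak" folder with the same-named file beside it, and says which pairs need a look; the directory tree is constructed here from file names in the report, with made-up contents.

```python
"""Audit 'bak' folders of the kind FindAWF reports (added example, not
FindAWF's own code). AWF-style infections move a legitimate autostart
executable into a sibling 'bak' folder and leave their own file in its
place, so each 'bak' entry is compared with the same-named file beside it."""
import hashlib
import os
import tempfile

def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def find_bak_pairs(root):
    """One record per file inside any directory named 'bak' under root."""
    records = []
    for dirpath, _dirs, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        for name in sorted(filenames):
            bak, live = os.path.join(dirpath, name), os.path.join(parent, name)
            rec = {"name": name, "bak_size": os.path.getsize(bak),
                   "live_size": None, "identical": None}
            if os.path.isfile(live):  # live counterpart exists: compare hashes
                rec["live_size"] = os.path.getsize(live)
                rec["identical"] = _sha256(live) == _sha256(bak)
            records.append(rec)
    return records

def classify(records):
    """Map each bak file name to the action a reviewer should consider."""
    verdicts = {}
    for r in records:
        if r["live_size"] is None:
            verdicts[r["name"]] = "restore: no live file beside the bak copy"
        elif r["identical"]:
            verdicts[r["name"]] = "cleanup: bak copy identical to live file"
        else:
            verdicts[r["name"]] = "inspect: live file differs from bak copy"
    return verdicts

def build_sample_tree(root):
    """Constructed tree using file names from the FindAWF report; contents made up."""
    files = {
        "WINDOWS/system32/hkcmd.exe": b"REPLACEMENT" * 64,              # differs from bak
        "WINDOWS/system32/bak/hkcmd.exe": b"ORIGINAL" * 64,
        "Program Files/iTunes/bak/iTunesHelper.exe": b"ORIGINAL" * 32,  # live file gone
        "Program Files/QuickTime/qttask.exe": b"SAME" * 16,             # identical pair
        "Program Files/QuickTime/bak/qttask.exe": b"SAME" * 16,
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

def run_demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return classify(find_bak_pairs(root))
```

On a real machine the "inspect" verdict is the one that matters: as the report later in this thread shows for qttask.exe, a live file that differs from its bak copy may be a legitimate newer version rather than a replacement, so compare before restoring.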


#13 cokane (Topic Starter, Member, 61 posts)
Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Thu 02/21/2008
The current time is: 9:22:34.59


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

02/23/2006 02:45 PM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

08/20/2002 03:08 PM 1,511,453 msmsgs.exe
1 File(s) 1,511,453 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

04/09/2006 07:28 PM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

10/02/2003 01:19 PM 118,784 hkcmd.exe
10/02/2003 01:37 PM 155,648 igfxtray.exe
07/09/2001 10:50 AM 155,648 NeroCheck.exe
3 File(s) 430,080 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

05/11/2005 10:12 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

#14 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hi,

In FindAWF, select option 3, by pressing 3 and then enter.
This will open the text file folders.txt
Copy and paste the following list in it:

C:\Program Files\HP\HP Software Update\bak
C:\Program Files\iTunes\bak
C:\Program Files\Java\jre1.5.0_06\bin\bak
C:\Program Files\Messenger\bak
C:\Program Files\Nero\data\Xtras\bak
C:\Program Files\Yahoo!\Messenger\bak
C:\WINDOWS\system32\bak
C:\WINDOWS\system32\PAL\KLP\bak


Then close folders.txt and let it save the changes.
FindAWF will now remove the bak folders and open a log afterwards.
Copy and paste the contents of that log in your next reply.

Edited by miekiemoes, 21 February 2008 - 08:53 AM.


#15 cokane (Topic Starter, Member, 61 posts)
Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Thu 02/21/2008
The current time is: 10:48:28.10


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

04/09/2006 07:28 PM 77,824 qttask.exe
1 File(s) 77,824 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

282624 Apr 27 2007 "C:\Program Files\QuickTime\qttask.exe"
77824 Apr 9 2006 "C:\Program Files\QuickTime\bak\qttask.exe"


end of report