Slow Internet Connection, keep getting disconnected and Pop ups [RESOL


This topic is locked.

#1 tenny10 (New Member, 7 posts)
I am a complete newbie that has unfortunately been struck with some type of virus or trojan or something, I don't even know what. I have posted the HijackThis log below. Please help me out. My computer is driving me nuts. Please be as detailed as possible when providing a solution. Greatly appreciated, and you guys ROCK!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:39:29 PM, on 2/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\XoftSpySE\XoftSpy.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [301881a5] rundll32.exe "C:\WINDOWS\system32\kckmtydr.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1196836493562
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{32DCA582-5C86-4721-B04A-26C5BA2B3C4E}: NameServer = 10.1.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{32DCA582-5C86-4721-B04A-26C5BA2B3C4E}: NameServer = 10.1.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{32DCA582-5C86-4721-B04A-26C5BA2B3C4E}: NameServer = 10.1.1.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{32DCA582-5C86-4721-B04A-26C5BA2B3C4E}: NameServer = 10.1.1.1
O20 - AppInit_DLLs: cru629.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
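An added example, written by the editor and not part of tenny10's post or of HijackThis itself: a small Python triage script that reads HJT-format lines like the ones in the log above and flags the indicators a helper looks at first. The heuristics are assumptions, not HijackThis rules: a Run value whose name is eight hex digits (the 301881a5 entry), a rundll32 command loading a DLL with a vowel-poor random-looking stem (kckmtydr.dll), a populated AppInit_DLLs value, a NameServer outside RFC 1918 space, and an O23 service whose binary is reported missing or whose path has no file extension. The sample lines are copied from the logs in this thread, except the 203.0.113.9 NameServer line, which is constructed to exercise the DNS check.

```python
"""Triage HijackThis-format log lines for the autorun indicators seen in
this thread. Added example by the editor; not code from the post or from
HijackThis. Heuristics and thresholds are assumptions, not HJT rules."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the logs in this thread, plus one
# NameServer line (203.0.113.9) made up to exercise the DNS check.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [301881a5] rundll32.exe "C:\WINDOWS\system32\kckmtydr.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{32DCA582-5C86-4721-B04A-26C5BA2B3C4E}: NameServer = 10.1.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{32DCA582-5C86-4721-B04A-26C5BA2B3C4E}: NameServer = 203.0.113.9
O20 - AppInit_DLLs: cru629.dat
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
RUN_ENTRY = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
RUNDLL_DLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)
NAMESERVER = re.compile(r"NameServer = (?P<ns>[\d.]+)")
SERVICE = re.compile(r"^Service: (?P<desc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# Only the three RFC 1918 blocks count as "local" here; this is deliberately
# narrower than ipaddress.is_private, which also covers documentation ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def looks_random(stem: str) -> bool:
    """Heuristic: 6-12 letters with a vowel share of 25% or less.
    Catches kckmtydr / tnppvnfb style names; it will also hit some legitimate
    short names, so it is applied only to DLLs loaded through rundll32."""
    s = stem.lower()
    if not (6 <= len(s) <= 12 and s.isalpha()):
        return False
    return sum(c in "aeiou" for c in s) / len(s) <= 0.25


def is_hex_token(name: str) -> bool:
    """Run value names that are exactly 8 hex digits (e.g. 301881a5) look generated."""
    return re.fullmatch(r"[0-9a-f]{8}", name.lower()) is not None


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def triage(text: str) -> list:
    """Return one Finding per indicator, in log order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O4":
            e = RUN_ENTRY.search(body)
            if e and is_hex_token(e["name"]):
                findings.append(Finding(section, "Run value named like a generated hex token", line))
            d = RUNDLL_DLL.search(body)
            if d:
                stem = d["dll"].replace("\\", "/").rsplit("/", 1)[-1][:-4]
                if looks_random(stem):
                    findings.append(Finding(section, "rundll32 loads a DLL with a random-looking name", line))
        elif section == "O17":
            n = NAMESERVER.search(body)
            if n and not is_rfc1918(n["ns"]):
                findings.append(Finding(section, "NameServer outside RFC 1918 space", line))
        elif section == "O20":
            if body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
                findings.append(Finding(section, "AppInit_DLLs is populated", line))
        elif section == "O23":
            s = SERVICE.match(body)
            if s:
                if "(file missing)" in s["path"]:
                    findings.append(Finding(section, "service binary not found on disk", line))
                path = s["path"].replace("(file missing)", "").strip()
                if "." not in path.rsplit("\\", 1)[-1]:
                    findings.append(Finding(section, "service path has no file extension", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

On the sample this produces seven findings. Two of them deserve a manual check before anything is fixed: the 10.1.1.1 NameServer is left alone because it is RFC 1918 (a home router), and the Spooler line is a known soft spot, since HijackThis 2.0.2 commonly reports spoolsv.exe as missing on XP systems where the file is present; a `dir C:\WINDOWS\system32\spoolsv.exe` settles it. The MSControlService entry, whose "binary" is the extension-less `C:\WINDOWS\system32\windows`, is the one that matters here.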


#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello tenny10

Welcome to G2Go. :)
===============
The first thing I will need you to do is to download this anti-virus program and install it, because you don't have any antivirus protection.
This is free.
AVG free
===================
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
================
After that download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#3 tenny10 (Topic Starter, New Member, 7 posts)
kahdah,

Thank you so much for your help. I REALLY appreciate it. I have listed below the new HijackThis log, along with the SDFix report log and the ComboFix log. Please let me know if there is anything else that I need to do. Thanks.

HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:11 AM, on 2/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1196836493562
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{32DCA582-5C86-4721-B04A-26C5BA2B3C4E}: NameServer = 10.1.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{32DCA582-5C86-4721-B04A-26C5BA2B3C4E}: NameServer = 10.1.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{32DCA582-5C86-4721-B04A-26C5BA2B3C4E}: NameServer = 10.1.1.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{32DCA582-5C86-4721-B04A-26C5BA2B3C4E}: NameServer = 10.1.1.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe




SDFIX REPORT LOG:
SDFix: Version 1.145

Run by Admin on Sat 02/23/2008 at 09:13 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name:
wer32

Path:
\??\C:\WINDOWS\system32\jkghje.dll

wer32 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Resetting AppInit_DLLs value


Rebooting


Infected beep.sys Found!

beep.sys File Locations:

"C:\WINDOWS\system32\dllcache\beep.sys" 29184 02/13/2008 09:37 PM

Infected File Listed Below:

C:\WINDOWS\system32\dllcache\beep.sys

File copied to Backups Folder
Attempting to replace beep.sys with original version


Original beep.sys Restored

"C:\WINDOWS\system32\dllcache\beep.sys" 4224 02/23/2008 03:25 AM
"C:\WINDOWS\system32\drivers\beep.sys" 4224 02/23/2008 03:25 AM



Checking Files :

Trojan Files Found:

C:\WPOHL.EXE - Deleted
C:\.protected - Deleted
C:\WINDOWS\system32\drivers\etc\.protected - Deleted
C:\WINDOWS\cru629.dat - Deleted
C:\WINDOWS\system32\cru629.dat - Deleted
C:\WINDOWS\system32\users32.dat - Deleted
C:\WINDOWS\system32\jkghje.dll - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-23 09:25:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 23 Feb 2008 25,712 ..SH. --- "C:\WINDOWS\system32\qnehgqxc.dllbox"
Tue 15 Jan 2008 6,912,420 A..H. --- "C:\Documents and Settings\All Users\Application Data\Google Updater\cache\BIT4EEB.tmp"

Finished!




COMBOFIX LOG:
ComboFix 08-02-23.2 - Admin 2008-02-23 9:38:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.93 [GMT -5:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\bfnvppnt.ini
C:\WINDOWS\system32\eexvacxa.dll
C:\WINDOWS\system32\envffdau.dll
C:\WINDOWS\system32\gxajrenp.dll
C:\WINDOWS\system32\homwfqww.dll
C:\WINDOWS\system32\isrgletc.ini
C:\WINDOWS\system32\jkkihec.dll
C:\WINDOWS\system32\jrjeksfq.dll
C:\WINDOWS\system32\jrnggecm.dll
C:\WINDOWS\system32\kckmtydr.dll
C:\WINDOWS\system32\kgpcwdka.ini
C:\WINDOWS\system32\kpoudgxa.dll
C:\WINDOWS\system32\oxgiawhc.dll
C:\WINDOWS\system32\qnehgqxc.dll
C:\WINDOWS\system32\qnehgqxc.dllbox
C:\WINDOWS\system32\qopqjtnl.dll
C:\WINDOWS\system32\rdytmkck.ini
C:\WINDOWS\system32\rvhqqlcn.ini
C:\WINDOWS\system32\slkaxrtm.dll
C:\WINDOWS\system32\srhbkaoy.ini
C:\WINDOWS\system32\tnppvnfb.dll
C:\WINDOWS\system32\tsvut.ini
C:\WINDOWS\system32\tsvut.ini2
C:\WINDOWS\system32\tuvst.dll
C:\WINDOWS\system32\usyiwgnp.ini
C:\WINDOWS\system32\vackxgrj.dll
C:\WINDOWS\system32\vvihsltf.dll
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\xtrbmbqe.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-23 to 2008-02-23 )))))))))))))))))))))))))))))))
.

2008-02-23 09:19 . 2008-02-23 09:19 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-02-23 09:12 . 2008-02-23 03:25 4,224 --a------ C:\WINDOWS\system32\drivers\beep.sys
2008-02-23 09:12 . 2008-02-23 03:25 4,224 --a--c--- C:\WINDOWS\system32\dllcache\beep.sys
2008-02-23 09:09 . 2008-02-23 09:09 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-23 09:01 . 2008-02-23 09:29 <DIR> d-------- C:\SDFix
2008-02-23 08:59 . 2008-02-23 08:59 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-22 23:46 . 2008-02-23 09:49 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-22 23:46 . 2008-02-22 23:46 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-22 22:39 . 2008-02-22 22:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-20 22:59 . 2008-02-20 23:01 <DIR> d-------- C:\Program Files\Google
2008-02-20 22:59 . 2008-02-23 08:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-02-16 10:10 . 2008-02-16 10:10 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-16 10:10 . 2008-02-16 10:10 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-16 09:46 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-16 09:46 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-16 09:46 . 2008-02-08 23:55 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-16 09:46 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-16 09:46 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-16 09:46 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-15 23:08 . 2008-02-16 09:47 2,942 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-13 23:30 . 2008-02-13 23:31 <DIR> d-------- C:\Program Files\XoftSpySE
2008-02-13 23:15 . 2008-02-13 23:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-13 23:13 . 2008-02-13 23:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-13 22:15 . 2008-02-13 22:15 16,384 --a------ C:\WINDOWS\system32\nod32se.exe
2008-02-13 22:09 . 2008-02-13 23:17 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Lavasoft
2008-02-13 22:08 . 2008-02-13 23:17 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-13 21:47 . 2008-02-14 11:48 534 --ahs---- C:\WINDOWS\system32\stfbcyit.ini
2008-02-13 21:41 . 2008-02-15 23:53 160,568 --a------ C:\WINDOWS\system32\winivstr.exe
2008-02-13 21:37 . 2008-02-13 21:37 49,664 --a------ C:\arbfikac.exe
2008-02-13 21:37 . 2008-02-13 21:37 10,101 --a------ C:\qsdjpwpb.exe
2008-02-13 21:37 . 2008-02-13 21:37 3,584 --a------ C:\qrwkjyd.exe
2008-01-26 11:11 . 2008-01-26 11:11 <DIR> d-------- C:\Program Files\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-21 04:52 --------- d-----w C:\Documents and Settings\Admin\Application Data\Azureus
2008-02-16 19:02 --------- d-----w C:\Documents and Settings\Admin\Application Data\LimeWire
2008-01-07 03:55 21,032 ----a-w C:\Documents and Settings\Admin\Application Data\GDIPFONTCACHEV1.DAT
2008-01-07 02:00 --------- d-----w C:\Program Files\MSECache
2008-01-02 01:40 --------- d-----w C:\Documents and Settings\Admin\Application Data\vlc
2008-01-02 01:39 --------- d-----w C:\Program Files\VideoLAN
2008-01-02 01:33 --------- d-----w C:\Program Files\LimeWire
2008-01-02 01:30 --------- d-----w C:\Program Files\eMule
2008-01-01 03:52 --------- d-----w C:\Program Files\Azureus
2007-12-31 04:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2007-12-24 05:54 --------- d-----w C:\Program Files\AIM6
2007-12-24 05:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-24 05:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Aim6"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-20 23:00 68856]
"eMuleAutoStart"="C:\Program Files\eMule\emule.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\System32\igfxtray.exe" [2005-07-19 18:09 94208]
"igfxhkcmd"="C:\WINDOWS\System32\hkcmd.exe" [2005-07-19 18:06 77824]
"igfxpers"="C:\WINDOWS\System32\igfxpers.exe" [2005-07-19 18:10 114688]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 12:48 761947]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 11:19 819200]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 11:17 970752]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-02-20 22:59:47 125624]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\301881a5]
C:\WINDOWS\system32\tnppvnfb.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\\Network Diagnostic\\xpnetdiag.exe:@xpsp3res.dll,-20000
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R3 tifm;tifm;C:\WINDOWS\system32\drivers\tifm.sys [2006-07-21 12:42]
S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []

.
Contents of the 'Scheduled Tasks' folder
"2008-02-18 14:12:15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-14 04:30:50 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-23 09:49:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-02-23 9:50:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-23 14:50:30
.
2008-02-13 08:03:41 --- E O F ---
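An added example by the editor, not from the thread or from ComboFix: a Python pass over the "Files Created" section of the ComboFix log above that groups newly created binaries by their creation minute. Files dropped together by one installer or dropper land in the same minute, and comparing each file's creation and modification times then separates files written in place (both stamps equal) from files copied or extracted from an archive (a copy on NTFS keeps the source's modification time but gets a fresh creation time). The sample lines are copied verbatim from the log in this post; the cluster threshold, the extension list and the labels are assumptions.

```python
"""Timeline clustering over the 'Files Created' section of a ComboFix log.
Added example by the editor; not code from the thread or from ComboFix.
The threshold, extension list and labels are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Sample input: lines copied from the ComboFix log in this post.
SAMPLE_CREATED = r"""
2008-02-23 09:12 . 2008-02-23 03:25 4,224 --a------ C:\WINDOWS\system32\drivers\beep.sys
2008-02-23 09:12 . 2008-02-23 03:25 4,224 --a--c--- C:\WINDOWS\system32\dllcache\beep.sys
2008-02-23 09:09 . 2008-02-23 09:09 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-16 09:46 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-16 09:46 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-16 09:46 . 2008-02-08 23:55 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-16 09:46 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-16 09:46 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-16 09:46 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-15 23:08 . 2008-02-16 09:47 2,942 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-13 22:15 . 2008-02-13 22:15 16,384 --a------ C:\WINDOWS\system32\nod32se.exe
2008-02-13 21:47 . 2008-02-14 11:48 534 --ahs---- C:\WINDOWS\system32\stfbcyit.ini
2008-02-13 21:41 . 2008-02-15 23:53 160,568 --a------ C:\WINDOWS\system32\winivstr.exe
2008-02-13 21:37 . 2008-02-13 21:37 49,664 --a------ C:\arbfikac.exe
2008-02-13 21:37 . 2008-02-13 21:37 10,101 --a------ C:\qsdjpwpb.exe
2008-02-13 21:37 . 2008-02-13 21:37 3,584 --a------ C:\qrwkjyd.exe
"""

# One ComboFix line: "<created> . <modified> <size|<DIR>> <attrs> <path>"
ENTRY = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>\S+) (?P<path>.+)$"
)
BINARY_EXT = {".exe", ".dll", ".sys"}   # assumption: what counts as a dropped binary
STAMP = "%Y-%m-%d %H:%M"
ROOT_FILE = re.compile(r"^[A-Za-z]:\\[^\\]+$")   # file directly under the drive root


@dataclass(frozen=True)
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]   # None for <DIR> lines
    attrs: str
    path: str

    @property
    def is_binary(self) -> bool:
        m = re.search(r"(\.[A-Za-z0-9]+)$", self.path)
        return bool(m) and m.group(1).lower() in BINARY_EXT


def parse_created(text: str) -> List[Entry]:
    out = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        out.append(Entry(datetime.strptime(m["created"], STAMP),
                         datetime.strptime(m["modified"], STAMP),
                         size, m["attrs"], m["path"]))
    return out


def binary_clusters(entries: List[Entry], min_files: int = 2) -> Dict[datetime, List[Entry]]:
    """Binaries grouped by creation minute; only groups of min_files or more survive."""
    by_minute = defaultdict(list)
    for e in entries:
        if e.is_binary:
            by_minute[e.created].append(e)
    return {k: v for k, v in by_minute.items() if len(v) >= min_files}


def describe(cluster: List[Entry]) -> str:
    """Written in place (created == modified) versus copied in from elsewhere."""
    if all(e.created == e.modified for e in cluster):
        return "written in place"
    if all(e.modified < e.created for e in cluster):
        return "copied or extracted (modified predates created)"
    return "mixed"


def root_drops(entries: List[Entry]) -> List[Entry]:
    """Binaries sitting directly in the drive root, a common dropper location."""
    return [e for e in entries if e.is_binary and ROOT_FILE.match(e.path)]


def cluster_summary(text: str, min_files: int = 2) -> List[Tuple[str, int, str]]:
    entries = parse_created(text)
    return [(minute.strftime(STAMP), len(files), describe(files))
            for minute, files in sorted(binary_clusters(entries, min_files).items())]


if __name__ == "__main__":
    for stamp, count, label in cluster_summary(SAMPLE_CREATED):
        print(f"{stamp}: {count} binaries, {label}")
    for e in root_drops(parse_created(SAMPLE_CREATED)):
        print(f"root drop: {e.path} ({e.size} bytes)")
```

On the sample this yields three clusters: the three executables in C:\ created and last written at 2008-02-13 21:37, i.e. written on the box at that moment and a few minutes ahead of winivstr.exe (21:41) and stfbcyit.ini (21:47); six executables created together at 2008-02-16 09:46 whose modification dates run from 2004 to 2008, i.e. copied in from elsewhere; and the two beep.sys copies created at 09:12 on 02-23, when SDFix restored them. Clustering does not by itself say which group is malicious; it tells the analyst which minutes to pivot on when reading the rest of the log.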

#4 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Please submit the following files to one of these online file scanners.
(All you have to do is copy and paste them in one at a time)

C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\system32\dllcache\beep.sys


Jotti File Scan
VirusTotal File Scan

This will produce a report after the scan is complete, please copy and paste those results in your next post.

#5 tenny10 (Topic Starter, New Member, 7 posts)
I am not sure if I did this right, but here are the scan results from Jotti File Scan:

C:\WINDOWS\system32\dllcache\beep.sys

Scan taken on 23 Feb 2008 17:58:41 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

C:\WINDOWS\system32\drivers\beep.sys

Last file scanned at least one scanner reported something about: _patch.zip (MD5: 84c92ab8885ed68599f92b8304abeb5e, size: 66885 bytes), detected by:

Scanner Malware name
A-Squared X
AntiVir TR/Agent.99840.A
ArcaVir X
Avast X
AVG Antivirus Generic5.WHM
BitDefender X
ClamAV X
CPsecure X
Dr.Web X
F-Prot Antivirus X
F-Secure Anti-Virus X
Fortinet X
Ikarus X
Kaspersky Anti-Virus X
NOD32 X
Norman Virus Control W32/Malware.ACEN
Panda Antivirus X
Rising Antivirus X
Sophos Antivirus X
VirusBuster X
VBA32 X

#6 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Yep you did it right.
==============
1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\system32\stfbcyit.ini
C:\WINDOWS\system32\winivstr.exe
C:\arbfikac.exe
C:\qsdjpwpb.exe
C:\qrwkjyd.exe
C:\WINDOWS\system32\tnppvnfb.dll
Folder::
C:\WINDOWS\system32\windows
C:\Program Files\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\301881a5]
Driver::
Microsoft cache control
MSControlService
Viewpoint Manager Service


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[image: animation showing CFScript.txt being dragged onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


#7 tenny10 (Topic Starter, New Member, 7 posts)
Here you go boss. Let me know what the next step is. Again thank you so much.

COMBOFIX LOG:
ComboFix 08-02-23.2 - Admin 2008-02-23 13:27:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.140 [GMT -5:00]
Running from: C:\Documents and Settings\Admin\Desktop\Anti-Virus Software\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\arbfikac.exe
C:\qrwkjyd.exe
C:\qsdjpwpb.exe
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\system32\stfbcyit.ini
C:\WINDOWS\system32\tnppvnfb.dll
C:\WINDOWS\system32\winivstr.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\arbfikac.exe
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Common\VistaBoot.sdll
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentMgr.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Cursors.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VETScriptInterpreter.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPSpeech.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo2.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\HostRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamConfig.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.xpt
C:\qrwkjyd.exe
C:\qsdjpwpb.exe
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\system32\stfbcyit.ini
C:\WINDOWS\system32\winivstr.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_MSCONTROLSERVICE
-------\LEGACY_VIEWPOINT_MANAGER_SERVICE
-------\MSControlService
-------\Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2008-01-23 to 2008-02-23 )))))))))))))))))))))))))))))))
.

2008-02-23 10:02 . 2008-02-23 10:03 1,158 --a------ C:\WINDOWS\mozver.dat
2008-02-23 09:19 . 2008-02-23 09:19 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-02-23 09:12 . 2008-02-23 03:25 4,224 --a--c--- C:\WINDOWS\system32\dllcache\beep.sys
2008-02-23 09:09 . 2008-02-23 09:09 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-23 09:01 . 2008-02-23 09:29 <DIR> d-------- C:\SDFix
2008-02-23 08:59 . 2008-02-23 08:59 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-22 23:46 . 2008-02-23 13:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-22 23:46 . 2008-02-22 23:46 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-22 22:39 . 2008-02-22 22:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-20 22:59 . 2008-02-20 23:01 <DIR> d-------- C:\Program Files\Google
2008-02-20 22:59 . 2008-02-23 08:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-02-16 10:10 . 2008-02-16 10:10 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-16 10:10 . 2008-02-16 10:10 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-16 09:46 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-16 09:46 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-16 09:46 . 2008-02-08 23:55 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-16 09:46 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-16 09:46 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-16 09:46 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-15 23:08 . 2008-02-16 09:47 2,942 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-13 23:30 . 2008-02-13 23:31 <DIR> d-------- C:\Program Files\XoftSpySE
2008-02-13 23:15 . 2008-02-13 23:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-13 23:13 . 2008-02-13 23:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-13 22:15 . 2008-02-13 22:15 16,384 --a------ C:\WINDOWS\system32\nod32se.exe
2008-02-13 22:09 . 2008-02-13 23:17 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Lavasoft
2008-02-13 22:08 . 2008-02-13 23:17 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-26 11:11 . 2008-01-26 11:11 <DIR> d-------- C:\Program Files\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-21 04:52 --------- d-----w C:\Documents and Settings\Admin\Application Data\Azureus
2008-02-16 19:02 --------- d-----w C:\Documents and Settings\Admin\Application Data\LimeWire
2008-01-07 03:55 21,032 ----a-w C:\Documents and Settings\Admin\Application Data\GDIPFONTCACHEV1.DAT
2008-01-07 02:00 --------- d-----w C:\Program Files\MSECache
2008-01-02 01:40 --------- d-----w C:\Documents and Settings\Admin\Application Data\vlc
2008-01-02 01:39 --------- d-----w C:\Program Files\VideoLAN
2008-01-02 01:33 --------- d-----w C:\Program Files\LimeWire
2008-01-02 01:30 --------- d-----w C:\Program Files\eMule
2008-01-01 03:52 --------- d-----w C:\Program Files\Azureus
2007-12-31 04:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2007-12-24 05:54 --------- d-----w C:\Program Files\AIM6
2007-12-24 05:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Aim6"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-20 23:00 68856]
"eMuleAutoStart"="C:\Program Files\eMule\emule.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\System32\igfxtray.exe" [2005-07-19 18:09 94208]
"igfxhkcmd"="C:\WINDOWS\System32\hkcmd.exe" [2005-07-19 18:06 77824]
"igfxpers"="C:\WINDOWS\System32\igfxpers.exe" [2005-07-19 18:10 114688]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 12:48 761947]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 11:19 819200]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 11:17 970752]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-02-20 22:59:47 125624]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\\Network Diagnostic\\xpnetdiag.exe:@xpsp3res.dll,-20000
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

R3 tifm;tifm;C:\WINDOWS\system32\drivers\tifm.sys [2006-07-21 12:42]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-18 14:12:15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-14 04:30:50 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-23 13:30:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-02-23 13:31:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-23 18:31:32
ComboFix2.txt 2008-02-23 14:50:41
.
2008-02-13 08:03:41 --- E O F ---


HIJACKTHIS LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:32:16 PM, on 2/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1196836493562
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{32DCA582-5C86-4721-B04A-26C5BA2B3C4E}: NameServer = 10.1.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{32DCA582-5C86-4721-B04A-26C5BA2B3C4E}: NameServer = 10.1.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{32DCA582-5C86-4721-B04A-26C5BA2B3C4E}: NameServer = 10.1.1.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{32DCA582-5C86-4721-B04A-26C5BA2B3C4E}: NameServer = 10.1.1.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 5598 bytes

#8
kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
You are welcome. :)
======================

I do not see the antivirus that I asked you to install in my first post.
Please re-read the first post and install AVG Free.

After that, please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#9
tenny10 (New Member, Topic Starter, 7 posts)
Here you go. Sorry about not installing AVG. I completely missed that part in the beginning. I have AVG installed now. Below is the MBAM Log. Thanks



Malwarebytes' Anti-Malware 1.05
Database version: 396

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 60551
Time elapsed: 30 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 48

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\arbfikac.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\qrwkjyd.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\qsdjpwpb.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\windows.vir (Trojan.Zapchast) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\winivstr.exe.vir (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP100\A0018488.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP100\A0018489.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP100\A0018494.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP100\A0018495.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP100\A0018503.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP100\A0018504.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP100\A0018515.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP100\A0018516.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP100\A0018525.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP100\A0018526.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP100\A0018531.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP100\A0018532.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP101\A0018556.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP101\A0018557.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP101\A0019556.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP101\A0019557.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP101\A0020556.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP101\A0020557.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP101\A0021556.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP101\A0021557.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP102\A0021578.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP102\A0021579.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP102\A0021585.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP102\A0021586.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP102\A0021598.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP102\A0021599.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP102\A0021608.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP102\A0021609.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP102\A0021621.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP102\A0021622.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP103\A0021636.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP103\A0021637.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP103\A0021643.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP103\A0021644.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP103\A0021657.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP103\A0021658.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP103\A0022657.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP103\A0022658.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP104\A0023742.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP104\A0023743.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP110\A0026078.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP99\A0017488.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Desktop\Help and Support Center.lnk (Rogue.Link) -> Quarantined and deleted successfully.

#10
kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with Internet Explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#11
tenny10 (New Member, Topic Starter, 7 posts)
Here is the online log. Thanks

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, February 23, 2008 3:51:14 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/02/2008
Kaspersky Anti-Virus database records: 577001
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 39483
Number of viruses found: 8
Number of infected objects: 31
Number of suspicious objects: 0
Duration of the scan process: 00:52:37

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Admin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\History\History.IE5\MSHist012008022320080224\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Admin\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Admin\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\eexvacxa.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\envffdau.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gxajrenp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\homwfqww.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jrjeksfq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ixf skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jrnggecm.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kckmtydr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kpoudgxa.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\oxgiawhc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qnehgqxc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qopqjtnl.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\slkaxrtm.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tnppvnfb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vackxgrj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vvihsltf.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ixf skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xtrbmbqe.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-23_ 94918.56.zip/jkkihec.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-23_ 94918.56.zip/qnehgqxc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-23_ 94918.56.zip/tuvst.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.imh skipped
C:\QooBox\Quarantine\catchme2008-02-23_ 94918.56.zip ZIP: infected - 3 skipped
C:\SDFix\backups\backups.zip/backups/users32.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped
C:\SDFix\backups\backups.zip/backups/wpohl.exe Infected: Trojan.Win32.Inject.wc skipped
C:\SDFix\backups\backups.zip ZIP: infected - 2 skipped
C:\SDFix\backups\catchme.zip/beep.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.af skipped
C:\SDFix\backups\catchme.zip/beep.sys.1 Infected: not-a-virus:FraudTool.Win32.UltimateDefender.af skipped
C:\SDFix\backups\catchme.zip/jkghje.dll Infected: Trojan.Win32.Agent.fgw skipped
C:\SDFix\backups\catchme.zip ZIP: infected - 3 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP100\A0017502.exe Object is locked skipped
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP101\A0020570.exe Object is locked skipped
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP101\A0021558.dll Object is locked skipped
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP104\A0023752.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP104\A0023752.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP104\A0023752.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP104\A0023759.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP109\A0025981.dll Object is locked skipped
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP109\A0025982.dll Object is locked skipped
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP109\A0025983.dll Object is locked skipped
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP109\A0025984.dll Object is locked skipped
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP109\A0025985.dll Object is locked skipped
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP109\A0025986.dll Object is locked skipped
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP109\A0025987.dll Object is locked skipped
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP109\A0025988.dll Object is locked skipped
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP109\A0025989.dll Object is locked skipped
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP109\A0025990.dll Object is locked skipped
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP109\A0026001.dll Object is locked skipped
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP109\A0026002.dll Object is locked skipped
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP109\A0026003.dll Object is locked skipped
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP109\A0026007.dll Object is locked skipped
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP110\A0026079.exe Object is locked skipped
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP110\A0026080.exe Object is locked skipped
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP110\A0026083.exe Object is locked skipped
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP112\change.log Object is locked skipped
C:\System Volume Information\_restore{9BE361E6-EEB4-407F-8330-D7D9B0A20DD8}\RP99\A0017489.sys Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
  • 0
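Every hit left in the scan report above sits inside the ComboFix (QooBox) and SDFix quarantine folders or in System Restore points, with the rest being locked system files the scanner could not open at all. As an added example that is not part of the thread, here is a small Python parser for that report format which sorts lines into live-file detections, quarantined copies, restore-point copies and locked objects; the sample lines are constructed from paths in this log, and the quarantine prefixes and the `{RESTORE-GUID}` placeholder are assumptions.

```python
import re
# Constructed sample lines in the report format shown in the thread (paths
# shortened, {RESTORE-GUID} stands in for the real restore-point GUID).
SAMPLE_LOG = r"""
C:\QooBox\Quarantine\C\WINDOWS\system32\vackxgrj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-23_ 94918.56.zip/tuvst.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.imh skipped
C:\QooBox\Quarantine\catchme2008-02-23_ 94918.56.zip ZIP: infected - 3 skipped
C:\SDFix\backups\backups.zip/backups/wpohl.exe Infected: Trojan.Win32.Inject.wc skipped
C:\System Volume Information\_restore{RESTORE-GUID}\RP104\A0023759.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

# One report line is "<path> <status> skipped"; the path may contain spaces.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<threat>\S+)"
    r"|(?P<container>\w+): infected - \d+|Object is locked) skipped$")

# Quarantine/backup folders of the removal tools used in this thread (assumed
# prefixes); hits there are leftovers awaiting cleanup, not active infections.
QUARANTINE_PREFIXES = (r"c:\qoobox\quarantine", r"c:\sdfix\backups")
RESTORE_MARKER = r"\system volume information\_restore"

def parse_line(line):
    """Return {'path', 'kind', 'threat'} for one report line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m.group("threat"):
        kind = "infected"
    elif m.group("container"):
        kind = "container"  # archive summary; its members are listed separately
    else:
        kind = "locked"  # could not be scanned at all, not a detection
    return {"path": m.group("path"), "kind": kind, "threat": m.group("threat")}

def classify_location(path):
    """live / quarantine / restore_point, by where the file sits on disk."""
    p = path.lower()
    if p.startswith(QUARANTINE_PREFIXES):
        return "quarantine"
    return "restore_point" if RESTORE_MARKER in p else "live"

def summarize(log_text):
    """Group detections by location; count locked objects and archive rows."""
    out = {"live": [], "quarantine": [], "restore_point": [], "locked": 0, "containers": 0}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["kind"] == "infected":
            out[classify_location(rec["path"])].append((rec["path"], rec["threat"]))
        else:
            out["locked" if rec["kind"] == "locked" else "containers"] += 1
    return out
```

An empty `live` list with everything else in quarantine or restore points is what "the log is clean" means in the next post; a non-empty `live` list would mean the removal is not finished.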

#12
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Great it is almost over.

Please delete this folder:
C:\SdFix

Also uninstall Malwarebytes Anti-Malware.


Also I recommend getting rid of these programs:
eMule
LimeWire
Azureus



Having P2P programs such as these raises the possibility of getting infected again.
See here for information on P2P programs.
I will leave it up to you if you want to remove it.
To remove them just simply uninstall them.
=================================
Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

    The above procedure will delete and do the following:

    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Clean System Restore points.

Also delete anything that we used that is left over.
====================================
After that your log is clean. :)

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein ->Here
  • 0

#13
tenny10

tenny10

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Kahdah,

Did exactly what you told me. Thanks for the help. I really appreciate it. You are a genius. My computer seems back to normal and I am very happy. Hope we can stay in touch in case I ever need you again. Thanks.
  • 0

#14
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
If you ever need help again just come to geekstogo.

You are welcome :)


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0

#15
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
