PSW.Delf.2.AQ Virus [CLOSED]


This topic is locked

#1
wgreene

wgreene

    New Member

  • Member
  • 2 posts
ComboFix 08-02-25.2 - Administrator 2008-02-24 19:42:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.195 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
.

2008-02-24 17:07 . 2008-02-24 19:17 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-02-24 12:47 . 2008-02-24 12:47 <DIR> d-------- C:\kav
2008-02-22 13:05 . 2008-02-22 13:08 <DIR> d-------- C:\Documents and Settings\Administrator\Tracing
2008-02-22 13:04 . 2008-02-22 13:04 <DIR> d-------- C:\Program Files\DIFX
2008-02-22 13:04 . 2007-09-28 23:08 84,992 --a------ C:\WINDOWS\system32\lmdimon8.dll
2008-02-22 13:03 . 2008-02-22 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Applications
2008-02-19 20:51 . 2008-02-19 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-02-19 20:45 . 2008-02-19 20:45 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-13 15:34 . 2006-10-13 05:23 163,584 -----c--- C:\WINDOWS\system32\dllcache\nwrdr.sys
2008-02-13 15:34 . 2006-10-13 07:35 142,336 -----c--- C:\WINDOWS\system32\dllcache\nwprovau.dll
2008-02-13 15:34 . 2006-10-13 07:35 65,536 -----c--- C:\WINDOWS\system32\dllcache\nwwks.dll
2008-02-10 22:24 . 2008-02-10 23:15 349 --a------ C:\WINDOWS\wininit.ini
2008-02-10 21:02 . 2008-02-24 12:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-02-10 20:59 . 2008-02-10 20:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-10 17:05 . 2008-02-10 19:44 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-10 17:05 . 2008-02-10 19:46 6,472 --a------ C:\WINDOWS\unins000.dat
2008-02-10 16:51 . 2008-02-10 20:19 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-10 16:51 . 2008-02-19 20:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-08 00:29 . 2008-02-10 20:36 0 --a------ C:\1.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-25 00:44 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-02-25 00:22 --------- d-----w C:\Program Files\QuickTime
2008-02-25 00:20 --------- d-----w C:\Program Files\Napster
2008-02-25 00:15 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-02-20 01:55 --------- d-----w C:\Program Files\Yahoo!
2008-02-20 01:55 --------- d-----w C:\Program Files\Verizon Wireless
2008-02-20 01:55 --------- d-----w C:\Program Files\Common Files\Scanner
2008-02-20 01:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-20 01:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2008-02-20 01:46 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Move Networks
2008-02-20 01:45 --------- d-----w C:\Program Files\InterActual
2008-02-12 13:44 --------- d-----w C:\Program Files\Nick Jr. Arcade
2008-02-07 15:44 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-16 04:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-11 03:48 720,896 ----a-w C:\WINDOWS\iun6002ev.exe
2007-11-27 13:07 27,952 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.
Files Infected - Win32.Agent.zb
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A75FC807-03FB-437F-AB4F-6F3B30989DF5}]
2002-08-29 17:08 84992 --a------ C:\WINDOWS\system32\atipdlx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 13:44 196608]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-06-08 14:18 23233576]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-19 17:05 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-29 16:21 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"AtiPTA"="atiptaxx.exe" [2002-05-24 16:32 286720 C:\WINDOWS\system32\atiptaxx.exe]
"GWMDMMSG"="GWMDMMSG.exe" [2002-05-06 19:12 65536 C:\WINDOWS\GWMDMMSG.exe]
"GWMDMpi"="C:\WINDOWS\GWMDMpi.exe" [2002-06-12 17:23 27648]
"Multi-function Keyboard"="GWHotKey.exe" [2001-08-28 14:13 98361 C:\WINDOWS\GWHotKey.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2002-03-07 11:10 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2002-03-07 11:10 413696]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-06-19 04:05 684032]
"AirCardEnabler"="C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe" [2003-06-24 20:54 163840]
"Lexmark X6100 Series"="C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-09-23 02:01 57344]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 16:32 221184]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 14:24 458752]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 14:14 217088]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-10 21:00 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-10 21:00 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IETI"="C:\Program Files\Skype\Phone\IEPlugin\unins000.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2006-07-05 17:31:54 450560]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 03:01:04 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 nkaydkyf;nkaydkyf;C:\WINDOWS\system32\drivers\nouwcrti.dat []
S3 AIR555;Sierra Wireless AirCard 555 NIC + Modem (NIC Interface);C:\WINDOWS\system32\DRIVERS\air555.sys [2003-07-29 17:39]
S3 IFCUSB;IFCUSB;C:\WINDOWS\system32\drivers\IFCUSB.SYS [2001-05-23 00:55]
S3 iscFlash;iscFlash;C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys []
S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\pwi_bus.sys [2005-05-04 08:59]
S3 pwi_mdfl;Curitel PC Card Filter;C:\WINDOWS\system32\DRIVERS\pwi_mdfl.sys [2005-05-04 09:00]
S3 pwi_mdm;Curitel PC Card Drivers;C:\WINDOWS\system32\DRIVERS\pwi_mdm.sys [2005-05-04 09:00]
S3 pwi_oflt;Curitel PC Card OHCI Filter;C:\WINDOWS\system32\DRIVERS\pwi_oflt.sys [2005-05-04 09:01]
S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\pwi_serd.sys [2005-05-04 09:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{603ef1e0-4051-11da-a442-00e0b85349eb}]
\Shell\AutoRun\command - E:\Setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-20 02:19:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-24 22:58:52 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-24 19:45:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-24 19:46:54
.
2008-02-24 17:40:40 --- E O F ---



#2
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Hi,

First of all... not sure where you have read the instructions to use Combofix, but the first step required before you run it is to install the Recovery Console.
Read here how to do this with Combofix:

http://www.bleepingc...to-use-combofix

The reason why Recovery Console is recommended is because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged. Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

After you have installed the Recovery Console...

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINDOWS\system32\drivers\nouwcrti.dat
C:\WINDOWS\system32\atipdlx.dll
C:\WINDOWS\wininit.ini
C:\1.bat
Driver::
nkaydkyf
Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IETI"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A75FC807-03FB-437F-AB4F-6F3B30989DF5}]


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

(screenshot not reproduced here)

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
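The items the CFScript above removes (a boot-start driver whose image is a .dat file rather than a .sys, a Browser Helper Object DLL sitting in system32, a RunOnce value with no readable target, and loose files created directly in C:\ and C:\WINDOWS) can all be spotted mechanically in the posted ComboFix log. The following is an added example, not code from this thread or from ComboFix: a Python triage pass over lines copied from the first log, using regexes and severity labels that are my own heuristic choices, to list which entries deserve a reviewer's attention first. It also flags the per-volume AutoRun handler under mountpoints2, which the script above did not touch.

```python
import re
from typing import List, Tuple

# Constructed sample input: entries copied from the first ComboFix log in this
# thread (file-creation lines, registry loading points, driver/service lines).
SAMPLE_LOG = r"""
2008-02-10 22:24 . 2008-02-10 23:15 349 --a------ C:\WINDOWS\wininit.ini
2008-02-10 16:51 . 2008-02-10 20:19 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-08 00:29 . 2008-02-10 20:36 0 --a------ C:\1.bat

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A75FC807-03FB-437F-AB4F-6F3B30989DF5}]
2002-08-29 17:08 84992 --a------ C:\WINDOWS\system32\atipdlx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-06-08 14:18 23233576]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IETI"="C:\Program Files\Skype\Phone\IEPlugin\unins000.exe" [ ]

R0 nkaydkyf;nkaydkyf;C:\WINDOWS\system32\drivers\nouwcrti.dat []
S3 AIR555;Sierra Wireless AirCard 555 NIC + Modem (NIC Interface);C:\WINDOWS\system32\DRIVERS\air555.sys [2003-07-29 17:39]
S3 iscFlash;iscFlash;C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{603ef1e0-4051-11da-a442-00e0b85349eb}]
\Shell\AutoRun\command - E:\Setup.exe
"""

# Line shapes as they appear in the log; these regexes are written for this example.
KEY_RE = re.compile(r"^\[(.+)\]$")
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d (\S+) \S+ (.+)$")
BHO_RE = re.compile(r"^\S+ \S+ \S+ \S+ (.+)$")
RUN_RE = re.compile(r'^"([^"]+)"="(.*)" \[(.*)\]$')
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);[^;]*;(.+?) \[(.*)\]$")

# Extensions worth a look when a file is dropped directly into C:\ or C:\WINDOWS (my choice).
LOOSE_FILE_EXTS = {"bat", "ini", "dat", "exe", "dll", "sys"}

Finding = Tuple[str, str, str]  # (severity, reason, subject)


def _ext(path: str) -> str:
    """Lower-case extension of the last path component, or '' if it has none."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage(log: str) -> List[Finding]:
    """Walk a ComboFix log and return the entries a reviewer should look at first."""
    findings: List[Finding] = []
    current_key = ""  # registry key the following value lines belong to
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = SERVICE_RE.match(line)
        if m:  # driver/service line: start type, name, display name, image path, [file metadata]
            start, name, path, meta = m.groups()
            subject = f"{name} -> {path}"
            if _ext(path) != "sys":
                findings.append(("high", f"driver image is a .{_ext(path)} file, not a .sys", subject))
            elif start == "R0" and not meta.strip():
                findings.append(("high", "boot-start driver with no readable file metadata", subject))
            elif not meta.strip():
                findings.append(("low", "demand-start driver whose file is missing", subject))
            continue
        m = RUN_RE.match(line)
        if m:  # Run/RunOnce value: "[ ]" means ComboFix could not stat the target
            name, target, meta = m.groups()
            if not meta.strip():
                findings.append(("medium", "autostart value whose target file is missing or unreadable",
                                 f"{current_key}\\{name} -> {target}"))
            continue
        if "Browser Helper Objects" in current_key:
            m = BHO_RE.match(line)
            if m:  # every BHO gets listed: it is code loaded into the browser on each start
                findings.append(("review", "browser helper object loaded into Internet Explorer", m.group(1)))
            continue
        if "mountpoints2" in current_key.lower() and line.lower().startswith("\\shell\\autorun\\command"):
            findings.append(("review", "AutoRun command registered for a mounted volume", line.split(" - ", 1)[-1]))
            continue
        m = FILE_RE.match(line)
        if m:  # "Files Created" line: size (or <DIR>), attributes, path
            size, path = m.groups()
            parent = path.rsplit("\\", 1)[0].upper()
            if size != "<DIR>" and parent in ("C:", "C:\\WINDOWS") and _ext(path) in LOOSE_FILE_EXTS:
                findings.append(("medium", "file created directly in the drive root or Windows folder", path))
    return findings


if __name__ == "__main__":
    for severity, reason, subject in triage(SAMPLE_LOG):
        print(f"[{severity:>6}] {reason}: {subject}")
```

Running the block prints eight findings; the Skype and AirCard entries, which carry normal file metadata and .sys/.exe images, produce none. The point is to rank, not to decide: the output is a worklist for the person reading the log, and deletion decisions like the CFScript above still belong to them.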

#3
wgreene

wgreene

    New Member

  • Topic Starter
  • Member
  • 2 posts
ComboFix 08-02-25.3 - Administrator 2008-02-26 0:08:29.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.196 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\1.bat
C:\WINDOWS\system32\atipdlx.dll
C:\WINDOWS\system32\drivers\nouwcrti.dat
C:\WINDOWS\wininit.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\1.bat
C:\WINDOWS\system32\atipdlx.dll
C:\WINDOWS\system32\drivers\nouwcrti.dat
C:\WINDOWS\wininit.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NKAYDKYF
-------\nkaydkyf


((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.

2008-02-25 06:56 . 2006-08-21 04:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-02-25 06:56 . 2006-08-21 04:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-02-25 06:56 . 2006-08-21 07:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-02-24 17:07 . 2008-02-24 19:17 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-02-24 12:47 . 2008-02-24 12:47 <DIR> d-------- C:\kav
2008-02-22 13:05 . 2008-02-22 13:08 <DIR> d-------- C:\Documents and Settings\Administrator\Tracing
2008-02-22 13:04 . 2008-02-22 13:04 <DIR> d-------- C:\Program Files\DIFX
2008-02-22 13:04 . 2007-09-28 23:08 84,992 --a------ C:\WINDOWS\system32\lmdimon8.dll
2008-02-22 13:03 . 2008-02-22 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Applications
2008-02-19 20:51 . 2008-02-19 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-02-19 20:45 . 2008-02-19 20:45 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-14 23:02 . 2007-12-18 04:51 179,584 -----c--- C:\WINDOWS\system32\dllcache\mrxdav.sys
2008-02-13 15:34 . 2006-10-13 05:23 163,584 -----c--- C:\WINDOWS\system32\dllcache\nwrdr.sys
2008-02-13 15:34 . 2006-10-13 07:35 142,336 -----c--- C:\WINDOWS\system32\dllcache\nwprovau.dll
2008-02-13 15:34 . 2006-10-13 07:35 65,536 -----c--- C:\WINDOWS\system32\dllcache\nwwks.dll
2008-02-10 21:02 . 2008-02-25 19:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-02-10 20:59 . 2008-02-10 20:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-10 17:05 . 2008-02-10 19:44 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-10 17:05 . 2008-02-10 19:46 6,472 --a------ C:\WINDOWS\unins000.dat
2008-02-10 16:51 . 2008-02-10 20:19 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-10 16:51 . 2008-02-19 20:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-26 05:15 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-02-25 00:22 --------- d-----w C:\Program Files\QuickTime
2008-02-25 00:20 --------- d-----w C:\Program Files\Napster
2008-02-25 00:15 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-02-20 01:55 --------- d-----w C:\Program Files\Yahoo!
2008-02-20 01:55 --------- d-----w C:\Program Files\Verizon Wireless
2008-02-20 01:55 --------- d-----w C:\Program Files\Common Files\Scanner
2008-02-20 01:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-20 01:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2008-02-20 01:46 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Move Networks
2008-02-20 01:45 --------- d-----w C:\Program Files\InterActual
2008-02-12 13:44 --------- d-----w C:\Program Files\Nick Jr. Arcade
2008-02-07 15:44 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-16 04:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-11 03:48 720,896 ----a-w C:\WINDOWS\iun6002ev.exe
2007-11-27 13:07 27,952 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 13:44 196608]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-06-08 14:18 23233576]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-19 17:05 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-29 16:21 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"AtiPTA"="atiptaxx.exe" [2002-05-24 16:32 286720 C:\WINDOWS\system32\atiptaxx.exe]
"GWMDMMSG"="GWMDMMSG.exe" [2002-05-06 19:12 65536 C:\WINDOWS\GWMDMMSG.exe]
"GWMDMpi"="C:\WINDOWS\GWMDMpi.exe" [2002-06-12 17:23 27648]
"Multi-function Keyboard"="GWHotKey.exe" [2001-08-28 14:13 98361 C:\WINDOWS\GWHotKey.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2002-03-07 11:10 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2002-03-07 11:10 413696]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-06-19 04:05 684032]
"AirCardEnabler"="C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe" [2003-06-24 20:54 163840]
"Lexmark X6100 Series"="C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-09-23 02:01 57344]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 16:32 221184]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 14:24 458752]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 14:14 217088]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-10 21:00 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-10 21:00 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2006-07-05 17:31:54 450560]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 03:01:04 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

S3 AIR555;Sierra Wireless AirCard 555 NIC + Modem (NIC Interface);C:\WINDOWS\system32\DRIVERS\air555.sys [2003-07-29 17:39]
S3 IFCUSB;IFCUSB;C:\WINDOWS\system32\drivers\IFCUSB.SYS [2001-05-23 00:55]
S3 iscFlash;iscFlash;C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys []
S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\pwi_bus.sys [2005-05-04 08:59]
S3 pwi_mdfl;Curitel PC Card Filter;C:\WINDOWS\system32\DRIVERS\pwi_mdfl.sys [2005-05-04 09:00]
S3 pwi_mdm;Curitel PC Card Drivers;C:\WINDOWS\system32\DRIVERS\pwi_mdm.sys [2005-05-04 09:00]
S3 pwi_oflt;Curitel PC Card OHCI Filter;C:\WINDOWS\system32\DRIVERS\pwi_oflt.sys [2005-05-04 09:01]
S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\pwi_serd.sys [2005-05-04 09:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{603ef1e0-4051-11da-a442-00e0b85349eb}]
\Shell\AutoRun\command - E:\Setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-20 02:19:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-24 22:58:52 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 00:15:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-02-26 0:19:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-26 05:19:03
ComboFix2.txt 2008-02-25 06:02:23
ComboFix3.txt 2008-02-25 00:46:55
.
2008-02-25 11:58:27 --- E O F ---

#4
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Hi,

* Go to start > run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Post a new HijackThis log in your next reply.

#5
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
