Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Infected. Here's my log [CLOSED]


  • This topic is locked This topic is locked

#16
jbraves17

jbraves17

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
ComboFix 08-03-17.1 - Jim and Les 2008-03-17 18:42:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.179 [GMT -7:00]Running from: C:\Documents and Settings\Jim and Les\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Jim and Les\err.log
C:\Program Files\SoftPortal
C:\Program Files\SoftPortal\Soft\ATGE\ATGE.part001.rar
C:\Program Files\SoftPortal\Soft\ATGE\ATGE.part002.rar
C:\Program Files\SoftPortal\Soft\ATGE\info.txt
C:\Program Files\SoftPortal\Soft\ATHtBt\ATHtBt.part001.rar
C:\Program Files\SoftPortal\Soft\ATHtBt\ATHtBt.part002.rar
C:\Program Files\SoftPortal\Soft\ATHtBt\info.txt
C:\Program Files\SoftPortal\Soft\Auswise\ui.uim
C:\Program Files\SoftPortal\Soft\RTNKa\ui.uim
C:\Program Files\SoftPortal\Soft\XBS\ui.uim
C:\Program Files\SoftPortal\Soft\YellowB\info.txt
C:\Program Files\SoftPortal\Soft\YellowB\YellowB.part01.rar
C:\Program Files\SoftPortal\Soft\YellowB\YellowB.part02.rar
C:\Program Files\SoftPortal\Soft\YellowB\YellowB.part03.rar
C:\Program Files\SoftPortal\Soft\YellowB\YellowB.part04.rar
C:\Program Files\SoftPortal\Soft\YellowB\YellowB.part06.rar
C:\Program Files\SoftPortal\Soft\YellowB\YellowB.part07.rar
C:\Program Files\SoftPortal\Soft\YellowB\YellowB.part08.rar
C:\Program Files\SoftPortal\Soft\YellowB\YellowB.part09.rar
C:\Program Files\SoftPortal\Soft\YellowB\YellowB.part10.rar
C:\Program Files\SoftPortal\Soft\YellowB\YellowB.part11.rar
C:\Program Files\SoftPortal\Soft\YellowB\YellowB.part12.rar
C:\Program Files\SoftPortal\Soft\YellowB\YellowB.part13.rar
C:\WINDOWS\Help\access.hp
C:\WINDOWS\Help\verifier.hp
C:\WINDOWS\System32\advpackc.dll
C:\WINDOWS\system32\appcert
C:\WINDOWS\system32\baaecedadbfcdc.dll
C:\WINDOWS\system32\clbcat.dll
C:\WINDOWS\system32\drivers\trwlfepy.dat
C:\WINDOWS\system32\rtnka.dat
C:\WINDOWS\system32\rtnka.dll
C:\WINDOWS\system32\SoUI.dll

----- BITS: Possible infected sites -----

hxxp://xpsite.org
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EMMIAZFS
-------\Legacy_MICROSOFT_INTERNET_EXPLORER
-------\Legacy_WINDOWS_MANAGEMENT_SERVICE
-------\Legacy_XNIHXKWC
-------\Service_emmiazfs
-------\Service_xnihxkwc
-------\emmiazfs\Parameters


((((((((((((((((((((((((( Files Created from 2008-02-18 to 2008-03-18 )))))))))))))))))))))))))))))))
.

2008-03-16 21:24 . 2008-03-17 05:15 <DIR> d-------- C:\fixwareout
2008-03-16 21:15 . 2008-03-16 21:15 486,449 --a------ C:\Fixwareout.exe
2008-03-16 16:01 . 2008-03-16 16:01 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-16 15:22 . 2008-03-16 15:22 28,672 --a------ C:\tmp.hiv
2008-03-16 15:22 . 2008-03-16 15:22 102 --a------ C:\Pass2.reg
2008-03-16 15:19 . 2008-03-16 15:20 275,025 --a------ C:\Pass2.cmd
2008-03-16 14:48 . 2008-03-16 15:19 2,492 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-16 14:46 . 2008-03-16 15:36 <DIR> d-------- C:\SmitfraudFix
2008-03-16 14:45 . 2008-03-16 14:45 1,305,211 --a------ C:\SmitfraudFix.exe
2008-03-16 14:45 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-16 14:45 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-16 14:45 . 2008-03-14 09:09 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-16 14:45 . 2008-03-15 17:16 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-16 14:45 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-16 14:45 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-16 14:45 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-16 13:07 . 2008-03-16 13:07 <DIR> d-------- C:\Deckard
2008-03-10 10:52 . 2008-03-10 10:52 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2008-03-10 10:52 . 2008-03-10 10:52 741,632 --a------ C:\WINDOWS\system32\ikmlqnun.dat
2008-03-10 10:52 . 2008-03-10 10:52 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2008-03-10 10:52 . 2008-03-10 10:52 42,752 --a------ C:\WINDOWS\system32\eycdbwuq.dat
2008-03-10 10:52 . 2008-03-10 10:52 35,072 --a------ C:\WINDOWS\system32\ynhxpntj.dat
2008-03-10 10:50 . 2008-03-10 10:50 36,608 --a------ C:\WINDOWS\system32\xchwskfb.dat
2008-03-10 10:42 . 2008-03-10 10:42 108,563 --------- C:\WINDOWS\system32\243e38a674668a2ab05932ac045a0ffb.TMP
2008-03-09 14:54 . 2008-03-09 14:54 108,563 --------- C:\WINDOWS\system32\75588ec1ce7b49203a0dbb8f0c3c3034.TMP
2008-03-09 14:24 . 2008-03-09 14:24 108,563 --------- C:\WINDOWS\system32\93acf499499ef41725ca99c8f19d5d66.TMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-17 02:25 1,631,232 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2008-03-09 21:18 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-09 21:01 2,654,208 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-03-09 21:01 1,609,216 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2007-08-18 21:52 1,442,304 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2007-08-17 12:29 1,440,768 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2007-07-09 23:28 2,646,016 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2007-06-28 15:54 2,638,848 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2007-06-23 00:14 1,541,632 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2007-06-20 02:55 2,641,408 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2007-06-20 02:55 1,409,536 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2007-06-13 17:43 17,144 ----a-w C:\Documents and Settings\Jim and Les\Application Data\GDIPFONTCACHEV1.DAT
2007-03-13 17:36 784 ----a-w C:\Documents and Settings\Jim and Les\Application Data\mpauth.dat
2004-03-03 23:21 5,248,688 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2004-01-06 22:15 1,131,008 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2003-12-05 23:31 452,608 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2003-12-05 23:31 1,518,592 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2003-12-05 20:29 585,728 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2003-12-05 20:29 1,518,080 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2003-12-05 12:07 1,486,336 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2003-12-05 04:51 764,928 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2003-12-05 00:43 246,784 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2003-12-05 00:43 1,513,984 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2003-12-04 23:09 344,576 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2003-12-04 19:47 7,769,600 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37FF719A-A736-4FAB-8CBF-7B905277648D}]
C:\DOCUME~1\JIMAND~1\LOCALS~1\Temp\~util32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2004-03-08 18:11 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2004-03-08 18:11 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2004-03-08 18:11 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\B2CSoUI]
@={44619834-2625-3355-7114-2227808DB8A3}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\RTNK.a]
@={D224AC35-D67A-811A-5D3D-D9C74C09A83B}

[HKEY_CLASSES_ROOT\CLSID\{44619834-2625-3355-7114-2227808DB8A3}]
C:\WINDOWS\System32\SoUI.dll

[HKEY_CLASSES_ROOT\CLSID\{D224AC35-D67A-811A-5D3D-D9C74C09A83B}]
C:\WINDOWS\System32\\rtnka.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2003-04-14 20:05 1498032]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-03-12 22:16 171448]
"MSI Configuration"="msiconf.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-09 14:17 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 18:23 67584 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23 75520]
"iRiver Updater"="\Updater.exe" [2004-07-01 14:20 212992]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 16:28 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 07:38 241664]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 08:14 270648]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-06-01 16:22 7618560]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25 6731312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 00:48:20 40048]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe [2003-09-16 04:19:24 237568]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 04:10:26 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{020487CC-FC04-4B1E-863F-D9801796230B}"= C:\DOCUME~1\JIMAND~1\LOCALS~1\Temp\wndutl32.dll [ ]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-03-09 14:17 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001


.
Contents of the 'Scheduled Tasks' folder
"2007-10-02 20:01:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-17 18:50:01
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Updater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
.
**************************************************************************
.
Completion time: 2008-03-17 18:54:41 - machine was rebooted [Jim and Les]
ComboFix-quarantined-files.txt 2008-03-18 01:54:36



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:03 PM, on 3/17/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Updater.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DirectPluginX Class - {37FF719A-A736-4FAB-8CBF-7B905277648D} - C:\DOCUME~1\JIMAND~1\LOCALS~1\Temp\~util32.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.h...llMgr_v01_5.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1187710023227
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1187709996290
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlonte...2ie06041001.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Windows Installer Class - {020487CC-FC04-4B1E-863F-D9801796230B} - C:\DOCUME~1\JIMAND~1\LOCALS~1\Temp\wndutl32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7275 bytes
  • 0

Advertisements


#17
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
with luck, in this post we should be able to clear the other infections i can see - though i estimate there are 4 more posts from me to come after this one before we wrap this up.


====STEP 1====
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlonte...2ie06041001.cab

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


====STEP 2====
1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::C:\WINDOWS\system32\ikmlqnun.datC:\WINDOWS\system32\eycdbwuq.datC:\WINDOWS\system32\ynhxpntj.datC:\WINDOWS\system32\xchwskfb.datC:\WINDOWS\system32\243e38a674668a2ab05932ac045a0ffb.TMPC:\WINDOWS\system32\75588ec1ce7b49203a0dbb8f0c3c3034.TMPC:\WINDOWS\system32\93acf499499ef41725ca99c8f19d5d66.TMPC:\DOCUME~1\JIMAND~1\LOCALS~1\Temp\~util32.dllC:\DOCUME~1\JIMAND~1\LOCALS~1\Temp\wndutl32.dllRegistry::[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"MSI Configuration"=-[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]"{020487CC-FC04-4B1E-863F-D9801796230B}"=-[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]"SecurityProviders"=-[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]"SecurityProviders"=" msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37FF719A-A736-4FAB-8CBF-7B905277648D}][-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\B2CSoUI][-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\RTNK.a][-HKEY_CLASSES_ROOT\CLSID\{44619834-2625-3355-7114-2227808DB8A3}][-HKEY_CLASSES_ROOT\CLSID\{D224AC35-D67A-811A-5D3D-D9C74C09A83B}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

andrewuk

Edited by andrewuk, 18 March 2008 - 04:23 PM.

  • 0

#18
jbraves17

jbraves17

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
ComboFix 08-03-17.1 - Jim and Les 2008-03-18 20:27:10.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.209 [GMT -7:00]
Running from: C:\Documents and Settings\Jim and Les\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jim and Les\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
File::C:\WINDOWS\system32\ikmlqnun.datC:\WINDOWS\system32\eycdbwuq.datC:\WINDOWS\system32\ynhxpntj.datC:\WINDOWS\system32\xchwskfb.datC:\WINDOWS\system32\243e38a674668a2ab05932ac045a0ffb.TMPC:\WINDOWS\system32\75588ec1ce7b49203a0dbb8f0c3c3034.TMPC:\WINDOWS\system32\93acf499499ef41725ca99c8f19d5d66.TMPC:\DOCUME~1\JIMAND~1\LOCALS~1\Temp\~util32.dllC:\DOCUME~1\JIMAND~1\LOCALS~1\Temp\wndutl32.dllRegistry::[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"MSI Configuration"=-[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]"{020487CC-FC04-4B1E-863F-D9801796230B}"=-[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]"SecurityProviders"=-[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]"SecurityProviders"=" msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37FF719A-A736-4FAB-8CBF-7B905277648D}][-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\B2CSoUI][-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\RTNK.a][-HKEY_CLASSES_ROOT\CLSID\{44619834-2625-3355-7114-2227808DB8A3}][-HKEY_CLASSES_ROOT\CLSID\{D224AC35-D67A-811A-5D3D-D9C74C09A83B}]
.

((((((((((((((((((((((((( Files Created from 2008-02-19 to 2008-03-19 )))))))))))))))))))))))))))))))
.

2008-03-16 21:24 . 2008-03-17 05:15 <DIR> d-------- C:\fixwareout
2008-03-16 21:15 . 2008-03-16 21:15 486,449 --a------ C:\Fixwareout.exe
2008-03-16 16:01 . 2008-03-16 16:01 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-16 15:22 . 2008-03-16 15:22 28,672 --a------ C:\tmp.hiv
2008-03-16 15:22 . 2008-03-16 15:22 102 --a------ C:\Pass2.reg
2008-03-16 15:19 . 2008-03-16 15:20 275,025 --a------ C:\Pass2.cmd
2008-03-16 14:48 . 2008-03-16 15:19 2,492 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-16 14:46 . 2008-03-16 15:36 <DIR> d-------- C:\SmitfraudFix
2008-03-16 14:45 . 2008-03-16 14:45 1,305,211 --a------ C:\SmitfraudFix.exe
2008-03-16 14:45 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-16 14:45 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-16 14:45 . 2008-03-14 09:09 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-16 14:45 . 2008-03-15 17:16 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-16 14:45 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-16 14:45 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-16 14:45 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-16 13:07 . 2008-03-16 13:07 <DIR> d-------- C:\Deckard
2008-03-10 10:52 . 2008-03-10 10:52 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2008-03-10 10:52 . 2008-03-10 10:52 741,632 --a------ C:\WINDOWS\system32\ikmlqnun.dat
2008-03-10 10:52 . 2008-03-10 10:52 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2008-03-10 10:52 . 2008-03-10 10:52 42,752 --a------ C:\WINDOWS\system32\eycdbwuq.dat
2008-03-10 10:52 . 2008-03-10 10:52 35,072 --a------ C:\WINDOWS\system32\ynhxpntj.dat
2008-03-10 10:50 . 2008-03-10 10:50 36,608 --a------ C:\WINDOWS\system32\xchwskfb.dat
2008-03-10 10:42 . 2008-03-10 10:42 108,563 --------- C:\WINDOWS\system32\243e38a674668a2ab05932ac045a0ffb.TMP
2008-03-09 14:54 . 2008-03-09 14:54 108,563 --------- C:\WINDOWS\system32\75588ec1ce7b49203a0dbb8f0c3c3034.TMP
2008-03-09 14:24 . 2008-03-09 14:24 108,563 --------- C:\WINDOWS\system32\93acf499499ef41725ca99c8f19d5d66.TMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-17 02:25 1,631,232 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2008-03-09 21:18 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-09 21:01 2,654,208 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-03-09 21:01 1,609,216 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2007-08-18 21:52 1,442,304 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2007-08-17 12:29 1,440,768 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2007-07-09 23:28 2,646,016 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2007-06-28 15:54 2,638,848 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2007-06-23 00:14 1,541,632 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2007-06-20 02:55 2,641,408 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2007-06-20 02:55 1,409,536 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2007-06-13 17:43 17,144 ----a-w C:\Documents and Settings\Jim and Les\Application Data\GDIPFONTCACHEV1.DAT
2007-03-13 17:36 784 ----a-w C:\Documents and Settings\Jim and Les\Application Data\mpauth.dat
2004-03-03 23:21 5,248,688 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2004-01-06 22:15 1,131,008 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2003-12-05 23:31 452,608 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2003-12-05 23:31 1,518,592 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2003-12-05 20:29 585,728 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2003-12-05 20:29 1,518,080 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2003-12-05 12:07 1,486,336 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2003-12-05 04:51 764,928 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2003-12-05 00:43 246,784 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2003-12-05 00:43 1,513,984 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2003-12-04 23:09 344,576 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2003-12-04 19:47 7,769,600 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:32:29 PM, on 3/18/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Updater.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DirectPluginX Class - {37FF719A-A736-4FAB-8CBF-7B905277648D} - C:\DOCUME~1\JIMAND~1\LOCALS~1\Temp\~util32.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.h...llMgr_v01_5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1187710023227
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1187709996290
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Windows Installer Class - {020487CC-FC04-4B1E-863F-D9801796230B} - C:\DOCUME~1\JIMAND~1\LOCALS~1\Temp\wndutl32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6962 bytes
  • 0

#19
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
hmm.....seems there was a formatting issue in my last post....my fault.......so could we try the combofix part again please.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\ikmlqnun.dat
C:\WINDOWS\system32\eycdbwuq.dat
C:\WINDOWS\system32\ynhxpntj.datC:\WINDOWS\system32\xchwskfb.dat
C:\WINDOWS\system32\243e38a674668a2ab05932ac045a0ffb.TMP
C:\WINDOWS\system32\75588ec1ce7b49203a0dbb8f0c3c3034.TMP
C:\WINDOWS\system32\93acf499499ef41725ca99c8f19d5d66.TMP
C:\DOCUME~1\JIMAND~1\LOCALS~1\Temp\~util32.dll
C:\DOCUME~1\JIMAND~1\LOCALS~1\Temp\wndutl32.dll

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSI Configuration"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{020487CC-FC04-4B1E-863F-D9801796230B}"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=" msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37FF719A-A736-4FAB-8CBF-7B905277648D}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\B2CSoUI]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\RTNK.a]
[-HKEY_CLASSES_ROOT\CLSID\{44619834-2625-3355-7114-2227808DB8A3}]
[-HKEY_CLASSES_ROOT\CLSID\{D224AC35-D67A-811A-5D3D-D9C74C09A83B}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

andrewuk

Edited by andrewuk, 19 March 2008 - 01:45 AM.

  • 0

#20
jbraves17

jbraves17

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
ComboFix 08-03-17.1 - Jim and Les 2008-03-19 20:13:47.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.212 [GMT -7:00]
Running from: C:\Documents and Settings\Jim and Les\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jim and Les\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\DOCUME~1\JIMAND~1\LOCALS~1\Temp\~util32.dll
C:\DOCUME~1\JIMAND~1\LOCALS~1\Temp\wndutl32.dll
C:\WINDOWS\system32\243e38a674668a2ab05932ac045a0ffb.TMP
C:\WINDOWS\system32\75588ec1ce7b49203a0dbb8f0c3c3034.TMP
C:\WINDOWS\system32\93acf499499ef41725ca99c8f19d5d66.TMP
C:\WINDOWS\system32\eycdbwuq.dat
C:\WINDOWS\system32\ikmlqnun.dat
C:\WINDOWS\system32\ynhxpntj.datC:\WINDOWS\system32\xchwskfb.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\243e38a674668a2ab05932ac045a0ffb.TMP
C:\WINDOWS\system32\75588ec1ce7b49203a0dbb8f0c3c3034.TMP
C:\WINDOWS\system32\93acf499499ef41725ca99c8f19d5d66.TMP
C:\WINDOWS\system32\eycdbwuq.dat
C:\WINDOWS\system32\ikmlqnun.dat

.
((((((((((((((((((((((((( Files Created from 2008-02-20 to 2008-03-20 )))))))))))))))))))))))))))))))
.

2008-03-16 21:24 . 2008-03-17 05:15 <DIR> d-------- C:\fixwareout
2008-03-16 21:15 . 2008-03-16 21:15 486,449 --a------ C:\Fixwareout.exe
2008-03-16 16:01 . 2008-03-16 16:01 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-16 15:22 . 2008-03-16 15:22 28,672 --a------ C:\tmp.hiv
2008-03-16 15:22 . 2008-03-16 15:22 102 --a------ C:\Pass2.reg
2008-03-16 15:19 . 2008-03-16 15:20 275,025 --a------ C:\Pass2.cmd
2008-03-16 14:48 . 2008-03-16 15:19 2,492 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-16 14:46 . 2008-03-16 15:36 <DIR> d-------- C:\SmitfraudFix
2008-03-16 14:45 . 2008-03-16 14:45 1,305,211 --a------ C:\SmitfraudFix.exe
2008-03-16 14:45 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-16 14:45 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-16 14:45 . 2008-03-14 09:09 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-16 14:45 . 2008-03-15 17:16 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-16 14:45 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-16 14:45 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-16 14:45 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-16 13:07 . 2008-03-16 13:07 <DIR> d-------- C:\Deckard
2008-03-10 10:52 . 2008-03-10 10:52 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2008-03-10 10:52 . 2008-03-10 10:52 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2008-03-10 10:52 . 2008-03-10 10:52 35,072 --a------ C:\WINDOWS\system32\ynhxpntj.dat
2008-03-10 10:50 . 2008-03-10 10:50 36,608 --a------ C:\WINDOWS\system32\xchwskfb.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-20 03:01 6,059,454 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-03-17 02:25 1,631,232 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2008-03-09 21:18 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-09 21:01 2,654,208 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-03-09 21:01 1,609,216 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2007-08-18 21:52 1,442,304 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2007-08-17 12:29 1,440,768 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2007-07-09 23:28 2,646,016 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2007-06-28 15:54 2,638,848 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2007-06-23 00:14 1,541,632 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2007-06-20 02:55 2,641,408 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2007-06-20 02:55 1,409,536 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2007-06-13 17:43 17,144 ----a-w C:\Documents and Settings\Jim and Les\Application Data\GDIPFONTCACHEV1.DAT
2007-03-13 17:36 784 ----a-w C:\Documents and Settings\Jim and Les\Application Data\mpauth.dat
2004-01-06 22:15 1,131,008 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2003-12-05 23:31 452,608 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2003-12-05 23:31 1,518,592 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2003-12-05 20:29 585,728 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2003-12-05 20:29 1,518,080 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2003-12-05 12:07 1,486,336 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2003-12-05 04:51 764,928 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2003-12-05 00:43 246,784 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2003-12-05 00:43 1,513,984 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2003-12-04 23:09 344,576 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2003-12-04 19:47 7,769,600 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
.

((((((((((((((((((((((((((((( [email protected]_18.54.22.71 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-18 01:47:43 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-03-20 03:01:11 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-03-18 01:47:43 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-03-20 03:01:11 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-03-18 01:47:43 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-20 03:01:11 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2004-03-08 18:11 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2004-03-08 18:11 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2004-03-08 18:11 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2003-04-14 20:05 1498032]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-03-12 22:16 171448]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-09 14:17 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 18:23 67584 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23 75520]
"iRiver Updater"="\Updater.exe" [2004-07-01 14:20 212992]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 16:28 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 07:38 241664]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 08:14 270648]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-06-01 16:22 7618560]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25 6731312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 00:48:20 40048]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe [2003-09-16 04:19:24 237568]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 04:10:26 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-03-09 14:17 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001


.
Contents of the 'Scheduled Tasks' folder
"2007-10-02 20:01:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-19 20:16:14
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-19 20:17:00
ComboFix-quarantined-files.txt 2008-03-20 03:16:52
ComboFix2.txt 2008-03-19 03:30:30
ComboFix3.txt 2008-03-19 01:25:07
ComboFix4.txt 2008-03-18 01:54:41



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:41 PM, on 3/19/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Updater.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.h...llMgr_v01_5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1187710023227
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1187709996290
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6584 bytes
  • 0

#21
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
your logs are now looking much better. in this post we will remove some final parts and do a couple of scans to see if there is anything other infections on your machine.

the scans will likely take 2 hours, quite possibly much longer. so just let them run.

====STEP 1====
1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\ynhxpntj.dat
C:\WINDOWS\system32\xchwskfb.dat

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image



====STEP 2====
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


====STEP 3====
i see you already have SUPERantispyware.

Double-click the SUPERantispyware icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


====STEP 4====
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


In your next reply could i see:
1. the SUPERantispyware scan
2. the kaspersky scan log

(i dont need to see the combofix log this time)

andrewuk
  • 0

#22
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
still with us?
  • 0

#23
jbraves17

jbraves17

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/20/2008 at 05:55 PM

Application Version : 4.0.1154

Core Rules Database Version : 3422
Trace Rules Database Version: 1414

Scan type : Complete Scan
Total Scan Time : 00:46:53

Memory items scanned : 492
Memory threats detected : 0
Registry items scanned : 4894
Registry threats detected : 0
File items scanned : 39703
File threats detected : 1

Trojan.Unclassified-Packed/Suspicious
C:\SDFIX\BACKUPS_OLD\CLBCAT.DLL




KASPERSKY ONLINE SCANNER REPORT
Friday, March 21, 2008 3:25:59 AM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/03/2008
Kaspersky Anti-Virus database records: 648510


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 42993
Number of viruses found 10
Number of infected objects 22
Number of suspicious objects 0
Duration of the scan process 01:27:34

Infected Object Name Virus Name Last Action
C:\40.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped

C:\40.tmp NSIS: infected - 1 skipped

C:\41.tmp/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped

C:\41.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.ay skipped

C:\41.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.ay skipped

C:\41.tmp NSIS: infected - 3 skipped

C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\Jim and Les\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-3-20-2008( 18-15-57 ).LOG Object is locked skipped

C:\Documents and Settings\Jim and Les\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Jim and Les\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Jim and Les\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Jim and Les\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Jim and Les\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Jim and Les\Local Settings\History\History.IE5\MSHist012008032020080321\index.dat Object is locked skipped

C:\Documents and Settings\Jim and Les\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Jim and Les\Local Settings\Temporary Internet Files\Content.IE5\KD8HKHYR\wpad[1].htm Object is locked skipped

C:\Documents and Settings\Jim and Les\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Jim and Les\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\ie_updater.exe Object is locked skipped

C:\Program Files\Hp\hpcoretech\hpcmerr.log Object is locked skipped

C:\Program Files\Kodak\Kodak EasyShare software\bin\Catalog\EasyShare.me Object is locked skipped

C:\Program Files\Kodak\Kodak EasyShare software\bin\Catalog\EasyShare.mm Object is locked skipped

C:\QooBox\Quarantine\C\Program Files\SoftPortal\Soft\ATHtBt\ATHtBt.part001.rar.vir/HtBt.dll Infected: not-a-virus:FraudTool.Win32.ExpertAntivirus.c skipped

C:\QooBox\Quarantine\C\Program Files\SoftPortal\Soft\ATHtBt\ATHtBt.part001.rar.vir RAR: infected - 1 skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\243e38a674668a2ab05932ac045a0ffb.TMP.vir Infected: Trojan-Downloader.Win32.Agent.ebr skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\75588ec1ce7b49203a0dbb8f0c3c3034.TMP.vir Infected: Trojan-Downloader.Win32.Agent.ebr skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\93acf499499ef41725ca99c8f19d5d66.TMP.vir Infected: Trojan-Downloader.Win32.Agent.ebr skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\baaecedadbfcdc.dll.vir Infected: Trojan-Downloader.Win32.Agent.ebr skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\trwlfepy.dat.vir Object is locked skipped

C:\QooBox\Quarantine\catchme2008-03-17_184956.51.zip/kdwer.exe Infected: Trojan.Win32.DNSChanger.apn skipped

C:\QooBox\Quarantine\catchme2008-03-17_184956.51.zip/trwlfepy.dat Infected: Trojan.Win32.BHO.bbo skipped

C:\QooBox\Quarantine\catchme2008-03-17_184956.51.zip ZIP: infected - 2 skipped

C:\SDFix\backups_old\winiwod.exe Object is locked skipped

C:\SDFix\backups_old\wintxiq.exe Object is locked skipped

C:\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\SmitfraudFix.exe RarSFX: infected - 2 skipped

C:\syshgtw.exe Object is locked skipped

C:\sysqlmr.exe Object is locked skipped

C:\System Volume Information\_restore{808B7CE7-302F-4061-95F7-669A66E79382}\RP10\change.log Object is locked skipped

C:\System Volume Information\_restore{808B7CE7-302F-4061-95F7-669A66E79382}\RP6\A0001019.dll Object is locked skipped

C:\System Volume Information\_restore{808B7CE7-302F-4061-95F7-669A66E79382}\RP6\A0001021.dll Infected: SpamTool.Win32.Agent.fw skipped

C:\System Volume Information\_restore{808B7CE7-302F-4061-95F7-669A66E79382}\RP6\A0001037.dll Infected: Trojan-Downloader.Win32.Agent.ksk skipped

C:\sysuobt.exe Object is locked skipped

C:\WINDOWS\Debug\oakley.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Internet Logs\DECARO.ldb Object is locked skipped

C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped

C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped

C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped

C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped

C:\WINDOWS\mirra7.exe Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\syss.dll Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped

C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\kdcqd.exe Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\TEMP\ZLT01c19.TMP Object is locked skipped

C:\WINDOWS\TEMP\ZLT01c1c.TMP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Sorry. Went out of town for Easter. Thanks
  • 0

#24
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
the SUPERantispyware scan only picked up an item already safely quarantined. the kaspersky scan found 22 infections, though all but 2 were either in the system restore points (we will clear those later) or were also safely quarantined already.

in this post we will clear those files, do one final scan and see how your machine is running.

====STEP 1====
1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\40.tmp
C:\41.tmp


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


====STEP 2====
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.



In your next reply could i see:
1. the combofix log
2. the malwarebytes log
3. the hijackthis log
4. some idea of how your machine is running now

there will be a lot of information to post in the next reply, therefore you may need to post the information over more than one reply to ensure it is all posted.

andrewuk
  • 0

#25
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

Advertisements







Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP