Bagle Worm, cant access Antivirus/hijackthis!plz help [RESOLVED]



#1
verve (Member, 71 posts)
Hello,

I've somehow managed to get my PC infected with the Bagle worm. XoftSpy (practically the only antispyware that will open up, except for PestPatrol) finds Bagle IX and Bagle GI and offers to remove them, but when I restart I get the same thing again. Avast can't be opened and doesn't even load on startup; it says it's not a valid Win32 application. I can't even open HijackThis: when I click the exe it simply freezes.

Also, I noticed desktop.ini in my startup folder and in a few other locations.

The only thing that ran so far is ComboFix, and here is the log for it. I truly hope someone can help me here, as this is the most recommended place I found. I'm a graphic designer under a very tight schedule, so not being able to fix this in the next few days will have horrible consequences for me.


THANKS FOR THE HELP IN ADVANCE!!!

david.


ComboFix 08-03-23.2 - dave 2008-03-23 23:42:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1591 [GMT 0:00]
Running from: C:\Documents and Settings\dave\Local Settings\Temporary Internet Files\Content.IE5\ORUF9Q70\ComboFix[1].exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
-- Other TimeOuts --
Findstr -MIF:/ "\\TTC\.pdb InsertAdvertisement"
GREP -i "C:\\Program Files\\[^\\]*\\[^\\]*$"
VFind -tf -s282624 "C:\Program Files\????????*[0-9].dll"
CF15905.exe /c " VFind.exe -ltf -s-1000000 -d+2007-12-23 "C:\Program Files\*" >progfile.dat"
VFind.exe -ltf -s-1000000 -d+2007-12-23 "C:\Program Files\*"
CF15905.exe /c " dir /a/s/b C:\_desktop.ini C:\desktop_.ini C:\cnsmin* C:\_install.exe >DirRoot"

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\recover.reg
C:\WINDOWS\system32\ban_list.txt
C:\WINDOWS\system32\drivers\down
C:\WINDOWS\system32\drivers\down\100328.exe
C:\WINDOWS\system32\drivers\down\101062.exe
C:\WINDOWS\system32\drivers\down\101312.exe
C:\WINDOWS\system32\drivers\down\101687.exe
C:\WINDOWS\system32\drivers\down\103515.exe
C:\WINDOWS\system32\drivers\down\104421.exe
C:\WINDOWS\system32\drivers\down\106687.exe
C:\WINDOWS\system32\drivers\down\108015.exe
C:\WINDOWS\system32\drivers\down\108421.exe
C:\WINDOWS\system32\drivers\down\108796.exe
C:\WINDOWS\system32\drivers\down\109718.exe
C:\WINDOWS\system32\drivers\down\111781.exe
C:\WINDOWS\system32\drivers\down\112265.exe
C:\WINDOWS\system32\drivers\down\112359.exe
C:\WINDOWS\system32\drivers\down\112656.exe
C:\WINDOWS\system32\drivers\down\112843.exe
C:\WINDOWS\system32\drivers\down\114453.exe
C:\WINDOWS\system32\drivers\down\117375.exe
C:\WINDOWS\system32\drivers\down\117968.exe
C:\WINDOWS\system32\drivers\down\118046.exe
C:\WINDOWS\system32\drivers\down\121296.exe
C:\WINDOWS\system32\drivers\down\124250.exe
C:\WINDOWS\system32\drivers\down\125609.exe
C:\WINDOWS\system32\drivers\down\131531.exe
C:\WINDOWS\system32\drivers\down\132234.exe
C:\WINDOWS\system32\drivers\down\134671.exe
C:\WINDOWS\system32\drivers\down\147187.exe
C:\WINDOWS\system32\drivers\down\147484.exe
C:\WINDOWS\system32\drivers\down\153296.exe
C:\WINDOWS\system32\drivers\down\153765.exe
C:\WINDOWS\system32\drivers\down\157578.exe
C:\WINDOWS\system32\drivers\down\163703.exe
C:\WINDOWS\system32\drivers\down\169375.exe
C:\WINDOWS\system32\drivers\down\176234.exe
C:\WINDOWS\system32\drivers\down\51031.exe
C:\WINDOWS\system32\drivers\down\52265.exe
C:\WINDOWS\system32\drivers\down\52968.exe
C:\WINDOWS\system32\drivers\down\53140.exe
C:\WINDOWS\system32\drivers\down\53796.exe
C:\WINDOWS\system32\drivers\down\54250.exe
C:\WINDOWS\system32\drivers\down\54937.exe
C:\WINDOWS\system32\drivers\down\56250.exe
C:\WINDOWS\system32\drivers\down\56312.exe
C:\WINDOWS\system32\drivers\down\58093.exe
C:\WINDOWS\system32\drivers\down\58328.exe
C:\WINDOWS\system32\drivers\down\58640.exe
C:\WINDOWS\system32\drivers\down\58734.exe
C:\WINDOWS\system32\drivers\down\60406.exe
C:\WINDOWS\system32\drivers\down\60718.exe
C:\WINDOWS\system32\drivers\down\61734.exe
C:\WINDOWS\system32\drivers\down\62875.exe
C:\WINDOWS\system32\drivers\down\63125.exe
C:\WINDOWS\system32\drivers\down\63515.exe
C:\WINDOWS\system32\drivers\down\65515.exe
C:\WINDOWS\system32\drivers\down\66000.exe
C:\WINDOWS\system32\drivers\down\66140.exe
C:\WINDOWS\system32\drivers\down\68531.exe
C:\WINDOWS\system32\drivers\down\69421.exe
C:\WINDOWS\system32\drivers\down\70937.exe
C:\WINDOWS\system32\drivers\down\72687.exe
C:\WINDOWS\system32\drivers\down\75531.exe
C:\WINDOWS\system32\drivers\down\77562.exe
C:\WINDOWS\system32\drivers\down\79093.exe
C:\WINDOWS\system32\drivers\down\79234.exe
C:\WINDOWS\system32\drivers\down\79875.exe
C:\WINDOWS\system32\drivers\down\81734.exe
C:\WINDOWS\system32\drivers\down\82562.exe
C:\WINDOWS\system32\drivers\down\84375.exe
C:\WINDOWS\system32\drivers\down\85859.exe
C:\WINDOWS\system32\drivers\down\87953.exe
C:\WINDOWS\system32\drivers\down\89406.exe
C:\WINDOWS\system32\drivers\down\89781.exe
C:\WINDOWS\system32\drivers\down\90046.exe
C:\WINDOWS\system32\drivers\down\92484.exe
C:\WINDOWS\system32\drivers\down\92984.exe
C:\WINDOWS\system32\drivers\down\93234.exe
C:\WINDOWS\system32\drivers\down\93843.exe
C:\WINDOWS\system32\drivers\down\94109.exe
C:\WINDOWS\system32\drivers\down\95421.exe
C:\WINDOWS\system32\drivers\down\95796.exe
C:\WINDOWS\system32\drivers\down\97703.exe
C:\WINDOWS\system32\drivers\down\99125.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\lsprst7.dll
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\prsgrc.dll
C:\WINDOWS\system32\ssprs.dll
C:\WINDOWS\system32\wintems.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SROSA


((((((((((((((((((((((((( Files Created from 2008-02-23 to 2008-03-23 )))))))))))))))))))))))))))))))
.

2008-03-23 14:45 . 2008-03-23 14:45 <DIR> d-------- C:\Program Files\Vara Software
2008-03-21 16:05 . 2008-03-22 11:34 <DIR> d-------- C:\Program Files\WH GBP Casino
2008-03-21 16:05 . 2007-06-22 17:02 107,520 --a------ C:\WINDOWS\system32\UnCasino5.exe
2008-03-21 16:04 . 2008-03-22 18:26 <DIR> d-------- C:\Program Files\William Hill Poker
2008-03-19 19:10 . 2004-08-04 00:56 16,384 --a------ C:\WINDOWS\system32\ipsink.ax
2008-03-19 19:10 . 2004-08-04 00:56 16,384 --a--c--- C:\WINDOWS\system32\dllcache\ipsink.ax
2008-03-19 19:10 . 2004-08-03 23:10 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2008-03-19 19:10 . 2004-08-03 23:10 15,360 --a--c--- C:\WINDOWS\system32\dllcache\streamip.sys
2008-03-19 19:10 . 2004-08-03 23:10 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2008-03-19 19:10 . 2004-08-03 23:10 11,136 --a--c--- C:\WINDOWS\system32\dllcache\slip.sys
2008-03-19 19:10 . 2004-08-03 23:10 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2008-03-19 19:10 . 2004-08-03 23:10 10,880 --a--c--- C:\WINDOWS\system32\dllcache\ndisip.sys
2008-03-19 19:10 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2008-03-19 19:10 . 2004-08-03 22:58 5,504 --a--c--- C:\WINDOWS\system32\dllcache\mstee.sys
2008-03-19 19:07 . 2004-08-03 23:10 48,128 --a------ C:\WINDOWS\system32\drivers\61883.sys
2008-03-19 19:07 . 2004-08-03 23:10 48,128 --a--c--- C:\WINDOWS\system32\dllcache\61883.sys
2008-03-19 18:56 . 2008-03-19 18:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Vara Software
2008-03-19 18:50 . 2008-03-19 18:50 <DIR> d-------- C:\Documents and Settings\dave\Application Data\Vara Software
2008-03-19 18:29 . 2005-08-13 02:11 61,312 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2008-03-19 18:29 . 2005-08-13 02:11 61,312 --a--c--- C:\WINDOWS\system32\dllcache\ohci1394.sys
2008-03-19 18:29 . 2004-08-03 23:10 53,248 --a------ C:\WINDOWS\system32\drivers\1394bus.sys
2008-03-19 18:29 . 2004-08-03 23:10 53,248 --a--c--- C:\WINDOWS\system32\dllcache\1394bus.sys
2008-03-19 18:29 . 2001-08-17 13:46 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2008-03-19 18:29 . 2001-08-17 13:46 6,400 --a--c--- C:\WINDOWS\system32\dllcache\enum1394.sys
2008-03-16 14:31 . 2001-11-05 09:23 299,923 --a------ C:\WINDOWS\system32\drivers\sonyhcs.sys
2008-03-16 14:31 . 2002-10-15 22:41 102,220 --a------ C:\WINDOWS\system32\drivers\sonypvs1.sys
2008-03-16 14:31 . 2001-07-03 20:33 53,248 --a------ C:\WINDOWS\system32\SONYHCY.DLL
2008-03-16 14:31 . 2001-11-05 09:23 38,739 --a------ C:\WINDOWS\system32\drivers\sonyhcc.sys
2008-03-16 14:31 . 2001-11-05 09:23 6,097 --a------ C:\WINDOWS\system32\drivers\sonyhcb.sys
2008-03-16 14:31 . 2001-07-03 20:39 3,654 --a------ C:\WINDOWS\system32\drivers\Sonyhcp.dll
2008-03-05 18:38 . 2008-03-19 18:50 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-05 18:38 . 2008-03-05 18:38 1,409 --a------ C:\WINDOWS\system32\tmp10298.FOT
2008-03-05 18:38 . 2008-03-05 18:38 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-03 20:05 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-03-03 19:45 . 2008-03-03 23:15 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-03 19:45 . 2008-03-03 23:15 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-03 17:58 . 2008-03-03 17:58 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-03 17:58 . 2008-03-03 17:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-03 15:31 . 2007-08-01 10:03 93,184 --a------ C:\WINDOWS\system32\UnPoker.exe
2008-03-02 17:07 . 2007-11-28 14:03 1,048,576 --a------ C:\WINDOWS\P5B-ASUS-1803.ROM
2008-03-02 17:05 . 2008-03-02 17:07 606,107 --a------ C:\WINDOWS\P5B-ASUS-1803.zip
2008-03-02 16:51 . 2007-11-02 09:29 1,048,576 --a------ C:\WINDOWS\P5B-ASUS-1705.ROM
2008-03-02 16:48 . 2008-03-02 16:51 603,850 --a------ C:\WINDOWS\P5B1705.zip
2008-03-02 16:31 . 2007-01-30 15:40 1,048,576 --a------ C:\WINDOWS\P5B-ASUS-1102.ROM
2008-03-02 16:31 . 2008-03-02 16:31 583,607 --a------ C:\WINDOWS\P5B-1102.zip
2008-03-02 16:16 . 2006-10-26 20:35 1,048,576 -ra------ C:\WINDOWS\P5B-0806.ROM
2008-03-02 16:15 . 2008-03-02 16:16 579,246 --a------ C:\WINDOWS\P5B-0806.zip
2008-03-02 16:01 . 2006-10-02 17:42 1,048,576 --a------ C:\WINDOWS\P5B-0701.ROM
2008-03-02 16:00 . 2008-03-02 16:01 577,571 --a------ C:\WINDOWS\P5B-0701.zip
2008-03-02 15:46 . 2006-09-06 20:32 1,048,576 --a------ C:\WINDOWS\P5B-ASUS-0509.ROM
2008-03-02 15:41 . 2008-03-02 15:46 575,646 --a------ C:\WINDOWS\P5B-0509.zip
2008-03-02 14:11 . 2008-03-02 14:36 <DIR> d-------- C:\Program Files\ASUS
2008-03-02 14:11 . 2006-01-10 08:50 24,576 -ra------ C:\WINDOWS\system32\AsIO.dll
2008-03-02 14:11 . 2005-12-22 02:22 5,685 -ra------ C:\WINDOWS\system32\drivers\AsIO.sys
2008-03-02 14:11 . 2005-07-05 10:43 5,120 --a------ C:\WINDOWS\system32\drivers\AsInsHelp64.sys
2008-03-02 14:11 . 2005-07-05 10:43 3,328 --a------ C:\WINDOWS\system32\drivers\AsInsHelp32.sys
2008-03-02 14:09 . 2008-03-02 14:09 <DIR> dr------- C:\WINDOWS\AsDmiHtm
2008-02-29 21:34 . 2008-02-29 21:34 <DIR> d-------- C:\Program Files\Classic Menu for Office
2008-02-29 21:34 . 2008-03-23 01:32 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-29 16:48 . 2008-02-29 16:48 <DIR> d-------- C:\Documents and Settings\dave\Application Data\GridIron
2008-02-29 16:47 . 2008-02-29 16:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GridIron Software
2008-02-29 15:51 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-02-29 15:49 . 2008-02-29 15:49 <DIR> d-------- C:\Program Files\MSBuild
2008-02-29 15:49 . 2008-02-29 15:49 <DIR> d-------- C:\Program Files\Microsoft Works
2008-02-29 15:48 . 2008-02-29 15:48 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-02-29 15:40 . 2008-03-12 03:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-29 15:39 . 2008-02-29 15:39 <DIR> dr-h----- C:\MSOCache
2008-02-29 15:18 . 2008-03-04 00:10 <DIR> d-------- C:\Program Files\PowerISO

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-23 22:16 --------- d-----w C:\Documents and Settings\dave\Application Data\uTorrent
2008-03-23 15:44 --------- d-----w C:\Program Files\XoftSpySE
2008-03-21 23:32 --------- d-----w C:\Program Files\Soulseek
2008-03-20 16:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-13 09:54 --------- d-----w C:\Documents and Settings\dave\Application Data\BSplayer Pro
2008-03-12 00:03 --------- d-----w C:\Documents and Settings\dave\Application Data\Ahead
2008-03-04 00:14 --------- d-----w C:\Program Files\Vtune
2008-03-04 00:14 --------- d-----w C:\Program Files\uTorrent
2008-03-04 00:08 --------- d-----w C:\Program Files\MagicISO
2008-03-04 00:06 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-03-04 00:05 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-03-03 23:58 --------- d-----w C:\Program Files\Bonjour
2008-03-03 23:58 --------- d-----w C:\Program Files\Avant Browser
2008-02-22 14:24 --------- d-----w C:\Program Files\GenArts
2008-02-14 15:42 --------- d-----w C:\Program Files\Disc2Phone
2008-02-14 15:30 --------- d-----w C:\Documents and Settings\dave\Application Data\Teleca
2008-02-14 15:29 --------- d-----w C:\Documents and Settings\dave\Application Data\Sony Ericsson
2008-02-14 15:27 --------- d-----w C:\Program Files\Sony Ericsson
2008-02-14 15:27 --------- d-----w C:\Program Files\Common Files\Sony Ericsson Shared
2008-02-14 15:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Teleca
2008-02-14 15:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-02-12 23:56 --------- d-----w C:\Program Files\Vertus Fluid Mask 3
2008-02-12 23:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\VertusTech
2008-01-31 19:25 --------- d-----w C:\Program Files\DivX
2008-01-31 13:57 --------- d-----w C:\Program Files\THQ
2008-01-31 13:37 --------- d-----w C:\Program Files\Ulead Systems
2008-01-24 00:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-01-23 23:58 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2008-01-23 23:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-01-23 23:23 --------- d-----w C:\Documents and Settings\dave\Application Data\InterVideo
2008-01-23 23:20 --------- d-----w C:\Program Files\InterVideo Information Service
2008-01-23 23:20 --------- d-----w C:\Program Files\Common Files\Ulead
2008-01-23 23:20 --------- d-----w C:\Program Files\Common Files\InterVideo
2008-01-23 23:19 --------- d-----w C:\Program Files\InterVideo
2008-01-23 22:50 --------- d-----w C:\Documents and Settings\dave\Application Data\Ulead Systems
2008-01-23 22:46 --------- d-----w C:\Documents and Settings\dave\Application Data\DivX
2008-01-23 22:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\InterVideo
2008-01-17 00:49 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-15 15:40 3,727,360 ----a-w C:\WINDOWS\system32\sapphire_ae.dll
2008-01-09 11:18 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-01-09 11:18 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-01-09 11:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-01-09 11:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-01-09 11:16 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-01-09 11:16 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-01-09 11:16 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-01-09 11:16 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-01-09 11:16 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-01-09 11:16 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2006-06-23 06:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
2007-10-15 11:52 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
2007-10-15 11:52 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2007-10-15 11:52 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007101520071016\index.dat
2007-10-15 11:52 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-04-10 08:19 729088]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-06-02 08:45 385024]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 10:07 843776]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 17:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 17:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 09:51 57344]
"P17Helper"="P17.dll" [2005-05-03 11:38 64512 C:\WINDOWS\system32\P17.dll]
"CreativeTaskScheduler"="C:\Program Files\Creative\Shared Files\CTSched.exe" [2006-01-09 02:43 53340]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 15:40 1884160]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-04 19:25 180269]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-23 23:44 79224]
"CaISSDT"="C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe" [2006-04-21 14:42 165416]
"atwtusb"="atwtusb.exe" [2005-09-21 18:08 290816 C:\WINDOWS\system32\ATWTUSB.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-06-02 13:22 28160 C:\WINDOWS\KHALMNPR.Exe]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00 90112]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 17:34 213936]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 17:14 81920]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"AsusServiceProvider"="C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe" [2006-06-30 14:57 582144]
"Ai Nap"="C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [2006-07-10 15:49 1093632]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 21:34 155648]
"eTrustPPAP"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe" [2008-01-02 21:14 258048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-01-11 16:55:20 450560]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Program Files\\Avant Browser\\avant.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\Sorenson Media\\Sorenson Squeeze\\Squeeze.exe"=
"C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"C:\\Program Files\\Adobe\\Adobe After Effects CS3\\Support Files\\AfterFX.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\William Hill Poker\\UA.exe"=
"C:\\Program Files\\Vara Software\\Wirecast\\Wirecast.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

S1 aiptektp;HyperPen;C:\WINDOWS\system32\DRIVERS\aiptektp.sys [2004-07-07 16:02]
S1 srosa;Megadrv3;C:\WINDOWS\system32\drivers\srosa.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59c4e1c2-9ae8-11dc-bd15-00173183073c}]
\Shell\AutoRun\command - F:\oufddh.exe
\Shell\explore\Command - F:\oufddh.exe
\Shell\open\Command - F:\oufddh.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{608ef21c-7b6c-11dc-bce5-00173183073c}]
\Shell\Auto\command - F:\activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - F:\activexdebugger32.exe f
\Shell\open\Command - F:\activexdebugger32.exe f

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{61ab118e-9f6d-11dc-bd19-00173183073c}]
\Shell\auto\command - F:\Knight.exe open
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
\Shell\explore\command - F:\Knight.exe open
\Shell\find\command - F:\Knight.exe open
\Shell\install\command - F:\Knight.exe open
\Shell\open\command - F:\Knight.exe open

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a02e8e40-83de-11dc-bcf7-00173183073c}]
\Shell\Auto\command - activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - activexdebugger32.exe f
\Shell\find\command - Knight.exe open
\Shell\install\command - Knight.exe open
\Shell\open\Command - activexdebugger32.exe f

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a02e8e43-83de-11dc-bcf7-00173183073c}]
\Shell\Auto\command - G:\activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - G:\activexdebugger32.exe f
\Shell\open\Command - G:\activexdebugger32.exe f

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a123f9d6-8ba6-11dc-bd08-00173183073c}]
\Shell\Auto\command - F:\activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - F:\activexdebugger32.exe f
\Shell\open\Command - F:\activexdebugger32.exe f

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a123f9d9-8ba6-11dc-bd08-00173183073c}]
\Shell\Auto\command - F:\activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - F:\activexdebugger32.exe f
\Shell\open\Command - F:\activexdebugger32.exe f

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b4582c0c-8e2b-11dc-bd0c-00173183073c}]
\Shell\Auto\command - F:\activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - F:\activexdebugger32.exe f
\Shell\open\Command - F:\activexdebugger32.exe f

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fdec1a0f-818f-11dc-bcf3-00173183073c}]
\Shell\Auto\command - activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - activexdebugger32.exe f
\Shell\find\command - Knight.exe open
\Shell\install\command - Knight.exe open
\Shell\open\Command - activexdebugger32.exe f

.
Contents of the 'Scheduled Tasks' folder
"2008-03-23 23:47:14 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-01-07 16:23:56 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-23 23:47:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2008-03-23 23:54:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-23 23:54:42
.
2008-03-12 03:03:09 --- E O F ---
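The ComboFix log above carries three indicator classes worth pulling out mechanically rather than by eye: MountPoints2 keys whose shell verbs run an executable from a removable drive (the F:\oufddh.exe, activexdebugger32.exe and Knight.exe entries), a registered driver whose image ComboFix could not stat (S1 srosa ... []), and the bulk of numeric-named executables under drivers\down. The Python below is an added example, not part of the thread, of ComboFix, or of any tool the replies name: it parses a trimmed, constructed copy of those log lines and reports each class. The component names it matches (srosa.sys, hldrrr.exe, wintems.exe, mdelk.exe) are the files ComboFix deleted in the posted log and are the well-known components of the Bagle rootkit family; the function and constant names are my own.

```python
"""Triage a ComboFix log for the indicator classes seen in this thread."""
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of lines from the log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\down\100328.exe
C:\WINDOWS\system32\drivers\down\101062.exe
C:\WINDOWS\system32\drivers\down\51031.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\wintems.exe

S1 aiptektp;HyperPen;C:\WINDOWS\system32\DRIVERS\aiptektp.sys [2004-07-07 16:02]
S1 srosa;Megadrv3;C:\WINDOWS\system32\drivers\srosa.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59c4e1c2-9ae8-11dc-bd15-00173183073c}]
\Shell\AutoRun\command - F:\oufddh.exe
\Shell\explore\Command - F:\oufddh.exe
\Shell\open\Command - F:\oufddh.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a02e8e40-83de-11dc-bcf7-00173183073c}]
\Shell\Auto\command - activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\find\command - Knight.exe open
\Shell\open\Command - activexdebugger32.exe f
"""

# Files ComboFix removed in the posted log: the Bagle rootkit components
# (srosa.sys is its kernel driver, the .exe files are its user-mode parts).
BAGLE_NAMES = {"srosa.sys", "hldrrr.exe", "wintems.exe", "mdelk.exe"}

MOUNTPOINT_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
SHELL_CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.I)
# ComboFix service line: "S1 name;display;image [date time size]"; the
# bracket is empty when it could not read the image file.
SERVICE_RE = re.compile(r"^S\d+\s+([^;]+);([^;]*);(.*?)\s+\[(.*)\]\s*$")
DROPPER_RE = re.compile(r"\\drivers\\down\\\d+\.exe$", re.I)


def _lines(log):
    return [line.strip() for line in log.splitlines()]


def mountpoint_autoruns(log):
    """Map each MountPoints2 GUID to the shell verbs it hijacks.

    These keys are Explorer's cache of a drive's autorun.inf, so a USB worm
    shows up as verbs pointing at an executable on the stick, not on C:.
    """
    found, current = defaultdict(dict), None
    for line in _lines(log):
        m = MOUNTPOINT_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        m = SHELL_CMD_RE.match(line)
        if m and current:
            found[current][m.group(1).lower()] = m.group(2).strip()
    return dict(found)


def services_without_file(log):
    """Service names whose image ComboFix could not stat (empty [])."""
    return [m.group(1) for m in map(SERVICE_RE.match, _lines(log))
            if m and not m.group(4).strip()]


def dropper_files(log):
    """Numeric-named executables under drivers\\down (the download cache)."""
    return [line for line in _lines(log) if DROPPER_RE.search(line)]


def bagle_named_files(log):
    """Full paths whose basename is one of the Bagle component names."""
    return [line for line in _lines(log)
            if re.match(r"^[A-Z]:\\", line)
            and line.rsplit("\\", 1)[-1].lower() in BAGLE_NAMES]


def triage(log):
    """Collect every indicator class into one report dict."""
    return {
        "autoruns": mountpoint_autoruns(log),
        "services_missing_file": services_without_file(log),
        "droppers": dropper_files(log),
        "bagle_files": bagle_named_files(log),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for guid, verbs in report["autoruns"].items():
        print(guid, verbs.get("autorun"))
    print("services without file:", report["services_missing_file"])
    print("dropper files:", len(report["droppers"]))
    print("bagle files:", report["bagle_files"])
```

To use it on a real ComboFix.txt, pass the file contents to triage(). A MountPoints2 hit only says a drive carrying that autorun.inf was plugged in at some point; the key is a cache, so the stick itself still has to be cleaned (or the key deleted) or the next insertion re-runs the same command.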


#2
RatHat (Ex Malware Expert, 7,829 posts)
Hi there,

Welcome to GeeksToGo. My name is RatHat, and I will help you get through the process of cleaning the malware from your computer.


OK, firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I want you to do everything very carefully. I also need you to follow my instructions in the order they are given. If, however, you cannot carry out one of them, please continue with the next and let me know what you were unsuccessful with. Please ensure you turn off word wrap in Notepad. To do this, open Notepad, choose Format, then uncheck Word Wrap. (Word Wrap makes reading your log difficult.)


Now, it was a mistake for you to run ComboFix without supervision; you could cause your computer to be damaged by doing this, so please do not run any other fixes unless I tell you to, OK?

We need to get rid of the version of ComboFix that you had, as you have saved it in your Temporary Internet Files folder. The easiest way to do this is as follows:

Download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use the Firefox browser: click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser: click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

If you have any other versions of ComboFix on your computer, please delete them and run ATF Cleaner again.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Now we need to download a new version of ComboFix and rename it, so follow these instructions very carefully.

Please read this Combofix tutorial before continuing, then follow the instructions below.

Download ComboFix from Here, Here or Here to your Desktop. (If you already have ComboFix, please delete it and download this new version).

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix.

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Save this log to your desktop as Combofix.txt and post it in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad files: main.txt and extra.txt
  • Use Save As to save both Notepad files to your Desktop and post them in your next reply.
Note: A copy of these files can be found in your root drive, usually C:\Deckard\System Scanner\

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So in your next reply, please include the Combofix.txt and also the two DSS logs.

Regards,
RatHat

#3
verve (Topic Starter, Member, 71 posts)
Hello RatHat.

Thank you for the help. I've followed your first step carefully. I ran ComboFix and it restarted my PC. Now all I get is a black screen. It's been like that for at least 15 minutes and I'm scared to restart it in case it disturbs ComboFix somehow and really messes up my PC. All I can see is my mouse pointer... Why is this happening and what should I do next? I'm writing this from a laptop...

#4
verve (Topic Starter, Member, 71 posts)
My PC seems to be royally F'd now. I restarted again and it simply goes back to the black screen... I don't know what to do next...

#5 verve (Member, Topic Starter, 71 posts)
Safe mode did the exact same thing: black screen with mouse pointer. I don't understand why Combofix would cause my PC even more harm than before I tried running it....?

#6 RatHat (Ex Malware Expert, 7,829 posts)
It is likely due to running it before against Bagle. I will check with the developer of Combofix and get back to you.

Regards,
RatHat

#7 verve (Member, Topic Starter, 71 posts)
OK, I hope you can find me a solution. As of now I can't work, and I have lost all my work in progress if my PC doesn't start Windows again.

#8 RatHat (Ex Malware Expert, 7,829 posts)
OK, when you start your computer, allow it to boot to normal Windows.

When you get to the black screen, hit Ctrl, Alt and Delete at the same time to bring up Task Manager.

Click the New Task... button at the bottom right.

Type in explorer.exe and hit OK.

Let me know if you now have your desktop back.

#9 verve (Member, Topic Starter, 71 posts)
Control-Alt-Delete doesn't do anything. Black screen and that's it.

#10 verve (Member, Topic Starter, 71 posts)
Please tell me I don't need to reformat my PC......... :)

#11 verve (Member, Topic Starter, 71 posts)
I've tried to restart the PC again, and instead of a short beep it made a very alarming long beep. I turned it off and started it again, and it didn't recognize my 2nd hard drive in the BIOS!!!! I've now disconnected the 2nd hard drive for fear that it's already been deleted completely by this virus, and after booting with the OS hard drive the same black screen appears. I've tried hooking up a non-wireless keyboard and still nothing happens when I press Ctrl-Alt-Delete.

What is going on here?!?!

#12 RatHat (Ex Malware Expert, 7,829 posts)
OK, I will get back to you shortly with a new fix to restore your desktop. Please don't be too alarmed; there are means of recovering your PC without you losing all your work.

Regards,
RatHat

#13 verve (Member, Topic Starter, 71 posts)
Thank you RatHat. I don't mean to sound stressed, but I'm so clueless about these things, so when my PC doesn't start and it contains months of work in progress for clients, IT'S FREAKOUT TIME... LOL

Hope we can get this sorted today still..?

Thanks again for the help.

#14 RatHat (Ex Malware Expert, 7,829 posts)

"hope we can get this sorted today still..?"

We'll do our best to get this sorted, I am at work at the moment, and in front of a computer, so I will be able to check in often. Just as long as the boss doesn't catch me! :)

OK, we are going to have to use the Windows Recovery Console to restore a backed-up copy of your registry, so it would be best if you could print this out from another computer so you can follow the instructions exactly.

Now I need you to find your original Windows installation CD then follow the directions below:

1. Insert your Windows Install disc to boot from CD.
Note: if you cannot boot from the CD, go into your BIOS and set the computer to boot from CD first.

2. Press any key on the keyboard when prompted.
3. Press R to load the Recovery Console.
4. Enter your password when prompted.
5. You must enter which Windows installation to log onto. Type 1 and press enter.
6. At the C:\Windows prompt, type the following bolded text, and press Enter:

cd ERDNT\Hiv-backup

7. At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

8. The ERUNT backups will begin copying.
9. At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading.

When Windows has loaded up again, post me the contents of the Combofix log located at C:\Combofix.txt

Regards,
RatHat
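An added sanity check, not part of RatHat's instructions: before relying on the ERUNT restore in steps 6 and 7 above, confirm from a working Windows session (or with the disk mounted on another machine) that the Hiv-backup folder actually holds the hive files and the erdnt.con restore script. The folder name comes from the post; the hive file names follow ERUNT's usual layout, and the drive letter is an assumption.

```powershell
# Added example, not from the thread: verify an ERUNT hive backup before restoring it.
# Assumes the Windows folder is reachable as C:\WINDOWS (change $Root if mounted elsewhere).
param([string]$Root = "C:\WINDOWS")

# Hive files Windows keeps in System32\config; ERUNT copies them under the same names.
$hives  = @("SAM", "SECURITY", "SOFTWARE", "SYSTEM", "DEFAULT")
$live   = Join-Path $Root "System32\config"
$backup = Join-Path $Root "ERDNT\Hiv-backup"   # folder named in step 6 of the post

if (-not (Test-Path $backup)) {
    Write-Host "No ERUNT backup folder at $backup; 'batch erdnt.con' would have nothing to restore."
    exit 1
}

# erdnt.con is the script the Recovery Console runs with 'batch' in step 7.
if (-not (Test-Path (Join-Path $backup "ERDNT.CON"))) {
    Write-Host "ERDNT.CON is missing from $backup; step 7 will fail."
}

$problems = 0
foreach ($h in $hives) {
    $b = Get-Item (Join-Path $backup $h) -ErrorAction SilentlyContinue
    $l = Get-Item (Join-Path $live $h)   -ErrorAction SilentlyContinue
    if ($null -eq $b) {
        Write-Host ("{0,-9} MISSING from backup" -f $h)
        $problems++
        continue
    }
    # A backup hive far smaller than the live one suggests it is incomplete or from another install.
    $note = if ($l -and $b.Length -lt ($l.Length / 2)) { "  <-- much smaller than live hive" } else { "" }
    Write-Host ("{0,-9} backup {1,12:N0} bytes  {2:yyyy-MM-dd HH:mm}{3}" -f $h, $b.Length, $b.LastWriteTime, $note)
}

if ($problems -eq 0) {
    Write-Host "All five hives present in $backup; the restore in steps 6-9 can proceed."
} else {
    Write-Host "$problems hive(s) missing; do not rely on this backup without a fuller copy."
}
```

The dates shown tell you which state the registry will roll back to, which matters here because the backup must predate the Combofix run that left the black screen.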

#15 verve (Member, Topic Starter, 71 posts)
Hooray, Windows has started...

There is no Combofix.txt.

I have a C:\combo-fix folder... any idea?