Geeks to Go
Purity, Outerinfo, virtumonde, vibrant, etc...



#1
everlast

    New Member

  • Member
  • 7 posts
I've run through the steps and a lot of the stuff seems to be gone, but I am still getting pop-up ads and new pages loaded automatically. Some ads come from Vibrant; others "take over" images already on the page and change them, usually to a "system warning, click here to scan" type ad.

Also, I get redirects to the following page:
Edited malware link


Ran AVG Anti-Spyware, Spybot, SUPERAntiSpyware, and Panda online.
All detected various problems; I cleaned using them, and finally Panda online came up with none detected. But as I said, I'm still having some issues, please help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:22:22 PM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\REFN\PDF-X\PDFSaver.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Tracker Software\PDF-XChange Lite 3\pdfSaver\pdfSaver3l.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hub.zipform.net/map/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O1 - Hosts: 4.79.12.82 www.zipformonline.com
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BMafd42567] Rundll32.exe "C:\WINDOWS\system32\daybqlht.dll",s
O4 - HKLM\..\Run: [ace716fb] rundll32.exe "C:\WINDOWS\system32\klyeisir.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Nmzmn] "C:\Documents and Settings\Erouls\My Documents\?ystem32\?poolsv.exe"
O4 - HKCU\..\Run: [Tair] "C:\WINDOWS\CROSOF~1.NET\chkntfs.exe" -vt yazb
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1188417399243
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1189521411221
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = zipform.local
O17 - HKLM\Software\..\Telephony: DomainName = zipform.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = zipform.local
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

--
End of file - 5613 bytes

Edited by kahdah, 28 March 2008 - 10:34 AM.



#2
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello everlast

Welcome to G2Go. :)
=====================
The first thing I will need you to do is to download this anti-virus program and install it, because you have no antivirus running.
This is free.
AVG free

=================================
After that, download ComboFix from one of the locations below and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click ComboFix.exe and follow the prompts. Please never rename ComboFix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#3
everlast

    New Member

  • Topic Starter
  • Member
  • 7 posts
Approximately how long does ComboFix usually run for? The typical time?

#4
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Ten minutes, usually.
If it fails to work, then delete the icon from your desktop and redownload it.
Then try running it again, please.

#5
everlast

    New Member

  • Topic Starter
  • Member
  • 7 posts
Don't know if this matters, but now I get an error message on boot-up:
Rundll
error loading c:\windows\system32\wyadusns.dll

ComboFix log:

ComboFix 08-04-02.1 - erouls 2008-04-03 8:13:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.817 [GMT -4:00]
Running from: C:\Documents and Settings\Erouls\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Erouls\My Documents\YSTEM3~1
C:\Temp\gbRve12
C:\WINDOWS\BMafd42567.xml
C:\WINDOWS\crosof~1.net
C:\WINDOWS\crosof~1.net\??crosoft.NET\
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\daybqlht.dll
C:\WINDOWS\system32\jjkkj.ini2
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pqstv.ini
C:\WINDOWS\system32\pqstv.ini2

----- BITS: Possible infected sites -----

hxxp://lan
.
((((((((((((((((((((((((( Files Created from 2008-03-03 to 2008-04-03 )))))))))))))))))))))))))))))))
.

2008-04-02 15:41 . 2008-04-02 15:41 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-02 15:41 . 2008-04-02 15:45 <DIR> d-------- C:\Documents and Settings\Erouls\Application Data\AVG7
2008-04-02 15:40 . 2008-04-02 15:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-31 11:17 . 2008-03-31 11:17 1,158 --a------ C:\WINDOWS\mozver.dat
2008-03-31 11:11 . 2008-04-02 08:52 1,066 ---hs---- C:\WINDOWS\system32\snsudayw.ini
2008-03-30 11:08 . 2008-03-31 11:09 826 ---hs---- C:\WINDOWS\system32\cemgdkbw.ini
2008-03-29 11:11 . 2008-03-29 11:12 766 ---hs---- C:\WINDOWS\system32\clhtstbm.ini
2008-03-28 12:22 . 2008-03-28 12:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-28 09:32 . 2008-04-02 09:00 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-28 09:31 . 2008-03-28 09:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-28 08:38 . 2008-03-28 08:38 <DIR> d-------- C:\Documents and Settings\Erouls\Application Data\Grisoft
2008-03-28 08:38 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-28 08:37 . 2008-04-02 15:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-27 14:28 . 2008-03-28 08:48 714 ---hs---- C:\WINDOWS\system32\rlftgjom.ini
2008-03-27 14:11 . 2008-04-02 16:33 <DIR> d-------- C:\VundoFix Backups
2008-03-27 13:35 . 2008-03-27 13:35 <DIR> d--h----- C:\WINDOWS\PIF
2008-03-27 13:00 . 2008-03-27 14:25 354 ---hs---- C:\WINDOWS\system32\fctvabiq.ini
2008-03-27 12:04 . 2008-03-27 12:04 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2008-03-27 12:04 . 2008-03-27 12:04 0 --a------ C:\WINDOWS\ORUN32.EXE
2008-03-27 11:50 . 2008-03-27 11:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-27 11:49 . 2008-03-27 11:49 <DIR> d-------- C:\Documents and Settings\Erouls\Application Data\SUPERAntiSpyware.com
2008-03-27 09:48 . 2008-03-28 12:04 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-27 09:48 . 2008-03-28 11:05 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-27 09:48 . 2008-03-28 11:05 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-27 09:48 . 2008-03-28 11:05 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-27 08:08 . 2008-03-27 08:08 294 --ahs---- C:\WINDOWS\system32\qwmkpuwq.ini
2008-03-26 16:11 . 2008-03-27 09:13 533 --a------ C:\WINDOWS\wininit.ini
2008-03-26 15:36 . 2008-03-27 13:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-26 13:46 . 2008-03-26 13:46 <DIR> d-------- C:\Documents and Settings\Erouls\Application Data\Printer Info Cache
2008-03-26 13:46 . 2008-03-26 13:46 <DIR> d-------- C:\Documents and Settings\Erouls\Application Data\Image Zone Express
2008-03-26 13:11 . 2008-04-02 16:33 <DIR> d-------- C:\WINDOWS\system32\aqVreo01
2008-03-26 13:11 . 2008-04-03 08:13 <DIR> d-------- C:\Temp
2008-03-26 13:06 . 2008-03-26 13:06 <DIR> d-------- C:\WINDOWS\Sun
2008-03-24 09:08 . 2008-03-31 10:07 1,117 --a------ C:\WINDOWS\wise.ini
2008-03-24 09:08 . 2008-03-24 09:08 28 --a------ C:\WINDOWS\Wise32.INI
2008-03-20 11:10 . 2008-03-20 11:10 <DIR> d-------- C:\Program Files\MSECache
2008-03-20 09:26 . 2008-03-20 09:26 <DIR> d-------- C:\Documents and Settings\Erouls\Application Data\SmartFTP
2008-03-17 10:21 . 2008-03-17 10:21 <DIR> d-------- C:\Program Files\Edoctus
2008-03-17 09:39 . 2008-03-28 11:12 <DIR> d-------- C:\ChunkerDotNet
2008-03-17 08:50 . 2008-03-17 08:50 <DIR> d-------- C:\Documents and Settings\Erouls\WINDOWS
2008-03-17 08:49 . 2008-03-17 08:49 <DIR> d-------- C:\Program Files\I-32 Forms Solutions
2008-03-17 08:49 . 1996-04-02 18:36 151,552 --a------ C:\WINDOWS\system\HYPERTOP.DLL
2008-03-17 08:49 . 1996-02-23 11:39 81,408 --a------ C:\WINDOWS\system\CNT31.DLL
2008-03-17 08:49 . 2000-03-30 02:19 79,360 --a------ C:\WINDOWS\system\ABYSS16.DLL
2008-03-17 08:49 . 2000-11-06 08:56 33,158 --a------ C:\WINDOWS\system\Jetfonts.fs
2008-03-17 08:49 . 1999-12-07 08:00 27,200 --a------ C:\WINDOWS\system\CTL3DV2.DLL
2008-03-17 08:49 . 2008-04-01 11:13 429 --a------ C:\WINDOWS\I32fd5.fxc
2008-03-17 08:49 . 2003-04-28 13:07 283 --a------ C:\WINDOWS\I32FONTS.INI
2008-03-17 08:49 . 2008-04-01 11:13 37 --a------ C:\WINDOWS\I32fd5.fxp
2008-03-14 10:54 . 2008-03-14 10:54 <DIR> d-------- C:\Documents and Settings\Erouls\Application Data\Microsoft Web Folders
2008-03-14 10:51 . 2008-03-14 10:51 <DIR> d-------- C:\Program Files\Tracker Software
2008-03-14 10:46 . 2008-03-14 10:46 <DIR> d-------- C:\Documents and Settings\Erouls\Application Data\HP
2008-03-14 10:07 . 2008-03-27 11:57 35 --a------ C:\WINDOWS\PRINTUFF.INI
2008-03-14 10:04 . 2008-03-14 10:04 <DIR> d-------- C:\Program Files\UFF5
2008-03-14 09:29 . 2008-03-14 10:50 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-13 17:05 . 2008-03-13 17:05 <DIR> d-------- C:\Documents and Settings\Erouls\Application Data\Jasc Software Inc
2008-03-13 16:47 . 2008-03-13 16:47 <DIR> d-------- C:\Program Files\Ipswitch
2008-03-13 16:47 . 2008-03-13 16:47 <DIR> d-------- C:\Documents and Settings\Erouls\Application Data\Ipswitch
2008-03-13 16:38 . 2008-04-01 14:49 <DIR> d-------- C:\Program Files\ZipForm Desktop
2008-03-13 16:31 . 2008-03-14 09:29 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-03-13 16:08 . 2008-03-13 16:08 <DIR> d-------- C:\New Folder (2)
2008-03-13 15:55 . 2008-03-13 15:55 <DIR> d-------- C:\Documents and Settings\Erouls\Application Data\IDMComp
2008-03-13 15:28 . 2008-03-13 15:28 <DIR> d-------- C:\Documents and Settings\administrator.DOMAIN\Application Data\HP
2008-03-13 15:27 . 2008-03-13 15:27 <DIR> d-------- C:\Program Files\Common Files\HP
2008-03-13 15:26 . 2008-03-13 15:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-03-13 15:26 . 2008-03-13 15:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-03-13 15:25 . 2008-03-13 15:25 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-03-13 15:25 . 2008-03-13 15:25 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-03-13 15:25 . 2007-01-16 01:52 438,272 -ra------ C:\WINDOWS\system32\hp8200co.dll
2008-03-13 15:25 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-13 15:25 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-03-13 15:24 . 2008-03-13 15:27 <DIR> d-------- C:\Program Files\HP
2008-03-13 15:22 . 2008-03-13 15:28 127,762 --a------ C:\WINDOWS\hpgins23.dat
2008-03-13 15:22 . 2007-04-27 06:05 280 --------- C:\WINDOWS\hpgmdl23.dat
2008-03-13 13:52 . 2008-03-13 15:09 <DIR> d-------- C:\HP
2008-03-13 13:49 . 2008-03-13 13:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-03-13 13:48 . 2008-03-13 13:48 <DIR> d-------- C:\Program Files\Common Files\Jasc Software Inc
2008-03-13 13:48 . 2008-03-13 13:48 <DIR> d-------- C:\Documents and Settings\administrator.DOMAIN\Application Data\Jasc Software Inc
2008-03-13 13:47 . 2008-03-13 13:48 <DIR> d-------- C:\Program Files\Jasc Software Inc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-28 15:44 --------- d-----w C:\Program Files\SmartFTP Client
2008-03-28 15:35 --------- d-----w C:\Program Files\Microsoft Virtual PC
2008-03-28 15:27 --------- d-----w C:\Program Files\Google
2008-03-14 14:55 --------- d-----w C:\Program Files\Snapshot Viewer
2008-03-14 14:44 --------- d-----w C:\Program Files\IDM Computer Solutions
2008-03-13 20:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-13 20:46 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-13 20:35 --------- d-----w C:\Program Files\REFN
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{861f78a0-f783-465a-8440-6cf1db73c616}]
C:\WINDOWS\system32\jsoqqafq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"Nmzmn"="C:\Documents and Settings\Erouls\My Documents\?ystem32\?poolsv.exe" [ ]
"Tair"="C:\WINDOWS\CROSOF~1.NET\chkntfs.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 17:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 17:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 17:36 114688]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]
"ace716fb"="C:\WINDOWS\system32\wyadusns.dll" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-02 15:42 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-02 15:41 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-04-02 09:00 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrrrpm]
rqrrrpm.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-04-26 10:04 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 19:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SQLWriter"=3 (0x3)
"SQLSERVERAGENT"=2 (0x2)
"SQLBrowser"=2 (0x2)
"MSSQLSERVER"=2 (0x2)
"msftesql"=2 (0x2)
"IISADMIN"=2 (0x2)
"W3SVC"=2 (0x2)
"SMTPSVC"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []
S4 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 07:00]
S4 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2006-04-14 10:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-03 08:19:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
"ImagePath"="\"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
.
**************************************************************************
.
Completion time: 2008-04-03 8:23:09 - machine was rebooted [erouls]
ComboFix-quarantined-files.txt 2008-04-03 12:23:05
Pre-Run: 21,613,363,200 bytes free
Post-Run: 21,487,583,232 bytes free
.
2008-03-21 07:01:36 --- E O F ---

#6
everlast

    New Member

  • Topic Starter
  • Member
  • 7 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:25, on 2008-04-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hub.zipform.net/map/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: Microsoft Web Test Recorder Helper - {62355041-605D-4469-84FD-5D66ED67A7E3} - C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO.dll
O2 - BHO: {616c37bd-1fc6-0448-a564-387f0a87f168} - {861f78a0-f783-465a-8440-6cf1db73c616} - C:\WINDOWS\system32\jsoqqafq.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ace716fb] rundll32.exe "C:\WINDOWS\system32\wyadusns.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Nmzmn] "C:\Documents and Settings\Erouls\My Documents\?ystem32\?poolsv.exe"
O4 - HKCU\..\Run: [Tair] "C:\WINDOWS\CROSOF~1.NET\chkntfs.exe" -vt yazb
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1188417399243
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1189521411221
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = zipform.local
O17 - HKLM\Software\..\Telephony: DomainName = zipform.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = zipform.local
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: rqrrrpm - rqrrrpm.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

--
End of file - 6584 bytes

#7
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the code box below into the Notepad window:

File::
C:\WINDOWS\system32\snsudayw.ini
C:\WINDOWS\system32\cemgdkbw.ini
C:\WINDOWS\system32\clhtstbm.ini
C:\WINDOWS\system32\rlftgjom.ini
C:\WINDOWS\system32\fctvabiq.ini
C:\WINDOWS\system32\qwmkpuwq.ini
C:\WINDOWS\system32\wyadusns.dll
Folder::
C:\WINDOWS\system32\aqVreo01
C:\VundoFix Backups
Dirlook::
C:\Temp
C:\ChunkerDotNet
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{861f78a0-f783-465a-8440-6cf1db73c616}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nmzmn"=-
"Tair"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ace716fb"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrrrpm]


3. Save the above as CFScript.txt

4. Then drag CFScript.txt onto ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

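As an added, defender-side example that is not part of this thread, the script below encodes the patterns kahdah acted on in the HijackThis and ComboFix logs above (a rundll32 entry loading a random-named system32 DLL through a one-letter export, a BHO whose display name is a bare GUID, a Winlogon Notify DLL referenced by bare name, a Run entry whose path imitates system32\spoolsv.exe with look-alike characters, and hidden+system .ini files dropped into system32) and emits the File:: section of a CFScript like the one in post #7. The sample lines are copied from this thread's logs; the Finding class, the function names and the heuristics themselves are my own and are not ComboFix or HijackThis code.

```python
"""Triage heuristics for HijackThis / ComboFix log lines (added example)."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str  # HijackThis section (O1, O2, O4, O20) or "CF" for ComboFix
    reason: str   # why the line was flagged
    target: str   # file path or value the line points at
    line: str     # the original log line


# Constructed sample: lines copied from the logs posted in this thread, plus
# benign lines (igfxpers, Google Toolbar, SUPERAntiSpyware) as false-positive checks.
HJT_SAMPLE = r"""
O1 - Hosts: 4.79.12.82 www.zipformonline.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: {616c37bd-1fc6-0448-a564-387f0a87f168} - {861f78a0-f783-465a-8440-6cf1db73c616} - C:\WINDOWS\system32\jsoqqafq.dll (file missing)
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BMafd42567] Rundll32.exe "C:\WINDOWS\system32\daybqlht.dll",s
O4 - HKLM\..\Run: [ace716fb] rundll32.exe "C:\WINDOWS\system32\wyadusns.dll",b
O4 - HKCU\..\Run: [Nmzmn] "C:\Documents and Settings\Erouls\My Documents\?ystem32\?poolsv.exe"
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: rqrrrpm - rqrrrpm.dll (file missing)
"""

CF_SAMPLE = r"""
2008-03-31 11:11 . 2008-04-02 08:52 1,066 ---hs---- C:\WINDOWS\system32\snsudayw.ini
2008-03-30 11:08 . 2008-03-31 11:09 826 ---hs---- C:\WINDOWS\system32\cemgdkbw.ini
2008-03-28 08:38 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-27 08:08 . 2008-03-27 08:08 294 --ahs---- C:\WINDOWS\system32\qwmkpuwq.ini
2008-03-26 13:11 . 2008-04-02 16:33 <DIR> d-------- C:\WINDOWS\system32\aqVreo01
"""

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# rundll32 loading a DLL by path and calling a single-letter export: "...dll",s
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*[A-Za-z]\s*$', re.I)
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[^}]+\}) - (.*)$")
O4_RE = re.compile(r"^O4 - (\S+): \[([^\]]*)\] (.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
# ComboFix "Files Created" line: created . modified size attributes path
CF_RE = re.compile(r"^\S+ \S+ \. \S+ \S+ (?:<DIR>|[\d,]+) (\S{9}) (.*)$")


def _lookalike_path(cmd: str) -> bool:
    # '?' is not a legal character in a Windows file name, so a '?' inside a
    # logged path is a non-ASCII character the log could not render, i.e. a
    # homoglyph imitating a system name ("?ystem32\?poolsv.exe").
    return "?" in cmd or any(ord(c) > 127 for c in cmd)


def triage_hjt(text: str) -> list:
    """Flag HijackThis lines matching the patterns seen in this thread."""
    findings = []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.startswith("O1 - Hosts: "):
            findings.append(Finding("O1", "hosts override, confirm it is intended",
                                    line[len("O1 - Hosts: "):], line))
        elif m := O2_RE.match(line):
            name, _clsid, path = m.groups()
            if GUID_RE.match(name):
                findings.append(Finding("O2", "BHO named by a bare GUID", path, line))
        elif m := O4_RE.match(line):
            cmd = m.group(3)
            if r := RUNDLL_RE.search(cmd):
                findings.append(Finding("O4", "rundll32 one-letter export loader", r.group(1), line))
            elif _lookalike_path(cmd):
                findings.append(Finding("O4", "path imitates a system path", cmd.strip('"'), line))
        elif m := O20_RE.match(line):
            path = m.group(2)
            if "(file missing)" in path or "\\" not in path:
                findings.append(Finding("O20", "Winlogon Notify DLL bare or missing", path, line))
    return findings


def triage_combofix(text: str) -> list:
    """Flag hidden+system .ini files dropped into system32."""
    findings = []
    for line in text.splitlines():
        m = CF_RE.match(line.strip())
        if not m:
            continue
        attrs, path = m.groups()
        low = path.lower()
        if "h" in attrs and "s" in attrs and "\\system32\\" in low and low.endswith(".ini"):
            findings.append(Finding("CF", "hidden+system .ini in system32", path, line.strip()))
    return findings


def cfscript(findings: list) -> str:
    """Build the File:: section of a CFScript.txt from flagged DLL/INI paths.
    Entries already missing, bare names and .exe paths are left for manual review."""
    files = []
    for f in findings:
        t = f.target
        if "(file missing)" in t or "\\" not in t:
            continue
        if t.lower().endswith((".dll", ".ini")) and t not in files:
            files.append(t)
    return "File::\n" + "\n".join(files) + "\n"


if __name__ == "__main__":
    found = triage_hjt(HJT_SAMPLE) + triage_combofix(CF_SAMPLE)
    for f in found:
        print(f"{f.section:<4}{f.reason}: {f.target}")
    print(cfscript(found))
```

The Registry:: and Folder:: parts of the script still need a human: the heuristics only point at the lines worth a closer look, and a legitimate driver or vendor tool can still trip them.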

#8
everlast

    New Member

  • Topic Starter
  • Member
  • 7 posts
Just to let you know, ChunkerDotNet is software I use; it's not part of the problem. Not sure if you would need to edit that script or not.

#9
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
OK, yes, just edit that info out please. I couldn't find anything on it, so I was trying to see what was present in the folder.

#10
everlast

    New Member

  • Topic Starter
  • Member
  • 7 posts
ComboFix 08-04-03.5 - erouls 2008-04-04 8:14:13.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.771 [GMT -4:00]
Running from: C:\Documents and Settings\Erouls\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Erouls\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\cemgdkbw.ini
C:\WINDOWS\system32\clhtstbm.ini
C:\WINDOWS\system32\fctvabiq.ini
C:\WINDOWS\system32\qwmkpuwq.ini
C:\WINDOWS\system32\rlftgjom.ini
C:\WINDOWS\system32\snsudayw.ini
C:\WINDOWS\system32\wyadusns.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\ORUN32.EXE
C:\WINDOWS\system32\cemgdkbw.ini
C:\WINDOWS\system32\clhtstbm.ini
C:\WINDOWS\system32\CMMGR32.EXE
C:\WINDOWS\system32\fctvabiq.ini
C:\WINDOWS\system32\qwmkpuwq.ini
C:\WINDOWS\system32\rlftgjom.ini
C:\WINDOWS\system32\snsudayw.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-04 to 2008-04-04 )))))))))))))))))))))))))))))))
.

2008-04-02 15:41 . 2008-04-02 15:41 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-02 15:41 . 2008-04-02 15:45 <DIR> d-------- C:\Documents and Settings\Erouls\Application Data\AVG7
2008-04-02 15:40 . 2008-04-02 15:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-31 11:17 . 2008-03-31 11:17 1,158 --a------ C:\WINDOWS\mozver.dat
2008-03-28 12:22 . 2008-03-28 12:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-28 09:32 . 2008-04-02 09:00 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-28 09:31 . 2008-03-28 09:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-28 08:38 . 2008-03-28 08:38 <DIR> d-------- C:\Documents and Settings\Erouls\Application Data\Grisoft
2008-03-28 08:38 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-28 08:37 . 2008-04-02 15:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-27 13:35 . 2008-03-27 13:35 <DIR> d--h----- C:\WINDOWS\PIF
2008-03-27 11:50 . 2008-03-27 11:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-27 11:49 . 2008-03-27 11:49 <DIR> d-------- C:\Documents and Settings\Erouls\Application Data\SUPERAntiSpyware.com
2008-03-27 09:48 . 2008-03-28 12:04 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-27 09:48 . 2008-03-28 11:05 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-27 09:48 . 2008-03-28 11:05 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-27 09:48 . 2008-03-28 11:05 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-26 16:11 . 2008-03-27 09:13 533 --a------ C:\WINDOWS\wininit.ini
2008-03-26 15:36 . 2008-03-27 13:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-26 13:46 . 2008-03-26 13:46 <DIR> d-------- C:\Documents and Settings\Erouls\Application Data\Printer Info Cache
2008-03-26 13:46 . 2008-03-26 13:46 <DIR> d-------- C:\Documents and Settings\Erouls\Application Data\Image Zone Express
2008-03-26 13:11 . 2008-04-02 16:33 <DIR> d-------- C:\WINDOWS\system32\aqVreo01
2008-03-26 13:11 . 2008-04-03 08:13 <DIR> d-------- C:\Temp
2008-03-26 13:06 . 2008-03-26 13:06 <DIR> d-------- C:\WINDOWS\Sun
2008-03-24 09:08 . 2008-03-31 10:07 1,117 --a------ C:\WINDOWS\wise.ini
2008-03-24 09:08 . 2008-03-24 09:08 28 --a------ C:\WINDOWS\Wise32.INI
2008-03-20 11:10 . 2008-03-20 11:10 <DIR> d-------- C:\Program Files\MSECache
2008-03-20 09:26 . 2008-03-20 09:26 <DIR> d-------- C:\Documents and Settings\Erouls\Application Data\SmartFTP
2008-03-17 10:21 . 2008-03-17 10:21 <DIR> d-------- C:\Program Files\Edoctus
2008-03-17 09:39 . 2008-03-28 11:12 <DIR> d-------- C:\ChunkerDotNet
2008-03-17 08:50 . 2008-03-17 08:50 <DIR> d-------- C:\Documents and Settings\Erouls\WINDOWS
2008-03-17 08:49 . 2008-03-17 08:49 <DIR> d-------- C:\Program Files\I-32 Forms Solutions
2008-03-17 08:49 . 1996-04-02 18:36 151,552 --a------ C:\WINDOWS\system\HYPERTOP.DLL
2008-03-17 08:49 . 1996-02-23 11:39 81,408 --a------ C:\WINDOWS\system\CNT31.DLL
2008-03-17 08:49 . 2000-03-30 02:19 79,360 --a------ C:\WINDOWS\system\ABYSS16.DLL
2008-03-17 08:49 . 2000-11-06 08:56 33,158 --a------ C:\WINDOWS\system\Jetfonts.fs
2008-03-17 08:49 . 1999-12-07 08:00 27,200 --a------ C:\WINDOWS\system\CTL3DV2.DLL
2008-03-17 08:49 . 2008-04-03 09:42 401 --a------ C:\WINDOWS\I32fd5.fxc
2008-03-17 08:49 . 2003-04-28 13:07 283 --a------ C:\WINDOWS\I32FONTS.INI
2008-03-17 08:49 . 2008-04-03 09:42 37 --a------ C:\WINDOWS\I32fd5.fxp
2008-03-14 10:54 . 2008-03-14 10:54 <DIR> d-------- C:\Documents and Settings\Erouls\Application Data\Microsoft Web Folders
2008-03-14 10:51 . 2008-03-14 10:51 <DIR> d-------- C:\Program Files\Tracker Software
2008-03-14 10:46 . 2008-03-14 10:46 <DIR> d-------- C:\Documents and Settings\Erouls\Application Data\HP
2008-03-14 10:07 . 2008-03-27 11:57 35 --a------ C:\WINDOWS\PRINTUFF.INI
2008-03-14 10:04 . 2008-03-14 10:04 <DIR> d-------- C:\Program Files\UFF5
2008-03-14 09:29 . 2008-03-14 10:50 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-13 17:05 . 2008-03-13 17:05 <DIR> d-------- C:\Documents and Settings\Erouls\Application Data\Jasc Software Inc
2008-03-13 16:47 . 2008-03-13 16:47 <DIR> d-------- C:\Program Files\Ipswitch
2008-03-13 16:47 . 2008-03-13 16:47 <DIR> d-------- C:\Documents and Settings\Erouls\Application Data\Ipswitch
2008-03-13 16:38 . 2008-04-03 09:39 <DIR> d-------- C:\Program Files\ZipForm Desktop
2008-03-13 16:31 . 2008-03-14 09:29 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-03-13 16:08 . 2008-03-13 16:08 <DIR> d-------- C:\New Folder (2)
2008-03-13 15:55 . 2008-03-13 15:55 <DIR> d-------- C:\Documents and Settings\Erouls\Application Data\IDMComp
2008-03-13 15:28 . 2008-03-13 15:28 <DIR> d-------- C:\Documents and Settings\administrator.DOMAIN\Application Data\HP
2008-03-13 15:27 . 2008-03-13 15:27 <DIR> d-------- C:\Program Files\Common Files\HP
2008-03-13 15:26 . 2008-03-13 15:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-03-13 15:26 . 2008-03-13 15:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-03-13 15:25 . 2008-03-13 15:25 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-03-13 15:25 . 2008-03-13 15:25 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-03-13 15:25 . 2007-01-16 01:52 438,272 -ra------ C:\WINDOWS\system32\hp8200co.dll
2008-03-13 15:25 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-13 15:25 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-03-13 15:24 . 2008-03-13 15:27 <DIR> d-------- C:\Program Files\HP
2008-03-13 15:22 . 2008-03-13 15:28 127,762 --a------ C:\WINDOWS\hpgins23.dat
2008-03-13 15:22 . 2007-04-27 06:05 280 --------- C:\WINDOWS\hpgmdl23.dat
2008-03-13 13:52 . 2008-03-13 15:09 <DIR> d-------- C:\HP
2008-03-13 13:49 . 2008-03-13 13:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-03-13 13:48 . 2008-03-13 13:48 <DIR> d-------- C:\Program Files\Common Files\Jasc Software Inc
2008-03-13 13:48 . 2008-03-13 13:48 <DIR> d-------- C:\Documents and Settings\administrator.DOMAIN\Application Data\Jasc Software Inc
2008-03-13 13:47 . 2008-03-13 13:48 <DIR> d-------- C:\Program Files\Jasc Software Inc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-28 15:44 --------- d-----w C:\Program Files\SmartFTP Client
2008-03-28 15:35 --------- d-----w C:\Program Files\Microsoft Virtual PC
2008-03-28 15:27 --------- d-----w C:\Program Files\Google
2008-03-14 14:55 --------- d-----w C:\Program Files\Snapshot Viewer
2008-03-14 14:44 --------- d-----w C:\Program Files\IDM Computer Solutions
2008-03-13 20:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-13 20:46 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-13 20:35 --------- d-----w C:\Program Files\REFN
2008-01-11 05:53 44,544 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-01-10 18:44 369,664 ----a-w C:\WINDOWS\system32\dllcache\asp51.dll
2008-01-10 05:20 257,024 ----a-w C:\WINDOWS\system32\dllcache\infocomm.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Temp ----



((((((((((((((((((((((((((((( [email protected]_ 8.22.41.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 12:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2000-08-31 12:00:00 73,728 ----a-w C:\WINDOWS\fdsv.exe
+ 2000-08-31 12:00:00 80,412 ----a-w C:\WINDOWS\grep.exe
+ 2000-08-31 12:00:00 98,816 ----a-w C:\WINDOWS\sed.exe
+ 2000-08-31 12:00:00 161,792 ----a-w C:\WINDOWS\swreg.exe
+ 2000-08-31 12:00:00 136,704 ----a-w C:\WINDOWS\swsc.exe
+ 2000-08-31 12:00:00 212,480 ----a-w C:\WINDOWS\swxcacls.exe
- 2008-04-02 17:18:00 115,624 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-03 12:23:06 115,624 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-02 17:18:00 573,966 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-03 12:23:06 573,966 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2000-08-31 12:00:00 49,152 ----a-w C:\WINDOWS\VFind.exe
+ 2000-08-31 12:00:00 68,096 ----a-w C:\WINDOWS\zip.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 17:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 17:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 17:36 114688]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-02 15:42 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-02 15:41 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-04-02 09:00 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-04-26 10:04 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 19:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SQLWriter"=3 (0x3)
"SQLSERVERAGENT"=2 (0x2)
"SQLBrowser"=2 (0x2)
"MSSQLSERVER"=2 (0x2)
"msftesql"=2 (0x2)
"IISADMIN"=2 (0x2)
"W3SVC"=2 (0x2)
"SMTPSVC"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []
S4 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 07:00]
S4 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2006-04-14 10:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-04 08:16:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql]
"ImagePath"="\"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
.
Completion time: 2008-04-04 8:17:39
ComboFix-quarantined-files.txt 2008-04-04 12:17:23
Pre-Run: 21,485,166,592 bytes free
Post-Run: 21,472,808,960 bytes free
.
2008-03-21 07:01:36 --- E O F ---

#11 everlast (Topic Starter, New Member)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:20, on 2008-04-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\REFN\PDF-X\PDFSaver.EXE
C:\Program Files\Tracker Software\PDF-XChange Lite 3\pdfSaver\pdfSaver3l.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hub.zipform.net/map/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: Microsoft Web Test Recorder Helper - {62355041-605D-4469-84FD-5D66ED67A7E3} - C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1188417399243
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1189521411221
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = zipform.local
O17 - HKLM\Software\..\Telephony: DomainName = zipform.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = zipform.local
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

--
End of file - 6366 bytes

#12 kahdah (GeekU Teacher, Retired Staff)
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
=================================================================
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with Internet Explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan": select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, it will display if your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
