Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Virtumonde? [RESOLVED]

Started by Azrael1415 , Mar 29 2008 11:56 PM

  • This topic is locked This topic is locked

#16
BHowett
Posted 04 April 2008 - 09:33 AM

BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Hi Azrael1415 ,

All most there… but the rundll32 is being pretty stubborn so we will do it the old fashion way.
Using Windows Explorer (to get there right-click your Start button and go to "My Computer", or Hold down the Windows Key + E ), please navigate to
C:\Program Files\Common Files\??stem32 <== this folder will have letters instead of ?? more then likely it will be sy so it will read as system32 ( DO NOT confuse this with your real system32 folder that is located at C:\WINDOWS\system32 ) Remember the one we are looking for is located at C:\Program Files\Common Files\??stem32 open this folder and see if rundll32.exe is present… if so, and it is the only file inside you can delete the entire folder. If there are more files just delete rundll32.exe and report back to me what the other files are.

===============================================


1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\lcntskdn.exe
C:\WINDOWS\mrofinu1188.exe
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ywl]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

Advertisements

#17
Azrael1415
Posted 04 April 2008 - 03:03 PM

Azrael1415

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
I'm not seeing any folder in "C:\Program Files\Common Files" that has "**stem32". All I have that even resembles it is "System". In it is:

[ado]
[msadc]
[Ole DB]
directdb.dll
wab32.dll
wab32res.dll
  • 0

#18
BHowett
Posted 04 April 2008 - 03:21 PM

BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Lets try it again, but first lets show your hidden files.


To enable the viewing of Hidden files follow these steps:
  • From your desktop.
  • Double-click on the My Computer icon (or click Start, then select My Computer)
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and shutdown My Computer.
    Now your computer is configured to show all hidden files.

Edited by BHowett, 04 April 2008 - 03:22 PM.

  • 0

#19
Azrael1415
Posted 04 April 2008 - 11:39 PM

Azrael1415

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Same.
  • 0

#20
BHowett
Posted 04 April 2008 - 11:44 PM

BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
please follow this next step.....


1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\lcntskdn.exe
C:\WINDOWS\mrofinu1188.exe
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ywl]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#21
Azrael1415
Posted 05 April 2008 - 01:20 AM

Azrael1415

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
ComboFix:

ComboFix 08-03-30.3 - Azrael 2008-04-05 1:15:25.3 - NTFSx86

Running from: C:\Documents and Settings\Azrael\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Azrael\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\lcntskdn.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\lcntskdn.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-05 to 2008-04-05 )))))))))))))))))))))))))))))))
.

2008-04-03 23:37 . 2008-04-03 23:37 <DIR> d-------- C:\Program Files\Panda Security
2008-04-03 23:33 . 2008-04-03 23:33 <DIR> d-------- C:\Deckard
2008-04-03 21:00 . 2008-04-03 21:03 <DIR> d-------- C:\Documents and Settings\Crystal\Application Data\AVG7
2008-04-03 19:43 . 2008-04-03 19:43 <DIR> d-------- C:\Documents and Settings\Azrael\Application Data\Malwarebytes
2008-04-03 19:43 . 2008-04-03 19:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-03 19:38 . 2008-04-03 19:41 <DIR> d-------- C:\fixwareout
2008-04-03 18:48 . 2008-04-03 20:11 <DIR> d-------- C:\Documents and Settings\Azrael\Application Data\AVG7
2008-04-03 18:47 . 2008-04-03 18:47 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-03 18:47 . 2008-04-03 18:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-03 18:39 . 2008-04-03 18:39 <DIR> d-------- C:\Program Files\Sygate
2008-04-03 18:39 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-04-03 18:39 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-04-03 18:39 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-04-03 18:39 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-04-03 18:39 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-04-03 18:39 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-04-03 18:39 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-04-02 08:14 . 2008-04-02 08:27 <DIR> d-------- C:\Documents and Settings\Azrael\VASSAL
2008-03-31 01:36 . 2008-03-31 01:36 <DIR> d-------- C:\Documents and Settings\Crystal\Application Data\Lavasoft
2008-03-31 01:18 . 2006-02-28 06:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
2008-03-31 01:16 . 2006-02-28 06:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-03-31 01:15 . 2004-05-12 23:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-03-31 01:12 . 2008-03-31 01:12 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-03-31 01:11 . 2008-03-31 01:11 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-03-31 01:11 . 2008-03-31 01:11 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-03-31 01:11 . 2008-03-31 01:11 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-03-31 01:11 . 2008-03-31 01:11 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-03-31 01:11 . 2008-03-31 01:11 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-03-31 01:10 . 2006-02-28 06:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-03-31 01:09 . 2006-02-28 06:00 214,528 --a--c--- C:\WINDOWS\system32\dllcache\icwconn1.exe
2008-03-31 01:09 . 2006-02-28 06:00 86,016 --a--c--- C:\WINDOWS\system32\dllcache\icwconn2.exe
2008-03-31 01:09 . 2006-02-28 06:00 32,768 --a--c--- C:\WINDOWS\system32\dllcache\icwdl.dll
2008-03-31 01:09 . 2006-02-28 06:00 20,480 --a--c--- C:\WINDOWS\system32\dllcache\inetwiz.exe
2008-03-31 01:06 . 2006-02-28 06:00 7,680 --a--c--- C:\WINDOWS\system32\dllcache\migregdb.exe
2008-03-30 16:19 . 2006-03-20 16:33 73,728 --a------ C:\WINDOWS\system32\ISUSPM.cpl
2008-03-30 13:03 . 2008-03-30 13:03 <DIR> d-------- C:\Program Files\Namco Bandai
2008-03-30 09:56 . 2008-04-02 00:26 <DIR> d--h----- C:\WHM
2008-03-29 23:52 . 2008-03-29 23:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-29 22:08 . 2008-03-29 22:50 164 --a------ C:\install.dat
2008-03-29 21:23 . 2008-04-03 20:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-29 17:04 . 2008-03-29 17:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-29 17:03 . 2008-03-29 16:56 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-29 17:03 . 2008-03-29 17:03 2,544 --a------ C:\WINDOWS\unins000.dat
2008-03-29 16:59 . 2008-03-29 16:59 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-03-29 16:42 . 2008-03-29 16:42 907 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-03-29 16:41 . 2008-03-29 17:48 <DIR> d-------- C:\WINDOWS\system32\xTmp
2008-03-29 16:41 . 2008-03-29 19:09 <DIR> d-------- C:\WINDOWS\system32\winz1
2008-03-29 16:41 . 2008-03-29 16:41 <DIR> d-------- C:\WINDOWS\system32\IDME
2008-03-29 16:41 . 2008-03-29 19:09 <DIR> d-------- C:\WINDOWS\system32\bz3
2008-03-29 16:41 . 2008-03-29 23:17 <DIR> d--hs---- C:\WINDOWS\QnJhbmRvbiBOZXdidXJn
2008-03-29 16:41 . 2008-03-29 16:41 39,883 --a------ C:\WINDOWS\system32\targetedbanner-uninst.exe
2008-03-26 08:13 . 2008-03-26 08:13 <DIR> d-------- C:\Program Files\Flagship Studios
2008-03-25 23:28 . 2008-03-25 23:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-03-25 23:12 . 2008-03-25 23:12 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-03-25 20:40 . 2006-02-28 06:00 359,040 --a------ C:\WINDOWS\system32\drivers\tcpip.sys.ORIGINAL
2008-03-24 08:29 . 2008-03-05 14:56 3,786,760 --a------ C:\WINDOWS\system32\D3DX9_37.dll
2008-03-24 08:29 . 2008-03-05 14:56 1,420,824 --a------ C:\WINDOWS\system32\D3DCompiler_37.dll
2008-03-24 08:29 . 2008-03-05 15:03 479,752 --a------ C:\WINDOWS\system32\XAudio2_0.dll
2008-03-24 08:29 . 2008-02-05 22:07 462,864 --a------ C:\WINDOWS\system32\d3dx10_37.dll
2008-03-24 08:29 . 2008-03-05 15:03 238,088 --a------ C:\WINDOWS\system32\xactengine3_0.dll
2008-03-24 08:29 . 2008-03-05 15:00 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_3.dll
2008-03-23 09:23 . 2008-03-23 09:23 <DIR> d-------- C:\Program Files\PopCap Games
2008-03-23 09:23 . 2008-04-02 18:48 39 --a------ C:\WINDOWS\popcinfot.dat
2008-03-23 09:23 . 2008-03-23 09:23 0 --a------ C:\WINDOWS\popcreg.dat
2008-03-21 22:21 . 2008-03-23 19:52 3,145,784 --a------ C:\WINDOWS\war.bmp
2008-03-13 17:06 . 2008-03-13 17:06 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-03-11 07:18 . 2008-03-11 21:27 <DIR> d-------- C:\Documents and Settings\Azrael\Application Data\.clue-by-4.org
2008-03-07 09:17 . 2008-03-07 09:17 <DIR> d-------- C:\Program Files\NVIDIA Corporation
2008-03-06 20:42 . 2008-03-06 20:42 <DIR> d-------- C:\Program Files\Common Files\Viewpoint
2008-03-06 14:21 . 2008-03-06 23:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-05 21:54 . 2008-03-05 21:54 <DIR> d-------- C:\Program Files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-05 07:06 --------- d-----w C:\Program Files\Trillian
2008-04-04 05:33 --------- d-----w C:\Documents and Settings\Azrael\Application Data\Xfire
2008-04-03 19:59 --------- d-----w C:\Program Files\Xfire
2008-03-30 22:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-29 23:14 --------- d-----w C:\Documents and Settings\Azrael\Application Data\LimeWire
2008-03-29 23:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-29 18:19 --------- d-----w C:\Program Files\SmartFTP Client
2008-03-26 05:24 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-24 13:58 --------- d-----w C:\Program Files\Tunebite
2008-03-12 03:27 --------- d-----w C:\Documents and Settings\Azrael\Application Data\.clue-by-4.org
2008-03-05 14:33 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-05 14:32 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-03-03 21:49 --------- d-----w C:\Documents and Settings\Azrael\Application Data\tunebite
2008-02-29 07:01 --------- d-----w C:\Documents and Settings\Azrael\Application Data\RTPlayer
2008-02-22 13:39 --------- d-----w C:\Program Files\iTunes
2008-02-22 13:39 --------- d-----w C:\Program Files\iPod
2008-02-22 13:38 --------- d-----w C:\Program Files\QuickTime
2008-02-18 05:15 --------- d-----w C:\Documents and Settings\Azrael\Application Data\Realtime Soft
2008-02-11 21:19 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-16 04:01 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-01-08 04:42 22,328 ----a-w C:\Documents and Settings\Azrael\Application Data\PnkBstrK.sys
2007-11-21 04:58 11,976 ----a-w C:\Program Files\install.log
2007-04-18 02:19 25,464 ----a-w C:\Documents and Settings\Azrael\Application Data\GDIPFONTCACHEV1.DAT
2007-03-19 22:14 25,464 ----a-w C:\Documents and Settings\Crystal\Application Data\GDIPFONTCACHEV1.DAT
2006-03-31 02:53 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [ ]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-03-05 21:54 29744]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-03 18:47 579072]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2006-02-28 06:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-03 18:47 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=??
?C?D  C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EA_RESTART_001.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EA_RESTART_001.lnk
backup=C:\WINDOWS\pss\EA_RESTART_001.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EA_RESTART_002.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EA_RESTART_002.lnk
backup=C:\WINDOWS\pss\EA_RESTART_002.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Azrael^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=C:\Documents and Settings\Azrael\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=C:\WINDOWS\pss\GameSpot Download Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Azrael^Start Menu^Programs^Startup^Kirby Alarm.lnk]
path=C:\Documents and Settings\Azrael\Start Menu\Programs\Startup\Kirby Alarm.lnk
backup=C:\WINDOWS\pss\Kirby Alarm.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Azrael^Start Menu^Programs^Startup^Screenza.lnk]
path=C:\Documents and Settings\Azrael\Start Menu\Programs\Startup\Screenza.lnk
backup=C:\WINDOWS\pss\Screenza.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Azrael^Start Menu^Programs^Startup^TrueAssistant.lnk]
path=C:\Documents and Settings\Azrael\Start Menu\Programs\Startup\TrueAssistant.lnk
backup=C:\WINDOWS\pss\TrueAssistant.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Azrael^Start Menu^Programs^Startup^Yahoo! Widgets.lnk]
path=C:\Documents and Settings\Azrael\Start Menu\Programs\Startup\Yahoo! Widgets.lnk
backup=C:\WINDOWS\pss\Yahoo! Widgets.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atiupdate]
C:\WINDOWS\System32\msshed32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-04-03 18:47 579072 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2006-02-28 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-03 16:29 165784 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
C:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGServices]
C:\Program Files\ESPNRunTime\DIGServices.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
C:\Program Files\DIGStream\digstream.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]
C:\WINDOWS\System32\dxdllreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
C:\Program Files\Electronic Arts\EA Downloader\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ElbyCheckElbyCDFL]
C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process]
C:\WINDOWS\Fonts\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2004-06-03 00:50 204800 C:\Program Files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
--a------ 2001-11-29 01:00 28672 C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSA Shellu]
C:\Documents and Settings\Azrael\lsass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXSUPMON]
--a------ 2002-01-28 11:48 885760 C:\WINDOWS\system32\LXSUPMON.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 01:41 8523776 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-12-05 01:41 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Oamc]
C:\WINDOWS\System32\WNSXS~1\winspool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperFreeEdition]
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PostSetupCheck]
--a------ 2006-02-28 06:00 33280 C:\WINDOWS\System32\Rundll32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegPowerClean]
C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SchedulingAgent]
--a------ 2004-08-04 01:56 12288 C:\WINDOWS\system32\mstinit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmcService]
--a------ 2004-10-15 19:40 2577632 C:\PROGRA~1\Sygate\SPF\smc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 10:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-11-09 15:07 49263 C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheLionCluster]
C:\Program Files\The Lion\skinkers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ThrustTSR]
C:\Program Files\Thrustmaster\Thrustmapper\TMTMTSR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tunebite.exe]
C:\Program Files\Tunebite\tunebite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
--a------ 2002-07-02 17:56 24576 C:\WINDOWS\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMC_AutoUpdate]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XemiComputers Scheduler]
C:\Program Files\XemiComputers\Smooth Program Scheduler\Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12087:TCP"= 12087:TCP:BitComet 12087 TCP
"12087:UDP"= 12087:UDP:BitComet 12087 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009


.
Contents of the 'Scheduled Tasks' folder
"2008-04-01 16:31:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-05 01:17:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-04-05 1:18:10
ComboFix-quarantined-files.txt 2008-04-05 07:17:56
Pre-Run: 20,225,744,896 bytes free
Post-Run: 20,203,687,936 bytes free
.
2007-10-28 08:37:29 --- E O F ---


HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18:48 AM, on 4/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Azrael/My%20Documents/Important%20Documents/Home%20Page/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-507921405-436374069-682003330-1010\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcente...trolLite_EN.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com...OnlineGames.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198802631296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1193548030030
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload....GPlugin9USA.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS4\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS5\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: ??
?C?D  C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 9501 bytes
  • 0

#22
BHowett
Posted 05 April 2008 - 07:12 AM

BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Hi Azrael1415 ,

Your logs look good, all we have now is a little bit of clean up to do. Are you still having the problem of RunDLL32.exe running all the time?
Please let me know either way… but if it is still running, let’s do a search for it, so we can see the file path(s).
  • Click Start.
  • Click Search.
  • Click All files and folders.
  • Expand More advanced options and then check Search system folders, Search hidden files and folders and Search Subfolders.
  • then copy and Paste each of the following (one at a time) into the box:

    RunDLL32.exe

When these files are found please make note of their file paths and post them here in you next reply.
  • 0

#23
Azrael1415
Posted 05 April 2008 - 04:22 PM

Azrael1415

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
No, it's not running all the time anymore.

Here's what search found:

C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dllcache\rundll32.exe

Edited by Azrael1415, 05 April 2008 - 04:23 PM.

  • 0

#24
BHowett
Posted 05 April 2008 - 07:06 PM

BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Hi Azrael1415 ,

Rundll32.exe should really only be in your system32 folder so let’s run an online scan…

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#25
Azrael1415
Posted 05 April 2008 - 09:24 PM

Azrael1415

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, April 05, 2008 10:22:58 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/04/2008
Kaspersky Anti-Virus database records: 685569
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 87944
Number of viruses found: 5
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 01:11:06

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\f687ec838c2f0329b5893d8e2942d4c1_a2e17db2-e586-490b-9a9d-3f4532e28ad7 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\51c58036c00d08268bdab36074aa5564_a2e17db2-e586-490b-9a9d-3f4532e28ad7 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Azrael\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Azrael\Local Settings\Application Data\Google\Google Desktop\74e71deaa4f5\dbc2e.ht1 Object is locked skipped
C:\Documents and Settings\Azrael\Local Settings\Application Data\Google\Google Desktop\74e71deaa4f5\dbdam Object is locked skipped
C:\Documents and Settings\Azrael\Local Settings\Application Data\Google\Google Desktop\74e71deaa4f5\dbdao Object is locked skipped
C:\Documents and Settings\Azrael\Local Settings\Application Data\Google\Google Desktop\74e71deaa4f5\dbeam Object is locked skipped
C:\Documents and Settings\Azrael\Local Settings\Application Data\Google\Google Desktop\74e71deaa4f5\dbeao Object is locked skipped
C:\Documents and Settings\Azrael\Local Settings\Application Data\Google\Google Desktop\74e71deaa4f5\dbm Object is locked skipped
C:\Documents and Settings\Azrael\Local Settings\Application Data\Google\Google Desktop\74e71deaa4f5\dbu2d.ht1 Object is locked skipped
C:\Documents and Settings\Azrael\Local Settings\Application Data\Google\Google Desktop\74e71deaa4f5\dbvm.cf1 Object is locked skipped
C:\Documents and Settings\Azrael\Local Settings\Application Data\Google\Google Desktop\74e71deaa4f5\dbvmh.ht1 Object is locked skipped
C:\Documents and Settings\Azrael\Local Settings\Application Data\Google\Google Desktop\74e71deaa4f5\fii.cf1 Object is locked skipped
C:\Documents and Settings\Azrael\Local Settings\Application Data\Google\Google Desktop\74e71deaa4f5\fiih.ht1 Object is locked skipped
C:\Documents and Settings\Azrael\Local Settings\Application Data\Google\Google Desktop\74e71deaa4f5\hp Object is locked skipped
C:\Documents and Settings\Azrael\Local Settings\Application Data\Google\Google Desktop\74e71deaa4f5\hpt2i.ht1 Object is locked skipped
C:\Documents and Settings\Azrael\Local Settings\Application Data\Google\Google Desktop\74e71deaa4f5\rpm.cf1 Object is locked skipped
C:\Documents and Settings\Azrael\Local Settings\Application Data\Google\Google Desktop\74e71deaa4f5\rpm1m.cf1 Object is locked skipped
C:\Documents and Settings\Azrael\Local Settings\Application Data\Google\Google Desktop\74e71deaa4f5\rpm1mh.ht1 Object is locked skipped
C:\Documents and Settings\Azrael\Local Settings\Application Data\Google\Google Desktop\74e71deaa4f5\rpmh.ht1 Object is locked skipped
C:\Documents and Settings\Azrael\Local Settings\Application Data\Google\Google Desktop\74e71deaa4f5\safeweb\goog-black-enchashm.cf1 Object is locked skipped
C:\Documents and Settings\Azrael\Local Settings\Application Data\Google\Google Desktop\74e71deaa4f5\safeweb\goog-black-enchashmh.ht1 Object is locked skipped
C:\Documents and Settings\Azrael\Local Settings\Application Data\Google\Google Desktop\74e71deaa4f5\safeweb\goog-black-urlm.cf1 Object is locked skipped
C:\Documents and Settings\Azrael\Local Settings\Application Data\Google\Google Desktop\74e71deaa4f5\safeweb\goog-black-urlmh.ht1 Object is locked skipped
C:\Documents and Settings\Azrael\Local Settings\Application Data\Google\Google Desktop\74e71deaa4f5\safeweb\goog-malware-domainm.cf1 Object is locked skipped
C:\Documents and Settings\Azrael\Local Settings\Application Data\Google\Google Desktop\74e71deaa4f5\safeweb\goog-malware-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\Azrael\Local Settings\Application Data\Google\Google Desktop\74e71deaa4f5\safeweb\goog-white-domainm.cf1 Object is locked skipped
C:\Documents and Settings\Azrael\Local Settings\Application Data\Google\Google Desktop\74e71deaa4f5\safeweb\goog-white-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\Azrael\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Azrael\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Azrael\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Azrael\Local Settings\Temp\~DF7E48.tmp Object is locked skipped
C:\Documents and Settings\Azrael\Local Settings\Temp\~DF9469.tmp Object is locked skipped
C:\Documents and Settings\Azrael\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Azrael\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Azrael\My Documents\My Games\WormsArmageddon-dm[1].exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\Documents and Settings\Azrael\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Azrael\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\Crystal\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Crystal\Local Settings\Application Data\Google\Google Desktop\8096975104b5\dbc2e.ht1 Object is locked skipped
C:\Documents and Settings\Crystal\Local Settings\Application Data\Google\Google Desktop\8096975104b5\dbdam Object is locked skipped
C:\Documents and Settings\Crystal\Local Settings\Application Data\Google\Google Desktop\8096975104b5\dbdao Object is locked skipped
C:\Documents and Settings\Crystal\Local Settings\Application Data\Google\Google Desktop\8096975104b5\dbeam Object is locked skipped
C:\Documents and Settings\Crystal\Local Settings\Application Data\Google\Google Desktop\8096975104b5\dbeao Object is locked skipped
C:\Documents and Settings\Crystal\Local Settings\Application Data\Google\Google Desktop\8096975104b5\dbm Object is locked skipped
C:\Documents and Settings\Crystal\Local Settings\Application Data\Google\Google Desktop\8096975104b5\dbu2d.ht1 Object is locked skipped
C:\Documents and Settings\Crystal\Local Settings\Application Data\Google\Google Desktop\8096975104b5\dbvm.cf1 Object is locked skipped
C:\Documents and Settings\Crystal\Local Settings\Application Data\Google\Google Desktop\8096975104b5\dbvmh.ht1 Object is locked skipped
C:\Documents and Settings\Crystal\Local Settings\Application Data\Google\Google Desktop\8096975104b5\fii.cf1 Object is locked skipped
C:\Documents and Settings\Crystal\Local Settings\Application Data\Google\Google Desktop\8096975104b5\fiih.ht1 Object is locked skipped
C:\Documents and Settings\Crystal\Local Settings\Application Data\Google\Google Desktop\8096975104b5\hp Object is locked skipped
C:\Documents and Settings\Crystal\Local Settings\Application Data\Google\Google Desktop\8096975104b5\hpt2i.ht1 Object is locked skipped
C:\Documents and Settings\Crystal\Local Settings\Application Data\Google\Google Desktop\8096975104b5\rpm.cf1 Object is locked skipped
C:\Documents and Settings\Crystal\Local Settings\Application Data\Google\Google Desktop\8096975104b5\rpm1m.cf1 Object is locked skipped
C:\Documents and Settings\Crystal\Local Settings\Application Data\Google\Google Desktop\8096975104b5\rpm1mh.ht1 Object is locked skipped
C:\Documents and Settings\Crystal\Local Settings\Application Data\Google\Google Desktop\8096975104b5\rpmh.ht1 Object is locked skipped
C:\Documents and Settings\Crystal\Local Settings\Application Data\Google\Google Desktop\8096975104b5\safeweb\goog-black-enchashm.cf1 Object is locked skipped
C:\Documents and Settings\Crystal\Local Settings\Application Data\Google\Google Desktop\8096975104b5\safeweb\goog-black-enchashmh.ht1 Object is locked skipped
C:\Documents and Settings\Crystal\Local Settings\Application Data\Google\Google Desktop\8096975104b5\safeweb\goog-black-urlm.cf1 Object is locked skipped
C:\Documents and Settings\Crystal\Local Settings\Application Data\Google\Google Desktop\8096975104b5\safeweb\goog-black-urlmh.ht1 Object is locked skipped
C:\Documents and Settings\Crystal\Local Settings\Application Data\Google\Google Desktop\8096975104b5\safeweb\goog-malware-domainm.cf1 Object is locked skipped
C:\Documents and Settings\Crystal\Local Settings\Application Data\Google\Google Desktop\8096975104b5\safeweb\goog-malware-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\Crystal\Local Settings\Application Data\Google\Google Desktop\8096975104b5\safeweb\goog-white-domainm.cf1 Object is locked skipped
C:\Documents and Settings\Crystal\Local Settings\Application Data\Google\Google Desktop\8096975104b5\safeweb\goog-white-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\Crystal\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Crystal\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Crystal\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Crystal\Local Settings\temp\~DF3646.tmp Object is locked skipped
C:\Documents and Settings\Crystal\Local Settings\temp\~DF7828.tmp Object is locked skipped
C:\Documents and Settings\Crystal\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Crystal\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Crystal\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Sygate\SPF\debug.log Object is locked skipped
C:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped
C:\Program Files\Sygate\SPF\seclog.log Object is locked skipped
C:\Program Files\Sygate\SPF\syslog.log Object is locked skipped
C:\Program Files\Sygate\SPF\tralog.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lcntskdn.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.aw skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{7A154173-848F-4F71-A219-F4A596D9A3ED}\RP1\A0000023.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lrz skipped
C:\System Volume Information\_restore{7A154173-848F-4F71-A219-F4A596D9A3ED}\RP15\A0001685.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.aw skipped
C:\System Volume Information\_restore{7A154173-848F-4F71-A219-F4A596D9A3ED}\RP16\change.log Object is locked skipped
C:\WHM\Warhammer_MarkOfChaos-dm.exe Infected: not-a-virus:AdWare.Win32.Trymedia.d skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Download SamAndMax_SituationComedy_Setup_offer now.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
  • 0

Advertisements

#26
BHowett
Posted 06 April 2008 - 10:48 AM

BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Hi Azrael1415

Things are looking good, so lets finish up.. :)

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\Documents and Settings\Azrael\My Documents\My Games\WormsArmageddon-dm[1].exe
C:\WHM\Warhammer_MarkOfChaos-dm.exe
C:\WINDOWS\Download SamAndMax_SituationComedy_Setup_offer now.exe


==============================================


Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image

==============================================


To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

==============================================


This is my standard post for when you are clear - which you now are - or seem to be. Please advise me of any questions or problems you still have.

I know you already have some of the programs like Antivirus, or 3rd party firewall, but I still like to share the information incase you ever need it, or want to change them.


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Posted Image 1.) Watch what you download!
Many freeware programs, and P2P programs like Grokster, Imesh, Kazaa and others are amongst the most notorious, come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself. If you insist on using a P2P program, please read This Article written by Mike Healan of Spywareinfo.com fame. It is an updated and comprehensive article that gives in-depth detail about which P2P programs are "safe" to use.

Posted Image 2.) Go to Intenet Explorer > Tools > Windows Update > Product Updates, and install ALL High-Priority Security Updates listed. If you're running Windows XP, that of course includes the Service Pack 2! If you suspect your computer is infected with Malware of any type, we advise you to not install SP2 if you don't already have it. You can post a HijackThis log on our Forums to get free Expert help cleaning your machine. Once you are sure you have a clean system, it is highly recommended to install SP2 to help prevent against future infections.

It's important to always keep current with the latest security fixes from Microsoft.
Install those patches for Internet Explorer, and make sure your installation of Java VM is up-to-date. There are some well known security bugs with Microsoft Java VM which are exploited regularly by browser hijackers.

Posted Image 3.) Open Intenet Explorer and go to Internet Options > Security > Internet, then press "Default Level", then OK. Now press "Custom Level." In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".

Now you will be asked whether you want ActiveX objects to be executed and whether you want software to be installed.
Sites that you know for sure are above suspicion can be moved to the Trusted Zone in Internet Option > Security.

So why is ActiveX so dangerous that you have to increase the security for it?
When your browser runs an activex control, it is running an executable program. It's no different from doubleclicking an exe file on your hard drive.
Would you run just any random file downloaded off a web site without knowing what it is and what it does?

Posted Image 4.) Install Javacool's SpywareBlaster

It will protect you from most spy/foistware in it's database by blocking installation of their ActiveX objects.

Download and install, download the latest updates, and you'll see a list of all spyware programs covered by the program (NOTE: this is NOT spyware found on your computer) Press "Enable All Protection", and you're done.
The spyware that you told Spywareblaster to set the "kill bit" for won't be a hazard to you any longer. Although it won't protect you from every form of spyware known to man, it is a very potent extra layer of protection.
Don't forget to check for updates every week or so.

Posted Image 5.) Let's also not forget that Spybot Search & Destroy has the Immunize feature which works roughly the same way. Another feature within Spybot is the TeaTimer option. This option immediately detects known malicious processes wanting to start and terminates them. TeaTimer also detects when something wants to change some critical registry keys and gives you an option to allow them or not.

Posted Image 6.) Microsoft now offers their own free malicious software blocking tool. Windows Defender improves Internet browsing safety by guarding over fifty (50) ways spyware can enter your PC.

Posted Image 7.) Another excellent program by Javacool we recommend is SpywareGuard.
It provides a degree of real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.

Posted Image 8.) IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. Another good hosts program is mvpshosts. This little program packs a powerful punch as it block ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial.

*It is important to note that all of the above programs/files can be run simultaneously on your system. They will work together in layers, so to speak, to help protect your computer. However, the following suggestions are designed to only run one of each. It is not a good idea to run more than one firewall, and one anti-virus program. Running more than one of these at a time can cause system crashes, high system usage and/or conflicts with each other.*

Posted Image 9.) It is critical that you use a firewall to protect your computer from hackers. We don't recommend the firewall that comes built in to Windows. It doesn't block everything that may try to get in, and the entire firewall is written to the registry. As various kinds of malware hack the Registry in order to disable the Windows firewall, it's far preferable to install one of the excellent third party solutions. Three good ones that are freeware to boot are ZoneAlarm, Kerio and Sygate

Posted Image 10.) An Anti-Virus product is a necessity. There are many excellent programs that you can purchase. However, we choose to advocate the use of free programs whenever possible. Some very good and easy-to-use free A/V programs are AVG, Avast, and AntiVir. It's a good idea to set these to receive automatic updates so you are always as fully protected as possible from the newest virus threats.
NOTE: DO NOT install more than one anti-virus program. They will conflict, and provide less protection, not more.

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.


Follow this list and your potential for being infected again will reduce dramatically.


Thanks for letting us help you!
  • 0

#27
Azrael1415
Posted 06 April 2008 - 12:17 PM

Azrael1415

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Done. Running great. Thanks!
  • 0

#28
BHowett
Posted 06 April 2008 - 12:45 PM

BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP