affected with outerinfo! :[ [RESOLVED]

#16 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Uninstall Grisoft AVG Antivirus via your Add/Remove Programs panel if found. Then install version 7.5 of the antivirus from http://free.grisoft.com

Let's try disabling some startup programs to see if it helps with the speed issue. Check and fix these in HijackThis:

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe


Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoft.../activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply.

Is outerinfo still found?
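
The O4 entries above are read by eye in the thread. As an added example (not HijackThis's code, and not anything posted by the thread's participants), the parser below takes those same O4 lines and works out, for each one, where it is registered, which image Windows would launch, and which code actually runs: the DeadAIM entry uses rundll32.exe only as a host, and the real payload is the .ocm module named in its arguments. The shortest-prefix rule for unquoted paths and the PATH/App Paths note are the editor's approximation of how a Run value is resolved, not something the tool states.

```python
"""Parse HijackThis O4 autostart lines and resolve what actually executes.

Added example, not HijackThis's own code. The sample lines are the O4 entries
quoted in the post above; the parsing rules (shortest-prefix image resolution,
rundll32 host detection) are this editor's approximation of how Windows
resolves a Run value, not something the tool guarantees."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# O4 - HKLM\..\Run: [Name] command line      (registry-backed autostart)
REG_LINE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKU\\[^\\]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# O4 - Startup: Shortcut.lnk = target         (Startup-folder item)
FOLDER_LINE = re.compile(r"^O4 - (?P<folder>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.+)$")
# Unquoted command: the image is the shortest prefix ending in an executable
# extension; everything after it is arguments (CreateProcess probes this way).
UNQUOTED = re.compile(r"^(?P<image>.+?\.(?:exe|com|bat|cmd|pif|scr))(?:\s+(?P<args>.*))?$", re.I)
# rundll32 arguments:  "C:\dir\lib.dll",Entry   or   C:\dir\lib.dll,Entry
RUNDLL_ARGS = re.compile(r'^"?(?P<module>[^",]+)"?\s*,\s*(?P<entry>\S*)')


@dataclass
class Autostart:
    location: str               # "HKLM\..\Run", "HKCU\..\Run", "Startup", ...
    name: str                   # registry value name or shortcut file name
    image: str                  # program Windows launches
    args: Optional[str]
    effective: str              # code that really runs (the DLL when image is rundll32)
    notes: List[str] = field(default_factory=list)


def split_command(cmd: str):
    """Separate image from arguments the way the shell/CreateProcess would."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], None, ["unterminated quote"]
        return cmd[1:end], cmd[end + 1:].strip() or None, []
    m = UNQUOTED.match(cmd)
    if m:
        image, args = m["image"], m["args"]
    else:                                    # no recognised extension: first token wins
        parts = cmd.split(None, 1)
        image, args = parts[0], (parts[1] if len(parts) > 1 else None)
    notes = ["unquoted path with spaces (resolution is ambiguous)"] if " " in image else []
    return image, args, notes


def parse_o4(line: str) -> Optional[Autostart]:
    """Return an Autostart for one O4 line, or None if the line is not an O4 entry."""
    m = REG_LINE.match(line)
    if m:
        location = f"{m['hive']}\\..\\{m['key']}"
    else:
        m = FOLDER_LINE.match(line)
        if not m:
            return None
        location = m["folder"]
    image, args, notes = split_command(m["cmd"])
    effective = image
    if "\\" not in image:
        notes.append("bare image name (resolved via PATH or App Paths)")
    if image.lower().rsplit("\\", 1)[-1] == "rundll32.exe" and args:
        r = RUNDLL_ARGS.match(args)
        if r:
            effective = r["module"]
            notes.append(f"rundll32 host: the code that runs is {r['module']}!{r['entry']}")
    return Autostart(location, m["name"], image, args, effective, notes)


def parse_log(text: str) -> List[Autostart]:
    return [e for e in map(parse_o4, text.splitlines()) if e]


# The O4 lines from the post, used as sample input.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe
"""

if __name__ == "__main__":
    for e in parse_log(SAMPLE_O4):
        print(f"{e.location:<12} {e.name:<16} -> {e.effective}  {'; '.join(e.notes)}")
```

Running it prints one line per entry. The two points worth noticing are that a bare image name such as rundll32.exe is found through the search path rather than a fixed location, and that for a rundll32 entry the file to assess is the module in its arguments (here DeadAIM.ocm), not the host.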

#17 k0rr (Member, Topic Starter, 90 posts)
Edit: fixed my problem.

Now back to the Panda ActiveScan...
I will have the results later tonight or tomorrow.

Edited by k0rr, 17 April 2008 - 08:04 PM.


#18 k0rr (Member, Topic Starter, 90 posts)
http://www.freewebs..../ActiveScan.txt

Edited by k0rr, 18 April 2008 - 07:17 AM.


#19 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Looks good. Just some remnants left behind which we can wrap up below...

Your log is clean.

Go to http://www.java.com/.../5000020300.xml and see how to clear your Java cache or follow the instructions below:

Go into the Control Panel and double-click the Java icon (looks like a coffee cup).

- Under Temporary Internet Files, click the Delete Files button.
- There are three options in the window to clear the cache - Leave ALL 3 Checked
- Downloaded Applets
- Downloaded Applications
- Other Files
- Click OK on Delete Temporary Files window (Note: This deletes ALL the Downloaded Java Applications and Applets from the CACHE.)
- Click OK to leave the Java Control Panel.


To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run and type in Combofix /u and hit OK to remove Combofix. You should be set to go.

#20 k0rr (Member, Topic Starter, 90 posts)
Don't think I'm completely clean yet..

Fresh ComboFix log:

ComboFix 08-04-13.2 - Van 2008-04-19 2:28:12.18 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1601 [GMT -8:00]
Running from: C:\Documents and Settings\Van\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Van\Desktop\blackbird.jpg
C:\Documents and Settings\Van\Desktop\EditorFKWP1.5.exe
C:\Documents and Settings\Van\Desktop\EditorFKWP2.0.exe
C:\Documents and Settings\Van\Desktop\filemanagerclient.exe
C:\Documents and Settings\Van\Desktop\fkwp1.5.exe
C:\Documents and Settings\Van\Desktop\fkwp2.0.exe
C:\Documents and Settings\Van\Desktop\fwebd.exe
C:\Documents and Settings\Van\Desktop\FWebdEditor.exe
C:\Documents and Settings\Van\Desktop\Trojan.Win32.BlackBird.exe
C:\Documents and Settings\Van\Desktop\virii
C:\Documents and Settings\Van\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Van\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Van\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Van\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Van\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Van\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.exe
C:\Program Files\Common Files\crosof~1
C:\Program Files\Common Files\crosof~1\??crosoft\
C:\Program Files\Common Files\crosof~1\ping.exe
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\Inet Delivery
C:\Program Files\Inet Delivery\inetdl.exe
C:\Program Files\Inet Delivery\intdel.exe
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive15.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dicy.gz
C:\Program Files\QdrModule\kwdy.gz
C:\Program Files\QdrModule\QdrModule15.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\QdrPack15.exe
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\webhancer
C:\Program Files\webhancer\Programs\license.txt
C:\Program Files\webhancer\Programs\readme.txt
C:\Program Files\webhancer\Programs\sporder.dll
C:\Program Files\webhancer\Programs\webhdll.dll
C:\Program Files\webhancer\Programs\whagent.exe
C:\Program Files\webhancer\Programs\whagent.ini
C:\Program Files\webhancer\Programs\whiehlpr.dll
C:\Program Files\webhancer\Programs\whinstaller.exe
C:\WINDOWS\123messenger.per
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\a.bat
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\base64.tmp
C:\WINDOWS\bdn.com
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\browserad.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\default.htm
C:\WINDOWS\didduid.ini
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\lfn.exe
C:\WINDOWS\licencia.txt
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\mslagent
C:\WINDOWS\mslagent\2_mslagent.dll
C:\WINDOWS\mslagent\mslagent.exe
C:\WINDOWS\mslagent\uninstall.exe
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssecu.exe
C:\WINDOWS\mssvr.exe
C:\WINDOWS\ntnut.exe
C:\WINDOWS\PerfInfo
C:\WINDOWS\PerfInfo\8ls6d0iomFwp.exe.bak
C:\WINDOWS\saiemod.dll
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\shdocpl.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\000080.exe
C:\WINDOWS\system32\000090.exe
C:\WINDOWS\system32\ctoqll.dll
C:\WINDOWS\system32\fccdbAPJ.dll
C:\WINDOWS\system32\mcroso~1
C:\WINDOWS\system32\mcroso~1\s?ool32.exe
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\system32\akttzn.exe
C:\WINDOWS\system32\anticipator.dll
C:\WINDOWS\system32\awtoolb.dll
C:\WINDOWS\system32\bdn.com
C:\WINDOWS\system32\bsva-egihsg52.exe
C:\WINDOWS\system32\dpcproxy.exe
C:\WINDOWS\system32\emesx.dll
C:\WINDOWS\system32\h@tkeysh@@k.dll
C:\WINDOWS\system32\hoproxy.dll
C:\WINDOWS\system32\hxiwlgpm.dat
C:\WINDOWS\system32\hxiwlgpm.exe
C:\WINDOWS\system32\medup012.dll
C:\WINDOWS\system32\medup020.dll
C:\WINDOWS\system32\msgp.exe
C:\WINDOWS\system32\msnbho.dll
C:\WINDOWS\system32\mssecu.exe
C:\WINDOWS\system32\msvchost.exe
C:\WINDOWS\system32\mtr2.exe
C:\WINDOWS\system32\mwin32.exe
C:\WINDOWS\system32\netode.exe
C:\WINDOWS\system32\newsd32.exe
C:\WINDOWS\system32\ps1.exe
C:\WINDOWS\system32\psof1.exe
C:\WINDOWS\system32\psoft1.exe
C:\WINDOWS\system32\regc64.dll
C:\WINDOWS\system32\regm64.dll
C:\WINDOWS\system32\Rundl1.exe
C:\WINDOWS\system32\smp
C:\WINDOWS\system32\smp\msrc.exe
C:\WINDOWS\system32\sncntr.exe
C:\WINDOWS\system32\ssurf022.dll
C:\WINDOWS\system32\ssvchost.com
C:\WINDOWS\system32\ssvchost.exe
C:\WINDOWS\system32\sysreq.exe
C:\WINDOWS\system32\taack.dat
C:\WINDOWS\system32\taack.exe
C:\WINDOWS\system32\temp#01.exe
C:\WINDOWS\system32\thun.dll
C:\WINDOWS\system32\thun32.dll
C:\WINDOWS\system32\VBIEWER.OCX
C:\WINDOWS\system32\vbsys2.dll
C:\WINDOWS\system32\vcatchpi.dll
C:\WINDOWS\system32\winlogonpc.exe
C:\WINDOWS\system32\winsystem.exe
C:\WINDOWS\system32\WINWGPX.EXE
C:\WINDOWS\telefonos.txt
C:\WINDOWS\textos.txt
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\voiceip.dll
C:\WINDOWS\Web\def.htm
C:\WINDOWS\winsb.dll
C:\WINDOWS\winself.exe
C:\WINDOWS\winsystem.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MsSecurity1.209.4
-------\MsSecurity1.209.4


((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.

2008-04-19 02:00 . 2008-04-19 02:00 29,248 --a------ C:\WINDOWS\system32\NC0j64pd.exe
2008-04-19 01:47 . 2008-04-19 01:47 <DIR> d-------- C:\WINDOWS\mgwwgmke
2008-04-19 01:47 . 2008-04-19 01:49 <DIR> d-------- C:\Program Files\Bat
2008-04-19 01:47 . 2008-04-19 01:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\afwlsnsz
2008-04-19 01:47 . 2008-04-19 01:47 192,512 --a------ C:\WINDOWS\fibmxsfe.dll
2008-04-19 01:47 . 2008-04-19 01:47 65,024 --a------ C:\WINDOWS\vyfudihs.dll
2008-04-19 01:47 . 2008-04-19 01:47 65,024 --a------ C:\Documents and Settings\All Users\Application Data\szmhovqp.dll
2008-04-19 01:47 . 2008-04-19 01:47 138 -r-hs---- C:\WINDOWS\mainms.vpi
2008-04-19 01:47 . 2008-04-19 02:24 33 -r-hs---- C:\WINDOWS\muotr.so
2008-04-19 01:47 . 2008-04-19 02:22 4 --------- C:\WINDOWS\megavid.cdt
2008-04-19 01:46 . 2008-04-19 01:46 398 --a------ C:\WINDOWS\system32\L59FF.tmp
2008-04-19 01:46 . 2008-04-19 01:46 398 --a------ C:\WINDOWS\system32\L5934.tmp
2008-04-19 01:46 . 2008-04-19 01:46 398 --a------ C:\WINDOWS\system32\L5869.tmp
2008-04-19 01:46 . 2008-04-19 01:46 398 --a------ C:\WINDOWS\system32\L5740.tmp
2008-04-17 17:27 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-04-17 17:26 . 2004-08-03 22:59 5,504 --a------ C:\WINDOWS\system32\drivers\intelide.sys
2008-04-17 17:26 . 2004-08-03 22:59 5,504 --a--c--- C:\WINDOWS\system32\dllcache\intelide.sys
2008-04-17 16:20 . 2004-08-03 23:56 502,272 --a------ C:\WINDOWS\system32\winlogon.exe
2008-04-16 16:21 . 2008-04-19 02:25 <DIR> d-------- C:\Documents and Settings\Van\Application Data\AVG7
2008-04-16 16:21 . 2008-04-16 16:21 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-16 16:21 . 2008-04-16 16:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-16 16:21 . 2008-04-17 17:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-16 16:20 . 2008-04-16 16:20 <DIR> d-------- C:\Program Files\Panda Security
2008-04-15 14:19 . 2008-04-15 14:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-04-15 01:08 . 2008-04-15 01:08 <DIR> d-------- C:\Program Files\AVG
2008-04-14 18:33 . 2008-04-14 19:01 <DIR> d-------- C:\k0rr
2008-04-14 03:48 . 2008-04-15 14:19 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-04-12 18:51 . 2008-04-12 18:51 <DIR> d-------- C:\Documents and Settings\Van\WINDOWS
2008-04-09 23:56 . 2008-04-09 23:56 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-09 23:56 . 2008-04-09 23:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-29 14:18 . 2008-03-29 14:18 <DIR> d-------- C:\Program Files\Outsim
2008-03-29 14:13 . 2008-03-29 14:13 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-03-27 17:56 . 2008-03-27 17:56 <DIR> d-------- C:\Documents and Settings\Van\Application Data\Publish Providers
2008-03-27 17:56 . 2008-03-27 17:56 <DIR> d-------- C:\Documents and Settings\Van\Application Data\NetMedia Providers
2008-03-27 17:53 . 2008-03-27 17:53 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2008-03-27 17:53 . 1998-10-29 15:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-03-27 17:53 . 2002-12-17 16:23 33,340 --a------ C:\WINDOWS\system32\dbmsqlgc.dll
2008-03-27 17:53 . 2002-10-20 14:05 24,576 --a------ C:\WINDOWS\system32\dbmsgnet.dll
2008-03-27 17:52 . 2008-03-27 17:52 <DIR> d-------- C:\Program Files\Sony
2008-03-27 17:52 . 2008-03-27 17:52 <DIR> d-------- C:\Documents and Settings\Van\Application Data\Sony
2008-03-27 17:52 . 2008-03-27 17:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony
2008-03-27 17:51 . 2008-03-27 17:51 <DIR> d-------- C:\Program Files\Sony Setup
2008-03-27 13:21 . 2008-03-27 13:22 <DIR> d-------- C:\Program Files\VirtualDJ
2008-03-27 12:20 . 2008-04-01 11:20 <DIR> d-------- C:\Program Files\VstPlugins
2008-03-27 12:20 . 2008-03-27 12:20 <DIR> d-------- C:\Program Files\ASIO4ALL v2
2008-03-27 12:18 . 2008-04-01 11:19 <DIR> d-------- C:\Program Files\Image-Line
2008-03-26 12:40 . 2008-03-26 12:40 <DIR> d-------- C:\Program Files\Activision
2008-03-26 10:42 . 2008-03-26 12:50 22,328 --a------ C:\Documents and Settings\Van\Application Data\PnkBstrK.sys
2008-03-26 10:31 . 2008-04-09 02:23 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-03-25 10:16 . 2008-03-25 10:16 <DIR> d-------- C:\Program Files\WinPcap
2008-03-25 10:16 . 2008-03-25 11:03 <DIR> d-------- C:\Program Files\WC3Banlist
2008-03-21 02:21 . 2005-01-22 11:12 679,936 --a------ C:\WINDOWS\system32\D3DX81ab.dll
2008-03-21 01:43 . 2008-03-21 01:54 139,264 --a------ C:\WINDOWS\War3Unin.exe
2008-03-21 01:43 . 2008-03-21 02:11 75,965 --a------ C:\WINDOWS\War3Unin.dat
2008-03-21 01:43 . 2008-03-21 01:54 2,829 --a------ C:\WINDOWS\War3Unin.pif
2008-03-21 01:41 . 2008-04-18 23:55 <DIR> d-------- C:\Program Files\Warcraft III

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-10 09:02 --------- d-----w C:\Program Files\Steam
2008-04-09 10:23 --------- d-----w C:\Program Files\THQ
2008-04-09 01:17 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-08 21:51 --------- d-----w C:\Program Files\Avant Browser
2008-04-07 09:51 --------- d-----w C:\Documents and Settings\Van\Application Data\.BitTornado
2008-04-05 06:09 --------- d-----w C:\Program Files\World of Warcraft
2008-04-04 01:25 --------- d-----w C:\Documents and Settings\Van\Application Data\Aim
2008-04-01 03:23 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 4
2008-03-30 22:35 --------- d-----w C:\Program Files\Blaze Media Pro
2008-03-29 22:13 --------- d-----w C:\Program Files\Stardock
2008-03-28 17:04 --------- d-----w C:\Program Files\coolpro2
2008-03-26 20:50 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-26 01:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-17 05:20 --------- d-----w C:\Program Files\Magnus Brading
2008-03-14 03:52 --------- d-----w C:\Program Files\America's Army
2008-03-11 06:21 --------- d-----w C:\Program Files\AIM
2008-03-07 18:05 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-03-07 18:04 --------- d-----w C:\Program Files\NVIDIA nTune Performance Application
2008-03-07 09:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-05 06:30 --------- d-----w C:\Program Files\PowerISO
2008-03-02 01:47 --------- d-----w C:\Program Files\Java Web Start
2008-03-02 01:47 --------- d-----w C:\Program Files\Java
2008-02-29 21:36 --------- d-----w C:\Documents and Settings\Van\Application Data\Microsoft Games
2008-02-29 20:02 --------- d-----w C:\Program Files\Microsoft Games
2008-02-27 07:59 --------- d-----w C:\Program Files\3ivx
2008-02-26 01:15 --------- d-----w C:\Program Files\Realtek
2008-02-25 07:01 --------- d-----w C:\Documents and Settings\Van\Application Data\Atari
2008-02-24 09:18 --------- d-----w C:\Program Files\Common Files\PocketSoft
2008-02-24 09:18 --------- d-----w C:\Documents and Settings\Van\Application Data\Leadertech
2008-02-24 09:15 --------- d-----w C:\Program Files\Atari
2008-02-09 07:54 47,360 ----a-w C:\Documents and Settings\Van\Application Data\pcouffin.sys
2003-09-18 21:50 129,904 ----a-w C:\Documents and Settings\Van\e10002ke.sys
.

------- Sigcheck -------

2004-08-04 04:00 17408 bf36170ea928c6c92f20809393468b6a C:\WINDOWS\system32\svchost.exe

2004-08-04 04:00 1034752 d13cc9dfe4917e1d3f056c7a42330cb5 C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((( snapshot_2008-04-14_18.43.38.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-15 02:39:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-19 10:33:26 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-03-26 02:13:04 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
+ 2007-07-18 21:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
+ 2008-04-17 00:21:12 821,856 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
+ 2008-04-17 00:21:17 4,224 ----a-w C:\WINDOWS\system32\drivers\avg7rsw.sys
+ 2008-04-17 00:21:19 27,776 ----a-w C:\WINDOWS\system32\drivers\avg7rsxp.sys
+ 2008-04-17 00:21:21 10,760 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2008-04-17 00:21:21 26,952 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1a8523dc-1dd2-11b2-8f50-a0f5b7cb9b7f}]
2008-04-19 01:47 65024 --a------ C:\WINDOWS\vyfudihs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]
2008-03-07 21:15 413696 --a------ C:\Program Files\Bat\Bat.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [ ]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 19:25 81920]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"AIM"="C:\Program Files\AIM\aim.exe" [2004-06-07 12:53 61440]
"Teso"="C:\PROGRA~1\COMMON~1\CROSOF~1\ping.exe" [ ]
"Gmeu"="C:\WINDOWS\system32\M?crosoft\s?ool32.exe" [ ]
"QdrModule15"="C:\Program Files\QdrModule\QdrModule15.exe" [ ]
"QdrPack15"="C:\Program Files\QdrPack\QdrPack15.exe" [ ]
"weowxyqy"="C:\WINDOWS\system32\lmbcdmjq.exe" [2008-04-19 02:35 114688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 15:03 16125440 C:\WINDOWS\RTHDCPL.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-16 16:21 579584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-16 16:21 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"8ls6d0iomF"= C:\Documents and Settings\All Users\Application Data\afwlsnsz\odetcbul.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 14:13 49152 C:\PROGRA~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2007-12-26 12:13 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
"C:\\Program Files\\Avant Browser\\avant.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Warcraft III\\war3.exe"=

S3 E100E;E100E;C:\WINDOWS\system32\DRIVERS\e100ent.sys [2004-08-25 10:12]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 13:10]

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 02:34:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\lmbcdmjq.exe 114688 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Bat\X_Bat.exe
C:\Program Files\Avant Browser\avant.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\BitTornado\btdownloadgui.exe
.
**************************************************************************
.
Completion time: 2008-04-19 2:39:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-19 10:38:59
ComboFix2.txt 2008-04-15 08:54:08
ComboFix3.txt 2008-04-15 02:44:07
ComboFix4.txt 2008-04-13 00:28:19
ComboFix5.txt 2008-01-21 22:48:28

Pre-Run: 68,149,149,696 bytes free
Post-Run: 68,108,828,672 bytes free

Edited by k0rr, 19 April 2008 - 03:39 AM.

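
A helper reads a log like the one above by hand. As an added example (not ComboFix's own code, and not anything posted in this thread), the script below applies a few of the checks a responder makes on the "Reg Loading Points" and catchme sections: autostart values whose file has no recorded date and size (ComboFix prints "[ ]"), directory names that imitate "Microsoft" (the M?crosoft and CROSOF~1 entries), a system-tool name such as ping.exe living outside System32, the rarely legitimate Policies\Explorer\Run key, executables under All Users\Application Data, Security Center and firewall values set to silence warnings, and any file catchme reported as hidden. The brand list, the posture table and the length thresholds are the editor's assumptions; the sample is an excerpt of the log posted above.

```python
"""Triage ComboFix 'Reg Loading Points' and catchme output for autostart indicators.
Added example, not ComboFix's own code; the heuristics are this editor's and the
sample is an excerpt of the log posted above ('[ ]' is where ComboFix prints a file's date/size)."""
import re
from typing import Dict, List, Optional

KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]*)\]$")                            # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<rest>.*)$')            # "Name"=...
QUOTED_RE = re.compile(r'^"(?P<path>[^"]*)"\s*(?:\[(?P<meta>[^\]]*)\])?')    # "path" [date size]
HIDDEN_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) +\d+ bytes executable$")   # catchme result line

BRANDS = ("microsoft", "windows", "system32", "spoolsv", "svchost")          # assumed lookalike targets
SYSTEM_NAMES = {"ping.exe", "svchost.exe", "spoolsv.exe", "winlogon.exe", "lsass.exe", "services.exe"}
POSTURE = {  # value name -> (value that weakens the machine, what it means)
    "enablefirewall": (0, "Windows Firewall disabled"),
    "antivirusdisablenotify": (1, "Security Center antivirus warnings suppressed"),
    "updatesdisablenotify": (1, "Security Center update warnings suppressed"),
}

def lookalike(component: str) -> Optional[str]:
    """Brand a directory name imitates: 'M?crosoft' (a character ComboFix could not print)
    or 'CROSOF~1' (8.3 short name whose long form is a truncated 'microsoft')."""
    norm = re.sub(r"~\d+$", "", component.lower())
    if norm in BRANDS or len(norm) < 5:
        return None
    pattern = re.escape(norm).replace(r"\?", ".")
    for brand in BRANDS:
        if ("?" in norm and len(norm) == len(brand) and re.fullmatch(pattern, brand)) or norm in brand:
            return brand
    return None

def check_setting(name: str, rest: str) -> Optional[List[str]]:
    """Posture values; None means 'not a setting, treat the value data as a file path'."""
    if name.lower() not in POSTURE:
        return None
    bad, why = POSTURE[name.lower()]
    m = re.match(r"^(?:dword:)?([0-9a-f]+)", rest.lower())       # 'dword:00000001' or '0 (0x0)'
    return [why] if m and int(m.group(1), 16) == bad else []

def check_path(path: str, key: str, meta: Optional[str], hidden: set) -> List[str]:
    """Indicators for one autostart path; meta == '' means ComboFix printed '[ ]'."""
    if not path:
        return []
    low = path.lower()
    parts = low.split("\\")
    base, parent = parts[-1], "\\".join(parts[:-1])
    reasons = []
    if meta == "":
        reasons.append("no file metadata recorded (file missing, hidden or path obfuscated)")
    if "?" in path:
        reasons.append("unprintable character in path (homoglyph name)")
    reasons += [f"directory '{c}' imitates '{lookalike(c)}'" for c in parts[:-1] if lookalike(c)]
    if base in SYSTEM_NAMES and not parent.endswith("\\system32"):
        reasons.append(f"system binary name '{base}' outside System32")
    if "policies\\explorer\\run" in key.lower():
        reasons.append("Policies\\Explorer\\Run autostart (rarely used by legitimate software)")
    if "\\all users\\application data\\" in low:
        reasons.append("runs from All Users\\Application Data (writable by every user)")
    if low in hidden:
        reasons.append("hidden from the Win32 API (catchme)")
    return reasons

def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged value name to the reasons it was flagged."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    hidden = {m["path"].lower() for m in map(HIDDEN_RE.match, lines) if m}
    findings: Dict[str, List[str]] = {}
    key = ""
    for ln in lines:
        k = KEY_RE.match(ln)
        if k:
            key = k["key"]
            continue
        v = VALUE_RE.match(ln)
        if not v:
            continue
        reasons = check_setting(v["name"], v["rest"])
        if reasons is None:                                  # a file path, not a setting
            q = QUOTED_RE.match(v["rest"])
            path = q["path"] if q else v["rest"].strip()
            meta = q["meta"].strip() if q and q["meta"] is not None else None
            reasons = check_path(path, key, meta, hidden)
        if reasons:
            findings[v["name"]] = reasons
    return findings

SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
"Teso"="C:\PROGRA~1\COMMON~1\CROSOF~1\ping.exe" [ ]
"Gmeu"="C:\WINDOWS\system32\M?crosoft\s?ool32.exe" [ ]
"QdrModule15"="C:\Program Files\QdrModule\QdrModule15.exe" [ ]
"weowxyqy"="C:\WINDOWS\system32\lmbcdmjq.exe" [2008-04-19 02:35 114688]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"8ls6d0iomF"= C:\Documents and Settings\All Users\Application Data\afwlsnsz\odetcbul.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
scanning hidden files ...
C:\WINDOWS\system32\lmbcdmjq.exe 114688 bytes executable
"""
```

Legitimate entries in the same excerpt (ctfmon.exe, nwiz) produce no finding, while lmbcdmjq.exe is caught only because catchme reported it hidden: a malicious file with a plausible path and intact metadata passes these rules. The result is a shortlist for a human to check, not a verdict.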

#21 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Do you still have AVG Antivirus 7.5 & 8 installed? If so, uninstall one of them now. If you bought version 8 already, keep that. Otherwise, uninstall version 8 and keep version 7.5 (free edition).

Download OTMoveIt2 at http://download.blee...r/OTMoveIt2.exe
* Save it to your desktop.
* Double-click OTMoveIt2.exe to run it. (Vista users, right click on OTMoveIt2.exe and select Run as an Administrator).
* Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

[kill explorer]

C:\WINDOWS\system32\NC0j64pd.exe
C:\WINDOWS\fibmxsfe.dll
C:\WINDOWS\vyfudihs.dll
C:\Documents and Settings\All Users\Application Data\szmhovqp.dll
C:\WINDOWS\mainms.vpi
C:\WINDOWS\muotr.so
C:\WINDOWS\megavid.cdt
C:\WINDOWS\system32\L59FF.tmp
C:\WINDOWS\system32\L5934.tmp
C:\WINDOWS\system32\L5869.tmp
C:\WINDOWS\system32\L5740.tmp
C:\WINDOWS\vyfudihs.dll
C:\WINDOWS\system32\lmbcdmjq.exe
C:\WINDOWS\mgwwgmke
C:\Program Files\Bat
C:\Documents and Settings\All Users\Application Data\afwlsnsz
C:\Program Files\QdrPack\
C:\Program Files\QdrModule\
C:\PROGRA~1\COMMON~1\CROSOF~1\
C:\WINDOWS\system32\M?crosoft\ /u
C:\Documents and Settings\All Users\Application Data\afwlsnsz\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{1a8523dc-1dd2-11b2-8f50-a0f5b7cb9b7f}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Teso
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Gmeu
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\QdrModule15
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\QdrPack15
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\weowxyqy
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run\\8ls6d0iomF
purity

[start explorer]

* Return to OTMoveIt2. Right click in the Paste List of Files/Folders to Move window (under the Yellow bar) and choose Paste.
* Click the red Moveit! button.
* A log of files and folders moved will be created in the C:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
* Close OTMoveIt2.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Double click on Combofix and post that log here.

#22 k0rr (Member, Topic Starter, 90 posts)
Jesus.

Now I can't even get the desktop up.
I get past the XP boot screen, and when it's supposed to load the Windows logon/desktop, it doesn't.
I'm stuck with a black background with no icons and a mouse cursor; Ctrl+Alt+Del does nothing.
Can't boot into Safe Mode either.

Arggghhh.

Currently running a chkdsk /r on it.

Edited by k0rr, 19 April 2008 - 11:26 PM.


#23 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Power down the computer if you are still having problems. Turn it back on and try giving it a bit more time to see if it loads the desktop. None of the entries/files deleted above should have caused this problem.

#24 k0rr (Member, Topic Starter, 90 posts)
Nope.

After running that ComboFix, I was just playing some games when all of a sudden my explorer.exe shut down and my Ctrl+Alt+Del was "disabled by administrator".

Still stuck.
Can't run any programs.

When I boot from the XP CD, it doesn't give me the option to do a repair installation.
Do I have to have an SP2 CD? Or does an old XP CD usually work?

Edited by k0rr, 21 April 2008 - 12:51 PM.


#25 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Does it boot into Windows now? If it's still just a blank desktop background, see if you can hit Ctrl+Alt+Del to bring up the Task Manager. If you can do that, go to File->New Task and enter explorer and hit OK to see if it brings up the desktop. If so, try running Combofix again.
#26 k0rr (Member, Topic Starter, 90 posts)
Edit: I can now boot into Safe Mode, and only into Safe Mode.

Seems like it's gonna be a long and tedious process getting my computer back to normal, so to save you the trouble, I'm currently backing up my files and am planning to reformat.

I've been wanting to dual-boot Linux and give it a try anyway.

But thanks for sticking through this with me; I appreciate the help.

Keep up the good work for the community.
/salute

Edited by k0rr, 22 April 2008 - 02:05 PM.


#27 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
No problem k0rr. Sorry to hear it had to come down to a Windows install in the end after all this.

Good luck on the rebuild.

FYI for your new Windows install:

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

#28 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.