Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

google redirect spyware virus [CLOSED]

Started by carsonswheel , Apr 12 2008 08:36 PM

  • This topic is locked This topic is locked

#1
carsonswheel
Posted 12 April 2008 - 08:36 PM

carsonswheel

    New Member

  • Member
  • Pip
  • 4 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:02:32 PM, on 4/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Charter\InstaLAN\AffinegyService.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\M-Audio\Install\EvoInst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Charter\InstaLAN\InstaLAN.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\system32\sdcu0.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {1FE09B61-2F2D-43A1-8DF9-9A58AEB5CAE7} - C:\WINDOWS\System32\dplayxt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {E6D19462-71C3-47B1-9126-37D9D9B99C23} - c:\windows\system32\dpwsockb.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [InstaLAN] "C:\Program Files\Charter\InstaLAN\InstaLAN.exe" startup
O4 - HKLM\..\Run: [sdcu0] C:\WINDOWS\system32\sdcu0.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [sdcu0] C:\WINDOWS\system32\sdcu0.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\DOCUME~1\Carson\LOCALS~1\Temp\SSUPDATE.EXE Software\SUPERAntiSpyware.com\SUPERAntiSpyware
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.char...in/ssctlsma.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O20 - Winlogon Notify: ybqibktz - C:\WINDOWS\SYSTEM32\dpwsockb.dll
O23 - Service: AffinegyService - Affinegy LLC - C:\Program Files\Charter\InstaLAN\AffinegyService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: M-Audio Installer (EvoInstallerService) - Unknown owner - C:\Program Files\M-Audio\Install\EvoInst.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

End of file - 4464 bytes

even if I don't open internet explorer, even if i just open MY COMPUTER or MY DOCUMENTS a pop up appears. many times it is an ad for trustedantivirus.com

computer runs slow task manager says that cpu runs at 100%
  • 0

Advertisements

#2
Rorschach112
Posted 13 April 2008 - 08:03 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#3
carsonswheel
Posted 14 April 2008 - 09:08 PM

carsonswheel

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
ComboFix 08-04-13.3 - Carson 2008-04-14 18:33:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.238 [GMT -6:00]
Running from: C:\Documents and Settings\Carson\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\appcert
C:\WINDOWS\system32\CMMGR32.EXE
C:\WINDOWS\system32\sysmwwod.dll
C:\WINDOWS\system32\dpwsockb.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_YYQAIHHI
-------\Service_yyqaihhi


((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-11 21:03 . 2008-04-11 21:03 <DIR> d-------- C:\Documents and Settings\Carson\Application Data\Malwarebytes
2008-04-11 21:02 . 2008-04-11 21:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-11 21:01 . 2008-04-11 21:01 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-11 16:01 . 2008-04-13 12:22 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-11 16:01 . 2008-04-11 16:01 <DIR> d-------- C:\Documents and Settings\Carson\Application Data\SUPERAntiSpyware.com
2008-04-11 16:01 . 2008-04-11 16:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-11 16:00 . 2008-04-11 16:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-11 15:48 . 2008-04-11 15:48 <DIR> d-------- C:\Program Files\AVG
2008-04-11 14:31 . 2008-04-11 14:43 <DIR> d-------- C:\hijackthis
2008-04-11 14:12 . 2008-04-11 14:19 <DIR> d-------- C:\test
2008-04-09 20:51 . 2008-04-09 20:51 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-04-09 16:00 . 2008-04-12 04:11 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-09 16:00 . 2005-02-24 21:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-09 15:58 . 2008-04-09 15:58 <DIR> d-------- C:\WINDOWS\system32\bits
2008-04-09 15:02 . 2008-04-09 15:30 56 --a------ C:\WINDOWS\CTWave32.ini
2008-04-09 12:31 . 2008-04-09 20:51 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-08 19:45 . 2008-04-08 20:41 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-08 19:45 . 2008-04-09 00:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-08 10:11 . 2008-04-08 10:11 <DIR> d-------- C:\Program Files\WAV to MP3 Encoder
2008-04-08 10:11 . 2001-12-12 11:35 348,160 --a------ C:\WINDOWS\system32\MEnc.ocx
2008-04-08 10:11 . 2002-08-22 23:27 348,160 --a------ C:\WINDOWS\system32\FlatBtn6.ocx
2008-04-07 19:20 . 2008-04-07 19:20 <DIR> d-------- C:\Program Files\BurnAware Free Edition
2008-04-07 19:10 . 2008-04-07 19:10 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-04-07 19:10 . 2003-05-21 23:50 1,700,352 --a------ C:\WINDOWS\system32\GdiPlus.dll
2008-04-07 19:10 . 2003-05-21 12:50 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-04-07 15:25 . 2008-04-07 15:37 616 --a------ C:\WINDOWS\cdplayer.ini
2008-04-05 15:32 . 2003-04-18 15:46 1,233,920 --a------ C:\WINDOWS\system32\msxml4.dll
2008-04-05 15:32 . 2003-04-18 15:29 82,432 --a------ C:\WINDOWS\system32\msxml4r.dll
2008-04-05 15:14 . 2002-11-06 15:12 360,448 --a------ C:\WINDOWS\system32\NCTWMAFile.dll
2008-04-05 15:14 . 2001-08-08 21:00 40,960 --a------ C:\WINDOWS\system32\DGPNorm.ocx
2008-04-05 15:07 . 2002-11-13 11:14 1,703,936 --a------ C:\WINDOWS\system32\NCTAudioFile.dll
2008-04-05 15:07 . 2002-06-13 13:50 376,832 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-04-05 15:07 . 2002-09-06 11:36 233,472 --a------ C:\WINDOWS\system32\lame_enc.dll
2008-04-04 23:06 . 2008-04-04 23:07 <DIR> d-------- C:\Program Files\sfArk
2008-04-04 22:58 . 2008-04-05 00:18 <DIR> d-------- C:\sfarks
2008-04-03 15:12 . 2008-04-03 15:12 <DIR> d-------- C:\Program Files\Free M4a to MP3 Converter
2008-04-03 12:45 . 2002-08-19 16:39 221,184 --a--c--- C:\WINDOWS\system32\dllcache\setup_wm.exe
2008-04-03 12:22 . 1998-06-24 01:00 164,144 --a------ C:\WINDOWS\system32\COMCT232.OCX
2008-04-03 11:30 . 2008-04-03 11:30 15 --a------ C:\WINDOWS\system32\ioncprv.cna
2008-04-03 09:57 . 2008-04-03 09:57 <DIR> d-------- C:\My Media
2008-04-03 09:51 . 2008-04-03 11:31 <DIR> d-------- C:\Program Files\Audio Converter
2008-04-03 09:51 . 2008-04-03 09:51 245,760 --------- C:\WINDOWS\Setup1.exe
2008-04-03 09:51 . 2008-04-03 09:51 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-04-02 13:09 . 2008-04-02 13:09 <DIR> d-------- C:\Program Files\Common Files\Mozilla Shared
2008-04-02 13:08 . 2008-04-11 13:06 6,490,880 --a------ C:\WINDOWS\system32\yrrtwqwv.dat
2008-04-02 13:08 . 2008-04-02 13:08 28,416 --a------ C:\WINDOWS\system32\fjkeills.dat
2008-03-31 15:10 . 2008-03-31 15:10 <DIR> d-------- C:\Program Files\Smallvideosoft
2008-03-31 15:10 . 2007-03-07 00:45 3,086,336 --a------ C:\WINDOWS\system32\NCMedia.dll
2008-03-31 15:10 . 2007-03-07 00:45 3,086,336 --a------ C:\WINDOWS\system32\flvvideo.dll
2008-03-31 15:10 . 2006-11-01 14:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-03-31 15:10 . 2007-02-25 15:36 383,238 --a------ C:\WINDOWS\system32\libmp3lame-0.dll
2008-03-28 19:11 . 2008-03-28 19:41 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-27 11:26 . 2008-03-27 11:26 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-03-27 11:18 . 2008-03-27 11:18 <DIR> d-------- C:\Program Files\Real
2008-03-27 11:07 . 2008-03-27 11:22 <DIR> d-------- C:\Program Files\Common Files\Real
2008-03-16 14:47 . 2008-04-04 15:43 <DIR> d-------- C:\samples

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-10 03:25 --------- d-----w C:\Documents and Settings\Carson\Application Data\LimeWire
2008-04-09 19:48 --------- d-----w C:\Program Files\Symantec
2008-04-09 19:47 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-08 05:38 --------- d-----w C:\Program Files\Yahoo!
2008-04-08 05:30 --------- d-----w C:\Documents and Settings\Carson\Application Data\Yahoo!
2008-04-08 05:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-05 20:08 --------- d-----w C:\Documents and Settings\Carson\Application Data\ICQLite
2008-04-03 21:10 20,224 ----a-w C:\WINDOWS\system32\drivers\ajdysxzh.dat
2008-03-30 21:40 --------- d-----w C:\Documents and Settings\Carson\Application Data\Cakewalk
2008-03-23 20:50 --------- d-----w C:\Program Files\Java
2008-02-27 06:12 --------- d-----w C:\Documents and Settings\Carson\Application Data\ICQ
2008-02-22 07:32 --------- d-----w C:\Program Files\LimeWire
2008-02-22 02:14 --------- d-----w C:\Program Files\CHARTER
2008-02-22 02:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Affinegy
2008-02-22 02:04 --------- d-----w C:\Program Files\Common Files\SupportSoft
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1FE09B61-2F2D-43A1-8DF9-9A58AEB5CAE7}]
2003-03-31 06:00 88064 --a------ C:\WINDOWS\System32\dplayxt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6D19462-71C3-47B1-9126-37D9D9B99C23}]
2008-04-14 18:36 81920 --a------ c:\windows\system32\dpwsockb.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sdcu0"="C:\WINDOWS\system32\sdcu0.exe" [2008-01-04 14:55 16384]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18 1670144]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-04-13 12:22 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\Updreg.exe" [2000-05-11 01:00 90112]
"AudioHQ"="C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE" [2000-05-11 01:00 205312]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"InstaLAN"="C:\Program Files\Charter\InstaLAN\InstaLAN.exe" [2007-02-18 16:09 548864]
"sdcu0"="C:\WINDOWS\system32\sdcu0.exe" [2008-01-04 14:55 16384]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-27 11:10 185896]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-04-13 12:22 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

R0 masvkjrz;masvkjrz;C:\WINDOWS\System32\drivers\ajdysxzh.dat []
R2 AffinegyService;AffinegyService;"C:\Program Files\Charter\InstaLAN\AffinegyService.exe" [2007-02-08 18:36]
R2 EvoInstallerService;M-Audio Installer;C:\Program Files\M-Audio\Install\EvoInst.exe [2005-03-08 11:19]
R3 AFGSp50;AFGSp50 NDIS Protocol Driver;C:\WINDOWS\System32\Drivers\AFGSp50.sys [2007-02-08 17:11]
R3 EVOLUSB;%EVOL_USB.SvcDesc%;C:\WINDOWS\System32\drivers\evolusb.sys [2004-10-20 16:50]
S3 AFGMp50;AFGMp50 NDIS Protocol Driver;C:\WINDOWS\System32\Drivers\AFGMp50.sys []

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-14 18:39:28
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\masvkjrz]
"ImagePath"="system32\drivers\ajdysxzh.dat"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ctsvccda.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2008-04-14 18:41:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-15 00:41:08

Pre-Run: 89,721,556,992 bytes free
Post-Run: 89,813,676,032 bytes free
.
2008-04-09 21:30:05 --- E O F ---


for the moment, things seem all right but i'll let you know if it does it again
  • 0

#4
carsonswheel
Posted 15 April 2008 - 01:10 AM

carsonswheel

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:49:57 AM, on 4/15/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Charter\InstaLAN\AffinegyService.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\M-Audio\Install\EvoInst.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Charter\InstaLAN\InstaLAN.exe
C:\WINDOWS\system32\sdcu0.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: (no name) - {1FE09B61-2F2D-43A1-8DF9-9A58AEB5CAE7} - C:\WINDOWS\System32\dplayxt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {E6D19462-71C3-47B1-9126-37D9D9B99C23} - c:\windows\system32\dpwsockb.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [InstaLAN] "C:\Program Files\Charter\InstaLAN\InstaLAN.exe" startup
O4 - HKLM\..\Run: [sdcu0] C:\WINDOWS\system32\sdcu0.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [sdcu0] C:\WINDOWS\system32\sdcu0.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.char...in/ssctlsma.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: AffinegyService - Affinegy LLC - C:\Program Files\Charter\InstaLAN\AffinegyService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: M-Audio Installer (EvoInstallerService) - Unknown owner - C:\Program Files\M-Audio\Install\EvoInst.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 4655 bytes
  • 0

#5
Rorschach112
Posted 15 April 2008 - 08:50 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\dpwsockb.dll
C:\WINDOWS\System32\dplayxt.dll
C:\WINDOWS\system32\sdcu0.exe

Folder::

Driver::
masvkjrz
AFGMp50
Registry::



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#6
carsonswheel
Posted 15 April 2008 - 02:16 PM

carsonswheel

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
ComboFix 08-04-13.3 - Carson 2008-04-15 13:57:55.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.245 [GMT -6:00]
Running from: C:\Documents and Settings\Carson\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Carson\Desktop\cfscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\System32\dplayxt.dll
C:\WINDOWS\system32\dpwsockb.dll
C:\WINDOWS\system32\sdcu0.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\sdcu0.exe
C:\WINDOWS\System32\dplayxt.dll . . . . failed to delete
C:\WINDOWS\system32\dpwsockb.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MASVKJRZ
-------\Service_AFGMp50
-------\Service_masvkjrz


((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-11 21:03 . 2008-04-11 21:03 <DIR> d-------- C:\Documents and Settings\Carson\Application Data\Malwarebytes
2008-04-11 21:02 . 2008-04-11 21:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-11 21:01 . 2008-04-11 21:01 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-11 16:01 . 2008-04-13 12:22 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-11 16:01 . 2008-04-11 16:01 <DIR> d-------- C:\Documents and Settings\Carson\Application Data\SUPERAntiSpyware.com
2008-04-11 16:01 . 2008-04-11 16:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-11 16:00 . 2008-04-11 16:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-11 15:48 . 2008-04-11 15:48 <DIR> d-------- C:\Program Files\AVG
2008-04-11 14:31 . 2008-04-11 14:43 <DIR> d-------- C:\hijackthis
2008-04-11 14:12 . 2008-04-11 14:19 <DIR> d-------- C:\test
2008-04-09 20:51 . 2008-04-09 20:51 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-04-09 16:00 . 2008-04-12 04:11 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-09 16:00 . 2005-02-24 21:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-09 15:58 . 2008-04-09 15:58 <DIR> d-------- C:\WINDOWS\system32\bits
2008-04-09 15:02 . 2008-04-09 15:30 56 --a------ C:\WINDOWS\CTWave32.ini
2008-04-09 12:31 . 2008-04-09 20:51 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-08 19:45 . 2008-04-08 20:41 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-08 19:45 . 2008-04-09 00:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-08 10:11 . 2008-04-08 10:11 <DIR> d-------- C:\Program Files\WAV to MP3 Encoder
2008-04-08 10:11 . 2001-12-12 11:35 348,160 --a------ C:\WINDOWS\system32\MEnc.ocx
2008-04-08 10:11 . 2002-08-22 23:27 348,160 --a------ C:\WINDOWS\system32\FlatBtn6.ocx
2008-04-07 19:20 . 2008-04-07 19:20 <DIR> d-------- C:\Program Files\BurnAware Free Edition
2008-04-07 19:10 . 2008-04-07 19:10 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-04-07 19:10 . 2003-05-21 23:50 1,700,352 --a------ C:\WINDOWS\system32\GdiPlus.dll
2008-04-07 19:10 . 2003-05-21 12:50 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-04-07 15:25 . 2008-04-07 15:37 616 --a------ C:\WINDOWS\cdplayer.ini
2008-04-05 15:32 . 2003-04-18 15:46 1,233,920 --a------ C:\WINDOWS\system32\msxml4.dll
2008-04-05 15:32 . 2003-04-18 15:29 82,432 --a------ C:\WINDOWS\system32\msxml4r.dll
2008-04-05 15:14 . 2002-11-06 15:12 360,448 --a------ C:\WINDOWS\system32\NCTWMAFile.dll
2008-04-05 15:14 . 2001-08-08 21:00 40,960 --a------ C:\WINDOWS\system32\DGPNorm.ocx
2008-04-05 15:07 . 2002-11-13 11:14 1,703,936 --a------ C:\WINDOWS\system32\NCTAudioFile.dll
2008-04-05 15:07 . 2002-06-13 13:50 376,832 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-04-05 15:07 . 2002-09-06 11:36 233,472 --a------ C:\WINDOWS\system32\lame_enc.dll
2008-04-04 23:06 . 2008-04-04 23:07 <DIR> d-------- C:\Program Files\sfArk
2008-04-04 22:58 . 2008-04-05 00:18 <DIR> d-------- C:\sfarks
2008-04-03 15:12 . 2008-04-03 15:12 <DIR> d-------- C:\Program Files\Free M4a to MP3 Converter
2008-04-03 12:45 . 2002-08-19 16:39 221,184 --a--c--- C:\WINDOWS\system32\dllcache\setup_wm.exe
2008-04-03 12:22 . 1998-06-24 01:00 164,144 --a------ C:\WINDOWS\system32\COMCT232.OCX
2008-04-03 11:30 . 2008-04-03 11:30 15 --a------ C:\WINDOWS\system32\ioncprv.cna
2008-04-03 09:57 . 2008-04-03 09:57 <DIR> d-------- C:\My Media
2008-04-03 09:51 . 2008-04-03 11:31 <DIR> d-------- C:\Program Files\Audio Converter
2008-04-03 09:51 . 2008-04-03 09:51 245,760 --------- C:\WINDOWS\Setup1.exe
2008-04-03 09:51 . 2008-04-03 09:51 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-04-02 13:09 . 2008-04-02 13:09 <DIR> d-------- C:\Program Files\Common Files\Mozilla Shared
2008-04-02 13:08 . 2008-04-11 13:06 6,490,880 --a------ C:\WINDOWS\system32\yrrtwqwv.dat
2008-04-02 13:08 . 2008-04-02 13:08 28,416 --a------ C:\WINDOWS\system32\fjkeills.dat
2008-03-31 15:10 . 2008-03-31 15:10 <DIR> d-------- C:\Program Files\Smallvideosoft
2008-03-31 15:10 . 2007-03-07 00:45 3,086,336 --a------ C:\WINDOWS\system32\NCMedia.dll
2008-03-31 15:10 . 2007-03-07 00:45 3,086,336 --a------ C:\WINDOWS\system32\flvvideo.dll
2008-03-31 15:10 . 2006-11-01 14:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-03-31 15:10 . 2007-02-25 15:36 383,238 --a------ C:\WINDOWS\system32\libmp3lame-0.dll
2008-03-28 19:11 . 2008-03-28 19:41 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-27 11:26 . 2008-03-27 11:26 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-03-27 11:18 . 2008-03-27 11:18 <DIR> d-------- C:\Program Files\Real
2008-03-27 11:07 . 2008-03-27 11:22 <DIR> d-------- C:\Program Files\Common Files\Real
2008-03-16 14:47 . 2008-04-04 15:43 <DIR> d-------- C:\samples

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 00:50 81,920 ----a-w C:\WINDOWS\system32\dpwsockb.dll
2008-04-10 03:25 --------- d-----w C:\Documents and Settings\Carson\Application Data\LimeWire
2008-04-09 19:48 --------- d-----w C:\Program Files\Symantec
2008-04-09 19:47 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-08 05:38 --------- d-----w C:\Program Files\Yahoo!
2008-04-08 05:30 --------- d-----w C:\Documents and Settings\Carson\Application Data\Yahoo!
2008-04-08 05:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-05 20:08 --------- d-----w C:\Documents and Settings\Carson\Application Data\ICQLite
2008-04-03 21:10 20,224 ----a-w C:\WINDOWS\system32\drivers\ajdysxzh.dat
2008-03-30 21:40 --------- d-----w C:\Documents and Settings\Carson\Application Data\Cakewalk
2008-03-27 17:17 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-03-27 17:17 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-03-23 20:50 --------- d-----w C:\Program Files\Java
2008-03-10 21:04 246,545 ----a-w C:\WINDOWS\system32\libssl32.dll
2008-03-10 21:04 1,188,375 ----a-w C:\WINDOWS\system32\libeay32.dll
2008-02-27 06:12 --------- d-----w C:\Documents and Settings\Carson\Application Data\ICQ
2008-02-22 07:32 --------- d-----w C:\Program Files\LimeWire
2008-02-22 02:14 --------- d-----w C:\Program Files\CHARTER
2008-02-22 02:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Affinegy
2008-02-22 02:04 --------- d-----w C:\Program Files\Common Files\SupportSoft
.

((((((((((((((((((((((((((((( snapshot@2008-04-14_18.40.42.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-15 00:38:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-15 20:03:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1FE09B61-2F2D-43A1-8DF9-9A58AEB5CAE7}]
2003-03-31 06:00 88064 --a------ C:\WINDOWS\System32\dplayxt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6D19462-71C3-47B1-9126-37D9D9B99C23}]
2008-04-14 18:50 81920 --a------ c:\windows\system32\dpwsockb.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sdcu0"="C:\WINDOWS\system32\sdcu0.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18 1670144]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-04-13 12:22 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\Updreg.exe" [2000-05-11 01:00 90112]
"AudioHQ"="C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE" [2000-05-11 01:00 205312]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"InstaLAN"="C:\Program Files\Charter\InstaLAN\InstaLAN.exe" [2007-02-18 16:09 548864]
"sdcu0"="C:\WINDOWS\system32\sdcu0.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-27 11:10 185896]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-04-13 12:22 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

R0 masvkjrz;masvkjrz;C:\WINDOWS\System32\drivers\ajdysxzh.dat []
R2 AffinegyService;AffinegyService;"C:\Program Files\Charter\InstaLAN\AffinegyService.exe" [2007-02-08 18:36]
R2 EvoInstallerService;M-Audio Installer;C:\Program Files\M-Audio\Install\EvoInst.exe [2005-03-08 11:19]
R3 AFGSp50;AFGSp50 NDIS Protocol Driver;C:\WINDOWS\System32\Drivers\AFGSp50.sys [2007-02-08 17:11]
R3 EVOLUSB;%EVOL_USB.SvcDesc%;C:\WINDOWS\System32\drivers\evolusb.sys [2004-10-20 16:50]

*Newly Created Service* - MASVKJRZ
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-15 14:04:49
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\masvkjrz]
"ImagePath"="system32\drivers\ajdysxzh.dat"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ctsvccda.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2008-04-15 14:06:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-15 20:06:23
ComboFix2.txt 2008-04-15 00:55:44
ComboFix3.txt 2008-04-15 00:41:18

Pre-Run: 89,772,863,488 bytes free
Post-Run: 89,778,065,408 bytes free
.
2008-04-09 21:30:05 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:10:25 PM, on 4/15/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Charter\InstaLAN\AffinegyService.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\M-Audio\Install\EvoInst.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Charter\InstaLAN\InstaLAN.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: (no name) - {1FE09B61-2F2D-43A1-8DF9-9A58AEB5CAE7} - C:\WINDOWS\System32\dplayxt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {E6D19462-71C3-47B1-9126-37D9D9B99C23} - c:\windows\system32\dpwsockb.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [InstaLAN] "C:\Program Files\Charter\InstaLAN\InstaLAN.exe" startup
O4 - HKLM\..\Run: [sdcu0] C:\WINDOWS\system32\sdcu0.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [sdcu0] C:\WINDOWS\system32\sdcu0.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.char...in/ssctlsma.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: AffinegyService - Affinegy LLC - C:\Program Files\Charter\InstaLAN\AffinegyService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: M-Audio Installer (EvoInstallerService) - Unknown owner - C:\Program Files\M-Audio\Install\EvoInst.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 4662 bytes

hijack this stalls for a while with a message at the top that says 015 enumeration zone
  • 0

#7
Rorschach112
Posted 17 April 2008 - 05:04 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Looks like we got a nice infection :)

CLICK THIS TO LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here:
The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "c:\windows\system32\dpwsockb.dll"
  • Put a link to this topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:


    • c:\windows\system32\dpwsockb.dll

  • Click Open.
  • Click Post.
Thank you!



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\system32\yrrtwqwv.dat
C:\WINDOWS\system32\fjkeills.dat
C:\WINDOWS\system32\dpwsockb.dll
C:\WINDOWS\system32\drivers\ajdysxzh.dat
c:\windows\system32\dpwsockb.dll

Driver::
masvkjrz


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
  • 0

#8
Rorschach112
Posted 22 April 2008 - 06:48 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP