Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

[email protected]/ MDM rock 4 [RESOLVED]


  • This topic is locked This topic is locked

#1
Rigga

Rigga

    Member

  • Member
  • PipPip
  • 32 posts
hi gtg i need help removing the [email protected] worm


i ran Hijackthis, heres the logfile



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:50:23, on 18/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\NVIDIA\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Kontiki\KService.exe
C:\NVIDIA\NETWOR~1\bin\nSvcIp.exe
C:\NVIDIA\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\NVIDIA\NETWOR~1\bin\nSvcLog.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\WTMKM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\eunwgfiyp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {0C79C96C-F371-4A69-B1C4-C21C3ACDC74C} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MacrokeyManager] WTMKM.exe
O4 - HKLM\..\Run: [MDM Rock 4] C:\WINDOWS\system32\eunwgfiyp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinn...8/pool/pool.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122317086828
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1122317077140
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://esupport.epso...rg/ESTPTest.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinn...jo/wordmojo.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: wvuurrq - wvuurrq.dll (file missing)
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\NVIDIA\NETWOR~1\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NETWOR~1\bin\nSvcLog.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: WTService - Unknown owner - C:\WINDOWS\system32\atwtusb.exe

--
End of file - 11867 bytes




HELP IS HIGHLY APPRECIATED
  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Uninstall the following via the Add/Remove Panel (Start->Settings->Control Panel->Add/Remove Programs) if found:

Kontiki - unless you use this

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O2 - BHO: (no name) - {0C79C96C-F371-4A69-B1C4-C21C3ACDC74C} - (no file)
O4 - HKLM\..\Run: [MDM Rock 4] C:\WINDOWS\system32\eunwgfiyp.exe
O20 - Winlogon Notify: wvuurrq - wvuurrq.dll (file missing)


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\WINDOWS\system32\eunwgfiyp.exe

Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
  • 0

#3
Rigga

Rigga

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Heres the combo scan...



ComboFix 08-04-16.5 - Kieran 2008-04-18 4:39:09.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1525 [GMT 1:00]
Running from: C:\Documents and Settings\Kieran.KIERAN-E81BA96E\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kieran.KIERAN-E81BA96E\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Documents and Settings\Kieran.KIERAN-E81BA96E\Application Data\macromedia\Flash Player\#SharedObjects\83XBW2W4\iforex.com
C:\Documents and Settings\Kieran.KIERAN-E81BA96E\Application Data\macromedia\Flash Player\#SharedObjects\83XBW2W4\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\Kieran.KIERAN-E81BA96E\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\Kieran.KIERAN-E81BA96E\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\Documents and Settings\Kieran.KIERAN-E81BA96E\err.log
C:\WINDOWS\pack.epk
C:\WINDOWS\system32\lsprst7.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\qtstv.ini
C:\WINDOWS\system32\qtstv.ini2
C:\WINDOWS\system32\ssprs.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-18 to 2008-04-18 )))))))))))))))))))))))))))))))
.

2008-04-18 04:47 . 2007-06-13 11:23 80,896 ---h----- C:\qapvjexoz.exe
2008-04-18 04:47 . 2008-04-18 04:49 135 --ah----- C:\AUTORUN.INF
2008-04-18 03:07 . 2008-04-18 03:07 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-18 02:50 . 2008-04-18 02:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-17 23:53 . 2008-04-17 23:59 20 --a------ C:\WINDOWS\musicmv.INI
2008-04-11 02:33 . 2008-04-11 02:33 <DIR> d-------- C:\Documents and Settings\Kieran.KIERAN-E81BA96E\Application Data\FXpansion
2008-04-11 02:20 . 2008-04-11 02:20 <DIR> d-------- C:\Program Files\FXpansion
2008-04-10 21:56 . 2008-04-10 21:56 <DIR> d-------- C:\Program Files\Cakewalk
2008-04-08 01:19 . 2008-04-08 01:19 <DIR> d-------- C:\Program Files\Orion
2008-04-08 01:18 . 2008-04-08 01:17 720,896 --a------ C:\WINDOWS\iun6002.exe
2008-04-08 01:15 . 2008-04-08 01:15 <DIR> d-------- C:\Program Files\Superwave
2008-04-08 01:14 . 2008-04-08 01:14 <DIR> d-------- C:\Program Files\Fatsondo
2008-04-08 01:08 . 2008-04-08 01:08 <DIR> d-------- C:\Program Files\VirSyn Software Synthesizer
2008-04-08 00:54 . 2008-04-08 00:54 65,536 --a------ C:\WINDOWS\IFinst27.exe
2008-04-07 21:25 . 2008-04-07 21:26 <DIR> d-------- C:\Program Files\WNAS
2008-04-07 18:29 . 2008-04-07 18:29 <DIR> d-------- C:\Program Files\rgcaudio
2008-04-07 17:54 . 2008-04-07 17:54 <DIR> d-------- C:\Program Files\WWAYM
2008-03-30 12:36 . 2008-04-07 17:44 <DIR> d-------- C:\Program Files\EDIROL
2008-03-29 19:40 . 2008-03-29 19:40 <DIR> d-------- C:\WINDOWS\system32\Epson
2008-03-29 01:10 . 2008-03-29 01:10 1,025 --a------ C:\WINDOWS\system32\sysprs7.dll
2008-03-29 01:10 . 2008-03-29 01:10 1,025 --a------ C:\WINDOWS\system32\clauth2.dll
2008-03-29 01:10 . 2008-03-29 01:10 1,025 --a------ C:\WINDOWS\system32\clauth1.dll
2008-03-29 00:28 . 2008-03-29 00:28 <DIR> d-------- C:\Program Files\Common Files\Oberon Media
2008-03-28 17:43 . 2008-04-07 22:11 <DIR> d-------- C:\Program Files\AAS
2008-03-28 17:43 . 2008-04-07 22:11 <DIR> d-------- C:\Documents and Settings\Kieran.KIERAN-E81BA96E\Application Data\Applied Acoustics Systems
2008-03-28 17:18 . 2008-03-28 18:28 16 --a------ C:\WINDOWS\system32\w3data.vss
2008-03-28 17:18 . 2008-03-28 18:28 16 --a------ C:\WINDOWS\msocreg32.dat
2008-03-28 04:02 . 2008-03-28 04:02 1,025 --a------ C:\WINDOWS\system32\sysprs7.tgz
2008-03-28 04:02 . 2008-04-17 02:15 219 --a------ C:\WINDOWS\system32\lsprst7.tgz
2008-03-28 04:02 . 2008-04-17 02:15 87 --a------ C:\WINDOWS\system32\ssprs.tgz
2008-03-28 04:01 . 2008-03-29 01:06 <DIR> d-------- C:\Program Files\KORG
2008-03-28 04:01 . 2008-03-29 01:08 <DIR> d-------- C:\Program Files\Common Files\KORG
2008-03-20 11:56 . 2008-03-20 11:56 162 --a------ C:\WINDOWS\msmmdx9.ini
2008-03-18 03:56 . 2008-04-11 03:01 <DIR> d-------- C:\Program Files\MusicLab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 01:07 --------- d-----w C:\Program Files\ewido anti-spyware 4.0
2008-04-18 00:24 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-04-17 22:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-17 22:47 --------- d-----w C:\Program Files\Sony
2008-04-17 01:18 --------- d-----w C:\Program Files\LimeWire
2008-04-17 01:18 --------- d-----w C:\Program Files\Incomplete
2008-04-16 23:01 --------- d-----w C:\Program Files\VstPlugins
2008-04-16 17:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-04-12 16:36 --------- d-----w C:\Documents and Settings\Kieran.KIERAN-E81BA96E\Application Data\uTorrent
2008-04-06 11:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-01 23:21 --------- d-----w C:\Program Files\Symantec
2008-04-01 19:52 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-04-01 18:09 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec
2008-04-01 16:22 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\FLEXnet
2008-03-31 01:10 --------- d-----w C:\Program Files\Oberon Media
2008-03-28 16:24 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-03-16 18:15 --------- d-----w C:\Program Files\u-he
2008-03-13 21:23 --------- d-----w C:\Program Files\PoiZone
2008-03-13 20:22 --------- d-----w C:\Program Files\Image-Line
2008-03-10 16:12 --------- d-----w C:\Documents and Settings\Jeanette.KIERAN-E81BA96E\Application Data\PACE Anti-Piracy
2008-03-04 00:49 --------- d-----w C:\Program Files\GForce
2007-06-19 15:44 5,632 --sha-w C:\Program Files\Thumbs.db
2007-05-29 14:07 69,105,794 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_05_29_03_22_18_full.dmp.zip
2007-05-29 14:05 69,108,171 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_05_29_03_21_00_full.dmp.zip
2006-07-14 22:13 488,144 ----a-w C:\Program Files\HJTsetup.exe
2007-06-13 10:23 80,896 --sh--r C:\WINDOWS\system32\eunwgfiyp.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-04-11 17:52 1409024]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 12:39 1310720]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 23:06 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 21:10 344064]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2004-08-25 14:25 28672]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2005-12-18 14:18 307200]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 09:51 172032]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 09:50 204800]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-04-26 08:29 237568]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 10:29 40960]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-25 01:45 180269]
"adiras"="adiras.exe" []
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40 1884160]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 17:34 213936]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 16:28 577536 C:\WINDOWS\soundman.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 21:16 286720]
"MacrokeyManager"="WTMKM.exe" [2007-05-29 09:55 1969824 C:\WINDOWS\system32\WTMKM.exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"MDM Rock 4"="C:\WINDOWS\system32\eunwgfiyp.exe" [2007-06-13 11:23 80896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2004-08-25 14:25 28672]

C:\Documents and Settings\Kieran.KIERAN-E81BA96E\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 13:04:08 38912]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2004-08-25 14:25:56 28672]
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe [2007-08-01 14:22:05 962661]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 09:15:54 65588]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 18:23:32 74308]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 12:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MDM Rock 4]
C:\WINDOWS\system32\elpbzvjps.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2003-07-13 03:49 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Westwood\\RA2\\game.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2007\\fm.exe"=
"C:\\WINDOWS\\system32\\eunwgfiyp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"49001:TCP"= 49001:TCP:*:Disabled:Farcry
"40000:TCP"= 40000:TCP:*:Disabled:UBI.com
"41005:UDP"= 41005:UDP:*:Disabled:UBI.com
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 nvp2p;NVIDIA PCI to PCI Bridge Filter;C:\WINDOWS\system32\DRIVERS\nvp2p.sys [2003-12-23 12:37]
R2 WTService;WTService;C:\WINDOWS\system32\atwtusb.exe [2007-05-29 17:40]
R3 Bonifay;Bonifay;C:\WINDOWS\system32\DRIVERS\Bonifay.sys [2005-11-28 21:55]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 20:08]
S1 vcdrom;Virtual CD-ROM Device Driver;C:\WINDOWS\system32\VCdRom.sys []
S3 Gonzales;Gonzales;C:\WINDOWS\system32\DRIVERS\Gonzales.sys [2005-12-13 15:10]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);C:\WINDOWS\system32\DRIVERS\s125bus.sys [2007-04-24 09:33]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s125mdfl.sys [2007-04-24 09:33]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s125mdm.sys [2007-04-24 09:33]
S3 se44bus;Sony Ericsson Device 068 driver (WDM);C:\WINDOWS\system32\DRIVERS\se44bus.sys [2006-11-30 15:58]
S3 se44mdfl;Sony Ericsson Device 068 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se44mdfl.sys [2006-11-30 15:58]
S3 se44mdm;Sony Ericsson Device 068 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se44mdm.sys [2006-11-30 15:58]
S3 se44mgmt;Sony Ericsson Device 068 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se44mgmt.sys [2006-11-30 15:58]
S3 se44nd5;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (NDIS);C:\WINDOWS\system32\DRIVERS\se44nd5.sys [2006-11-30 15:58]
S3 se44obex;Sony Ericsson Device 068 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se44obex.sys [2006-11-30 15:58]
S3 se44unic;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (WDM);C:\WINDOWS\system32\DRIVERS\se44unic.sys [2006-11-30 15:58]
S3 ss_bus;Samsung Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2004-09-17 08:04]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2004-09-17 08:05]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2004-09-17 08:05]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bcc7bed3-cbfa-11db-ac8f-4d6564696130}]
\Shell\Auto\command - D:\rakdopvob.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL rakdopvob.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf2cca46-0cbd-11dd-b022-00e04cd700c6}]
\Shell\Auto\command - D:\womrnfreh.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL womrnfreh.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-13 10:08:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-18 03:48:57 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-16 17:00:10 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-18 04:46:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 158

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\NVIDIA\NETWOR~1\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Kontiki\KService.exe
C:\NVIDIA\NETWOR~1\bin\nSvcIp.exe
C:\NVIDIA\NETWOR~1\bin\nSvcLog.exe
C:\NVIDIA\NETWOR~1\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-04-18 5:05:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-18 04:04:06

Pre-Run: 6,178,410,496 bytes free
Post-Run: 9,672,380,416 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
.
2008-04-11 02:04:20 --- E O F ---
  • 0

#4
Rigga

Rigga

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Hi is there any chance a system restore to an earlier date would remove this virus????

its just that - i understand your very busy, but i really need to use my computer so if the system restore will help i willing to do it....

thanx
  • 0

#5
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
I don't recommend using a system restore...at least not at this stage. We started some fixes already. If you use a restore point and it still won't work, it may create more work for us. Best to leave it be for now and try to fix it...

Download the Flash Disinfector at http://www.techsuppo...Disinfector.exe and save it to your desktop. Double-click on it to run it and follow the on-screen instructions. Make sure you do this now since I see two possible infections spawning from this.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

File::
C:\qapvjexoz.exe
C:\AUTORUN.INF
C:\WINDOWS\musicmv.INI
C:\WINDOWS\IFinst27.exe
C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_05_29_03_22_18_full.dmp.zip
C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_05_29_03_21_00_full.dmp.zip
C:\WINDOWS\system32\eunwgfiyp.exe
C:\WINDOWS\system32\elpbzvjps.exe

Folder::
C:\Program Files\Kontiki\

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MDM Rock 4"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MDM Rock 4]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Kontiki\\KService.exe"=-
"C:\\WINDOWS\\system32\\eunwgfiyp.exe"=-

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.
  • 0

#6
Rigga

Rigga

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
i think i ve managed to get rid of most of it already, i used AntiVir Pe and it stopped the exe running in processes...

i shall run it anyway as i still have some of the others left in that notepad..
  • 0

#7
Rigga

Rigga

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Hi Greyknight heres the combo fix log thanks..........




ComboFix 08-04-16.5 - Kieran 2008-04-19 3:20:12.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1506 [GMT 1:00]
Running from: C:\antivirus [bleep]\ComboFix.exe
Command switches used :: C:\antivirus [bleep]\CFScript.txt
* Created a new restore point

FILE ::
C:\AUTORUN.INF
C:\qapvjexoz.exe
C:\WINDOWS\IFinst27.exe
C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_05_29_03_21_00_full.dmp.zip
C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_05_29_03_22_18_full.dmp.zip
C:\WINDOWS\musicmv.INI
C:\WINDOWS\system32\elpbzvjps.exe
C:\WINDOWS\system32\eunwgfiyp.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\AUTORUN.INF
C:\Program Files\Kontiki\
C:\Program Files\Kontiki\\KHost.exe
C:\Program Files\Kontiki\\KService.exe
C:\WINDOWS\IFinst27.exe
C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_05_29_03_21_00_full.dmp.zip
C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_05_29_03_22_18_full.dmp.zip
C:\WINDOWS\musicmv.INI
C:\WINDOWS\system32\lsprst7.dll
C:\WINDOWS\system32\ssprs.dll
C:\WINDOWS\system32\tmpPrst.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.

2008-04-18 21:42 . 2008-04-18 21:42 <DIR> d-------- C:\Program Files\Avira
2008-04-18 21:42 . 2008-04-18 21:42 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avira
2008-04-18 16:51 . 2008-04-18 16:51 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-18 16:51 . 2008-04-18 16:51 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-18 05:30 . 2008-04-18 05:30 14 --a------ C:\WINDOWS\system32\tmpPrst.tgz
2008-04-18 03:07 . 2008-04-18 03:07 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-18 02:50 . 2008-04-18 02:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-11 02:33 . 2008-04-11 02:33 <DIR> d-------- C:\Documents and Settings\Kieran.KIERAN-E81BA96E\Application Data\FXpansion
2008-04-11 02:20 . 2008-04-11 02:20 <DIR> d-------- C:\Program Files\FXpansion
2008-04-10 21:56 . 2008-04-10 21:56 <DIR> d-------- C:\Program Files\Cakewalk
2008-04-08 01:19 . 2008-04-08 01:19 <DIR> d-------- C:\Program Files\Orion
2008-04-08 01:18 . 2008-04-08 01:17 720,896 --a------ C:\WINDOWS\iun6002.exe
2008-04-08 01:15 . 2008-04-08 01:15 <DIR> d-------- C:\Program Files\Superwave
2008-04-08 01:14 . 2008-04-08 01:14 <DIR> d-------- C:\Program Files\Fatsondo
2008-04-08 01:08 . 2008-04-08 01:08 <DIR> d-------- C:\Program Files\VirSyn Software Synthesizer
2008-04-07 21:25 . 2008-04-07 21:26 <DIR> d-------- C:\Program Files\WNAS
2008-04-07 18:29 . 2008-04-07 18:29 <DIR> d-------- C:\Program Files\rgcaudio
2008-04-07 17:54 . 2008-04-07 17:54 <DIR> d-------- C:\Program Files\WWAYM
2008-03-30 12:36 . 2008-04-07 17:44 <DIR> d-------- C:\Program Files\EDIROL
2008-03-29 19:40 . 2008-03-29 19:40 <DIR> d-------- C:\WINDOWS\system32\Epson
2008-03-29 01:10 . 2008-03-29 01:10 2,048 --a------ C:\WINDOWS\system32\sysprs7.dll
2008-03-29 01:10 . 2008-03-29 01:10 1,025 --a------ C:\WINDOWS\system32\clauth2.dll
2008-03-29 01:10 . 2008-03-29 01:10 1,025 --a------ C:\WINDOWS\system32\clauth1.dll
2008-03-29 00:28 . 2008-03-29 00:28 <DIR> d-------- C:\Program Files\Common Files\Oberon Media
2008-03-28 17:43 . 2008-04-07 22:11 <DIR> d-------- C:\Program Files\AAS
2008-03-28 17:43 . 2008-04-07 22:11 <DIR> d-------- C:\Documents and Settings\Kieran.KIERAN-E81BA96E\Application Data\Applied Acoustics Systems
2008-03-28 17:18 . 2008-03-28 18:28 16 --a------ C:\WINDOWS\system32\w3data.vss
2008-03-28 17:18 . 2008-03-28 18:28 16 --a------ C:\WINDOWS\msocreg32.dat
2008-03-28 04:02 . 2008-03-28 04:02 2,048 --a------ C:\WINDOWS\system32\sysprs7.tgz
2008-03-28 04:02 . 2008-04-18 05:30 219 --a------ C:\WINDOWS\system32\lsprst7.tgz
2008-03-28 04:02 . 2008-04-18 05:30 87 --a------ C:\WINDOWS\system32\ssprs.tgz
2008-03-28 04:01 . 2008-03-29 01:06 <DIR> d-------- C:\Program Files\KORG
2008-03-28 04:01 . 2008-03-29 01:08 <DIR> d-------- C:\Program Files\Common Files\KORG
2008-03-20 11:56 . 2008-03-20 11:56 162 --a------ C:\WINDOWS\msmmdx9.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-19 02:11 --------- d-----w C:\Program Files\LimeWire
2008-04-19 01:43 --------- d-----w C:\Program Files\Incomplete
2008-04-18 23:43 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-04-18 17:03 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-18 17:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-04-18 01:07 --------- d-----w C:\Program Files\ewido anti-spyware 4.0
2008-04-17 22:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-17 22:47 --------- d-----w C:\Program Files\Sony
2008-04-16 23:01 --------- d-----w C:\Program Files\VstPlugins
2008-04-12 16:36 --------- d-----w C:\Documents and Settings\Kieran.KIERAN-E81BA96E\Application Data\uTorrent
2008-04-11 02:01 --------- d-----w C:\Program Files\MusicLab
2008-04-01 23:21 --------- d-----w C:\Program Files\Symantec
2008-04-01 19:52 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-04-01 18:09 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec
2008-04-01 16:22 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\FLEXnet
2008-03-31 01:10 --------- d-----w C:\Program Files\Oberon Media
2008-03-28 16:24 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-16 18:15 --------- d-----w C:\Program Files\u-he
2008-03-13 21:23 --------- d-----w C:\Program Files\PoiZone
2008-03-13 20:22 --------- d-----w C:\Program Files\Image-Line
2008-03-10 16:12 --------- d-----w C:\Documents and Settings\Jeanette.KIERAN-E81BA96E\Application Data\PACE Anti-Piracy
2008-03-04 00:49 --------- d-----w C:\Program Files\GForce
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2007-06-19 15:44 5,632 --sha-w C:\Program Files\Thumbs.db
2006-07-14 22:13 488,144 ----a-w C:\Program Files\HJTsetup.exe
.

((((((((((((((((((((((((((((( [email protected]_ 5.03.55.06 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-18 03:45:17 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-18 23:21:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-20 12:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\19-04-2008\ERDNT.EXE
+ 2008-04-18 23:23:46 14,102,528 ----a-w C:\WINDOWS\ERDNT\AutoBackup\19-04-2008\Users\00000001\ntuser.dat
+ 2008-04-18 23:23:47 462,848 ----a-w C:\WINDOWS\ERDNT\AutoBackup\19-04-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 12:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-04-18\ERDNT.EXE
+ 2008-04-18 03:48:53 14,102,528 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-04-18\Users\00000001\ntuser.dat
+ 2008-04-18 03:48:54 462,848 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2008-04-18\Users\00000002\UsrClass.dat
+ 2008-01-21 17:12:56 41,792 ----a-w C:\WINDOWS\system32\drivers\avgntdd.sys
+ 2008-01-21 17:11:28 22,336 ----a-w C:\WINDOWS\system32\drivers\avgntmgr.sys
+ 2008-03-04 12:28:53 79,424 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
+ 2007-03-01 09:34:22 28,352 ----a-w C:\WINDOWS\system32\drivers\ssmdrv.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-04-11 17:52 1409024]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 12:39 1310720]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 23:06 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 21:10 344064]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2004-08-25 14:25 28672]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2005-12-18 14:18 307200]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 09:51 172032]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 09:50 204800]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-04-26 08:29 237568]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 10:29 40960]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-25 01:45 180269]
"adiras"="adiras.exe" []
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40 1884160]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 17:34 213936]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 16:28 577536 C:\WINDOWS\soundman.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 21:16 286720]
"MacrokeyManager"="WTMKM.exe" [2007-05-29 09:55 1969824 C:\WINDOWS\system32\WTMKM.exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2004-08-25 14:25 28672]

C:\Documents and Settings\Kieran.KIERAN-E81BA96E\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 13:04:08 38912]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2004-08-25 14:25:56 28672]
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe [2007-08-01 14:22:05 962661]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 09:15:54 65588]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 18:23:32 74308]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 12:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2003-07-13 03:49 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Westwood\\RA2\\game.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2007\\fm.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"49001:TCP"= 49001:TCP:*:Disabled:Farcry
"40000:TCP"= 40000:TCP:*:Disabled:UBI.com
"41005:UDP"= 41005:UDP:*:Disabled:UBI.com
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 nvp2p;NVIDIA PCI to PCI Bridge Filter;C:\WINDOWS\system32\DRIVERS\nvp2p.sys [2003-12-23 12:37]
R2 WTService;WTService;C:\WINDOWS\system32\atwtusb.exe [2007-05-29 17:40]
R3 Bonifay;Bonifay;C:\WINDOWS\system32\DRIVERS\Bonifay.sys [2005-11-28 21:55]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 20:08]
S1 vcdrom;Virtual CD-ROM Device Driver;C:\WINDOWS\system32\VCdRom.sys []
S3 Gonzales;Gonzales;C:\WINDOWS\system32\DRIVERS\Gonzales.sys [2005-12-13 15:10]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);C:\WINDOWS\system32\DRIVERS\s125bus.sys [2007-04-24 09:33]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s125mdfl.sys [2007-04-24 09:33]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s125mdm.sys [2007-04-24 09:33]
S3 se44bus;Sony Ericsson Device 068 driver (WDM);C:\WINDOWS\system32\DRIVERS\se44bus.sys [2006-11-30 15:58]
S3 se44mdfl;Sony Ericsson Device 068 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se44mdfl.sys [2006-11-30 15:58]
S3 se44mdm;Sony Ericsson Device 068 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se44mdm.sys [2006-11-30 15:58]
S3 se44mgmt;Sony Ericsson Device 068 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se44mgmt.sys [2006-11-30 15:58]
S3 se44nd5;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (NDIS);C:\WINDOWS\system32\DRIVERS\se44nd5.sys [2006-11-30 15:58]
S3 se44obex;Sony Ericsson Device 068 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se44obex.sys [2006-11-30 15:58]
S3 se44unic;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (WDM);C:\WINDOWS\system32\DRIVERS\se44unic.sys [2006-11-30 15:58]
S3 ss_bus;Samsung Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2004-09-17 08:04]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2004-09-17 08:05]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2004-09-17 08:05]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bcc7bed3-cbfa-11db-ac8f-4d6564696130}]
\Shell\Auto\command - D:\rakdopvob.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL rakdopvob.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf2cca46-0cbd-11dd-b022-00e04cd700c6}]
\Shell\Auto\command - D:\womrnfreh.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL womrnfreh.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - SSMDRV
.
Contents of the 'Scheduled Tasks' folder
"2008-02-13 10:08:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-19 01:06:37 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-18 18:23:01 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 03:26:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-04-19 3:36:07
ComboFix-quarantined-files.txt 2008-04-19 02:35:05
ComboFix2.txt 2008-04-18 04:05:03

Pre-Run: 8,851,181,568 bytes free
Post-Run: 9,471,217,664 bytes free
.
2008-04-11 02:04:20 --- E O F ---
  • 0

#8
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Did you run the Flash Disinfector tool yet and plug in your USB flash drive? It's infected and needs to be disinfected or it will cause problems on other computers you plug it into also.

You may uninstall Ewido Anti-Spyware. That program is outdated (now called AVG Anti-Spyware). You don't need to install AVG A/S back since you have SUPERAntiSpyware already. That should be sufficient enough.

Other than the flash drive infection (please run the fix ASAP), your log is clean.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run and type in Combofix /u and hit OK to remove Combofix. You should be set to go.
  • 0

#9
Rigga

Rigga

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
thanx for all the help
  • 0

#10
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP