Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Slower than usual computer. [RESOLVED]


  • This topic is locked This topic is locked

#1
lostsoul77

lostsoul77

    Member

  • Member
  • PipPip
  • 43 posts
Hello. About 3 dys ago my son used my comp to check his email,but instead went to some free video chat sites(he's 30 by the way) and i ended up wit a ton of spyware. I'm running avast antivirus and i also ran superantispyware,smitfraudfix,combofix,sdfix,vundofix,hijackthis, and atf cleaner to remove them all in safe mode. Now my computer is still running slower than normal with slow shutdown,iexplore.exe process usage spikes, and my internet explorer starts up real slow. I even turned off sys restore during cleaning. My computer was running fine until then. Also can u suggest a good free antispyware resident shield software. I was running spywareguard, now it's spyware blaster. Big thanks in advance. Here's my HJT log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:08 AM, on 2008-04-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/d...lugin_0.5.1.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driver...driveragent.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5866 bytes
  • 0

Advertisements


#2
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Hi,
Welcome to the site, Sorry avbout the delay. We are very busy at the moment.

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

I want you to show hidden files. There are instructions HERE to help you do this.
You should have Administrator rights to perform the fixes. Some of the instructions I give may need to be printed or saved for reference during the fix. Some of the fix will be done in Safe Mode so you will be unable to access this thread at that time.
Please dont use any of the tools without specific instructions. Some of them are dangerous (and could leave your computer in worse condition that it is when infected) if used incorrectly.
These instructions should be read first, then followed. If you do not understand something, don't be afraid to ask, or see if I'm on chat. :)

As it has been a few days since you posted your Hijack this log, can you please post a freshly scanned one. This is because your computers condidtion may have changed.
  • 0

#3
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

#4
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
User has returned.


:)
  • 0

#5
lostsoul77

lostsoul77

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
As u asked; here is my new HJT log file and thanks again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:23:35 PM, on 2008-04-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...t/PCPitStop.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/d...lugin_0.5.1.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driver...driveragent.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - Unknown owner - F:\Program Files\Common\Database\bin\fbserver.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 6340 bytes
  • 0

#6
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Hi,
1.
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

2.
Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan (Full scan is optional. According to the program's creator Quick Scan will do just fine.).
Click Scan.
When the scan is complete, click OK, then Show Results to view the results.

If Malware is found...
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad.
Please save it to your desktop.

NOTE: Logs can be retrieved at a later date from the Malwarebytes' Anti-Malware main screen:

Launch Malwarebytes' Anti-Malware.
Click the Logs tab.
Double-click log-mm.dd.yyyy [xxxxxx].txt.

In your next reply post the Malwarebytes' Anti-Malware log.

3.
Click HERE and run an online scan with Kaspersky WebScanner
  • Click on Kaspersky Online Scanner
  • You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
  • Scan Options:
    Scan Archives
    Scan Mail Bases
[*]Click OK
[*]Now under select a target to scan:Select My Computer
[*]This will program will start and scan your system.
[*]The scan will take a while so be patient and let it run.
[*]Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
[*]Save the file to your desktop.
[*]Copy and paste that information into your next post.
[/list]
  • 0

#7
lostsoul77

lostsoul77

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
Thanks again for the reopen. Here's the malware scan log as requested:

Malwarebytes' Anti-Malware 1.11
Database version: 707

Scan type: Full Scan (C:\|)
Objects scanned: 83983
Time elapsed: 37 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 15
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\bndblock4.band (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock4.band.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock4.bho (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndblock4.bho.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d4a714f6-af40-4425-b708-ff03cbbc0a84} (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\mslagent (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Golden Palace Casino NEW (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BndBlock4.DLL (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{02ffac45-0b10-5633-4296-1801f1a36678} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{f710fa10-2031-3106-8872-93a2b5c5c620} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\Web\def.htm.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
  • 0

#8
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Hi,
Did you scan with Kapersky Online scanner?
  • 0

#9
lostsoul77

lostsoul77

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
Followed your instructions. Here are the scan results:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-05-01 04:05:39 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/05/2008
Kaspersky Anti-Virus database records: 734395
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 51013
Number of viruses found: 5
Number of infected objects: 10
Number of suspicious objects: 0
Duration of the scan process: 00:51:07

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mr.Joe L\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mr.Joe L\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Mr.Joe L\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mr.Joe L\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mr.Joe L\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mr.Joe L\Local Settings\History\History.IE5\MSHist012008050120080502\index.dat Object is locked skipped
C:\Documents and Settings\Mr.Joe L\Local Settings\temp\~DF4AD4.tmp Object is locked skipped
C:\Documents and Settings\Mr.Joe L\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Mr.Joe L\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mr.Joe L\My Documents\Misc\Anti-fiters\erica anti-fix\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Mr.Joe L\My Documents\Misc\Anti-fiters\erica anti-fix\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Mr.Joe L\My Documents\Misc\Anti-fiters\erica anti-fix\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Mr.Joe L\My Documents\Misc\Anti-fiters\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Mr.Joe L\My Documents\Misc\Windows Keygen and Wga Patcher\keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.g skipped
C:\Documents and Settings\Mr.Joe L\My Documents\Misc\Windows Keygen and Wga Patcher\keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Mr.Joe L\My Documents\Misc\Windows Keygen and Wga Patcher\keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Mr.Joe L\My Documents\Misc\Windows Keygen and Wga Patcher\keyfinder.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\Mr.Joe L\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Mr.Joe L\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\info.exe Infected: Trojan-Spy.Win32.Zbot.aif skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\LimeWire\clean up man b gizzle.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{EAC80183-2020-4DED-8958-14D3ECFBCA04}\RP5\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SAE7CF58B.tmp Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_44c.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
  • 0

#10
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Documents and Settings\Mr.Joe L\My Documents\Misc\Windows Keygen and Wga Patcher\keyfinder.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Delete your old version of Combofix and download a new one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

Advertisements


#11
lostsoul77

lostsoul77

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
Combofix log:
ComboFix 08-05-01.3 - Mr.Joe L 2008-05-04 13:16:44.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.876 [GMT -4:00]
Running from: C:\Documents and Settings\Mr.Joe L\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-04 to 2008-05-04 )))))))))))))))))))))))))))))))
.

2008-05-04 13:14 . 2008-05-04 13:14 <DIR> d-------- C:\_OTMoveIt
2008-05-01 17:26 . 2007-11-28 11:49 104,217 --------- C:\WINDOWS\hpoins04.dat.temp
2008-05-01 17:26 . 2004-06-22 09:04 17,176 --------- C:\WINDOWS\hpomdl04.dat.temp
2008-05-01 14:32 . 2008-05-01 14:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-01 14:32 . 2008-05-01 14:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-01 13:19 . 2008-05-01 13:19 <DIR> d-------- C:\Documents and Settings\Mr.Joe L\Application Data\Malwarebytes
2008-05-01 13:19 . 2008-05-01 13:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-01 13:18 . 2008-05-01 14:19 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-30 20:57 . 2008-04-30 20:57 <DIR> d-------- C:\Documents and Settings\Mr.Joe L\Application Data\Ulead Systems
2008-04-30 20:28 . 2008-04-30 20:29 <DIR> d-------- C:\Program Files\Common Files\Ulead Systems
2008-04-30 20:28 . 2008-04-30 20:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-04-30 19:58 . 2008-04-30 19:58 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-04-30 19:58 . 2008-04-30 19:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-04-25 04:58 . 2008-04-25 21:17 385 --a------ C:\WINDOWS\BeatBox.INI
2008-04-25 04:58 . 2008-04-25 21:16 376 --a------ C:\WINDOWS\Sampler.INI
2008-04-25 04:58 . 2008-04-25 21:16 28 --a------ C:\WINDOWS\Robota.INI
2008-04-25 04:36 . 2006-07-18 00:03 49,152 --a------ C:\WINDOWS\system32\mgxasio2.dll
2008-04-21 19:37 . 2008-04-21 20:01 <DIR> d-------- C:\Program Files\EPSON
2008-04-21 19:37 . 2001-03-05 11:15 61,598 --a------ C:\WINDOWS\system32\E_SL2352.DLL
2008-04-21 19:37 . 2000-06-07 10:01 34,304 --a------ C:\WINDOWS\system32\EBPCHP.DLL
2008-04-21 19:37 . 2000-06-26 11:20 32,768 --a------ C:\WINDOWS\system32\ECBTEG.DLL
2008-04-21 19:37 . 2000-09-14 11:03 145 --a------ C:\WINDOWS\system32\EBPPORT.DAT
2008-04-20 00:33 . 2008-04-26 01:34 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-04-20 00:33 . 2008-04-30 19:31 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-18 13:36 . 2008-04-21 09:43 1,704 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-16 09:53 . 2008-04-20 23:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\cbwvufqb
2008-04-10 13:56 . 2005-09-20 10:31 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2008-04-10 13:49 . 2005-09-20 10:36 114,688 --a------ C:\WINDOWS\system32\igfxpers.exe
2008-04-10 13:49 . 2005-09-20 10:35 94,208 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-04-10 13:49 . 2005-09-20 10:32 77,824 --a------ C:\WINDOWS\system32\hkcmd.exe
2008-04-08 22:19 . 2002-07-07 18:14 1,294,336 --a------ C:\WINDOWS\system32\vorbis.acm
2008-04-08 22:19 . 2006-03-30 18:39 368,640 --a------ C:\WINDOWS\system32\ReWire.dll
2008-04-04 10:04 . 2008-05-03 23:09 <DIR> d-------- C:\Program Files\PeerGuardian2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 04:41 --------- d-----w C:\Documents and Settings\Mr.Joe L\Application Data\Vso
2008-05-04 03:09 --------- d-----w C:\Documents and Settings\Mr.Joe L\Application Data\uTorrent
2008-05-02 04:26 --------- d-----w C:\Program Files\DesignPro
2008-05-01 00:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-01 00:06 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-27 02:44 --------- d-----w C:\Program Files\HP
2008-04-25 08:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\MAGIX
2008-04-25 08:42 --------- d-----w C:\Program Files\Common Files\MAGIX Shared
2008-04-21 16:32 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-21 16:06 --------- d-----w C:\Documents and Settings\Mr.Joe L\Application Data\LimeWire
2008-04-21 14:19 --------- d-----w C:\Program Files\Java
2008-04-10 16:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-05 04:44 --------- d-----w C:\Documents and Settings\Mr.Joe L\Application Data\SprillBermudeEng
2008-04-01 18:43 --------- d-----w C:\Documents and Settings\Mr.Joe L\Application Data\Sahmon Games
2008-03-31 06:12 --------- d-----w C:\Documents and Settings\Mr.Joe L\Application Data\ViquaSoft
2008-03-29 15:12 --------- d-----w C:\Program Files\DVDInfoPro
2008-03-22 20:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2008-03-21 04:54 --------- d-----w C:\Documents and Settings\Mr.Joe L\Application Data\GetRightToGo
2008-03-20 21:13 23,600 ----a-w C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-03-20 00:23 --------- d-----w C:\Program Files\MagicISO
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-14 03:45 --------- d-----w C:\Program Files\Easy Video Joiner
2008-03-13 18:31 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-10 06:01 --------- d-----w C:\Program Files\QuickTime
2008-03-04 01:41 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-03-02 17:17 47,360 -c--a-w C:\Documents and Settings\Mr.Joe L\Application Data\pcouffin.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 18:49 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-01-18 06:48 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
<pre>
----a-w			39,792 2007-12-23 06:19:57  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
-c--a-w			94,208 2007-12-23 13:08:59  C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
-c--a-w		   579,072 2007-12-23 13:53:39  C:\Program Files\Grisoft\AVG7\avgcc .exe
----a-w			49,152 2007-12-23 13:53:47  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
-c--a-w		   241,664 2007-12-23 13:53:55  C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
-c--a-w			31,016 2007-12-23 13:54:08  C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
----a-w		   200,704 2008-01-23 16:32:02  C:\Program Files\PowerISO\PWRISOVM .EXE
-c--a-w		   282,624 2008-02-23 03:31:21  C:\Program Files\QuickTime\qttask .exe
----a-w			15,360 2007-12-23 13:54:14  C:\WINDOWS\system32\ctfmon .exe
----a-w		   114,688 2007-12-23 13:53:47  C:\WINDOWS\system32\igfxpers .exe
----a-w			94,208 2007-12-23 13:53:41  C:\WINDOWS\system32\igfxtray .exe
</pre>


------- Sigcheck -------

2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2007-12-26 23:29 360576 87b872f35f67bd199e0a93812673ed5b C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-02-18 00:35 360064 482ab7f9cd41702e8f856c11cfefb02d C:\WINDOWS\system32\dllcache\tcpip.sys
2008-02-18 00:34 360064 482ab7f9cd41702e8f856c11cfefb02d C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [ ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 14:37 79224]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2007-08-02 21:08 95504]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-03-09 12:14 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm
"msacm.fraunhoferacm"= l3codecp.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mr.Joe L^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\Mr.Joe L\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
--a------ 2008-01-23 13:04 89024 C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FAST Defrag]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2008-02-22 23:31 282624 C:\Program Files\QuickTime\qttask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 18:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Microsoft Office Groove Audit Service"=3 (0x3)
"FirebirdServerMAGIXInstance"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 14:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 14:35]
R2 HWiNFO32;HWiNFO32 Kernel Driver;C:\Program Files\HWiNFO32\HWiNFO32.SYS [2007-09-14 15:15]
R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;C:\WINDOWS\system32\drivers\Envy24HF.sys [2004-11-25 22:55]
R3 uscbs109;uscbs109;C:\WINDOWS\system32\DRIVERS\uscbs109.sys [2005-03-22 01:00]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;F:\Program Files\Common\Database\bin\fbserver.exe []
S3 UPnPService;UPnPService;C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [2006-12-14 16:00]
S3 uscsc109;uscsc109;C:\WINDOWS\system32\DRIVERS\uscsc109.sys [2005-03-22 01:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\start.exe /checksection

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\Setup.exe -auto

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4bb40058-da94-11dc-b41e-89e9512d523d}]
\Shell\AutoRun\command - H:\Launch.exe

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-04 13:18:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-05-04 13:21:11
ComboFix-quarantined-files.txt 2008-05-04 17:20:06
ComboFix2.txt 2008-04-30 23:27:50
ComboFix3.txt 2008-04-18 18:12:02
ComboFix4.txt 2008-03-15 04:32:02
ComboFix5.txt 2008-02-18 02:58:17

Pre-Run: 29,521,272,832 bytes free
Post-Run: 29,513,121,792 bytes free

183 --- E O F --- 2008-04-10 16:47:41
Also the OT log:
OT log:
File/Folder C:\Documents and Settings\Mr.Joe L\My Documents\Misc\Windows Keygen and WgaPatcher\keyfinder.exe not found.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05042008_131403
I'm sorry i deleted that folder last night. Thanks.
  • 0

#12
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Hi lostsoul77,

I'll post back with a fix in a moment. Can you please keep your computer on and dont reboot it unless necessarily.
  • 0

#13
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
  • Copy the entire contents of the Code Box below to Notepad.
  • Name the file as Log.txt (Overwrite the existing one)
  • Change the Save as Type to All Files
  • and Save it on the desktop
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
C:\Program Files\Grisoft\AVG7\avgcc .exe
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
C:\Program Files\PowerISO\PWRISOVM .EXE
C:\Program Files\QuickTime\qttask .exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\igfxpers .exe
C:\WINDOWS\system32\igfxtray .exe

Posted Image


Refering to the picture above, drag Log.txt into RenV.exe and attach the resulting report to your reply.

Edited by sarahw, 04 May 2008 - 12:01 PM.

  • 0

#14
lostsoul77

lostsoul77

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
Ran RenV w/log. Here are the results.
Ran on 2008-05-06 - 15:13:31.85

 Entries:				0  (0)
 Directories:			0  Files:			 0
 Bytes:				  0  Blocks:			0

Also,program could not find files.
  • 0

#15
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Hi

Also,program could not find files.

Could you explain what you mean? What program?

It looks like we have removed those infected files.

Can youplease rescan with Combofix.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP