mrofinu1001186.exe among other offenders


#31
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Ok let's get crackin :)
=================
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Step 1: Download the eScan Antivirus Toolkit Here. Save it to the Desktop; it is roughly 10 MB in size. Before running the program, we need to update the signature files first in Step 2.

Step 2: Updating the eScan Antivirus Toolkit with the latest files:
1.) Double-click on the mwav.exe file saved to the Desktop; it will extract the program files to a new folder called Kaspersky at the root of the C:\ drive (C:\Kaspersky).
2.) Double-click on My Computer, double-click on the Hard Drive (usually the C:\drive), find and double-click on the Kaspersky folder; inside the Kaspersky folder, find and double-click on the kavupd.exe file. Double-clicking on the kavupd.exe file opens the Windows command prompt (DOS screen) and updates the program with all the latest signature files.
3.) After the update is complete, the bottom of the command prompt will read "Press any key to continue", press any key to close the screen. Close eScan for now. You need to also close all Windows Explorer windows (or "My Computer" windows) to allow a refresh.
4.) *Important*: in order to complete the update process, you must now do the following:
  • Using Windows Explorer (or "My Computer"), go to C:\Downloads and "Copy" all files present in that folder
  • "Paste" the files in C:\Kaspersky
  • Allow the overwriting of existing files, when prompted
  • Close Windows Explorer
Please do not run a scan with the eScan Antivirus Toolkit utility yet.

Step 3: Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Step 4: From Safe Mode, run the eScan Antivirus Toolkit. Please follow these instructions:
1.) To run the eScan Antivirus Toolkit program, look for a file called mwavscan.com inside the C:\Kaspersky folder.
2.) Double-click on the mwavscan.com file; this will open the eScan program.
3.) With the eScan interface on your Desktop, make sure that these boxes under Scan Option are checked : Memory, Registry, Startup Folders, System Folders, Services.
4.) Check the Drive box, this will enable the All Local Drives radio button below it. Make sure it is activated.
5.) Below these boxes, make sure the box Scan All Files is checked, not Program Files.
6.) Click the Scan Clean button and let the utility run until it completes a thorough scan of your hard drive. When the scan has finished it will read Scan Completed. Do not Exit the tool just yet.
7.) Open a new NotePad file (click on "Start" >> "All Programs" >>"Accessories" >> "NotePad"), then Copy/Paste the content of the Virus Log Information window into that file, and save it. eScan also creates a full log inside the C:\Kaspersky folder (named mwav.log), but it is huge and cannot be posted on a forum. Please post the content of the log you have saved (into NotePad) in your next reply, once all steps are completed. Reboot your computer into normal Windows.


#32
Stir423

    Member

  • Topic Starter
  • Member
  • 26 posts
Okay, several connection problems and one interminable scan later, I was able to run eScan on the machine in Safe Mode. And you're right, the mwav.log was humongous. But I ran into trouble with the virus log information as well. It simply refused to be copied.

This is a very small piece of the virus log I was able to get:

File C:\WINDOWS\Explorer.exe infected by "Virus.Win32.Virut.n" Virus. Action Taken: File Disinfected.

File C:\WINDOWS\system32\kuki.bat infected by "Trojan.BAT.Starter.o" Virus. Action Taken: File Deleted.

File C:\WINDOWS\system32\he.bat infected by "Trojan.BAT.Starter.o" Virus. Action Taken: File Deleted.

File C:\WINDOWS\system32\smaprnter.exe infected by "Net-Worm.Win32.Kolab.qe" Virus. Action Taken: File Deleted.

File C:\Documents and Settings\Des Chanel.MENLOG9WECL961\kuki.bat infected by "Trojan.BAT.Starter.o" Virus. Action Taken: File Deleted

File C:\Documents and Settings\Des Chanel.MENLOG9WECL961\Local Settings\Temporary Internet Files\Content.IE5\MWOA7LDW\c70bfcdfc030e694a9d4fcbd6c848af[1].zip tagged as not-a-virus:AdWare.Win32.Insider.d. No Action Taken.

File C:\Documents and Settings\Myds.MENLOG9WECL961\he.bat infected by "Trojan.BAT.Starter.o" Virus. Action Taken: File Deleted.

File C:\Documents and Settings\Myds.MENLOG9WECL961\Local Settings\Temporary Internet Files\Content.IE5\RFT04JBQ\servupdate[1].exe infected by "Backdoor.Win32.Rbot.jtf" Virus. Action Taken: File Renamed.

File C:\Documents and Settings\Myds.MENLOG9WECL961\Local Settings\Temporary Internet Files\Content.IE5\W06G811L\c70bfcdfc030e694a9d4fcbd6c848af[1].zip tagged as not-a-virus:AdWare.Win32.Insider.d. No Action Taken.

File C:\Program Files\kari\zlip1.cpl infected by "Backdoor.IRC.Zapchast" Virus. Action Taken: File Renamed.

C:\RECYCLER\S-1-5-21-1417001333-1960408961-682003330-1003\Dc2\pfiles\common\Msshared\websrvex\40\_VTI_BIN\SHTML.EXE infected by "Virus.Win32.Virut.n" Virus. Action Taken: File Disinfected.

C:\RECYCLER\S-1-5-21-1417001333-1960408961-682003330-1003\Dc2\pfiles\common\Msshared\websrvex\40\_VTI_BIN\_VTI_ADM\ADMIN.EXE infected by "Virus.Win32.Virut.n" Virus. Action Taken: File Disinfected.

C:\RECYCLER\S-1-5-21-1417001333-1960408961-682003330-1003\Dc2\pfiles\common\Msshared\websrvex\40\_VTI_BIN\_VTI_AUT\AUTHOR.EXE infected by "Virus.Win32.Virut.n" Virus. Action Taken: File Disinfected.

C:\RECYCLER\S-1-5-21-1417001333-1960408961-682003330-1003\Dc2\pfiles\Msoffice\Office\MSO7FTP.EXE infected by "Virus.Win32.Virut.n" Virus. Action Taken: File Disinfected.

C:\RECYCLER\S-1-5-21-1417001333-1960408961-682003330-1003\Dc2\pfiles\Msoffice\Office\MSO7FTPA.EXE infected by "Virus.Win32.Virut.n" Virus. Action Taken: File Disinfected.

C:\RECYCLER\S-1-5-21-1417001333-1960408961-682003330-1003\Dc2\pfiles\Msoffice\Office\MSO7FTPS.EXE infected by "Virus.Win32.Virut.n" Virus. Action Taken: File Disinfected.

I've just about had enough of this. What would a safe reinstall be under these circumstances? How do I proceed?

#33
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
I've just about had enough of this. What would a safe reinstall be under these circumstances? How do I proceed?
Did you want to try to continue or did you want to reinstall?

If you want to reinstall, then you will need an XP install CD or a recovery partition built in to your hard drive.
It will be listed under the hard drives in My Computer.
Usually it is drive letter D:\
This may be infected as well, so it is better to format all partitions and install with a clean install from a CD.

Do you know if you have a recovery option when you turn on your computer?

Or do you know if you have a recovery partition?

Or do you have an XP CD?

#34
Stir423

    Member

  • Topic Starter
  • Member
  • 26 posts
Since I got the XP CD, I opted to repair install. Seems to have worked. The machine got Windows Explorer back. It's booting normally now. Misbehaving programs seem to be back on track. The connection speed has improved. Here's the last HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:31 PM, on 4/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [Internet Firewall Layer] tsqla.exe
O4 - HKLM\..\RunServices: [Internet Security Service] mysqlwin32.exe
O4 - HKLM\..\RunServices: [Windows USB Monitor] servupdate.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7F2600D-2596-48BC-B361-72DD753419B0}: NameServer = 58.69.254.3,58.69.254.8
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 3672 bytes
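What in that log tells a helper the machine is still infected sits mostly in the O4 lines. The script below is an added example, not code from the thread or from HijackThis: it parses O4 entries from a constructed sample modelled on the log above and scores them on the signals a triager looks for (RunServices entries, path-less binaries, value names that imitate Windows components, SYSTEM-context autostarts from a folder named after the binary). The weights and the GENERIC_WORDS list are editorial assumptions, not a vendor rule set.

```python
import re
from collections import namedtuple

# Constructed sample modelled on the O4 lines of the HijackThis log above
# (not the poster's full log; a few entries picked to exercise each check).
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [Internet Firewall Layer] tsqla.exe
O4 - HKLM\..\RunServices: [Internet Security Service] mysqlwin32.exe
O4 - HKLM\..\RunServices: [Windows USB Monitor] servupdate.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe (User 'Default user')
"""

# O4 - <hive>\..\<key>: [<value name>] <command> (User '<user>')
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# first path-like token of the command, up to the executable's extension
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|com|bat|cpl|dll|vbs))', re.I)
# words that make a value name read like a Windows component (editorial list)
GENERIC_WORDS = ("windows", "security", "firewall", "service", "monitor", "update")

Entry = namedtuple("Entry", "hive key name cmd user exe")


def parse_o4(text):
    """Parse HijackThis O4 lines into Entry tuples; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        e = EXE_RE.match(m["cmd"])
        exe = e["exe"] if e else m["cmd"]
        entries.append(Entry(m["hive"], m["key"], m["name"], m["cmd"], m["user"], exe))
    return entries


def is_bare(exe):
    """True when the command names a file with no drive, directory or %variable%."""
    return not any(c in exe for c in ":\\%")


def score_entry(e):
    """Return (score, reasons); the weights are an editorial choice for this example."""
    reasons = []
    low_exe = e.exe.lower()
    if e.key.lower() == "runservices":
        reasons.append((3, "RunServices is the Windows 9x autostart key; XP installers leave it "
                           "alone, so entries here are almost always planted"))
    if is_bare(e.exe):
        reasons.append((1, "no path: the binary is located through the search path at start-up"))
    if any(w in e.name.lower() for w in GENERIC_WORDS) and "\\windows\\" not in low_exe:
        reasons.append((1, "value name imitates a Windows component but the binary is not "
                           "under the Windows directory"))
    parts = low_exe.split("\\")
    if e.hive.startswith("HKUS") and len(parts) >= 2 and parts[-2] == parts[-1].rsplit(".", 1)[0]:
        reasons.append((2, "autostarts in the SYSTEM/default-profile context from a folder "
                           "named after the binary"))
    return sum(w for w, _ in reasons), [r for _, r in reasons]


def triage(text, threshold=2):
    """Return [(value name, executable, score, reasons)] for entries at or above threshold."""
    hits = []
    for e in parse_o4(text):
        score, reasons = score_entry(e)
        if score >= threshold:
            hits.append((e.name, e.exe, score, reasons))
    return hits


if __name__ == "__main__":
    for name, exe, score, reasons in triage(SAMPLE_O4):
        print(f"[{score}] {name} -> {exe}")
        for r in reasons:
            print("     -", r)
```

The three RunServices entries and the nvcoi autostart come out flagged while SoundMan, AVG and TeaTimer stay below the threshold, which matches what the helper removes in the next posts.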

#35
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Great. You still have malware present, so we still have some work to do.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#36
Stir423

    Member

  • Topic Starter
  • Member
  • 26 posts
Sorry for the delay. I only have intermittent access to the troubled machine. I had to enlist one of the regular users of the computer to do the Deckard system scan and email me its report. So here it is:



Deckard's System Scanner v20071014.68
Run by Myds on 2008-05-01 20:18:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 255 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-01 20:19:22
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG7\avgw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Myds.MENLO-G9WECL961\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\RunServices: [Internet Firewall Layer] tsqla.exe
O4 - HKLM\..\RunServices: [Internet Security Service] mysqlwin32.exe
O4 - HKLM\..\RunServices: [Windows USB Monitor] servupdate.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Service Agent] msngear.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Service Agent] msngear.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{A7F2600D-2596-48BC-B361-72DD753419B0}: NameServer = 58.69.254.3,58.69.254.8
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msero - {B0D92A71-886B-453B-A649-1B91F93801E7} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\MSERO.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


--
End of file - 5064 bytes

-- Files created between 2008-04-01 and 2008-05-01 -----------------------------

2008-05-01 20:01:38 0 d-------- C:\WINDOWS\system32\PreInstall
2008-05-01 20:01:30 0 d--h----- C:\WINDOWS\$hf_mig$
2008-05-01 20:01:26 0 d-------- C:\WINDOWS\LastGood
2008-04-29 16:55:27 0 d-------- C:\Program Files\FreeRIP2
2008-04-29 16:53:07 0 d-------- C:\Program Files\FairStars CD Ripper
2008-04-29 14:46:54 0 d-------- C:\Documents and Settings\Des Chanel.MENLO-G9WECL961\Application Data\AdobeUM
2008-04-29 14:42:17 0 d-------- C:\Documents and Settings\Elijah James\Application Data\AVG7
2008-04-29 14:07:02 0 d-------- C:\Documents and Settings\Myds.MENLO-G9WECL961\Application Data\Ahead
2008-04-29 14:04:55 38912 -ra------ C:\WINDOWS\system32\picn20.dll <Not Verified; Pegasus Imaging Corp.; PEGASUS>
2008-04-29 14:04:54 544768 -ra------ C:\WINDOWS\system32\imagx5.dll <Not Verified; Pegasus Software, LLC; ImagXpress>
2008-04-29 14:04:53 569344 -ra------ C:\WINDOWS\system32\imagr5.dll <Not Verified; Pegasus Software,LLC; ImagXpress>
2008-04-29 14:04:49 155648 -ra------ C:\WINDOWS\system32\NeroCheck.exe <Not Verified; Ahead Software Gmbh; Ahead Software Gmbh NeroCheck>
2008-04-29 13:46:07 0 d-------- C:\Documents and Settings\Myds.MENLO-G9WECL961\Application Data\CyberLink
2008-04-29 13:43:37 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\CyberLink
2008-04-29 07:47:02 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2008-04-29 07:28:24 0 d-------- C:\WINDOWS\Prefetch
2008-04-29 01:52:31 0 d-------- C:\Downloads
2008-04-29 01:52:31 0 d-------- C:\Bases
2008-04-29 01:51:40 0 d-------- C:\Kaspersky
2008-04-28 22:55:46 0 dr-h----- C:\$VAULT$.AVG
2008-04-28 21:40:22 0 d-------- C:\Documents and Settings\Des Chanel.MENLO-G9WECL961\Application Data\AVG7
2008-04-28 19:53:46 0 d-------- C:\Program Files\iTunes
2008-04-28 19:41:59 0 d-------- C:\Documents and Settings\Myds.MENLO-G9WECL961\Application Data\Apple Computer
2008-04-28 19:35:11 0 d-------- C:\Program Files\QuickTime
2008-04-28 18:39:18 0 d-------- C:\Documents and Settings\Myds.MENLO-G9WECL961\Application Data\AdobeUM
2008-04-28 18:37:57 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Adobe
2008-04-28 18:36:30 0 d-------- C:\WINDOWS\Cache
2008-04-28 17:55:03 0 d-------- C:\Documents and Settings\Myds.MENLO-G9WECL961\DoctorWeb
2008-04-24 10:00:29 0 d-------- C:\Program Files\Trend Micro
2008-04-24 09:48:19 0 d-------- C:\WINDOWS\ERUNT
2008-04-23 16:01:41 0 d-------- C:\Documents and Settings\Myds.MENLO-G9WECL961\Application Data\AVG7
2008-04-21 14:37:16 0 d--hs---- C:\WINDOWS\CSC
2008-04-21 13:34:47 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7
2008-04-21 13:34:00 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
2008-04-21 12:41:52 0 d-------- C:\WINDOWS\pss
2008-04-21 11:22:55 0 d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-04-21 11:22:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-04-21 10:43:42 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-21 10:43:42 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-21 10:43:42 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-21 10:43:42 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-04-21 10:43:42 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-21 10:43:42 438272 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-21 10:43:42 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-21 10:43:42 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-04-21 10:43:42 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-21 10:43:42 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-04-21 10:43:42 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-21 10:43:42 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-04-21 10:43:42 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-21 10:43:42 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-17 10:14:17 0 d-------- C:\Documents and Settings\Elijah James\Application Data\Macromedia
2008-04-17 10:14:16 0 d-------- C:\Documents and Settings\Elijah James\Application Data\Adobe
2008-04-09 17:53:06 111616 --ah----- C:\WINDOWS\system32\len.exe
2008-04-08 22:23:11 111616 --ah----- C:\WINDOWS\system32\jer.exe


-- Find3M Report ---------------------------------------------------------------

2008-04-29 14:04:40 0 d-------- C:\Program Files\Ahead
2008-04-29 07:20:29 0 d-------- C:\Program Files\Movie Maker
2008-04-29 07:19:06 22748 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-29 07:18:45 0 d-------- C:\Program Files\Messenger
2008-04-29 07:18:42 0 d-------- C:\Program Files\Windows NT
2008-04-29 05:54:58 0 d-------- C:\Program Files\Winamp
2008-04-29 03:14:14 0 d-------- C:\Program Files\kari
2008-04-28 19:54:13 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-28 18:39:10 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-28 18:39:10 0 d-------- C:\Documents and Settings\Myds.MENLO-G9WECL961\Application Data\Adobe
2008-03-25 23:52:05 2557 --a------ C:\WINDOWS\unins000.dat
2008-03-25 23:30:02 691545 --a------ C:\WINDOWS\unins000.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [03/01/2006 01:22 AM C:\WINDOWS\SOUNDMAN.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/29/2008 07:47 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/28/2008 07:35 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06/14/2006 04:24 PM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [10/31/2003 07:42 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 03:50 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 12:43 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Internet Firewall Layer"=tsqla.exe
"Internet Security Service"=mysqlwin32.exe
"Windows USB Monitor"=servupdate.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"nvcoi"=C:\Program Files\nvcoi\nvcoi.exe
"JavaCore"=C:\Program Files\\JavaCore\\JavaCore.exe
"Windows Service Agent"=msngear.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoInclude]
C:\WINDOWS\TEMP\DIL4.tmp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fafa]
mwoz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Firewall Layer]
tsqla.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Security Service]
mysqlwin32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pronto]
anqh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDFix]
C:\SDFix\RunThis.bat /second

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinDLL (msygl32.exe)]
rundll32.exe C:\WINDOWS\system32\msygl32.exe,start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\z0ogu]
z0ogu.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a7247cc-e7c6-11dc-b9f7-0016178cdd58}]
Auto\command- F:\infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{821d6136-0189-11dd-ba43-0016178cdd58}]
Auto\command- infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5b110b4-d74d-11dc-b9c9-0016178cdd58}]
AutoRun\command- F:\
explore\Command- WScript.exe .\azkaban.vbs
open\Command- WScript.exe .\azkaban.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f3f8c1df-15fa-11dd-ba9d-0016178cdd58}]
Auto\command- RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE
Browser\command- RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f3f8c1e0-15fa-11dd-ba9d-0016178cdd58}]
0pen\command- F:\krag.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL krag.exe




-- End of Deckard's System Scanner: finished at 2008-05-01 20:20:47 ------------
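The MountPoints2 block at the end of the dump is the most telling part of it: Explorer caches the handlers from a removable drive's autorun.inf under that key, so commands there mean an infected USB stick has been plugged into this machine and can reinfect it the next time it is inserted with AutoPlay enabled. The parser below is an added example, not part of the thread or of DSS; it reads a constructed sample modelled on the dump above and tags each cached handler with the indicators visible in it (rundll32 ShellExec_RunDLL launches, WScript handlers, RECYCLER paths, relative targets, look-alike verbs such as 0pen). The tag wording is this example's own.

```python
import re

# Constructed sample modelled on the MountPoints2 section of the DSS registry dump above
# (paths as posted, one wrapped line re-joined, plus an unrelated Run key to show filtering).
SAMPLE_DUMP = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a7247cc-e7c6-11dc-b9f7-0016178cdd58}]
Auto\command- F:\infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5b110b4-d74d-11dc-b9c9-0016178cdd58}]
AutoRun\command- F:\
explore\Command- WScript.exe .\azkaban.vbs
open\Command- WScript.exe .\azkaban.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f3f8c1df-15fa-11dd-ba9d-0016178cdd58}]
Auto\command- RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE
Browser\command- RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f3f8c1e0-15fa-11dd-ba9d-0016178cdd58}]
0pen\command- F:\krag.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL krag.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")                       # [HKEY_...\key]
CMD_RE = re.compile(r"^(?P<verb>[^\\]+)\\command- ?(?P<cmd>.*)$", re.I)  # verb\command- value
GUID_RE = re.compile(r"\\mountpoints2\\(\{[0-9a-f-]+\})$", re.I)


def parse_mountpoints(text):
    """Map each MountPoints2 {GUID} key in a DSS-style dump to its (verb, command) pairs."""
    result, guid = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            gm = GUID_RE.search(km["key"])
            guid = gm.group(1).lower() if gm else None   # None: not a MountPoints2 key
            continue
        cm = CMD_RE.match(line)
        if guid and cm:
            result.setdefault(guid, []).append((cm["verb"], cm["cmd"].strip()))
    return result


def classify(verb, cmd):
    """Indicators for one cached handler; any handler at all means the volume had an autorun.inf."""
    low = cmd.lower()
    tags = []
    if "shellexec_rundll" in low:
        tags.append("launched through rundll32 Shell32.DLL,ShellExec_RunDLL")
    if "wscript" in low or low.endswith(".vbs"):
        tags.append("script-interpreter handler")
    if "recycler\\" in low:
        tags.append("payload under a fake RECYCLER folder")
    tokens = low.split()
    # the last token is the thing actually run; no drive letter means it lives on the stick
    if tokens and ":" not in tokens[-1]:
        tags.append("target is relative, so it resolves on the inserted volume itself")
    if not verb.isalpha():
        tags.append(f"look-alike verb {verb!r}")
    return tags


def report(text):
    """One record per MountPoints2 key: GUID, handler count and the union of indicators."""
    out = []
    for guid, handlers in parse_mountpoints(text).items():
        tags = set()
        for verb, cmd in handlers:
            tags.update(classify(verb, cmd))
        out.append({"guid": guid, "handlers": len(handlers), "tags": sorted(tags)})
    return out


if __name__ == "__main__":
    for rec in report(SAMPLE_DUMP):
        print(rec["guid"], rec["handlers"], "handler(s)")
        for t in rec["tags"]:
            print("   -", t)
```

Every cached handler shows up on the removal list the helper posts next, and the drive itself (F:) has to be cleaned or reformatted, which a registry-only fix does not do.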

#37
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
No problem, do this when you can.
=====================
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\\Internet Firewall Layer
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\\Internet Security Service
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\\Windows USB Monitor
    C:\Windows\tsqla.exe
    C:\Windows\system32\tsqla.exe
    C:\Windows\mysqlwin32.exe
    C:\Windows\system32\mysqlwin32.exe
    C:\Windows\servupdate.exe
    C:\Windows\system32\servupdate.exe
    HKEY_USERS\.default\software\microsoft\windows\currentversion\run\\nvcoi
    HKEY_USERS\.default\software\microsoft\windows\currentversion\run\\JavaCore
    HKEY_USERS\.default\software\microsoft\windows\currentversion\run\\Windows Service Agent
    C:\Program Files\nvcoi
    C:\Program Files\\JavaCore
    C:\Windows\msngear.exe
    C:\Windows\system32\msngear.exe
    C:\WINDOWS\TEMP\DIL4.tmp
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoInclude
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fafa
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Firewall Layer
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Security Service
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pronto
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1
    C:\WINDOWS\mrofinu1001186.exe
    C:\WINDOWS\mrofinu1001186.exe.tmp
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDFix
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinDLL (msygl32.exe)
    C:\WINDOWS\system32\msygl32.exe
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\z0ogu
    F:\infrom.exe
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a7247cc-e7c6-11dc-b9f7-0016178cdd58}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{821d6136-0189-11dd-ba43-0016178cdd58}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5b110b4-d74d-11dc-b9c9-0016178cdd58}
    F:\azkaban.vbs
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f3f8c1e0-15fa-11dd-ba9d-0016178cdd58}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f3f8c1df-15fa-11dd-ba9d-0016178cdd58}
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
============================================
Then
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please, never rename ComboFix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#38
Stir423

    Member

  • Topic Starter
  • Member
  • 26 posts
< HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\\Internet Firewall Layer >
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\\Internet Firewall Layer deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\\Internet Security Service >
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\\Internet Security Service deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\\Windows USB Monitor >
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\\Windows USB Monitor deleted successfully.
File/Folder C:\Windows\tsqla.exe not found.
File/Folder C:\Windows\system32\tsqla.exe not found.
File/Folder C:\Windows\mysqlwin32.exe not found.
File/Folder C:\Windows\system32\mysqlwin32.exe not found.
File/Folder C:\Windows\servupdate.exe not found.
File/Folder C:\Windows\system32\servupdate.exe not found.
< HKEY_USERS\.default\software\microsoft\windows\currentversion\run\\nvcoi >
Registry value HKEY_USERS\.default\software\microsoft\windows\currentversion\run\\nvcoi deleted successfully.
< HKEY_USERS\.default\software\microsoft\windows\currentversion\run\\JavaCore >
Registry value HKEY_USERS\.default\software\microsoft\windows\currentversion\run\\JavaCore deleted successfully.
< HKEY_USERS\.default\software\microsoft\windows\currentversion\run\\Windows Service Agent >
Registry value HKEY_USERS\.default\software\microsoft\windows\currentversion\run\\Windows Service Agent deleted successfully.
File/Folder C:\Program Files\nvcoi not found.
File/Folder C:\Program Files\\JavaCore not found.
File/Folder C:\Windows\msngear.exe not found.
File/Folder C:\Windows\system32\msngear.exe not found.
File/Folder C:\WINDOWS\TEMP\DIL4.tmp not found.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoInclude >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoInclude\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fafa >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fafa\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Firewall Layer >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Firewall Layer\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Security Service >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Security Service\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pronto >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pronto\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1 >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1\\ deleted successfully.
File/Folder C:\WINDOWS\mrofinu1001186.exe not found.
File/Folder C:\WINDOWS\mrofinu1001186.exe.tmp not found.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDFix >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDFix\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinDLL (msygl32.exe)] >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinDLL (msygl32.exe)]\\ not found.
File/Folder C:\WINDOWS\system32\msygl32.exe not found.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\z0ogu >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\z0ogu\\ deleted successfully.
File/Folder F:\infrom.exe not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a7247cc-e7c6-11dc-b9f7-0016178cdd58} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a7247cc-e7c6-11dc-b9f7-0016178cdd58}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{821d6136-0189-11dd-ba43-0016178cdd58} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{821d6136-0189-11dd-ba43-0016178cdd58}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5b110b4-d74d-11dc-b9c9-0016178cdd58} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5b110b4-d74d-11dc-b9c9-0016178cdd58}\\ deleted successfully.
File/Folder F:\azkaban.vbs not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f3f8c1e0-15fa-11dd-ba9d-0016178cdd58} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f3f8c1e0-15fa-11dd-ba9d-0016178cdd58}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f3f8c1df-15fa-11dd-ba9d-0016178cdd58} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f3f8c1df-15fa-11dd-ba9d-0016178cdd58}\\ deleted successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05042008_155609

ComboFix 08-05-01.3 - Myds 2008-05-04 16:08:21.1 - NTFSx86
Running from: C:\Documents and Settings\Myds.MENLO-G9WECL961\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\b999.exe
C:\WINDOWS\explorer.exe.tmp
C:\WINDOWS\system32\tf5
C:\WINDOWS\system32\tf5\xopz89104.exe
C:\WINDOWS\system32\xk1
C:\WINDOWS\system32\zeb3

.
((((((((((((((((((((((((( Files Created from 2008-04-04 to 2008-05-04 )))))))))))))))))))))))))))))))
.

2008-05-04 15:29 . 2008-05-04 15:30 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-04 15:29 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-05-04 15:29 . 2003-02-28 18:26 46,352 --a------ C:\WINDOWS\setdebug.exe
2008-05-04 15:29 . 2003-02-28 16:54 7,315 --a------ C:\WINDOWS\system32\javasup.vxd
2008-05-04 15:29 . 2003-02-28 16:35 6,550 --a------ C:\WINDOWS\jautoexp.dat
2008-05-04 15:29 . 2003-02-28 16:38 113 --a------ C:\WINDOWS\system32\zonedon.reg
2008-05-04 15:29 . 2003-02-28 16:38 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2008-05-03 11:05 . 2008-05-03 11:05 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-05-01 20:01 . 2008-05-02 14:55 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-05-01 20:01 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-29 16:55 . 2008-04-29 16:55 <DIR> d-------- C:\Program Files\FreeRIP2
2008-04-29 16:53 . 2008-04-29 16:55 <DIR> d-------- C:\Program Files\FairStars CD Ripper
2008-04-29 14:46 . 2008-04-29 14:46 <DIR> d-------- C:\Documents and Settings\Des Chanel.MENLO-G9WECL961\Application Data\AdobeUM
2008-04-29 14:42 . 2008-04-29 14:42 <DIR> d-------- C:\Documents and Settings\Elijah James\Application Data\AVG7
2008-04-29 14:07 . 2008-04-29 14:07 <DIR> d-------- C:\Documents and Settings\Myds.MENLO-G9WECL961\Application Data\Ahead
2008-04-29 14:05 . 2008-04-29 14:05 1,024 --ah----- C:\Documents and Settings\Default User\NtUser.dat.LOG
2008-04-29 14:05 . 2008-05-04 16:08 1,024 --ah----- C:\Documents and Settings\Default User.WINDOWS\NtUser.dat.LOG
2008-04-29 14:04 . 2001-07-06 06:41 569,344 -ra------ C:\WINDOWS\system32\imagr5.dll
2008-04-29 14:04 . 2001-07-06 04:44 544,768 -ra------ C:\WINDOWS\system32\imagx5.dll
2008-04-29 14:04 . 2001-07-06 10:24 283,920 -ra------ C:\WINDOWS\system32\ImagXpr5.dll
2008-04-29 14:04 . 2001-07-09 03:50 155,648 -ra------ C:\WINDOWS\system32\NeroCheck.exe
2008-04-29 14:04 . 2001-06-26 00:15 38,912 -ra------ C:\WINDOWS\system32\picn20.dll
2008-04-29 13:46 . 2008-04-29 13:46 <DIR> d-------- C:\Documents and Settings\Myds.MENLO-G9WECL961\Application Data\CyberLink
2008-04-29 13:43 . 2008-04-29 13:43 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\CyberLink
2008-04-29 07:47 . 2008-04-29 07:47 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2008-04-29 07:25 . 2001-08-23 04:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-04-29 07:24 . 2001-08-23 04:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-04-29 07:23 . 2001-08-23 04:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-04-29 07:22 . 2004-08-03 15:56 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-04-29 07:20 . 2001-08-23 04:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-04-29 07:20 . 2008-04-29 07:20 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-04-29 07:20 . 2008-04-29 07:20 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-04-29 07:20 . 2008-04-29 07:20 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-04-29 07:20 . 2008-04-29 07:20 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-04-29 07:20 . 2008-04-29 07:20 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-04-29 07:20 . 2008-04-29 07:20 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-04-29 07:11 . 2003-07-01 13:42 27,904 --a------ C:\WINDOWS\system32\drivers\VIAAGP1.SYS
2008-04-29 04:34 . 2008-04-29 04:34 0 --a------ C:\23990098.$$$
2008-04-29 01:52 . 2008-04-29 02:37 <DIR> d-------- C:\Downloads
2008-04-29 01:52 . 2008-04-29 02:37 <DIR> d-------- C:\Bases
2008-04-29 01:51 . 2008-04-29 05:39 <DIR> d-------- C:\Kaspersky
2008-04-28 22:55 . 2008-04-30 06:35 <DIR> dr-h----- C:\$VAULT$.AVG
2008-04-28 21:40 . 2008-05-02 12:26 <DIR> d-------- C:\Documents and Settings\Des Chanel.MENLO-G9WECL961\Application Data\AVG7
2008-04-28 19:53 . 2008-04-28 19:53 <DIR> d-------- C:\Program Files\iTunes
2008-04-28 19:41 . 2008-04-28 19:41 <DIR> d-------- C:\Documents and Settings\Myds.MENLO-G9WECL961\Application Data\Apple Computer
2008-04-28 19:35 . 2008-04-28 19:35 <DIR> d-------- C:\Program Files\QuickTime
2008-04-28 18:39 . 2008-04-28 18:39 <DIR> d-------- C:\Documents and Settings\Myds.MENLO-G9WECL961\Application Data\AdobeUM
2008-04-28 18:36 . 2008-04-28 18:36 <DIR> d-------- C:\WINDOWS\Cache
2008-04-28 17:55 . 2008-04-28 18:00 <DIR> d-------- C:\Documents and Settings\Myds.MENLO-G9WECL961\DoctorWeb
2008-04-28 13:58 . 2008-04-28 13:58 <DIR> d-------- C:\_OTMoveIt
2008-04-24 11:53 . 2008-04-24 11:53 <DIR> d-------- C:\Deckard
2008-04-24 10:00 . 2008-04-24 10:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-24 09:48 . 2008-04-24 09:48 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-24 09:47 . 2008-04-29 07:13 <DIR> d-------- C:\SDFix
2008-04-23 16:01 . 2008-05-04 15:19 <DIR> d-------- C:\Documents and Settings\Myds.MENLO-G9WECL961\Application Data\AVG7
2008-04-21 13:34 . 2008-04-21 13:34 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7
2008-04-21 13:34 . 2008-04-29 07:46 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
2008-04-21 11:22 . 2008-04-21 11:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-04-21 11:20 . 2008-04-21 11:21 172 --a------ C:\WINDOWS\wininit.ini
2008-04-21 10:43 . 2008-04-29 07:47 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-21 10:43 . 2008-05-04 16:08 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-09 17:53 . 2008-04-09 17:53 111,616 --ah----- C:\WINDOWS\system32\len.exe
2008-04-08 22:23 . 2008-04-08 22:23 111,616 --ah----- C:\WINDOWS\system32\jer.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 21:04 --------- d-----w C:\Program Files\Ahead
2008-04-29 12:54 --------- d-----w C:\Program Files\Winamp
2008-04-29 10:14 --------- d-----w C:\Program Files\kari
2008-04-29 02:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-29 02:53 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-04-29 01:39 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-28 21:35 33,952 ----a-w C:\WINDOWS\system32\drivers\oreans32.sys
2008-03-26 06:56 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-26 06:56 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-03-26 06:30 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2004-08-03 22:56 168,960 --sha-r C:\WINDOWS\system32\bqrr.exe
2004-08-03 22:56 168,960 --sha-r C:\WINDOWS\system32\brnj.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 01:22 577536 C:\WINDOWS\SOUNDMAN.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-29 07:47 579584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-04-28 19:35 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24 278528]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 03:50 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-29 07:47 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-03 13:59 44544]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinDLL (msygl32.exe)]
C:\WINDOWS\system32\msygl32.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2008-04-28 14:35]
S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys []

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-04 16:10:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-04 16:11:46
ComboFix-quarantined-files.txt 2008-05-04 23:11:44

Pre-Run: 28,459,929,600 bytes free
Post-Run: 28,687,011,840 bytes free

153 --- E O F --- 2008-05-04 22:30:07

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:26 PM, on 5/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7F2600D-2596-48BC-B361-72DD753419B0}: NameServer = 58.69.254.3,58.69.254.8
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4246 bytes
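Reading a ComboFix log like the one above is mostly pattern-spotting: which newly created or recently modified files carry attribute combinations that ordinary software does not set on its own binaries. The Python below is an added example for this thread, not a tool from the ComboFix, OTMoveIt or HijackThis authors. It parses the two line shapes ComboFix uses in its "Files Created" and "Find3M" sections, flags executables with the hidden or system attribute set, and groups executables of identical byte size. The sample lines are excerpts copied from the posted log; reading the first timestamp of a "Files Created" line as creation time and the second as modification time is an assumption drawn from that section's header, as is reading the attribute letters d, r, a, h and s as directory, read-only, archive, hidden and system.

```python
"""Triage helper for ComboFix file listings.

Added example for this thread (not ComboFix's own code).  Assumptions:
  - "Files Created" lines read  <created> . <modified> <size|<DIR>> <attrs> <path>
  - "Find3M" lines read         <modified> <size|--------->        <attrs> <path>
  - attribute letters: d=directory r=read-only a=archive h=hidden s=system
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

_LINE = re.compile(
    r"^(?P<first>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?: \. (?P<second>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r" (?P<size><DIR>|[\d,]+|-+)"
    r" (?P<attrs>[-A-Za-z]+)"
    r" (?P<path>.+?)\s*$"
)

# Extensions treated as "executable content" for triage purposes.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".vxd", ".vbs", ".scr", ".cpl")

# Constructed sample: excerpts of the ComboFix log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-04-04 to 2008-05-04 )))))))))))))))))))))))))))))))
.

2008-05-04 15:29 . 2008-05-04 15:30 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-04 15:29 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-05-01 20:01 . 2008-05-02 14:55 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-29 07:20 . 2008-04-29 07:20 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-04-29 04:34 . 2008-04-29 04:34 0 --a------ C:\23990098.$$$
2008-04-09 17:53 . 2008-04-09 17:53 111,616 --ah----- C:\WINDOWS\system32\len.exe
2008-04-08 22:23 . 2008-04-08 22:23 111,616 --ah----- C:\WINDOWS\system32\jer.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 21:04 --------- d-----w C:\Program Files\Ahead
2008-04-28 21:35 33,952 ----a-w C:\WINDOWS\system32\drivers\oreans32.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2004-08-03 22:56 168,960 --sha-r C:\WINDOWS\system32\bqrr.exe
2004-08-03 22:56 168,960 --sha-r C:\WINDOWS\system32\brnj.exe
"""


@dataclass
class Entry:
    created: Optional[str]   # None for Find3M lines, which carry one timestamp
    modified: str
    size: Optional[int]      # None for directories and "---------" placeholders
    attrs: str               # raw ComboFix attribute string, e.g. "--sha-r"
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d") or self.size is None

    @property
    def is_executable(self) -> bool:
        return not self.is_dir and self.path.lower().endswith(EXECUTABLE_SUFFIXES)


def parse_entries(text: str) -> List[Entry]:
    """Return one Entry per file line; banners, dots and blanks are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        size_tok = m.group("size")
        size = int(size_tok.replace(",", "")) if size_tok[0].isdigit() else None
        if m.group("second"):
            created, modified = m.group("first"), m.group("second")
        else:
            created, modified = None, m.group("first")
        entries.append(Entry(created, modified, size, m.group("attrs"), m.group("path")))
    return entries


def flag_suspicious_executables(text: str) -> List[str]:
    """Executables marked hidden (h) or system (s): a combination legitimate
    installers almost never apply to a loose binary under system32."""
    return [e.path for e in parse_entries(text)
            if e.is_executable and ("h" in e.attrs or "s" in e.attrs)]


def identical_size_groups(text: str) -> Dict[int, List[str]]:
    """Executables sharing an exact byte size; randomly named twins of one
    size are worth a second look as copies of a single dropper."""
    by_size: Dict[int, List[str]] = {}
    for e in parse_entries(text):
        if e.is_executable:
            by_size.setdefault(e.size, []).append(e.path)
    return {s: p for s, p in by_size.items() if len(p) > 1}


if __name__ == "__main__":
    for path in flag_suspicious_executables(SAMPLE_LOG):
        print("hidden/system executable:", path)
    for size, paths in identical_size_groups(SAMPLE_LOG).items():
        print(f"{size} bytes x{len(paths)}:", ", ".join(paths))
```

On the excerpt it flags len.exe, jer.exe, bqrr.exe and brnj.exe, which are four of the five paths the next CFScript in this thread lists under File::, and it reports each of those pairs as same-size twins (111,616 and 168,960 bytes). A manifest such as logonui.exe.manifest is not counted as executable even though it is hidden and read-only, and hidden directories like $hf_mig$ are skipped.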

#39
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\len.exe
C:\WINDOWS\system32\jer.exe
C:\WINDOWS\system32\bqrr.exe
C:\WINDOWS\system32\brnj.exe
C:\WINDOWS\system32\msygl32.exe
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinDLL (msygl32.exe)]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image