Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Also hit with Trojandownloader.xs [RESOLVED]

Started by MrsFixIt , May 04 2008 04:06 PM

  • This topic is locked This topic is locked

#1
MrsFixIt
Posted 04 May 2008 - 04:06 PM

MrsFixIt

    Member

  • Member
  • PipPip
  • 32 posts
Hello! I'm new here, but have fixed problems in the past due to the posts I've read here. You guys are great! I've tried to read through the posts for trojandownloader.xs & follow whatever directions I've found (this site & others), but nothing seems to fix this. I have 2 laptops, networked together. My Dell is the one infected, & I can't get on the internet with it. I can, however, get on the [older, slower] IBM laptop, then transfer downloaded files to the Dell as long as I've booted so that I have network support. I'm taking it that each person's infection with this thing is unique & needs its own set of directions.

I'm running Windows Media Editon on the infected computer & XP Pro on the one that connects to the internet. I've ran my virus checker, Ad-Aware, & SpyBot, but these don't help. I've downloaded & ran SmitfraudFix NUMEROUS times & tried all of the options, but this still hasn't fixed the problem. I've downloaded combofix, but when I try to run that, it seems to do nothing -- I get no prompts whatsoever. I haven't used Hijackthis, so if I need to run that, you'll have to walk me through it. I've also tried to edit the registry by looking for the so-called viruses that I'm supposed to be infected with, but I get no hits when I search for them.

I'm an applications programmer, so I'm not afraid to try things -- basically, I know just enough to totally mess up my system when it comes to this sort of thing! And, btw, I'm working on 4 hours of sleep right now, which is a lot less than my 50-yr-old body wants! I just really need to get this fixed asap. Thanks!
  • 0

Advertisements

#2
greyknight17
Posted 04 May 2008 - 05:07 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Delete the version of Combofix you have. Then download it again here. Before you save it, rename it to something else (like CFMrsFixIt.exe instead of the default name). Save it to your desktop and try running it.

If you still have problems running it, do the below:

Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click 'Opera' at the top and choose 'Select All'
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Download HijackThis at http://www.greyknigh.../HijackThis.exe Create a folder at C:\HJT and move HijackThis.exe there. Double-click on the program to run it.

1. If it gives you an intro screen, just choose Do a system scan and save a logfile.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.
  • 0

#3
MrsFixIt
Posted 04 May 2008 - 05:40 PM

MrsFixIt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Okay, I ran both combofix & hijackthis. Do you want the log for combofix as well?

Here's the log for hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:37:17 PM, on 5/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1061125
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [QdrModule10] "C:\Program Files\QdrModule\QdrModule10.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [QdrModule10] "C:\Program Files\QdrModule\QdrModule10.exe" (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 4010 bytes
  • 0

#4
greyknight17
Posted 04 May 2008 - 08:14 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Yes please.
  • 0

#5
MrsFixIt
Posted 04 May 2008 - 08:30 PM

MrsFixIt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Actually, everything seems to be fine now. I no longer have pop-ups or warning messages coming up. I was able to put my desktop back. I can get to the internet again. I got a clean run of Ad-Aware & am running SpyBot right now. Could it really be fixed already? That seems too easy.

Anyway, here's the log from ComboFix. Let me know if you think I'm good to go, or if there's something else you think I should do. And thanks for all of your help!

ComboFix 08-05-01.3 - Donna McFarland 2008-05-04 19:18:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.668 [GMT -4:00]
Running from: C:\Documents and Settings\Donna McFarland\Desktop\CFMrsFixIt.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Donna McFarland\Application Data\FNTS~1
C:\Documents and Settings\Donna McFarland\Application Data\FNTS~1\F?nts\
C:\Documents and Settings\Donna McFarland\Application Data\FNTS~1\lsass.exe
C:\Documents and Settings\Donna McFarland\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Donna McFarland\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Donna McFarland\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\LocalService\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\LocalService\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\LocalService\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive15.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dicy.gz
C:\Program Files\QdrModule\kwdy.gz
C:\Program Files\QdrModule\QdrModule15.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\QdrPack15.exe
C:\Program Files\QdrPack\trgts.gz
C:\WINDOWS\123messenger.per
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\browserad.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\default.htm
C:\WINDOWS\didduid.ini
C:\WINDOWS\lfn.exe
C:\WINDOWS\licencia.txt
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\muotr.so
C:\WINDOWS\ntnut.exe
C:\WINDOWS\PerfInfo
C:\WINDOWS\pskt.ini
C:\WINDOWS\saiemod.dll
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\shdocpl.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\000060.exe
C:\WINDOWS\system32\000080.exe
C:\WINDOWS\system32\000090.exe
C:\WINDOWS\system32\drmgs.sys
C:\WINDOWS\system32\fcccbcab.dll
C:\WINDOWS\system32\fNqrBJjl.ini
C:\WINDOWS\system32\fNqrBJjl.ini2
C:\WINDOWS\system32\Indt2.sys
C:\WINDOWS\system32\ljJBrqNf.dll
C:\WINDOWS\system32\oxhxwklv.dll
C:\WINDOWS\system32\vlkwxhxo.ini
C:\WINDOWS\system32\winuwrmy.dll
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\system32\ybprcaym.dll
C:\WINDOWS\telefonos.txt
C:\WINDOWS\textos.txt
C:\WINDOWS\voiceip.dll
C:\WINDOWS\winsb.dll
C:\WINDOWS\winself.exe

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSECURITY1.209.4
-------\Legacy_PERFMONS
-------\Legacy_ROUTING
-------\Service_MsSecurity1.209.4
-------\Service_perfmons
-------\Service_Routing


((((((((((((((((((((((((( Files Created from 2008-04-04 to 2008-05-04 )))))))))))))))))))))))))))))))
.

2008-05-04 13:48 . 2008-05-04 13:48 109,734 --a------ C:\WINDOWS\BMc3fcccdc.xml
2008-05-04 02:29 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-04 02:29 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-04 02:29 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-04 02:29 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-04 02:29 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-04 02:29 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-04 02:29 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-04 02:29 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-04 01:17 . 2004-08-10 07:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-26 09:56 . 2008-05-04 01:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-26 09:56 . 2008-04-26 09:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-24 20:08 . 2008-04-24 20:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-15 14:16 . 2008-05-04 14:35 <DIR> d-------- C:\Program Files\StepMania

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 05:17 6,656 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-05-03 06:23 --------- d-----w C:\Documents and Settings\Donna McFarland\Application Data\Vso
2008-04-28 04:18 --------- d-----w C:\Documents and Settings\Donna McFarland\Application Data\BitTorrent
2008-04-25 00:09 --------- d-----w C:\Program Files\Lavasoft
2008-04-25 00:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-02 20:59 --------- d-----w C:\Program Files\DVDFab Platinum 4
2008-04-02 20:32 87,608 ----a-w C:\Documents and Settings\Donna McFarland\Application Data\inst.exe
2008-04-02 20:32 47,360 -c--a-w C:\Documents and Settings\Donna McFarland\Application Data\pcouffin.sys
2008-04-02 20:32 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-03-30 23:07 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-03-30 23:07 204,816 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-03-30 22:50 1,169,240 ----a-w C:\WINDOWS\system32\drivers\VsapiNT.sys
2008-03-12 20:25 --------- d-----w C:\Documents and Settings\Donna McFarland\Application Data\Lavasoft
2008-03-02 17:59 3,802,742 ----a-w C:\WINDOWS\4O8K4hdtd4.exe
2008-03-02 17:58 81,408 ----a-w C:\Documents and Settings\All Users\Application Data\cjwhsncn.dll
2008-03-02 17:58 189,440 ----a-w C:\WINDOWS\stwbsreh.dll
2007-01-31 05:55 87,608 -c--a-w C:\Documents and Settings\Donna McFarland\Application Data\ezpinst.exe
2007-01-16 20:55 88 -csh--r C:\WINDOWS\system32\6545AE81B9.sys
2007-01-16 20:56 2,828 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"QdrModule10"="C:\Program Files\QdrModule\QdrModule10.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^.protected]
backup=C:\WINDOWS\pss\.protectedCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Donna McFarland^Start Menu^Programs^Startup^.protected]
backup=C:\WINDOWS\pss\.protectedStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amok axis soft else]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
--a--c--- 2006-11-25 02:58 61440 c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cjwhsncn]
regsvr32 /u C:\Documents and Settings\All Users\Application Data\cjwhsncn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a--c--- 2006-09-28 15:21 57344 C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2006-08-03 20:51 1032192 C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2006-08-28 23:57 395776 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2004-12-06 03:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
--a--c--- 2006-05-22 14:26 694272 C:\Program Files\dvd43\dvd43_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a--c--- 2005-09-29 16:01 67584 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a--c--- 2006-11-25 03:29 236544 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a--c--- 2005-12-14 01:41 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a--c--- 2005-12-14 01:45 118784 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-12-14 01:44 98304 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a--c--- 2006-05-01 11:28 602182 C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
--a--c--- 2006-05-01 11:28 667718 C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2004-07-27 18:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2004-07-27 18:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 04:24 20480 C:\Program Files\NetWaiting\netWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE_OEM]
--a------ 2006-04-11 20:39 176201 C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
--a------ 2005-08-30 18:42 823362 C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2006-08-22 17:32 184320 C:\Program Files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Phone 4]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule13]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule15]
C:\Program Files\QdrModule\QdrModule15.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack13]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack15]
C:\Program Files\QdrPack\QdrPack15.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-11-25 03:26 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
-----c--- 2002-02-04 23:32 53248 C:\Program Files\REGSHAVE\REGSHAVE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShareSearcher]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a--c--- 2006-03-25 01:30 282624 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a--c--- 2006-03-08 20:48 761947 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uaol]
C:\DOCUME~1\DONNAM~1\APPLIC~1\FNTS~1\lsass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a--c--- 2006-11-03 18:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XPdefender]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"UMWdf"=3 (0x3)
"perfmons"=2 (0x2)
"WZCSVC"=2 (0x2)
"w32time"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"stisvc"=3 (0x3)
"WudfSvc"=3 (0x3)
"WinDefend"=2 (0x2)
"VSS"=3 (0x3)
"upnphost"=3 (0x3)
"UPS"=3 (0x3)
"StarWindService"=2 (0x2)
"SCardSvr"=3 (0x3)
"SQLAgent$MICROSOFTSMLBIZ"=3 (0x3)
"Routing"=2 (0x2)
"NtmsSvc"=2 (0x2)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasAuto"=3 (0x3)
"RSVP"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"SysmonLog"=3 (0x3)
"ose"=3 (0x3)
"xmlprov"=3 (0x3)
"mnmsrvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"NBService"=3 (0x3)
"ehSched"=2 (0x2)
"ehRecvr"=2 (0x2)
"McrdSvc"=2 (0x2)
"MDM"=2 (0x2)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$MICROSOFTSMLBIZ"=2 (0x2)
"SwPrv"=3 (0x3)
"MHN"=3 (0x3)
"dmadmin"=3 (0x3)
"dmserver"=3 (0x3)
"CiSvc"=3 (0x3)
"PolicyAgent"=2 (0x2)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"HidServ"=2 (0x2)
"GoogleDesktopManager"=3 (0x3)
"gusvc"=3 (0x3)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"MSDTC"=3 (0x3)
"TrkWks"=2 (0x2)
"Browser"=2 (0x2)
"AppMgmt"=3 (0x3)
"aspnet_state"=3 (0x3)
"WmiApSrv"=3 (0x3)
"LPDSVC"=3 (0x3)
"GameConsoleService"=3 (0x3)
"MsSecurity1.209.4"=2 (0x2)
"Tmntsrv"=2 (0x2)
"tmproxy"=2 (0x2)
"TmPfw"=2 (0x2)
"PcCtlCom"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Documents and Settings\\Donna McFarland\\DonnasDocs\\Programs\\WS_FTP\\WS_FTP95.exe"=
"C:\\Program Files\\Microsoft Office\\OFFICE11\\MSPUB.EXE"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S3 PL-40R;CASIO USB MIDI;C:\WINDOWS\system32\Drivers\pl40rwdm.sys [2004-10-01 03:08]
S4 GameConsoleService;GameConsoleService;"C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe" [2007-12-19 19:59]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-04 23:00:00 C:\WINDOWS\Tasks\AD5981D4918A3590.job"
- c:\docume~1\donnam~1\applic~1\boltat~1\mess 16 amok.exe
"2008-05-04 06:13:06 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-04 19:25:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\drivers\vmdesched.sys 6656 bytes executable
C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\cdosys.dll 35328 bytes executable
C:\WINDOWS\system32\clbinit.dll 1695 bytes

scan completed successfully
hidden files: 6

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\vmdesched.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
.
**************************************************************************
.
Completion time: 2008-05-04 19:27:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-04 23:27:26

Pre-Run: 100,420,505,600 bytes free
Post-Run: 100,329,426,944 bytes free

357 --- E O F --- 2008-04-09 19:04:04
  • 0

#6
greyknight17
Posted 04 May 2008 - 08:42 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Sometimes we do get that lucky, but most of the times there's usually a few more things to clean up. Same applies here...one or two more runs and we should be done :)

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

File::
C:\WINDOWS\BMc3fcccdc.xml
C:\WINDOWS\4O8K4hdtd4.exe
C:\Documents and Settings\All Users\Application Data\cjwhsncn.dll
C:\WINDOWS\stwbsreh.dll
C:\WINDOWS\Tasks\AD5981D4918A3590.job
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\pss\.protectedCommon Startup
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup
C:\WINDOWS\pss\.protectedStartup
Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"QdrModule10"=-
[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^.protected]
[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
[-HKLM\~\startupfolder\C:^Documents and Settings^Donna McFarland^Start Menu^Programs^Startup^.protected]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amok axis soft else]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cjwhsncn]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Phone 4]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule13]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule15]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack13]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack15]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShareSearcher]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uaol]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XPdefender]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

Download OTMoveIt2 at http://download.blee...r/OTMoveIt2.exe
* Save it to your desktop.
* Double-click OTMoveIt2.exe to run it. (Vista users, right click on OTMoveIt2.exe and select Run as an Administrator).
* Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

c:\docume~1\donnam~1\applic~1\boltat~1 /u
C:\DOCUME~1\DONNAM~1\APPLIC~1\FNTS~1 /u

* Return to OTMoveIt2. Right click in the Paste List of Files/Folders to Move window (under the Yellow bar) and choose Paste.
* Click the red Moveit! button.
* A log of files and folders moved will be created in the C:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
* Close OTMoveIt2.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
  • 0

#7
MrsFixIt
Posted 04 May 2008 - 09:08 PM

MrsFixIt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
The ComboFix log:

ComboFix 08-05-01.3 - Donna McFarland 2008-05-04 22:53:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.641 [GMT -4:00]
Running from: C:\Documents and Settings\Donna McFarland\Desktop\CFMrsFixIt.exe
Command switches used :: \\Andysibm\andysdocs\My Downloads\combofix\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup
C:\Documents and Settings\All Users\Application Data\cjwhsncn.dll
C:\WINDOWS\4O8K4hdtd4.exe
C:\WINDOWS\BMc3fcccdc.xml
C:\WINDOWS\pss\.protectedCommon Startup
C:\WINDOWS\stwbsreh.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\Tasks\AD5981D4918A3590.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\cjwhsncn.dll
C:\Documents and Settings\Donna McFarland\Application Data\inst.exe
C:\WINDOWS\4O8K4hdtd4.exe
C:\WINDOWS\BMc3fcccdc.xml
C:\WINDOWS\pss\.protectedCommon Startup
C:\WINDOWS\stwbsreh.dll
C:\WINDOWS\Tasks\AD5981D4918A3590.job

.
((((((((((((((((((((((((( Files Created from 2008-04-05 to 2008-05-05 )))))))))))))))))))))))))))))))
.

2008-05-04 19:36 . 2008-05-04 19:37 <DIR> d-------- C:\HJT
2008-05-04 02:29 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-04 02:29 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-04 02:29 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-04 02:29 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-04 02:29 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-04 02:29 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-04 02:29 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-04 02:29 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-04 01:17 . 2004-08-10 07:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-26 09:56 . 2008-05-04 01:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-26 09:56 . 2008-04-26 09:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-24 20:08 . 2008-04-24 20:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-15 14:16 . 2008-05-04 14:35 <DIR> d-------- C:\Program Files\StepMania

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 05:17 6,656 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-05-03 06:23 --------- d-----w C:\Documents and Settings\Donna McFarland\Application Data\Vso
2008-04-28 04:18 --------- d-----w C:\Documents and Settings\Donna McFarland\Application Data\BitTorrent
2008-04-25 00:09 --------- d-----w C:\Program Files\Lavasoft
2008-04-25 00:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-02 20:59 --------- d-----w C:\Program Files\DVDFab Platinum 4
2008-04-02 20:32 47,360 -c--a-w C:\Documents and Settings\Donna McFarland\Application Data\pcouffin.sys
2008-04-02 20:32 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-03-30 23:07 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-03-30 23:07 204,816 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-03-30 22:50 1,169,240 ----a-w C:\WINDOWS\system32\drivers\VsapiNT.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-12 20:25 --------- d-----w C:\Documents and Settings\Donna McFarland\Application Data\Lavasoft
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 09:07 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-01-31 05:55 87,608 -c--a-w C:\Documents and Settings\Donna McFarland\Application Data\ezpinst.exe
2007-01-16 20:55 88 -csh--r C:\WINDOWS\system32\6545AE81B9.sys
2007-01-16 20:56 2,828 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-04_19.27.13.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-04 19:10:02 62,434 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-04 23:28:53 62,434 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-04 19:10:02 402,994 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-04 23:28:53 402,994 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-05 01:24:46 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_614.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
--a--c--- 2006-11-25 02:58 61440 c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a--c--- 2006-09-28 15:21 57344 C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2006-08-03 20:51 1032192 C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2006-08-28 23:57 395776 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2004-12-06 03:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
--a--c--- 2006-05-22 14:26 694272 C:\Program Files\dvd43\dvd43_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a--c--- 2005-09-29 16:01 67584 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a--c--- 2006-11-25 03:29 236544 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a--c--- 2005-12-14 01:41 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a--c--- 2005-12-14 01:45 118784 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-12-14 01:44 98304 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a--c--- 2006-05-01 11:28 602182 C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
--a--c--- 2006-05-01 11:28 667718 C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2004-07-27 18:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2004-07-27 18:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 04:24 20480 C:\Program Files\NetWaiting\netWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE_OEM]
--a------ 2006-04-11 20:39 176201 C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
--a------ 2005-08-30 18:42 823362 C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2006-08-22 17:32 184320 C:\Program Files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-11-25 03:26 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
-----c--- 2002-02-04 23:32 53248 C:\Program Files\REGSHAVE\REGSHAVE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a--c--- 2006-03-25 01:30 282624 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a--c--- 2006-03-08 20:48 761947 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a--c--- 2006-11-03 18:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"UMWdf"=3 (0x3)
"perfmons"=2 (0x2)
"WZCSVC"=2 (0x2)
"w32time"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"stisvc"=3 (0x3)
"WudfSvc"=3 (0x3)
"WinDefend"=2 (0x2)
"VSS"=3 (0x3)
"upnphost"=3 (0x3)
"UPS"=3 (0x3)
"StarWindService"=2 (0x2)
"SCardSvr"=3 (0x3)
"SQLAgent$MICROSOFTSMLBIZ"=3 (0x3)
"Routing"=2 (0x2)
"NtmsSvc"=2 (0x2)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasAuto"=3 (0x3)
"RSVP"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"SysmonLog"=3 (0x3)
"ose"=3 (0x3)
"xmlprov"=3 (0x3)
"mnmsrvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"NBService"=3 (0x3)
"ehSched"=2 (0x2)
"ehRecvr"=2 (0x2)
"McrdSvc"=2 (0x2)
"MDM"=2 (0x2)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$MICROSOFTSMLBIZ"=2 (0x2)
"SwPrv"=3 (0x3)
"MHN"=3 (0x3)
"dmadmin"=3 (0x3)
"dmserver"=3 (0x3)
"CiSvc"=3 (0x3)
"PolicyAgent"=2 (0x2)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"HidServ"=2 (0x2)
"GoogleDesktopManager"=3 (0x3)
"gusvc"=3 (0x3)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"MSDTC"=3 (0x3)
"TrkWks"=2 (0x2)
"Browser"=2 (0x2)
"AppMgmt"=3 (0x3)
"aspnet_state"=3 (0x3)
"WmiApSrv"=3 (0x3)
"LPDSVC"=3 (0x3)
"GameConsoleService"=3 (0x3)
"MsSecurity1.209.4"=2 (0x2)
"Tmntsrv"=2 (0x2)
"tmproxy"=2 (0x2)
"TmPfw"=2 (0x2)
"PcCtlCom"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Documents and Settings\\Donna McFarland\\DonnasDocs\\Programs\\WS_FTP\\WS_FTP95.exe"=
"C:\\Program Files\\Microsoft Office\\OFFICE11\\MSPUB.EXE"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S3 PL-40R;CASIO USB MIDI;C:\WINDOWS\system32\Drivers\pl40rwdm.sys [2004-10-01 03:08]
S4 GameConsoleService;GameConsoleService;"C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe" [2007-12-19 19:59]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-04 06:13:06 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-04 22:54:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\drivers\vmdesched.sys 6656 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\vmdesched.sys"
.
Completion time: 2008-05-04 22:55:10
ComboFix-quarantined-files.txt 2008-05-05 02:54:50
ComboFix2.txt 2008-05-04 23:27:31

Pre-Run: 100,301,381,632 bytes free
Post-Run: 100,288,774,144 bytes free

256 --- E O F --- 2008-04-09 19:04:04


And the OTMoveit2 log:

< c:\docume~1\donnam~1\applic~1\boltat~1 /u >
File/Folder c:\docume~1\donnam~1\applic~1\boltat~1 not found.
< C:\DOCUME~1\DONNAM~1\APPLIC~1\FNTS~1 /u >
File/Folder C:\DOCUME~1\DONNAM~1\APPLIC~1\FNTS~1 not found.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05042008_230222
  • 0

#8
MrsFixIt
Posted 04 May 2008 - 09:32 PM

MrsFixIt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Something else that I've noticed:

I've been able to get to my email from the infected laptop right along, so I've been getting the notices of your replies to my emails on that computer. Now that I can get to the internet from that computer, I've tried to click on the link in the email to come here to read your posts, but I get an error message that the page can't be displayed. I've even tried to just type in www.geekstogo.com, & I still can't get here from that computer. Is that strange, or is that supposed to be happening at this point in time?
  • 0

#9
MrsFixIt
Posted 05 May 2008 - 10:18 AM

MrsFixIt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Okay, Google isn't working, either. You can do a search, & it will show results, but when you click on any of the links, it takes you to some advertisement. I tried to get to this site through google, & it was showing ads on computers & such. My husband was trying to find car parts & was linking to ads for car dealers.
  • 0

#10
greyknight17
Posted 05 May 2008 - 07:15 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Run all the scans below to see if there is any improvement afterwards.

Download Hoster at http://www.greyknigh.../spy/Hoster.exe and run it. Click on Restore Original Hosts button and press OK. If you used a custom HOSTS file, you will need to restore the file back.

Download Malwarebytes ' Anti-Malware at http://www.besttechi.../mbam-setup.exe or http://www.majorgeek...ware_d5756.html Double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoft.../activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply.
  • 0

Advertisements

#11
MrsFixIt
Posted 05 May 2008 - 09:31 PM

MrsFixIt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
The Panda scan is still running & is only at 42% done with 28 infected files & 4 suspicious ones, so far. I thought in the meantime, I'd post the MBAB log & ask if it's okay that I'm still using my laptop while we're doing this. We run a part-time business, so it's hard to NOT use it!

Here's the log:

Malwarebytes' Anti-Malware 1.11
Database version: 722

Scan type: Full Scan (C:\|)
Objects scanned: 88766
Time elapsed: 39 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\xflock (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\PostInstallC (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\XPdefender (Rogue.XPDefender) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\WakeNet (Trojan.Adware) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Donna McFarland\DonnasDocs\My Downloads\Yule Log\hold sinstaller3.exe (Adware.Comet) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\ISM\ism.exe.vir (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\QdrDrive\qdrloader.exe.vir (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\QdrPack\QdrPack15.exe.vir (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\4O8K4hdtd4.exe.vir (Rogue.Installer) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\000080.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\fcccbcab.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ljJBrqNf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP3\A0000065.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP3\A0000068.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP3\A0000070.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP3\A0000109.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP3\A0000111.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP3\A0000123.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP4\A0000193.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clbdll.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\perfs.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
  • 0

#12
MrsFixIt
Posted 05 May 2008 - 10:44 PM

MrsFixIt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Here's the log from the Panda scan:

;*******************************************************************************
*********************************************************************************
*******************
ANALYSIS: 2008-05-06 00:42:13
PROTECTIONS: 1
MALWARE: 20
SUSPECTS: 8
;*******************************************************************************
*********************************************************************************
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
=================================================================================
===================
Trend Micro PC-cillin Internet Security 12.7.1019 No Yes
;===============================================================================
=================================================================================
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
=================================================================================
===================
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\donna mcfarland\favorites\health
00055522 Eicar.Mod Virus No 0 No No C:\Program Files\Trend Micro\Internet Security 12\tmhelp.chm[/PCC12/Test_virus.htm]
00091156 adware/popmonster Adware No 0 Yes No c:\documents and settings\donna mcfarland\favorites\shopping\walmart.url
00139535 Application/Processor HackTools No 0 Yes No C:\WINDOWS\system32\Process.exe
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP4\A0000206.exe
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Donna McFarland\Cookies\donna mcfarland@tribalfusion[1].txt
00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\Donna McFarland\Cookies\donna mcfarland@revenue[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Donna McFarland\Cookies\donna mcfarland@com[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Donna McFarland\Cookies\donna [email protected][2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Donna McFarland\Cookies\donna mcfarland@advertising[2].txt
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP3\A0000133.exe[327882R2FWJFW\NirCmdC.cfexe]
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\Documents and Settings\Donna McFarland\Desktop\Protection\CFMrsFixIt.exe[327882R2FWJFW\NirCmdC.cfexe]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP3\A0000134.EXE
01196325 Cookie/Enhance TrackingCookie No 0 Yes No C:\Documents and Settings\Donna McFarland\Cookies\donna mcfarland@enhance[2].txt
02164907 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\DIGStream\digstream.exe
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP4\A0000207.exe
02882762 Trj/Clicker.AHA Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP3\A0000082.sys
02882762 Trj/Clicker.AHA Virus/Trojan No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\Indt2.sys.vir
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP3\A0000124.sys
02913340 Adware/InternetSpeedMonitor Adware No 0 No No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP3\A0000108.exe[ism.exe]
02913340 Adware/InternetSpeedMonitor Adware No 0 No No C:\QooBox\Quarantine\C\WINDOWS\system32\000060.exe.vir[ism.exe]
02913341 Adware/InternetSpeedMonitor Adware No 0 No No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP3\A0000108.exe[QdrModule15.exe]
02913341 Adware/InternetSpeedMonitor Adware No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP3\A0000069.exe
02913341 Adware/InternetSpeedMonitor Adware No 0 No No C:\QooBox\Quarantine\C\WINDOWS\system32\000060.exe.vir[QdrModule15.exe]
02913341 Adware/InternetSpeedMonitor Adware No 0 Yes No C:\QooBox\Quarantine\C\Program Files\QdrModule\QdrModule15.exe.vir
02924397 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\WINDOWS\system32\ndt2.sys
02936956 Adware/SideSearch Adware No 0 Yes No C:\QooBox\Quarantine\C\Program Files\QdrDrive\QdrDrive15.dll.vir
02936956 Adware/SideSearch Adware No 0 No No C:\QooBox\Quarantine\C\WINDOWS\system32\000060.exe.vir[QdrDrive15.dll]
02936956 Adware/SideSearch Adware No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP3\A0000067.dll
02936956 Adware/SideSearch Adware No 0 No No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP3\A0000108.exe[QdrDrive15.dll]
;===============================================================================
=================================================================================
===================
SUSPECTS
Sent Location 3
;===============================================================================
=================================================================================
===================
No C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll 3
No C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll 3
No C:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll 3
No C:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll 3
No C:\WINDOWS\system32\clb.dll 3
No C:\WINDOWS\system32\clbcatex.dll 3
No C:\WINDOWS\system32\dllcache\clb.dll 3
No C:\WINDOWS\system32\drivers\clbdriver.sys 3
;===============================================================================
=================================================================================
===================
VULNERABILITIES
Id Severity Description 3
;===============================================================================
=================================================================================
===================
;===============================================================================
=================================================================================
===================
  • 0

#13
MrsFixIt
Posted 06 May 2008 - 08:18 PM

MrsFixIt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
It looks like I'm still infected. Google seems to be working now, but the scans found some more things. I also uninstalled & re-installed SpyBot & am letting it run ram-resident. It caught a change to my registry, which I denied. I believe it was going to change my home page.

BTW, when are you actually available to do this sort of work? I'm assuming you work outside the home & only have the evenings available. I see you're in NY, too, as am I. Actually, I'm in Upstate NY.
  • 0

#14
MrsFixIt
Posted 08 May 2008 - 12:05 AM

MrsFixIt

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Hello? I hope you're still working with me because I'm still having problems. Now I can't upload pictures to my eBay auctions. This is how I'm making money right now, so I really need it fixed! I've been re-running Ad-Aware & SpyBot, but that's about all I really feel comfortable doing on my own at this point. Both programs almost always seem to "find" things, too.
  • 0

#15
greyknight17
Posted 08 May 2008 - 09:06 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Sorry for the delay. Please give us up to 3 days for a reply. Yes, I do work outside the home. Most people here probably do and volunteer their time here whenever they get a chance. I've been busy lately at work and training...

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://swandog46.gee.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install. Make sure Run fixit is checked and click Finish. The fix will begin. Follow the prompts. You will be asked to reboot your computer. Your system may take longer than usual to load - this is normal.

Wait until your desktop loads. A notepad file called report.txt should open up. Post that log here along with a new HijackThis log.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

File::
C:\Documents and Settings\Donna McFarland\Cookies\donna mcfarland@tribalfusion[1].txt
C:\Documents and Settings\Donna McFarland\Cookies\donna mcfarland@revenue[1].txt
C:\Documents and Settings\Donna McFarland\Cookies\donna mcfarland@com[1].txt
C:\Documents and Settings\Donna McFarland\Cookies\donna [email protected][2].txt
C:\Documents and Settings\Donna McFarland\Cookies\donna mcfarland@advertising[2].txt
C:\Documents and Settings\Donna McFarland\Cookies\donna mcfarland@enhance[2].txt
C:\WINDOWS\system32\ndt2.sys
Folder::
c:\documents and settings\donna mcfarland\favorites\health
c:\documents and settings\donna mcfarland\favorites\shopping

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

Any better now?
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP