Geeks to Go forums

wmsdkns.exe, other malware and antivirus kills [RESOLVED]



#1 hwg (Member, 25 posts)
Hello,

I am sure you get this all the time, but I am new to posting here and would love for some expert to help me out... I have tried everything I can think of and many of the Google searches. Here is my issue:

I got some ugly virus: many popups stating I have a virus and to go to their web site for fixes, and the computer was running really slow. I used different programs including NOD (which was running when I got infected), AV8, Smitfraud, combofix and ATF (which highlighted Smitfraud and combofix as viruses). This cleaned many of my issues, but here are the remaining problems:

1) wmsdkns.exe is in the HijackThis file and on my computer
2) My C: drive is "X"'d out with a RED "X".
3) I can install my purchased NOD application, but when I turn off the PC, I get a kernel error and it doesn't run. I have to do a new reinstall, but it only works until I turn off the PC.

I am running XP 5.1 SP2

Here is my hijack this file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:52 PM, on 5/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - (no file)
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Download with Rapget - C:\old computer\Downloads\from joe\RapGet\rapget.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189988193562
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 5543 bytes


If someone can help me I would be SOOOOO appreciative! I thank you in advance!
hwg

#2 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
Hi hwg,

Welcome to GeeksToGo :)

I can see a few infections in your log, so we will remove them now and do a couple of scans to see what else is lurking on your machine.

The scans will likely take 3 hours, quite possibly much longer, so just let them run.

There are 6 logs to post in your next reply, so feel free to post them as you complete them... I will wait for them all to come in :)


====STEP 1====
we will be doing this step in safe mode so you should save these instructions for this step in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


====STEP 2====
Please download the OTMoveIt2 by OldTimer and Save it to your desktop.

Do not run it yet



Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. (if present)

R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - (no file)
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O8 - Extra context menu item: Download with Rapget - C:\old computer\Downloads\from joe\RapGet\rapget.htm
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe (file missing)


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.



Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\WINDOWS\system32\wmsdkns.exe
    C:\old computer\Downloads\from joe\RapGet\rapget.htm
    C:\WINDOWS\winself.exe
    purity 
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



====STEP 3====
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.



====STEP 4====
Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



====STEP 5====
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now under select a target to scan: Select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display whether your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

====STEP 6====
Could you delete the current version of ComboFix you have and then follow these instructions:

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet. For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**




In your next reply could I see:
1. the Report.txt log
2. the OTMoveIT log
3. the malwarebytes log
4. the kaspersky scan log
5. the combofix log
6. a new hijackthis log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
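The three entry classes andrewuk picked out of the log above (the F2 UserInit line carrying a second executable, the O23 service with "Unknown owner" and a missing binary, and the R3/O2/O3 hooks, BHOs and toolbars registered with "(no file)") are exactly the patterns a malware-removal helper scans a HijackThis log for first. The script below is an added example and is not part of this thread, of HijackThis, or of any tool named in it: it parses entry lines in the HijackThis v2 log format and buckets them into those three findings. The sample log is constructed from lines in the log posted in this thread, and the flagging rules (what counts as a Userinit hijack, a bad service, or an orphaned CLSID) are this example's own assumptions, not HijackThis logic.

```python
"""Triage a HijackThis v2 log for the entry classes a helper acts on first.

Added example, not code from the thread or from HijackThis. The rules
below are assumptions about what to treat as suspicious.
"""
import re
from typing import Dict, List

# Constructed sample: entry lines copied from the log posted in this thread,
# plus two benign lines (an O4 Run entry and a vendor-owned O23 service).
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - (no file)
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\wmsdkns.exe,
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - (no file)
O4 - HKLM\\..\\Run: [UnlockerAssistant] "C:\\Program Files\\Unlocker\\UnlockerAssistant.exe"
O23 - Service: MpService - Canon Inc - C:\\Program Files\\Canon\\MultiPASS4\\MPSERVIC.EXE
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\\WINDOWS\\winself.exe (file missing)
"""

# A stock Windows XP Userinit value is this single program (trailing comma is normal).
EXPECTED_USERINIT = "c:\\windows\\system32\\userinit.exe"

# Every HijackThis entry line starts with a section code such as R3, F2, O2, O23.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_entries(log_text: str) -> List[Dict[str, str]]:
    """Return one dict per entry line; header, process list and blank lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"section": m.group("section"), "body": m.group("body")})
    return entries


def userinit_extras(body: str) -> List[str]:
    """Programs appended to the Userinit value beyond the stock userinit.exe."""
    value = body.split("UserInit=", 1)[1] if "UserInit=" in body else ""
    progs = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in progs if p.lower() != EXPECTED_USERINIT]


def triage(log_text: str) -> Dict[str, List[str]]:
    """Bucket entries into findings (rules are this example's assumptions).

      userinit_hijack : F2 UserInit lists anything besides userinit.exe
      bad_service     : O23 service with no vendor string or a missing binary
      orphan_clsid    : R3/O2/O3 hook, BHO or toolbar whose DLL is gone
    """
    findings: Dict[str, List[str]] = {"userinit_hijack": [], "bad_service": [], "orphan_clsid": []}
    for e in parse_entries(log_text):
        sec, body = e["section"], e["body"]
        if sec == "F2" and "UserInit=" in body:
            findings["userinit_hijack"].extend(userinit_extras(body))
        elif sec == "O23" and ("Unknown owner" in body or "(file missing)" in body):
            findings["bad_service"].append(body)
        elif sec in ("R3", "O2", "O3") and body.endswith("(no file)"):
            clsid = re.search(r"\{[0-9A-Fa-f-]{36}\}", body)
            findings["orphan_clsid"].append(clsid.group(0) if clsid else body)
    return findings


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(f"{kind}:")
        for item in items:
            print(f"  {item}")
```

Run it as a script to see the findings for the constructed sample, or pass the text of a saved log to triage(). The split matters in practice: a "(no file)" entry is a leftover registration with no code behind it, so it is cleanup, while an extra program on Userinit runs at every interactive logon and an unowned service pointing at a missing binary is a persistence mechanism whose payload has already been removed or hidden, which is why those two entries were the ones targeted for removal above.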

#3 hwg (Topic Starter, Member, 25 posts)
WOW Andrewuk! What a GREAT reply! I shall start this straight away and let you know the results! Thank you for your detailed and thorough response!

hwg

#4 hwg (Topic Starter, Member, 25 posts)
O.K. Here are the logs for part 1. I am sure I have to finish all steps before I am finished, but I thought I would do it in parts to keep the post from getting too long.

Thanks!
hwg

Step 1
=======

SDFix: Version 1.180
Run by Roe on Tue 05/06/2008 at 10:10 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
MsSecurity1.209.4

Path :

MsSecurity1.209.4 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\17PHolmes572.exe - Deleted
C:\WINDOWS\123messenger.per - Deleted
C:\WINDOWS\didduid.ini - Deleted
C:\WINDOWS\licencia.txt - Deleted
C:\WINDOWS\megavid.cdt - Deleted
C:\WINDOWS\muotr.so - Deleted
C:\WINDOWS\system32\winfrun32.bin - Deleted
C:\WINDOWS\telefonos.txt - Deleted
C:\WINDOWS\textos.txt - Deleted





Removing Temp Files

ADS Check :


C:\WINDOWS\system32
:svchost 769
Total size: 769 bytes.
system32: deleted 769 bytes in 1 streams.

Checking for remaining Streams

C:\WINDOWS\system32
No streams found.


Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-06 10:17:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s0"=dword:f315fd62
"s1"=dword:d5d3c651
"s2"=dword:cb6f383f
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:0d,5c,c4,1d,8a,05,1b,d4,b8,af,25,03,43,bf,a6,e8,0e,89,44,98,7d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:0d,5c,c4,1d,8a,05,1b,d4,b8,af,25,03,43,bf,a6,e8,0e,89,44,98,7d,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\MSN Messenger\\MsnMsgr .Exe"="C:\\Program Files\\MSN Messenger\\MsnMsgr .Exe:*:Enabled:Messenger"
"C:\\Program Files\\MSN Messenger\\MsnMsgr .Exe"="C:\\Program Files\\MSN Messenger\\MsnMsgr .Exe:*:Enabled:Messenger"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\old computer\\Program Files\\Adobe\\Foxit editor\\FoxIt PDF Editor\\PDF Editor Pro v1.4 cracked\\PDFEdit.exe"="C:\\old computer\\Program Files\\Adobe\\Foxit editor\\FoxIt PDF Editor\\PDF Editor Pro v1.4 cracked\\PDFEdit.exe:*:Enabled:Foxit PDF Editor, the first REAL editor for PDF files!"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 21 Aug 2005 213 A.SHR --- "C:\old computer\BOOT.BAK"
Wed 6 Feb 2008 1,310,720 A..H. --- "C:\Documents and Settings\LocalService\NTUSER.bak"
Wed 6 Feb 2008 1,310,720 A..H. --- "C:\Documents and Settings\NetworkService\NTUSER.bak"
Wed 6 Feb 2008 6,815,744 A..H. --- "C:\Documents and Settings\Roe\NTUSER.bak"
Tue 19 Jun 2001 65,536 A..H. --- "C:\old computer\MobMircV201XTR\moo2.dll"
Mon 17 May 2004 8,007,680 A..H. --- "C:\Program Files\XSite Pro\Microsoft.mshtml.dll"
Mon 5 Nov 2007 88 A.SH. --- "C:\WINDOWS\system32\4D7CD740B4.sys"
Mon 28 Jan 2008 2,516 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sun 14 Oct 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 11 Jul 2007 22,528 A..H. --- "C:\Roe\Deux Amis\Deux Amis\~WRL0001.tmp"
Fri 13 Jul 2007 24,064 A..H. --- "C:\Roe\Deux Amis\Deux Amis\~WRL0048.tmp"
Fri 13 Jul 2007 24,576 A..H. --- "C:\Roe\Deux Amis\Deux Amis\~WRL1514.tmp"
Thu 12 Jul 2007 22,528 A..H. --- "C:\Roe\Deux Amis\Deux Amis\~WRL2872.tmp"
Thu 12 Jul 2007 23,040 A..H. --- "C:\Roe\Deux Amis\Deux Amis\~WRL2898.tmp"
Fri 13 Jul 2007 24,064 A..H. --- "C:\Roe\Deux Amis\Deux Amis\~WRL3587.tmp"
Thu 12 Jul 2007 22,528 A..H. --- "C:\Roe\Deux Amis\Deux Amis\~WRL3875.tmp"
Wed 6 Dec 2006 4,348 A.SH. --- "C:\old computer\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 14 Oct 2007 4,348 ...H. --- "C:\Documents and Settings\Roe\My Documents\My Music\License Backup\drmv1key.bak"
Wed 27 Feb 2008 20 A..H. --- "C:\Documents and Settings\Roe\My Documents\My Music\License Backup\drmv1lic.bak"
Wed 27 Feb 2008 312 A.SH. --- "C:\Documents and Settings\Roe\My Documents\My Music\License Backup\drmv2key.bak"
Sun 16 Sep 2007 262,144 A..H. --- "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.bak"
Sun 16 Sep 2007 262,144 A..H. --- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.bak"
Wed 6 Feb 2008 262,144 A..H. --- "C:\Documents and Settings\Roe\Local Settings\Application Data\Microsoft\Windows\UsrClass.bak"
Tue 13 Mar 2007 365,056 A..H. --- "C:\old computer\Documents and Settings\HP_Owner\Application Data\Microsoft\Templates\~WRL1460.tmp"
Tue 6 Dec 2005 19,456 A..H. --- "C:\old computer\Documents and Settings\HP_Owner\Application Data\Microsoft\Word\~WRL0003.tmp"
Tue 31 Jan 2006 19,456 A..H. --- "C:\old computer\Documents and Settings\HP_Owner\Application Data\Microsoft\Word\~WRL0004.tmp"
Tue 6 Dec 2005 19,456 A..H. --- "C:\old computer\Documents and Settings\HP_Owner\Application Data\Microsoft\Word\~WRL0194.tmp"
Tue 31 Jan 2006 107,008 A..H. --- "C:\old computer\Documents and Settings\HP_Owner\Application Data\Microsoft\Word\~WRL1507.tmp"
Fri 13 Jul 2007 22,528 A..H. --- "C:\old computer\Documents and Settings\HP_Owner\Application Data\Microsoft\Word\~WRL3513.tmp"
Fri 13 Jul 2007 743,424 A..H. --- "C:\old computer\Documents and Settings\HP_Owner\Application Data\Microsoft\Word\~WRL3631.tmp"
Sat 2 Dec 2006 19,456 A..H. --- "C:\old computer\Documents and Settings\HP_Owner\Application Data\Microsoft\Word\~WRL3884.tmp"

Finished!



************************************************************

Step 2
=========

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:19:17 PM, on 5/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - (no file)
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: Download with Rapget - C:\old computer\Downloads\from joe\RapGet\rapget.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189988193562
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 4414 bytes

Edited by hwg, 07 May 2008 - 09:27 AM.


#5 hwg (Topic Starter, Member, 25 posts)
STEP 3

File/Folder CODE not found.
File/Folder not found.
Explorer killed successfully
File/Folder C:\WINDOWS\system32\wmsdkns.exe not found.
C:\old computer\Downloads\from joe\RapGet\rapget.htm moved successfully.
File/Folder C:\WINDOWS\winself.exe not found.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05062008_200749

Edited by hwg, 07 May 2008 - 09:26 AM.


#6 hwg (Topic Starter, Member, 25 posts)
Step 4 Log:
==========

Malwarebytes' Anti-Malware 1.12
Database version: 727

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 238423
Time elapsed: 45 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{b1e22eb8-2ae8-4e8e-96ae-74f2a1764533} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{bdbebf18-7615-4971-9ac3-bd6ffb7ad6c1} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{bdbebf18-7615-4971-9ac3-bd6ffb7ad6c1} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dlp.dlpobj (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dlp.dlpobj.1 (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Roe\Application Data\Desktopicon\eBayShortcuts.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Edited by hwg, 07 May 2008 - 09:26 AM.


#7 hwg (Topic Starter, Member, 25 posts)
Step 5
============

Wednesday, May 07, 2008 2:04:42 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/05/2008
Kaspersky Anti-Virus database records: 744315


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects 202045
Number of viruses found 9
Number of infected objects 22
Number of suspicious objects 0
Duration of the scan process 02:46:33

Infected Object Name Virus Name Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Roe\Application Data\Netscape\Navigator\Profiles\ppy2y2h5.default\cert8.db Object is locked skipped

C:\Documents and Settings\Roe\Application Data\Netscape\Navigator\Profiles\ppy2y2h5.default\formhistory.dat Object is locked skipped

C:\Documents and Settings\Roe\Application Data\Netscape\Navigator\Profiles\ppy2y2h5.default\history.dat Object is locked skipped

C:\Documents and Settings\Roe\Application Data\Netscape\Navigator\Profiles\ppy2y2h5.default\key3.db Object is locked skipped

C:\Documents and Settings\Roe\Application Data\Netscape\Navigator\Profiles\ppy2y2h5.default\linkpad.sqlite Object is locked skipped

C:\Documents and Settings\Roe\Application Data\Netscape\Navigator\Profiles\ppy2y2h5.default\parent.lock Object is locked skipped

C:\Documents and Settings\Roe\Application Data\Netscape\Navigator\Profiles\ppy2y2h5.default\search.sqlite Object is locked skipped

C:\Documents and Settings\Roe\Application Data\Netscape\Navigator\Profiles\ppy2y2h5.default\urlclassifier2.sqlite Object is locked skipped

C:\Documents and Settings\Roe\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Roe\Desktop\download\MIRC616.EXE/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped

C:\Documents and Settings\Roe\Desktop\download\MIRC616.EXE mIRC: infected - 1 skipped

C:\Documents and Settings\Roe\Desktop\mIRC_MobMirc2004.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped

C:\Documents and Settings\Roe\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Roe\Desktop\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Roe\Desktop\SmitfraudFix.exe RAR: infected - 1 skipped

C:\Documents and Settings\Roe\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Roe\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Roe\Local Settings\Application Data\Netscape\Navigator\Profiles\ppy2y2h5.default\Cache\_CACHE_001_ Object is locked skipped

C:\Documents and Settings\Roe\Local Settings\Application Data\Netscape\Navigator\Profiles\ppy2y2h5.default\Cache\_CACHE_002_ Object is locked skipped

C:\Documents and Settings\Roe\Local Settings\Application Data\Netscape\Navigator\Profiles\ppy2y2h5.default\Cache\_CACHE_003_ Object is locked skipped

C:\Documents and Settings\Roe\Local Settings\Application Data\Netscape\Navigator\Profiles\ppy2y2h5.default\Cache\_CACHE_MAP_ Object is locked skipped

C:\Documents and Settings\Roe\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Roe\Local Settings\History\History.IE5\MSHist012008050720080508\index.dat Object is locked skipped

C:\Documents and Settings\Roe\Local Settings\Temp\~DF255C.tmp Object is locked skipped

C:\Documents and Settings\Roe\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Roe\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Roe\ntuser.dat.LOG Object is locked skipped

C:\Downloads\rview31.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.n skipped

C:\Downloads\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\old computer\Downloads\mobmirc-v201xtr\MobMirc2004v2.01XTR.exe/mIRC_MobMirc2004.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped

C:\old computer\Downloads\mobmirc-v201xtr\MobMirc2004v2.01XTR.exe/system\alias\alias3.ini Infected: Backdoor.IRC.Zapchast skipped

C:\old computer\Downloads\mobmirc-v201xtr\MobMirc2004v2.01XTR.exe Gentee: infected - 2 skipped

C:\old computer\Downloads\mobmirc-v201xtr.zip/MobMirc2004v2.01XTR.exe/mIRC_MobMirc2004.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped

C:\old computer\Downloads\mobmirc-v201xtr.zip/MobMirc2004v2.01XTR.exe/system\alias\alias3.ini Infected: Backdoor.IRC.Zapchast skipped

C:\old computer\Downloads\mobmirc-v201xtr.zip/MobMirc2004v2.01XTR.exe Infected: Backdoor.IRC.Zapchast skipped

C:\old computer\Downloads\mobmirc-v201xtr.zip ZIP: infected - 3 skipped

C:\old computer\Downloads\Office 2003 Prokeygen.rar/crack.exe Infected: Trojan-Downloader.Win32.IstBar.er skipped

C:\old computer\Downloads\Office 2003 Prokeygen.rar ZIP: infected - 1 skipped

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2008-05-06.10-14-58.log Object is locked skipped

C:\Program Files\Netscape\Navigator 9\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP272\A0061242.dll Infected: Trojan.Win32.Agent.lkz skipped

C:\System Volume Information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP286\change.log Object is locked skipped

C:\System Volume Information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP86\A0011231.exe/file01 Infected: not-a-virus:Monitor.Win32.GoldenEye.401 skipped

C:\System Volume Information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP86\A0011231.exe/file23 Infected: Trojan.Win32.Hooker.j skipped

C:\System Volume Information\_restore{681E7DC9-F614-4D8B-8879-2E9EE0C935F2}\RP86\A0011231.exe Inno: infected - 2 skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{4913207B-2E49-4688-B5E8-3BE896640E49}.crmlog Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped

C:\WINDOWS\system32\drivers\sptd6477.sys Object is locked skipped

C:\WINDOWS\system32\drivers\vaxscsi.sys Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

#8 hwg (Member, Topic Starter, 25 posts)

This is the 6th and final step. All logs and instructions were followed exactly! Please let me know what else I need to do! I REALLY appreciate it! I also would like to put on my NOD virus software that I purchased. Is that suggested at this time? Lastly, I need a recommendation for a Firewall.
Thanks a BUNCH!
hwg

Step 6
==================

ComboFix 08-05-01.3 - Roe 2008-05-07 16:32:31.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1532 [GMT -7:00]
Running from: C:\Documents and Settings\Roe\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Roe\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\kmd.exe
C:\WINDOWS\mainms.vpi
C:\WINDOWS\system\msvbvm60.dll
C:\WINDOWS\system32\ajbpborm.ini
C:\WINDOWS\system32\CMMGR32.EXE
.
---- Previous Run -------
.
C:\WINDOWS\system32\qxkpwbly.dll
C:\Documents and Settings\Roe\Application Data\inst.exe
C:\Program Files\MSN Messenger\MsnMsgr .Exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\_000110_.tmp.dll
C:\WINDOWS\system32\CMMGR32.EXE
C:\WINDOWS\system32\ddtedibh.ini
C:\WINDOWS\system32\dgjlm.ini
C:\WINDOWS\system32\dgjlm.ini2
C:\WINDOWS\system32\erdxbeqp.ini
C:\WINDOWS\system32\fuqtjeex.ini
C:\WINDOWS\system32\lxgbiaea.ini
C:\WINDOWS\system32\mljgd.dll
C:\WINDOWS\system32\mljgd.exe
C:\WINDOWS\system32\qxkpwbly.dll
C:\WINDOWS\system32\qxkpwbly.dllbox
C:\WINDOWS\system32\xhtjsfyf.dll
C:\WINDOWS\system32\yaywurq.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
.

2008-05-06 20:16 . 2008-05-06 20:16 <DIR> d-------- C:\Documents and Settings\Roe\Application Data\Malwarebytes
2008-05-06 20:15 . 2008-05-06 20:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-06 20:15 . 2008-05-06 20:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-06 20:15 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-06 20:15 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-06 20:07 . 2008-05-06 20:07 <DIR> d-------- C:\_OTMoveIt
2008-05-06 09:15 . 2008-05-06 09:15 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-06 09:06 . 2008-05-06 13:16 <DIR> d-------- C:\SDFix
2008-05-05 21:07 . 2008-05-05 21:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-05 20:37 . 2008-05-05 20:37 <DIR> d-------- C:\Program Files\Unlocker
2008-05-05 20:37 . 2008-05-07 08:22 <DIR> d-------- C:\Documents and Settings\Roe\Application Data\Desktopicon
2008-05-05 20:24 . 2008-05-05 20:24 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-05 20:24 . 2008-05-05 20:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-04 18:34 . 2008-05-04 18:34 <DIR> d-------- C:\!KillBox
2008-05-04 18:32 . 2008-05-04 18:37 <DIR> d-------- C:\Program Files\Windows Live
2008-05-04 18:32 . 2008-05-04 18:37 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-04 18:32 . 2008-05-04 21:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-04 14:52 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-05-04 14:52 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-05-04 12:48 . 2008-05-04 18:13 <DIR> d-------- C:\Program Files\COMODO
2008-05-04 12:48 . 2008-05-04 18:13 <DIR> d-------- C:\Documents and Settings\Roe\Application Data\Comodo
2008-05-03 20:25 . 2008-05-03 20:25 <DIR> d-------- C:\Program Files\AVG
2008-05-03 20:25 . 2008-05-04 09:58 <DIR> d-------- C:\Documents and Settings\Roe\Application Data\AVGTOOLBAR
2008-05-03 20:25 . 2008-05-05 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-03 18:31 . 2008-05-03 18:31 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-05-03 14:20 . 2008-05-03 14:20 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-05-03 14:20 . 2006-03-15 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-26 20:37 . 2008-05-01 18:32 <DIR> d-------- C:\Documents and Settings\Roe\Application Data\ZoomBrowser EX
2008-04-26 20:35 . 2008-04-26 20:35 <DIR> d-------- C:\Documents and Settings\Roe\Application Data\Canon
2008-04-26 20:35 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-04-26 20:35 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-04-25 12:19 . 2008-05-01 18:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-04-25 11:51 . 2008-04-25 11:51 <DIR> d-------- C:\Program Files\Common Files\Canon
2008-04-23 18:36 . 2008-04-23 18:36 <DIR> d-------- C:\Program Files\LizardTech
2008-04-23 18:35 . 2008-04-23 18:35 <DIR> dr------- C:\UDC Output Files
2008-04-23 18:35 . 2008-04-23 18:35 <DIR> d-------- C:\Program Files\Universal Document Converter
2008-04-23 18:35 . 2007-08-14 20:57 5,632 --a------ C:\WINDOWS\system32\udcpm.dll
2008-04-08 17:44 . 2008-04-08 17:44 <DIR> d-------- C:\Program Files\Bonjour
2008-04-08 17:36 . 2008-04-08 17:36 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-04-08 10:29 . 2008-04-08 10:29 <DIR> d-------- C:\Western Digital
2008-04-08 10:18 . 2008-04-08 10:19 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-07 21:10 . 2008-04-07 21:10 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-04-07 21:10 . 2008-04-07 21:10 223,128 --a------ C:\WINDOWS\system32\drivers\vaxscsi.sys
2008-04-07 21:07 . 2008-04-07 21:07 642,560 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-04-07 21:07 . 2008-04-07 21:07 96,256 --a------ C:\WINDOWS\system32\drivers\sptd6477.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-05 03:58 --------- d-----w C:\Program Files\The Print Shop 20
2008-05-05 01:30 --------- d-----w C:\Program Files\MSN Messenger
2008-05-04 19:43 --------- d-----w C:\Documents and Settings\Roe\Application Data\TeraCopy
2008-05-04 17:43 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-05-04 17:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-04 17:43 --------- d-----w C:\Documents and Settings\Roe\Application Data\SUPERAntiSpyware.com
2008-05-01 21:23 --------- d-----w C:\Documents and Settings\Roe\Application Data\Vso
2008-04-25 19:21 --------- d-----w C:\Program Files\CANON
2008-04-24 01:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-09 00:43 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-08 04:05 --------- d-----w C:\Documents and Settings\Roe\Application Data\DMCache
2008-04-04 04:28 --------- d-----w C:\Documents and Settings\Roe\Application Data\Corel
2008-03-20 00:07 --------- d-----w C:\Program Files\Mayoko
2008-03-12 23:35 --------- d-----w C:\Program Files\VLCPortable
2008-01-11 03:03 47,360 ----a-w C:\Documents and Settings\Roe\Application Data\pcouffin.sys
2007-12-26 00:40 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-09-22 01:21 2,393 ----a-w C:\Documents and Settings\Roe\Application Data\SAS7_000.DAT
2007-11-05 21:11 88 --sha-w C:\WINDOWS\system32\4D7CD740B4.sys
2008-01-29 04:40 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
<pre>
----a-w		   151,552 2008-02-06 20:46:59  C:\Documents and Settings\Roe\Desktop\MPTBox .exe
----a-w		   311,296 2008-02-05 17:48:56  C:\Program Files\CANON\MultiPASS4\monitr32 .exe
----a-w		   151,552 2008-02-06 20:46:59  C:\Program Files\CANON\MultiPASS4\MPTBox .exe
----a-w		 6,731,312 2008-02-07 04:44:13  C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas  .exe
----a-w		   278,528 2008-02-04 22:38:19  C:\Program Files\iTunes\iTunesHelper .exe
----a-w		 1,667,584 2008-01-28 20:39:12  C:\Program Files\Messenger\msmsgs .exe
----a-w		 5,674,352 2008-02-10 00:09:34  C:\Program Files\MSN Messenger\MsnMsgr  .Exe
----a-w		 5,674,352 2008-02-10 18:41:31  C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w		 1,310,720 2008-02-06 03:35:41  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w		 4,670,704 2008-02-07 04:44:13  C:\Program Files\Yahoo!\Messenger\YahooMessenger	 .exe
----a-w		   158,208 2008-02-10 18:44:56  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w			65,536 2008-02-04 22:38:19  C:\WINDOWS\system32\fxredir .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 18:43 4670704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Palo Alto Software Update Manager 8.0.lnk]
backup=C:\WINDOWS\pss\Palo Alto Software Update Manager 8.0.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Roe^Start Menu^Programs^Startup^Cyber-shot Viewer Media Check Tool.lnk]
backup=C:\WINDOWS\pss\Cyber-shot Viewer Media Check Tool.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2008-02-06 21:44 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2007-02-28 23:06 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--------- 2005-05-03 03:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitDefender Antiphishing Helper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
--a------ 2007-03-13 16:38 39264 c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2004-08-10 04:04 59392 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fxredir]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-04-19 22:57 162584 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-04-19 22:57 142104 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-02-16 16:15 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-02-16 16:15 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\monitr32]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPTBox]
--a------ 2008-02-07 13:37 0 C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-02-07 13:37 0 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2007-04-19 22:57 138008 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-09-17 22:05 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--------- 2007-04-12 02:33 16132608 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-12-07 16:08 21686568 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2003-09-29 16:00 155648 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-02-29 16:03 1481968 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UDC Integration]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2008-05-01 21:15 15872 C:\Program Files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]
--a------ 2008-04-08 10:42 364544 C:\WINDOWS\system32\WDBtnMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 18:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
--a------ 2007-06-08 07:59 224248 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ekrn"=2 (0x2)
"EhttpSrv"=3 (0x3)
"wuauserv"=3 (0x3)
"wscsvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 cis1284;cis1284;C:\WINDOWS\system32\drivers\cis1284.sys [2001-06-26 21:00]
R3 WDC_SAM;WD SCSI Pass Thru driver;C:\WINDOWS\system32\DRIVERS\wdcsam.sys [2006-09-07 22:16]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2007-09-16 13:43]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30d5f1aa-6498-11dc-9cdb-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{21DB17A7-9EB9-0768-D9C5-22A71AD280F1}]
C:\WINDOWS\system32:svchost.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 16:37:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\CANON\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-05-07 16:44:41 - machine was rebooted [Roe]
ComboFix-quarantined-files.txt 2008-05-07 23:44:28

Pre-Run: 332,165,599,232 bytes free
Post-Run: 332,168,769,536 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

247

===================
Hijack This
============

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:47:20 PM, on 5/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189988193562
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 4205 bytes

#9 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)

Yes, it is now OK to put your NOD32 on, update it and run a full system scan. I can still see some infections in your logs and I will be back with further instructions, and hopefully by then your NOD32 scan should be complete or underway :)

andrewuk

#10 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)

It appears you have an infection which has compromised some of your security and other programs, which we will start to remove now.

====STEP 1====
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\old computer\Downloads\mobmirc-v201xtr\MobMirc2004v2.01XTR.exe
C:\old computer\Downloads\mobmirc-v201xtr.zip
C:\old computer\Downloads\Office 2003 Prokeygen.rar

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30d5f1aa-6498-11dc-9cdb-806d6172696f}]

RenV::
C:\Documents and Settings\Roe\Desktop\MPTBox .exe
C:\Program Files\CANON\MultiPASS4\monitr32 .exe
C:\Program Files\CANON\MultiPASS4\MPTBox .exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas  .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\MSN Messenger\MsnMsgr  .Exe
C:\Program Files\MSN Messenger\msnmsgr .exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger	 .exe
C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
C:\WINDOWS\system32\fxredir .exe


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Image: animation of dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
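As an added example (it is not code from this thread, from the helper, or from ComboFix), the Python script below reproduces the two checks behind the CFScript above from a defender's side: it scans Find3M-style log lines for executables whose file names have whitespace squeezed in before the extension (the " .exe" entries that end up in the RenV:: list), it finds MountPoints2 keys carrying an AutoRun command (the key removed under Registry::), and it renders both findings in the section layout the helper's post uses. The sample input is copied from the log lines posted earlier in this thread, plus one constructed clean control entry; the function names and the `<TAB>` placeholder used to embed the tab character are assumptions of the example.

```python
"""Flag the two loading-point anomalies visible in the ComboFix log above.

Added example, not part of the thread or of ComboFix itself. It assumes the
log line layouts shown on the page (the Find3M <pre> block and the Reg Loading
Points section); the sample data below is copied from those lines plus one
constructed clean entry, so the script runs offline.
"""
import re

# --- constructed sample input -------------------------------------------------
# Five lines copied from the Find3M block in the log; the last line is a
# constructed, clean control entry with no whitespace before its extension.
SAMPLE_FIND3M = r"""
----a-w           151,552 2008-02-06 20:46:59  C:\Documents and Settings\Roe\Desktop\MPTBox .exe
----a-w         6,731,312 2008-02-07 04:44:13  C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas  .exe
----a-w         5,674,352 2008-02-10 00:09:34  C:\Program Files\MSN Messenger\MsnMsgr  .Exe
----a-w         4,670,704 2008-02-07 04:44:13  C:\Program Files\Yahoo!\Messenger\YahooMessenger<TAB> .exe
----a-w            65,536 2008-02-04 22:38:19  C:\WINDOWS\system32\fxredir .exe
----a-w           278,528 2008-02-04 22:38:19  C:\Program Files\iTunes\iTunesHelper.exe
""".replace("<TAB>", "\t")   # the posted log really contains a tab in the Yahoo line

# Copied from the Reg Loading Points section of the same log.
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 18:43 4670704]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30d5f1aa-6498-11dc-9cdb-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
"""

# One Find3M line: attributes, size, date, time, then the path (which may contain spaces).
FIND3M_LINE = re.compile(
    r"^(?P<attrs>[-a-z]+)\s+(?P<size>[\d,]+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+(?P<path>.+?)\s*$"
)
# Whitespace squeezed between the file name and its extension ("MPTBox .exe").
PADDED_EXT = re.compile(r"\S[ \t]+\.[A-Za-z0-9]{1,4}$")


def parse_find3m(text):
    """Return one dict per parseable Find3M line; size is converted to an int."""
    entries = []
    for line in text.splitlines():
        m = FIND3M_LINE.match(line)
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"].replace(",", ""))
            entries.append(entry)
    return entries


def find_padded_executables(text):
    """Paths whose file name carries whitespace before the extension."""
    hits = []
    for entry in parse_find3m(text):
        basename = entry["path"].rsplit("\\", 1)[-1]
        if PADDED_EXT.search(basename):
            hits.append(entry["path"])
    return hits


def find_autorun_mountpoints(text):
    """(key, command) pairs for MountPoints2 keys that carry an AutoRun command."""
    hits = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "mountpoints2" in key.lower() and "\\shell\\autorun\\command" in line.lower():
            command = line.split(" - ", 1)[1] if " - " in line else ""
            hits.append((key, command))
    return hits


def build_cfscript(padded_paths, autorun_keys):
    """Render the Registry:: and RenV:: sections in the layout the helper's post uses."""
    out = []
    if autorun_keys:
        out.append("Registry::")
        out.extend(f"[-{key}]" for key in autorun_keys)   # leading '-' deletes the key
        out.append("")
    if padded_paths:
        out.append("RenV::")
        out.extend(padded_paths)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    padded = find_padded_executables(SAMPLE_FIND3M)
    autorun = find_autorun_mountpoints(SAMPLE_REG)
    print(build_cfscript(padded, [key for key, _ in autorun]))
```

The padded-extension check is the interesting one: a name such as "avgas  .exe" is a different file from "avgas.exe", so the Run and msconfig entries that still point at the clean name silently stop launching the security tool, which is exactly the "antivirus kills" symptom this thread opened with. Reviewing the Find3M block for that pattern, rather than trusting the loading points alone, is how the helper spotted it.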


#11 hwg (Member, Topic Starter, 25 posts)

Thanks for the quick and thorough reply, once again!!! My C drive is still displayed with a RED "X". Is it still infected or is this something that I just need to change back? If so, how do I change it back?

Here is the Combofix log
================

ComboFix 08-05-01.3 - Roe 2008-05-07 20:53:02.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1632 [GMT -7:00]
Running from: C:\Documents and Settings\Roe\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Roe\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\old computer\Downloads\mobmirc-v201xtr.zip
C:\old computer\Downloads\mobmirc-v201xtr\MobMirc2004v2.01XTR.exe
C:\old computer\Downloads\Office 2003 Prokeygen.rar
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\old computer\Downloads\mobmirc-v201xtr.zip
C:\old computer\Downloads\mobmirc-v201xtr\MobMirc2004v2.01XTR.exe
C:\old computer\Downloads\Office 2003 Prokeygen.rar

.
((((((((((((((((((((((((( Files Created from 2008-04-08 to 2008-05-08 )))))))))))))))))))))))))))))))
.

2008-05-07 17:22 . 2008-05-07 17:22 <DIR> d-------- C:\Program Files\ESET
2008-05-06 20:16 . 2008-05-06 20:16 <DIR> d-------- C:\Documents and Settings\Roe\Application Data\Malwarebytes
2008-05-06 20:15 . 2008-05-06 20:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-06 20:15 . 2008-05-06 20:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-06 20:15 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-06 20:15 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-06 20:07 . 2008-05-06 20:07 <DIR> d-------- C:\_OTMoveIt
2008-05-06 09:15 . 2008-05-06 09:15 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-06 09:06 . 2008-05-06 13:16 <DIR> d-------- C:\SDFix
2008-05-05 21:07 . 2008-05-05 21:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-05 20:37 . 2008-05-05 20:37 <DIR> d-------- C:\Program Files\Unlocker
2008-05-05 20:37 . 2008-05-07 08:22 <DIR> d-------- C:\Documents and Settings\Roe\Application Data\Desktopicon
2008-05-05 20:24 . 2008-05-05 20:24 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-05 20:24 . 2008-05-05 20:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-04 18:34 . 2008-05-04 18:34 <DIR> d-------- C:\!KillBox
2008-05-04 18:32 . 2008-05-04 18:37 <DIR> d-------- C:\Program Files\Windows Live
2008-05-04 18:32 . 2008-05-04 18:37 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-04 18:32 . 2008-05-04 21:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-04 14:52 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-05-04 14:52 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-05-04 12:48 . 2008-05-04 18:13 <DIR> d-------- C:\Program Files\COMODO
2008-05-04 12:48 . 2008-05-04 18:13 <DIR> d-------- C:\Documents and Settings\Roe\Application Data\Comodo
2008-05-03 20:25 . 2008-05-03 20:25 <DIR> d-------- C:\Program Files\AVG
2008-05-03 20:25 . 2008-05-04 09:58 <DIR> d-------- C:\Documents and Settings\Roe\Application Data\AVGTOOLBAR
2008-05-03 20:25 . 2008-05-05 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-03 18:31 . 2008-05-03 18:31 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-05-03 14:20 . 2008-05-03 14:20 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-05-03 14:20 . 2006-03-15 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-26 20:37 . 2008-05-01 18:32 <DIR> d-------- C:\Documents and Settings\Roe\Application Data\ZoomBrowser EX
2008-04-26 20:35 . 2008-04-26 20:35 <DIR> d-------- C:\Documents and Settings\Roe\Application Data\Canon
2008-04-26 20:35 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-04-26 20:35 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-04-25 12:19 . 2008-05-01 18:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-04-25 11:51 . 2008-04-25 11:51 <DIR> d-------- C:\Program Files\Common Files\Canon
2008-04-23 18:36 . 2008-04-23 18:36 <DIR> d-------- C:\Program Files\LizardTech
2008-04-23 18:35 . 2008-04-23 18:35 <DIR> dr------- C:\UDC Output Files
2008-04-23 18:35 . 2008-04-23 18:35 <DIR> d-------- C:\Program Files\Universal Document Converter
2008-04-23 18:35 . 2007-08-14 20:57 5,632 --a------ C:\WINDOWS\system32\udcpm.dll
2008-04-08 17:44 . 2008-04-08 17:44 <DIR> d-------- C:\Program Files\Bonjour
2008-04-08 17:36 . 2008-04-08 17:36 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-04-08 10:29 . 2008-04-08 10:29 <DIR> d-------- C:\Western Digital
2008-04-08 10:18 . 2008-04-08 10:19 <DIR> d-------- C:\WINDOWS\system32\NtmsData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-08 03:53 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-05-08 03:53 --------- d-----w C:\Program Files\MSN Messenger
2008-05-08 03:53 --------- d-----w C:\Program Files\iTunes
2008-05-05 03:58 --------- d-----w C:\Program Files\The Print Shop 20
2008-05-04 19:43 --------- d-----w C:\Documents and Settings\Roe\Application Data\TeraCopy
2008-05-04 17:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-04 17:43 --------- d-----w C:\Documents and Settings\Roe\Application Data\SUPERAntiSpyware.com
2008-05-01 21:23 --------- d-----w C:\Documents and Settings\Roe\Application Data\Vso
2008-04-25 19:21 --------- d-----w C:\Program Files\CANON
2008-04-24 01:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-09 00:43 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-08 17:42 364,544 ----a-w C:\WINDOWS\system32\WDBtnMgr.exe
2008-04-08 04:10 223,128 ----a-w C:\WINDOWS\system32\drivers\vaxscsi.sys
2008-04-08 04:10 --------- d-----w C:\Program Files\Alcohol Soft
2008-04-08 04:07 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd6477.sys
2008-04-08 04:07 642,560 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-04-08 04:05 --------- d-----w C:\Documents and Settings\Roe\Application Data\DMCache
2008-04-04 04:28 --------- d-----w C:\Documents and Settings\Roe\Application Data\Corel
2008-03-20 00:07 --------- d-----w C:\Program Files\Mayoko
2008-03-13 23:52 33,800 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2008-03-13 23:44 29,704 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-03-13 23:43 40,456 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-03-12 23:35 --------- d-----w C:\Program Files\VLCPortable
2008-02-10 19:14 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2008-02-10 18:44 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig.exe
2008-01-11 03:03 47,360 ----a-w C:\Documents and Settings\Roe\Application Data\pcouffin.sys
2007-12-26 00:40 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-09-22 01:21 2,393 ----a-w C:\Documents and Settings\Roe\Application Data\SAS7_000.DAT
2007-11-05 21:11 88 --sha-w C:\WINDOWS\system32\4D7CD740B4.sys
2008-01-29 04:40 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [email protected]_16.44.18.20 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-07 23:36:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-08 00:24:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-08 00:22:57 10,134 ----a-r C:\WINDOWS\Installer\{86A6E235-C08F-4A14-B14C-793C7D8844A0}\callmsi.exe
+ 2008-05-08 00:22:57 136,448 ----a-r C:\WINDOWS\Installer\{86A6E235-C08F-4A14-B14C-793C7D8844A0}\egui.exe
- 2006-03-15 12:00:00 158,208 -c--a-w C:\WINDOWS\system32\dllcache\msconfig.exe
+ 2008-02-10 18:44:56 158,208 -c--a-w C:\WINDOWS\system32\dllcache\msconfig.exe
+ 2008-02-04 22:38:19 65,536 ----a-w C:\WINDOWS\system32\fxredir.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2008-02-06 21:44 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 16:48 1443072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Palo Alto Software Update Manager 8.0.lnk]
backup=C:\WINDOWS\pss\Palo Alto Software Update Manager 8.0.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Roe^Start Menu^Programs^Startup^Cyber-shot Viewer Media Check Tool.lnk]
backup=C:\WINDOWS\pss\Cyber-shot Viewer Media Check Tool.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2007-02-28 23:06 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--------- 2005-05-03 03:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitDefender Antiphishing Helper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
--a------ 2007-03-13 16:38 39264 c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2004-08-10 04:04 59392 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fxredir]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-04-19 22:57 162584 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-04-19 22:57 142104 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-02-16 16:15 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-02-16 16:15 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\monitr32]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPTBox]
--a------ 2008-02-06 13:46 151552 C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-01-28 13:39 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2007-04-19 22:57 138008 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-09-17 22:05 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--------- 2007-04-12 02:33 16132608 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-12-07 16:08 21686568 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2003-09-29 16:00 155648 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-02-05 20:35 1310720 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UDC Integration]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2008-05-01 21:15 15872 C:\Program Files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]
--a------ 2008-04-08 10:42 364544 C:\WINDOWS\system32\WDBtnMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2008-02-06 21:44 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
--a------ 2007-06-08 07:59 224248 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ekrn"=2 (0x2)
"EhttpSrv"=3 (0x3)
"wuauserv"=3 (0x3)
"wscsvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]
R2 cis1284;cis1284;C:\WINDOWS\system32\drivers\cis1284.sys [2001-06-26 21:00]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2007-09-16 13:43]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\WINDOWS\system32\DRIVERS\wdcsam.sys [2006-09-07 22:16]

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{21DB17A7-9EB9-0768-D9C5-22A71AD280F1}]
C:\WINDOWS\system32:svchost.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 20:57:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-07 21:00:08
ComboFix-quarantined-files.txt 2008-05-08 03:59:56
ComboFix2.txt 2008-05-07 23:44:42

Pre-Run: 332,005,965,824 bytes free
Post-Run: 331,994,431,488 bytes free

217

=====================
Here is the new Hijack this log:
=====================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:01:43 PM, on 5/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189988193562
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 4649 bytes
  • 0

#12
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
I suspect we are almost done.

My C drive still displayed as RED "X". Is it still infected or is this something that I just need to change back, if so, how do I change it back?

Not infected, just the remnant of a past infection; we will see where the issue is in this post and fix it in the following post.

And we will also scan a file.


====STEP 1====
Open Notepad and Copy (Control+C) and Paste (Control+V) the following code into the Notepad window.


@ECHO OFF
REM Start with a fresh report file each time the batch runs
If exist DrvIconQuery.txt Del DrvIconQuery.txt
Echo Report>>DrvIconQuery.txt
Echo %date% %time% >>DrvIconQuery.txt
Echo.>>DrvIconQuery.txt
@ECHO Working.......
REM Dump the Explorer key and every subkey (/s) - per-drive icon overrides live under it
Reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /s >> DrvIconQuery.txt
REM Open the finished report in Notepad
start notepad DrvIconQuery.txt


Click on 'File' then 'Save As'
In the Save in drop down box select Desktop
In the File name box type in FixService.bat
In the Save as type drop down box select All Files
Close Notepad.

Now, find FixService.bat on your Desktop and Double click it
A window will open and close; do not be concerned, this is normal.


Make sure you attach the report in your reply - it will be too large to copy and paste.



To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

====STEP 2====
Jotti File Submission:

Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
C:\WINDOWS\system32\4D7CD740B4.sys

Click on the submit button

Please post the results of the scan in your next reply.

If Jotti is busy, try the same at Virustotal



In your next reply could I see:
1. the attached DrvIconQuery.txt
2. the jotti report

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk

Edited by andrewuk, 08 May 2008 - 09:49 AM.

  • 0
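The batch file in the post above dumps the whole Explorer key because Explorer takes a drive's icon (and label) from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\<letter>\DefaultIcon (or DefaultLabel), so an entry left behind there keeps painting the drive with whatever icon the infection set. The Python below is an added example, not code from this thread or from andrewuk: it reads a reg query /s dump in the DrvIconQuery.txt layout, flags any such per-drive override, and builds the reg delete command that removes it. The dump embedded in it is constructed, and the icon path in it is a placeholder rather than anything taken from the poster's machine.

```python
"""Flag per-drive icon overrides in a `reg query ... /s` dump (DrvIconQuery.txt).

Added example, not code from the thread. Explorer reads a drive's icon and
label from HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\DriveIcons\\<letter>
(DefaultIcon / DefaultLabel subkeys), so a stale entry there keeps a drive
painted with whatever icon the malware set even after the malware is gone.
"""
import re

# Constructed sample of reg.exe 3.0 (Windows XP) output: keys unindented, values
# indented and tab-separated as <name> <type> <data>. The icon path is a placeholder.
SAMPLE_DUMP = (
    "Report\n"
    "Thu 05/08/2008  9:10:02.11\n"
    "\n"
    "! REG.EXE VERSION 3.0\n"
    "\n"
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\n"
    "    ShellState\tREG_BINARY\t24000000\n"
    "\n"
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\n"
    "    Hidden\tREG_DWORD\t0x2\n"
    "\n"
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\DriveIcons\n"
    "\n"
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\DriveIcons\\C\n"
    "\n"
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\DriveIcons\\C\\DefaultIcon\n"
    "    <NO NAME>\tREG_SZ\tC:\\WINDOWS\\system32\\PLACEHOLDER_red_x.ico,0\n"
    "\n"
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n"
    "    Common Desktop\tREG_SZ\tC:\\Documents and Settings\\All Users\\Desktop\n"
)

# Matches ...\Explorer\DriveIcons\<letter>\DefaultIcon or ...\DefaultLabel
DRIVE_ICON_RE = re.compile(
    r"\\Explorer\\DriveIcons\\([A-Za-z])\\(DefaultIcon|DefaultLabel)$", re.IGNORECASE
)


def parse_reg_dump(text):
    """Yield (key, value_name, value_type, data) for every value in a reg query /s dump.

    Handles both the XP layout (tabs, '<NO NAME>') and the Vista+ layout
    (four spaces, '(Default)').
    """
    current_key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue  # blank line or the "! REG.EXE VERSION" banner
        if not line[0].isspace():
            # Unindented line: a key path, or report text such as the date header
            current_key = line if line.upper().startswith("HK") else None
            continue
        if current_key is None:
            continue
        parts = re.split(r"\t+|\s{2,}", line.strip(), maxsplit=2)
        if len(parts) < 2:
            continue  # not a name/type/data triple
        name, vtype = parts[0], parts[1]
        data = parts[2] if len(parts) == 3 else ""
        if name in ("<NO NAME>", "(Default)"):
            name = "(Default)"
        yield current_key, name, vtype, data


def find_drive_icon_overrides(text):
    """Return one finding per DriveIcons\\<letter>\\DefaultIcon or DefaultLabel value."""
    findings = []
    for key, name, vtype, data in parse_reg_dump(text):
        match = DRIVE_ICON_RE.search(key)
        if match:
            findings.append({
                "drive": match.group(1).upper(),
                "setting": match.group(2),
                "key": key,
                "value": name,
                "type": vtype,
                "data": data,
            })
    return findings


def remediation_command(finding):
    """Build the reg.exe command that removes the whole per-drive override key."""
    drive_key = finding["key"].rsplit("\\", 1)[0]  # drop the trailing \DefaultIcon
    return f'reg delete "{drive_key}" /f'


if __name__ == "__main__":
    for f in find_drive_icon_overrides(SAMPLE_DUMP):
        print(f"drive {f['drive']}: {f['setting']} = {f['data']}")
        print("  fix:", remediation_command(f))
```

Run it against a real DrvIconQuery.txt by reading the file into find_drive_icon_overrides instead of SAMPLE_DUMP. A legitimate program (a Windows-branded drive, a vendor tool) can also set DriveIcons, so check where the icon path points before deleting the key; after the deletion Explorer only picks up the change once it restarts or the drive is refreshed.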

#13
hwg

hwg

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Here is DrvIconQuery.txt. I do not see where the Jotti report is stored. There is a window with this information below - is that correct or did I do something wrong?

Scan taken on 08 May 2008 16:26:52 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Edited by hwg, 09 May 2008 - 09:32 AM.

  • 0

#14
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
The Jotti report was fine :)

I need to see the DrvIconQuery.txt as an attachment - it is too long to cut and paste onto the forum. See the instructions in my prior post on how to post as an attachment.

andrewuk
  • 0

#15
hwg

hwg

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Sorry, here is the file as an attachment.

Attached Files


  • 0
