Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Wallpaper hijack resolved, but Trojans remain [RESOLVED]

Started by CurryJ , May 06 2008 05:53 PM

  • This topic is locked This topic is locked

#1
CurryJ
Posted 06 May 2008 - 05:53 PM

CurryJ

    Member

  • Member
  • PipPip
  • 22 posts
I have some very bad stuff on my laptop, so bad that the malware prevents me from accessing the geekstogo.com page! I had to use a proxy site to post this.

I have run Malwarebytes which picked up a lot of bad stuff, and quarantined it...Malwarebytes shows no infected files

SuperAntispyware will scan for about 4 minutes, and then PC shuts down and reboots

I used SmitRem to stop the wallpaper hijack: WARNING.; etc...but I am still getting lots of popups.

You guys have been great before; I hope you can help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:52:58 PM, on 5/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Svconr\Svconr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Abide\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: {16ed043a-91ca-ea1b-65a4-a8de444c6cfa} - {afc6c444-ed8a-4a56-b1ae-ac19a340de61} - C:\WINDOWS\system32\cwcwardp.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [986eedeb] rundll32.exe "C:\WINDOWS\system32\hbakumhj.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Svconr] C:\Program Files\Svconr\Svconr.exe
O4 - HKCU\..\Run: [Wfkpvpn] C:\WINDOWS\a?sembly\n?lookup.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://www-307.ibm.c...pport/acpir.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebo...Uploader4_5.cab
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5865 bytes
  • 0

Advertisements

#2
kahdah
Posted 06 May 2008 - 06:41 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello CurryJ

Welcome to G2Go. :)
=====================
The first thing I will need you to do is to Download ONE of these anti-virus programs and install it. (Note if you have an antivirus then disregard the first set of instructions)
These are free.
Avast
or
AVG free 8.0
Note this is free antispyware protection and Antivirus protection.
or
Antivir

as long as you only install one.
======================
Then

Please visit this web page for instructions for downloading and running ComboFix
http://www.bleepingc...to-use-combofix
Post the log from ComboFix when you've accomplished all of that, along with a new HijackThis log.
  • 0

#3
CurryJ
Posted 06 May 2008 - 08:34 PM

CurryJ

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Wonderful, thanks for the speedy reply

I installed avast and ran a combofix log:

ComboFix 08-05-01.3 - Abide 2008-05-06 21:21:33.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.247 [GMT -5:00]
Running from: C:\Documents and Settings\Abide\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Abide\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Abide\My Documents\MCROSO~1
C:\Documents and Settings\Abide\My Documents\MCROSO~1\M?crosoft\
C:\Program Files\ecurit~1
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\asembl~1
C:\WINDOWS\cookies.ini
C:\WINDOWS\default.htm
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\drivers\kbdclasss.sys
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\n3
C:\WINDOWS\system32\pcgamylh.dll
C:\WINDOWS\system32\znpqytnd.dll
C:\WINDOWS\wintst32.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KBDCLASSS
-------\Legacy_MSSECURITY1.209.4
-------\Service_kbdclasss


((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
.

2008-05-06 20:22 . 2008-05-06 20:22 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-06 16:28 . 2008-05-06 16:28 <DIR> d-------- C:\Documents and Settings\Abide\Application Data\Snapfish
2008-05-06 16:28 . 2008-05-06 16:28 1,157 --a------ C:\WINDOWS\mozver.dat
2008-05-03 17:56 . 2008-05-03 17:56 <DIR> d-------- C:\VundoFix Backups
2008-05-03 17:41 . 2008-05-03 17:41 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-03 17:17 . 2008-05-06 20:51 1,695 --a------ C:\WINDOWS\system32\clbinit.dll
2008-05-03 17:10 . 2008-05-06 21:19 <DIR> d-------- C:\Documents and Settings\Abide\Application Data\SUPERAntiSpyware.com
2008-04-28 21:53 . 2008-04-28 21:53 <DIR> d-------- C:\WINDOWS\ukor
2008-04-28 21:53 . 2008-04-28 21:57 <DIR> d-------- C:\Program Files\Common Files\ukor
2008-04-28 20:51 . 2008-04-28 20:51 <DIR> d-------- C:\Documents and Settings\Abide\Application Data\Malwarebytes
2008-04-28 20:50 . 2008-04-28 20:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-28 20:50 . 2008-04-28 20:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-28 19:42 . 2008-04-28 19:42 <DIR> d-------- C:\Program Files\Svconr
2008-04-28 19:36 . 2008-05-06 21:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-28 19:36 . 2008-04-28 19:36 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-28 19:27 . 2008-05-06 20:32 <DIR> d-------- C:\Program Files\RcvSystem
2008-04-28 19:27 . 2008-04-28 21:42 109,783 --a------ C:\WINDOWS\BM9b5dde77.xml
2008-04-26 14:36 . 2008-04-26 14:36 15,086 --a------ C:\WINDOWS\system32\FreePokerBonus.ico
2008-04-26 14:36 . 2008-04-26 14:36 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-04-26 14:36 . 2008-04-26 14:36 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUK.ico
2008-04-26 14:36 . 2008-04-26 14:36 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconFR.ico
2008-04-26 14:24 . 2008-05-03 16:55 1,695 --a------ C:\WINDOWS\system32\clbcfg.dat
2008-04-26 14:14 . 2008-04-28 22:35 <DIR> d-------- C:\WINDOWS\system32\wTMP
2008-04-26 14:14 . 2008-04-26 14:14 <DIR> d-------- C:\WINDOWS\system32\pnVes06
2008-04-26 14:14 . 2008-05-06 20:47 <DIR> d--hs---- C:\WINDOWS\QWJpZGU
2008-04-26 14:14 . 2008-04-26 14:14 <DIR> d-------- C:\Temp\zvebs14
2008-04-26 14:14 . 2008-04-26 14:14 <DIR> d-------- C:\Temp\kvebs14
2008-04-26 14:14 . 2008-05-06 21:21 <DIR> d-------- C:\Temp
2008-04-26 14:14 . 2008-04-26 14:14 400,512 --a------ C:\WINDOWS\system32\g40.exe
2008-04-26 14:14 . 2008-05-03 17:26 167,545 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-04-26 14:14 . 2006-02-28 07:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-26 14:14 . 2008-04-28 19:27 578 --a------ C:\WINDOWS\index.html

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-07 02:19 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-05-06 23:06 --------- d-----w C:\Program Files\PokerStars
2008-03-27 20:09 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-27 20:09 --------- d-----w C:\Documents and Settings\Abide\Application Data\ArcSoft
2008-03-27 20:09 --------- d-----w C:\Documents and Settings\Abide\Application Data\AdobeUM
2008-03-27 20:07 --------- d-----w C:\Program Files\Sanyo
2008-03-27 20:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-27 20:02 --------- d-----w C:\Program Files\ArcSoft
2008-03-27 19:59 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-25 18:27 --------- d-----w C:\Documents and Settings\Abide\Application Data\Apple Computer
2008-03-24 18:36 --------- d-----w C:\Program Files\AIM
2008-03-22 17:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-16 22:14 --------- d-----w C:\Program Files\Viewpoint
2008-03-10 21:56 --------- d-----w C:\Program Files\AOD
2008-03-10 21:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-10 21:56 --------- d-----w C:\Documents and Settings\Abide\Application Data\Aim
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{afc6c444-ed8a-4a56-b1ae-ac19a340de61}]
C:\WINDOWS\system32\cwcwardp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-16 18:49 68856]
"AIM"="C:\PROGRA~1\AIM\aim.exe" [2006-08-01 15:35 67112]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 07:00 15360]
"Svconr"="C:\Program Files\Svconr\Svconr.exe" [2008-04-28 19:42 57344]
"Wfkpvpn"="C:\WINDOWS\a?sembly\n?lookup.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 16:07 61952 C:\WINDOWS\system32\HDAShCut.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2006-08-30 02:40 89542 C:\WINDOWS\AGRSMMSG.exe]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 14:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 14:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 14:17 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 04:22 267048]
"986eedeb"="C:\WINDOWS\system32\hbakumhj.dll" [ ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AIM\\aim.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 13:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 13:35]
S3 TPPWRIF;TPPWRIF;C:\WINDOWS\_tpb0000.tmp\TPPWRIF.sys [2006-09-21 05:53]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-26 02:34:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-06 21:24:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2008-05-06 21:27:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-07 02:27:38

Pre-Run: 67,707,531,264 bytes free
Post-Run: 67,722,096,640 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

170 --- E O F --- 2008-05-06 03:25:42

And here is the HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:41 PM, on 5/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Svconr\Svconr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Abide\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: {16ed043a-91ca-ea1b-65a4-a8de444c6cfa} - {afc6c444-ed8a-4a56-b1ae-ac19a340de61} - C:\WINDOWS\system32\cwcwardp.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [986eedeb] rundll32.exe "C:\WINDOWS\system32\hbakumhj.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Svconr] C:\Program Files\Svconr\Svconr.exe
O4 - HKCU\..\Run: [Wfkpvpn] C:\WINDOWS\a?sembly\n?lookup.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://www-307.ibm.c...pport/acpir.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebo...Uploader4_5.cab
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6413 bytes
  • 0

#4
kahdah
Posted 07 May 2008 - 02:53 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Driver::
clbdriver.sys
Rootkit::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\clbdriver.sys 
File::
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\BM9b5dde77.xml
C:\WINDOWS\system32\FreePokerBonus.ico
C:\WINDOWS\system32\clbcfg.dat
C:\WINDOWS\system32\g40.exe
C:\WINDOWS\index.html
Folder::
C:\VundoFix Backups
C:\WINDOWS\ukor
C:\Program Files\Common Files\ukor
C:\Program Files\Svconr
C:\Program Files\RcvSystem
C:\WINDOWS\system32\wTMP
C:\WINDOWS\system32\pnVes06
C:\WINDOWS\QWJpZGU
C:\Temp\zvebs14
C:\Temp\kvebs14
C:\Program Files\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{afc6c444-ed8a-4a56-b1ae-ac19a340de61}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Svconr"=-
"Wfkpvpn"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"986eedeb"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#5
CurryJ
Posted 07 May 2008 - 08:19 PM

CurryJ

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Thanks for the help; the popups seem to be coming more slower now ( 4 in the last five hours)

Here is the Combofix log after running CFscript

ComboFix 08-05-01.3 - Abide 2008-05-07 21:04:01.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.219 [GMT -5:00]
Running from: C:\Documents and Settings\Abide\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Abide\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BM9b5dde77.xml
C:\WINDOWS\index.html
C:\WINDOWS\system32\clbcfg.dat
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\FreePokerBonus.ico
C:\WINDOWS\system32\g40.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Abide\Local Settings\Temporary Internet Files\bestwiner.stt
C:\Documents and Settings\Abide\Local Settings\Temporary Internet Files\CPV.stt
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
C:\Program Files\Common Files\ukor
C:\Program Files\Common Files\ukor\ukora.lck
C:\Program Files\Common Files\ukor\ukorl.lck
C:\Program Files\Common Files\ukor\ukorm.lck
C:\Program Files\RcvSystem
C:\Program Files\Svconr
C:\Program Files\Svconr\Svconr.exe
C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentMgr.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\VMPVideo.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\VMPVideo2.dll
C:\Temp\kvebs14
C:\Temp\kvebs14\zvKarru.log
C:\Temp\zvebs14
C:\VundoFix Backups
C:\WINDOWS\BM9b5dde77.xml
C:\WINDOWS\index.html
C:\WINDOWS\QWJpZGU
C:\WINDOWS\system32\clbcfg.dat
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\FreePokerBonus.ico
C:\WINDOWS\system32\g40.exe
C:\WINDOWS\system32\pnVes06
C:\WINDOWS\system32\pnVes06\pnVes061083.exe
C:\WINDOWS\system32\wTMP
C:\WINDOWS\ukor
C:\WINDOWS\ukor\ukor.dat
C:\WINDOWS\ukor\wu

.
((((((((((((((((((((((((( Files Created from 2008-04-08 to 2008-05-08 )))))))))))))))))))))))))))))))
.

2008-05-06 20:22 . 2008-05-06 20:22 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-06 16:28 . 2008-05-06 16:28 <DIR> d-------- C:\Documents and Settings\Abide\Application Data\Snapfish
2008-05-06 16:28 . 2008-05-06 16:28 1,157 --a------ C:\WINDOWS\mozver.dat
2008-05-03 17:41 . 2008-05-03 17:41 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-03 17:10 . 2008-05-06 21:19 <DIR> d-------- C:\Documents and Settings\Abide\Application Data\SUPERAntiSpyware.com
2008-04-28 20:51 . 2008-04-28 20:51 <DIR> d-------- C:\Documents and Settings\Abide\Application Data\Malwarebytes
2008-04-28 20:50 . 2008-04-28 20:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-28 20:50 . 2008-04-28 20:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-28 19:36 . 2008-05-07 07:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-28 19:36 . 2008-04-28 19:36 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-26 14:36 . 2008-04-26 14:36 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-04-26 14:36 . 2008-04-26 14:36 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUK.ico
2008-04-26 14:36 . 2008-04-26 14:36 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconFR.ico
2008-04-26 14:14 . 2008-05-07 21:04 <DIR> d-------- C:\Temp
2008-04-26 14:14 . 2006-02-28 07:00 4,224 --a------ C:\WINDOWS\system32\beep.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-07 02:43 --------- d-----w C:\Program Files\PokerStars
2008-05-07 02:19 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-27 20:09 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-27 20:09 --------- d-----w C:\Documents and Settings\Abide\Application Data\ArcSoft
2008-03-27 20:09 --------- d-----w C:\Documents and Settings\Abide\Application Data\AdobeUM
2008-03-27 20:07 --------- d-----w C:\Program Files\Sanyo
2008-03-27 20:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-27 20:02 --------- d-----w C:\Program Files\ArcSoft
2008-03-27 19:59 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-25 18:27 --------- d-----w C:\Documents and Settings\Abide\Application Data\Apple Computer
2008-03-24 18:36 --------- d-----w C:\Program Files\AIM
2008-03-22 17:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-10 21:56 --------- d-----w C:\Program Files\AOD
2008-03-10 21:56 --------- d-----w C:\Documents and Settings\Abide\Application Data\Aim
.

((((((((((((((((((((((((((((( snapshot@2008-05-06_21.27.29.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-07 02:24:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-08 02:06:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-08 02:07:05 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_66c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-16 18:49 68856]
"AIM"="C:\PROGRA~1\AIM\aim.exe" [2006-08-01 15:35 67112]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 16:07 61952 C:\WINDOWS\system32\HDAShCut.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2006-08-30 02:40 89542 C:\WINDOWS\AGRSMMSG.exe]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 14:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 14:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 14:17 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 04:22 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AIM\\aim.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 13:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 13:35]
S3 TPPWRIF;TPPWRIF;C:\WINDOWS\_tpb0000.tmp\TPPWRIF.sys [2006-09-21 05:53]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-26 02:34:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 21:07:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\igfxsrvc.exe
.
**************************************************************************
.

Here is the latest HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:04 PM, on 5/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Abide\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://www-307.ibm.c...pport/acpir.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebo...Uploader4_5.cab
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6001 bytes
  • 0

#6
kahdah
Posted 07 May 2008 - 08:47 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please submit the following file to one of these online file scanners.
(All you have to do is copy and paste it in)

C:\WINDOWS\_tpb0000.tmp\TPPWRIF.sys

Jotti File Scan
VirusTotal File Scan

This will produce a report after the scan is complete, please copy and paste those results in your next post.
  • 0

#7
CurryJ
Posted 08 May 2008 - 06:14 AM

CurryJ

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Service load:
0% 100%
File: TPPWRIF.sys_
Status:
OK
MD5: 44672de6cea9569c21c4b7a8d2560750
Packers detected:
-
Bit9 reports:
Scanner results
Scan taken on 08 May 2008 12:12:30 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
  • 0

#8
kahdah
Posted 08 May 2008 - 09:54 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.
  • 0

#9
CurryJ
Posted 08 May 2008 - 10:55 PM

CurryJ

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Ok, having a little trouble with instructions...

I clicked on gmer link, and was given a choice of several files to view/download.

I downloaded gmer.zip (740 kb)

When I unzipped there was gmer.exe

clicking that I found a "Rootkit/Malware" tab

There were 11 boxes on the right side, but none of them were "Show all"

Scan button is not working

(Ok I eventually found it by clicking the boxes on the right on and off, and clicking on Save button)

Here is the Gmer scan

GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-05-08 23:54:31
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xAAC6BD98]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xAAC6BCB8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xAAC6C12A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAAC6B8AA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xAAC6BD2E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAAC6B7C8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xAAC6B83C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAAC6BE42]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAAC6BE02]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xAAC6BF84]

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\system32\services.exe[888] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00370002
IAT C:\WINDOWS\system32\services.exe[888] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00370000

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- EOF - GMER 1.0.14 ----
  • 0

#10
kahdah
Posted 09 May 2008 - 10:04 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
====================
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as button:
  • Save the file in txt format to your desktop.
  • Post that information in your next post.

  • 0

Advertisements

#11
CurryJ
Posted 09 May 2008 - 07:10 PM

CurryJ

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, May 09, 2008 8:07:54 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/05/2008
Kaspersky Anti-Virus database records: 750464
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 30215
Number of viruses found: 14
Number of infected objects: 26
Number of suspicious objects: 0
Duration of the scan process: 00:21:23

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Abide\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.35290/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\Documents and Settings\Abide\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.35290 NSIS: infected - 1 skipped
C:\Documents and Settings\Abide\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.81056 Infected: Trojan-Downloader.Win32.Homles.bj skipped
C:\Documents and Settings\Abide\Application Data\Mozilla\Firefox\Profiles\wpawla92.default\cert8.db Object is locked skipped
C:\Documents and Settings\Abide\Application Data\Mozilla\Firefox\Profiles\wpawla92.default\history.dat Object is locked skipped
C:\Documents and Settings\Abide\Application Data\Mozilla\Firefox\Profiles\wpawla92.default\key3.db Object is locked skipped
C:\Documents and Settings\Abide\Application Data\Mozilla\Firefox\Profiles\wpawla92.default\parent.lock Object is locked skipped
C:\Documents and Settings\Abide\Application Data\Mozilla\Firefox\Profiles\wpawla92.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Abide\Application Data\Mozilla\Firefox\Profiles\wpawla92.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Abide\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Abide\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Abide\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Abide\Local Settings\Application Data\Mozilla\Firefox\Profiles\wpawla92.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Abide\Local Settings\Application Data\Mozilla\Firefox\Profiles\wpawla92.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Abide\Local Settings\Application Data\Mozilla\Firefox\Profiles\wpawla92.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Abide\Local Settings\Application Data\Mozilla\Firefox\Profiles\wpawla92.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Abide\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Abide\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Abide\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Abide\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswAr.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\Svconr\Svconr.exe.vir Infected: not-a-virus:AdWare.Win32.Rond.e skipped
C:\QooBox\Quarantine\C\WINDOWS\default.htm.vir Infected: not-virus:Hoax.HTML.Secureinvites.b skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\clbdll.dll.vir Infected: Trojan.Win32.Agent.lkz skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\g40.exe.vir/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.bkz skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\g40.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Agent.bkz skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\g40.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pnVes06\pnVes061083.exe.vir Infected: Trojan-Downloader.Win32.VB.ebf skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{27E24B6B-ADCC-485A-A673-19E8DC08D656}\RP120\A0024046.exe Infected: Worm.Win32.Socks.ff skipped
C:\System Volume Information\_restore{27E24B6B-ADCC-485A-A673-19E8DC08D656}\RP120\A0026060.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{27E24B6B-ADCC-485A-A673-19E8DC08D656}\RP120\A0026060.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{27E24B6B-ADCC-485A-A673-19E8DC08D656}\RP120\A0026061.exe Infected: Trojan-Downloader.Win32.PurityScan.gb skipped
C:\System Volume Information\_restore{27E24B6B-ADCC-485A-A673-19E8DC08D656}\RP120\A0027051.sys Infected: Rootkit.Win32.Agent.aii skipped
C:\System Volume Information\_restore{27E24B6B-ADCC-485A-A673-19E8DC08D656}\RP121\A0027066.exe Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\System Volume Information\_restore{27E24B6B-ADCC-485A-A673-19E8DC08D656}\RP121\A0027074.dll Infected: not-a-virus:AdWare.Win32.Agent.bkz skipped
C:\System Volume Information\_restore{27E24B6B-ADCC-485A-A673-19E8DC08D656}\RP121\A0027080.old Infected: Trojan-Downloader.Win32.Small.ixt skipped
C:\System Volume Information\_restore{27E24B6B-ADCC-485A-A673-19E8DC08D656}\RP121\A0028173.exe Infected: Trojan.Win32.Agent.lke skipped
C:\System Volume Information\_restore{27E24B6B-ADCC-485A-A673-19E8DC08D656}\RP123\A0029184.old Infected: Trojan-Downloader.Win32.Small.uzg skipped
C:\System Volume Information\_restore{27E24B6B-ADCC-485A-A673-19E8DC08D656}\RP126\A0033301.vbs Object is locked skipped
C:\System Volume Information\_restore{27E24B6B-ADCC-485A-A673-19E8DC08D656}\RP128\A0033352.dll Infected: Trojan.Win32.Agent.lkz skipped
C:\System Volume Information\_restore{27E24B6B-ADCC-485A-A673-19E8DC08D656}\RP130\A0033433.exe Infected: not-a-virus:AdWare.Win32.Rond.e skipped
C:\System Volume Information\_restore{27E24B6B-ADCC-485A-A673-19E8DC08D656}\RP130\A0033447.exe Infected: Trojan-Downloader.Win32.VB.ebf skipped
C:\System Volume Information\_restore{27E24B6B-ADCC-485A-A673-19E8DC08D656}\RP130\A0033450.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.bkz skipped
C:\System Volume Information\_restore{27E24B6B-ADCC-485A-A673-19E8DC08D656}\RP130\A0033450.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.bkz skipped
C:\System Volume Information\_restore{27E24B6B-ADCC-485A-A673-19E8DC08D656}\RP130\A0033450.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{27E24B6B-ADCC-485A-A673-19E8DC08D656}\RP132\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\spool\PRINTERS\FP00000.SHD Object is locked skipped
C:\WINDOWS\system32\spool\PRINTERS\FP00000.SPL Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\temp\Perflib_Perfdata_66c.dat Object is locked skipped
C:\WINDOWS\temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
  • 0

#12
kahdah
Posted 09 May 2008 - 08:19 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image

Also uninstall Malwarebytes' Anti-Malware.
===============================
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Post that log in your next reply.

(Note if you cannot open the log it produces then right click on it and choose rename.
Rename it to .txt and you will be able to open it)
  • 0

#13
CurryJ
Posted 11 May 2008 - 01:00 PM

CurryJ

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Dr Web Log

QUAR1.81056;C:\Documents and Settings\Abide\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine;Trojan.DownLoader.59088;Deleted.;
Process.exe;C:\Documents and Settings\Abide\Desktop\Malware Utilities\smitRem;Tool.Prockill;;
pv.exe;C:\Documents and Settings\Abide\Desktop\Malware Utilities\smitRem;Program.PrcView.3741;;
PortableVaultInstallerMemorexV2051.exe;C:\Documents and Settings\Abide\My Documents\My Music;Adware.SearchTwo.36;;
  • 0

#14
CurryJ
Posted 11 May 2008 - 01:50 PM

CurryJ

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Regarding those four "trouble areas" on the Dr. Web log, I clicked on them and "cured" as much as I could.

I ran another Dr. Web scan and got the "no viruses" message.

Looking good so far, and haven't had any pop-ups in a good while.
  • 0

#15
kahdah
Posted 11 May 2008 - 02:02 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Great go ahead and delete Dr web.
Also there will be a folder it will be in your My Documents folder called Dr.web also delete that.
==============================
After that please update your Java:
Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

Ugrading Java:After that
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
===============================
System Restore
Then I will need you to reset your System Restore points.
The link below shows how to create a clean restore point.
How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb/310405/en-us
=====================================
After that your log is clean. :)

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy-Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Ad-Aware-Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

Spywareguard-Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

IE-SPYAD- puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Tony Klein article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP