
WinIFixer has messed up my computer! Won't Uninstall or go awa


This topic is locked.

#16 sunny441 (Member, Topic Starter, 258 posts)
GreyKnight:

I am listing the last 5 objects that it found.

Please note that all these objects were found in the same location: C:\Documents and Settings\All Users\Documents
All of these had the same file size of 70 KB.
Under Healable it says NO.

Also AVG clearly says that this is IWORM/RORON and has been identified!

Anyway here are the last 5 files that were found:
PCdudes3d.exe
SexSpy3d.exe
PCdudes[rated].exe
Strip Kounikova.exe
Britney Suxx.exe

Once again, these files were in the same location and each one was the same size.

These were found a few days apart; the last time a file was found was 5/17/2008, and usually the files are found 3 days apart, as far as I can see from the reports.

Hope that helps!

#17 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Let's try one more virus scanner to see if it picks anything up:

Make sure you turn off any antivirus programs you have running while performing the online scan below. Using Internet Explorer, run a virus scan at http://www.kaspersky.com/virusscanner. Click on 'Launch Kaspersky Anti-Virus Web Scanner' and install the ActiveX component from Kaspersky. Click Yes and it will begin downloading the latest definition files. Once that's done, click on 'Scan Settings' and make sure the following are selected:

Scan using the following Anti-Virus database:
- Extended

Scan Options:
- Scan Archives
- Scan Mail Bases

Click OK. Now under select a target to scan, select 'My Computer'. It will start and scan your system. The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected. Now click on the 'Save as Text' button. Save the file to your desktop. Copy and paste that information in your next post.

Go to Start->Run, type in win.ini and hit OK. A notepad file should open up. Copy and paste the entire contents of that file here. Then go back to Start->Run and type in wininit.ini and hit OK. Post the contents of that file here also.

#18 sunny441 (Member, Topic Starter, 258 posts)
Grey Knight:

I ran the scan; Kaspersky does pick up the file in My Documents!!

I am posting the entire log below. Also posted is the Win.ini file. However, the WININIT.INI file was not found (or so the computer said), and I am unable to post the contents here! :)

Anyway, here is the Kaspersky log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 20, 2008 23:51:24
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/05/2008
Kaspersky Anti-Virus database records: 788663
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 75085
Number of viruses found: 3
Number of infected objects: 2
Number of suspicious objects: 2
Duration of the scan process: 01:06:28

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Documents\Sexy Teens Desktop (Eng).exe Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Sudhir J. Kamath\Application Data\Mozilla\Firefox\Profiles\kiwl8ovg.default\cert8.db Object is locked skipped
C:\Documents and Settings\Sudhir J. Kamath\Application Data\Mozilla\Firefox\Profiles\kiwl8ovg.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Sudhir J. Kamath\Application Data\Mozilla\Firefox\Profiles\kiwl8ovg.default\history.dat Object is locked skipped
C:\Documents and Settings\Sudhir J. Kamath\Application Data\Mozilla\Firefox\Profiles\kiwl8ovg.default\key3.db Object is locked skipped
C:\Documents and Settings\Sudhir J. Kamath\Application Data\Mozilla\Firefox\Profiles\kiwl8ovg.default\parent.lock Object is locked skipped
C:\Documents and Settings\Sudhir J. Kamath\Application Data\Mozilla\Firefox\Profiles\kiwl8ovg.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Sudhir J. Kamath\Application Data\Mozilla\Firefox\Profiles\kiwl8ovg.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Sudhir J. Kamath\Application Data\Mozilla\Firefox\Profiles\kiwl8ovg.default\webappsstore.sqlite Object is locked skipped
C:\Documents and Settings\Sudhir J. Kamath\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Sudhir J. Kamath\Local Settings\Application Data\Identities\{30E12251-E5EC-43F8-9A4D-B6AA3A5D3ABA}\Microsoft\Outlook Express\Sunny's Gmail - Sent Items.dbx/[From "Sunny" <[email protected]>][Date Mon, 11 Feb 2008 17:00:12 -0500]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Sudhir J. Kamath\Local Settings\Application Data\Identities\{30E12251-E5EC-43F8-9A4D-B6AA3A5D3ABA}\Microsoft\Outlook Express\Sunny's Gmail - Sent Items.dbx MailMSOutlook5: suspicious - 1 skipped
C:\Documents and Settings\Sudhir J. Kamath\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Sudhir J. Kamath\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Sudhir J. Kamath\Local Settings\Application Data\Mozilla\Firefox\Profiles\kiwl8ovg.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Sudhir J. Kamath\Local Settings\Application Data\Mozilla\Firefox\Profiles\kiwl8ovg.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Sudhir J. Kamath\Local Settings\Application Data\Mozilla\Firefox\Profiles\kiwl8ovg.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Sudhir J. Kamath\Local Settings\Application Data\Mozilla\Firefox\Profiles\kiwl8ovg.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Sudhir J. Kamath\Local Settings\Application Data\Yahoo\Y!Msgr\merlin.log Object is locked skipped
C:\Documents and Settings\Sudhir J. Kamath\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sudhir J. Kamath\Local Settings\History\History.IE5\MSHist012008052020080521\index.dat Object is locked skipped
C:\Documents and Settings\Sudhir J. Kamath\Local Settings\Temp\fla5F9.tmp Object is locked skipped
C:\Documents and Settings\Sudhir J. Kamath\Local Settings\Temp\Perflib_Perfdata_874.dat Object is locked skipped
C:\Documents and Settings\Sudhir J. Kamath\Local Settings\Temp\Perflib_Perfdata_de4.dat Object is locked skipped
C:\Documents and Settings\Sudhir J. Kamath\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sudhir J. Kamath\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Sudhir J. Kamath\ntuser.dat.LOG Object is locked skipped
C:\Program Files\TightVNC\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
C:\Program Files\TightVNC\WinVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h skipped
C:\Program Files\Yahoo!\Messenger\logs\billing_Sudhir J. Kamath.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\client_Sudhir J. Kamath.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\network_Sudhir J. Kamath.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\performance_build_907.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\voice_Sudhir J. Kamath_0.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\ycp_Sudhir J. Kamath.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{98EE3EB9-DAF1-4345-AF3F-F21EB25F9731}\RP1\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{98EE3EB9-DAF1-4345-AF3F-F21EB25F9731}\RP1\change.log Object is locked skipped

Scan process completed.



Here is the WIN.INI file:
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
MAPIX=1
CMC=1
CMCDLLNAME=mapi.dll
CMCDLLNAME32=mapi32.dll
MAPIXVER=1.0.0.1
OLEMessaging=1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo
asx=MPEGVideo
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo
wm=MPEGVideo
wma=MPEGVideo
wmv=MPEGVideo
wmx=MPEGVideo
wpl=MPEGVideo
wvx=MPEGVideo
[SciCalc]
layout=1
[ActiveScan]
ID = {97444AA2-61E8-48FE-B9DF-EA445AAAED67}


once again, WININIT.INI file was not found!

#19 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
I don't see it in the log. Where is it listed in the Kaspersky log?

The only two problems I see from the scan are the two files in your Sent Items box in Outlook Express. You can just delete them (don't open them).
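The point made in this reply, that most lines of a Kaspersky Online Scanner report are "Object is locked skipped" entries rather than detections, is easy to check mechanically. The following is an added example, not code from the thread or from Kaspersky; it parses a constructed sample in the same line shape as the report posted above and separates real findings (Infected, Suspicious, mailbox containers) from locked-object noise and from "not-a-virus" riskware such as the VNC components.

```python
"""Triage a Kaspersky Online Scanner 5 report.

Added example (not from the thread or from Kaspersky): separate genuine
detections from "Object is locked skipped" noise. The sample below is
constructed to mirror the line shape of the report posted in the thread."""
import re

# Constructed sample; {GUID}, "User" and the e-mail address are placeholders.
SAMPLE_REPORT = r"""Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Documents\Sample Desktop (Eng).exe Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Identities\{GUID}\Microsoft\Outlook Express\Sent Items.dbx/[From "User" <user@example.com>][Date Mon, 11 Feb 2008 17:00:12 -0500]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\User\Local Settings\Application Data\Identities\{GUID}\Microsoft\Outlook Express\Sent Items.dbx MailMSOutlook5: suspicious - 1 skipped
C:\Program Files\TightVNC\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped

Scan process completed.
"""

# One object line is "<path> <verdict> <last action>". The path may contain
# spaces and "/"-separated sub-objects (a mail body inside a .dbx), so it is
# matched lazily while the verdict and action are anchored at the line end.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:(?P<locked>Object is locked)"
    r"|Infected: (?P<infected>\S+)"
    r"|Suspicious: (?P<suspicious>\S+)"
    r"|(?P<container>\w+): suspicious - (?P<count>\d+)) "
    r"(?P<action>skipped|deleted|disinfected|quarantined)$"
)


def classify_line(line):
    """Return a record for one object line, or None for headers and blank lines."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    if m.group("locked"):
        category, name = "locked", None  # the scanner never looked inside it
    elif m.group("infected"):
        name = m.group("infected")
        # Kaspersky prefixes dual-use tools (VNC, remote admin) with "not-a-virus:"
        category = "riskware" if name.startswith("not-a-virus:") else "infected"
    elif m.group("suspicious"):
        category, name = "suspicious", m.group("suspicious")
    else:  # mailbox/archive container summary line
        category = "suspicious"
        name = "%s container, %s suspicious item(s)" % (m.group("container"), m.group("count"))
    return {"path": m.group("path"), "category": category,
            "name": name, "action": m.group("action")}


def triage(report_text):
    """Bucket every object line of the report by category."""
    buckets = {"infected": [], "suspicious": [], "riskware": [], "locked": []}
    for line in report_text.splitlines():
        rec = classify_line(line)
        if rec:
            buckets[rec["category"]].append(rec)
    return buckets


def needs_action(report_text):
    """Real detections the scanner only skipped: these still need a decision."""
    b = triage(report_text)
    return [r for cat in ("infected", "suspicious") for r in b[cat] if r["action"] == "skipped"]


def summary(report_text):
    """Count of objects per category."""
    return {cat: len(recs) for cat, recs in triage(report_text).items()}


if __name__ == "__main__":
    for cat, n in summary(SAMPLE_REPORT).items():
        print("%-10s %d" % (cat, n))
    for r in needs_action(SAMPLE_REPORT):
        print("ACTION:", r["name"], "->", r["path"])
```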

#20 sunny441 (Member, Topic Starter, 258 posts)
Hello:

6th item down on the Kaspersky log list.

C:\Documents and Settings\All Users\Documents\Sexy Teens Desktop (Eng).exe Object is locked skipped
--> I looked in my documents folder and found nothing. What do I do?

Also, what about the wininit.ini file?

#21 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

DirLook::
C:\Documents and Settings\All Users\Documents\
File::
C:\Documents and Settings\All Users\Documents\Sexy Teens Desktop (Eng).exe

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

What happens when you go to Start->Run, copy/paste in wininit.ini and hit OK? Does it give you an error or open up a notepad file?

#22 sunny441 (Member, Topic Starter, 258 posts)
Yes, it gives me an error when I try Wininit.ini.

Also, I deleted the entire directory where Kaspersky found the stuff - in sent mail.
Also, while I was doing this it found another file in the My Documents location.

Edited by sunny441, 21 May 2008 - 07:26 PM.


#23 sunny441 (Member, Topic Starter, 258 posts)
Here is the new ComboFix log:

ComboFix found 3 files (put them in bold) in there. Moments later AVG came on and said it HEALED the 3 items. At this point I am just tempted to re-install my OS.

ComboFix 08-05-21.2 - Sudhir J. Kamath 2008-05-21 21:28:58.3 - NTFSx86
Running from: C:\Documents and Settings\Sudhir J. Kamath\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sudhir J. Kamath\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\All Users\Documents\Sexy Teens Desktop (Eng).exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Documents\Sexy Teens Desktop (Eng).exe

.
((((((((((((((((((((((((( Files Created from 2008-04-22 to 2008-05-22 )))))))))))))))))))))))))))))))
.

2008-05-20 22:26 . 2008-05-20 22:26 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-20 22:26 . 2008-05-20 22:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-18 01:30 . 2008-05-18 01:30 284 --a------ C:\Shortcut to Andromeda (D).lnk
2008-05-17 23:25 . 2008-05-17 23:25 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-12 15:59 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-12 15:59 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-06 20:45 . 2008-05-06 20:45 <DIR> d-------- C:\Program Files\DialIdol.com
2008-04-22 23:32 . 2008-04-24 19:14 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-22 01:14 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\.gaim
2008-05-21 01:11 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\BitTorrent
2008-05-20 12:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-05-19 04:47 --------- d-----w C:\Program Files\Nexus
2008-05-18 02:13 --------- d-----w C:\Program Files\FileZilla
2008-05-18 02:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-18 02:11 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\InstallShield
2008-05-12 19:59 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-05-07 01:35 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\Skype
2008-05-03 19:08 --------- d-----w C:\Program Files\DOSBox-0.72
2008-05-01 15:40 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-23 02:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-04-21 02:19 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\Malwarebytes
2008-04-21 02:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-20 19:34 --------- d-----w C:\Program Files\CONEXANT
2008-04-12 23:20 --------- d-----w C:\Program Files\Numericon
2008-04-10 02:11 --------- d-----w C:\Program Files\Trend Micro
2008-04-09 21:20 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-09 21:17 --------- d-----w C:\Program Files\Microsoft.NET
2008-04-07 03:12 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\U3
2008-04-03 12:58 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\AVG7
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-26 01:58 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-25 04:36 --------- d-----w C:\Program Files\Windows Live
2008-03-25 04:35 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-25 04:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-24 22:44 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-24 20:01 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2008-03-23 02:31 127 ---ha-w C:\Documents and Settings\All Users\Application Data\emopts.dat
2008-03-23 02:31 --------- d--h--w C:\Documents and Settings\All Users\Application Data\sacache
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-12 05:45 39,888 ----a-w C:\Documents and Settings\Sudhir J. Kamath\Application Data\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\All Users\Documents\ ----

2008-05-17 22:09 7680 --ahs---- C:\Documents and Settings\All Users\Documents\\My Pictures\Sample Pictures\Thumbs.db
2008-03-13 20:09 129 --ahs---- C:\Documents and Settings\All Users\Documents\\desktop.ini
2007-04-09 00:10 696 --ah----- C:\Documents and Settings\All Users\Documents\\os848618.bin
2006-12-01 19:07 70 --ahs---- C:\Documents and Settings\All Users\Documents\\My Music\Sample Music\desktop.ini
2006-12-01 19:07 42 --ahs---- C:\Documents and Settings\All Users\Documents\\My Pictures\Sample Pictures\desktop.ini
2006-12-01 19:07 151 --ahs---- C:\Documents and Settings\All Users\Documents\\My Music\Desktop.ini
2006-12-01 19:07 150 --ahs---- C:\Documents and Settings\All Users\Documents\\My Pictures\Desktop.ini
2006-12-01 19:03 151 --ahs---- C:\Documents and Settings\All Users\Documents\\My Videos\Desktop.ini
2004-08-04 08:00 83794 --a------ C:\Documents and Settings\All Users\Documents\\My Pictures\Sample Pictures\Water lilies.jpg
2004-08-04 08:00 789 --a------ C:\Documents and Settings\All Users\Documents\\My Music\Sample Playlists\000BEB93\Plylst11.wpl
2004-08-04 08:00 787 --a------ C:\Documents and Settings\All Users\Documents\\My Music\Sample Playlists\000BEB93\Plylst10.wpl
2004-08-04 08:00 784 --a------ C:\Documents and Settings\All Users\Documents\\My Music\Sample Playlists\000BEB93\Plylst9.wpl
2004-08-04 08:00 783 --a------ C:\Documents and Settings\All Users\Documents\\My Music\Sample Playlists\000BEB93\Plylst13.wpl
2004-08-04 08:00 775 --a------ C:\Documents and Settings\All Users\Documents\\My Music\Sample Playlists\000BEB93\Plylst14.wpl
2004-08-04 08:00 760748 --a------ C:\Documents and Settings\All Users\Documents\\My Music\Sample Music\New Stories (Highway Blues).wma
2004-08-04 08:00 733 --a------ C:\Documents and Settings\All Users\Documents\\My Music\Sample Playlists\000BEB93\Plylst15.wpl
2004-08-04 08:00 71189 --a------ C:\Documents and Settings\All Users\Documents\\My Pictures\Sample Pictures\Sunset.jpg
2004-08-04 08:00 613638 --a------ C:\Documents and Settings\All Users\Documents\\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
2004-08-04 08:00 28521 --a------ C:\Documents and Settings\All Users\Documents\\My Pictures\Sample Pictures\Blue hills.jpg
2004-08-04 08:00 1477 --a------ C:\Documents and Settings\All Users\Documents\\My Music\Sample Playlists\000BEB93\Plylst6.wpl
2004-08-04 08:00 1477 --a------ C:\Documents and Settings\All Users\Documents\\My Music\Sample Playlists\000BEB93\Plylst5.wpl
2004-08-04 08:00 1474 --a------ C:\Documents and Settings\All Users\Documents\\My Music\Sample Playlists\000BEB93\Plylst3.wpl
2004-08-04 08:00 1451 --a------ C:\Documents and Settings\All Users\Documents\\My Music\Sample Playlists\000BEB93\Plylst12.wpl
2004-08-04 08:00 1448 --a------ C:\Documents and Settings\All Users\Documents\\My Music\Sample Playlists\000BEB93\Plylst4.wpl
2004-08-04 08:00 1250 --a------ C:\Documents and Settings\All Users\Documents\\My Music\Sample Playlists\000BEB93\Plylst1.wpl
2004-08-04 08:00 105542 --a------ C:\Documents and Settings\All Users\Documents\\My Pictures\Sample Pictures\Winter.jpg
2004-08-04 08:00 1049 --a------ C:\Documents and Settings\All Users\Documents\\My Music\Sample Playlists\000BEB93\Plylst2.wpl
2004-08-04 08:00 1046 --a------ C:\Documents and Settings\All Users\Documents\\My Music\Sample Playlists\000BEB93\Plylst7.wpl
2004-08-04 08:00 1036 --a------ C:\Documents and Settings\All Users\Documents\\My Music\Sample Playlists\000BEB93\Plylst8.wpl
2004-06-17 22:24 71680 --ah----- C:\Documents and Settings\All Users\Documents\\VirtualRape(Rated).exe
2004-06-17 22:24 71680 --ah----- C:\Documents and Settings\All Users\Documents\\Sexy Teens Desktop (Eng).exe
2004-06-17 22:24 71680 --ah----- C:\Documents and Settings\All Users\Documents\\Hot Blondies(sHow).exe



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 04:40 218032]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 19:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 19:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 19:10 114688]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-01 13:48 1392640]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-17 21:09 579584]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 18:32 221184]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogOff"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-03-04 00:01 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\Program Files\ffdshow\ffdshow.ax

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\K1RFD\\EchoLink\\EchoLink.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

S3 tifm;tifm;C:\WINDOWS\system32\drivers\tifm.sys [2006-07-21 12:42]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caee2460-c11e-11db-950b-000f1fb14a4f}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f226da10-54f6-11dc-957f-000f1fb14a4f}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 21:32:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-21 21:34:14
ComboFix-quarantined-files.txt 2008-05-22 01:33:48
ComboFix2.txt 2008-05-18 05:29:07

Pre-Run: 10,958,458,880 bytes free
Post-Run: 10,950,221,824 bytes free

157 --- E O F --- 2008-05-16 05:09:50


#24 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
In the C:\Documents and Settings\All Users\ folder is there a folder called Shared Documents or My Documents instead of just the folder called Documents?

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

File::
C:\Documents and Settings\All Users\Application Data\emopts.dat
C:\Documents and Settings\All Users\Documents\os848618.bin
C:\Documents and Settings\All Users\Documents\VirtualRape(Rated).exe
C:\Documents and Settings\All Users\Documents\Sexy Teens Desktop (Eng).exe
C:\Documents and Settings\All Users\Documents\Hot Blondies(sHow).exe
Folder::
C:\Documents and Settings\All Users\Application Data\sacache

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

See if that fixes the problem. If not and you don't want to spend any more time on this, you may backup your data and reinstall Windows....
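The files selected for the CFScript above come straight from the DirLook section of the previous ComboFix log: three hidden executables of identical size and timestamp under lure names, plus a hidden .bin that is not normal folder metadata. The following is an added example, not code from the thread or from ComboFix; it parses a constructed listing in the same "---- Directory of ... ----" format (neutral names, with os848618.bin kept from the posted log) and flags exactly those patterns.

```python
"""Flag suspicious entries in a ComboFix DirLook:: listing.

Added example (not from the thread or from ComboFix): parse the
"---- Directory of ... ----" section and flag hidden executables, hidden
files that are not ordinary folder metadata, and executables that share
one size and one timestamp (a worm dropping copies under lure names).
The listing below is constructed in the posted format with neutral names."""
import re
from collections import defaultdict

# Constructed sample in the DirLook line shape: <date time> <size> <attrs> <path>.
SAMPLE_LOOK = r"""---- Directory of C:\Documents and Settings\All Users\Documents\ ----

2008-05-17 22:09 7680 --ahs---- C:\Documents and Settings\All Users\Documents\\My Pictures\Sample Pictures\Thumbs.db
2008-03-13 20:09 129 --ahs---- C:\Documents and Settings\All Users\Documents\\desktop.ini
2007-04-09 00:10 696 --ah----- C:\Documents and Settings\All Users\Documents\\os848618.bin
2008-03-01 10:00 45056 --a------ C:\Documents and Settings\All Users\Documents\\Setup Helper.exe
2004-08-04 08:00 83794 --a------ C:\Documents and Settings\All Users\Documents\\My Pictures\Sample Pictures\Water lilies.jpg
2004-06-17 22:24 71680 --ah----- C:\Documents and Settings\All Users\Documents\\Free Wallpapers(sHow).exe
2004-06-17 22:24 71680 --ah----- C:\Documents and Settings\All Users\Documents\\Screensaver Pack (Eng).exe
2004-06-17 22:24 71680 --ah----- C:\Documents and Settings\All Users\Documents\\Funny Clip(Rated).exe
"""

# Only DirLook lines have "<size> <9-char attribute string>" after the timestamp;
# the "Files Created" and "Find3M" sections use a different shape and are skipped.
LOOK_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>\d+)\s+"
    r"(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$"
)
EXEC_EXT = {"exe", "scr", "pif", "com", "bat", "cmd"}
# Hidden files Windows keeps in ordinary folders; not interesting on their own.
FOLDER_METADATA = {"desktop.ini", "thumbs.db"}


def parse_look(text):
    """Return one dict per DirLook entry (ts, size, attrs, path)."""
    entries = []
    for line in text.splitlines():
        m = LOOK_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            entries.append(e)
    return entries


def basename(path):
    """Last path component of a Windows path (tolerates the doubled '\\' ComboFix prints)."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]


def is_executable(path):
    parts = basename(path).rsplit(".", 1)
    return len(parts) == 2 and parts[1].lower() in EXEC_EXT


def is_hidden(attrs):
    # In the ComboFix attribute string 'a' is archive, 'h' hidden, 's' system.
    return "h" in attrs


def flag_suspicious(entries):
    """Return (hidden executables, other hidden non-metadata files, size+time clusters)."""
    hidden_exes = [e for e in entries if is_hidden(e["attrs"]) and is_executable(e["path"])]
    hidden_other = [e for e in entries
                    if is_hidden(e["attrs"]) and not is_executable(e["path"])
                    and basename(e["path"]).lower() not in FOLDER_METADATA]
    groups = defaultdict(list)
    for e in entries:
        if is_executable(e["path"]):
            groups[(e["size"], e["ts"])].append(e["path"])
    # Two or more executables with the same size and stamp: copies of one dropper.
    clusters = {k: v for k, v in groups.items() if len(v) >= 2}
    return hidden_exes, hidden_other, clusters


if __name__ == "__main__":
    hx, ho, cl = flag_suspicious(parse_look(SAMPLE_LOOK))
    for e in hx:
        print("hidden executable:", basename(e["path"]))
    for e in ho:
        print("hidden non-metadata file:", basename(e["path"]))
    for (size, ts), paths in cl.items():
        print("cluster %d bytes @ %s: %d files" % (size, ts, len(paths)))
```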

#25 sunny441 (Member, Topic Starter, 258 posts)
Hello:

The path and the files that you are asking me to delete have been deleted by AVG already. All the files in the My Documents folder have been deleted already. I will try this again and I will post the ComboFix log.

#26 sunny441 (Member, Topic Starter, 258 posts)
Here is the new ComboFix log:

ComboFix 08-05-21.2 - Sudhir J. Kamath 2008-05-23 19:41:02.4 - NTFSx86
Running from: C:\Documents and Settings\Sudhir J. Kamath\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sudhir J. Kamath\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\All Users\Application Data\emopts.dat
C:\Documents and Settings\All Users\Documents\Hot Blondies(sHow).exe
C:\Documents and Settings\All Users\Documents\os848618.bin
C:\Documents and Settings\All Users\Documents\Sexy Teens Desktop (Eng).exe
C:\Documents and Settings\All Users\Documents\VirtualRape(Rated).exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\emopts.dat
C:\Documents and Settings\All Users\Application Data\sacache
C:\Documents and Settings\All Users\Application Data\sacache\5\c1.log
C:\Documents and Settings\All Users\Application Data\sacache\5\c2.log
C:\Documents and Settings\All Users\Application Data\sacache\5\c3.log
C:\Documents and Settings\All Users\Application Data\sacache\5\c4.log
C:\Documents and Settings\All Users\Application Data\sacache\7\1.log
C:\Documents and Settings\All Users\Application Data\sacache\7\2.log
C:\Documents and Settings\All Users\Application Data\sacache\7\3.log
C:\Documents and Settings\All Users\Application Data\sacache\7\index.dat
C:\Documents and Settings\All Users\Documents\os848618.bin

.
((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 )))))))))))))))))))))))))))))))
.

2008-05-21 22:02 . 2008-05-21 22:02 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-21 22:02 . 2008-05-21 22:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-20 22:26 . 2008-05-20 22:26 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-20 22:26 . 2008-05-20 22:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-17 23:25 . 2008-05-17 23:25 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-12 15:59 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-12 15:59 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-06 20:45 . 2008-05-06 20:45 <DIR> d-------- C:\Program Files\DialIdol.com
2008-04-29 11:20 . 2008-04-29 11:20 15,648 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 11:19 . 2008-04-29 11:19 15,648 --a------ C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 11:19 . 2008-04-29 11:19 12,960 --a------ C:\WINDOWS\system32\drivers\Awrtpd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-23 23:43 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\BitTorrent
2008-05-23 22:30 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\.gaim
2008-05-22 02:02 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-20 12:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-05-19 04:47 --------- d-----w C:\Program Files\Nexus
2008-05-18 02:13 --------- d-----w C:\Program Files\FileZilla
2008-05-18 02:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-18 02:11 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\InstallShield
2008-05-12 19:59 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-05-07 01:35 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\Skype
2008-05-03 19:08 --------- d-----w C:\Program Files\DOSBox-0.72
2008-05-01 15:40 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-24 23:14 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-23 02:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-04-21 02:19 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\Malwarebytes
2008-04-21 02:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-20 19:34 --------- d-----w C:\Program Files\CONEXANT
2008-04-12 23:20 --------- d-----w C:\Program Files\Numericon
2008-04-10 02:11 --------- d-----w C:\Program Files\Trend Micro
2008-04-09 21:20 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-09 21:17 --------- d-----w C:\Program Files\Microsoft.NET
2008-04-07 03:12 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\U3
2008-04-03 12:58 --------- d-----w C:\Documents and Settings\Sudhir J. Kamath\Application Data\AVG7
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-26 01:58 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-25 04:36 --------- d-----w C:\Program Files\Windows Live
2008-03-25 04:35 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-25 04:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-24 22:44 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-24 20:01 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-12 05:45 39,888 ----a-w C:\Documents and Settings\Sudhir J. Kamath\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-05-21_21.33.35.86 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-22 02:11:52 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_84c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 04:40 218032]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 19:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 19:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 19:10 114688]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-01 13:48 1392640]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-17 21:09 579584]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 18:32 221184]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogOff"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-03-04 00:01 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\Program Files\ffdshow\ffdshow.ax

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\K1RFD\\EchoLink\\EchoLink.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

S3 tifm;tifm;C:\WINDOWS\system32\drivers\tifm.sys [2006-07-21 12:42]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caee2460-c11e-11db-950b-000f1fb14a4f}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f226da10-54f6-11dc-957f-000f1fb14a4f}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

*Newly Created Service* - AAWSERVICE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-23 19:45:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-23 19:49:10
ComboFix-quarantined-files.txt 2008-05-23 23:48:49
ComboFix2.txt 2008-05-22 01:34:14
ComboFix3.txt 2008-05-18 05:29:07

Pre-Run: 10,733,772,800 bytes free
Post-Run: 10,784,493,568 bytes free

146 --- E O F --- 2008-05-16 05:09:50

  • 0
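
As an added example (not from this thread, and not ComboFix's own code), a small Python triage helper that parses lines in the "Files Created" format shown in the log above and flags the entries a reviewer would look at first: new executables under user-writable locations and newly added kernel drivers. The sample lines and the PLACEHOLDER file name are constructed for the example.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "created modified size attrs path")

# One "Files Created" line: <created> . <modified> <size|<DIR>> <attrs> <path>
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(<DIR>|[\d,]+) (\S+) (.+)$"
)

EXEC_EXTS = (".exe", ".sys", ".dll", ".scr", ".pif", ".com", ".bat", ".cmd")
# Locations an ordinary user (or a worm running as one) can write to
USER_WRITABLE = ("\\documents and settings\\", "\\windows\\temp\\")

# Constructed sample lines in the log's format (not the thread's own log)
SAMPLE = """\
2008-05-21 22:02 . 2008-05-21 22:02 <DIR> d-------- C:\\Program Files\\Lavasoft
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\\WINDOWS\\system32\\lsdelete.exe
2008-05-12 15:59 . 2008-05-05 20:46 15,864 --a------ C:\\WINDOWS\\system32\\drivers\\mbam.sys
2008-05-10 09:00 . 2008-05-10 09:00 71,680 --a------ C:\\Documents and Settings\\All Users\\Documents\\PLACEHOLDER_lure.exe
"""

def parse_files_created(text):
    """Parse 'Files Created' lines into Entry tuples; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        size_bytes = None if size == "<DIR>" else int(size.replace(",", ""))
        entries.append(Entry(created, modified, size_bytes, attrs, path))
    return entries

def triage(entries):
    """Return (path, reason) pairs for entries worth a closer look; directories are ignored."""
    findings = []
    for e in entries:
        low = e.path.lower()
        if e.size is None or not low.endswith(EXEC_EXTS):
            continue
        if any(d in low for d in USER_WRITABLE):
            findings.append((e.path, "executable in user-writable location"))
        elif "\\system32\\drivers\\" in low and low.endswith(".sys"):
            findings.append((e.path, "new kernel driver; confirm publisher"))
    return findings

if __name__ == "__main__":
    for path, reason in triage(parse_files_created(SAMPLE)):
        print(f"{reason}: {path}")
```

A flagged driver is not a verdict (the mbam.sys in the log above belongs to Malwarebytes); the list only narrows what to check by hand.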

#27
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Monitor the computer for a day or so and see if anything still pops up. The log looks clean...
  • 0

#28
sunny441

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 258 posts
Hi:

Thanks for your time and help. As mentioned in an earlier post - there is no predictability as far as AVG finding these files goes. Sometimes I can go about 4 days before AVG finds something - and most of the time the file is in the My Documents location.

Anyway, I will keep an eye out for this - and when I see something I will post the log or what I see. Hence I request you not to close this topic, and I will post back here in case we need to follow up!

cheers

Sunny
  • 0

#29
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
No problem. I will keep it up for about 5 more days which hopefully is enough time.
  • 0

#30
sunny441

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 258 posts
Hi:

I did a complete scan last night on the system. 2 files were found again - same names in the same location!

I think it's best for me to format the computer and re-install the OS!

cheers

Sunny
  • 0