winanonymous/vundo/RECYCLER...HELP! [CLOSED]


  • This topic is locked

#1
phil1963

    Member

  • Member
  • 12 posts
Hi, the problem possibly started with winanonymous popups, but possibly earlier. I have used ATF Cleaner, Malwarebytes and SUPERAntiSpyware but the problem remains.

On startup I get an error message saying userinit.exe failed to initialise (0xc0000005). I then get a blank desktop with no icons, only the background picture showing. This also happens in safe mode!

I have to manually start explorer.exe using Ctrl-Alt-Delete to get Task Manager.

I have noticed a window popping up saying "saving personalised settings RECYCLER..." followed by a string of numbers, too quick to see, before the icons appear.

The Malwarebytes log shows a Vundo trojan but I don't think it is removing it.

Would really appreciate a helping hand with this!

HijackThis log and Malwarebytes log follow.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:21:07 AM, on 26/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Firebird\bin\ibguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Firebird\bin\ibserver.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\s3hotkey.exe
C:\WINDOWS\system32\S3Tray2.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.iprimus.com.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;172.16.*;172.17.*;172.18.*;172.19.*;172.20.*;172.21.*;172.22.*;172.23.*;172
.24.*;172.25.*;172.26.*;172.27.*;172.28.*;172.29.*;172.30.*;172.31.*;192.168.*;*.
IPrimus.com.au;<local>
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TouchED] "C:\Program Files\TOSHIBA\TouchED\TouchED.Exe"
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.l...lscbase5059.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1153354204024
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5625595-F689-4A2E-B263-9AB15D007D52}: NameServer = 203.134.64.66,203.134.65.66
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00B52F5.dat
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Firebird Guardian Service (InterBaseGuardian) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe

--
End of file - 8957 bytes

###############

Malware bytes Log

Malwarebytes' Anti-Malware 1.12
Database version: 785

Scan type: Quick Scan
Objects scanned: 39473
Time elapsed: 7 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 8
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\rqRKBUmK.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\__c004780D.dat (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{14b27891-a474-4f32-a847-96644adcf843} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{14b27891-a474-4f32-a847-96644adcf843} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d0914109 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMd3a27295 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\rqrkbumk -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\__c004780d.dat -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\rqrkbumk -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\lvjtvldg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gdlvtjvl.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRKBUmK.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\KmUBKRqr.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\KmUBKRqr.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcfliswc.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c004780D.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c00A17D0.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkkICstS.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvUnKArq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
  • 0
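As an added example (not part of this thread, of HijackThis, or of any tool used here), the script below walks a HijackThis log like the one above and ranks the entries a helper checks first: the O20 AppInit_DLLs value pointing at a .dat file in system32, O23 services whose image path does not resolve to a file, unnamed Browser Helper Objects, explicit DNS servers, and O4 Run entries that name a bare file without a directory. The sample lines are constructed: most are copied from the HijackThis log above, and the O2 line is built from the BHO CLSID and DLL name that the Malwarebytes log in the same post reports. The severity scale and the reasons are this example's own, not HijackThis's.

```python
"""Triage the persistence-related sections of a HijackThis log.
Added example for this thread; not part of HijackThis or of any tool used here.
Sample lines are constructed from entries in the posted logs."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: lines from the posted HijackThis log plus one O2 line built
# from the BHO CLSID / DLL that the posted Malwarebytes log reports.
SAMPLE_LOG = "\n".join([
    r"O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe",
    r"O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u",
    r"O2 - BHO: (no name) - {14b27891-a474-4f32-a847-96644adcf843} - C:\WINDOWS\system32\rqRKBUmK.dll",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{B5625595-F689-4A2E-B263-9AB15D007D52}: NameServer = 203.134.64.66,203.134.65.66",
    r"O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00B52F5.dat",
    r"O23 - Service: Firebird Guardian Service (InterBaseGuardian) - Unknown owner - C:\Program.exe (file missing)",
    r"O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe",
])


@dataclass
class Finding:
    section: str
    severity: str  # "high" > "medium" > "low" (scale chosen for this example)
    item: str
    reason: str


LINE_RE = re.compile(r"^(?P<sec>[OR]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def triage_hijackthis(log_text: str) -> list[Finding]:
    """Return findings sorted by severity; lines that match no rule are ignored."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m["sec"], m["body"]
        if sec == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if value:
                # A .dat file loaded through AppInit_DLLs has no legitimate reason to be there.
                sev = "high" if value.lower().endswith(".dat") else "medium"
                findings.append(Finding(sec, sev, value,
                    "AppInit_DLLs: module is injected into every process that loads user32.dll"))
        elif sec == "O23" and "(file missing)" in body:
            findings.append(Finding(sec, "medium", body,
                "service ImagePath does not resolve to a file (unquoted path with spaces, or leftover of removed software)"))
        elif sec == "O2" and "(no name)" in body:
            findings.append(Finding(sec, "medium", body,
                "unnamed Browser Helper Object loads into every Internet Explorer process"))
        elif sec == "O17":
            findings.append(Finding(sec, "low", body,
                "explicit DNS servers; confirm they belong to the ISP"))
        elif sec == "O4":
            m4 = O4_RE.search(body)
            cmd = m4["cmd"].strip() if m4 else ""
            first = cmd.strip('"').split()[0] if cmd else ""
            if first and "\\" not in first:
                findings.append(Finding(sec, "low", body,
                    "bare file name resolved via the search path; verify which file actually runs"))
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: order[f.severity])  # stable: log order kept within a level
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_LOG):
        print(f"{f.severity:6} {f.section:4} {f.item}\n       {f.reason}")
```

The "C:\Program.exe (file missing)" entries are worth a word: HijackThis truncates an unquoted service path at its first space, and the ComboFix log later in this thread shows the real ImagePath ("C:\Program Files\Firebird\bin\ibguard -s"), so those two O23 lines are an unquoted-path weakness in a legitimate service rather than the infection itself. The script therefore ranks them medium, for review, below the AppInit_DLLs entry.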



#2
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
1. Download combofix at http://www.techsuppo...Bs/ComboFix.exe or http://download.blee...Bs/ComboFix.exe Save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.
  • 0

#3
phil1963

    Member

  • Topic Starter
  • Member
  • 12 posts
Thanks greyknight, ComboFix log follows.


ComboFix 08-05-25.5 - user 2008-05-27 8:04:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.227 [GMT 10:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMd3a27295.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\components
C:\WINDOWS\system32\cwuidktr.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\neonroek.exe
C:\WINDOWS\system32\nnnoLDVP.dll
C:\WINDOWS\system32\PVDLonnn.ini
C:\WINDOWS\system32\PVDLonnn.ini2
C:\WINDOWS\system32\qirnhrfa.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-26 to 2008-05-26 )))))))))))))))))))))))))))))))
.

2008-05-27 08:05 . 2008-05-27 08:05 115,712 --a------ C:\WINDOWS\system32\mhcnxupj.dll
2008-05-27 08:05 . 2008-05-27 08:05 294 ---hs---- C:\WINDOWS\system32\jpuxnchm.ini
2008-05-27 08:02 . 2008-05-27 08:02 51,200 --a------ C:\WINDOWS\system32\hyvxkiul.dll
2008-05-27 08:02 . 2008-05-27 08:02 51,200 --a------ C:\WINDOWS\system32\__c004A010.dat
2008-05-27 08:01 . 2008-05-27 08:01 51,200 --a------ C:\WINDOWS\system32\pprtlsru.dll
2008-05-27 08:01 . 2008-05-27 08:01 51,200 --a------ C:\WINDOWS\system32\__c007E5D0.dat
2008-05-27 07:58 . 2008-05-27 07:58 51,200 --a------ C:\WINDOWS\system32\pgdlisms.dll
2008-05-27 07:55 . 2008-05-27 07:55 51,200 --a------ C:\WINDOWS\system32\avhwtpmk.dll
2008-05-27 07:55 . 2008-05-27 07:55 51,200 --a------ C:\WINDOWS\system32\__c00682AC.dat
2008-05-27 07:54 . 2008-05-27 07:54 125,440 --a------ C:\WINDOWS\system32\utwhbklj.dll
2008-05-27 07:54 . 2008-05-27 07:54 51,200 --a------ C:\WINDOWS\system32\vgucnxnq.dll
2008-05-27 07:54 . 2008-05-27 07:54 51,200 --a------ C:\WINDOWS\system32\cijgugix.dll
2008-05-27 07:54 . 2008-05-27 07:54 51,200 --a------ C:\WINDOWS\system32\__c001AB44.dat
2008-05-27 07:51 . 2008-05-27 07:51 125,440 --a------ C:\WINDOWS\system32\dcpijlwv.dll
2008-05-26 13:10 . 2008-05-26 13:10 58,880 --a------ C:\WINDOWS\system32\iifgGVPI.dll
2008-05-26 08:50 . 2008-05-26 08:50 58,880 --a------ C:\WINDOWS\system32\urqRIcdE.dll
2008-05-26 00:10 . 2008-05-26 00:10 58,880 --a------ C:\WINDOWS\system32\ssqQhgfD.dll
2008-05-25 23:52 . 2008-05-25 23:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-25 23:17 . 2008-05-25 23:17 125,440 --a------ C:\WINDOWS\system32\bkxdksod.dll
2008-05-25 23:17 . 2008-05-25 23:17 51,200 --a------ C:\WINDOWS\system32\mrilcaux.dll
2008-05-25 23:17 . 2008-05-25 23:17 51,200 --------- C:\WINDOWS\system32\__c00B52F5.dat
2008-05-25 23:14 . 2008-05-25 23:17 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-25 23:14 . 2008-05-25 23:14 <DIR> d-------- C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com
2008-05-25 23:14 . 2008-05-25 23:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-25 23:13 . 2008-05-25 23:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-25 22:53 . 2008-05-25 22:53 <DIR> d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
2008-05-25 22:52 . 2008-05-25 22:53 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-25 22:52 . 2008-05-25 22:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-25 22:52 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-25 22:52 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-25 22:51 . 2008-05-25 22:51 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-25 14:02 . 2008-05-25 14:02 58,880 --a------ C:\WINDOWS\system32\vtUlIcaB.dll
2008-05-25 13:13 . 2008-05-25 13:13 51,200 --a------ C:\WINDOWS\system32\seoaxqvj.dll
2008-05-15 17:48 . 2008-05-15 19:16 <DIR> d-------- C:\Program Files\Panda Security
2008-05-11 23:29 . 2008-05-11 23:37 664 --a------ C:\WINDOWS\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-11 13:28 --------- d-----w C:\Program Files\Google
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2006-07-16 22:10 0 ----a-w C:\Documents and Settings\user\loaded.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E09D32C-E5E6-4184-B177-784CEE1E09C4}]
2008-05-26 00:10 58880 --a------ C:\WINDOWS\system32\ssqQhgfD.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2005-11-30 16:56 1306624]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3Hotkey"="s3hotkey.exe" [2001-09-13 22:27 40960 C:\WINDOWS\system32\s3hotkey.exe]
"S3TRAY2"="S3Tray2.exe" [2002-02-21 17:38 69632 C:\WINDOWS\system32\S3Tray2.exe]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2002-02-22 13:12 249856]
"000StTHK"="000StTHK.exe" [2001-06-24 13:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-03-30 00:40 122880]
"TFNF5"="TFNF5.exe" [2001-08-04 03:08 73728 C:\WINDOWS\system32\TFNF5.exe]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2002-04-13 04:13 126976]
"Tpwrtray"="TPWRTRAY.EXE" [2002-03-20 13:38 217088 C:\WINDOWS\system32\TPWRTRAY.EXE]
"KAVPersonal50"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" [2005-08-30 22:51 139367]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-10-07 20:44 98304]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2005-12-13 08:49 217088]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 18:54 623992]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-18 13:05:56 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
"{7E09D32C-E5E6-4184-B177-784CEE1E09C4}"= C:\WINDOWS\system32\ssqQhgfD.dll [2008-05-26 00:10 58880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqQhgfD]
ssqQhgfD.dll 2008-05-26 00:10 58880 C:\WINDOWS\system32\ssqQhgfD.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msvideo7"= STV680tg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-10-07 20:44 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2006-05-06 23:29 6656 C:\Program Files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\java.exe"=
"C:\\Program Files\\PLAN Australia\\PLAN Sales\\CRM.exe"=
"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\java.exe"=
"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\java.exe"=
"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\java.exe"=
"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\java.exe"=
"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\java.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\java.exe"=

R1 Klmc;Klmc;C:\WINDOWS\system32\drivers\klmc.sys [2005-08-30 22:52]
R2 InterBaseGuardian;Firebird Guardian Service;C:\Program Files\Firebird\bin\ibguard -s []
R3 InterBaseServer;Firebird Server;C:\Program Files\Firebird\bin\ibserver -s []
S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys [2008-05-05 20:46]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C0-4FCB-11CF-AAX5-004016608512}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1113\iuhi32.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 08:16:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\InterBaseGuardian]
"ImagePath"="C:\Program Files\Firebird\bin\ibguard -s"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\InterBaseServer]
"ImagePath"="C:\Program Files\Firebird\bin\ibserver -s"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ssqQhgfD.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\ssqQhgfD.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\BRSS01A.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Firebird\bin\ibguard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Firebird\bin\ibserver.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-05-27 8:27:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-26 22:27:22

Pre-Run: 18,065,534,976 bytes free
Post-Run: 18,224,705,536 bytes free

171 --- E O F --- 2008-05-17 02:47:44
  • 0

#4
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Empty your Recycle Bin if there's anything in there.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

File::
C:\WINDOWS\system32\mhcnxupj.dll
C:\WINDOWS\system32\jpuxnchm.ini
C:\WINDOWS\system32\hyvxkiul.dll
C:\WINDOWS\system32\__c004A010.dat
C:\WINDOWS\system32\pprtlsru.dll
C:\WINDOWS\system32\__c007E5D0.dat
C:\WINDOWS\system32\pgdlisms.dll
C:\WINDOWS\system32\avhwtpmk.dll
C:\WINDOWS\system32\__c00682AC.dat
C:\WINDOWS\system32\utwhbklj.dll
C:\WINDOWS\system32\vgucnxnq.dll
C:\WINDOWS\system32\cijgugix.dll
C:\WINDOWS\system32\__c001AB44.dat
C:\WINDOWS\system32\dcpijlwv.dll
C:\WINDOWS\system32\iifgGVPI.dll
C:\WINDOWS\system32\urqRIcdE.dll
C:\WINDOWS\system32\ssqQhgfD.dll
C:\WINDOWS\system32\bkxdksod.dll
C:\WINDOWS\system32\mrilcaux.dll
C:\WINDOWS\system32\__c00B52F5.dat
C:\WINDOWS\system32\vtUlIcaB.dll
C:\WINDOWS\system32\seoaxqvj.dll
C:\Documents and Settings\user\loaded.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E09D32C-E5E6-4184-B177-784CEE1E09C4}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7E09D32C-E5E6-4184-B177-784CEE1E09C4}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqQhgfD]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe.
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

How is the computer running so far?
  • 0

#5
phil1963

    Member

  • Topic Starter
  • Member
  • 12 posts
The computer seems to be fine now; I was getting a "Windows Explorer has encountered a problem and needs to close" error message on startup, but not since the last ComboFix run.

I am wondering whether these 3 files are still a problem:
"""((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-27 17:20 . 2008-05-27 17:20 124,928 --a------ C:\WINDOWS\system32\opygajrw.dll
2008-05-27 17:20 . 2008-05-27 17:20 116,736 --a------ C:\WINDOWS\system32\tdhhrgmj.dll
2008-05-27 08:34 . 2008-05-27 08:34 58,880 --a------ C:\WINDOWS\system32\iifgDwUk.dll"""

And I am wondering what the "WARNING RECOVERY CONSOLE NOT INSTALLED" means....
Does it mean I can't use System Restore??

.... I am really puzzled how I have been infected, as I am very careful with my internet usage....
Again, thanks for the help.
ComboFix log follows.



ComboFix 08-05-25.5 - user 2008-05-27 17:24:58.2 - NTFSx86
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\user\loaded.exe
C:\WINDOWS\system32\__c001AB44.dat
C:\WINDOWS\system32\__c004A010.dat
C:\WINDOWS\system32\__c00682AC.dat
C:\WINDOWS\system32\__c007E5D0.dat
C:\WINDOWS\system32\__c00B52F5.dat
C:\WINDOWS\system32\avhwtpmk.dll
C:\WINDOWS\system32\bkxdksod.dll
C:\WINDOWS\system32\cijgugix.dll
C:\WINDOWS\system32\dcpijlwv.dll
C:\WINDOWS\system32\hyvxkiul.dll
C:\WINDOWS\system32\iifgGVPI.dll
C:\WINDOWS\system32\jpuxnchm.ini
C:\WINDOWS\system32\mhcnxupj.dll
C:\WINDOWS\system32\mrilcaux.dll
C:\WINDOWS\system32\pgdlisms.dll
C:\WINDOWS\system32\pprtlsru.dll
C:\WINDOWS\system32\seoaxqvj.dll
C:\WINDOWS\system32\ssqQhgfD.dll
C:\WINDOWS\system32\urqRIcdE.dll
C:\WINDOWS\system32\utwhbklj.dll
C:\WINDOWS\system32\vgucnxnq.dll
C:\WINDOWS\system32\vtUlIcaB.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\user\loaded.exe
C:\WINDOWS\BMd3a27295.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\__c001AB44.dat
C:\WINDOWS\system32\__c004A010.dat
C:\WINDOWS\system32\__c00682AC.dat
C:\WINDOWS\system32\__c007E5D0.dat
C:\WINDOWS\system32\__c00B52F5.dat
C:\WINDOWS\system32\avhwtpmk.dll
C:\WINDOWS\system32\bkxdksod.dll
C:\WINDOWS\system32\cijgugix.dll
C:\WINDOWS\system32\dcpijlwv.dll
C:\WINDOWS\system32\HQttvyxx.ini
C:\WINDOWS\system32\HQttvyxx.ini2
C:\WINDOWS\system32\hyvxkiul.dll
C:\WINDOWS\system32\iifgGVPI.dll
C:\WINDOWS\system32\jmgrhhdt.ini
C:\WINDOWS\system32\jpuxnchm.ini
C:\WINDOWS\system32\mhcnxupj.dll
C:\WINDOWS\system32\mrilcaux.dll
C:\WINDOWS\system32\pgdlisms.dll
C:\WINDOWS\system32\pprtlsru.dll
C:\WINDOWS\system32\seoaxqvj.dll
C:\WINDOWS\system32\ssqQhgfD.dll
C:\WINDOWS\system32\urqRIcdE.dll
C:\WINDOWS\system32\utwhbklj.dll
C:\WINDOWS\system32\vgucnxnq.dll
C:\WINDOWS\system32\vtUlIcaB.dll
C:\WINDOWS\system32\xxyvttQH.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-27 17:20 . 2008-05-27 17:20 124,928 --a------ C:\WINDOWS\system32\opygajrw.dll
2008-05-27 17:20 . 2008-05-27 17:20 116,736 --a------ C:\WINDOWS\system32\tdhhrgmj.dll
2008-05-27 08:34 . 2008-05-27 08:34 58,880 --a------ C:\WINDOWS\system32\iifgDwUk.dll
2008-05-25 23:52 . 2008-05-25 23:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-25 23:14 . 2008-05-25 23:17 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-25 23:14 . 2008-05-25 23:14 <DIR> d-------- C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com
2008-05-25 23:14 . 2008-05-25 23:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-25 23:13 . 2008-05-25 23:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-25 22:53 . 2008-05-25 22:53 <DIR> d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
2008-05-25 22:52 . 2008-05-25 22:53 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-25 22:52 . 2008-05-25 22:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-25 22:52 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-25 22:52 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-25 22:51 . 2008-05-25 22:51 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-15 17:48 . 2008-05-15 19:16 <DIR> d-------- C:\Program Files\Panda Security
2008-05-11 23:29 . 2008-05-11 23:37 664 --a------ C:\WINDOWS\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-11 13:28 --------- d-----w C:\Program Files\Google
.

((((((((((((((((((((((((((((( [email protected]_ 8.26.32.11 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-26 22:13:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-27 07:42:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2005-11-30 16:56 1306624]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3Hotkey"="s3hotkey.exe" [2001-09-13 22:27 40960 C:\WINDOWS\system32\s3hotkey.exe]
"S3TRAY2"="S3Tray2.exe" [2002-02-21 17:38 69632 C:\WINDOWS\system32\S3Tray2.exe]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2002-02-22 13:12 249856]
"000StTHK"="000StTHK.exe" [2001-06-24 13:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-03-30 00:40 122880]
"TFNF5"="TFNF5.exe" [2001-08-04 03:08 73728 C:\WINDOWS\system32\TFNF5.exe]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2002-04-13 04:13 126976]
"Tpwrtray"="TPWRTRAY.EXE" [2002-03-20 13:38 217088 C:\WINDOWS\system32\TPWRTRAY.EXE]
"KAVPersonal50"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" [2005-08-30 22:51 139367]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-10-07 20:44 98304]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2005-12-13 08:49 217088]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 18:54 623992]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-18 13:05:56 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msvideo7"= STV680tg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-10-07 20:44 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2006-05-06 23:29 6656 C:\Program Files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\java.exe"=
"C:\\Program Files\\PLAN Australia\\PLAN Sales\\CRM.exe"=
"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\java.exe"=
"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\java.exe"=
"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\java.exe"=
"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\java.exe"=
"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\java.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\java.exe"=

R1 Klmc;Klmc;C:\WINDOWS\system32\drivers\klmc.sys [2005-08-30 22:52]
R2 InterBaseGuardian;Firebird Guardian Service;C:\Program Files\Firebird\bin\ibguard -s []
R3 InterBaseServer;Firebird Server;C:\Program Files\Firebird\bin\ibserver -s []
S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys [2008-05-05 20:46]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C0-4FCB-11CF-AAX5-004016608512}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1113\iuhi32.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 17:43:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\InterBaseGuardian]
"ImagePath"="C:\Program Files\Firebird\bin\ibguard -s"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\InterBaseServer]
"ImagePath"="C:\Program Files\Firebird\bin\ibserver -s"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\BRSS01A.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Firebird\bin\ibguard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Firebird\bin\ibserver.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-05-27 17:52:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-27 07:52:44
ComboFix2.txt 2008-05-26 22:27:41

Pre-Run: 18,227,408,896 bytes free
Post-Run: 18,207,334,400 bytes free

186 --- E O F --- 2008-05-17 02:47:44

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Yep, those will have to go.

No, that message has nothing to do with the System Restore feature. It will install a Recovery Console mode which you can access at times when Windows is inaccessible. This can be a useful feature if you know how to do the recovery from there. If you want to install it, just follow the instructions here. Go through all the steps until posting the log part...you may skip that since you did it already :)

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

File::
C:\WINDOWS\system32\opygajrw.dll
C:\WINDOWS\system32\tdhhrgmj.dll
C:\WINDOWS\system32\iifgDwUk.dll
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1113\iuhi32.exe
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C0-4FCB-11CF-AAX5-004016608512}]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on ComboFix's window while it's running. That may cause it to stall.
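The CFScript above is the manual end product of a triage that a responder normally does by reading the ComboFix log. As an added illustration (editor-written example code, not part of this thread and not a ComboFix component), the Python below reads ComboFix log lines and renders them into the same File::/Registry:: format greyknight17 gave. The sample log text is constructed from lines already posted in this thread, and the two heuristics are assumptions made for the example, not ComboFix rules: an 8-letter DLL directly under system32 whose created and modified stamps are identical (a freshly generated payload, whereas vendor files keep their build-time modification stamp, as mbam.sys does), and any loading point whose target lives under \RECYCLER\, since nothing legitimate autostarts from a recycle-bin directory.

```python
import re

# Constructed sample input: lines copied from the ComboFix log in this thread
# (the "Files Created" section and the Active Setup loading point), plus two
# legitimate entries so the filters have something to leave alone.
SAMPLE_LOG = r"""
2008-05-27 17:20 . 2008-05-27 17:20 124,928 --a------ C:\WINDOWS\system32\opygajrw.dll
2008-05-27 17:20 . 2008-05-27 17:20 116,736 --a------ C:\WINDOWS\system32\tdhhrgmj.dll
2008-05-27 08:34 . 2008-05-27 08:34 58,880 --a------ C:\WINDOWS\system32\iifgDwUk.dll
2008-05-25 22:52 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-11 23:29 . 2008-05-11 23:37 664 --a------ C:\WINDOWS\system32\d3d9caps.dat

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C0-4FCB-11CF-AAX5-004016608512}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1113\iuhi32.exe
"""

# One "Files Created" entry: created . modified size attributes path
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>\S+) (?P<path>.+)$"
)
# Heuristic (assumption for this example): exactly eight letters, .dll,
# directly under system32 rather than in a subfolder such as drivers.
RANDOM_SYSTEM32_DLL = re.compile(
    r"^[A-Za-z]:\\WINDOWS\\system32\\[A-Za-z]{8}\.dll$", re.IGNORECASE
)
KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
RECYCLER_PATH = re.compile(r"^[A-Za-z]:\\RECYCLER\\", re.IGNORECASE)


def find_suspicious_files(log_text):
    """Return paths of newly created system32 DLLs with random-looking names
    whose created and modified stamps match (dropped in one go)."""
    hits = []
    for line in log_text.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m:
            continue
        path = m.group("path").strip()
        if RANDOM_SYSTEM32_DLL.match(path) and m.group("created") == m.group("modified"):
            hits.append(path)
    return hits


def find_recycler_autostarts(log_text):
    """Return (registry key, target path) pairs for loading points whose
    target sits under \\RECYCLER\\. The key is the most recent [..] header."""
    hits = []
    current_key = None
    for line in log_text.splitlines():
        line = line.strip()
        km = KEY_LINE.match(line)
        if km:
            current_key = km.group("key")
            continue
        if current_key and RECYCLER_PATH.match(line):
            hits.append((current_key, line))
    return hits


def build_cfscript(files, registry_keys):
    """Render the CFScript format used in this thread: a File:: block of full
    paths to delete and a Registry:: block where a leading '-' inside the
    brackets asks ComboFix to delete the whole key."""
    lines = []
    if files:
        lines.append("File::")
        lines.extend(files)
    if registry_keys:
        lines.append("Registry::")
        lines.extend(f"[-{key}]" for key in registry_keys)
    return "\n".join(lines) + "\n"


def triage(log_text):
    """Combine both heuristics into one candidate CFScript."""
    files = find_suspicious_files(log_text)
    autostarts = find_recycler_autostarts(log_text)
    files += [path for _, path in autostarts if path not in files]
    keys = [key for key, _ in autostarts]
    return build_cfscript(files, keys)


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run against the constructed sample, `triage()` reproduces the four File:: paths and the single Registry:: deletion from the post above, and leaves mbam.sys, d3d9caps.dat and the ctfmon.exe Run entry alone. The output is a candidate list only: each path still has to be checked by a person before it is dropped onto ComboFix, because an 8-letter vendor DLL created by an installer can trip the name heuristic.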

#7 phil1963 (Member, Topic Starter, 12 posts)
Ok, before I do this: my computer seems to be back at the beginning of this problem again. On startup I just got the same error message "userinit.exe failed ..." and had to start explorer.exe from Task Manager manually.....

Earlier this morning my son plugged his thumb drive in and I found the RECYCLER.exe folder on it as well..... he assures me he hasn't plugged it into my computer for a long time...

How can I remove this folder from portable drives, as it says it is locked?? Can it be done on a Mac instead?

Is it possible my camera and iPods etc. are infected as well??

Do I need to run scans again, as the last log was from last night and everything seemed OK.....

#8 phil1963 (Member, Topic Starter, 12 posts)
Hi Greyknight,

I went back to the start and ran ComboFix and the step 2 CFScript steps as before, with new file names...

I'm pretty sure I got everything except maybe the recycler.exe file... if it is still there, how do I remove it???

See HijackThis and ComboFix logs following; both are after repeating all previous steps with new file names instead.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:08:36 AM, on 29/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Firebird\bin\ibguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Firebird\bin\ibserver.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\s3hotkey.exe
C:\WINDOWS\system32\S3Tray2.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.iprimus.com.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;172.16.*;172.17.*;172.18.*;172.19.*;172.20.*;172.21.*;172.22.*;172.23.*;172.24.*;172.25.*;172.26.*;172.27.*;172.28.*;172.29.*;172.30.*;172.31.*;192.168.*;*.IPrimus.com.au;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TouchED] "C:\Program Files\TOSHIBA\TouchED\TouchED.Exe"
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.l...lscbase5059.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1153354204024
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5625595-F689-4A2E-B263-9AB15D007D52}: NameServer = 203.134.64.66,203.134.65.66
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Firebird Guardian Service (InterBaseGuardian) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe

--
End of file - 9545 bytes



ComboFix log
ComboFix 08-05-25.5 - user 2008-05-28 23:49:40.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.215 [GMT 10:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1113\iuhi32.exe
.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-28 )))))))))))))))))))))))))))))))
.

2008-05-25 23:52 . 2008-05-25 23:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-25 23:14 . 2008-05-25 23:17 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-25 23:14 . 2008-05-25 23:14 <DIR> d-------- C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com
2008-05-25 23:14 . 2008-05-25 23:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-25 23:13 . 2008-05-25 23:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-25 22:53 . 2008-05-25 22:53 <DIR> d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
2008-05-25 22:52 . 2008-05-25 22:53 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-25 22:52 . 2008-05-25 22:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-25 22:52 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-25 22:52 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-25 22:51 . 2008-05-25 22:51 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-15 17:48 . 2008-05-15 19:16 <DIR> d-------- C:\Program Files\Panda Security
2008-05-11 23:29 . 2008-05-11 23:37 664 --a------ C:\WINDOWS\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-11 13:28 --------- d-----w C:\Program Files\Google
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( [email protected]_ 8.26.32.11 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-26 22:13:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-28 12:29:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2005-11-30 16:56 1306624]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3Hotkey"="s3hotkey.exe" [2001-09-13 22:27 40960 C:\WINDOWS\system32\s3hotkey.exe]
"S3TRAY2"="S3Tray2.exe" [2002-02-21 17:38 69632 C:\WINDOWS\system32\S3Tray2.exe]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2002-02-22 13:12 249856]
"000StTHK"="000StTHK.exe" [2001-06-24 13:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-03-30 00:40 122880]
"TFNF5"="TFNF5.exe" [2001-08-04 03:08 73728 C:\WINDOWS\system32\TFNF5.exe]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2002-04-13 04:13 126976]
"Tpwrtray"="TPWRTRAY.EXE" [2002-03-20 13:38 217088 C:\WINDOWS\system32\TPWRTRAY.EXE]
"KAVPersonal50"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" [2005-08-30 22:51 139367]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-10-07 20:44 98304]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2005-12-13 08:49 217088]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 18:54 623992]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-18 13:05:56 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msvideo7"= STV680tg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-10-07 20:44 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2006-05-06 23:29 6656 C:\Program Files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\java.exe"=
"C:\\Program Files\\PLAN Australia\\PLAN Sales\\CRM.exe"=
"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\java.exe"=
"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\java.exe"=
"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\java.exe"=
"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\java.exe"=
"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\java.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\java.exe"=

R1 Klmc;Klmc;C:\WINDOWS\system32\drivers\klmc.sys [2005-08-30 22:52]
R2 InterBaseGuardian;Firebird Guardian Service;C:\Program Files\Firebird\bin\ibguard -s []
R3 InterBaseServer;Firebird Server;C:\Program Files\Firebird\bin\ibserver -s []


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C0-4FCB-11CF-AAX5-004016608512}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1113\iuhi32.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-28 23:51:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\InterBaseGuardian]
"ImagePath"="C:\Program Files\Firebird\bin\ibguard -s"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\InterBaseServer]
"ImagePath"="C:\Program Files\Firebird\bin\ibserver -s"
.
Completion time: 2008-05-28 23:53:21
ComboFix-quarantined-files.txt 2008-05-28 13:53:15
ComboFix2.txt 2008-05-28 13:32:34
ComboFix3.txt 2008-05-28 12:41:32
ComboFix4.txt 2008-05-27 07:52:52
ComboFix5.txt 2008-05-26 22:27:41

Pre-Run: 18,177,667,072 bytes free
Post-Run: 18,163,146,752 bytes free

118 --- E O F --- 2008-05-17 02:47:44

#9 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Do you have anything in the Recycle Bin? Empty it if it's not emptied already.

Do you use the Firebird service anymore?

Yes, there has been a nasty infection going around that's infecting USB drives as well. Download the Flash Disinfector at http://www.techsuppo...Disinfector.exe and save it to your desktop. Double-click on it to run it and follow the on-screen instructions (make sure your thumb drive is plugged in....do this for all the thumb drives infected).

How is the computer running so far?

#10 phil1963 (Member, Topic Starter, 12 posts)
Computer seems to be fine. I ran scans again and deleted files with CFScript.txt, and this time I think I got the recycle file deleted as well.

The only thing I am a bit concerned about is a toolbar (no name) showing in the HijackThis log; I hope it's not another problem.

ComboFix logs and HijackThis log follow

Thanks for the link for the USB cleaner, I'll check them.

I don't really need Firebird anymore, so I guess it can go. Is it potentially a problem or just slowing the computer down??

Thanks again for your time, greatly appreciate it !


ComboFix 08-05-25.5 - user 2008-05-29 17:34:25.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.243 [GMT 10:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1113\iuhi32.exe
.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.

2008-05-25 23:52 . 2008-05-25 23:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-25 23:14 . 2008-05-25 23:17 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-25 23:14 . 2008-05-25 23:14 <DIR> d-------- C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com
2008-05-25 23:14 . 2008-05-25 23:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-25 23:13 . 2008-05-25 23:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-25 22:53 . 2008-05-25 22:53 <DIR> d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
2008-05-25 22:52 . 2008-05-25 22:53 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-25 22:52 . 2008-05-25 22:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-25 22:52 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-25 22:52 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-25 22:51 . 2008-05-25 22:51 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-15 17:48 . 2008-05-15 19:16 <DIR> d-------- C:\Program Files\Panda Security
2008-05-11 23:29 . 2008-05-11 23:37 664 --a------ C:\WINDOWS\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-11 13:28 --------- d-----w C:\Program Files\Google
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( [email protected]_ 8.26.32.11 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-26 22:13:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-28 21:58:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-02-26 11:59:50 294,912 -c----w C:\WINDOWS\system32\dllcache\msctf.dll
- 2004-08-04 07:56:42 294,400 ----a-w C:\WINDOWS\system32\msctf.dll
+ 2008-02-26 11:59:50 294,912 ----a-w C:\WINDOWS\system32\msctf.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2005-11-30 16:56 1306624]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3Hotkey"="s3hotkey.exe" [2001-09-13 22:27 40960 C:\WINDOWS\system32\s3hotkey.exe]
"S3TRAY2"="S3Tray2.exe" [2002-02-21 17:38 69632 C:\WINDOWS\system32\S3Tray2.exe]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2002-02-22 13:12 249856]
"000StTHK"="000StTHK.exe" [2001-06-24 13:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-03-30 00:40 122880]
"TFNF5"="TFNF5.exe" [2001-08-04 03:08 73728 C:\WINDOWS\system32\TFNF5.exe]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2002-04-13 04:13 126976]
"Tpwrtray"="TPWRTRAY.EXE" [2002-03-20 13:38 217088 C:\WINDOWS\system32\TPWRTRAY.EXE]
"KAVPersonal50"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" [2005-08-30 22:51 139367]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-10-07 20:44 98304]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2005-12-13 08:49 217088]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 18:54 623992]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-18 13:05:56 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msvideo7"= STV680tg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-10-07 20:44 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2006-05-06 23:29 6656 C:\Program Files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\java.exe"=
"C:\\Program Files\\PLAN Australia\\PLAN Sales\\CRM.exe"=
"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\java.exe"=
"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\java.exe"=
"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\java.exe"=
"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\java.exe"=
"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\java.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\java.exe"=

R1 Klmc;Klmc;C:\WINDOWS\system32\drivers\klmc.sys [2005-08-30 22:52]
R2 InterBaseGuardian;Firebird Guardian Service;C:\Program Files\Firebird\bin\ibguard -s []
R3 InterBaseServer;Firebird Server;C:\Program Files\Firebird\bin\ibserver -s []

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 17:39:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\InterBaseGuardian]
"ImagePath"="C:\Program Files\Firebird\bin\ibguard -s"

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\InterBaseServer]
"ImagePath"="C:\Program Files\Firebird\bin\ibserver -s"
.
Completion time: 2008-05-29 17:42:45
ComboFix-quarantined-files.txt 2008-05-29 07:42:31
ComboFix2.txt 2008-05-28 13:53:22
ComboFix3.txt 2008-05-28 13:32:34
ComboFix4.txt 2008-05-28 12:41:32
ComboFix5.txt 2008-05-27 07:52:52

Pre-Run: 18,120,978,432 bytes free
Post-Run: 18,107,678,720 bytes free

120 --- E O F --- 2008-05-28 14:02:37



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:08:36 AM, on 29/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Firebird\bin\ibguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Firebird\bin\ibserver.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\s3hotkey.exe
C:\WINDOWS\system32\S3Tray2.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.iprimus.com.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;172.16.*;172.17.*;172.18.*;172.19.*;172.20.*;172.21.*;172.22.*;172.23.*;172.24.*;172.25.*;172.26.*;172.27.*;172.28.*;172.29.*;172.30.*;172.31.*;192.168.*;*.IPrimus.com.au;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TouchED] "C:\Program Files\TOSHIBA\TouchED\TouchED.Exe"
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.l...lscbase5059.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1153354204024
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5625595-F689-4A2E-B263-9AB15D007D52}: NameServer = 203.134.64.66,203.134.65.66
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Firebird Guardian Service (InterBaseGuardian) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe

--
End of file - 9545 bytes

#11 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
You may fix that no name toolbar if you like. It's the Google Toolbar. Or just reinstall it if it's not showing up in your browser.

Firebird may slow things down a tad. I saw that the service was still running even though the file seems to be missing. We can remove it.

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

@echo off
rem Stop and then unregister the two Firebird services
sc stop InterBaseGuardian
sc delete InterBaseGuardian
sc stop InterBaseServer
sc delete InterBaseServer
rem Remove this batch file once it has run (it is double-clicked from its own folder)
del delete.bat


Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.


Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.
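Before running `sc delete` on a service that HijackThis reports as "(file missing)", it is worth checking whether the binary is really gone. In this thread's logs the ComboFix section shows both Firebird ImagePath values unquoted and containing spaces (`C:\Program Files\Firebird\bin\ibguard -s`), and the running-process list shows ibguard.exe and ibserver.exe alive, so the "C:\Program.exe (file missing)" text is HijackThis truncating the path at the first space rather than evidence of a vanished file. The script below is an added example, not part of the forum thread and not code from HijackThis or ComboFix: it parses the O23 lines from the log above together with the ImagePath values ComboFix printed, classifies each service, and emits `sc stop` / `sc delete` pairs only for services that are genuinely orphaned. The "ExampleOrphan" line in the sample is constructed to exercise that branch; everything else is copied from the log.

```python
"""Triage HijackThis O23 service entries against the registry ImagePath values.

Added example (not part of the forum thread, HijackThis or ComboFix). It decides
whether a service HijackThis reports as "(file missing)" is really orphaned, or
whether the report is just HijackThis truncating an unquoted ImagePath at its
first space, and emits sc.exe commands only for the genuinely orphaned ones.
"""
import re

# Constructed sample: the O23 lines from the HijackThis log above, plus one
# hypothetical "ExampleOrphan" service whose binary really is gone.
SAMPLE_O23 = "\n".join([
    r"O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe",
    r"O23 - Service: Firebird Guardian Service (InterBaseGuardian) - Unknown owner - C:\Program.exe (file missing)",
    r"O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)",
    r"O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe",
    r"O23 - Service: Example Orphan (ExampleOrphan) - Unknown owner - C:\WINDOWS\system32\gone.exe (file missing)",
])

# ImagePath values exactly as ComboFix printed them for the two Firebird services.
SAMPLE_IMAGEPATHS = {
    "InterBaseGuardian": r"C:\Program Files\Firebird\bin\ibguard -s",
    "InterBaseServer": r"C:\Program Files\Firebird\bin\ibserver -s",
}

# HijackThis prints "DisplayName (ServiceKey)" when the two differ; sc.exe wants the key.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<key>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def parse_o23(text):
    """Return one dict per O23 line; lines that do not match the format are skipped."""
    services = []
    for line in text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        services.append({
            "key": m["key"] or m["display"],
            "display": m["display"],
            "owner": m["owner"],
            "path": m["path"],
            "file_missing": m["missing"] is not None,
        })
    return services


def unquoted_with_spaces(image_path):
    r"""True when the ImagePath is unquoted and its executable part contains a space.

    Windows resolves such a path one space at a time (C:\Program, then
    C:\Program Files\Firebird\bin\ibguard, ...); HijackThis instead stops at the
    first space, which is why the log shows "C:\Program.exe (file missing)".
    """
    p = image_path.strip()
    if p.startswith('"'):
        return False
    end = p.lower().find(".exe")
    exe_part = p if end == -1 else p[:end]   # arguments after the .exe do not matter
    return " " in exe_part


def triage(services, image_paths):
    """Classify each service as 'ok', 'orphaned' or 'unquoted-path'."""
    findings = []
    for svc in services:
        image_path = image_paths.get(svc["key"])
        if not svc["file_missing"]:
            verdict = "ok"
        elif image_path and unquoted_with_spaces(image_path):
            verdict = "unquoted-path"   # binary is probably present; check on disk first
        else:
            verdict = "orphaned"
        findings.append((svc["key"], verdict, image_path or svc["path"]))
    return findings


def sc_commands(findings):
    """sc.exe stop/delete pairs, only for services judged orphaned."""
    cmds = []
    for key, verdict, _ in findings:
        if verdict == "orphaned":
            cmds.append(f"sc stop {key}")
            cmds.append(f"sc delete {key}")
    return cmds


if __name__ == "__main__":
    results = triage(parse_o23(SAMPLE_O23), SAMPLE_IMAGEPATHS)
    for key, verdict, path in results:
        print(f"{verdict:14} {key:20} {path}")
    print("\n".join(sc_commands(results)))
```

Run on the sample, the two Firebird entries come back as "unquoted-path" and no `sc` commands are generated for them; only the constructed ExampleOrphan gets a stop/delete pair. Whether to keep Firebird is then a question of whether the user still needs it, not of a missing file.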

#12 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.