Trojan Problems



#1 fright01 (Member, 11 posts)
So my issue is much like another's issue: http://www.geekstogo...73#entry1247973
I got as far as the end; the only difference is that I was able to run ComboFix.
If you would like the file that likely caused the problems, I know what it was.

I tried fitting the log on here, but it won't fit, so I uploaded it with my ComboFix log to my Google Pages (see next post).

Edited by fright01, 29 May 2008 - 06:04 PM.


#2 fright01 (Topic Starter, Member, 11 posts)
Uhm, I can't fit it in even two messages, so I will upload it to my Google Pages. >.<
http://frightful720....om/OTScanIt.Txt
http://frightful720....om/ComboFix.Txt

Edited by fright01, 29 May 2008 - 06:03 PM.


#3 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello fright01

Welcome to G2Go. :)
=====================
Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found, then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum.
==============
Then please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#4 fright01 (Topic Starter, Member, 11 posts)
SDFix: Version 1.186
Run by Administrator on Thu 05/29/2008 at 04:35 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting


Checking Files :

Trojan Files Found:

C:\Temp\vtmp2\ktnv33.log - Deleted
C:\WINDOWS\system32\vntiho06\vntiho061083.exe - Deleted
C:\WINDOWS\x.exe - Deleted
C:\WINDOWS\y.exe - Deleted
C:\WINDOWS\accesss.exe - Deleted
C:\WINDOWS\astctl32.ocx - Deleted
C:\WINDOWS\avpcc.dll - Deleted
C:\WINDOWS\clrssn.exe - Deleted
C:\WINDOWS\cpan.dll - Deleted
C:\WINDOWS\ctfmon32.exe - Deleted
C:\WINDOWS\ctrlpan.dll - Deleted
C:\WINDOWS\default.htm - Deleted
C:\WINDOWS\directx32.exe - Deleted
C:\WINDOWS\dnsrelay.dll - Deleted
C:\WINDOWS\editpad.exe - Deleted
C:\WINDOWS\explore.exe - Deleted
C:\WINDOWS\explorer32.exe - Deleted
C:\WINDOWS\funniest.exe - Deleted
C:\WINDOWS\funny.exe - Deleted
C:\WINDOWS\gfmnaaa.dll - Deleted
C:\WINDOWS\helpcvs.exe - Deleted
C:\WINDOWS\iedll.exe - Deleted
C:\WINDOWS\iexplorer.exe - Deleted
C:\WINDOWS\inetinf.exe - Deleted
C:\WINDOWS\internet.exe - Deleted
C:\WINDOWS\loader.exe - Deleted
C:\WINDOWS\msconfd.dll - Deleted
C:\WINDOWS\msspi.dll - Deleted
C:\WINDOWS\mssys.exe - Deleted
C:\WINDOWS\msupdate.exe - Deleted
C:\WINDOWS\mswsc10.dll - Deleted
C:\WINDOWS\mswsc20.dll - Deleted
C:\WINDOWS\mtwirl32.dll - Deleted
C:\WINDOWS\notepad32.exe - Deleted
C:\WINDOWS\olehelp.exe - Deleted
C:\WINDOWS\qttasks.exe - Deleted
C:\WINDOWS\quicken.exe - Deleted
C:\WINDOWS\rundll16.exe - Deleted
C:\WINDOWS\rundll32.vbe - Deleted
C:\WINDOWS\searchword.dll - Deleted
C:\WINDOWS\sistem.exe - Deleted
C:\WINDOWS\svchost32.exe - Deleted
C:\WINDOWS\svcinit.exe - Deleted
C:\WINDOWS\systeem.exe - Deleted
C:\WINDOWS\systemcritical.exe - Deleted
C:\WINDOWS\system32\hljwugsf.bin - Deleted
C:\WINDOWS\time.exe - Deleted
C:\WINDOWS\users32.exe - Deleted
C:\WINDOWS\waol.exe - Deleted
C:\WINDOWS\win32e.exe - Deleted
C:\WINDOWS\win64.exe - Deleted
C:\WINDOWS\winajbm.dll - Deleted
C:\WINDOWS\window.exe - Deleted
C:\WINDOWS\winmgnt.exe - Deleted
C:\WINDOWS\xplugin.dll - Deleted
C:\WINDOWS\xxxvideo.hta - Deleted



Folder C:\Temp\vtmp2 - Removed
Folder C:\WINDOWS\system32\vntiho06 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 16:41:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:ad,db,a3,87,40,e1,c9,07,54,9e,fb,18,57,90,8f,d6,5a,ce,7e,86,5f,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,02,64,67,14,ba,e2,2a,ef,9e,d3,ec,c8,22,e5,b6,05,b4,..
"khjeh"=hex:fa,1d,55,ae,fd,20,82,58,be,41,bb,c6,36,ea,19,af,11,51,bb,18,eb,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:f8,46,ce,a5,9a,d5,45,54,47,31,5f,36,90,ea,69,96,7e,94,70,f7,40,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:ad,db,a3,87,40,e1,c9,07,54,9e,fb,18,57,90,8f,d6,5a,ce,7e,86,5f,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,02,64,67,14,ba,e2,2a,ef,9e,d3,ec,c8,22,e5,b6,05,b4,..
"khjeh"=hex:fa,1d,55,ae,fd,20,82,58,be,41,bb,c6,36,ea,19,af,11,51,bb,18,eb,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:f8,46,ce,a5,9a,d5,45,54,47,31,5f,36,90,ea,69,96,7e,94,70,f7,40,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\TightVNC\\WinVNC.exe"="C:\\Program Files\\TightVNC\\WinVNC.exe:*:Enabled:TightVNC Win32 Server"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :

C:\WINDOWS\accesss.exe Found
C:\WINDOWS\astctl32.ocx Found
C:\WINDOWS\avpcc.dll Found
C:\WINDOWS\default.htm Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :


Finished!
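A check worth making on the report above: four of the files SDFix reported as deleted (accesss.exe, astctl32.ocx, avpcc.dll and default.htm under C:\WINDOWS) are listed again under "Remaining Files", so they were recreated between the cleanup pass and the final check, which means something still running, or something started on the reboot in between, put them back. The parser below is an added example, not part of this thread and not SDFix's own code; it reads an SDFix-style report, computes that "deleted but back again" set, and lists the programs the exported firewall policy allows through. Section names and line formats follow the posted log; SAMPLE_REPORT is a constructed excerpt of it with most entries dropped.

```python
"""Parse an SDFix-style report: files it deleted, files still present at its
final check, and programs the exported firewall policy lets through.
Added example for this thread, not SDFix code.  SAMPLE_REPORT is a
constructed excerpt of the log posted above."""
import re

SAMPLE_REPORT = r"""SDFix: Version 1.186

Trojan Files Found:

C:\WINDOWS\x.exe - Deleted
C:\WINDOWS\accesss.exe - Deleted
C:\WINDOWS\astctl32.ocx - Deleted
C:\WINDOWS\avpcc.dll - Deleted
C:\WINDOWS\default.htm - Deleted

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\TightVNC\\WinVNC.exe"="C:\\Program Files\\TightVNC\\WinVNC.exe:*:Enabled:TightVNC Win32 Server"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

C:\WINDOWS\accesss.exe Found
C:\WINDOWS\astctl32.ocx Found
C:\WINDOWS\avpcc.dll Found
C:\WINDOWS\default.htm Found

Finished!
"""

DELETED_RE = re.compile(r"^([A-Za-z]:\\.+?) - Deleted$")
REMAINING_RE = re.compile(r"^([A-Za-z]:\\.+?) Found$")
REG_KEY_RE = re.compile(r"^\[([^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"$')


def parse_report(text):
    """Return {'deleted': [...], 'remaining': [...], 'firewall': {profile: [rule, ...]}}."""
    report = {"deleted": [], "remaining": [], "firewall": {}}
    section = profile = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):                  # "Remaining Files :" -> "remaining files"
            section = line[:-1].strip().lower()
            continue
        if section == "trojan files found":
            m = DELETED_RE.match(line)
            if m:
                report["deleted"].append(m.group(1))
        elif section == "remaining files":
            m = REMAINING_RE.match(line)
            if m:
                report["remaining"].append(m.group(1))
        elif section == "authorized application key export":
            m = REG_KEY_RE.match(line)
            if m:                               # ...\firewallpolicy\<profile>\authorizedapplications\list
                profile = m.group(1).lower().split("\\")[-3]
                report["firewall"].setdefault(profile, [])
                continue
            m = REG_VALUE_RE.match(line)
            if m and profile:
                # data is "<path>:<scope>:<Enabled|Disabled>:<name>"; split from the
                # right so the drive-letter colon inside <path> is left alone
                f = m.group(2).rsplit(":", 3)
                report["firewall"][profile].append({
                    "path": m.group(1).replace("\\\\", "\\"),   # undo .reg escaping
                    "enabled": len(f) == 4 and f[2].lower() == "enabled",
                    "name": f[3] if len(f) == 4 else "",
                })
    return report


def reappeared(report):
    """Files 'Deleted' in the cleanup pass but 'Found' again at the final check:
    something still active put them back, so these are the ones to chase next."""
    deleted = {p.lower() for p in report["deleted"]}
    return sorted(p for p in report["remaining"] if p.lower() in deleted)


def enabled_firewall_apps(report, profile="standardprofile"):
    """Programs allowed through the Windows Firewall for the given profile."""
    return [r["path"] for r in report["firewall"].get(profile, []) if r["enabled"]]


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    for path in reappeared(rep):
        print("came back after deletion:", path)
    for path in enabled_firewall_apps(rep):
        print("allowed through firewall (standard profile):", path)
```

The firewall list deserves a glance in any report like this: the standard profile above allows WinVNC.exe, TightVNC's remote-desktop server. Whether it was installed intentionally is not something the thread says, so it is a question for the machine's owner rather than a finding.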

#5 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
OK, can you please run the DSS scanner and post the reports here?
Thanks.

( If they won't fit please upload them as you had earlier )

#6 fright01 (Topic Starter, Member, 11 posts)
http://frightful720....es.com/main.txt
http://frightful720....s.com/extra.txt

Just some more information. My Task Manager is disabled by the administrator (me). I did some research and checked in my Group Policy, and the virus has deleted the administrative templates and software settings from both User and Computer.

Edited by fright01, 29 May 2008 - 06:35 PM.


#7 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hi, I believe that you have a virus infection that has infected some system files.

Please submit the following files to one of these online file scanners.
(All you have to do is copy and paste them in one at a time)

C:\WINDOWS\system32\zipfldr.dll
C:\WINDOWS\system32\xpsp2res.dll
C:\WINDOWS\system32\setupapi.dll


Jotti File Scan
VirusTotal File Scan

This will produce a report after the scan is complete, please copy and paste those results in your next post.

#8 fright01 (Topic Starter, Member, 11 posts)
C:\WINDOWS\system32\zipfldr.dll

Scan taken on 30 May 2008 00:52:38 (GMT). A-Squared, AntiVir, ArcaVir, Avast, AVG Antivirus, BitDefender, ClamAV, CPsecure, Dr.Web, F-Prot Antivirus, F-Secure Anti-Virus, Fortinet, Ikarus, Kaspersky Anti-Virus, NOD32, Norman Virus Control, Panda Antivirus, Sophos Antivirus, VirusBuster, VBA32: all found nothing.

C:\WINDOWS\system32\xpsp2res.dll
Also found nothing.

C:\WINDOWS\system32\setupapi.dll
Again, found nothing.

I will try the other scanner, but I don't think that's it :)

Edit:
Again, nothing found. And I went to install Kaspersky AV and, uhm, apparently I have also disabled installation :) >.<

Edit 2: Did a scan on patcher.exe.
Here is the scan on that. Mostly got Win32 Trojan Dropper.
http://www.virustota...8e8cffd08e38ef6

and another file that came with it:
http://www.virustota...af70c663d353ed5


Ohh, fun :) I was, uhm, using a random Task Manager fixer that adds all the registry keys needed to enable Task Manager... and just randomly, quickly hit Ctrl+Alt+Del, and it worked O.o :) Well, the processes running are only 'vbpdtvdp.exe'. That's the only unusual one.

Edited by fright01, 29 May 2008 - 08:21 PM.


#9 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then click OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\y.exe
C:\WINDOWS\xplugin.dll
C:\WINDOWS\x.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\window.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\win64.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\users32.exe
C:\WINDOWS\time.exe
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\svchost32.exe
C:\WINDOWS\sistem.exe
C:\WINDOWS\searchword.dll
C:\WINDOWS\rundll16.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\qttasks.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\notepad32.exe
C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\msupdate.exe
C:\WINDOWS\mssys.exe
C:\WINDOWS\msspi.dll
C:\WINDOWS\msconfd.dll
C:\WINDOWS\loader.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\inetinf.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\iedll.exe
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\funny.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\editpad.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\directx32.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\cpan.dll
C:\WINDOWS\clrssn.exe
C:\WINDOWS\avpcc.dll
C:\WINDOWS\accesss.exe
C:\WINDOWS\system32\vbpdtvdp.exe 
C:\WINDOWS\system32\ea4c002.dll 
C:\WINDOWS\system32\1f26b5c8.dll 
C:\WINDOWS\system32\a85400.dll 
C:\WINDOWS\system32\17cddf.dll 
C:\WINDOWS\system32\35b57048.dll 
C:\WINDOWS\system32\153ab180.dll 
C:\WINDOWS\system32\6156e58.dll 
C:\WINDOWS\system32\1746267c.dll 
C:\WINDOWS\system32\c2acd0b.dll 
C:\WINDOWS\system32\1b64237e.dll 
C:\WINDOWS\system32\f8b044b.dll 
C:\WINDOWS\system32\2788261b.dll 
C:\WINDOWS\system32\104c9740.dll 
C:\WINDOWS\system32\2bb67ff7.dll 
C:\WINDOWS\system32\c261a9.dll 
C:\WINDOWS\system32\1687d9de.dll 
C:\WINDOWS\system32\1c774c5d.dll 
C:\WINDOWS\system32\180fba62.dll 
C:\WINDOWS\system32\c6c396.dll 
C:\WINDOWS\system32\79491f4.dll 
C:\WINDOWS\system32\16842ab0.dll 
C:\WINDOWS\system32\11c69e70.dll 
C:\WINDOWS\system32\5b595d6.dll 
C:\WINDOWS\system32\1ac9c9ae.dll 
C:\WINDOWS\system32\cebf434.dll
C:\WINDOWS\system32\2444092f.dll 
C:\WINDOWS\system32\1ada4106.dll 
C:\WINDOWS\system32\1074d19a.dll
C:\WINDOWS\system32\35a1aec.dll 
C:\WINDOWS\system32\16468728.dll 
C:\WINDOWS\system32\2195cee0.dll 
C:\WINDOWS\system32\1e77b45e.dll
C:\WINDOWS\system32\afc25c4.dll 
C:\WINDOWS\system32\26631bd9.dll 
C:\WINDOWS\system32\1cde2f8.dll 
C:\WINDOWS\system32\10f01bca.dll 
C:\WINDOWS\system32\46bc4c8.dll
C:\WINDOWS\system32\1299b6.dll
C:\WINDOWS\system32\{b3f49b3c-a0e8-1cd9-80e5-5b9c92ca3617}.dll
C:\Documents and Settings\Administrator\Application Data\Microsoft\dtsc\16434.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\DW_Start.lnk
C:\WINDOWS\pss\DW_Start.lnk
c:\windows\system32\rwwnw64d.exe
C:\WINDOWS\astctl32.ocx 
C:\WINDOWS\default.htm  
Folder::
C:\WINDOWS\system32\vd2
C:\WINDOWS\system32\rev3
C:\WINDOWS\system32\bTMP
C:\WINDOWS\system32\acom1
C:\WINDOWS\system32\1026c
C:\Program Files\webHancer
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=dword:00000000
"NoSMConfigurePrograms"=dword:00000000
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe"
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Installer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^DW_Start.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{379ad676-b32b-39cc-fd97-52283b7ccd07}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.


#10 fright01 (Topic Starter, Member, 11 posts)
http://frightful720..../hijackthis.log
http://frightful720....om/ComboFix.txt

Okay, there :) I am going to restart again to see if the virus comes back... but I think it's gone. Also, somehow sometime last night the install for Kaspersky AV worked. So I have that running as active protection. So the virus hasn't really been doing much but sometimes annoying me. And it has stopped lately.

Well, I think it works. :) But I'll keep Kaspersky, and maybe get AVG or something. Well, thanks, I will come back and post anything else in this post. Or should I make a new one? Thanks again, KahDah.

Edited by fright01, 30 May 2008 - 06:19 PM.


#11 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then click OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KILLALL::

File::
C:\WINDOWS\xxxvideo.hta
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\system32\1804830.dll
C:\WINDOWS\system32\150d8085.dll
C:\WINDOWS\system32\1fbe1e8.dll
C:\WINDOWS\system32\12399770.dll
C:\WINDOWS\system32\2fcd04a.dll
C:\WINDOWS\system32\1042422a.dll
C:\WINDOWS\system32\1856ec29.dll
C:\WINDOWS\system32\11a3453c.dll
C:\WINDOWS\system32\ba2abf1.dll
C:\WINDOWS\system32\340a781.dll
C:\WINDOWS\system32\767ffa.dll
C:\WINDOWS\system32\6350868.dll
C:\WINDOWS\system32\e2ac92d.dll
C:\WINDOWS\system32\90ddd0c.dll
C:\WINDOWS\system32\b970916.dll
C:\WINDOWS\system32\154e793c.dll
C:\WINDOWS\system32\816b94f.dll
C:\WINDOWS\system32\13f15308.dll
C:\WINDOWS\system32\b49d9e.dll
C:\WINDOWS\system32\a0c8c58.dll
C:\WINDOWS\system32\b9473f2.dll
C:\WINDOWS\system32\1cf2462d.dll
C:\WINDOWS\system32\9d7b206.dll
C:\WINDOWS\system32\61b5718.dll
C:\WINDOWS\system32\17476c80.dll
C:\WINDOWS\system32\13e21e7.dll
C:\WINDOWS\system32\813d4a3.dll
C:\WINDOWS\system32\421ccb9.dll
C:\WINDOWS\system32\2684efec.dll
C:\WINDOWS\system32\123f148.dll
C:\WINDOWS\system32\b3ae60f.dll
C:\WINDOWS\system32\732459.dll
C:\WINDOWS\system32\1d20ac88.dll
C:\WINDOWS\system32\120e5d73.dll
C:\WINDOWS\system32\3f09b58.dll
C:\WINDOWS\system32\3a1ad08.dll
C:\WINDOWS\system32\209d61d4.dll
C:\WINDOWS\system32\11e25984.dll
C:\WINDOWS\system32\c6f036b.dll
C:\WINDOWS\system32\2806dea0.dll
C:\WINDOWS\system32\fe8febd.dll
C:\WINDOWS\system32\2900ba4c.dll
c:\windows\system32\rwwnw64d.exe
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{B4-4C-C5-56-DW}]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

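The CFScript files in posts #9 and #11 share one plain-text format: a section name followed by two colons (KILLALL::, File::, Folder::, Registry::), then one entry per line, with the Registry:: section in .reg syntax, where [key] selects a key, [-key] deletes it, "name"=- deletes a value and "name"=dword:... or "name"="..." sets one. In that syntax a value line belongs to the most recent [key] header, so a header that does not parse (a missing opening bracket, say) leaves the value lines under it either attached to the previous key or dropped, depending on the reader, and the fix silently lands in the wrong place. The checker below is an added example, not part of the thread and not ComboFix's own code: it parses a CFScript using my reading of the rules above (not a ComboFix specification), summarises what the script asks for, and reports lines that do not fit the format before the file is dragged onto ComboFix.exe. SAMPLE_SCRIPT is a constructed excerpt in the same shape with one key header deliberately missing its bracket; SAMPLE_SCRIPT_FIXED is the same text with the bracket restored.

```python
"""Check a ComboFix CFScript before running it: summarise the actions it
encodes and flag lines that do not fit the format.  Added example for this
thread, not ComboFix code; the rules are my reading of the posted scripts.
SAMPLE_SCRIPT is constructed, with one key header missing its bracket."""
import re

SAMPLE_SCRIPT = r"""KILLALL::

File::
C:\WINDOWS\y.exe
C:\WINDOWS\system32\vbpdtvdp.exe
C:\WINDOWS\astctl32.ocx
Folder::
C:\WINDOWS\system32\vd2
C:\Program Files\webHancer
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe"
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
"""
# Same script with the bracket restored, to show a clean parse.
SAMPLE_SCRIPT_FIXED = SAMPLE_SCRIPT.replace("\nHKEY_CURRENT_USER", "\n[HKEY_CURRENT_USER")

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
VALUE_RE = re.compile(
    r'^"([^"]+)"=(-|dword:[0-9A-Fa-f]{8}|"(?:[^"\\]|\\.)*"|hex:[0-9A-Fa-f]{2}(?:,[0-9A-Fa-f]{2})*)$')
PATH_RE = re.compile(r'^[A-Za-z]:\\[^<>"|?*]+$')
HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS", "HKEY_CLASSES_ROOT"}


def parse_cfscript(text):
    """Return (actions, problems): what the script asks ComboFix to do, and a
    list of (line_no, message) that should be resolved before running it."""
    actions = {"killall": False, "files": [], "folders": [],
               "keys_deleted": [], "values_deleted": [], "values_set": []}
    problems = []
    section = current_key = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()                  # posted scripts often carry trailing spaces
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            current_key = None
            if section == "killall":
                actions["killall"] = True
            continue
        if section in ("file", "folder"):
            if PATH_RE.match(line):
                actions["files" if section == "file" else "folders"].append(line)
            else:
                problems.append((no, "not an absolute Windows path: " + line))
        elif section == "registry":
            km, vm = KEY_RE.match(line), VALUE_RE.match(line)
            if km:
                key = km.group(2)
                if key.split("\\", 1)[0].upper() not in HIVES:
                    problems.append((no, "unknown registry hive in " + line))
                if km.group(1) == "-":
                    actions["keys_deleted"].append(key)
                    current_key = None      # nothing can be set under a deleted key
                else:
                    current_key = key
            elif vm:
                if current_key is None:
                    problems.append((no, "value line with no usable [key] header above it: " + line))
                elif vm.group(2) == "-":
                    actions["values_deleted"].append((current_key, vm.group(1)))
                else:
                    actions["values_set"].append((current_key, vm.group(1), vm.group(2)))
            else:
                # An unparsable header would re-home the value lines below it,
                # so treat it as invalidating the current key as well.
                problems.append((no, "unparsable Registry:: line: " + line))
                current_key = None
        elif section is None:
            problems.append((no, "text before any section header: " + line))
        else:
            problems.append((no, "section %s:: not handled by this checker" % section))
    return actions, problems


if __name__ == "__main__":
    for label, script in (("as written", SAMPLE_SCRIPT), ("fixed", SAMPLE_SCRIPT_FIXED)):
        actions, problems = parse_cfscript(script)
        print(label, {k: (v if isinstance(v, bool) else len(v)) for k, v in actions.items()})
        for no, msg in problems:
            print("  line %d: %s" % (no, msg))
```

On the sample as written the checker reports the bracketless header and, because it refuses to guess which key the following "DisableTaskMgr"=- belongs to, flags that value line too; only one DisableTaskMgr deletion is counted. With the bracket restored both deletions are counted and no problems remain.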

#12 fright01 (Topic Starter, Member, 11 posts)
http://frightful720....m/ComboFix2.txt
http://frightful720....hijackthis2.log

I am not sure if it is gone, but like I said, it has stopped bugging me.

#13 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Almost there. :)

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#14 fright01 (Topic Starter, Member, 11 posts)
Malwarebytes' Anti-Malware 1.14
Database version: 810

1:59:53 PM 5/31/2008
mbam-log-5-31-2008 (13-59-53).txt

Scan type: Quick Scan
Objects scanned: 33271
Time elapsed: 6 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\targetedbanner (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\{b3f49b3c-a0e8-1cd9-80e5-5b9c92ca3617}.dll-uninst.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.

#15 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
===========================================================
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as button:
  • Save the file in txt format to your desktop.
  • Post that information in your next post.
