Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

"VIRUS ALERT!" In System time. Task manager disabled [CL

Started by Spear , Jun 03 2008 10:32 PM

  • This topic is locked This topic is locked

#1
Spear
Posted 03 June 2008 - 10:32 PM

Spear

    New Member

  • Member
  • Pip
  • 2 posts
HEY ALL! I know you've run into this one before, but Every fix is a little different from what I've read so far. Hope you can help me :)


* System time has VIRUS ALERT!
* Task manager disabled
* No Control Panel
* No My Computer
* No My Documents
* Regedit disabled
* No Cmd
* No Local C: drive

**Also have occasional popups saying that I have a virus or spyware that aren't sent by my AV.



Hijack this says:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:32: VIRUS ALERT!, on 6/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Vampirefreaks\vfalerter.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\Rapido\brontok-washer\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {10B5E5C2-8901-4E3C-BF61-AC6E11039292} - C:\WINDOWS\system32\iifcBuRk.dll
O2 - BHO: (no name) - {456AF477-DAC5-45B0-95CF-F5FAF73AB52C} - C:\WINDOWS\system32\tuvsQkkK.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: atfxqogp - {910EF077-8B76-4A3C-B201-A5CAABA866F8} - C:\WINDOWS\atfxqogp.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe /auto
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [188435b9] rundll32.exe "C:\WINDOWS\system32\xaxisxrx.dll",b
O4 - HKLM\..\RunOnce: [Trojan Remover] "C:\Program Files\Trojan Remover\RMVTRJAN.EXE" /restart
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [antivirus-2008pro.exe] C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Alerter.lnk = C:\Program Files\Vampirefreaks\vfalerter.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: iifcBuRk - C:\WINDOWS\SYSTEM32\iifcBuRk.dll
O21 - SSODL: vltdfabw - {09CD0C7E-5C69-4A3B-AD3F-58A594511456} - C:\WINDOWS\vltdfabw.dll
O21 - SSODL: vregfwlx - {06F2F9A2-8716-4366-B6DC-CED11F8B0BFD} - C:\WINDOWS\vregfwlx.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 6395 bytes

Edited by Spear, 03 June 2008 - 10:43 PM.

  • 0

Advertisements

#2
Mike
Posted 04 June 2008 - 09:22 AM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi ,

I am currently reviewing your log and will post back soon.

Please take note of the following points.
  • Please keep in mind that there may be a time difference between us, If you are not in the GMT +1 time zone, than you can expect a slight delay.
  • Please do not run any tools other than what I request of you to run. Some of the tools we will use are very powerful, and using them without the required knowledge could cause more damage and prove to be more troublesome than the problem you are currently facing.
  • If at any time you have a doubt about what you are to do, please stop there and ask. No question is considered dumb here at GeeksToGo!.

Thanks,

Mike :)
  • 0

#3
Mike
Posted 04 June 2008 - 09:29 AM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there Spear and welcome to GeeksToGo!

Please follow my instructions in the order they were given, if you come across something you don't understand or don't feel comfortable doing, don't hesitate to ask and I will get you sorted out :)
If you cannot complete a step in my instructions, please skip it and continue with the rest of my instructions and tell me in your next reply which one you were having trouble with.

Do you recognize this program? Vampirefreaks, if so could you tell me what it is? Is it related to the VampireFreaks radio?

Please fix this line with Hijack This: Go to "Scan Only", click on the checkbox next to this item, then press "Fix checked" near the bottom of the program.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2

Please go here to install the recovery console and for a guide on using combofix.
Please note: Installing the Recovery Console plays a vital part in making this process of cleaning your computer safe, please don't overlook this!

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#4
Spear
Posted 04 June 2008 - 04:21 PM

Spear

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
I Followed the instructions on the site you gave me, but it didnt give me a confirmation that install a the recovery console was complete, somethign tells me it didnt install properly. :)

Here are the logs you requested



OH! Vampirefreaks is my alerter of new comment, messages, invites, ect for the social networking site of Vampirefreaks.com. Been workign for the site for about 4 years now and the alerter has been on my system for about 4 months. :)

Combofix Log

ComboFix 08-06-03.4 - Owner 2008-06-04 9:19:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.263 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus-2008pro.lnk
C:\Documents and Settings\Owner\Desktop\Error Cleaner.url
C:\Documents and Settings\Owner\Desktop\Privacy Protector.url
C:\Documents and Settings\Owner\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Owner\Favorites\Error Cleaner.url
C:\Documents and Settings\Owner\Favorites\Privacy Protector.url
C:\Documents and Settings\Owner\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\Owner\Start Menu\Programs\Antivirus 2008 PRO
C:\Documents and Settings\Owner\Start Menu\Programs\Antivirus 2008 PRO\antivirus-2008pro.lnk
C:\Program Files\Antivirus 2008 PRO
C:\Program Files\Antivirus 2008 PRO\vscan.tsi
C:\Program Files\Antivirus 2008 PRO\zlib.dll
C:\WINDOWS\atfxqogp.dll
C:\WINDOWS\system32\iifcBuRk.dll
C:\WINDOWS\system32\KkkQsvut.ini
C:\WINDOWS\system32\KkkQsvut.ini2
C:\WINDOWS\system32\xrxsixax.ini
C:\WINDOWS\vltdfabw.dll
C:\WINDOWS\vregfwlx.dll
C:\WINDOWS\xmpstean.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.

2008-06-03 20:12 . 2008-06-03 20:12 95,232 --a------ C:\WINDOWS\system32\xaxisxrx.dll.vir
2008-06-03 20:02 . 2008-06-04 09:04 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-03 20:01 . 2008-06-03 20:01 <DIR> d-------- C:\Program Files\Trojan Remover
2008-06-03 20:01 . 2008-06-03 20:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Simply Super Software
2008-06-03 20:01 . 2008-06-03 20:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-06-03 20:01 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-06-03 20:01 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-06-03 20:01 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-06-03 20:01 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-06-03 20:01 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-06-03 16:39 . 2008-06-03 18:57 <DIR> d---s---- C:\Documents and Settings\Administrator
2008-06-03 16:36 . 2008-06-03 19:27 45 --a------ C:\contactlist.xml
2008-06-03 15:21 . 2008-06-03 15:21 324,352 --a------ C:\WINDOWS\system32\tuvsQkkK.dll.vir
2008-06-03 15:13 . 2008-06-03 04:52 282,624 --a------ C:\WINDOWS\boqnrwdmdev.dll.vir
2008-06-03 15:13 . 2008-06-03 04:52 139,264 --a------ C:\WINDOWS\esbq.exe
2008-06-03 15:01 . 2008-06-03 15:01 <DIR> d-------- C:\Program Files\VirtualDJ
2008-06-03 12:39 . 2008-06-03 12:47 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Ableton
2008-06-03 12:39 . 2008-03-14 13:22 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-06-03 12:36 . 2008-06-03 12:36 <DIR> d-------- C:\Program Files\Ableton
2008-05-29 20:54 . 2008-05-29 20:56 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Media Player Classic
2008-05-28 18:32 . 2008-05-28 18:32 <DIR> d-------- C:\Program Files\Alarm
2008-05-28 18:32 . 2000-05-21 23:00 140,488 --a------ C:\WINDOWS\system32\comdlg32.ocx
2008-05-28 18:32 . 2007-04-29 23:24 61,440 --a------ C:\WINDOWS\system32\digitbox.ocx
2008-05-15 09:16 . 2008-05-15 09:16 <DIR> d-------- C:\Program Files\Vampirefreaks
2008-05-07 09:40 . 2008-05-07 09:40 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-05-07 09:40 . 2008-05-07 09:40 <DIR> d-------- C:\Program Files\Adobe Media Player
2008-05-07 09:18 . 2008-06-04 15:08 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\skypePM
2008-05-07 09:18 . 2008-06-03 18:42 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-07 09:17 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-05-07 09:17 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-05-07 09:16 . 2008-05-07 09:16 <DIR> d-------- C:\Program Files\Skype
2008-05-07 09:16 . 2008-05-07 09:16 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-07 09:16 . 2008-05-07 09:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-05-07 09:16 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-05-07 09:16 . 2004-08-03 23:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 22:08 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype
2008-06-04 01:57 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2008-05-27 08:48 --------- d-----w C:\Program Files\Azureus
2008-05-26 09:52 --------- d-----w C:\Program Files\Desktop Clock
2008-04-10 22:42 --------- d-----w C:\Program Files\Logon Loader
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-14 20:22 368,640 ----a-w C:\WINDOWS\system32\ReWire.dll
2008-03-14 20:22 233,472 ----a-w C:\WINDOWS\system32\REX Shared Library.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{456AF477-DAC5-45B0-95CF-F5FAF73AB52C}]
C:\WINDOWS\system32\tuvsQkkK.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{910EF077-8B76-4A3C-B201-A5CAABA866F8}"= "C:\WINDOWS\atfxqogp.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{910ef077-8b76-4a3c-b201-a5caaba866f8}]
[HKEY_CLASSES_ROOT\atfxqogp.1]
[HKEY_CLASSES_ROOT\TypeLib\{F25C07D1-1C0E-416F-8147-20AF5007A3F5}]
[HKEY_CLASSES_ROOT\atfxqogp]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-07 00:33 8720384]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 19:03 152872]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-04-23 17:45 22058792]
"antivirus-2008pro.exe"="C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 19:47 204800]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-02-10 11:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-02-10 11:51 118784]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-21 16:13 262401]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-11-02 11:33 1115728]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16 286720]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-21 13:23 185896]
"MSConfig"="C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe" [2004-08-12 07:00 158208]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-05-21 14:00 877136]
"188435b9"="C:\WINDOWS\system32\xaxisxrx.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-07 00:33 8720384]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Alerter.lnk - C:\Program Files\Vampirefreaks\vfalerter.exe [2008-01-23 08:10:58 9752064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\Documents and Settings\\Owner\\Desktop\\Random\\Minimalist_Black_by_windlord\\logonui_technics_final.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2007-07-02 03:27 219520 C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My App]
C:\Program Files\Desktop Clock\Desktop Clock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2kAutostart]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-05-07 15:11]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-31 22:17:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 15:04:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-06-04 15:17:16 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-06-04 22:16:09

Pre-Run: 23,250,038,784 bytes free
Post-Run: 26,521,726,976 bytes free

170 --- E O F --- 2008-05-17 10:02:51






HiJackThis! Log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:18, on 6/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Vampirefreaks\vfalerter.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\Desktop\Rapido\brontok-washer\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {456AF477-DAC5-45B0-95CF-F5FAF73AB52C} - C:\WINDOWS\system32\tuvsQkkK.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: atfxqogp - {910EF077-8B76-4A3C-B201-A5CAABA866F8} - C:\WINDOWS\atfxqogp.dll (file missing)
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe /auto
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [188435b9] rundll32.exe "C:\WINDOWS\system32\xaxisxrx.dll",b
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [antivirus-2008pro.exe] C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Alerter.lnk = C:\Program Files\Vampirefreaks\vfalerter.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 6191 bytes


  • 0

#5
Mike
Posted 05 June 2008 - 03:47 AM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi again Spear,

This line : O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe /auto shows me that you have some startup items disabled, could you please renable them.

Step 1. Jotti Scan

  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan"box on the top of the page:

    • C:\WINDOWS\esbq.exe
  • Click on the submit button
  • Please post the results in your next reply.

Please do the same for C:\WINDOWS\system32\MFC71.dll

Step 2. Installing the Recovery Console

I would like you to install the Recovery Console.
The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware. If you use Windows XP and have a Windows CD, you will not need to do this step.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.

Posted Image

Download the file & save it as it's originally named, next to ComboFix.exe.

Posted Image

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

After you have done this proceed with the next steps.

Step 3. Making a CFScript

First off, re-open hijack this and fix this line:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2

Close Hijack This.

Please click Start then Run, in the window appears type in Notepad.exe.
Highlight the entire content of the codebox below. Copy (Control + C) and Paste (Control + V) the content into the notepad window:
File::
C:\WINDOWS\system32\xaxisxrx.dll.vir
C:\contactlist.xml
C:\WINDOWS\system32\tuvsQkkK.dll.vir
C:\WINDOWS\boqnrwdmdev.dll.vir
C:\WINDOWS\system32\ezsidmv.dat
C:\WINDOWS\system32\tuvsQkkK.dll
C:\WINDOWS\system32\xaxisxrx.dll

Folder::
C:\Documents and Settings\Owner\Start Menu\Programs\IMVU

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{456AF477-DAC5-45B0-95CF-F5FAF73AB52C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{910EF077-8B76-4A3C-B201-A5CAABA866F8}"=-

[-HKEY_CLASSES_ROOT\clsid\{910ef077-8b76-4a3c-b201-a5caaba866f8}]

[-HKEY_CLASSES_ROOT\atfxqogp.1]

[-HKEY_CLASSES_ROOT\TypeLib\{F25C07D1-1C0E-416F-8147-20AF5007A3F5}]

[-HKEY_CLASSES_ROOT\atfxqogp]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"antivirus-2008pro.exe"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"188435b9"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{d9288080-1baa-4bc4-9cf8-a92d743db949}]
Now in Notepad, go to File and in the menu that drops down click on Save As...
Save the file as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
Posted Image

After that please reboot your computer if it asks you to and post ComboFix.txt (the report the ComboFix will generate) in your next reply.

In your next reply

Please post the log from Combofix (the log thats produced when you use the CFScript)
Please post the log from Hijack This. (after running ComboFix.)
Please post the log from Jotti.

If the logs are to big to fit in one reply please spread them out over multiple replies.

Edited by Mike, 05 June 2008 - 03:47 AM.

  • 0

#6
Mike
Posted 14 June 2008 - 04:15 AM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP