Vundo.gen trojan and more I think.... [RESOLVED]



#1
th3coz

    New Member

  • Member
  • 8 posts
Hey all,

I'm really stuck here, starting yesterday I just started getting bombarded by malware. I've done a lot of reading and downloading various antivirus apps but nothing is working, it's just getting worse. TR/vundo.gen is the most popular virus showing up in my AV, but it's getting to the point where it just shuts down now from all the bombardment. Here are my HijackThis log and my ComboFix log that I tried. Any help is much appreciated.

**Edit** I dunno if it matters but I ran VundoFix 7.0.6 and it found nothing, yet my AV finds up to 50 vundo.gens on a scan. **Edit**

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:03, on 6/29/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
D:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearc...ce.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: gxvpsafm - {63733480-2CC8-4334-8627-35651AAF74F4} - C:\DOCUME~1\Marley\LOCALS~1\Temp\ac8zt2\gxvpsafm.dll (file missing)
O4 - HKLM\..\Run: [SMSystemAnalyzer] "d:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [70372535] rundll32.exe "C:\WINDOWS\System32\xjsuramx.dll",b
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [BM730416a9] Rundll32.exe "C:\WINDOWS\System32\djgnwosj.dll",s
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [msvecurity] C:\WINDOWS\msvecurity.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O21 - SSODL: pntqkflv - {02F5B585-193C-49E0-A11B-D19F6ED8DB13} - C:\WINDOWS\pntqkflv.dll
O21 - SSODL: qegbdmwf - {D5616AEF-47A0-48E5-975C-DDB64E15A06B} - C:\WINDOWS\qegbdmwf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5351 bytes

ComboFix 08-06-20.4 - Marley 2008-06-29 16:34:18.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.771 [GMT -4:00]
Running from: C:\Documents and Settings\Marley\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM730416a9.xml
C:\WINDOWS\efks.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\BJPoYGgh.ini
C:\WINDOWS\system32\BJPoYGgh.ini2
C:\WINDOWS\system32\ekfaivpu.ini
C:\WINDOWS\system32\giRYcfii.ini
C:\WINDOWS\system32\giRYcfii.ini2
C:\WINDOWS\system32\hgGYoPJB.dll
C:\WINDOWS\system32\lkQqqtwa.ini
C:\WINDOWS\system32\lkQqqtwa.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\qriraivu.ini
C:\WINDOWS\system32\rgjgvuda.ini
C:\WINDOWS\system32\vksawyuq.ini
C:\WINDOWS\system32\wsnpoem\audio.dll . . . . failed to delete
C:\WINDOWS\system32\wsnpoem\video.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-29 )))))))))))))))))))))))))))))))
.

2008-06-29 11:43 . 2008-06-29 11:43 <DIR> d-------- C:\Program Files\Avira
2008-06-29 11:43 . 2008-06-29 11:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-29 11:39 . 2008-06-29 12:16 <DIR> d-------- C:\Documents and Settings\TEMP.COZ
2008-06-28 21:28 . 2008-06-28 21:28 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-28 19:16 . 2008-06-21 11:35 3,262 --a------ C:\WINDOWS\system32\sex2.ico
2008-06-28 19:14 . 2008-06-28 19:14 <DIR> d-------- C:\WINDOWS\Torrents
2008-06-28 19:14 . 2008-06-28 19:14 28,288 --a------ C:\WINDOWS\system32\khfFXopm.dll
2008-06-28 19:14 . 2008-06-28 19:14 28,288 --a------ C:\WINDOWS\system32\byXQHwWN.dll
2008-06-28 19:13 . 2008-06-29 13:00 <DIR> d-------- C:\WINDOWS\system32\788877
2008-06-28 19:13 . 2008-06-29 12:36 36,757 --a------ C:\WINDOWS\msvecurity.config
2008-06-28 19:12 . 2008-06-29 12:37 <DIR> d-------- C:\Program Files\VAV
2008-06-28 19:12 . 2008-06-28 10:11 409,600 --a------ C:\WINDOWS\gfetqaxsbfk.dll
2008-06-28 19:12 . 2008-06-28 10:11 253,952 --a------ C:\WINDOWS\pntqkflv.dll
2008-06-28 19:12 . 2008-06-28 10:11 225,280 --a------ C:\WINDOWS\qegbdmwf.dll
2008-06-28 19:12 . 2008-06-28 10:11 155,648 --a------ C:\WINDOWS\gxvpsafm.dll
2008-06-28 19:12 . 2008-06-19 18:20 117,248 --a------ C:\WINDOWS\system32\vav.cpl
2008-06-28 19:12 . 2008-06-28 10:11 81,920 --a------ C:\WINDOWS\tovafrnm.exe
2008-06-28 19:12 . 2008-06-21 11:35 3,262 --a------ C:\WINDOWS\system32\sex1.ico
2008-06-28 19:11 . 2008-06-29 12:49 <DIR> d-------- C:\Program Files\PCHealthCenter
2008-06-28 19:10 . 2008-06-28 19:10 34,304 --------- C:\WINDOWS\system32\opnMfCsS.dll
2008-06-21 08:49 . 2008-06-21 08:49 <DIR> d-------- C:\Documents and Settings\Marley\Application Data\NCH Swift Sound
2008-06-16 20:32 . 2008-06-16 20:35 <DIR> d-------- C:\Program Files\PartyGaming
2008-06-16 20:12 . 2008-06-16 21:00 <DIR> d-------- C:\Program Files\PokerStars.NET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-29 18:42 --------- d-----w C:\Documents and Settings\Marley\Application Data\DNA
2008-06-29 00:56 --------- d-----w C:\Program Files\DNA
2008-06-28 23:12 --------- d-----w C:\Documents and Settings\Marley\Application Data\BitTorrent
2008-06-28 23:11 --------- d-----w C:\Program Files\BitTorrent
2008-06-24 14:06 --------- d-----w C:\Program Files\Soulseek
2008-05-19 17:14 --------- d-----w C:\Documents and Settings\Timmy\Application Data\BitTorrent
2008-05-13 16:28 --------- d-----w C:\Documents and Settings\Marley\Application Data\ICAClient
2008-05-13 16:25 --------- d-----w C:\Program Files\Citrix
2008-05-05 14:44 --------- d-----w C:\Documents and Settings\Marley\Application Data\Command & Conquer 3 Tiberium Wars
2008-05-04 21:36 --------- d-----w C:\Documents and Settings\Timmy\Application Data\iolo
2008-05-03 20:56 --------- d-----w C:\Documents and Settings\Marley\Application Data\iolo
2008-05-03 20:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\iolo
2008-05-03 20:24 --------- d-----w C:\Program Files\iolo
2008-05-03 20:24 --------- d-----w C:\Documents and Settings\LocalService\Application Data\iolo
2008-05-03 17:03 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-05-03 17:03 --------- d-----w C:\Documents and Settings\Marley\Application Data\SystemRequirementsLab
2008-05-03 14:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-02 23:33 --------- d-----w C:\Program Files\Alcohol Soft
2008-05-02 23:29 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-05-01 18:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ubisoft
2007-12-26 06:00 15,872 --sha-w C:\Program Files\Thumbs.db
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05d1b4b6-0f9b-468b-869e-4195bf79fd7a}]
C:\WINDOWS\System32\uiacvk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E64E841-2463-47C9-8797-DAF2810BBF61}]
2008-06-28 19:10 34304 --------- C:\WINDOWS\System32\opnMfCsS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bdf21582-f109-4bab-a660-437476cf0d2a}]
2008-06-28 10:11 409600 --a------ C:\WINDOWS\gfetqaxsbfk.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{63733480-2CC8-4334-8627-35651AAF74F4}"= "C:\DOCUME~1\Marley\LOCALS~1\Temp\ac8zt2\gxvpsafm.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{63733480-2cc8-4334-8627-35651aaf74f4}]
[HKEY_CLASSES_ROOT\gxvpsafm.1]
[HKEY_CLASSES_ROOT\TypeLib\{FCEC91BA-D0AA-4C87-AC80-45891152C8BD}]
[HKEY_CLASSES_ROOT\gxvpsafm]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-07 22:06 289088]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-20 12:46 217544]
"msvecurity"="C:\WINDOWS\msvecurity.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSystemAnalyzer"="d:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [2008-03-31 15:09 725352]
"70372535"="C:\WINDOWS\System32\upviafke.dll" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"BM730416a9"="C:\WINDOWS\System32\tpqlcmrl.dll" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-12 20:48:54 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{0E64E841-2463-47C9-8797-DAF2810BBF61}"= C:\WINDOWS\System32\opnMfCsS.dll [2008-06-28 19:10 34304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"pntqkflv"= {02F5B585-193C-49E0-A11B-D19F6ED8DB13} - C:\WINDOWS\pntqkflv.dll [2008-06-28 10:11 253952]
"qegbdmwf"= {D5616AEF-47A0-48E5-975C-DDB64E15A06B} - C:\WINDOWS\qegbdmwf.dll [2008-06-28 10:11 225280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\System32\\ntos.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnMfCsS]
opnMfCsS.dll 2008-06-28 19:10 34304 C:\WINDOWS\system32\opnMfCsS.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wingzy32]
wingzy32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.MI-SC4"= MI-SC4.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys [2008-01-21 18:11]
R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys [2008-01-21 18:12]
R2 ioloFileInfoList;iolo FileInfoList Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-03-31 14:46]
R2 ioloSystemService;iolo System Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-03-31 14:46]
S1 404e0770;404e0770;C:\WINDOWS\System32\drivers\404e0770.sys []
S3 dwusbdnt;dwusbdnt;C:\WINDOWS\System32\DRIVERS\dwusbdnt.sys [2002-05-24 11:52]

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
*Newly Created Service* - SHAREDACCESS
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-29 16:43:44
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\ntos.exe 466432 bytes executable
C:\WINDOWS\system32\wsnpoem

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\opnMfCsS.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe
.
**************************************************************************
.
Completion time: 2008-06-29 16:48:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-29 20:48:17

Pre-Run: 1,761,824,768 bytes free
Post-Run: 2,151,641,088 bytes free

164


Thanks for any help.

Edited by th3coz, 29 June 2008 - 06:48 PM.

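The HijackThis log in this post shows the persistence points this infection relied on: a second executable chained into the Winlogon UserInit value (F2), Run entries that load DLLs through rundll32 (O4), a toolbar DLL registered from a Temp folder and now missing (O3), ShellServiceObjectDelayLoad entries (O21), and a hijacked IE search URL (R1). As an added example that is not part of this thread, nor of HijackThis, ComboFix or SDFix, the Python script below parses lines in the HijackThis format and flags those patterns so a responder knows which lines to read first. The sample lines are copied from the log above; the trusted-host allowlist and the rules themselves are assumptions chosen for illustration, not a signature set.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread; it is not part of HijackThis, ComboFix or
SDFix. It flags the persistence and hijack patterns visible in the log
above so a responder knows which lines to examine first. The allowlist
and the rules are assumptions chosen for illustration, not a signature set.
"""
import re

# Hosts the operator accepts for IE start/search pages (assumed allowlist).
TRUSTED_URL_HOSTS = {"go.microsoft.com", "ca.yahoo.com"}

# Each log line looks like "O4 - <details>"; capture the section code.
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<rest>.*)$")

# Executable or DLL sitting directly in C:\WINDOWS rather than a subfolder.
WINROOT_RE = re.compile(r"c:\\windows\\[^\\]+\.(exe|dll)")


def host_of(url: str) -> str:
    """Hostname of an http(s) URL, lower-cased; empty string if none."""
    m = re.match(r"https?://([^/]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def triage_line(line: str):
    """Return (code, reason) for a line worth a second look, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, rest = m.group("code"), m.group("rest")
    low = rest.lower()

    # R0/R1: start page / search URL pointing at a host we do not trust.
    if code in ("R0", "R1"):
        url = rest.split("=", 1)[1] if "=" in rest else ""
        h = host_of(url)
        if h and h not in TRUSTED_URL_HOSTS:
            return (code, f"IE start/search page points at untrusted host {h}")
        return None

    # F2: anything chained after userinit.exe runs at every interactive logon.
    if code == "F2" and "userinit=" in low:
        parts = [p.strip() for p in low.split("userinit=", 1)[1].split(",")]
        extra = [p for p in parts if p and not p.endswith("userinit.exe")]
        if extra:
            return (code, "extra executable chained into Winlogon UserInit: " + ", ".join(extra))
        return None

    # Registered component whose file is gone: leftover or relocated malware.
    if "(file missing)" in low:
        return (code, "registered component whose file is missing")

    # Components loaded from a Temp directory are almost never legitimate.
    if "\\temp\\" in low:
        return (code, "component loaded from a Temp directory")

    # O4 Run entry that loads a DLL through rundll32, as the entries above do.
    if code == "O4" and "rundll32" in low and ".dll" in low:
        return (code, "Run entry loads a DLL via rundll32")

    # O21 SSODL: DLL loaded by Explorer at logon; HijackThis hides the defaults.
    if code == "O21":
        return (code, "ShellServiceObjectDelayLoad entry; verify the DLL")

    # Executable or DLL placed directly in the Windows directory root.
    if WINROOT_RE.search(low):
        return (code, "binary located directly in the Windows directory root")

    return None


def triage_log(text: str):
    """Run triage_line over a whole log; returns [(code, reason, line), ...]."""
    findings = []
    for line in text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], hit[1], line.strip()))
    return findings


# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: gxvpsafm - {63733480-2CC8-4334-8627-35651AAF74F4} - C:\DOCUME~1\Marley\LOCALS~1\Temp\ac8zt2\gxvpsafm.dll (file missing)
O4 - HKLM\..\Run: [70372535] rundll32.exe "C:\WINDOWS\System32\xjsuramx.dll",b
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [msvecurity] C:\WINDOWS\msvecurity.exe
O21 - SSODL: pntqkflv - {02F5B585-193C-49E0-A11B-D19F6ED8DB13} - C:\WINDOWS\pntqkflv.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""

if __name__ == "__main__":
    for code, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

Run against the sample, the script flags six of the ten lines (the search-URL hijack, the ntos.exe chained into UserInit, the missing Temp-folder toolbar DLL, the rundll32 Run entry, msvecurity.exe in the Windows root, and the SSODL entry) and passes the Avira, Radio toolbar and Ad-Aware lines. The rules are triage heuristics, not verdicts: legitimate rundll32 Run entries and SSODL objects exist, so each hit still needs a human to check the file's publisher, signature and creation time before anything is removed, which is exactly what the helper in the next post does with the ComboFix script.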


#2
fenzodahl512

  • Malware Removal
  • 9,863 posts

Looking at your system now, one or more of the identified infections is a backdoor Trojan. If this computer is ever used for on-line banking, I suggest you do the following IMMEDIATELY:

  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.
Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information. Please refrain from using this computer for online banking/financial purposes until we give it the all clear.

Hello, my name is fenzodahl512 and welcome to Geekstogo... Please do the following....
Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All.
  • A new folder will be extracted to your %systemdrive%, typically C:\SDFix
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.

NEXT

Installing Recovery Console:

It appears your computer has no Recovery Console installed. We need to install the Recovery Console first before proceeding to our next fix. Please do the following..

Please go to Microsoft's website => HERE
Select the download that's appropriate for your Operating System.
Download the file & save it as it's originally named, next to ComboFix.exe.
Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

After successfully installing the Recovery Console, a pop-up will appear asking to run ComboFix, please select NO.


NEXT

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
404e0770

File::
C:\WINDOWS\System32\uiacvk.dll
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\system32\sex2.ico
C:\WINDOWS\system32\khfFXopm.dll
C:\WINDOWS\system32\byXQHwWN.dll
C:\WINDOWS\gfetqaxsbfk.dll
C:\WINDOWS\pntqkflv.dll
C:\WINDOWS\qegbdmwf.dll
C:\WINDOWS\gxvpsafm.dll
C:\WINDOWS\system32\vav.cpl
C:\WINDOWS\tovafrnm.exe
C:\WINDOWS\system32\sex1.ico
C:\WINDOWS\system32\opnMfCsS.dll
C:\WINDOWS\msvecurity.exe
C:\WINDOWS\System32\upviafke.dll
C:\WINDOWS\System32\tpqlcmrl.dll
C:\WINDOWS\System32\ntos.exe
C:\WINDOWS\System32\drivers\404e0770.sys

Folder::
C:\WINDOWS\system32\788877
C:\WINDOWS\msvecurity.config
C:\Program Files\VAV
C:\Program Files\PCHealthCenter
C:\Documents and Settings\Marley\Local Settings\Temp\ac8zt2

DirLook::
C:\Documents and Settings\TEMP.COZ
C:\Documents and Settings\Administrator
C:\WINDOWS\Torrents
C:\WINDOWS\system32\wsnpoem

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05d1b4b6-0f9b-468b-869e-4195bf79fd7a}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E64E841-2463-47C9-8797-DAF2810BBF61}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bdf21582-f109-4bab-a660-437476cf0d2a}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{63733480-2CC8-4334-8627-35651AAF74F4}"=-
[-HKEY_CLASSES_ROOT\clsid\{63733480-2cc8-4334-8627-35651aaf74f4}]
[-HKEY_CLASSES_ROOT\gxvpsafm.1]
[-HKEY_CLASSES_ROOT\TypeLib\{FCEC91BA-D0AA-4C87-AC80-45891152C8BD}]
[-HKEY_CLASSES_ROOT\gxvpsafm]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msvecurity"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"70372535"=-
"BM730416a9"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{0E64E841-2463-47C9-8797-DAF2810BBF61}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"pntqkflv"=-
"qegbdmwf"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnMfCsS]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wingzy32]

3. Save the above as CFScript.txt in your Desktop.

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • SDFix
  • ComboFix
  • A new HijackThis log.


Regards
fenzodahl512

#3
th3coz

    New Member

  • Topic Starter
  • Member
  • 8 posts
Thanks so much for the help so far. Here are the logs.


SDFix: Version 1.199
Run by Marley on Mon 06/30/2008 at 08:59

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\opnMfCsS.dll - Deleted
C:\Documents and Settings\Marley\Favorites\Error Cleaner.url - Deleted
C:\Documents and Settings\Marley\Favorites\Privacy Protector.url - Deleted
C:\Documents and Settings\Marley\Favorites\Spyware&Malware Protection.url - Deleted
C:\Program Files\VAV\vav.cpl - Deleted
C:\Program Files\VAV\vav0.dat - Deleted
C:\Program Files\VAV\vav1.dat - Deleted
C:\WINDOWS\gfetqaxsbfk.dll - Deleted
C:\WINDOWS\system32\sex1.ico - Deleted
C:\WINDOWS\system32\sex2.ico - Deleted
C:\WINDOWS\gxvpsafm.dll - Deleted
C:\WINDOWS\pntqkflv.dll - Deleted
C:\WINDOWS\qegbdmwf.dll - Deleted
C:\WINDOWS\system32\vav.cpl - Deleted
C:\WINDOWS\tovafrnm.exe - Deleted
C:\WINDOWS\system32\ntos.exe - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted



Folder C:\Program Files\VAV - Removed
Folder C:\WINDOWS\system32\788877 - Removed
Folder C:\WINDOWS\system32\wsnpoem - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 09:10:06
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:61,58,8e,93,0e,3b,7e,58,b7,df,4c,85,a5,35,d7,a4,22,c7,d0,ca,b1,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:61,58,8e,93,0e,3b,7e,58,b7,df,4c,85,a5,35,d7,a4,22,c7,d0,ca,b1,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000031
"TracesSuccessful"=dword:00000002

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :


Finished!

ComboFix 08-06-20.4 - Marley 2008-06-30 9:22:56.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.717 [GMT -4:00]
Running from: C:\Documents and Settings\Marley\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Marley\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\gfetqaxsbfk.dll
C:\WINDOWS\gxvpsafm.dll
C:\WINDOWS\msvecurity.exe
C:\WINDOWS\pntqkflv.dll
C:\WINDOWS\qegbdmwf.dll
C:\WINDOWS\system32\byXQHwWN.dll
C:\WINDOWS\System32\drivers\404e0770.sys
C:\WINDOWS\system32\khfFXopm.dll
C:\WINDOWS\System32\ntos.exe
C:\WINDOWS\system32\opnMfCsS.dll
C:\WINDOWS\system32\sex1.ico
C:\WINDOWS\system32\sex2.ico
C:\WINDOWS\System32\tpqlcmrl.dll
C:\WINDOWS\System32\uiacvk.dll
C:\WINDOWS\System32\upviafke.dll
C:\WINDOWS\system32\vav.cpl
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\tovafrnm.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\PCHealthCenter
C:\Program Files\PCHealthCenter\0.gif
C:\Program Files\PCHealthCenter\1.gif
C:\Program Files\PCHealthCenter\2.gif
C:\Program Files\PCHealthCenter\3.gif
C:\Program Files\PCHealthCenter\sex1.ico
C:\Program Files\PCHealthCenter\sex2.ico
C:\WINDOWS\msvecurity.config\
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\byXQHwWN.dll
C:\WINDOWS\system32\khfFXopm.dll
C:\WINDOWS\system32\rqRHxuts.dll
C:\WINDOWS\system32\stuxHRqr.ini
C:\WINDOWS\system32\stuxHRqr.ini2
C:\WINDOWS\system32\xmarusjx.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_404e0770


((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
.

2008-06-30 08:54 . 2008-06-30 08:54 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-30 08:53 . 2008-06-30 09:12 <DIR> d----c--- C:\SDFix
2008-06-29 18:58 . 2008-06-29 18:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-29 17:30 . 2008-06-29 17:30 <DIR> d----c--- C:\VundoFix Backups
2008-06-29 17:13 . 2008-06-29 17:13 87,040 --a------ C:\WINDOWS\system32\xjsuramx.VIR
2008-06-29 17:10 . 2008-06-29 17:10 104,448 --a------ C:\WINDOWS\system32\tznmmi.dll
2008-06-29 17:07 . 2008-06-29 17:07 0 --a------ C:\WINDOWS\BM730416a9.xml
2008-06-29 11:43 . 2008-06-29 11:43 <DIR> d-------- C:\Program Files\Avira
2008-06-29 11:43 . 2008-06-29 11:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-29 11:39 . 2008-06-29 12:16 <DIR> d-------- C:\Documents and Settings\TEMP.COZ
2008-06-28 21:28 . 2008-06-28 21:28 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-28 19:14 . 2008-06-28 19:14 <DIR> d-------- C:\WINDOWS\Torrents
2008-06-28 19:13 . 2008-06-29 12:36 36,757 --a------ C:\WINDOWS\msvecurity.config
2008-06-21 08:49 . 2008-06-21 08:49 <DIR> d-------- C:\Documents and Settings\Marley\Application Data\NCH Swift Sound
2008-06-16 20:32 . 2008-06-16 20:35 <DIR> d-------- C:\Program Files\PartyGaming
2008-06-16 20:12 . 2008-06-16 21:00 <DIR> d-------- C:\Program Files\PokerStars.NET
2008-05-13 12:26 . 2008-05-13 12:28 <DIR> d-------- C:\Documents and Settings\Marley\Application Data\ICAClient
2008-05-13 12:25 . 2008-05-13 12:25 <DIR> d-------- C:\WINDOWS\system32\Resource
2008-05-13 12:25 . 2008-05-13 12:25 <DIR> d-------- C:\Program Files\Citrix
2008-05-05 10:39 . 2008-05-05 10:44 <DIR> d-------- C:\Documents and Settings\Marley\Application Data\Command & Conquer 3 Tiberium Wars
2008-05-03 17:54 . 2008-05-04 17:36 <DIR> d-------- C:\Documents and Settings\Timmy\Application Data\iolo
2008-05-03 16:25 . 2008-05-03 16:25 406 --a------ C:\WINDOWS\system32\ioloBootDefrag.cfg
2008-05-03 16:24 . 2008-05-03 16:24 <DIR> d-------- C:\Program Files\iolo
2008-05-03 16:24 . 2008-05-03 16:24 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\iolo
2008-05-03 16:24 . 2008-03-31 15:09 439,656 --a------ C:\WINDOWS\system32\Incinerator.dll
2008-05-03 16:24 . 2008-03-13 10:08 38,912 --a------ C:\WINDOWS\system32\smrgdf.exe
2008-05-03 16:24 . 2008-03-13 09:25 32,768 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2008-05-03 16:23 . 2008-05-03 16:23 74,703 --a------ C:\WINDOWS\system32\mfc45.dll
2008-05-03 16:22 . 2008-05-03 16:56 <DIR> d-------- C:\Documents and Settings\Marley\Application Data\iolo
2008-05-03 16:22 . 2008-05-03 16:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-05-03 13:03 . 2008-05-03 13:03 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-05-03 13:03 . 2008-05-03 13:03 <DIR> d-------- C:\Documents and Settings\Marley\Application Data\SystemRequirementsLab
2008-05-03 10:13 . 2008-05-03 10:13 319 --a------ C:\WINDOWS\game.ini
2008-05-03 09:33 . 2008-05-03 09:33 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-05-02 19:33 . 2008-05-02 19:33 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-05-02 19:29 . 2008-05-02 19:29 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-05-01 14:38 . 2008-05-01 14:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ubisoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-30 03:31 --------- d-----w C:\Documents and Settings\Marley\Application Data\DNA
2008-06-29 00:56 --------- d-----w C:\Program Files\DNA
2008-06-28 23:12 --------- d-----w C:\Documents and Settings\Marley\Application Data\BitTorrent
2008-06-28 23:11 --------- d-----w C:\Program Files\BitTorrent
2008-06-24 14:06 --------- d-----w C:\Program Files\Soulseek
2008-05-19 17:14 --------- d-----w C:\Documents and Settings\Timmy\Application Data\BitTorrent
2008-05-03 14:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-26 06:00 15,872 --sha-w C:\Program Files\Thumbs.db
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\Administrator ----

2008-06-30 08:32 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-30 08:32 1024 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT.LOG
2008-06-28 21:46 6291456 --ah----- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
2008-06-28 21:46 262144 --ah----- C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
2008-06-28 21:46 180 --ahs---- C:\Documents and Settings\Administrator\ntuser.ini
2008-06-28 21:46 1024 --ah----- C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
2008-06-28 21:28 62 --ahs---- C:\Documents and Settings\Administrator\Local Settings\desktop.ini
2008-06-28 21:28 16384 --a------ C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
2008-06-28 21:28 16384 --a------ C:\Documents and Settings\Administrator\Cookies\index.dat
2005-11-01 22:40 84 --ahs---- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini
2005-11-01 22:40 84 --ahs---- C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Entertainment\desktop.ini
2005-11-01 22:40 792 --a------ C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk
2005-11-01 22:40 482 --ahs---- C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\desktop.ini
2005-11-01 22:40 386 --a------ C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk
2005-11-01 22:40 348 --ahs---- C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\desktop.ini
2005-11-01 22:40 206 --ahs---- C:\Documents and Settings\Administrator\Start Menu\Programs\desktop.ini
2005-11-01 22:40 1599 --a------ C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk
2005-11-01 22:40 1555 --a------ C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Command Prompt.lnk
2005-11-01 22:40 1539 --a------ C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk
2005-11-01 22:40 1532 --a------ C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk
2005-11-01 22:40 1527 --a------ C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Tour Windows XP.lnk
2005-11-01 22:40 1525 --a------ C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk
2005-11-01 22:40 1519 --a------ C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Synchronize.lnk
2005-11-01 22:40 1519 --a------ C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Notepad.lnk
2005-11-01 22:40 1501 --a------ C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk
2005-11-01 22:40 141 --a------ C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\brndlog.txt
2005-11-01 22:39 67 --ahs---- C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\desktop.ini
2005-11-01 22:39 113 --ahs---- C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\desktop.ini
2005-11-01 22:39 113 --ahs---- C:\Documents and Settings\Administrator\Local Settings\History\desktop.ini
2005-11-01 22:38 181 --ahs---- C:\Documents and Settings\Administrator\SendTo\desktop.ini
2005-11-01 22:38 1487 --a------ C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Windows Explorer.lnk
2005-11-01 22:38 0 --a------ C:\Documents and Settings\Administrator\SendTo\Mail Recipient.MAPIMail
2005-11-01 22:38 0 --a------ C:\Documents and Settings\Administrator\SendTo\Desktop (create shortcut).DeskLink
2005-11-01 22:38 0 --a------ C:\Documents and Settings\Administrator\SendTo\Compressed (zipped) Folder.ZFSendToTarget
2005-11-01 16:58 62 --ahs---- C:\Documents and Settings\Administrator\Start Menu\desktop.ini
2005-11-01 16:58 62 --ahs---- C:\Documents and Settings\Administrator\Application Data\desktop.ini
2001-08-23 08:00 58 --a------ C:\Documents and Settings\Administrator\Templates\sndrec.wav
2001-08-23 08:00 57 -ra------ C:\Documents and Settings\Administrator\Templates\wordpfct.wpg
2001-08-23 08:00 5632 --a------ C:\Documents and Settings\Administrator\Templates\excel.xls
2001-08-23 08:00 461 --a------ C:\Documents and Settings\Administrator\Templates\presenta.shw
2001-08-23 08:00 4608 --a------ C:\Documents and Settings\Administrator\Templates\winword.doc
2001-08-23 08:00 4570 --a------ C:\Documents and Settings\Administrator\Templates\amipro.sam
2001-08-23 08:00 4017 --a------ C:\Documents and Settings\Administrator\Templates\quattro.wb2
2001-08-23 08:00 30 -ra------ C:\Documents and Settings\Administrator\Templates\wordpfct.wpd
2001-08-23 08:00 2448 --a------ C:\Documents and Settings\Administrator\Templates\lotus.wk4
2001-08-23 08:00 1769 --a------ C:\Documents and Settings\Administrator\Templates\winword2.doc
2001-08-23 08:00 1518 --a------ C:\Documents and Settings\Administrator\Templates\excel4.xls
2001-08-23 08:00 12288 --a------ C:\Documents and Settings\Administrator\Templates\powerpnt.ppt

---- Directory of C:\Documents and Settings\TEMP.COZ ----

2008-06-29 11:39 32768 --a------ C:\Documents and Settings\TEMP.COZ\Local Settings\Temporary Internet Files\Content.IE5\index.dat
2008-06-29 11:39 16384 --a------ C:\Documents and Settings\TEMP.COZ\Local Settings\History\History.IE5\index.dat
2008-06-29 11:39 16384 --a------ C:\Documents and Settings\TEMP.COZ\Cookies\index.dat

---- Directory of C:\WINDOWS\system32\wsnpoem ----

C:\WINDOWS\system32\wsnpoem\

---- Directory of C:\WINDOWS\Torrents ----



------- Sigcheck -------

2001-08-23 08:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\system32\svchost.exe
2001-08-23 08:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\system32\dllcache\svchost.exe

2001-08-23 08:00 561152 be57a5c3abd240514b98f6bca872fb21 C:\WINDOWS\system32\user32.dll
2001-08-23 08:00 561152 be57a5c3abd240514b98f6bca872fb21 C:\WINDOWS\system32\dllcache\user32.dll

2001-08-23 08:00 75264 8529c295df59b564d37a73b5629162b1 C:\WINDOWS\system32\ws2_32.dll
2001-08-23 08:00 75264 8529c295df59b564d37a73b5629162b1 C:\WINDOWS\system32\dllcache\ws2_32.dll

2001-08-23 08:00 593920 cf9f1eef71f42ede71b6f4aa05d5ca1a C:\WINDOWS\system32\wininet.dll
2001-08-23 08:00 593920 cf9f1eef71f42ede71b6f4aa05d5ca1a C:\WINDOWS\system32\dllcache\wininet.dll

2001-08-23 08:00 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\system32\dllcache\tcpip.sys
2001-08-23 08:00 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\system32\drivers\tcpip.sys

2001-08-23 08:00 430080 2b0e480e975ee51f2d5ce5f068fed6e2 C:\WINDOWS\system32\winlogon.exe
2001-08-23 08:00 430080 2b0e480e975ee51f2d5ce5f068fed6e2 C:\WINDOWS\system32\dllcache\winlogon.exe

2001-08-23 08:00 161536 3efd4f59ba0a340de0a3ab984001dbf7 C:\WINDOWS\system32\dllcache\ndis.sys
2001-08-23 08:00 161536 3efd4f59ba0a340de0a3ab984001dbf7 C:\WINDOWS\system32\drivers\ndis.sys

2001-08-23 08:00 1896704 46e2e3dcf54b819cfb2ebfe48a22b5c9 C:\WINDOWS\system32\ntkrnlpa.exe

2001-08-23 08:00 1982208 a29222d5281056e497408fcc9062f749 C:\WINDOWS\system32\ntoskrnl.exe

2001-08-23 08:00 1000960 5a26fc6010886d25b3e412493dd95ed8 C:\WINDOWS\explorer.exe
2001-08-23 08:00 1000960 5a26fc6010886d25b3e412493dd95ed8 C:\WINDOWS\system32\dllcache\explorer.exe

2001-08-23 08:00 101376 e3df4a0252d287c44606ee55355e1623 C:\WINDOWS\system32\services.exe
2001-08-23 08:00 101376 e3df4a0252d287c44606ee55355e1623 C:\WINDOWS\system32\dllcache\services.exe

2001-08-23 08:00 11776 8a590ea109b5e0c7629e022f8a6b17c5 C:\WINDOWS\system32\lsass.exe
2001-08-23 08:00 11776 8a590ea109b5e0c7629e022f8a6b17c5 C:\WINDOWS\system32\dllcache\lsass.exe

2001-08-23 08:00 13312 85b1054db58d13aa42d7dca778c30f57 C:\WINDOWS\system32\ctfmon.exe
2001-08-23 08:00 13312 85b1054db58d13aa42d7dca778c30f57 C:\WINDOWS\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((( [email protected]_16.47.36.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-29 20:41:17 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-30 13:29:56 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-01 07:23:42 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-06-30 12:54:57 3,493,888 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-06-30 12:54:57 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-07-01 07:23:42 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-06-30 12:54:52 3,493,888 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-06-30 12:54:53 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-06-29 20:41:44 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-30 13:30:08 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-06-29 20:41:44 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-30 13:30:08 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-06-29 20:41:44 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-30 13:31:39 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-29 20:43:44 62,344 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-29 22:10:55 62,344 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-06-29 20:43:46 401,064 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-29 22:10:55 401,064 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e0daa224-8a6c-4911-a1d8-fd718ec97b14}]
2008-06-29 17:10 104448 --a------ C:\WINDOWS\System32\tznmmi.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-07 22:06 289088]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-20 12:46 217544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSystemAnalyzer"="d:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [2008-03-31 15:09 725352]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-12 20:48:54 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.MI-SC4"= MI-SC4.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys [2008-01-21 18:11]
R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys [2008-01-21 18:12]
R2 ioloFileInfoList;iolo FileInfoList Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-03-31 14:46]
R2 ioloSystemService;iolo System Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-03-31 14:46]
S3 dwusbdnt;dwusbdnt;C:\WINDOWS\System32\DRIVERS\dwusbdnt.sys [2002-05-24 11:52]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 09:31:05
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-06-30 9:36:59 - machine was rebooted [Marley]
ComboFix-quarantined-files.txt 2008-06-30 13:36:49
ComboFix2.txt 2008-06-29 20:48:29

Pre-Run: 2,052,558,848 bytes free
Post-Run: 2,046,414,848 bytes free

256

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:38, on 6/30/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearc...ce.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: {41b79ce8-17df-8d1a-1194-c6a8422aad0e} - {e0daa224-8a6c-4911-a1d8-fd718ec97b14} - C:\WINDOWS\System32\tznmmi.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SMSystemAnalyzer] "d:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4483 bytes
  • 0

#4
fenzodahl512

  • Malware Removal
  • 9,863 posts
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\WINDOWS\system32\xjsuramx.VIR
C:\WINDOWS\system32\tznmmi.dll
C:\WINDOWS\BM730416a9.xml
C:\WINDOWS\msvecurity.config

Folder::
C:\VundoFix Backups
C:\WINDOWS\system32\wsnpoem

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e0daa224-8a6c-4911-a1d8-fd718ec97b14}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#5
th3coz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
More logs, thanks again.

ComboFix 08-06-20.4 - Marley 2008-06-30 11:43:08.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.686 [GMT -4:00]
Running from: C:\Documents and Settings\Marley\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Marley\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BM730416a9.xml
C:\WINDOWS\msvecurity.config
C:\WINDOWS\system32\tznmmi.dll
C:\WINDOWS\system32\xjsuramx.VIR
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\WINDOWS\BM730416a9.xml
C:\WINDOWS\msvecurity.config
C:\WINDOWS\system32\xjsuramx.VIR

.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
.

2008-06-30 08:54 . 2008-06-30 08:54 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-30 08:53 . 2008-06-30 09:12 <DIR> d----c--- C:\SDFix
2008-06-29 18:58 . 2008-06-29 18:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-29 11:43 . 2008-06-29 11:43 <DIR> d-------- C:\Program Files\Avira
2008-06-29 11:43 . 2008-06-29 11:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-29 11:39 . 2008-06-29 12:16 <DIR> d-------- C:\Documents and Settings\TEMP.COZ
2008-06-28 21:28 . 2008-06-28 21:28 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-28 19:14 . 2008-06-28 19:14 <DIR> d-------- C:\WINDOWS\Torrents
2008-06-21 08:49 . 2008-06-21 08:49 <DIR> d-------- C:\Documents and Settings\Marley\Application Data\NCH Swift Sound
2008-06-16 20:32 . 2008-06-16 20:35 <DIR> d-------- C:\Program Files\PartyGaming
2008-06-16 20:12 . 2008-06-16 21:00 <DIR> d-------- C:\Program Files\PokerStars.NET
2008-05-13 12:26 . 2008-05-13 12:28 <DIR> d-------- C:\Documents and Settings\Marley\Application Data\ICAClient
2008-05-13 12:25 . 2008-05-13 12:25 <DIR> d-------- C:\WINDOWS\system32\Resource
2008-05-13 12:25 . 2008-05-13 12:25 <DIR> d-------- C:\Program Files\Citrix
2008-05-05 10:39 . 2008-05-05 10:44 <DIR> d-------- C:\Documents and Settings\Marley\Application Data\Command & Conquer 3 Tiberium Wars
2008-05-03 17:54 . 2008-05-04 17:36 <DIR> d-------- C:\Documents and Settings\Timmy\Application Data\iolo
2008-05-03 16:25 . 2008-05-03 16:25 406 --a------ C:\WINDOWS\system32\ioloBootDefrag.cfg
2008-05-03 16:24 . 2008-05-03 16:24 <DIR> d-------- C:\Program Files\iolo
2008-05-03 16:24 . 2008-05-03 16:24 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\iolo
2008-05-03 16:24 . 2008-03-31 15:09 439,656 --a------ C:\WINDOWS\system32\Incinerator.dll
2008-05-03 16:24 . 2008-03-13 10:08 38,912 --a------ C:\WINDOWS\system32\smrgdf.exe
2008-05-03 16:24 . 2008-03-13 09:25 32,768 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2008-05-03 16:23 . 2008-05-03 16:23 74,703 --a------ C:\WINDOWS\system32\mfc45.dll
2008-05-03 16:22 . 2008-05-03 16:56 <DIR> d-------- C:\Documents and Settings\Marley\Application Data\iolo
2008-05-03 16:22 . 2008-05-03 16:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-05-03 13:03 . 2008-05-03 13:03 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-05-03 13:03 . 2008-05-03 13:03 <DIR> d-------- C:\Documents and Settings\Marley\Application Data\SystemRequirementsLab
2008-05-03 10:13 . 2008-05-03 10:13 319 --a------ C:\WINDOWS\game.ini
2008-05-03 09:33 . 2008-05-03 09:33 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-05-02 19:33 . 2008-05-02 19:33 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-05-02 19:29 . 2008-05-02 19:29 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-05-01 14:38 . 2008-05-01 14:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ubisoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-30 15:36 --------- d-----w C:\Documents and Settings\Marley\Application Data\DNA
2008-06-29 00:56 --------- d-----w C:\Program Files\DNA
2008-06-28 23:12 --------- d-----w C:\Documents and Settings\Marley\Application Data\BitTorrent
2008-06-28 23:11 --------- d-----w C:\Program Files\BitTorrent
2008-06-24 14:06 --------- d-----w C:\Program Files\Soulseek
2008-05-19 17:14 --------- d-----w C:\Documents and Settings\Timmy\Application Data\BitTorrent
2008-05-03 14:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-26 06:00 15,872 --sha-w C:\Program Files\Thumbs.db
.

------- Sigcheck -------

2001-08-23 08:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\system32\svchost.exe
2001-08-23 08:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\system32\dllcache\svchost.exe

2001-08-23 08:00 561152 be57a5c3abd240514b98f6bca872fb21 C:\WINDOWS\system32\user32.dll
2001-08-23 08:00 561152 be57a5c3abd240514b98f6bca872fb21 C:\WINDOWS\system32\dllcache\user32.dll

2001-08-23 08:00 75264 8529c295df59b564d37a73b5629162b1 C:\WINDOWS\system32\ws2_32.dll
2001-08-23 08:00 75264 8529c295df59b564d37a73b5629162b1 C:\WINDOWS\system32\dllcache\ws2_32.dll

2001-08-23 08:00 593920 cf9f1eef71f42ede71b6f4aa05d5ca1a C:\WINDOWS\system32\wininet.dll
2001-08-23 08:00 593920 cf9f1eef71f42ede71b6f4aa05d5ca1a C:\WINDOWS\system32\dllcache\wininet.dll

2001-08-23 08:00 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\system32\dllcache\tcpip.sys
2001-08-23 08:00 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\system32\drivers\tcpip.sys

2001-08-23 08:00 430080 2b0e480e975ee51f2d5ce5f068fed6e2 C:\WINDOWS\system32\winlogon.exe
2001-08-23 08:00 430080 2b0e480e975ee51f2d5ce5f068fed6e2 C:\WINDOWS\system32\dllcache\winlogon.exe

2001-08-23 08:00 161536 3efd4f59ba0a340de0a3ab984001dbf7 C:\WINDOWS\system32\dllcache\ndis.sys
2001-08-23 08:00 161536 3efd4f59ba0a340de0a3ab984001dbf7 C:\WINDOWS\system32\drivers\ndis.sys

2001-08-23 08:00 1896704 46e2e3dcf54b819cfb2ebfe48a22b5c9 C:\WINDOWS\system32\ntkrnlpa.exe

2001-08-23 08:00 1982208 a29222d5281056e497408fcc9062f749 C:\WINDOWS\system32\ntoskrnl.exe

2001-08-23 08:00 1000960 5a26fc6010886d25b3e412493dd95ed8 C:\WINDOWS\explorer.exe
2001-08-23 08:00 1000960 5a26fc6010886d25b3e412493dd95ed8 C:\WINDOWS\system32\dllcache\explorer.exe

2001-08-23 08:00 101376 e3df4a0252d287c44606ee55355e1623 C:\WINDOWS\system32\services.exe
2001-08-23 08:00 101376 e3df4a0252d287c44606ee55355e1623 C:\WINDOWS\system32\dllcache\services.exe

2001-08-23 08:00 11776 8a590ea109b5e0c7629e022f8a6b17c5 C:\WINDOWS\system32\lsass.exe
2001-08-23 08:00 11776 8a590ea109b5e0c7629e022f8a6b17c5 C:\WINDOWS\system32\dllcache\lsass.exe

2001-08-23 08:00 13312 85b1054db58d13aa42d7dca778c30f57 C:\WINDOWS\system32\ctfmon.exe
2001-08-23 08:00 13312 85b1054db58d13aa42d7dca778c30f57 C:\WINDOWS\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((( [email protected]_16.47.36.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-29 20:41:17 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-30 15:46:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-01 07:23:42 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-06-30 12:54:57 3,493,888 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-06-30 12:54:57 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-07-01 07:23:42 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-06-30 12:54:52 3,493,888 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-06-30 12:54:53 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-06-29 20:41:44 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-30 15:46:12 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-06-29 20:41:44 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-30 15:46:12 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-06-29 20:41:44 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-30 15:46:12 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-29 20:43:44 62,344 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-29 22:10:55 62,344 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-06-29 20:43:46 401,064 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-29 22:10:55 401,064 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-07 22:06 289088]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-20 12:46 217544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSystemAnalyzer"="d:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [2008-03-31 15:09 725352]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-12 20:48:54 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.MI-SC4"= MI-SC4.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys [2008-01-21 18:11]
R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys [2008-01-21 18:12]
R2 ioloFileInfoList;iolo FileInfoList Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-03-31 14:46]
R2 ioloSystemService;iolo System Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-03-31 14:46]
S3 dwusbdnt;dwusbdnt;C:\WINDOWS\System32\DRIVERS\dwusbdnt.sys [2002-05-24 11:52]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 11:47:04
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-06-30 11:52:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-30 15:52:37
ComboFix2.txt 2008-06-30 13:37:00
ComboFix3.txt 2008-06-29 20:48:29

Pre-Run: 2,102,247,424 bytes free
Post-Run: 2,098,065,408 bytes free

163


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:53, on 6/30/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearc...ce.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SMSystemAnalyzer] "d:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4359 bytes

#6
fenzodahl512
  • Malware Removal
  • 9,863 posts
Please download Malwarebytes' Anti-Malware from HERE or HERE

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
Please download Deckard's System Scanner (DSS) from HERE or HERE and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • Please let your firewall allow the scanning/downloading process.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
If you are using Vista, you need to right-click the dss.exe icon and choose Run as Administrator.
Post the following logs in your next reply. Post each log in a separate post.

1. Malwarebytes'
2. Deckard System Scanner main.txt and extra.txt (separate post please)
Regards
fenzodahl512

#7
th3coz
    New Member
  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here they are.

Malwarebytes' Anti-Malware 1.19
Database version: 908
Windows 5.1.2600

1:12:13 PM 6/30/2008
mbam-log-6-30-2008 (13-12-13).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 70302
Time elapsed: 58 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2f4b2f9e-6e2d-4fcc-a0ac-10b97b0bec38} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{53600c72-ac0c-4766-bd48-b5f3530eb5e5} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f712b746-2cb5-4c3a-bcdd-7c26bd4dac97} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\efks.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\byXQHwWN.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\hgGYoPJB.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\khfFXopm.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A734CACD-122D-4392-B0A9-4CE471D5832E}\RP950\A0329958.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A734CACD-122D-4392-B0A9-4CE471D5832E}\RP950\A0330132.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A734CACD-122D-4392-B0A9-4CE471D5832E}\RP950\A0330138.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A734CACD-122D-4392-B0A9-4CE471D5832E}\RP950\A0330153.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A734CACD-122D-4392-B0A9-4CE471D5832E}\RP950\A0330154.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A734CACD-122D-4392-B0A9-4CE471D5832E}\RP952\A0330246.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A734CACD-122D-4392-B0A9-4CE471D5832E}\RP952\A0330247.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

#8
th3coz
    New Member
  • Topic Starter
  • Member
  • Pip
  • 8 posts
Deckard's System Scanner v20071014.68
Run by Marley on 2008-06-30 13:12:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
53: 2008-06-30 17:13:11 UTC - RP954 - Deckard's System Scanner Restore Point
52: 2008-06-30 15:42:47 UTC - RP953 - ComboFix created restore point
51: 2008-06-30 13:22:38 UTC - RP952 - ComboFix created restore point
50: 2008-06-30 13:15:35 UTC - RP951 - ComboFix created restore point
49: 2008-06-29 21:07:25 UTC - RP950 - Last known good configuration


-- First Restore Point --
1: 2008-06-29 21:07:19 UTC - RP902 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Marley.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:13, on 6/30/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\update.exe
C:\Documents and Settings\Marley\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Marley.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SMSystemAnalyzer] "d:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4294 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 aeaudio - c:\windows\system32\drivers\aeaudio.sys <Not Verified; Andrea Electronics Corporation; Andrea Audio Driver>
R3 smwdm - c:\windows\system32\drivers\smwdm.sys <Not Verified; Analog Devices, Inc.; SoundMAX Digital Audio Driver>
R4 catchme - c:\combofix\catchme.sys (file missing)

S3 ATIAVAIW (ATI T200 Unified AVStream service) - c:\windows\system32\drivers\atinavt2.sys <Not Verified; ATI Technologies Inc.; ATI AVStream>
S3 dwusbdnt - c:\windows\system32\drivers\dwusbdnt.sys <Not Verified; [email protected] Co., Ltd.; [email protected] Audio Player>
S3 MPE (BDA MPE Filter) - c:\windows\system32\drivers\mpe.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (Avira AntiVir Personal – Free Antivirus Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; AntiVir Workstation>
R2 uploadmgr (Upload Manager) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

S3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description:
Device ID: DISPLAY\NTATIVRV01\5&3AAA98C9&2&80000008&01&00
Manufacturer:
Name:
PNP Device ID: DISPLAY\NTATIVRV01\5&3AAA98C9&2&80000008&01&00
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_1106&DEV_3104&SUBSYS_80A11043&REV_82\3&61AAA01&0&83
Manufacturer:
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_1106&DEV_3104&SUBSYS_80A11043&REV_82\3&61AAA01&0&83
Service:


-- Files created between 2008-05-30 and 2008-06-30 -----------------------------

2008-06-30 12:10:26 0 d-------- C:\Documents and Settings\Marley\Application Data\Malwarebytes
2008-06-30 12:10:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-30 12:10:22 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-30 09:16:16 237728 --a----c- C:\cmldr
2008-06-30 09:16:13 0 d------c- C:\cmdcons
2008-06-30 08:54:49 0 d-------- C:\WINDOWS\ERUNT
2008-06-29 18:58:30 0 d-------- C:\Program Files\Trend Micro
2008-06-29 16:33:11 68096 --a------ C:\WINDOWS\zip.exe
2008-06-29 16:33:11 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-29 16:33:11 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-29 16:33:11 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-29 16:33:11 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-29 16:33:11 98816 --a------ C:\WINDOWS\sed.exe
2008-06-29 16:33:11 80412 --a------ C:\WINDOWS\grep.exe
2008-06-29 16:33:11 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-29 11:43:55 0 d-------- C:\Program Files\Avira
2008-06-29 11:43:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-28 21:28:32 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-28 21:28:32 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-28 21:28:32 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-28 21:28:32 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-06-28 21:28:32 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-28 21:28:32 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-28 21:28:32 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-06-28 21:28:32 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-28 21:28:32 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-06-28 21:28:32 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-28 21:28:32 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-06-28 21:28:32 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-28 21:28:32 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-28 21:28:31 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-28 21:28:19 0 d--hs---- C:\WINDOWS\CSC
2008-06-28 19:14:19 0 d-------- C:\WINDOWS\Torrents
2008-06-21 08:49:10 0 d-------- C:\Documents and Settings\Marley\Application Data\NCH Swift Sound
2008-06-16 20:32:49 0 d-------- C:\Program Files\PartyGaming
2008-06-16 20:12:49 0 d-------- C:\Program Files\PokerStars.NET


-- Find3M Report ---------------------------------------------------------------

2008-06-30 13:07:03 0 d-------- C:\Documents and Settings\Marley\Application Data\DNA
2008-06-29 11:46:13 0 d-------- C:\Documents and Settings\Marley\Application Data\Macromedia
2008-06-28 20:56:01 0 d-------- C:\Program Files\DNA
2008-06-28 19:12:31 0 d-------- C:\Documents and Settings\Marley\Application Data\BitTorrent
2008-06-28 19:11:57 0 d-------- C:\Program Files\BitTorrent
2008-06-24 10:06:40 0 d-------- C:\Program Files\Soulseek
2008-05-13 12:28:15 0 d-------- C:\Documents and Settings\Marley\Application Data\ICAClient
2008-05-13 12:25:47 0 d-------- C:\Program Files\Citrix
2008-05-12 13:39:23 0 d-------- C:\Program Files\Messenger
2008-05-05 10:44:25 0 d-------- C:\Documents and Settings\Marley\Application Data\Command & Conquer 3 Tiberium Wars
2008-05-03 16:56:45 0 d-------- C:\Documents and Settings\Marley\Application Data\iolo
2008-05-03 16:24:32 0 d-------- C:\Program Files\iolo
2008-05-03 16:23:55 74703 --a------ C:\WINDOWS\System32\mfc45.dll
2008-05-03 13:03:43 0 d-------- C:\Program Files\SystemRequirementsLab
2008-05-03 13:03:43 0 d-------- C:\Documents and Settings\Marley\Application Data\SystemRequirementsLab
2008-05-03 10:13:58 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-02 22:06:39 1598 --a------ C:\WINDOWS\eReg.dat
2008-05-02 19:33:14 0 d-------- C:\Program Files\Alcohol Soft


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSystemAnalyzer"="d:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [03/31/2008 15:09]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [05/07/2008 22:06]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [03/20/2008 12:46]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [4/12/2007 8:48:54 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-06-30 13:16:24 ------------

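As an added illustration for this thread (not part of the original posts, and not a HijackThis or Malwarebytes feature), the following Python script does by hand what the helper is doing by eye: it parses the R*/O* entries of a HijackThis log, flags the two kinds of findings visible above (IE search settings redirected to internetsearchservice.com, and system32 DLLs with the random eight-letter mixed-case names that Malwarebytes tagged as Trojan.Vundo), and diffs a before/after pair of logs to show what a cleanup removed. The sample logs are constructed from entries quoted in this thread; the O2 BHO line with its all-zero CLSID, the trusted-host list and the naming regex are assumptions made for the demonstration, not facts taken from the logs.

```python
"""Triage helper for HijackThis logs: flag hijacked IE settings and
Vundo-style DLL names, and diff a before/after pair of logs.

Added example for this thread, not HijackThis or Malwarebytes code.
"""
import re
from urllib.parse import urlparse

# Hosts accepted as legitimate IE start/search targets (assumption; edit per site).
TRUSTED_HOSTS = {"ca.yahoo.com", "go.microsoft.com", "www.google.com"}

# The Vundo DLLs in the MBAM log above (byXQHwWN.dll, hgGYoPJB.dll,
# khfFXopm.dll) are eight mixed-case letters in system32. Heuristic only:
# legitimate files can match too, so treat hits as "look closer", not proof.
VUNDO_NAME = re.compile(
    r"\\[Ss]ystem32\\(?=[A-Za-z]*[A-Z])(?=[A-Za-z]*[a-z])[A-Za-z]{8}\.dll$"
)

# HijackThis entry: "R1 - <body>", "O4 - <body>", ...
ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")

# Constructed sample "before" log, built from entries quoted in this thread.
# The O2 line and its all-zero CLSID are made up to stand in for the BHO that
# loaded byXQHwWN.dll; the thread's own log does not show that line.
BEFORE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\byXQHwWN.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
"""

# Constructed "after" log: the same machine once the hijack entries are gone.
AFTER_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
"""


def parse_hjt(text):
    """Return (kind, body) tuples for every R*/O* entry in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def flag_entries(entries):
    """Return (kind, detail, reason) findings for entries worth a closer look."""
    findings = []
    for kind, body in entries:
        if kind in ("R0", "R1"):
            # R0/R1 bodies look like "<registry key>,<value name> = <url>"
            key, _, value = body.partition("=")
            key, value = key.strip(), value.strip()
            if not value:
                continue  # an empty Local Page is the normal XP state
            host = urlparse(value).hostname or ""
            if host not in TRUSTED_HOSTS:
                findings.append((kind, key, f"points at untrusted host {host!r}"))
        elif kind in ("O2", "O20", "O21"):
            # BHO / Winlogon Notify / ShellServiceObject entries end in the DLL path
            path = body.rsplit(" - ", 1)[-1]
            if VUNDO_NAME.search(path):
                findings.append((kind, path, "eight-letter mixed-case DLL in system32"))
    return findings


def diff_logs(before, after):
    """Return (removed, added) entry lists between two logs of the same host."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for kind, detail, reason in flag_entries(parse_hjt(BEFORE_LOG)):
        print(f"{kind}: {reason}\n    {detail}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(f"{len(removed)} entries gone after cleanup, {len(added)} new")
```

Run against the two constructed logs it reports the two R1 redirects and the O2 DLL, and the diff shows exactly those three entries gone after cleanup, which is the same picture the MBAM log above gives (Search Bar and SearchURL values quarantined, Vundo DLLs removed). The diff is the useful part on a real case: paste the HJT section of successive DSS runs in and anything that reappears after a reboot is the persistence you have not found yet.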
#9
th3coz
    New Member
  • Topic Starter
  • Member
  • Pip
  • 8 posts
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600)
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP 2200+
Percentage of Memory in Use: 32%
Physical Memory (total/avail): 1023.53 MiB / 690.61 MiB
Pagefile Memory (total/avail): 2462.09 MiB / 2177.31 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1958.92 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 12.11 GiB total, 1.9 GiB free.
D: is Fixed (NTFS) - 37.26 GiB total, 8.04 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST313021A - 12.12 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 12.11 GiB - C:

\\.\PHYSICALDRIVE1 - ST340016A - 37.27 GiB - 1 partition
\PARTITION0 - Installable File System - 37.26 GiB - D:



-- Security Center -------------------------------------------------------------

AUState says computer is in an unknown state.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Marley\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=COZ
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Marley
LOGONSERVER=\\COZ
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\PC Connectivity Solution
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Marley\LOCALS~1\Temp
TMP=C:\DOCUME~1\Marley\LOCALS~1\Temp
USERDOMAIN=COZ
USERNAME=Marley
USERPROFILE=C:\Documents and Settings\Marley
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

cozy (admin)
Marley (admin)
Timmy
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\UninstFl.exe -q
Adobe Flash Player Plugin --> C:\WINDOWS\System32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,[email protected] -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Avira AntiVir Personal – Free Antivirus --> C:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
BitTorrent 6.0.2 --> C:\Program Files\BitTorrent\uninst.exe
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DNA --> "C:\Program Files\DNA\btdna.exe" /UNINSTALL
Ghost Recon --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D89EF3B3-6F17-4665-B7A9-A4235A6DC787}\Setup.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
iolo technologies' System Mechanic 7 --> "d:\Program Files\iolo\System Mechanic 7\unins000.exe"
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
K-Lite Codec Pack 3.5.7 Standard --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MediaMonkey 3.0 --> "C:\Program Files\MediaMonkey\unins000.exe"
MetaFrame Presentation Server Web Client for Win32 --> C:\WINDOWS\System32\ctxsetup.exe /uninst C:\PROGRA~1\Citrix\icaweb32\uninst.inf
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MixMeister BPM Analyzer 1.0 --> "C:\Program Files\MixMeister BPM Analyzer\unins000.exe"
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Messenger 7.5 --> MsiExec.exe /I{CEB3A11A-03EA-11DA-BFBD-00065BBDC0B5}
MSVC80_x86 --> MsiExec.exe /I{212748BB-0DA5-46DE-82A1-403736DC9F27}
Nokia Connectivity Cable Driver --> MsiExec.exe /X{0A3D3C54-2EC0-4D67-B265-FF17926E6D67}
PartyPoker --> "C:\Program Files\PartyGaming\PartyPoker\Uninstall.exe" "C:\Program Files\PartyGaming\PartyPoker\install.log"
PC Connectivity Solution --> MsiExec.exe /I{BA084E7C-8ABA-4670-BDE8-B85E689A5C1B}
PSP Video 9 2.25 --> C:\Program Files\Red Kawa\Video Converter\uninstaller.exe
Reason --> MsiExec.exe /X{AB9FC2F9-7FC7-11D7-9D82-00065BABCB42}
SoulSeek Client 156c --> "C:\Program Files\Soulseek\uninstall.exe"
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
TruePoker (High Res) --> D:\PROGRA~1\TRUEPO~1\UNWISE.EXE D:\PROGRA~1\TRUEPO~1\INSTALL.LOG
USB Driver Vers. 3.2 --> C:\Program Files\USB Driver Vers. 3.2\uninstall.exe
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Wave Splitter 2.10 --> "C:\Program Files\Wave Splitter\unins000.exe"
WavePad Uninstall --> C:\Program Files\NCH Swift Sound\WavePad\uninst.exe
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type747 / Error
Event Submitted/Written: 06/30/2008 01:15:56 PM
Event ID/Source: 454 / ESENT
Event Description:
Catalog Database (980) Database recovery/restore failed with unexpected error -4001.

Event Record #/Type746 / Error
Event Submitted/Written: 06/30/2008 01:15:51 PM
Event ID/Source: 454 / ESENT
Event Description:
Catalog Database (980) Database recovery/restore failed with unexpected error -4001.

Event Record #/Type745 / Error
Event Submitted/Written: 06/30/2008 01:15:48 PM
Event ID/Source: 454 / ESENT
Event Description:
Catalog Database (980) Database recovery/restore failed with unexpected error -4001.

Event Record #/Type744 / Error
Event Submitted/Written: 06/30/2008 01:15:43 PM
Event ID/Source: 454 / ESENT
Event Description:
Catalog Database (980) Database recovery/restore failed with unexpected error -4001.

Event Record #/Type743 / Error
Event Submitted/Written: 06/30/2008 01:15:39 PM
Event ID/Source: 454 / ESENT
Event Description:
Catalog Database (980) Database recovery/restore failed with unexpected error -4001.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type13547 / Error
Event Submitted/Written: 06/30/2008 11:54:59 AM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.100.10 for the Network Card with network address 000C6E1CE1DD has been
denied by the DHCP server 99.253.246.1 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type13544 / Warning
Event Submitted/Written: 06/30/2008 11:54:54 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 000C6E1CE1DD. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type13542 / Error
Event Submitted/Written: 06/30/2008 11:54:35 AM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Event Record #/Type13541 / Error
Event Submitted/Written: 06/30/2008 11:54:35 AM
Event ID/Source: 17 / W32Time
Event Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,time.nist.gov'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Event Record #/Type13540 / Error
Event Submitted/Written: 06/30/2008 11:54:30 AM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 72.141.7.93 for the Network Card with network address 000C6E1CE1DD has been
denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).



-- End of Deckard's System Scanner: finished at 2008-06-30 13:16:24 ------------

#10
fenzodahl512
  • Malware Removal
  • 9,863 posts
Please go to Start >> Run and type or copy/paste the following in the run box: "%userprofile%\desktop\dss.exe" /daft . Then press Enter
  • Click on the Scan button.
  • Select everything it is displaying there
  • Click the Fix button.
  • Then rescan with DAFT again - it should say now that "All associations are OK"
  • Close DAFT if you receive that message. This means that it is fixed now.


Post a fresh DSS log after that :)

#11
th3coz
    New Member
  • Topic Starter
  • Member
  • Pip
  • 8 posts
Everything went as you said so far, you rock. I didn't get an extra.txt this time 'round if that matters.

Deckard's System Scanner v20071014.68
Run by Marley on 2008-06-30 13:32:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Marley.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:32, on 6/30/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Marley\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Marley.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SMSystemAnalyzer] "d:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4227 bytes

-- Files created between 2008-05-30 and 2008-06-30 -----------------------------

2008-06-30 12:10:26 0 d-------- C:\Documents and Settings\Marley\Application Data\Malwarebytes
2008-06-30 12:10:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-30 12:10:22 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-30 09:16:16 237728 --a----c- C:\cmldr
2008-06-30 09:16:13 0 d------c- C:\cmdcons
2008-06-30 08:54:49 0 d-------- C:\WINDOWS\ERUNT
2008-06-29 18:58:30 0 d-------- C:\Program Files\Trend Micro
2008-06-29 16:33:11 68096 --a------ C:\WINDOWS\zip.exe
2008-06-29 16:33:11 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-29 16:33:11 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-29 16:33:11 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-29 16:33:11 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-29 16:33:11 98816 --a------ C:\WINDOWS\sed.exe
2008-06-29 16:33:11 80412 --a------ C:\WINDOWS\grep.exe
2008-06-29 16:33:11 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-29 11:43:55 0 d-------- C:\Program Files\Avira
2008-06-29 11:43:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-28 21:28:32 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-28 21:28:32 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-28 21:28:32 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-28 21:28:32 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-06-28 21:28:32 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-28 21:28:32 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-28 21:28:32 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-06-28 21:28:32 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-28 21:28:32 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-06-28 21:28:32 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-28 21:28:32 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-06-28 21:28:32 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-28 21:28:32 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-28 21:28:31 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-28 21:28:19 0 d--hs---- C:\WINDOWS\CSC
2008-06-28 19:14:19 0 d-------- C:\WINDOWS\Torrents
2008-06-21 08:49:10 0 d-------- C:\Documents and Settings\Marley\Application Data\NCH Swift Sound
2008-06-16 20:32:49 0 d-------- C:\Program Files\PartyGaming
2008-06-16 20:12:49 0 d-------- C:\Program Files\PokerStars.NET


-- Find3M Report ---------------------------------------------------------------

2008-06-30 13:27:05 0 d-------- C:\Documents and Settings\Marley\Application Data\DNA
2008-06-29 11:46:13 0 d-------- C:\Documents and Settings\Marley\Application Data\Macromedia
2008-06-28 20:56:01 0 d-------- C:\Program Files\DNA
2008-06-28 19:12:31 0 d-------- C:\Documents and Settings\Marley\Application Data\BitTorrent
2008-06-28 19:11:57 0 d-------- C:\Program Files\BitTorrent
2008-06-24 10:06:40 0 d-------- C:\Program Files\Soulseek
2008-05-13 12:28:15 0 d-------- C:\Documents and Settings\Marley\Application Data\ICAClient
2008-05-13 12:25:47 0 d-------- C:\Program Files\Citrix
2008-05-12 13:39:23 0 d-------- C:\Program Files\Messenger
2008-05-05 10:44:25 0 d-------- C:\Documents and Settings\Marley\Application Data\Command & Conquer 3 Tiberium Wars
2008-05-03 16:56:45 0 d-------- C:\Documents and Settings\Marley\Application Data\iolo
2008-05-03 16:24:32 0 d-------- C:\Program Files\iolo
2008-05-03 16:23:55 74703 --a------ C:\WINDOWS\System32\mfc45.dll
2008-05-03 13:03:43 0 d-------- C:\Program Files\SystemRequirementsLab
2008-05-03 13:03:43 0 d-------- C:\Documents and Settings\Marley\Application Data\SystemRequirementsLab
2008-05-03 10:13:58 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-02 22:06:39 1598 --a------ C:\WINDOWS\eReg.dat
2008-05-02 19:33:14 0 d-------- C:\Program Files\Alcohol Soft


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSystemAnalyzer"="d:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [03/31/2008 15:09]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [05/07/2008 22:06]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [03/20/2008 12:46]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [4/12/2007 8:48:54 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-06-30 13:34:11 ------------

#12 fenzodahl512 (Malware Removal, 9,863 posts)

Great!! Your log looks clean to my eyes...


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
    Please note that the space between x and / is needed





NEXT


Please Install/Update Sun Java

Updating Java:
  • Go to Start --> Control Panel --> Add or Remove Programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
  • Select it and click Remove. This will uninstall the previous (outdated) version of Java.
  • Then Download and install the newest version from here: Java Runtime Environment (JRE) 6 Update 6




NEXT


I noticed you already have:

1. Avira AntiVir as your antivirus.
2. Malwarebytes' Anti-Malware as your antispyware.



However, I haven't seen any third-party firewall in your logs. Do you have one? If you don't, please install ONLY ONE of these free and excellent firewalls below:
After you install the third party firewall, please disable your Windows firewall. Please go to My Computer >> Control Panel >> Windows Firewall and choose Off (not recommended) option. Then please click Apply and Ok.




Lastly, to keep your operating system up to date, please visit the link below monthly.

To learn more about how to protect yourself while on the internet read this excellent article by Tony Klein: So how did I get infected in the first place?

Please also read an excellent article by miekiemoes :Help! My computer is slow!

And another excellent article by CastleCops Malware Prevention: Prevent Re-infection

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :)



Have a safe and happy computing day!


Regards
fenzodahl512
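The HijackThis section of the log posted above is what the helper reads before calling the machine clean. As an added example, not part of the original thread and not code from HijackThis or Geeks to Go, here is a small Python triage script that parses lines in that format and attaches a reason to every entry a reviewer should check by hand. The sample input is a handful of lines copied from the log above plus two constructed lines at the end (ExampleAutorun and example_notify are placeholder names) so the flags have something to fire on. The heuristics (a file outside Windows/Program Files, an O23 service with "Unknown owner", a nameless entry, an O2/O20/O21/O22 hook) are assumptions about what merits a second look, not a verdict: the Java console's nameless O9 button and the ATI Smart service from the real log are flagged here and both are benign, exactly as the helper concluded.

```python
"""Parse HijackThis-style log lines and flag entries worth a second look (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Sample input: lines copied from the HijackThis section of the log above,
# plus two CONSTRUCTED lines at the end (ExampleAutorun, example_notify) that
# stand in for the kind of entry the heuristics are meant to catch.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SMSystemAnalyzer] "d:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O4 - HKCU\..\Run: [ExampleAutorun] C:\Documents and Settings\Marley\Local Settings\Temp\example_autorun.exe
O20 - Winlogon Notify: example_notify - C:\WINDOWS\system32\example_notify.dll
"""

# "O23 - Service: ..." -> section code "O23", body "Service: ..."
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
# First drive-letter path ending in a loadable extension; stops at a quote.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|sys|cpl|scr)\b', re.IGNORECASE)

# Locations a normally installed program lives in; anything autostarting from
# elsewhere (Temp, a user profile) is worth a look. Assumption for this example.
STANDARD_ROOTS = ("\\windows\\", "\\program files\\")
# Hooks loaded by winlogon/explorer; HijackThis section codes are an assumption
# about where a reviewer should always verify the file behind the entry.
SENSITIVE_SECTIONS = {"O2", "O20", "O21", "O22"}


@dataclass
class Entry:
    section: str
    body: str
    path: Optional[str]
    reasons: list[str] = field(default_factory=list)


def parse_hjt(text: str) -> list[Entry]:
    """Turn HijackThis lines into Entry objects; lines in other formats are skipped."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        p = PATH_RE.search(body)
        entries.append(Entry(m.group("section"), body, p.group(0) if p else None))
    return entries


def triage(entries: list[Entry]) -> list[Entry]:
    """Attach plain-language reasons and return only the entries that got one."""
    for e in entries:
        if e.path:
            low = e.path.lower()
            if not any(root in low for root in STANDARD_ROOTS):
                e.reasons.append("file lives outside Windows/Program Files (user-writable location)")
        if e.section in SENSITIVE_SECTIONS:
            e.reasons.append(f"{e.section} is a sensitive persistence hook; verify the file")
        if e.section == "O23" and "Unknown owner" in e.body:
            e.reasons.append("service has no vendor string; confirm the binary's signer")
        if "(no name)" in e.body:
            e.reasons.append("entry has no display name")
    return [e for e in entries if e.reasons]


def triage_log(text: str) -> list[Entry]:
    """Convenience wrapper: parse then triage a whole log."""
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.section:<4} {e.path or '(no path)'}")
        for r in e.reasons:
            print(f"     - {r}")
```

Run against the sample it reports four entries: the nameless Java button, the ATI Smart service, the constructed Temp-folder autorun and the constructed Winlogon Notify hook. The first two are the false positives a reviewer expects from rules this blunt, which is why the output is a checklist for a human rather than a list of things to delete.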

#13 th3coz (New Member, Topic Starter, 8 posts)

From what I can tell everything is back to normal. You are a god among men! Thank you SO much for the time you put in to help me, it is greatly appreciated. I'll keep a close eye on my comp over the next few days and let you know if anything pops up.

THANKS AGAIN!

#14 fenzodahl512 (Malware Removal, 9,863 posts)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.