Spyware/Malware/VIRUS ALERT [RESOLVED]


This topic is locked

#1 Matt Footloose (Member, 16 posts)

Hi,

I have a friend's laptop (yeah, usual story... but true!). They have a teenage son and I think he's been looking at some funny sites! They asked me to look at it because they kept getting a virus warning. When I looked at it, all admin rights had been stripped and everyone was set as limited users. It also had desktop shortcuts to adult pages. I managed to do an AVG scan and it came back with 46,000 threats! I've managed to do a restore to a point before the attack, and now I've run an AVG scan and an Ad-Aware scan and they seem to be OK.

Could someone please help me to see if there are still issues?

Thanks and regards

Matt

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:56:04, on 10/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\rcntqtdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rswnw64o.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: khfDspop - khfDspop.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4743 bytes

Edited by Matt Footloose, 10 July 2008 - 12:56 PM.



#2 miekiemoes (Malware Expert, MVP, 5,503 posts)

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#3 Matt Footloose (Topic Starter, Member, 16 posts)

Hi,

Completed ComboFix.

ComboFix 08-07-10.1 - Owner 2008-07-11 13:49:10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.286 [GMT 1:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Eddie.OWNER-B3168C413\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Eddie.OWNER-B3168C413\Start Menu\Programs\Startup\DW_Start.lnk
C:\Documents and Settings\Eddie\Desktop\Error Cleaner.url
C:\Documents and Settings\Eddie\Desktop\Privacy Protector.url
C:\Documents and Settings\Eddie\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Eddie\Favorites\Error Cleaner.url
C:\Documents and Settings\Eddie\Favorites\Privacy Protector.url
C:\Documents and Settings\Eddie\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\Owner\Favorites\Error Cleaner.url
C:\Documents and Settings\Owner\Favorites\Privacy Protector.url
C:\Documents and Settings\Owner\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\DW_Start.lnk
C:\Program Files\network monitor
C:\Program Files\PCHealthCenter
C:\Program Files\PCHealthCenter\0.gif
C:\Program Files\PCHealthCenter\1.gif
C:\Program Files\PCHealthCenter\2.gif
C:\Program Files\PCHealthCenter\3.gif
C:\Program Files\VAV
C:\Program Files\VAV\vav.ooo
C:\Program Files\VAV\vav0.dat
C:\Program Files\VAV\vav1.dat
C:\Program Files\Zumie
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\Fonts\'
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\system32\g47.exe
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\msssc.dll
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\Pqqtttwa.ini
C:\WINDOWS\system32\Pqqtttwa.ini2
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2008-06-11 to 2008-07-11 )))))))))))))))))))))))))))))))
.

2008-07-10 18:36 . 2008-07-10 18:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-10 18:12 . 2008-07-10 18:12 <DIR> d-------- C:\Documents and Settings\Stephen\Application Data\AVGTOOLBAR
2008-07-10 14:33 . 2008-07-10 14:33 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-07-10 14:30 . 2008-07-10 14:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-07-10 14:29 . 2008-07-10 14:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-10 14:25 . 2008-07-10 14:25 <DIR> d-------- C:\Program Files\Yahoo!
2008-07-10 14:25 . 2008-07-10 14:25 <DIR> d-------- C:\Program Files\CCleaner
2008-07-10 10:37 . 2008-07-10 10:37 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-10 10:37 . 2008-07-10 10:37 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-10 10:36 . 2008-07-10 13:23 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-10 10:36 . 2008-07-10 10:36 <DIR> d-------- C:\Program Files\AVG
2008-07-10 10:36 . 2008-07-10 14:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVGTOOLBAR
2008-07-10 10:36 . 2008-07-10 10:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-10 10:36 . 2008-07-10 10:36 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-10 10:13 . 2008-07-10 10:13 <DIR> d-------- C:\Documents and Settings\Eddie.OWNER-B3168C413
2008-07-10 10:11 . 2008-07-10 10:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-10 09:52 . 2008-07-10 10:10 <DIR> d---s---- C:\Documents and Settings\Eddie
2008-07-09 17:20 . 2008-07-10 10:10 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-07-09 16:53 . 2008-07-10 21:25 <DIR> d-------- C:\$AVG8.VAULT$
2008-07-09 16:47 . 2008-07-09 16:47 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg(2)
2008-07-09 16:47 . 2008-07-10 10:10 <DIR> d-------- C:\Program Files\AVG(2)
2008-07-09 16:47 . 2008-07-10 10:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8(2)
2008-07-04 15:50 . 2008-07-04 15:50 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-04 15:50 . 2008-07-10 18:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-04 15:47 . 2008-07-10 10:12 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-04 15:47 . 2008-07-10 10:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-04 15:41 . 2008-07-04 15:41 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-07-04 15:41 . 2008-07-04 15:41 90,922 --a------ C:\WINDOWS\system32\atkhuiyjnpkekkwzw.dll-uninst.exe
2008-07-04 15:41 . 2008-07-04 15:41 63,902 --a------ C:\WINDOWS\system32\{7382338a-662d-1be7-1481-0c66c3312277}.dll-uninst.exe
2008-07-04 15:32 . 2008-07-10 18:13 <DIR> d-------- C:\Documents and Settings\Stephen
2008-07-04 15:28 . 2008-07-04 15:28 <DIR> d-------- C:\WINDOWS\system32\wb9
2008-07-04 15:28 . 2008-07-10 19:18 <DIR> d-------- C:\WINDOWS\system32\modtrux18
2008-07-04 15:28 . 2008-07-10 19:17 <DIR> d-------- C:\WINDOWS\system32\kp3
2008-07-04 15:28 . 2008-07-10 19:17 <DIR> d-------- C:\WINDOWS\system32\ev2
2008-07-04 15:28 . 2008-07-04 15:28 <DIR> d-------- C:\Temp\syschk3
2008-07-04 15:28 . 2008-07-11 13:49 <DIR> d-------- C:\Temp
2008-07-04 03:01 . 2008-07-04 03:01 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-04 02:58 . 2008-07-04 02:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-07-04 02:42 . 2008-07-04 02:42 <DIR> d-------- C:\Program Files\Thomson
2008-07-02 22:29 . 2003-12-08 11:53 70,688 --a------ C:\WINDOWS\system32\drivers\alcaudsl.sys
2008-07-02 22:29 . 2003-12-08 11:53 53,600 --a------ C:\WINDOWS\system32\drivers\alcan5wn.sys
2008-07-02 22:29 . 2003-12-08 11:53 5,606 --a------ C:\WINDOWS\system32\stci.dll
2008-07-02 22:29 . 2003-12-08 11:53 5,280 --a------ C:\WINDOWS\system32\drivers\alcawh.sys
2008-07-02 22:29 . 2003-12-08 11:53 3,968 --a------ C:\WINDOWS\system32\drivers\alcacr.sys
2008-06-26 22:46 . 2008-06-26 22:46 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\dvdcss
2008-06-26 22:44 . 2008-06-26 22:56 <DIR> d-------- C:\Program Files\VideoLAN
2008-06-26 22:07 . 2008-06-13 12:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-26 22:06 . 2008-05-08 15:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-20 18:46 . 2008-06-20 18:46 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 18:46 . 2008-06-20 18:46 147,968 -----c--- C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 12:51 . 2008-06-20 12:51 361,600 -----c--- C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 12:40 . 2008-06-20 12:40 138,496 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 12:08 . 2008-06-20 12:08 225,856 -----c--- C:\WINDOWS\system32\dllcache\tcpip6.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-04 01:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-28 13:11 --------- d-----w C:\Program Files\Kaspersky Lab
2008-05-28 13:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-28 13:07 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-28 12:29 --------- d-----w C:\Program Files\Apoint2K
2008-05-28 12:28 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-05-28 12:28 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_HpqKbFiltr_01005.Wdf
2008-05-28 12:27 --------- d-----w C:\Program Files\Hewlett-Packard
2008-05-28 12:27 --------- d-----w C:\Documents and Settings\Owner\Application Data\InstallShield
2008-05-28 12:16 --------- d-----w C:\Program Files\Analog Devices
2008-05-28 11:25 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-16 10:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 04:55 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 04:46 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 04:43 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 04:43 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 04:43 299,520 ----a-w C:\WINDOWS\system32\drmclien.dll
2008-04-14 04:43 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 04:41 98,304 ----a-w C:\WINDOWS\system32\actxprxy.dll
2008-04-14 04:40 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 04:40 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 04:40 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 01:30 103,424 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-14 00:00 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 23:57 2,188,928 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 23:15 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 23:05 24,064 ----a-w C:\WINDOWS\system32\pidgen.dll
2008-04-13 23:01 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2008-04-13 23:01 2,065,792 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-13 23:00 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2008-04-13 22:45 76,800 ----a-w C:\WINDOWS\system32\msshavmsg.dll
2008-04-13 22:09 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll
2008-04-13 22:09 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll
2008-04-13 22:09 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2008-04-13 22:07 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2008-04-13 22:07 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2008-04-13 21:58 2,940,928 ----a-w C:\WINDOWS\system32\wmploc.dll
2008-04-13 21:57 79,872 ----a-w C:\WINDOWS\system32\msxml6r.dll
2008-04-13 21:56 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
2008-04-13 21:56 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll
2008-04-13 21:56 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll
2008-04-13 21:54 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll
2008-04-13 21:53 8,192 ----a-w C:\WINDOWS\system32\asferror.dll
2008-04-13 21:53 168,448 ----a-w C:\WINDOWS\system32\wmerror.dll
2008-04-13 21:51 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
2008-04-13 21:39 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2008-04-13 21:33 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
2008-04-13 21:33 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll
2008-04-13 21:18 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll
2008-04-13 21:15 216,064 ----a-w C:\WINDOWS\system32\moricons.dll
2008-04-13 20:53 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll
2008-04-13 20:52 48,128 ----a-w C:\WINDOWS\system32\inetres.dll
2008-04-13 20:09 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 05:42 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-02-23 22:26 5537792]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-10 10:36 1232152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 05:42 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-10 10:37]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-10 10:36]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-10 10:36]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-10 10:36]

.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{06A1F910-762A-4660-B534-55B82571851C} - (no file)
Notify-khfDspop - khfDspop.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-11 13:55:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-07-11 13:56:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-11 12:56:07

Pre-Run: 33,649,000,448 bytes free
Post-Run: 34,495,799,296 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

249 --- E O F --- 2008-06-26 21:19:21


Here is the new HijackThis log too:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:59:34, on 11/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4647 bytes

Thanks

Matt
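The two HijackThis logs in this thread (post #1 before ComboFix, post #3 after) differ in exactly the entries a triage reader would circle: two Startup-folder shortcuts (Deewoo.lnk, DW_Start.lnk) that launch randomly named executables straight out of system32, and a Winlogon Notify loading point (khfDspop.dll) whose DLL is already gone, which ComboFix later listed under ORPHANS REMOVED. The following Python is an added example, not code from the thread and not Trend Micro's; it parses HijackThis v2 entry lines, flags those two patterns, and diffs a before/after pair. The function names and the two heuristics are my own choices, and the sample input is an excerpt of the two logs above.

```python
"""HijackThis v2 log triage: parse, flag two red-flag patterns, diff before/after.
Added example; the heuristics are the author's, not Trend Micro's."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Excerpt of the two logs posted in this thread (post #1 = before ComboFix,
# post #3 = after), trimmed to the lines relevant to the check.
HJT_BEFORE = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\rcntqtdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rswnw64o.exe
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: khfDspop - khfDspop.dll (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""
HJT_AFTER = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# "O4 - <rest>", "R1 - <rest>", ...; the rest of the line is kept verbatim.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")


@dataclass(frozen=True)
class Entry:
    kind: str   # section code, e.g. "O4"
    text: str   # everything after "O4 - "


def parse_hjt(log: str) -> list[Entry]:
    """Return the R/F/N/O entries of a HijackThis log, skipping header and process list."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


# Startup-folder shortcut whose target is an .exe sitting directly in system32.
# Installers normally point startup shortcuts at their own Program Files tree.
STARTUP_SYS32 = re.compile(r"^Startup: .+\.lnk = C:\\WINDOWS\\system32\\[^\\]+\.exe$", re.I)


def flag_suspicious(entries: list[Entry]) -> list[tuple[Entry, str]]:
    """Entries matching one of two patterns worth a second look (heuristic, not proof)."""
    findings = []
    for e in entries:
        if e.kind == "O4" and STARTUP_SYS32.match(e.text):
            findings.append((e, "Startup shortcut launching an .exe straight out of system32"))
        elif e.kind == "O20" and e.text.startswith("Winlogon Notify:") and "(file missing)" in e.text:
            findings.append((e, "Winlogon Notify loading point whose DLL is gone (orphan)"))
    return findings


def diff_logs(before: list[Entry], after: list[Entry]) -> list[Entry]:
    """Entries present in the earlier log but absent from the later one."""
    later = set(after)
    return [e for e in before if e not in later]


if __name__ == "__main__":
    before, after = parse_hjt(HJT_BEFORE), parse_hjt(HJT_AFTER)
    for entry, why in flag_suspicious(before):
        print(f"[{entry.kind}] {entry.text}\n      -> {why}")
    print("removed by cleanup:")
    for entry in diff_logs(before, after):
        print(f"  {entry.kind} - {entry.text}")
```

Run against the excerpt, the three flagged entries are the same three that disappear between the two logs. Neither rule proves infection on its own: a missing Notify DLL can be leftover from an uninstall, and a startup shortcut into system32 is merely unusual. Treat the output as a list of entries to look at, not a list to delete.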

#4 miekiemoes (Malware Expert, MVP, 5,503 posts)

Hi,

* Open Notepad - don't use any other text editor than Notepad, or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\atkhuiyjnpkekkwzw.dll-uninst.exe
C:\WINDOWS\system32\{7382338a-662d-1be7-1481-0c66c3312277}.dll-uninst.exe
Folder::
C:\WINDOWS\system32\modtrux18
C:\WINDOWS\system32\kp3
C:\WINDOWS\system32\ev2
C:\Temp\syschk3
Dirlook::
C:\WINDOWS\system32\wb9


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
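The CFScript above names items that share one creation minute in the "Files Created" section of the ComboFix log in post #3: the system32 directories and C:\Temp\syschk3 stamped 2008-07-04 15:28, and the three files stamped 2008-07-04 15:41. Grouping that section by creation timestamp is a standard way to separate a dropper's burst of writes from the surrounding installs, and then to decide what goes under File::, Folder:: or Dirlook::. The Python below is an added example; it is not ComboFix's own logic and not the method the expert used to pick those paths. The input is an excerpt of the post #3 log, and DROP_ZONE, flag_clusters and cfscript are names and heuristics chosen for this example.

```python
"""Timeline clustering of a ComboFix "Files Created" section and a draft CFScript.
Added example; the heuristics are the author's, not ComboFix's."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Excerpt of the "Files Created from 2008-06-11 to 2008-07-11" section in post #3.
# The AVG and Lavasoft lines are kept on purpose: legitimate installs also write
# several objects in one minute, and the filter below must not flag them.
COMBOFIX_CREATED = r"""
2008-07-10 10:37 . 2008-07-10 10:37 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-10 10:37 . 2008-07-10 10:37 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-10 10:36 . 2008-07-10 13:23 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-10 10:36 . 2008-07-10 10:36 <DIR> d-------- C:\Program Files\AVG
2008-07-10 10:36 . 2008-07-10 10:36 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-04 15:50 . 2008-07-04 15:50 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-04 15:41 . 2008-07-04 15:41 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-07-04 15:41 . 2008-07-04 15:41 90,922 --a------ C:\WINDOWS\system32\atkhuiyjnpkekkwzw.dll-uninst.exe
2008-07-04 15:41 . 2008-07-04 15:41 63,902 --a------ C:\WINDOWS\system32\{7382338a-662d-1be7-1481-0c66c3312277}.dll-uninst.exe
2008-07-04 15:28 . 2008-07-04 15:28 <DIR> d-------- C:\WINDOWS\system32\wb9
2008-07-04 15:28 . 2008-07-10 19:18 <DIR> d-------- C:\WINDOWS\system32\modtrux18
2008-07-04 15:28 . 2008-07-10 19:17 <DIR> d-------- C:\WINDOWS\system32\kp3
2008-07-04 15:28 . 2008-07-10 19:17 <DIR> d-------- C:\WINDOWS\system32\ev2
2008-07-04 15:28 . 2008-07-04 15:28 <DIR> d-------- C:\Temp\syschk3
2008-07-04 15:28 . 2008-07-11 13:49 <DIR> d-------- C:\Temp
"""

# Line layout: "<created> . <modified> <size or <DIR>> <attrs> <path>"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)


@dataclass(frozen=True)
class Created:
    created: str    # "YYYY-MM-DD HH:MM", used as the clustering key
    is_dir: bool
    path: str


def parse_created(section: str) -> list[Created]:
    out = []
    for line in section.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Created(m["created"], m["size"] == "<DIR>", m["path"]))
    return out


def cluster_by_minute(entries: list[Created]) -> dict[str, list[Created]]:
    """Group entries that share a creation minute: one write burst per key."""
    clusters = defaultdict(list)
    for e in entries:
        clusters[e.created].append(e)
    return dict(clusters)


# Objects dropped directly into system32 or C:\Temp (no driver/vendor subfolder).
DROP_ZONE = re.compile(r"^C:\\(WINDOWS\\system32|Temp)\\[^\\]+$", re.I)
PROGRAM_FILES = re.compile(r"^C:\\Program Files\\", re.I)


def flag_clusters(clusters: dict[str, list[Created]], min_hits: int = 2) -> dict[str, list[Created]]:
    """Bursts with at least min_hits drop-zone writes and no Program Files tree of their own."""
    flagged = {}
    for minute, items in clusters.items():
        if any(PROGRAM_FILES.match(e.path) for e in items):
            continue   # an installer creating its own Program Files directory explains the burst
        hits = [e for e in items if DROP_ZONE.match(e.path)]
        if len(hits) >= min_hits:
            flagged[minute] = sorted(hits, key=lambda e: e.path)
    return flagged


def cfscript(entries: list[Created]) -> str:
    """Draft in the File:: / Folder:: layout of the CFScript in post #4."""
    files = sorted(e.path for e in entries if not e.is_dir)
    folders = sorted(e.path for e in entries if e.is_dir)
    lines = []
    if files:
        lines += ["File::", *files]
    if folders:
        lines += ["Folder::", *folders]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    flagged = flag_clusters(cluster_by_minute(parse_created(COMBOFIX_CREATED)))
    for minute, hits in sorted(flagged.items()):
        print(f"{minute}: {len(hits)} drop-zone writes")
    print(cfscript([e for hits in flagged.values() for e in hits]))
```

On the excerpt, only the 15:28 and 15:41 bursts are flagged; the AVG burst at 10:36 is skipped because the same minute also created C:\Program Files\AVG, and 10:37 has only one direct system32 write. The draft is a starting point, not a deletion list: a person still decides what to delete and what to inspect first, which is why the script in post #4 puts C:\WINDOWS\system32\wb9 under Dirlook:: rather than Folder::, and leaves C:\Temp itself alone.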

#5 Matt Footloose (Topic Starter, Member, 16 posts)

ComboFix 08-07-10.1 - Owner 2008-07-11 17:30:42.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.293 [GMT 1:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\{7382338a-662d-1be7-1481-0c66c3312277}.dll-uninst.exe
C:\WINDOWS\system32\atkhuiyjnpkekkwzw.dll-uninst.exe
C:\WINDOWS\system32\vbzip10.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\syschk3
C:\Temp\syschk3\tdirp5.log
C:\WINDOWS\system32\{7382338a-662d-1be7-1481-0c66c3312277}.dll-uninst.exe
C:\WINDOWS\system32\atkhuiyjnpkekkwzw.dll-uninst.exe
C:\WINDOWS\system32\ev2
C:\WINDOWS\system32\kp3
C:\WINDOWS\system32\modtrux18
C:\WINDOWS\system32\vbzip10.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-11 to 2008-07-11 )))))))))))))))))))))))))))))))
.

2008-07-10 18:36 . 2008-07-10 18:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-10 18:12 . 2008-07-10 18:12 <DIR> d-------- C:\Documents and Settings\Stephen\Application Data\AVGTOOLBAR
2008-07-10 14:33 . 2008-07-10 14:33 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-07-10 14:30 . 2008-07-10 14:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-07-10 14:29 . 2008-07-10 14:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-10 14:25 . 2008-07-10 14:25 <DIR> d-------- C:\Program Files\Yahoo!
2008-07-10 14:25 . 2008-07-10 14:25 <DIR> d-------- C:\Program Files\CCleaner
2008-07-10 10:37 . 2008-07-10 10:37 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-10 10:37 . 2008-07-10 10:37 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-10 10:36 . 2008-07-10 13:23 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-10 10:36 . 2008-07-10 10:36 <DIR> d-------- C:\Program Files\AVG
2008-07-10 10:36 . 2008-07-10 14:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVGTOOLBAR
2008-07-10 10:36 . 2008-07-10 10:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-10 10:36 . 2008-07-10 10:36 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-10 10:13 . 2008-07-10 10:13 <DIR> d-------- C:\Documents and Settings\Eddie.OWNER-B3168C413
2008-07-10 10:11 . 2008-07-10 10:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-10 09:52 . 2008-07-10 10:10 <DIR> d---s---- C:\Documents and Settings\Eddie
2008-07-09 17:20 . 2008-07-10 10:10 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-07-09 16:53 . 2008-07-10 21:25 <DIR> d-------- C:\$AVG8.VAULT$
2008-07-09 16:47 . 2008-07-09 16:47 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg(2)
2008-07-09 16:47 . 2008-07-10 10:10 <DIR> d-------- C:\Program Files\AVG(2)
2008-07-09 16:47 . 2008-07-10 10:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8(2)
2008-07-04 15:50 . 2008-07-04 15:50 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-04 15:50 . 2008-07-10 18:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-04 15:47 . 2008-07-10 10:12 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-04 15:47 . 2008-07-10 10:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-04 15:32 . 2008-07-10 18:13 <DIR> d-------- C:\Documents and Settings\Stephen
2008-07-04 15:28 . 2008-07-04 15:28 <DIR> d-------- C:\WINDOWS\system32\wb9
2008-07-04 15:28 . 2008-07-11 17:30 <DIR> d-------- C:\Temp
2008-07-04 03:01 . 2008-07-04 03:01 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-04 02:58 . 2008-07-04 02:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-07-04 02:42 . 2008-07-04 02:42 <DIR> d-------- C:\Program Files\Thomson
2008-07-02 22:29 . 2003-12-08 11:53 70,688 --a------ C:\WINDOWS\system32\drivers\alcaudsl.sys
2008-07-02 22:29 . 2003-12-08 11:53 53,600 --a------ C:\WINDOWS\system32\drivers\alcan5wn.sys
2008-07-02 22:29 . 2003-12-08 11:53 5,606 --a------ C:\WINDOWS\system32\stci.dll
2008-07-02 22:29 . 2003-12-08 11:53 5,280 --a------ C:\WINDOWS\system32\drivers\alcawh.sys
2008-07-02 22:29 . 2003-12-08 11:53 3,968 --a------ C:\WINDOWS\system32\drivers\alcacr.sys
2008-06-26 22:46 . 2008-06-26 22:46 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\dvdcss
2008-06-26 22:44 . 2008-06-26 22:56 <DIR> d-------- C:\Program Files\VideoLAN
2008-06-26 22:07 . 2008-06-13 12:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-26 22:06 . 2008-05-08 15:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-20 18:46 . 2008-06-20 18:46 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 18:46 . 2008-06-20 18:46 147,968 -----c--- C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 12:51 . 2008-06-20 12:51 361,600 -----c--- C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 12:40 . 2008-06-20 12:40 138,496 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 12:08 . 2008-06-20 12:08 225,856 -----c--- C:\WINDOWS\system32\dllcache\tcpip6.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-04 01:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-28 13:11 --------- d-----w C:\Program Files\Kaspersky Lab
2008-05-28 13:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-28 13:07 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-28 12:29 --------- d-----w C:\Program Files\Apoint2K
2008-05-28 12:28 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-05-28 12:28 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_HpqKbFiltr_01005.Wdf
2008-05-28 12:27 --------- d-----w C:\Program Files\Hewlett-Packard
2008-05-28 12:27 --------- d-----w C:\Documents and Settings\Owner\Application Data\InstallShield
2008-05-28 12:16 --------- d-----w C:\Program Files\Analog Devices
2008-05-28 11:25 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-16 10:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 04:55 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 04:46 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 04:43 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 04:43 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 04:43 299,520 ----a-w C:\WINDOWS\system32\drmclien.dll
2008-04-14 04:43 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 04:41 98,304 ----a-w C:\WINDOWS\system32\actxprxy.dll
2008-04-14 04:40 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 04:40 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 04:40 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 01:30 103,424 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-14 00:00 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 23:57 2,188,928 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 23:15 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 23:05 24,064 ----a-w C:\WINDOWS\system32\pidgen.dll
2008-04-13 23:01 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2008-04-13 23:01 2,065,792 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-13 23:00 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2008-04-13 22:45 76,800 ----a-w C:\WINDOWS\system32\msshavmsg.dll
2008-04-13 22:09 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll
2008-04-13 22:09 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll
2008-04-13 22:09 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2008-04-13 22:07 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2008-04-13 22:07 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2008-04-13 21:58 2,940,928 ----a-w C:\WINDOWS\system32\wmploc.dll
2008-04-13 21:57 79,872 ----a-w C:\WINDOWS\system32\msxml6r.dll
2008-04-13 21:56 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
2008-04-13 21:56 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll
2008-04-13 21:56 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll
2008-04-13 21:54 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll
2008-04-13 21:53 8,192 ----a-w C:\WINDOWS\system32\asferror.dll
2008-04-13 21:53 168,448 ----a-w C:\WINDOWS\system32\wmerror.dll
2008-04-13 21:51 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
2008-04-13 21:39 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2008-04-13 21:33 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
2008-04-13 21:33 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll
2008-04-13 21:18 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll
2008-04-13 21:15 216,064 ----a-w C:\WINDOWS\system32\moricons.dll
2008-04-13 20:53 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll
2008-04-13 20:52 48,128 ----a-w C:\WINDOWS\system32\inetres.dll
2008-04-13 20:09 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\system32\wb9 ----

2008-07-03 20:15 49152 --a------ C:\WINDOWS\system32\wb9\GLLv02.exe


((((((((((((((((((((((((((((( [email protected]_13.55.49.23 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-11 12:52:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-11 16:25:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 05:42 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-02-23 22:26 5537792]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-10 10:36 1232152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 05:42 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-10 10:37]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-10 10:36]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-10 10:36]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-10 10:36]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-11 17:32:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-11 17:33:15
ComboFix-quarantined-files.txt 2008-07-11 16:33:12
ComboFix2.txt 2008-07-11 12:56:13

Pre-Run: 34,502,983,680 bytes free
Post-Run: 34,495,381,504 bytes free

192 --- E O F --- 2008-06-26 21:19:21


HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:34:20, on 11/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4566 bytes


Thanks

Matt
  • 0

#6
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

Navigate to and delete the following folder:

C:\WINDOWS\system32\wb9

Then, go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
  • 0
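The expert above spotted the odd C:\WINDOWS\system32\wb9 folder in the ComboFix "Look" section. The following is an added example, not code from the thread or from HijackThis, that parses the O4 autostart lines of a HijackThis log like the one posted above, extracts the program each Run value launches (handling quoted paths, rundll32 targets and the "(User '...')" suffix), and flags anything running from a subfolder of system32 or outside the Windows and Program Files trees. The sample input is constructed: six lines are copied from the log, and the last "wb9" line is hypothetical, added only to show a hit (the log above contains no such Run entry).

```python
import re
from collections import namedtuple

# Constructed input: lines 1-5 copied from the HijackThis log above,
# line 6 is a hypothetical entry for the wb9 folder (not in the real log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKLM\..\Run: [wb9] C:\WINDOWS\system32\wb9\GLLv02.exe
"""

Entry = namedtuple("Entry", "hive name exe suspicious")

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
USER_RE = re.compile(r"\s+\(User '[^']*'\)$")   # trailing "(User 'SYSTEM')"

# Where autostart binaries are expected on this XP box (lower-case for comparison).
EXACT_DIRS = {"c:\\windows", "c:\\windows\\system32"}
TREE_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\")


def executable_from_command(cmd):
    """Return the program a Run-key command line actually launches."""
    cmd = USER_RE.sub("", cmd.strip())
    if cmd.startswith('"'):                       # "C:\path with spaces\x.exe" args
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"rundll32(?:\.exe)?\s+([^,]+)", cmd, re.I)
    if m:                                         # rundll32 <dll>,<entrypoint>
        return m.group(1).strip()
    m = re.match(r"(.+?\.(?:exe|dll|scr|com))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def is_suspicious(exe):
    """True unless the binary sits directly in Windows/system32 or under Program Files."""
    path = exe.lower()
    parent = path.rsplit("\\", 1)[0] if "\\" in path else ""
    if parent in EXACT_DIRS:
        return False
    return not path.startswith(TREE_PREFIXES)


def parse_o4_lines(text):
    """Parse every O4 line in a HijackThis log into Entry tuples."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = executable_from_command(m.group("cmd"))
            entries.append(Entry(m.group("hive"), m.group("name"), exe, is_suspicious(exe)))
    return entries


if __name__ == "__main__":
    for e in parse_o4_lines(SAMPLE_LOG):
        print("SUSPICIOUS" if e.suspicious else "ok        ", e.hive, e.name, e.exe)
```

Only the constructed wb9 line is reported; every real entry from the log resolves to system32 or Program Files, which matches the expert's "looks clean" verdict.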

#7
Matt Footloose

Matt Footloose

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Hi,

Things seem ok now. I've had no more virus alerts and it's running at normal (or even faster speed!!!).

Is that it now? Are we looking clear??

Another question...

Is there any sort of parental control I can attach to stop him looking at "inappropriate" sites again???
  • 0

#8
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Yes, this looks clean again. :)

Is there any sort of parental control I can attach to stop him looking at "in-appropriate" sites again???

This may be an idea for you: http://miekiemoes.bl...puter-with.html
It even has a Windows Disk Protection feature that you can activate. So in case "bad sites" were visited anyway, after a next reboot, the changes will be undone again.

Also,

Please let the son read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
  • 0

#9
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0