Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

AntiSpyware Master pop ups [RESOLVED]

Started by coldwars , Jul 18 2008 04:11 PM

  • This topic is locked This topic is locked

#31
emeraldnzl
Posted 27 July 2008 - 12:58 PM

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello coldwars,

Things looking up now. :)

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Documents and Settings\joal\My Documents\My Music\iTunes\iTunes Music\Lil Wayne - Tha Carter III Special Edition [2008] [RAP].zip

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. After reboot.

Next

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.

  • Combofix.txt
  • Dr Web Curit report
  • A new HijackThis log
  • and tell me how your computer is running now.

  • 0

Advertisements

#32
coldwars
Posted 27 July 2008 - 09:48 PM

coldwars

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
I ran ComboFix and while it was producing the log there was a message that said "temp07The system cannot find the file specified" however the file is no longer there. Once the log was produced the desktop never appeared so I had to save the log and reboot the computer manually. When I run Dr. Web it says ComboFix.exe and Smitfraud.exe are archives that contains infected objects but I shouldn't remove it right? By the way, should I attach the logs or just copy and paste them?

Edited by coldwars, 27 July 2008 - 09:50 PM.

  • 0

#33
emeraldnzl
Posted 27 July 2008 - 10:51 PM

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Yep, should have mentioned that.

Please return to copy and pasting them into the forum.

The attachment situation was a one off to cover a special situation. On rare occasions the forum software can interfere with things.

Looking forward to hearing from you. :)

Regards
emeraldnzl
  • 0

#34
coldwars
Posted 27 July 2008 - 11:03 PM

coldwars

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
So do I let Dr. Web move ComboFix and Smitfraud?
  • 0

#35
emeraldnzl
Posted 27 July 2008 - 11:57 PM

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Just let it run. If it wants to move them that's Ok.
  • 0

#36
coldwars
Posted 28 July 2008 - 06:55 PM

coldwars

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
ComboFix Log:

ComboFix 08-07-26.1 - joal 2008-07-27 22:29:14.13 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1623 [GMT -4:00]
Running from: C:\Documents and Settings\joal\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\joal\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\joal\My Documents\My Music\iTunes\iTunes Music\Lil Wayne - Tha Carter III Special Edition [2008] [RAP].zip
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\joal\My Documents\My Music\iTunes\iTunes Music\Lil Wayne - Tha Carter III Special Edition [2008] [RAP].zip

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-28 )))))))))))))))))))))))))))))))
.

2008-07-23 19:07 . 2008-01-06 12:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-07-23 19:07 . 2008-07-23 19:07 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-22 01:58 . 2008-07-22 01:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-22 01:58 . 2008-07-22 01:58 <DIR> d-------- C:\Documents and Settings\joal\Application Data\Malwarebytes
2008-07-22 01:58 . 2008-07-22 01:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-22 01:58 . 2008-07-20 20:21 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-22 01:58 . 2008-07-20 20:21 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-21 12:46 . 2008-07-21 12:46 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-07-21 12:46 . 2008-07-21 12:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-20 13:09 . 2008-07-20 13:09 <DIR> d-------- C:\_OTMoveIt
2008-07-19 14:20 . 2008-07-19 14:20 <DIR> d-------- C:\Deckard
2008-07-18 22:45 . 2008-07-19 13:08 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-07-18 20:32 . 2008-07-18 20:32 3,568 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-18 17:57 . 2008-07-19 14:13 <DIR> d-------- C:\VundoFix Backups
2008-07-13 18:56 . 2008-07-16 00:29 <DIR> d-------- C:\Program Files\iTunes
2008-07-13 18:56 . 2008-07-13 18:56 <DIR> d-------- C:\Program Files\iPod
2008-07-13 18:55 . 2008-07-13 18:55 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-05 18:24 . 2008-07-27 00:58 <DIR> d-------- C:\Program Files\Windows Live Safety Center

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-28 02:28 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-28 02:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-25 18:30 --------- d-----w C:\Documents and Settings\joal\Application Data\LimeWire
2008-07-25 04:49 --------- d-----w C:\Documents and Settings\joal\Application Data\IceChat
2008-07-23 07:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-23 03:28 --------- d-----w C:\Program Files\ZillaTube
2008-07-19 04:41 --------- d-----w C:\Program Files\Bonjour
2008-07-18 23:14 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-16 04:29 --------- d-----w C:\Program Files\Last.fm
2008-07-13 15:37 --------- d-----w C:\Program Files\Creative
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-15 03:05 --------- d-----w C:\Program Files\QuickTime
2008-06-14 16:53 --------- d-----w C:\Program Files\Java
2008-06-14 16:52 --------- d-----w C:\Program Files\Common Files\Java
2008-06-14 16:47 --------- d-----w C:\Program Files\Viewpoint
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 22:22 --------- d-----w C:\Documents and Settings\joal\Application Data\U3
2008-06-12 22:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-12 21:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-12 03:26 --------- d-----w C:\Program Files\DivX
2008-06-07 04:39 --------- d-----w C:\Documents and Settings\joal\Application Data\DivX
2008-05-31 02:58 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-31 02:58 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-31 02:58 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-31 02:58 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-31 02:58 --------- d-----w C:\Program Files\Symantec
2008-05-22 22:22 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2008-05-22 22:22 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2008-05-22 22:22 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2008-05-22 22:19 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-11 02:00 70,072 ----a-w C:\Documents and Settings\joal\Application Data\GDIPFONTCACHEV1.DAT
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 16:35 67112]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 11:37 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 02:59 115816]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 02:12 488984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 02:13 774168]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 18:20 339968 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\joal\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2008-01-06 13:24:21 106496]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\IceChat7\\IceChat7.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=


*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
2008-07-25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - s!:C:\Program Files\Apple Software Update\SoftwareUpdate.exe-taskSYSTEM0 []
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-27 22:43:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-27 23:09:33
ComboFix-quarantined-files.txt 2008-07-28 03:08:31
ComboFix2.txt 2008-07-27 02:47:57
ComboFix3.txt 2008-07-23 01:59:19
ComboFix4.txt 2008-07-22 22:59:19
ComboFix5.txt 2008-07-28 02:28:58

Pre-Run: 95,246,520,320 bytes free
Post-Run: 95,245,230,080 bytes free

139 --- E O F --- 2008-07-23 07:23:59


Dr. Web log:


Process.exe;C:\Documents and Settings\joal\Desktop\SmitfraudFix;Tool.Prockill;;
restart.exe;C:\Documents and Settings\joal\Desktop\SmitfraudFix;Tool.ShutDown.11;;
Lil Wayne - Tha Carter III Special Edition [2008] [RAP]/Lil Wayne - Tha Carter III.zip ;C:\QooBox\Quarantine\C\Documents and Settings\joal\My Documents\My Music\iTunes\iTunes Music\Lil Wayne - Tha Carter III Special;Trojan.Virtumod.based.11;;
Lil Wayne - Tha Carter III Special Edition [2008] [RAP]/Lil Wayne - Tha Carter III.zip ;C:\QooBox\Quarantine\C\Documents and Settings\joal\My Documents\My Music\iTunes\iTunes Music\Lil Wayne - Tha Carter III Special;Archive contains infected objects;;
Lil Wayne - Tha Carter III Special Edition [2008] [RAP].zip.vir;C:\QooBox\Quarantine\C\Documents and Settings\joal\My Documents\My Music\iTunes\iTunes Music;Archive contains infected objects;Moved.;
ddcBUkhf.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod.based.21;Deleted.;
ekxkimkh.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod.based.21;Deleted.;
iljpfz.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod.based.21;Deleted.;
ipxiaygs.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod.based.21;Deleted.;
kcetywfo.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod.based.21;Deleted.;
nnnlKaba.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod.based.21;Deleted.;
ppfkprgh.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod.based.21;Deleted.;
uvturksg.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod.based.21;Deleted.;
wcomqwqo.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod.based.21;Deleted.;
A0121230.exe\327882R2FWJFW\FIND3M.bat;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP191\A0121230.exe;Probably SCRIPT.Virus;;
A0121230.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP191\A0121230.exe;Program.PsExec.171;;
A0121230.exe;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP191;Archive contains infected objects;Moved.;
A0127979.dll;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP200;Trojan.Virtumod.based.21;Deleted.;
A0127999.dll;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP200;Trojan.Virtumod.based.21;Deleted.;
A0128070.exe\SmitfraudFix\404Fix.exe;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP201\A0128070.exe;BackDoor.IRC.Chazz.38;;
A0128070.exe\SmitfraudFix\GenericRenosFix.exe;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP201\A0128070.exe;BackDoor.IRC.Chazz.38;;
A0128070.exe\SmitfraudFix\IEDFix.C.exe;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP201\A0128070.exe;BackDoor.IRC.Chazz.38;;
A0128070.exe\SmitfraudFix\IEDFix.exe;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP201\A0128070.exe;BackDoor.IRC.Chazz.38;;
A0128070.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP201\A0128070.exe;Tool.Prockill;;
A0128070.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP201\A0128070.exe;Tool.ShutDown.11;;
A0128070.exe;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP201;Archive contains infected objects;Moved.;
A0128071.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP201\A0128071.exe;Program.PsExec.171;;
A0128071.exe;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP201;Archive contains infected objects;Moved.;
A0128113.dll;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202;Trojan.Virtumod.based.21;Deleted.;
A0128114.dll;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202;Trojan.Virtumod.based.21;Deleted.;
A0128117.dll;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202;Trojan.Virtumod.based.21;Deleted.;
A0128118.dll;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202;Trojan.Virtumod.based.21;Deleted.;
A0128120.dll;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202;Trojan.Virtumod.based.21;Deleted.;
A0128122.dll;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202;Trojan.Virtumod.based.21;Deleted.;
A0128123.dll;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202;Trojan.Virtumod.based.21;Deleted.;
A0128125.dll;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202;Trojan.Virtumod.based.21;Deleted.;
A0128127.dll;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202;Trojan.Virtumod.based.21;Deleted.;
A0129122.EXE;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202;Program.PsExec.170;;
A0129206.EXE;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP204;Program.PsExec.170;;
A0130297.EXE;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP206;Program.PsExec.170;;
A0130385.EXE;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP207;Program.PsExec.170;;
A0130439.EXE;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP208;Program.PsExec.170;;
A0130759.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP212\A0130759.exe;Program.PsExec.171;;
A0130759.exe;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP212;Archive contains infected objects;Moved.;
A0133806.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP218\A0133806.exe;Program.PsExec.171;;
A0133806.exe;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP218;Archive contains infected objects;Moved.;
A0133807.exe\SmitfraudFix\404Fix.exe;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP218\A0133807.exe;BackDoor.IRC.Chazz.38;;
A0133807.exe\SmitfraudFix\GenericRenosFix.exe;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP218\A0133807.exe;BackDoor.IRC.Chazz.38;;
A0133807.exe\SmitfraudFix\IEDFix.C.exe;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP218\A0133807.exe;BackDoor.IRC.Chazz.38;;
A0133807.exe\SmitfraudFix\IEDFix.exe;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP218\A0133807.exe;BackDoor.IRC.Chazz.38;;
A0133807.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP218\A0133807.exe;Tool.Prockill;;
A0133807.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP218\A0133807.exe;Tool.ShutDown.11;;
A0133807.exe;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP218;Archive contains infected objects;Moved.;
A0133808.dll;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP218;Trojan.Virtumod.based.16;Deleted.;
A0133809.dll;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP218;Trojan.Virtumod.based.21;Deleted.;
A0133810.dll;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP218;Trojan.Virtumod.based.21;Deleted.;
A0133811.dll;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP218;Trojan.Virtumod.based.21;Deleted.;
A0133812.exe;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP218;BackDoor.IRC.Chazz.38;Deleted.;
A0133813.exe;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP218;BackDoor.IRC.Chazz.38;Deleted.;
A0133814.exe;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP218;BackDoor.IRC.Chazz.38;Deleted.;
A0133815.exe;C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP218;BackDoor.IRC.Chazz.38;Deleted.;
avkapveq.dll;C:\_OTMoveIt\MovedFiles\07202008_130901\WINDOWS\system32;Trojan.Virtumod.based.21;Deleted.;
qhtrti.dll;C:\_OTMoveIt\MovedFiles\07202008_130901\WINDOWS\system32;Trojan.Virtumod.based.21;Deleted.;
qoMeETLD.dll;C:\_OTMoveIt\MovedFiles\07202008_130901\WINDOWS\system32;Trojan.Virtumod.based.21;Deleted.;
xptjkrur.dll;C:\_OTMoveIt\MovedFiles\07202008_130901\WINDOWS\system32;Trojan.Virtumod.based.21;Deleted.;
xxyxxwWo.dll;C:\_OTMoveIt\MovedFiles\07202008_130901\WINDOWS\system32;Trojan.Virtumod.based.21;Deleted.;


New HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:55:14, on 7/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\joal\Desktop\drweb-cureit.exe
C:\DOCUME~1\joal\LOCALS~1\Temp\RarSFX1\_start.exe
C:\DOCUME~1\joal\LOCALS~1\Temp\RarSFX1\setup.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Documents and Settings\joal\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx...owserPlugin.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7212 bytes
  • 0

#37
emeraldnzl
Posted 29 July 2008 - 11:09 AM

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello coldwars,

Congratulations your machine looks clean to me. :)

One thing I would just mention. You have Limewire on your machine. These P2P shareing programs are a source of malware. It is quite likely that this is how your machine originally got infected.

We have a couple of last steps to perform and then you're all set. :)

  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
Next, we need to clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)1. Turn off System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.

3. Turn ON System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
[/list]System Restore will now be active again.
-------------------------------------------------------------------------------------------------------------------

Now that you are clean here are some things I think are worth having a look at:

-------------------------------------------------------------------------------------------------------------------

Check your Java; quite often people find there edition is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JDK) Update and save it to your desktop or the folder you usually download to.
  • Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop or Download folder.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop or Download folder double-click on the Java exe to install the newest version.

--------------------------------------------------------------------------------------------------------------------

Be sure and give the Temp folders a cleaning out now and then. This helps with security and your computer will run more efficiently. I clean mine once a week. For ease of use, you might consider the following free program which works well with XP:
--------------------------------------------------------------------------------------------------------------------

A great way to check that your Microsoft and Java have the latest updates is to go to Software Inspector at Secunia.

I do this weekly. Not only do they tell you which programs need updating but they give you the link to follow.

To bolster your security go to Secunia.com to ensure essential programs are up to date.

---------------------------------------------------------------------------------------------------------------------

To help protect your computer in the future here are some free programs you can look at:

  • SUPERAntiSpyware Free for Home Users to detect and remove spyware.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

    If your Microsoft Update is not working automatically. Keep your operating system up to date by visiting [list]
  • Microsoft Windows Update
monthly. And to keep your system clean run these free malware scanners
weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!
  • 0

#38
coldwars
Posted 30 July 2008 - 12:33 PM

coldwars

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Thank you so much for your help! :)
  • 0

#39
emeraldnzl
Posted 30 July 2008 - 02:07 PM

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
You are most welcome.

emeraldnzl
  • 0

#40
Rorschach112
Posted 30 July 2008 - 04:13 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0

Advertisements

Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP