
VIRUS! [RESOLVED]



#16
miekiemoes (Malware Expert, MVP)
Just proceed with the rest of my steps. We'll deal with it afterwards.

#17
midtown1 (Topic Starter)
Anyhow, this is what came up in the log.txt...

ComboFix 08-08-04.08 - Twins 2008-08-05 14:01:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.37 [GMT -7:00]
Running from: C:\Documents and Settings\Twins\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
C:\Documents and Settings\Twins\Application Data\DriveCleaner Freeware
C:\Documents and Settings\Twins\Application Data\DriveCleaner Freeware\Logs\update.log
C:\Documents and Settings\Twins\Application Data\FunWebProducts
C:\Documents and Settings\Twins\Application Data\FunWebProducts\Data\Twins\avatar.dat
C:\Documents and Settings\Twins\Application Data\FunWebProducts\Data\Twins\register.dat
C:\Documents and Settings\Twins\Application Data\FunWebProducts\Data\Twins\wffavs.dat
C:\Documents and Settings\Twins\Application Data\FunWebProducts\Data\Twins\zbucks.dat
C:\Documents and Settings\Twins\Application Data\macromedia\Flash Player\#SharedObjects\LJHFRVDB\interclick.com
C:\Documents and Settings\Twins\Application Data\macromedia\Flash Player\#SharedObjects\LJHFRVDB\interclick.com\ud.sol
C:\Documents and Settings\Twins\Application Data\macromedia\Flash Player\#SharedObjects\LJHFRVDB\www.broadcaster.com
C:\Documents and Settings\Twins\Application Data\macromedia\Flash Player\#SharedObjects\LJHFRVDB\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Twins\Application Data\macromedia\Flash Player\#SharedObjects\LJHFRVDB\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Twins\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Twins\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Twins\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Twins\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Twins\Application Data\rhclnej0er69
C:\Documents and Settings\Twins\Desktop\Error Cleaner.url
C:\Documents and Settings\Twins\Desktop\Privacy Protector.url
C:\Documents and Settings\Twins\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Twins\err.log
C:\Documents and Settings\Twins\Favorites\Error Cleaner.url
C:\Documents and Settings\Twins\Favorites\Privacy Protector.url
C:\Documents and Settings\Twins\Favorites\Spyware&Malware Protection.url
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\rhclnej0er69
C:\WINDOWS\edel.exe
C:\WINDOWS\erms.exe
C:\WINDOWS\evgratsm.dll
C:\WINDOWS\installer.exe
C:\WINDOWS\kgxmotapktx.dll
C:\WINDOWS\kgxmotaptbp.dll
C:\WINDOWS\kvxqmtre.dll
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\qndsfmao.dll
C:\WINDOWS\system32\3.tmp
C:\WINDOWS\system32\4.tmp
C:\WINDOWS\system32\5.tmp
C:\WINDOWS\system32\6.tmp
C:\WINDOWS\system32\7.tmp
C:\WINDOWS\system32\8.tmp
C:\WINDOWS\system32\9.tmp
C:\WINDOWS\system32\A.tmp
C:\WINDOWS\system32\actskn43.ocx
C:\WINDOWS\system32\awtsSigE.dll
C:\WINDOWS\system32\B.tmp
C:\WINDOWS\system32\blphcgnej0er69.scr
C:\WINDOWS\system32\C.tmp
C:\WINDOWS\system32\cgrkah.dll
C:\WINDOWS\system32\curqwqyb.ini
C:\WINDOWS\system32\D.tmp
C:\WINDOWS\system32\dlygybge.dll
C:\WINDOWS\system32\E.tmp
C:\WINDOWS\system32\ealomjxx.dll
C:\WINDOWS\system32\efLTwGgh.ini
C:\WINDOWS\system32\efLTwGgh.ini2
C:\WINDOWS\system32\euoatxxc.ini
C:\WINDOWS\system32\F.tmp
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\goktnj.dll
C:\WINDOWS\system32\hgGwTLfe.dll
C:\WINDOWS\system32\hrxfjcyk.dll
C:\WINDOWS\system32\jpsmocpg.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mfoqchbd.ini
C:\WINDOWS\system32\mutacsbv.dll
C:\WINDOWS\system32\nigrny.dll
C:\WINDOWS\system32\nmgyyafj.ini
C:\WINDOWS\system32\obkjtxsb.ini
C:\WINDOWS\system32\olubseqq.dll
C:\WINDOWS\system32\phcgnej0er69.bmp
C:\WINDOWS\system32\pphcgnej0er69.exe
C:\WINDOWS\system32\qlowoo.dll
C:\WINDOWS\system32\stwdmy.dll
C:\WINDOWS\system32\witwaz.dll
C:\WINDOWS\system32\xnmpkvfc.dll
C:\WINDOWS\system32\xxyxYrSL.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService


((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.

2008-08-05 12:30 . 2008-08-05 12:30 <DIR> d-------- C:\Deckard
2008-08-05 00:38 . 2008-08-05 00:38 99,200 --a------ C:\WINDOWS\system32\bsxtjkbo.dll
2008-08-04 00:29 . 2008-08-04 00:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-03 17:07 . 2008-08-03 17:07 130,432 --a------ C:\WINDOWS\system32\swvulq.dll
2008-08-03 17:07 . 2008-08-03 17:07 130,432 --a------ C:\WINDOWS\system32\afpyfpjc.dll
2008-08-03 17:06 . 2008-08-03 17:06 98,688 --a------ C:\WINDOWS\system32\gpcomspj.dll
2008-08-02 15:06 . 2008-08-02 15:06 130,432 --a------ C:\WINDOWS\system32\kbvqfrih.dll
2008-08-02 15:06 . 2008-08-02 15:06 130,432 --a------ C:\WINDOWS\system32\bxvnkv.dll
2008-08-02 15:02 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-08-02 15:02 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-08-02 15:02 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-08-02 15:02 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-07-25 14:44 . 2008-07-25 14:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-25 14:30 . 2008-07-25 14:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-23 20:23 . 2008-07-23 20:23 <DIR> d-------- C:\Documents and Settings\Twins\Application Data\AVGTOOLBAR
2008-07-23 20:22 . 2008-07-23 20:22 <DIR> d-------- C:\Program Files\AVG
2008-07-23 20:22 . 2008-07-23 20:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-23 11:51 . 2008-07-23 11:51 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-21 23:25 . 2008-07-21 23:25 <DIR> d-------- C:\Documents and Settings\Twins\Application Data\Viewpoint
2008-07-21 16:09 . 2008-08-05 13:42 94,208 --a------ C:\WINDOWS\system32\15.tmp
2008-07-21 16:09 . 2008-08-05 13:42 94,208 --a------ C:\WINDOWS\system32\13.tmp
2008-07-21 16:09 . 2008-08-05 13:42 94,208 --a------ C:\WINDOWS\system32\12.tmp
2008-07-21 16:09 . 2008-08-05 13:42 94,208 --a------ C:\WINDOWS\system32\11.tmp
2008-07-21 16:09 . 2008-07-25 14:17 94,208 --a------ C:\WINDOWS\system32\10.tmp
2008-07-21 16:06 . 2008-07-17 21:56 102,400 --a------ C:\WINDOWS\agpqlrfm.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 20:09 --------- d-----w C:\Program Files\Viewpoint
2008-08-05 20:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-05 07:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-25 21:44 --------- d-----w C:\Program Files\Lavasoft
2008-07-21 03:29 --------- d-----w C:\Documents and Settings\Twins\Application Data\LimeWire
2008-07-11 23:23 --------- d-----w C:\Program Files\Broderbund
2008-07-11 23:21 --------- d-----w C:\Program Files\Coupons
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 17:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\IM
2008-06-12 17:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\IncrediMail
2008-05-16 18:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2006-10-30 22:20 461 -c--a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-10 08:38 68856]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-12-17 18:13 3810544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 10:03 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 09:59 126976]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 23:57 30208]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 12:09 49152]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 05:52 380928]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 09:59 124520]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38 241664]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 08:46 172032]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 10:55 49152]
"MP10_EnsureFileVer"="C:\WINDOWS\inf\unregmp2.exe" [2004-08-04 00:56 208896]
"QuickTime Task"="F:\qttask.exe" [2007-04-27 09:41 282624]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"105dddc6"="C:\WINDOWS\system32\bsxtjkbo.dll" [2008-08-05 00:38 99200]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 00:56 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-08-10 08:38:22 125624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2006-10-30 14:53:54 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=bxvnkv.dll swvulq.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\hgGwTLfe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1162349349\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1162349349\\ee\\aim6.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

R0 rllahnvp;rllahnvp;C:\WINDOWS\system32\drivers\aruocjth.dat []
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 14:38]
S3 lgatbus;LG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\lgatbus.sys [2006-05-19 23:00]
S3 lgatmdm;LG CDMA USB Modem Drivers;C:\WINDOWS\system32\DRIVERS\lgatmdm.sys [2006-05-19 23:00]
S3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);C:\WINDOWS\system32\DRIVERS\lgatserd.sys [2006-05-19 23:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38338ccb-072a-11dd-af77-00402b498740}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-07-24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-08-05 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]

2008-07-25 C:\WINDOWS\Tasks\Norton Security Scan.job
- C:\Program Files\Norton Security Scan\Nss.exe [2007-09-19 00:42]

2008-07-18 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job
- C:\Program Files\RegistrySmart\RegistrySmart.exe []

2008-07-18 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job
- C:\Program Files\RegistrySmart [2008-01-06 21:00]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MSMSGS - C:\Program Files\Messenger\msmsgs.exe
HKCU-Run-QuickPhrase - C:\Program Files\TypingMaster\QuickPhrase\quickphrase.exe
HKLM-Run-BDSwitchAgent - C:\progra~1\softwin\bitdef~1\bdswitch.exe
HKLM-Run-BearShare - C:\Program Files\BearShare Applications\BearShare\BearShare.EXE
HKLM-Run-C:\DOCUME~1\Twins\LOCALS~1\Temp\update.exe - C:\DOCUME~1\Twins\LOCALS~1\Temp\update.exe
HKLM-Run-MyWebSearch Plugin - C:\PROGRA~1\MYWEBS~1\bar\29.bin\M3PLUGIN.DLL
HKLM-Run-lphcgnej0er69 - C:\WINDOWS\system32\lphcgnej0er69.exe
HKLM-Run-SMrhclnej0er69 - C:\Program Files\rhclnej0er69\rhclnej0er69.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Twins\Application Data\Mozilla\Firefox\Profiles\ufftc3hc.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - C:\Documents and Settings\Twins\Application Data\Mozilla\Firefox\Profiles\ufftc3hc.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npOberonGameHost.dll
FF -: plugin - C:\PROGRA~1\Yahoo!\common\npyaxmpb.dll
FF -: plugin - C:\Program Files\Google\Google Updater\2.2.1111.1511\npCIDetect11.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 14:36:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\obkjtxsb.ini 1382137 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\\DOCUME~1\\Twins\\LOCALS~1\\Temp\\update.exe"="C:\\DOCUME~1\\Twins\\LOCALS~1\\Temp\\update.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rllahnvp]
"ImagePath"="system32\drivers\aruocjth.dat"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\bsxtjkbo.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\AOL\1162349349\ee\aolsoftware.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-08-05 2:50:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-05 09:50:02

Pre-Run: 3,953,590,272 bytes free
Post-Run: 3,872,407,552 bytes free

272 --- E O F --- 2008-07-09 10:06:09

#18
miekiemoes (Malware Expert, MVP)
Hi,

I asked you to uninstall Viewpoint Manager previously. Not sure if you have done this. Also uninstall Viewpoint Media Player. Then reboot.

Then, the first step required before you run Combofix is to install the Recovery Console.
Read here how to do this with Combofix:

http://www.bleepingc...to-use-combofix

The reason why Recovery Console is recommended is because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged. Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

After you have installed the Recovery Console..

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\bsxtjkbo.dll
C:\WINDOWS\system32\obkjtxsb.ini
C:\WINDOWS\system32\drivers\aruocjth.dat
C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job
C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job
C:\WINDOWS\system32\bsxtjkbo.dll
C:\WINDOWS\system32\swvulq.dll
C:\WINDOWS\system32\afpyfpjc.dll
C:\WINDOWS\system32\gpcomspj.dll
C:\WINDOWS\system32\kbvqfrih.dll
C:\WINDOWS\system32\bxvnkv.dll
C:\WINDOWS\system32\15.tmp
C:\WINDOWS\system32\13.tmp
C:\WINDOWS\system32\12.tmp
C:\WINDOWS\system32\11.tmp
C:\WINDOWS\system32\10.tmp
C:\WINDOWS\agpqlrfm.exe
Driver::
rllahnvp
Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\\DOCUME~1\\Twins\\LOCALS~1\\Temp\\update.exe"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"105dddc6"=-
"AlcxMonitor"=-


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply

Edited by miekiemoes, 05 August 2008 - 04:22 PM.
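
A cross-check a log reader can make before writing a script like the one above: which autostart entries point at files listed under "Files Created", or differ from the values the script restores (empty AppInit_DLLs, msv1_0 only under Lsa). This is an added example, not part of the original posts or of ComboFix; the function names, regexes and the ".sys" heuristic are assumptions, and the sample lines are excerpted from the log in post #17.

```python
import re
from ntpath import basename, splitext

# Lines excerpted from the ComboFix log in post #17 (not the full log).
SAMPLE_LOG = r'''
((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.
2008-08-05 00:38 . 2008-08-05 00:38 99,200 --a------ C:\WINDOWS\system32\bsxtjkbo.dll
2008-08-04 00:29 . 2008-08-04 00:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-03 17:07 . 2008-08-03 17:07 130,432 --a------ C:\WINDOWS\system32\swvulq.dll
2008-08-03 17:07 . 2008-08-03 17:07 130,432 --a------ C:\WINDOWS\system32\afpyfpjc.dll
2008-08-02 15:06 . 2008-08-02 15:06 130,432 --a------ C:\WINDOWS\system32\bxvnkv.dll
2008-08-02 15:02 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 10:03 155648]
"105dddc6"="C:\WINDOWS\system32\bsxtjkbo.dll" [2008-08-05 00:38 99200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=bxvnkv.dll swvulq.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\hgGwTLfe

R0 rllahnvp;rllahnvp;C:\WINDOWS\system32\drivers\aruocjth.dat []
S3 lgatbus;LG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\lgatbus.sys [2006-05-19 23:00]
'''

# "created . modified size attributes path" rows of the Files Created section
CREATED_RE = re.compile(
    r'^(\d{4}-\d\d-\d\d) \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d '
    r'([\d,]+|<DIR>) \S+ (.+)$', re.M)
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"')                      # "name"="path"
DRIVER_RE = re.compile(r'^([RS]\d) [^;]+;[^;]+;(.+?) \[[^\]]*\]$')  # R0 name;display;image []


def created_files(log):
    """Return {lowercase file name: creation date} for files (not directories)."""
    out = {}
    for m in CREATED_RE.finditer(log):
        date, size, path = m.groups()
        if size != '<DIR>':
            out[basename(path).lower()] = date
    return out


def load_points(log):
    """Yield (kind, target) for the autostart locations this example covers."""
    section = ''
    for line in log.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].lower()          # current registry key
        elif section.endswith(r'\currentversion\run') and RUN_RE.match(line):
            yield 'Run', RUN_RE.match(line).group(2)
        elif line.lower().startswith('"appinit_dlls"='):
            for name in line.split('=', 1)[1].replace('"', ' ').split():
                yield 'AppInit_DLLs', name
        elif line.startswith('Authentication Packages'):
            for pkg in line.partition('REG_MULTI_SZ')[2].split():
                if pkg.lower() != 'msv1_0':       # msv1_0 is the value the CFScript restores
                    yield 'LSA package', pkg
        elif DRIVER_RE.match(line):
            m = DRIVER_RE.match(line)
            yield 'Driver ' + m.group(1), m.group(2)


def triage(log):
    """Return sorted (kind, target, reason) tuples that deserve a closer look."""
    recent = created_files(log)
    findings = []
    for kind, target in load_points(log):
        name = basename(target).lower()
        if name in recent:
            findings.append((kind, target, 'created ' + recent[name]))
        elif kind in ('AppInit_DLLs', 'LSA package'):
            findings.append((kind, target, 'non-default value'))
        elif kind.startswith('Driver') and splitext(name)[1] != '.sys':
            # Heuristic (assumption): a driver image that is not a .sys file
            findings.append((kind, target, 'driver image is not a .sys file'))
    return sorted(findings)


if __name__ == '__main__':
    for kind, target, reason in triage(SAMPLE_LOG):
        print(f'{kind:14} {target}  ({reason})')
```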


#19
midtown1 (Topic Starter)
OK, but I'm going to paste a log.txt that came up after I rebooted the comp...

ComboFix 08-08-04.08 - Twins 2008-08-05 15:44:56.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.109 [GMT -7:00]
Running from: C:\Documents and Settings\Twins\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Twins\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\obkjtxsb.ini

.
((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.

2008-08-05 12:30 . 2008-08-05 12:30 <DIR> d-------- C:\Deckard
2008-08-05 00:38 . 2008-08-05 00:38 99,200 --a------ C:\WINDOWS\system32\bsxtjkbo.dll
2008-08-04 00:29 . 2008-08-04 00:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-03 17:07 . 2008-08-03 17:07 130,432 --a------ C:\WINDOWS\system32\swvulq.dll
2008-08-03 17:07 . 2008-08-03 17:07 130,432 --a------ C:\WINDOWS\system32\afpyfpjc.dll
2008-08-03 17:06 . 2008-08-03 17:06 98,688 --a------ C:\WINDOWS\system32\gpcomspj.dll
2008-08-02 15:06 . 2008-08-02 15:06 130,432 --a------ C:\WINDOWS\system32\kbvqfrih.dll
2008-08-02 15:06 . 2008-08-02 15:06 130,432 --a------ C:\WINDOWS\system32\bxvnkv.dll
2008-08-02 15:02 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-08-02 15:02 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-08-02 15:02 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-08-02 15:02 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-07-25 14:44 . 2008-07-25 14:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-25 14:30 . 2008-07-25 14:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-23 20:23 . 2008-07-23 20:23 <DIR> d-------- C:\Documents and Settings\Twins\Application Data\AVGTOOLBAR
2008-07-23 20:22 . 2008-07-23 20:22 <DIR> d-------- C:\Program Files\AVG
2008-07-23 20:22 . 2008-07-23 20:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-23 11:51 . 2008-07-23 11:51 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-21 16:09 . 2008-08-05 13:42 94,208 --a------ C:\WINDOWS\system32\15.tmp
2008-07-21 16:09 . 2008-08-05 13:42 94,208 --a------ C:\WINDOWS\system32\13.tmp
2008-07-21 16:09 . 2008-08-05 13:42 94,208 --a------ C:\WINDOWS\system32\12.tmp
2008-07-21 16:09 . 2008-08-05 13:42 94,208 --a------ C:\WINDOWS\system32\11.tmp
2008-07-21 16:09 . 2008-07-25 14:17 94,208 --a------ C:\WINDOWS\system32\10.tmp
2008-07-21 16:06 . 2008-07-17 21:56 102,400 --a------ C:\WINDOWS\agpqlrfm.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 22:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-05 07:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-25 21:44 --------- d-----w C:\Program Files\Lavasoft
2008-07-21 03:29 --------- d-----w C:\Documents and Settings\Twins\Application Data\LimeWire
2008-07-11 23:23 --------- d-----w C:\Program Files\Broderbund
2008-07-11 23:21 --------- d-----w C:\Program Files\Coupons
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 17:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\IM
2008-06-12 17:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\IncrediMail
2008-05-16 18:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2006-10-30 22:20 461 -c--a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-10 08:38 68856]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-12-17 18:13 3810544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 10:03 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 09:59 126976]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 23:57 30208]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 12:09 49152]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 05:52 380928]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 09:59 124520]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38 241664]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 08:46 172032]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 10:55 49152]
"MP10_EnsureFileVer"="C:\WINDOWS\inf\unregmp2.exe" [2004-08-04 00:56 208896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"105dddc6"="C:\WINDOWS\system32\bsxtjkbo.dll" [2008-08-05 00:38 99200]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 00:56 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-08-10 08:38:22 125624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2006-10-30 14:53:54 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=bxvnkv.dll swvulq.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1162349349\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1162349349\\ee\\aim6.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

R0 rllahnvp;rllahnvp;C:\WINDOWS\system32\drivers\aruocjth.dat []
S3 lgatbus;LG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\lgatbus.sys [2006-05-19 23:00]
S3 lgatmdm;LG CDMA USB Modem Drivers;C:\WINDOWS\system32\DRIVERS\lgatmdm.sys [2006-05-19 23:00]
S3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);C:\WINDOWS\system32\DRIVERS\lgatserd.sys [2006-05-19 23:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38338ccb-072a-11dd-af77-00402b498740}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-07-24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-08-05 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]

2008-07-25 C:\WINDOWS\Tasks\Norton Security Scan.job
- C:\Program Files\Norton Security Scan\Nss.exe [2007-09-19 00:42]

2008-07-18 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job
- C:\Program Files\RegistrySmart\RegistrySmart.exe []

2008-07-18 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job
- C:\Program Files\RegistrySmart [2008-01-06 21:00]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-QuickTime Task - F:\qttask.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Twins\Application Data\Mozilla\Firefox\Profiles\ufftc3hc.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - C:\Documents and Settings\Twins\Application Data\Mozilla\Firefox\Profiles\ufftc3hc.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npOberonGameHost.dll
FF -: plugin - C:\PROGRA~1\Yahoo!\common\npyaxmpb.dll
FF -: plugin - C:\Program Files\Google\Google Updater\2.2.1111.1511\npCIDetect11.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 15:53:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\obkjtxsb.ini 1381975 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rllahnvp]
"ImagePath"="system32\drivers\aruocjth.dat"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\bsxtjkbo.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Common Files\AOL\1162349349\ee\aolsoftware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-08-05 16:05:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-05 23:04:25
ComboFix2.txt 2008-08-05 09:50:56

Pre-Run: 3,889,352,704 bytes free
Post-Run: 3,860,078,592 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

173 --- E O F --- 2008-07-09 10:06:09

#20
midtown1 (Topic Starter)
OK, and this is what came up after I dragged the CFScript into ComboFix...

ComboFix 08-08-04.08 - Twins 2008-08-05 16:15:17.3 - NTFSx86
Running from: C:\Documents and Settings\Twins\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Twins\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\agpqlrfm.exe
C:\WINDOWS\system32\10.tmp
C:\WINDOWS\system32\11.tmp
C:\WINDOWS\system32\12.tmp
C:\WINDOWS\system32\13.tmp
C:\WINDOWS\system32\15.tmp
C:\WINDOWS\system32\afpyfpjc.dll
C:\WINDOWS\system32\bsxtjkbo.dll
C:\WINDOWS\system32\bxvnkv.dll
C:\WINDOWS\system32\drivers\aruocjth.dat
C:\WINDOWS\system32\gpcomspj.dll
C:\WINDOWS\system32\kbvqfrih.dll
C:\WINDOWS\system32\obkjtxsb.ini
C:\WINDOWS\system32\swvulq.dll
C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\agpqlrfm.exe
C:\WINDOWS\system32\10.tmp
C:\WINDOWS\system32\11.tmp
C:\WINDOWS\system32\12.tmp
C:\WINDOWS\system32\13.tmp
C:\WINDOWS\system32\15.tmp
C:\WINDOWS\system32\afpyfpjc.dll
C:\WINDOWS\system32\bsxtjkbo.dll
C:\WINDOWS\system32\bxvnkv.dll
C:\WINDOWS\system32\drivers\aruocjth.dat
C:\WINDOWS\system32\gpcomspj.dll
C:\WINDOWS\system32\kbvqfrih.dll
C:\WINDOWS\system32\obkjtxsb.ini
C:\WINDOWS\system32\swvulq.dll
C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RLLAHNVP
-------\Service_rllahnvp


((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.

2008-08-05 12:30 . 2008-08-05 12:30 <DIR> d-------- C:\Deckard
2008-08-04 00:29 . 2008-08-04 00:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-02 15:02 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-08-02 15:02 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-08-02 15:02 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-08-02 15:02 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-07-25 14:44 . 2008-07-25 14:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-25 14:30 . 2008-07-25 14:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-23 20:23 . 2008-07-23 20:23 <DIR> d-------- C:\Documents and Settings\Twins\Application Data\AVGTOOLBAR
2008-07-23 20:22 . 2008-07-23 20:22 <DIR> d-------- C:\Program Files\AVG
2008-07-23 20:22 . 2008-07-23 20:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-23 11:51 . 2008-07-23 11:51 <DIR> d-------- C:\Documents and Settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 22:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-05 07:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-25 21:44 --------- d-----w C:\Program Files\Lavasoft
2008-07-21 03:29 --------- d-----w C:\Documents and Settings\Twins\Application Data\LimeWire
2008-07-11 23:23 --------- d-----w C:\Program Files\Broderbund
2008-07-11 23:21 --------- d-----w C:\Program Files\Coupons
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 17:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\IM
2008-06-12 17:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\IncrediMail
2006-10-30 22:20 461 -c--a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-10 08:38 68856]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-12-17 18:13 3810544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 10:03 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 09:59 126976]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 23:57 30208]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 12:09 49152]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 05:52 380928]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 09:59 124520]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38 241664]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 08:46 172032]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 10:55 49152]
"MP10_EnsureFileVer"="C:\WINDOWS\inf\unregmp2.exe" [2004-08-04 00:56 208896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 00:56 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-08-10 08:38:22 125624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2006-10-30 14:53:54 217088]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1162349349\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1162349349\\ee\\aim6.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

S3 lgatbus;LG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\lgatbus.sys [2006-05-19 23:00]
S3 lgatmdm;LG CDMA USB Modem Drivers;C:\WINDOWS\system32\DRIVERS\lgatmdm.sys [2006-05-19 23:00]
S3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);C:\WINDOWS\system32\DRIVERS\lgatserd.sys [2006-05-19 23:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38338ccb-072a-11dd-af77-00402b498740}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-07-24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-08-05 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]

2008-07-25 C:\WINDOWS\Tasks\Norton Security Scan.job
- C:\Program Files\Norton Security Scan\Nss.exe [2007-09-19 00:42]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 16:24:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Common Files\AOL\1162349349\ee\aolsoftware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-08-05 16:36:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-05 23:35:45
ComboFix2.txt 2008-08-05 23:05:13
ComboFix3.txt 2008-08-05 09:50:56

Pre-Run: 3,856,547,840 bytes free
Post-Run: 3,818,598,400 bytes free

153 --- E O F --- 2008-07-09 10:06:09

#21
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Hi,

This looks OK again! :)

Now the most important part.... INSTALL an Antivirus!!!
Normally I should have asked you at the beginning of this thread, because I am sure that, if you had installed an Antivirus previously, you wouldn't need to post your log here, since the Antivirus may already have prevented the infection, or cleaned it.
But the reason I didn't ask at the beginning of this thread is because your system was already CRIPPLED with malware, causing a huge system slowdown since you only have 256MB of ram (which is WAY TOO low) and installing an Antivirus at that time would really crawl your system and it would almost be impossible to run the scan anyway, because of the malware eating all your CPU already.

Not sure why you never installed an Antivirus before though... This is irresponsible.
You may want to read this as well: http://miekiemoes.bl...use-i-have.html

That's why....

* Please install Avira Antivirus: http://www.free-av.com/

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There doubleclick the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply.

You'll be amazed how much it will find in the C:\Qoobox\quarantine folder (which is the Combofix quarantine folder). This is to make you aware of the fact that an Antivirus is really able to block the infection and clean it in the first place.

#22
midtown1

    Member

  • Topic Starter
  • Member
  • 20 posts
ok quick question..every time I turn on my comp. or reboot it, it says something like..."Diskette drive A error, Press <F1> to setup, <F2> to resume."

Then when i press F2, another black screen comes on stating, "SMART Failure Predicted on Hard Disk 1: SAMSUNG SV8004H- (PS), Warning: Immediately back-up your data and replace your hard disk drive. A failure may be imminent. Press F1 to continue"

Any suggestions?

Edited by midtown1, 06 August 2008 - 04:02 PM.


#23
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
I assume you're still able to boot?
Anyway, that's a hardware issue and for that, it's better that you post your question in the hardware part of this forum since I'm not really into hardware and won't be the ideal person to help you with that.

Can you proceed with my other instructions and post the Avira log?

#24
midtown1

    Member

  • Topic Starter
  • Member
  • 20 posts
yea it was doing the scan...when a virus thing came up...i press delete right?

Then when the scan got to 99.8% complete...it rebooted my comp automatically, then i opened the antivirus again and went to reports, and it only has the report for the upgrade :)

#25
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Sidenote, since you're having the above error all the time, I suggest you indeed back up all important data anyway, because it doesn't sound healthy what's happening here. Also, I assume this is an older computer (since you have only 256MB of ram)... so it's not so uncommon that it is slowly dying though :)

#26
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP

> yea it was doing the scan...when a virus thing came up...i press delete right?
>
> Then when the scan got to 99.8% complete...it rebooted my comp automatically, then i opened the antivirus again and went to reports, and it only has the report for the upgrade

No report for scans there?

Anyway, it's already a good thing that you have installed an Antivirus after all. Don't uninstall it again!
And yes, when it finds something, you should select "delete".

Since we don't need Combofix anymore:

* Go to start > run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#27
midtown1

    Member

  • Topic Starter
  • Member
  • 20 posts
ok thanks a lot!!! I appreciate your time...
I might be buying a new comp...any suggestions for a good one nowadays?

#28
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Well, this all depends on what exactly you need it for though. If it's mainly to surf, play games, develop things etc etc..
So the best way for you is to search on google to find out since this is different from person to person.
Personally, I always liked IBM Personal Computers, but they are quite expensive (but worth the money) :-)

#29
midtown1

    Member

  • Topic Starter
  • Member
  • 20 posts
Ok so after i pasted the combofix thing on the run program...
Should combofix and the other programs still be on my desktop?

Edited by midtown1, 06 August 2008 - 04:37 PM.


#30
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Did you hit enter afterwards?

Anyway, if it's still there, just delete the Combofix.exe icon and delete the C:\Qoobox folder.