VIRUS ALERT! by clock BAT/fake.PrivDANGER [RESOLVED]
Started by Greed, Aug 05 2008 08:03 PM
#1
Posted 05 August 2008 - 08:03 PM
Thanks!
#2
Posted 06 August 2008 - 03:52 AM
Hi there
If possible just run the tools I ask you to for now as it can make this pretty confusing otherwise.
Please go here to install the recovery console and for a guide on using combofix.
Please note: Installing the Recovery Console plays a vital part in making this process of cleaning your computer safe, don't overlook this!
Now please download combofix from here or here. It is important that you save this file to your desktop.
Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a Hijack This log in your next reply.
A quick heads up, if you click on combofix's window when it's running, you may cause it to stall.
#3
Posted 06 August 2008 - 07:39 AM
I appreciate the help, the problem is that I do not have my Windows XP CD at the moment. So it might have to wait until later tonight after work to either find/borrow an XP CD to get the console. Once that is done I will follow the rest of the steps so we can get this corrected.
#4
Posted 06 August 2008 - 09:53 AM
Hi there, in the guide there is a way to install it through ComboFix,
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System
Download the file & save it as it's originally named, next to ComboFix.exe.
Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Drag the setup package onto ComboFix.exe and drop it.
- Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
- At the next prompt, click 'Yes' to run the full ComboFix scan.
- When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
#5
Posted 06 August 2008 - 10:03 PM
Hey! I got home and dug out my Windows CD and it says that the version of Windows on my PC is newer than my CD and will not let me install the Recovery Console. x.x What do I do?
#6
Posted 06 August 2008 - 10:09 PM
Ok sorry, forgot to refresh! Got your instructions Mike, installing the console and then running ComboFix and HijackThis. Logs pending.
#7
Posted 06 August 2008 - 10:48 PM
Ok, here is the ComboFix log
ComboFix 08-08-06.02 - Greed 2008-08-06 22:19:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.590 [GMT -6:00]
Running from: C:\Documents and Settings\Greed\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Greed\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Greed\Application Data\macromedia\Flash Player\#SharedObjects\RA6FDPVW\interclick.com
C:\Documents and Settings\Greed\Application Data\macromedia\Flash Player\#SharedObjects\RA6FDPVW\interclick.com\ud.sol
C:\Documents and Settings\Greed\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Greed\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Greed\Desktop\Error Cleaner.url
C:\Documents and Settings\Greed\Desktop\Privacy Protector.url
C:\Documents and Settings\Greed\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Greed\Favorites\Error Cleaner.url
C:\Documents and Settings\Greed\Favorites\Privacy Protector.url
C:\Documents and Settings\Greed\Favorites\Spyware&Malware Protection.url
C:\WINDOWS\bgrqfetx.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\eefq.exe
C:\WINDOWS\system32\cxumqcjp.dll
C:\WINDOWS\system32\cxwwfy.dll
C:\WINDOWS\system32\jkkhfCsT.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\spphetvk.dll
C:\WINDOWS\system32\ugnzhx.dll
C:\WINDOWS\system32\UwGiRqss.ini
C:\WINDOWS\system32\UwGiRqss.ini2
C:\WINDOWS\system32\xaftmdjy.ini
C:\WINDOWS\tfnslopk.dll
C:\WINDOWS\wnlmdakqpmr.dll
C:\WINDOWS\xokvrpwg.dll
----- BITS: Possible infected sites -----
http://ccp.vo.llnwd.net
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_IPRIP
-------\Service_Iprip
((((((((((((((((((((((((( Files Created from 2008-07-07 to 2008-08-07 )))))))))))))))))))))))))))))))
.
2008-08-05 15:32 . 2008-08-05 15:32 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-05 15:32 . 2008-08-05 15:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-05 15:14 . 2008-08-05 15:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-05 15:00 . 2008-08-06 22:38 36 --a------ C:\WINDOWS\system32\drivers\Ids_cfg.dat
2008-08-05 12:24 . 2008-08-05 12:24 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-05 11:36 . 2008-08-05 11:36 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-08-05 00:55 . 2008-08-05 00:55 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM
2008-08-04 22:29 . 2008-08-04 22:28 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-04 22:22 . 2008-08-04 22:22 99,200 --a------ C:\WINDOWS\system32\yjdmtfax.VIR000
2008-08-04 08:34 . 2008-08-04 08:34 323,328 --a------ C:\WINDOWS\system32\ssqRiGwU.VIR000
2008-08-04 08:28 . 2008-08-04 05:01 86,016 --a------ C:\WINDOWS\lnvegaow.exe
2008-08-04 08:28 . 2008-08-04 08:28 34,176 --a------ C:\WINDOWS\system32\khfGyVmN.VIR
2008-08-02 14:37 . 2008-08-02 14:37 <DIR> d-------- C:\Program Files\Sierra
2008-08-01 12:47 . 2008-08-01 12:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-01 12:47 . 2008-08-01 12:47 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-22 16:10 . 2008-07-22 16:10 <DIR> d-------- C:\WINDOWS\San Andreas Mod Installer
2008-07-21 22:37 . 2008-07-21 22:38 <DIR> d-------- C:\vcs5core
2008-07-21 22:37 . 2008-07-21 22:37 <DIR> d-------- C:\vcs5BGEffects
2008-07-21 22:37 . 2008-07-21 22:37 <DIR> d-------- C:\AV_LOGS
2008-07-21 17:12 . 2008-07-21 17:12 <DIR> d-------- C:\Program Files\Rockstar Games
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-07 04:36 214,208 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k
2008-08-07 00:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2008-08-06 14:25 --------- d-----w C:\Program Files\Steam
2008-08-06 02:12 1,004,032 ----a-w C:\WINDOWS\system32\AutoPartNt.exe
2008-08-05 21:31 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-05 21:13 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-02 20:45 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-08-02 20:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-14 02:59 --------- d-----w C:\Program Files\EA GAMES
2008-06-21 06:08 --------- d-----w C:\Documents and Settings\Greed\Application Data\EVEMon
2008-06-21 04:50 --------- d-----w C:\Program Files\EVEMon
2008-06-17 18:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\CCP
2008-06-17 17:51 --------- d-----w C:\Program Files\CCP
2008-05-16 17:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-11-04 01:54 354 -c--a-w C:\Program Files\INSTALL.LOG
2007-01-07 05:30 1 -c--a-w C:\Documents and Settings\Greed\SI.bin
2003-12-18 18:33 20,102 -c--a-w C:\Program Files\Readme.txt
2003-09-03 14:46 10,960 -c--a-w C:\Program Files\EULA.txt
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AMonitor"="C:\Program Files\Tiny Firewall Pro\amon.exe" [2005-08-11 12:12 561152]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Steam"="c:\program files\steam\steam.exe" [2008-04-02 21:07 1271032]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 08:16 171464]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LinksysDiag"="C:\Program Files\Linksys\LinksysDiag\LinksysDiag" [X]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-09-29 19:12 976085]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-09-29 19:12 118784]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 18:25 266497]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 14:43 7630848]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 14:43 86016]
"CTHelper"="CTHELPER.EXE" [2005-12-08 13:06 16384 C:\WINDOWS\CTHELPER.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-03-28 18:38 94208 C:\WINDOWS\KHALMNPR.Exe]
"nwiz"="nwiz.exe" [2006-08-11 14:43 1519616 C:\WINDOWS\system32\nwiz.exe]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-03-13 23:33:14 573440]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2005-07-12 00:26 73728 C:\WINDOWS\system32\UmxWNP.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=UmxSbxExw.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-09-18 08:16 171464 C:\Program Files\DAEMON Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-04-02 21:07 1271032 C:\Program Files\Steam\steam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TinyFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Steam\\SteamApps\\demoniccalhoon\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 KmxNdis;KmxNdis;C:\WINDOWS\system32\DRIVERS\kmxndis.sys [2005-08-16 12:42]
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2005-07-11 19:39]
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2005-07-12 00:20]
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2005-08-16 12:42]
R1 KmxIds;KmxIds;C:\WINDOWS\system32\DRIVERS\kmxids.sys [2005-08-11 15:31]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2006-09-04 23:02]
R2 KmxBiG;KmxBiG;C:\WINDOWS\system32\DRIVERS\KmxBiG.sys [2005-07-12 00:21]
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2005-08-23 23:50]
R2 LANPkt;Linksys LANPkt Protocol Driver;C:\WINDOWS\system32\DRIVERS\LANPkt.sys [2004-03-09 17:50]
R2 UmxAgent;FW Event Manager;C:\Program Files\Tiny Firewall Pro\UmxAgent.exe [2005-08-22 10:51]
R2 UmxCfg;FW Configuration Interpreter;C:\Program Files\Common Files\PFShared\UmxCfg.exe [2005-07-12 17:57]
R2 UmxLU;FW Live Update;C:\Program Files\Common Files\PFShared\umxlu.exe [2005-03-09 18:02]
R2 UmxPol;FW Policy Manager;C:\Program Files\Common Files\PFShared\UmxPol.exe [2005-07-12 01:21]
R3 Diag69xp;Diag69xp;C:\WINDOWS\system32\Drivers\Diag69xp.sys [2004-05-24 18:16]
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2005-08-23 13:41]
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-08-29 00:54]
S3 oflpydin;oflpydin;C:\DOCUME~1\Greed\LOCALS~1\Temp\oflpydin.sys []
S3 RTLVLANXP;Linksys VLAN Intermediate Driver;C:\WINDOWS\system32\DRIVERS\RTLVLANXP.SYS [2005-01-26 23:06]
.
- - - - ORPHANS REMOVED - - - -
BHO-{1A4BA860-573E-4059-8337-6A34AC65C535} - C:\WINDOWS\system32\khfGyVmN.dll
BHO-{656ED517-5D0F-42D1-87C0-4E750E96F364} - C:\WINDOWS\system32\ssqRiGwU.dll
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKLM-Run-9cbfc396 - C:\WINDOWS\system32\yjdmtfax.dll
ShellExecuteHooks-{1A4BA860-573E-4059-8337-6A34AC65C535} - C:\WINDOWS\system32\khfGyVmN.dll
Notify-khfGyVmN - khfGyVmN.dll
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Greed\Application Data\Mozilla\Firefox\Profiles\87k7akdk.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 22:39:41
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Tiny Firewall Pro\UmxFwHlp.exe
C:\Program Files\Tiny Firewall Pro\UmxTray.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Linksys\LinksysDiag\LinksysDiag.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-08-06 22:47:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-07 04:47:28
Pre-Run: 16,820,396,032 bytes free
Post-Run: 16,816,984,064 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
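Editor's added example, not ComboFix's own code and not the helper's tooling: a small triage pass over a ComboFix log of the kind posted above. Reading these logs by hand means scanning the "Reg Loading Points" and driver sections for the same handful of red flags every time, so the script encodes them as rules: a kernel driver (R*/S* line) whose path sits under a user profile or Temp folder, a driver line with an empty `[]` timestamp (ComboFix could not stat the file), a non-empty `AppInit_DLLs` value, Explorer restriction policies switched on, and `EnableFirewall=0` in the standard profile. The sample input is a constructed excerpt of lines copied from the log above, and the rules and severities are this example's own heuristics, not an official checklist. Note the AppInit hit is a prompt to verify rather than a verdict: in this log the DLL name carries the same Umx/Kmx prefix as the Tiny Firewall components listed throughout, so it is most likely that product's own injection hook.

```python
"""Triage a ComboFix log for autorun and driver entries that deserve a second look.

Added example: not ComboFix's code nor the forum helper's tooling. The rules
(user-writable driver paths, missing driver timestamps, non-empty AppInit_DLLs,
Explorer lockdown policies, disabled firewall profile) are this example's own
heuristics.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (severity, message)

# Constructed excerpt: lines copied from the log posted above, enough to
# exercise every rule. A real run would read C:\ComboFix.txt instead.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=UmxSbxExw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2005-08-16 12:42]
S3 oflpydin;oflpydin;C:\DOCUME~1\Greed\LOCALS~1\Temp\oflpydin.sys []
"""

# ComboFix driver/service line: "<start type> <name>;<display name>;<path> [<timestamp>]"
DRIVER_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]\s*$")
# REGEDIT4-style value line: "<name>"=<data>
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
KEY_RE = re.compile(r"^\[(.+)\]$")

# Path fragments meaning a kernel driver loads from a user-writable location.
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\", "\\docume~1\\")
# Explorer restriction policies; unusual on a home PC that is not domain-managed.
LOCKDOWN_POLICIES = {"NoSMHelp", "NoFavoritesMenu", "NoRecentDocsNetHood"}


def triage(log: str) -> List[Finding]:
    """Walk the log line by line and return (severity, message) findings."""
    findings: List[Finding] = []
    key = ""  # registry key that the following value lines belong to
    for raw in log.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue

        m = DRIVER_RE.match(line)
        if m:
            start, name, _display, path, stamp = m.groups()
            if any(tok in path.lower() for tok in USER_WRITABLE):
                findings.append(("high", f"driver {name} ({start}) loads from a user-writable path: {path}"))
            if stamp == "":
                # ComboFix prints [] when it could not stat the file (deleted, hidden or unreadable)
                findings.append(("medium", f"driver {name} has no file timestamp; file missing or unreadable: {path}"))
            continue

        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2).strip()
        if name.lower() == "appinit_dlls" and data:
            # Every process that loads user32.dll also loads these DLLs: a classic injection point
            findings.append(("medium", f"AppInit_DLLs is set to {data}; verify the vendor"))
        elif key.endswith("policies\\explorer") and name in LOCKDOWN_POLICIES and data.startswith("1"):
            findings.append(("low", f"Explorer lockdown policy {name}=1 under {key}"))
        elif key.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall" and data.startswith("0"):
            findings.append(("high", "Windows Firewall standard profile is disabled (EnableFirewall=0)"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {message}")
```

Run against the excerpt it reports six findings, and the two rated high are the ones a helper would act on first: the `oflpydin.sys` driver registered from the user's Temp folder (which ComboFix could not even stat), and the Windows Firewall profile being off. Replace `SAMPLE_LOG` with the contents of `C:\ComboFix.txt` to run it over a full log; the section headers and boot.ini dump at the end are simply skipped because no rule matches them.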
#8
Posted 06 August 2008 - 10:49 PM
And here is HijackThis. Thanks for the help Mike! What else do you need me to do?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:49, on 8/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\PFShared\UmxCfg.exe
C:\Program Files\Tiny Firewall Pro\UmxFwHlp.exe
C:\Program Files\Common Files\PFShared\UmxPol.exe
C:\Program Files\Tiny Firewall Pro\UmxAgent.exe
C:\Program Files\Tiny Firewall Pro\UmxTray.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\PFShared\umxlu.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Linksys\LinksysDiag\LinksysDiag.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\program files\steam\steam.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [LinksysDiag] C:\Program Files\Linksys\LinksysDiag\LinksysDiag /hw
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [AMonitor] C:\Program Files\Tiny Firewall Pro\amon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.select2p...bs/QOLCheck.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1142307337655
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1142308179717
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: FW Event Manager (UmxAgent) - Computer Associates International, Inc. - C:\Program Files\Tiny Firewall Pro\UmxAgent.exe
O23 - Service: FW Configuration Interpreter (UmxCfg) - Computer Associates International, Inc. - C:\Program Files\Common Files\PFShared\UmxCfg.exe
O23 - Service: FW User-Mode Helper (UmxFwHlp) - Computer Associates International, Inc. - C:\Program Files\Tiny Firewall Pro\UmxFwHlp.exe
O23 - Service: FW Live Update (UmxLU) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\umxlu.exe
O23 - Service: FW Policy Manager (UmxPol) - Computer Associates International, Inc. - C:\Program Files\Common Files\PFShared\UmxPol.exe
--
End of file - 7691 bytes
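A small triage script for a HijackThis log like the one above, added here as an example; it is not HijackThis code and not part of this thread. It flags the entry classes a helper checks first: R0/R1 start or search pages pointing at a host outside a short allow-list (the allow-list itself is an assumption), any line ending in "(file missing)", and O4 Run values that name an executable without a path. The sample log is constructed: the R0 host is a placeholder because the thread's URL is truncated, and the other lines are copied from the log above.

```python
"""Triage a HijackThis v2 log: flag the entry types that get a checkmark first.
Added example for this thread; not HijackThis code."""
import re
from urllib.parse import urlparse

# Assumption: a small allow-list of hosts that are normal for R0/R1 (IE start
# and search page) entries. A real triage keeps a fuller list.
BENIGN_URL_HOSTS = {"go.microsoft.com", "www.microsoft.com", "www.msn.com"}

ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|F[0-3]|O\d{1,2}) - (?P<body>.*)$")

# Constructed sample: the R0 host is a placeholder (the thread's URL is
# truncated); the remaining lines are copied from the HijackThis log above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hijacked.example/?lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: FW Live Update (UmxLU) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\umxlu.exe
--
End of file - 7691 bytes
"""


def _first_token(cmd):
    """Executable part of a Run value: the quoted path, or the first whitespace token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text):
    """Return (kind, reason, line) for each entry worth a checkmark or a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, separators
        kind, body = m.group("kind"), m.group("body")
        # R0/R1: IE start/search page pointing somewhere other than a known-default host
        if kind in ("R0", "R1") and " = " in body:
            host = urlparse(body.split(" = ", 1)[1].strip()).hostname or ""
            if host not in BENIGN_URL_HOSTS:
                findings.append((kind, f"IE start/search page points at non-default host {host!r}", line))
        # Any entry whose target is gone from disk: harmless, but cleaned for tidiness
        if body.endswith("(file missing)"):
            findings.append((kind, "dangling reference: the file is not on disk, fix to clean the entry", line))
        # O4 Run values that name an executable with no path are resolved by search order;
        # confirm where they actually resolve before trusting them
        if kind == "O4" and "] " in body:
            exe = _first_token(body.split("] ", 1)[1])
            if exe and "\\" not in exe:
                findings.append((kind, f"Run entry names {exe!r} without a path; verify where it resolves", line))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
```

Run as a script it prints the five hits: the R0 line is the one that earns a "Fix checked", the two "(file missing)" lines are leftovers removed for tidiness, and the bare-name O4 entries (CTHELPER.EXE, nwiz.exe) are only a prompt to confirm the resolved path, which ComboFix prints in brackets in its Reg Loading Points section, not a sign of infection by themselves.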
#9
Posted 07 August 2008 - 07:47 AM
Hi there
Please open HijackThis again and choose "Do a system scan only". Please put a check next to each of the following entries (if still present):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
Now please close all open windows except HJT and press "Fix checked".
Then,
Please click Start, then Run; in the window that appears, type in Notepad.exe.
Highlight the entire content of the codebox below. Copy (Control + C) and Paste (Control + V) the content into the notepad window:
File::
C:\WINDOWS\system32\yjdmtfax.VIR000
C:\WINDOWS\system32\ssqRiGwU.VIR000
C:\WINDOWS\lnvegaow.exe
C:\WINDOWS\system32\khfGyVmN.VIR

Driver::
oflpydin

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"=-
"NoRecentDocsNetHood"=-
"NoSMHelp"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"=-
"NoRecentDocsNetHood"=-
"NoSMHelp"=-

Now in Notepad, go to File and in the menu that drops down click on Save As...
Save the file as CFScript.txt
Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
After that please reboot your computer if it asks you to and post ComboFix.txt (the report the ComboFix will generate) in your next reply.
And finally for now,
Please download Malwarebytes' Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy&Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
Post back with the logs please
#10
Posted 07 August 2008 - 10:24 PM
Second combofix log!
ComboFix 08-08-07.05 - Greed 2008-08-07 22:09:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.656 [GMT -6:00]
Running from: C:\Documents and Settings\Greed\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Greed\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\WINDOWS\lnvegaow.exe
C:\WINDOWS\system32\khfGyVmN.VIR
C:\WINDOWS\system32\ssqRiGwU.VIR000
C:\WINDOWS\system32\yjdmtfax.VIR000
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\lnvegaow.exe
C:\WINDOWS\system32\khfGyVmN.VIR
C:\WINDOWS\system32\ssqRiGwU.VIR000
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_OFLPYDIN
-------\Service_oflpydin
((((((((((((((((((((((((( Files Created from 2008-07-08 to 2008-08-08 )))))))))))))))))))))))))))))))
.
2008-08-06 23:31 . 2008-08-06 23:31 <DIR> d-------- C:\Program Files\LucasArts
2008-08-05 15:32 . 2008-08-05 15:32 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-05 15:32 . 2008-08-05 15:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-05 15:14 . 2008-08-05 15:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-05 15:00 . 2008-08-07 22:15 36 --a------ C:\WINDOWS\system32\drivers\Ids_cfg.dat
2008-08-05 12:24 . 2008-08-05 12:24 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-05 11:36 . 2008-08-05 11:36 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-08-05 00:55 . 2008-08-05 00:55 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM
2008-08-04 22:29 . 2008-08-04 22:28 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-02 14:37 . 2008-08-02 14:37 <DIR> d-------- C:\Program Files\Sierra
2008-08-01 12:47 . 2008-08-01 12:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-01 12:47 . 2008-08-01 12:47 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-22 16:10 . 2008-07-22 16:10 <DIR> d-------- C:\WINDOWS\San Andreas Mod Installer
2008-07-21 22:37 . 2008-07-21 22:38 <DIR> d-------- C:\vcs5core
2008-07-21 22:37 . 2008-07-21 22:37 <DIR> d-------- C:\vcs5BGEffects
2008-07-21 22:37 . 2008-07-21 22:37 <DIR> d-------- C:\AV_LOGS
2008-07-21 17:12 . 2008-07-21 17:12 <DIR> d-------- C:\Program Files\Rockstar Games
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-08 04:19 --------- d-----w C:\Program Files\Steam
2008-08-08 04:13 214,340 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k
2008-08-08 00:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2008-08-07 13:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-06 02:12 1,004,032 ----a-w C:\WINDOWS\system32\AutoPartNt.exe
2008-08-05 21:31 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-05 21:13 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-02 20:45 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-07-14 02:59 --------- d-----w C:\Program Files\EA GAMES
2008-06-21 06:08 --------- d-----w C:\Documents and Settings\Greed\Application Data\EVEMon
2008-06-21 04:50 --------- d-----w C:\Program Files\EVEMon
2008-06-17 18:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\CCP
2008-06-17 17:51 --------- d-----w C:\Program Files\CCP
2008-05-16 17:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-11-04 01:54 354 -c--a-w C:\Program Files\INSTALL.LOG
2007-01-07 05:30 1 -c--a-w C:\Documents and Settings\Greed\SI.bin
2003-12-18 18:33 20,102 -c--a-w C:\Program Files\Readme.txt
2003-09-03 14:46 10,960 -c--a-w C:\Program Files\EULA.txt
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AMonitor"="C:\Program Files\Tiny Firewall Pro\amon.exe" [2005-08-11 12:12 561152]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Steam"="c:\program files\steam\steam.exe" [2008-04-02 21:07 1271032]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 08:16 171464]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LinksysDiag"="C:\Program Files\Linksys\LinksysDiag\LinksysDiag" [X]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 18:25 266497]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 14:43 7630848]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 14:43 86016]
"CTHelper"="CTHELPER.EXE" [2005-12-08 13:06 16384 C:\WINDOWS\CTHELPER.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-03-28 18:38 94208 C:\WINDOWS\KHALMNPR.Exe]
"nwiz"="nwiz.exe" [2006-08-11 14:43 1519616 C:\WINDOWS\system32\nwiz.exe]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-03-13 23:33:14 573440]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2005-07-12 00:26 73728 C:\WINDOWS\system32\UmxWNP.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=UmxSbxExw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-09-18 08:16 171464 C:\Program Files\DAEMON Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-04-02 21:07 1271032 C:\Program Files\Steam\steam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TinyFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Steam\\SteamApps\\demoniccalhoon\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEARXP\\FEARXP.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 KmxNdis;KmxNdis;C:\WINDOWS\system32\DRIVERS\kmxndis.sys [2005-08-16 12:42]
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2005-07-11 19:39]
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2005-07-12 00:20]
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2005-08-16 12:42]
R1 KmxIds;KmxIds;C:\WINDOWS\system32\DRIVERS\kmxids.sys [2005-08-11 15:31]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2006-09-04 23:02]
R2 KmxBiG;KmxBiG;C:\WINDOWS\system32\DRIVERS\KmxBiG.sys [2005-07-12 00:21]
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2005-08-23 23:50]
R2 LANPkt;Linksys LANPkt Protocol Driver;C:\WINDOWS\system32\DRIVERS\LANPkt.sys [2004-03-09 17:50]
R2 UmxAgent;FW Event Manager;C:\Program Files\Tiny Firewall Pro\UmxAgent.exe [2005-08-22 10:51]
R2 UmxCfg;FW Configuration Interpreter;C:\Program Files\Common Files\PFShared\UmxCfg.exe [2005-07-12 17:57]
R2 UmxLU;FW Live Update;C:\Program Files\Common Files\PFShared\umxlu.exe [2005-03-09 18:02]
R2 UmxPol;FW Policy Manager;C:\Program Files\Common Files\PFShared\UmxPol.exe [2005-07-12 01:21]
R3 Diag69xp;Diag69xp;C:\WINDOWS\system32\Drivers\Diag69xp.sys [2004-05-24 18:16]
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2005-08-23 13:41]
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-08-29 00:54]
S3 RTLVLANXP;Linksys VLAN Intermediate Driver;C:\WINDOWS\system32\DRIVERS\RTLVLANXP.SYS [2005-01-26 23:06]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 22:16:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Tiny Firewall Pro\UmxFwHlp.exe
C:\Program Files\Tiny Firewall Pro\UmxTray.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Linksys\LinksysDiag\LinksysDiag.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-08-07 22:24:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-08 04:24:30
ComboFix2.txt 2008-08-07 04:47:33
Pre-Run: 12,538,875,904 bytes free
Post-Run: 12,560,642,048 bytes free
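Once ComboFix has run the CFScript, the report it writes is worth checking against the script rather than reading it as a success message. The script below is added as an example and is not ComboFix's own code: it parses the File::/Driver::/Registry:: directives of a CFScript and the FILE ::, Other Deletions and Drivers/Services sections of the report, then lists which requested removals the run actually carried out. The CFScript and the report excerpt are copied from this thread (banner lines shortened); the report layout is assumed from that log and may differ in other ComboFix versions.

```python
"""Reconcile a ComboFix CFScript with the report ComboFix wrote after running it.
Added example for this thread; not ComboFix's own code. The report section
layout (FILE ::, banner lines in parentheses) is assumed from the log above."""
import re

# Copied from the helper's CFScript in this thread.
CFSCRIPT = r"""File::
C:\WINDOWS\system32\yjdmtfax.VIR000
C:\WINDOWS\system32\ssqRiGwU.VIR000
C:\WINDOWS\lnvegaow.exe
C:\WINDOWS\system32\khfGyVmN.VIR

Driver::
oflpydin

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"=-
"NoRecentDocsNetHood"=-
"NoSMHelp"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"=-
"NoRecentDocsNetHood"=-
"NoSMHelp"=-
"""

# Excerpt of the second ComboFix report in this thread (banners shortened).
COMBOFIX_REPORT = r"""Command switches used :: C:\Documents and Settings\Greed\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\WINDOWS\lnvegaow.exe
C:\WINDOWS\system32\khfGyVmN.VIR
C:\WINDOWS\system32\ssqRiGwU.VIR000
C:\WINDOWS\system32\yjdmtfax.VIR000
.
((((((((((( Other Deletions )))))))))))
.
C:\WINDOWS\lnvegaow.exe
C:\WINDOWS\system32\khfGyVmN.VIR
C:\WINDOWS\system32\ssqRiGwU.VIR000
.
((((((((((( Drivers/Services )))))))))))
.
-------\Legacy_OFLPYDIN
-------\Service_oflpydin
((((((((((( Files Created from 2008-07-08 to 2008-08-08 )))))))))))
.
2008-08-06 23:31 . 2008-08-06 23:31 <DIR> d-------- C:\Program Files\LucasArts
"""

BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")


def parse_cfscript(text):
    """Map each 'Name::' directive to the non-empty lines under it (registry lines kept raw)."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def registry_deletions(lines):
    """(key, value) pairs the script deletes: a '"name"=-' line under a '[key]' line."""
    out, key = [], None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        else:
            m = re.match(r'^"(.+)"=-$', line)
            if m and key:
                out.append((key, m.group(1)))
    return out


def parse_report(text):
    """Map 'FILE' and each banner title to the lines beneath it, skipping '.' spacers."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = BANNER_RE.match(line)
        if line.startswith("FILE ::") or m:
            current = m.group(1) if m else "FILE"
            sections[current] = []
        elif line and line != "." and current is not None:
            sections[current].append(line)
    return sections


def reconcile(cfscript_text, report_text):
    """Compare what the script asked for with what the report says was removed."""
    script, report = parse_cfscript(cfscript_text), parse_report(report_text)
    deleted = {p.lower() for p in report.get("Other Deletions", [])}
    # Drivers/Services lines look like '-------\Service_name'; keep the last path component
    removed = {l.rsplit("\\", 1)[-1].lower() for l in report.get("Drivers/Services", [])}
    result = {"deleted": [], "not_found": [], "drivers_removed": [], "drivers_missing": [],
              "registry_deletions": registry_deletions(script.get("Registry", []))}
    for path in script.get("File", []):
        result["deleted" if path.lower() in deleted else "not_found"].append(path)
    for drv in script.get("Driver", []):
        gone = f"service_{drv.lower()}" in removed
        result["drivers_removed" if gone else "drivers_missing"].append(drv)
    return result


if __name__ == "__main__":
    for name, items in reconcile(CFSCRIPT, COMBOFIX_REPORT).items():
        print(f"{name}: {items}")
```

For this thread's data the reconciliation shows three of the four files and the oflpydin driver removed, six registry values requested for deletion, and C:\WINDOWS\system32\yjdmtfax.VIR000 requested but absent from Other Deletions. The report does not say why, so that path is worth checking by hand before the cleanup is called finished.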
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 14:43 7630848]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 14:43 86016]
"CTHelper"="CTHELPER.EXE" [2005-12-08 13:06 16384 C:\WINDOWS\CTHELPER.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-03-28 18:38 94208 C:\WINDOWS\KHALMNPR.Exe]
"nwiz"="nwiz.exe" [2006-08-11 14:43 1519616 C:\WINDOWS\system32\nwiz.exe]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-03-13 23:33:14 573440]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2005-07-12 00:26 73728 C:\WINDOWS\system32\UmxWNP.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=UmxSbxExw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-09-18 08:16 171464 C:\Program Files\DAEMON Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-04-02 21:07 1271032 C:\Program Files\Steam\steam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TinyFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Steam\\SteamApps\\demoniccalhoon\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEARXP\\FEARXP.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 KmxNdis;KmxNdis;C:\WINDOWS\system32\DRIVERS\kmxndis.sys [2005-08-16 12:42]
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2005-07-11 19:39]
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2005-07-12 00:20]
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2005-08-16 12:42]
R1 KmxIds;KmxIds;C:\WINDOWS\system32\DRIVERS\kmxids.sys [2005-08-11 15:31]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2006-09-04 23:02]
R2 KmxBiG;KmxBiG;C:\WINDOWS\system32\DRIVERS\KmxBiG.sys [2005-07-12 00:21]
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2005-08-23 23:50]
R2 LANPkt;Linksys LANPkt Protocol Driver;C:\WINDOWS\system32\DRIVERS\LANPkt.sys [2004-03-09 17:50]
R2 UmxAgent;FW Event Manager;C:\Program Files\Tiny Firewall Pro\UmxAgent.exe [2005-08-22 10:51]
R2 UmxCfg;FW Configuration Interpreter;C:\Program Files\Common Files\PFShared\UmxCfg.exe [2005-07-12 17:57]
R2 UmxLU;FW Live Update;C:\Program Files\Common Files\PFShared\umxlu.exe [2005-03-09 18:02]
R2 UmxPol;FW Policy Manager;C:\Program Files\Common Files\PFShared\UmxPol.exe [2005-07-12 01:21]
R3 Diag69xp;Diag69xp;C:\WINDOWS\system32\Drivers\Diag69xp.sys [2004-05-24 18:16]
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2005-08-23 13:41]
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-08-29 00:54]
S3 RTLVLANXP;Linksys VLAN Intermediate Driver;C:\WINDOWS\system32\DRIVERS\RTLVLANXP.SYS [2005-01-26 23:06]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 22:16:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Tiny Firewall Pro\UmxFwHlp.exe
C:\Program Files\Tiny Firewall Pro\UmxTray.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Linksys\LinksysDiag\LinksysDiag.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-08-07 22:24:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-08 04:24:30
ComboFix2.txt 2008-08-07 04:47:33
Pre-Run: 12,538,875,904 bytes free
Post-Run: 12,560,642,048 bytes free
166
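The "Reg Loading Points" block above is the part of a ComboFix log a helper reads first: autorun entries, the AppInit_DLLs value, Security Center overrides, the firewall profile state and globally open ports. As an added example (not code from ComboFix or from anyone in this thread), here is a small Python parser that walks that REGEDIT4-style block and marks those settings for review. The embedded excerpt is copied from the log above; the flag rules are this example's own heuristics and are prompts for a human, not verdicts. In this thread the firewall and Security Center entries are consistent with the third-party Tiny Firewall Pro the log shows installed (the monitoring key is literally named TinyFirewall), which is exactly the kind of context a flag list cannot supply on its own.

```python
"""Review the "Reg Loading Points" block of a ComboFix log.

Added example for this thread, not ComboFix's own code.  ComboFix prints
the block in REGEDIT4 style: a registry key in [brackets], then one
"name"=value line per entry, sometimes followed by [date time size] or
[X] (file not found).  The flag rules below are this example's own
heuristics and only mark entries for a human to look at.
"""
import re
from collections import defaultdict

# Excerpt copied from the ComboFix log in this thread (not a complete log).
LOG_EXCERPT = r"""
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Steam"="c:\program files\steam\steam.exe" [2008-04-02 21:07 1271032]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LinksysDiag"="C:\Program Files\Linksys\LinksysDiag\LinksysDiag" [X]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 18:25 266497]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=UmxSbxExw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TinyFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
META_RE = re.compile(r"\s\[([^\]]*)\]$")   # trailing [date time size] or [X]


def parse_value_line(line):
    """Split '"name"=value [meta]' into (name, value, meta-or-None)."""
    name, _, rest = line.partition('"=')
    name = name.lstrip('"')
    rest = rest.strip()
    meta = None
    m = META_RE.search(rest)
    if m:
        meta = m.group(1)
        rest = rest[: m.start()].rstrip()
    if len(rest) >= 2 and rest[0] == '"' and rest[-1] == '"':
        rest = rest[1:-1]          # quoted path
    return name, rest, meta


def parse_reg_points(text):
    """Return {registry key: [(name, value, meta), ...]}."""
    entries = defaultdict(list)
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
        elif key and line.startswith('"'):
            entries[key].append(parse_value_line(line))
    return entries


def review(entries):
    """Return (category, item, value) triples worth a second look."""
    findings = []
    for key, values in entries.items():
        k = key.lower()
        leaf = key.rsplit("\\", 1)[-1]
        for name, value, meta in values:
            if k.endswith(r"\currentversion\run"):
                # [X] means ComboFix could not find the file the entry points at
                tag = "autorun (file missing)" if meta == "X" else "autorun"
                findings.append((tag, name, value))
            elif name.lower() == "appinit_dlls" and value:
                # loaded into every process that maps user32.dll
                findings.append(("AppInit_DLLs set", name, value))
            elif r"security center\monitoring" in k and value.endswith("1"):
                findings.append(("Security Center monitoring disabled", leaf, value))
            elif name.lower() == "enablefirewall" and value.startswith("0"):
                findings.append(("Windows Firewall off", leaf, value))
            elif "globallyopenports" in k:
                findings.append(("globally open port", name, value))
    return findings


if __name__ == "__main__":
    for category, item, value in review(parse_reg_points(LOG_EXCERPT)):
        print(f"{category:38} {item:16} {value}")
```

Run it as a script to print the flagged entries; to review a real log, replace LOG_EXCERPT with the text between "Reg Loading Points" and the next ComboFix section header. The parser keeps the key and the trailing metadata separately so the `[X]` marker can be distinguished from a dated, sized file on disk.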
#11
Posted 07 August 2008 - 10:32 PM
And here is the anti-malware program log
Malwarebytes' Anti-Malware 1.24
Database version: 1032
Windows 5.1.2600 Service Pack 2
10:33:26 PM 8/7/2008
mbam-log-8-7-2008 (22-33-26).txt
Scan type: Quick Scan
Objects scanned: 42955
Time elapsed: 4 minute(s), 44 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\bgrqfetx.btrf (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bgrqfetx.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{306bbb66-d9e4-4481-833e-c1d5fca06774} (Rogue.Foxie) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{546e08aa-809f-4f1a-be1a-6b122ebfcd5a} (Rogue.Foxie) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{61039b22-563d-4922-b844-b076c318a66a} (Rogue.Foxie) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{e4143585-2688-4ebc-b264-27c774f600d5} (Rogue.Foxie) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\Foxie Suite (Rogue.Foxie) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\Foxie Suite\foxiecoreu.dll (Rogue.Foxie) -> Quarantined and deleted successfully.
#12
Posted 08 August 2008 - 04:16 AM
Looks better
Download the latest version of Java Runtime Environment (JRE) 6 Update 7. Once done, uninstall any older versions of Java through add or remove programs.
Go to Kaspersky website and perform an online antivirus scan.
- Read through the requirements and privacy statement and click on the Accept button.
- It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
- When the downloads have finished, click on Settings.
- Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  - Spyware, Adware, Dialers, and other potentially dangerous programs
  - Archives
  - Mail databases
- Click on My Computer under Scan.
- Once the scan is complete, it will display the results. Click on View Scan Report.
- You will see a list of infected items there. Click on Save Report As....
- Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
How is your PC running?
Edited by Mike, 08 August 2008 - 08:19 AM.
#13
Posted 08 August 2008 - 06:45 PM
Yeah man, seems to be working great! This Kaspersky online scan seems to be taking fraggin forever. Will post log when it finishes! Got my clock and permissions and whatnot back. And that last scan you had me do with the malware hunter cleared out a trojan I was unaware of.
#14
Posted 08 August 2008 - 09:55 PM
Ok, I finished that Kaspersky scan, attaching the report!
#15
Posted 09 August 2008 - 04:34 AM
Hi there
Empty out this folder (i.e. delete everything in it): C:\Documents and Settings\Greed\.housecall\Quarantine
Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
Your logs look clean
Click START then RUN
Now type Combofix /u in the runbox and click OK
Notice the space between the x and / -- That needs to be there.
&
Now please download OTCleanIt.
- Save it to your desktop.
- Double Click on OTCleanIt.exe, a window will appear.
- Please press the CleanUp! Button.
Now that you are clean, you'll want to stay that way.
Some important things that you should keep in mind in order to protect yourself:
- Use common sense. This is the big one! Don't download programs from suspicious sites and be careful where you browse.
Things you can do to avoid downloading bad programs:
- Google the program. Read reviews and opinions from other people on the internet; if you don't see any reports of foul play, then there more than likely is none.
- Stay away from cracks! However luring the thought of free software can be, it's not worth the hassle and potential danger of getting infected.
- Download the program directly from the website of the developer; then you can be certain you haven't downloaded a bogus copy.
- Read the EULA (End User License Agreement) and find out exactly what you are downloading. A good tool to aid you in this would be EULAlyzer.
- Keep your programs updated! Software developers update their programs to patch possible security risks. Do a scan once in a while for outdated programs using Secunia's Software Inspector.
- Keep your protection programs up to date! No matter how good your Antivirus or Antispyware program is, without an updated set of definitions it will do you no good against the new infections. If you run a free program, make sure to update it at least once a week.
- Make sure that Windows Update is enabled. Keeping your system up to date is a must; to turn on automatic updates take a look at this article by Microsoft.
- SpywareBlaster: take a look at the tutorial here.
- ZonedOut: adds thousands of websites to your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Make a habit of scanning your computer for viruses every week or so and backing up important files regularly.
Please also read Expert Tony Klein's excellent article: How I got Infected in the First Place
Please post back and tell me if everything is OK, so that I may mark this thread as Resolved.