Is it CLEAN? [CLOSED]

#1
ae86drftr (New Member, 3 posts)
I thought to myself, a lot of people on here have similar trojans to the one I have. I decided to look for the one that resembled my trojan closest and attempted the resolution that was given to them. I believe that I have fixed the problem, but if I can have one of you moderators check the logs that I have, that would be much appreciated. Here are the logs that were asked of the other user. Sorry, I forgot to mention that the trojan that I believe I had was the one that created a new wallpaper stating this:
"spyware detected on your computer win32adware virtumonde
win32 privacyremover"
This is the topic that I followed: http://www.geekstogo...64-t208698.html
If I did something wrong or bad, please advise me. I am the type of person that will attempt to fix something myself even if it relates to things that I don't really know about.
THANK YOU VERY MUCH FOR EVEN TAKING THE TIME TO READ MY POST!!!!!!


FIRST IS THE REPORT ONE

SDFix: Version 1.218
Run by AE86DRFTR on Tue 08/19/2008 at 05:10 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-19 17:15:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:Orb"
"C:\\Program Files\\XLink Kai\\kaiEngine.exe"="C:\\Program Files\\XLink Kai\\kaiEngine.exe:*:Enabled:XLink Kai Evolution 7 Engine"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Palm\\Hotsync.exe"="C:\\Program Files\\Palm\\Hotsync.exe:*:Enabled:HotSyncr Manager Application"
"C:\\Program Files\\V CAST Music with Rhapsody\\rhapsody.exe"="C:\\Program Files\\V CAST Music with Rhapsody\\rhapsody.exe:*:Enabled:Rhapsody Media Player"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :



Files with Hidden Attributes :

Mon 18 Aug 2008 6,104,632 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Tue 3 Jun 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 7 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\3a8714eb7dd4db456941e95c20d46049\BIT37.tmp"
Sat 7 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4bc27de79804b640a2e67eda87fe6cda\BIT1A.tmp"
Sat 7 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a82dc500ddf76b06dc26bd22c7a14240\BIT2C.tmp"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Documents and Settings\AE86DRFTR\Desktop\Computer Management\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Documents and Settings\AE86DRFTR\Desktop\Computer Management\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Documents and Settings\AE86DRFTR\Desktop\Computer Management\Spybot - Search & Destroy\TeaTimer.exe"
Wed 11 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\972f9ceb5c3be430fe6cdcb43653d74d\download\BIT68.tmp"

Finished!

SECOND THE LOG
ComboFix 08-08-18.05 - AE86DRFTR 2008-08-19 17:39:07.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.95 [GMT -7:00]
Running from: C:\Documents and Settings\AE86DRFTR\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\AE86DRFTR\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
.

2008-08-19 17:09 . 2008-08-19 17:09 578,560 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-08-19 17:08 . 2008-08-19 17:08 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-19 17:03 . 2008-08-19 17:18 <DIR> d-------- C:\SDFix
2008-08-19 09:02 . 2008-08-19 09:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-18 20:16 . 2008-08-18 20:16 <DIR> d-------- C:\Program Files\Picasa2
2008-08-18 20:15 . 2008-08-18 21:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-18 20:14 . 2008-08-18 20:15 <DIR> d-------- C:\Program Files\Google
2008-08-18 19:33 . 2008-08-19 08:17 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-08-18 19:33 . 2008-08-18 19:33 <DIR> d-------- C:\Documents and Settings\AE86DRFTR\Application Data\PC Tools
2008-08-18 19:33 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-08-18 19:33 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-08-18 19:33 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-08-18 19:33 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-08-18 18:27 . 2008-08-18 18:28 19,153,264 --a------ C:\Program Files\aaw2008.exe
2008-08-18 16:19 . 2008-08-18 16:22 <DIR> d-------- C:\Program Files\Chanel DVD Ripper
2008-08-18 16:05 . 2008-08-18 16:05 0 --a------ C:\WINDOWS\AoADVDRipper.INI
2008-08-18 16:04 . 2008-08-18 16:04 <DIR> d-------- C:\Program Files\AoA DVD Ripper
2008-08-14 10:27 . 2008-05-01 07:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-14 10:25 . 2008-04-11 12:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-10 20:20 . 2008-04-13 17:12 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-08-10 20:20 . 2008-04-13 11:45 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-08-10 20:20 . 2008-04-13 11:45 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-08-10 20:20 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-08-06 01:04 . 2008-08-06 01:04 <DIR> d-------- C:\spoolerlogs
2008-08-05 11:26 . 2008-08-05 11:27 <DIR> d-------- C:\Program Files\Common Files\Real
2008-08-05 11:25 . 2008-08-05 11:25 <DIR> d-------- C:\Program Files\Real
2008-08-05 11:23 . 2008-08-05 11:26 <DIR> d-------- C:\Program Files\V CAST Music with Rhapsody
2008-08-02 21:57 . 2008-08-02 21:57 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\AVGTOOLBAR
2008-08-02 12:18 . 2008-08-02 12:18 <DIR> d-------- C:\Program Files\Matrox Imaging
2008-08-01 14:48 . 2008-08-08 14:20 <DIR> d-------- C:\Documents and Settings\Guest
2008-07-28 14:55 . 2008-07-28 14:55 763 --a------ C:\WINDOWS\ST5UNST.001
2008-07-28 14:51 . 2008-07-28 14:54 <DIR> d-------- C:\Program Files\Anvil Studio
2008-07-28 14:49 . 2008-07-28 14:49 779 --a------ C:\WINDOWS\ST5UNST.000
2008-07-25 23:00 . 2008-07-25 22:59 733,558 --a------ C:\WINDOWS\Jump.scr
2008-07-25 22:59 . 2008-07-25 23:00 <DIR> d-------- C:\Program Files\Jump
2008-07-20 18:48 . 2008-07-20 18:48 27,958 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Mp4 Codec.bmp
2008-07-20 18:48 . 2008-07-20 18:48 1,211 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Mp4 Codec.dat
2008-07-20 15:06 . 2008-07-20 15:06 <DIR> d-------- C:\Program Files\iPod
2008-07-20 14:52 . 2008-07-20 14:52 <DIR> d-------- C:\Program Files\Safari

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-19 04:16 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-18 23:04 --------- d-----w C:\Program Files\XviD
2008-08-18 22:20 --------- d-----w C:\Documents and Settings\AE86DRFTR\Application Data\OpenOffice.org2
2008-08-01 00:30 --------- d-----w C:\Program Files\Palm
2008-07-21 01:48 167,936 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2008-07-20 22:06 --------- d-----w C:\Program Files\iTunes
2008-07-20 22:04 --------- d-----w C:\Program Files\QuickTime
2008-07-19 21:34 --------- d-----w C:\Program Files\PSP
2008-07-16 00:48 --------- d-----w C:\Documents and Settings\AE86DRFTR\Application Data\XLink Kai
2008-07-16 00:34 36,928 ----a-w C:\WINDOWS\system32\drivers\pssdk41.sys
2008-07-15 21:02 --------- d-----w C:\Documents and Settings\AE86DRFTR\Application Data\XBMC
2008-07-13 20:41 667,914 ----a-w C:\WINDOWS\unins001.exe
2008-07-13 19:39 --------- d-----w C:\Program Files\Illustrate
2008-07-12 01:21 --------- d-----w C:\Documents and Settings\AE86DRFTR\Application Data\Arcsoft
2008-07-11 20:25 --------- d-----w C:\Program Files\Winamp
2008-07-11 20:24 --------- d-----w C:\Documents and Settings\AE86DRFTR\Application Data\Winamp
2008-07-11 16:07 --------- d-----w C:\Program Files\Java
2008-07-10 16:47 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-10 16:47 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-10 16:47 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-07-09 18:54 --------- d-----w C:\Program Files\MSXML 4.0
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-03 04:54 --------- d-----w C:\Program Files\PonyProg2000
2008-06-28 03:21 --------- d-----w C:\Program Files\Mystery Case Files Prime Suspects
2008-06-27 15:53 --------- d-----w C:\Program Files\ReflexiveArcade
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-21 01:20 --------- d-----w C:\Program Files\XLink Kai
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-04 15:42 720,896 ----a-w C:\WINDOWS\iun6002.exe
2008-06-04 06:38 53,248 ----a-w C:\WINDOWS\system32\palmdevc.dll
2008-06-03 06:54 641,021 ----a-w C:\WINDOWS\unins000.exe
2008-06-03 01:09 53,248 ----a-w C:\WINDOWS\PalmDevC.dll
2008-06-02 23:50 558,142 ----a-w C:\WINDOWS\java\Packages\BV5JZ973.ZIP
2008-06-02 23:50 155,995 ----a-w C:\WINDOWS\java\Packages\49J5BJ5Z.ZIP
2008-05-30 21:19 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
2008-05-30 21:18 238,088 ----a-w C:\WINDOWS\system32\xactengine3_1.dll
2008-05-30 21:17 65,032 ----a-w C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-30 21:17 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-30 21:11 467,984 ----a-w C:\WINDOWS\system32\d3dx10_38.dll
2008-05-30 21:11 3,850,760 ----a-w C:\WINDOWS\system32\D3DX9_38.dll
2008-05-30 21:11 1,491,992 ----a-w C:\WINDOWS\system32\D3DCompiler_38.dll
2008-05-25 23:19 351,232 ----a-w C:\WINDOWS\system32\avisynth.dll
.

((((((((((((((((((((((((((((( [email protected]_15.24.14.65 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 23:27:04 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-08-20 00:08:05 5,910,528 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-08-20 00:08:05 557,056 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 23:27:04 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-08-20 00:08:03 5,910,528 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-08-20 00:08:03 557,056 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-10 09:47 1232152]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 02:46 196608]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-23 16:26 217088]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=C:\WINDOWS\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\XLink Kai\\kaiEngine.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Palm\\Hotsync.exe"=
"C:\\Program Files\\V CAST Music with Rhapsody\\rhapsody.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 MtxDma0;Matrox Dma Manager (0);C:\WINDOWS\system32\drivers\MtxDma0.sys [2002-07-09 23:33]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-10 09:47]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-03 18:29]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-03 18:29]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-10 09:47]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 22:59]
S3 DLPortIO;DriverLINX Port I/O Driver;C:\WINDOWS\system32\DRIVERS\DLPortIO.SYS [2000-06-29 17:24]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;C:\WINDOWS\system32\DRIVERS\libusb0.sys [2007-05-11 00:12]
S3 PsSdk41;PsSdk41;C:\WINDOWS\system32\Drivers\pssdk41.sys [2008-07-15 17:34]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42c68622-34ea-11dd-9cfa-000e3b09eab5}]
\Shell\AutoRun\command - G:\.pspware\PSPWareLauncher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42c68639-34ea-11dd-9cfa-00045a4b25b1}]
\Shell\AutoRun\command - K:\.pspware\PSPWareLauncher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70d1a995-5113-11dd-b9ec-0007e9a795bd}]
\Shell\AutoRun\command - K:\.pspware\PSPWareLauncher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bb9de85-31a6-11dd-a8cf-000e3b09eab5}]
\Shell\AutoRun\command - G:\.pspware\PSPWareLauncher.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-08-20 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\AE86DRFTR\Application Data\Mozilla\Firefox\Profiles\80g85xyj.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com
FF -: plugin - C:\Program Files\Google\Google Updater\2.3.1314.1135\npCIDetect12.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-19 17:42:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-19 17:46:27
ComboFix-quarantined-files.txt 2008-08-20 00:46:23
ComboFix2.txt 2008-08-20 00:28:09
ComboFix3.txt 2008-08-19 22:24:43

Pre-Run: 57,525,309,440 bytes free
Post-Run: 57,490,841,600 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /FASTDETECT

197 --- E O F --- 2008-08-16 07:01:57

AND LAST IS THE HIJACK THIS LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:47:26 PM, on 8/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\AE86DR~1\Desktop\COMPUT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.509.6972\swg.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: Send Image to Phone - http://www.freeringers.net/ezimage.php
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\AE86DR~1\Desktop\COMPUT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\AE86DR~1\Desktop\COMPUT~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1212525194051
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 6737 bytes

#2
Egwene (Member 2k, Visiting Consultant, 2,141 posts)
Hello ae86drftr!

Welcome to the site! :) My name's Egwene and I'll be helping clean up your computer. :) I'm currently looking over your log. I am still in training here, so there might be a delay between my replies as they need to be checked by an expert before I can post them. I'll need a bit of time to research your log fully, so please bear with me.

Before we proceed to clean your computer from malware, let's go over some points that will help both me and you, and prevent causing damage to your computer:
  • To make sure that you receive an email when I reply to this topic, please click here and check that this topic is listed under Malware Removal - HijackThis™ Logs Go Here.
  • Please don't be afraid to ask questions! No question is considered dumb here. It's better to be safe than sorry!
  • When posting logs, please ensure Word Wrap is turned off in Notepad (to check, open Notepad, click on Format, and uncheck Word Wrap).
  • Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
  • NEVER fix anything in HijackThis or other programs on your own! This can be very dangerous and cause harm to your system. If you see a certain entry or program you're unsure about, please don't hesitate to ask!
  • Make sure you reply to this thread using the Add Reply button.

Please read this post completely; it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

#3
Egwene (Member 2k, Visiting Consultant, 2,141 posts)
Hey ae86drftr,

Please don't use such tools without supervision. It may be very dangerous for your computer!


Didn't you see the disclaimer about using ComboFix without any supervision?

1) Check one file with VirScan:

First, I would like to make sure that you can view hidden files and folders;

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading SELECT Show hidden files and folders.
* UNCHECK the Hide protected operating system files (recommended) option.
* UNCHECK the Hide extensions for known file types option.
* Click Yes to confirm.
* Click OK.


  • Please go to VirScan
  • Copy and paste the following file path into the Suspicious files to scan box.
    o C:\WINDOWS\system32\dllcache\user32.dll
  • Click on the Upload button
  • Once the Scan has completed, click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

2) CFScript:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quote box below into it:

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42c68622-34ea-11dd-9cfa-000e3b09eab5}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42c68639-34ea-11dd-9cfa-00045a4b25b1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70d1a995-5113-11dd-b9ec-0007e9a795bd}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bb9de85-31a6-11dd-a8cf-000e3b09eab5}]


Save this as CFScript.txt, in the same location as ComboFix.exe.


Posted Image

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Regards,
Egwene.
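As an added example (not from this thread, and not ComboFix's own tooling), a small Python script that does by machine what the CFScript step in post #3 does by hand: it reads the MountPoints2 block from a ComboFix "Reg Loading Points" section, picks out the entries whose cached shell verb is AutoRun, and emits the Registry:: block that deletes those keys. The sample log text is constructed from the entries shown in this thread plus one made-up Shell\Open entry; treating only the AutoRun verb as suspect is this example's assumption, matching what the post removed.

```python
import re

# Constructed sample input: the MountPoints2 block as ComboFix prints it under
# "Reg Loading Points". The two AutoRun entries are copied from the log in this
# thread; the third (Shell\Open) entry is made up to show it is left alone.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42c68622-34ea-11dd-9cfa-000e3b09eab5}]
\Shell\AutoRun\command - G:\.pspware\PSPWareLauncher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42c68639-34ea-11dd-9cfa-00045a4b25b1}]
\Shell\AutoRun\command - K:\.pspware\PSPWareLauncher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-1111-2222-3333-444444444444}]
\Shell\Open\command - E:\setup.exe
"""

# MountPoints2 holds one GUID subkey per volume Explorer has seen; the shell
# commands cached there come from that volume's autorun.inf.
KEY_RE = re.compile(
    r"^\[(?P<key>HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\\{[0-9a-f-]+\})\]$",
    re.IGNORECASE,
)
# ComboFix prints the cached verb and its command on the line after the key.
CMD_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$")


def find_mountpoint_commands(log_text, verbs=("AutoRun",)):
    """Return MountPoints2 entries whose cached shell verb is in `verbs`.

    Each hit is a dict with the registry key, the verb, the command and the
    drive letter the command is rooted at (None if it is not drive-rooted).
    """
    wanted = {v.lower() for v in verbs}
    hits = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = CMD_RE.match(line)
        if m and current_key and m.group("verb").lower() in wanted:
            cmd = m.group("cmd")
            drive = re.match(r"^([A-Za-z]:)\\", cmd)
            hits.append({
                "key": current_key,
                "verb": m.group("verb"),
                "command": cmd,
                "drive": drive.group(1).upper() if drive else None,
            })
    return hits


def build_cfscript(entries):
    """Emit a CFScript Registry:: block; a leading '-' on a key deletes it,
    the same .reg-file convention the script in post #3 uses."""
    lines = ["Registry::"]
    for entry in entries:
        lines.append("[-%s]" % entry["key"])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = find_mountpoint_commands(SAMPLE_LOG)
    for entry in found:
        print("%s -> %s (%s)" % (entry["drive"], entry["command"], entry["verb"]))
    print(build_cfscript(found))
```

Passing `verbs=("AutoRun", "Open")` widens the net to any cached shell verb, which is the stricter review a helper would do on a log with unfamiliar drive letters.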

#4
Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.