
Malware and Trojans still affecting comp



#1 Andy Br00t4l (Member, 16 posts)
Last Friday, I believe I received a Sasser worm, although I'm not absolutely sure because FxSasser.exe didn't find the worm on my system. I looked on multiple tech forums to solve the problem, and since then I've solved that, but my regedit has been disabled by "Administrator," which is me, because it's my computer; my folder options went missing (both of these events have happened twice now, and regedit is still disabled, although Folder Options shows up in the Control Panel itself, not the Tools menu); I found braskt.exe on my system and removed that (although I believe it is also connected to "karna.dat", which I have found in my HJT logs, but not in my registry or my /system32/ folder); ran 3 registry cleaners (RegRun, RegistryBooster, CCleaner); ran the free Antivir PE Classic without updated definitions because I BELIEVE malware is causing it not to recognize an internet connection; ran the following anti-spyware/malware programs to no avail (scans stop midway through): Malwarebytes' Anti-Malware and Lavasoft Ad-Aware (both the free versions); I've manually deleted suspicious registry entries, repaired my Master Boot Record multiple times, repaired my boot partition multiple times (which was subsequently named " help" [mind the spaces] instead of Windows XP Professional during boots in Safe Mode); my System Restore has not been able to create restore points for quite some time; and at one point my Administrator Options were disabled, as well as disk defrag not being able to work.

Just recently I found psyche.exe in my HJT log and read up on how to remove it, yet I can't because none of my anti-spyware programs work. I just removed it through HJT and found out, despite my deletions and re-running HJT, psyche.exe and PsycheEnque.exe are still in my log. Also, after running my antivirus, I have a log. If you'd like me to post what it deleted, I will in my next post. Hope this helps for now.

Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:52:14 PM, on 11/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\drivers\services.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\drivers\services.exe
C:\Documents and Settings\Andy\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\TEMP\winlogun.exe
C:\Documents and Settings\Andy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\program files\steam\steam.exe
C:\WINDOWS\system32\drivers\services.exe
C:\Documents and Settings\Andy\svchost.exe
C:\WINDOWS\TEMP\winlogun.exe
C:\Documents and Settings\Andy\Start Menu\Programs\Startup\userinit.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\DOCUME~1\Andy\LOCALS~1\Temp\csrssc.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://windiwsfsearch.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.net-studio.org
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = google.net-studio.org
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = google.net-studio.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\services.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Microsoft copyright - {32c620d6-cc10-4e6a-9715-bacacd5b0e61} - [SASInprocServer32] (file missing)
O2 - BHO: C:\WINDOWS\system32\jksf83deff.dll - {c5af42a3-94f3-42bd-f434-3604832c897d} - C:\WINDOWS\system32\jksf83deff.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [winlogon] C:\Documents and Settings\Andy\svchost.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [e0dc39ce] rundll32.exe "C:\WINDOWS\system32\kaqwoaeh.dll",b
O4 - HKLM\..\Run: [jsg8jfgfdfhfhf] C:\WINDOWS\TEMP\winlogun.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Andy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKCU\..\Run: [winlogon] C:\Documents and Settings\Andy\svchost.exe
O4 - HKCU\..\Run: [jsg8jfgfdfhfhf] C:\WINDOWS\TEMP\winlogun.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Andy\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKUS\.DEFAULT\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User 'Default user')
O4 - Startup: userinit.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O20 - AppInit_DLLs: karna.dat fuqobs.dll
O21 - SSODL: WebProxy - {A744F16C-B2D5-4138-81A2-085CDFCDE83A} - ckds16.dll (file missing)
O22 - SharedTaskScheduler: g984tsmy55ygffgnjkdfgdsfd - {C5AF42A3-94F3-42BD-F434-3604832C897D} - C:\WINDOWS\system32\jksf83deff.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (antivirscheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ICF (icf) - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\vhosts.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: psyche - Unknown owner - C:\WINDOWS\System32\psyche.exe
O23 - Service: PsycheEnqueue (psycheenqueue) - Unknown owner - C:\WINDOWS\System32\PsycheEnqueue.exe

--
End of file - 6524 bytes
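The HJT log above is the kind of thing a helper reads by eye: which autostarts point into TEMP or a user profile, which "system" process names live somewhere other than system32 (or are one letter off, like winlogun.exe and csrssc.exe), whether regedit has been disabled by policy, whether AppInit_DLLs is populated, and which services have no owner or hide their binary in an alternate data stream. The script below is an added example, not code from HijackThis, ComboFix or any post in this thread; it encodes those reading habits as heuristics over a subset of the posted log (copied into SAMPLE_LOG). The heuristics and the list of protected binary names are assumptions drawn from what this particular log shows.

```python
"""Triage HijackThis log lines for the indicators seen in this thread.

Added example; not code from HijackThis, ComboFix or any post above.
SAMPLE_LOG copies a subset of the HJT log posted above. The heuristics
are assumptions drawn from what that log shows.
"""
import ntpath
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [winlogon] C:\Documents and Settings\Andy\svchost.exe
O4 - HKLM\..\Run: [jsg8jfgfdfhfhf] C:\WINDOWS\TEMP\winlogun.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Andy\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: karna.dat fuqobs.dll
O23 - Service: ICF (icf) - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: psyche - Unknown owner - C:\WINDOWS\System32\psyche.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\services.exe,C:\WINDOWS\system32\ntos.exe,
"""

SYSTEM32 = r"c:\windows\system32"
# Assumed list: names that belong only in %SystemRoot%\system32 on XP.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "userinit.exe", "spoolsv.exe"}
PATH_RE = re.compile(r'"?([a-z]:\\[^",]*?\.(?:exe|dll|sys|bat|ocx))', re.I)
PROFILE_ROOT_RE = re.compile(r"^[a-z]:\\(documents and settings|docume~1)\\[^\\]+$", re.I)
ADS_RE = re.compile(r"\.(?:exe|dll|sys):[^\\\s]+", re.I)  # e.g. svchost.exe:ext.exe


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def within_one_edit(a, b):
    """True if a equals b or differs by one substitution, insertion or deletion."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] != b[j]:
            edits += 1
            if edits > 1:
                return False
            i += len(a) >= len(b)  # skip the extra char on the longer side,
            j += len(b) >= len(a)  # or both on a substitution
        else:
            i += 1
            j += 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def check_path(path):
    """Reasons a launch path looks wrong: a system-binary name (or a one-letter
    near-miss) outside system32, or a TEMP / user-profile-root location."""
    reasons = []
    directory, name = ntpath.split(path.lower())
    if name in SYSTEM_BINARIES:
        if directory != SYSTEM32:
            reasons.append(f"{name} outside system32")
    elif any(within_one_edit(name, real) for real in SYSTEM_BINARIES):
        reasons.append(f"near-miss of a system binary name: {name}")
    if "\\temp\\" in directory + "\\" or PROFILE_ROOT_RE.match(directory):
        reasons.append(f"suspect directory: {directory}")
    return reasons


def triage(log_text):
    """Return one Finding per (line, reason) for the HJT sections handled here."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        section = line.split(" - ", 1)[0]
        reasons = []
        if section == "O4":  # autostart entries: look at the launched file
            m = PATH_RE.search(line.split("] ", 1)[-1])
            reasons += check_path(m.group(1)) if m else []
        elif section == "O23":  # services: owner, ADS, and the binary path
            target = line.rsplit(" - ", 1)[-1]
            if " - Unknown owner - " in line:
                reasons.append("service with unknown owner")
            if ADS_RE.search(target):
                reasons.append("service path uses an alternate data stream")
            m = PATH_RE.search(target)
            reasons += check_path(m.group(1)) if m else []
        elif section == "O7":  # policy restrictions on admin tools
            reasons.append("admin tool disabled by policy: " + line.split(", ", 1)[-1])
        elif section == "O20":  # AppInit_DLLs should be empty on a clean XP box
            dlls = line.split("AppInit_DLLs:", 1)[-1].strip()
            if dlls:
                reasons.append(f"AppInit_DLLs injection: {dlls}")
        elif section == "F2" and "UserInit=" in line:  # only userinit.exe belongs here
            for v in line.split("UserInit=", 1)[1].split(","):
                if v.strip() and v.strip().lower() != SYSTEM32 + r"\userinit.exe":
                    reasons.append(f"extra UserInit value: {v.strip()}")
        findings += [Finding(section, r, line) for r in reasons]
    return findings


def reasons_for(log_text, needle):
    """Reasons attached to the log lines containing `needle`."""
    return [f.reason for f in triage(log_text) if needle in f.line]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason:55} {f.line[:60]}")
```

Run against the sample, the legitimate NVIDIA, Steam and NVSvc lines produce nothing, while every line a helper would circle in this log gets at least one reason. The near-miss check is deliberately narrow (one edit) so that ordinary driver names such as nvsvc32.exe are not confused with svchost.exe.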


#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello Andy Br00t4l

Welcome to G2Go. :)
=====================
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information,
please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions
to apprise them of your situation.

Please read this for more information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
====================
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#3 Andy Br00t4l (Topic Starter, Member, 16 posts)
Ran ComboFix right away, and FYI for each Trojan that popped up, I haven't deleted them yet. I just denied access for this boot up. If necessary, I will run ComboFix again and delete the Trojans, but I wanted to hear your word first. As requested, here is my ComboFix log.

ComboFix 08-11-04.02 - Andy 2008-11-04 23:20:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.747 [GMT -5:00]
.
ADS - svchost.exe: deleted 25088 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator.PRODUCTION\Start Menu\Programs\Startup\userinit.exe
c:\documents and settings\Administrator.PRODUCTION\svchost.exe
c:\documents and settings\Andy\Application Data\Facegame
c:\documents and settings\Andy\Application Data\Facegame\FACEGAME.del
c:\documents and settings\Andy\Start Menu\Programs\Startup\userinit.exe
c:\documents and settings\Andy\svchost.exe
c:\documents and settings\LocalService\Application Data\1076308579.exe
c:\documents and settings\LocalService\Application Data\1170817257.exe
c:\documents and settings\LocalService\Application Data\wsnpoem
c:\documents and settings\LocalService\Application Data\wsnpoem\audio.dll
c:\documents and settings\NetworkService\Application Data\wsnpoem
c:\documents and settings\NetworkService\Application Data\wsnpoem\audio.dll
c:\program files\Microsoft Common
C:\userinit.exe
c:\windows\system32\124909
c:\windows\system32\2.bat
c:\windows\system32\adult.txt
c:\windows\system32\bhldlbcs.ini
c:\windows\system32\bydzev.dll
c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
c:\windows\system32\drivers\b7c8c2a6.sys
c:\windows\system32\drivers\cd528233.sys
c:\windows\system32\drivers\e9b348b3.sys
c:\windows\system32\drivers\services.exe
c:\windows\system32\Drivers\TDSSmhxt.sys
c:\windows\system32\finance.txt
c:\windows\system32\fuqobs.dll
c:\windows\system32\GQqYcccf.ini
c:\windows\system32\GQqYcccf.ini2
c:\windows\system32\gvapoijc.dll
c:\windows\system32\heaowqak.ini
c:\windows\system32\jravkwky.ini
c:\windows\system32\k86.bin
c:\windows\system32\kaqwoaeh.dll
c:\windows\system32\lt.res
c:\windows\system32\mcrh.tmp
c:\windows\system32\mihbowfs.dll
c:\windows\system32\nkjprlyr.dll
c:\windows\system32\ntos.exe
c:\windows\system32\other.txt
c:\windows\system32\pharma.txt
c:\windows\system32\psyche.exe
c:\windows\system32\PsycheEnqueue.exe
c:\windows\system32\sft.res
c:\windows\system32\sfwobhim.ini
c:\windows\system32\sn.txt
c:\windows\system32\sydbmejm.ini
c:\windows\system32\TDSSofxh.dll
c:\windows\system32\vhosts.exe
c:\windows\system32\wini10821.exe
c:\windows\system32\wsnpoem
c:\windows\system32\wsnpoem\audio.dll
c:\windows\system32\wsnpoem\video.dll
c:\windows\system32\yjncqcry.dll
c:\windows\system32\zbwcpgoa32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Psyche
-------\Legacy_Psyche
-------\Service_PsycheEnqueue
-------\Legacy_PsycheEnqueue
-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
-------\Legacy_fci
-------\Legacy_icf
-------\Legacy_msupdate
-------\Legacy_RESTORE
-------\Service_b7c8c2a6
-------\Service_cd528233
-------\Service_e9b348b3
-------\Service_icf
-------\Service_msupdate
-------\Service_restore


((((((((((((((((((((((((( Files Created from 2008-10-05 to 2008-11-05 )))))))))))))))))))))))))))))))
.

2008-11-04 21:51 . 2008-11-04 21:51 <DIR> d-------- c:\program files\Trend Micro
2008-11-04 03:19 . 2008-11-04 03:19 <DIR> d-------- c:\documents and settings\Andy\Application Data\Uniblue
2008-11-04 03:15 . 2008-11-04 03:15 <DIR> d-------- c:\program files\Uniblue
2008-11-04 03:15 . 2008-11-04 03:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-04 03:13 . 2008-11-04 03:57 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-04 03:13 . 2008-11-04 03:16 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-11-03 12:12 . 2008-11-03 12:12 10,000 --a------ c:\windows\system32\jksf83deff.dll
2008-11-02 23:54 . 2008-11-02 23:54 33,792 --a------ c:\windows\system32\ckds16.dll
2008-11-02 23:22 . 2008-11-02 23:22 268 --ah----- C:\sqmdata10.sqm
2008-11-02 23:22 . 2008-11-02 23:22 244 --ah----- C:\sqmnoopt10.sqm
2008-11-02 23:09 . 2004-08-03 20:07 4,224 --a------ c:\windows\system32\drivers\beep.sys
2008-11-02 21:18 . 2008-11-02 21:18 <DIR> d-------- c:\program files\Lavasoft
2008-11-02 21:18 . 2008-11-02 23:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-02 21:17 . 2008-11-04 03:57 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-02 21:04 . 2008-11-02 21:04 <DIR> d-------- c:\documents and settings\Andy\Application Data\Malwarebytes
2008-11-02 21:03 . 2008-11-02 21:03 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-02 21:03 . 2008-11-02 21:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-02 21:03 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-02 21:03 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-02 20:44 . 2008-11-02 20:44 268 --ah----- C:\sqmdata09.sqm
2008-11-02 20:44 . 2008-11-02 20:44 244 --ah----- C:\sqmnoopt09.sqm
2008-11-02 20:37 . 2008-11-02 20:37 <DIR> d-------- c:\program files\Avira
2008-11-02 20:37 . 2008-11-02 20:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-11-02 20:19 . 2008-11-02 20:19 134 --a------ c:\documents and settings\Andy\delself.bat
2008-11-02 20:01 . 2008-11-03 12:12 16,451 --a------ c:\windows\gmail.com-error.html
2008-11-02 20:01 . 2008-11-03 12:12 6,182 --a------ c:\windows\live.com-error.html
2008-11-02 20:01 . 2008-11-03 12:12 5,596 --a------ c:\windows\aol.com-error.html
2008-11-02 20:01 . 2008-11-03 12:12 3,696 --a------ c:\windows\google.com-error.html
2008-11-02 20:01 . 2008-11-03 12:12 1,997 --a------ c:\windows\search.yahoo.com-error.html
2008-11-02 19:15 . 2007-01-16 15:07 346,624 --a--c--- c:\windows\system32\OLD63.tmp
2008-11-02 19:15 . 2007-01-16 15:07 346,624 --a------ c:\windows\system32\msscp.dll
2008-11-01 02:23 . 2002-01-01 06:18 9,728 --a------ C:\fjoofg.exe
2008-11-01 01:03 . 2008-11-01 01:03 113,664 --a--c--- c:\windows\system32\JPXQQZ.del
2008-11-01 00:57 . 2008-11-01 00:57 3,120 --a------ c:\windows\system32\DRWSJLAD.ocx
2008-11-01 00:57 . 2008-11-01 00:57 3,120 --a------ c:\windows\LJRGKDD9.ocx
2008-11-01 00:54 . 2008-11-04 03:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Defender Pro
2008-11-01 00:33 . 2008-11-01 00:54 <DIR> d-------- c:\program files\Defender Pro
2008-11-01 00:25 . 2008-11-04 23:22 <DIR> d-------- c:\documents and settings\Administrator.PRODUCTION
2008-10-26 08:05 . 2008-10-26 08:05 268 --ah----- C:\sqmdata05.sqm
2008-10-26 08:05 . 2008-10-26 08:05 244 --ah----- C:\sqmnoopt05.sqm
2008-10-26 03:06 . 2008-10-26 03:06 588 --a------ c:\windows\system32\settingsbkup.sfm
2008-10-26 03:06 . 2008-10-26 03:06 588 --a------ c:\windows\system32\settings.sfm
2008-10-25 16:47 . 2008-10-25 16:47 268 --ah----- C:\sqmdata04.sqm
2008-10-25 16:47 . 2008-10-25 16:47 244 --ah----- C:\sqmnoopt04.sqm
2008-10-23 13:32 . 2008-08-14 04:55 2,142,720 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-23 13:32 . 2008-08-14 04:18 2,020,864 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-05 04:27 --------- d-----w c:\program files\Steam
2008-11-05 04:09 --------- d-----w c:\documents and settings\Andy\Application Data\.purple
2008-11-05 03:58 23,654 ----a-w c:\windows\system32\duplex.dll
2008-11-05 03:42 --------- d-----w c:\documents and settings\Andy\Application Data\gtk-2.0
2008-11-04 09:03 --------- d-----w c:\program files\Viewpoint
2008-11-04 09:03 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-04 08:59 --------- d-----w c:\program files\Windows Live
2008-11-04 08:59 --------- d-----w c:\program files\AIM
2008-11-04 08:58 --------- d-----w c:\program files\Common Files\AOL
2008-11-04 08:46 --------- d-----w c:\program files\uTorrent
2008-11-04 08:46 --------- d-----w c:\documents and settings\Andy\Application Data\uTorrent
2008-11-04 01:52 21,840 -c--atw c:\windows\system32\SIntfNT.dll
2008-11-04 01:52 17,212 -c--atw c:\windows\system32\SIntf32.dll
2008-11-04 01:52 12,067 -c--atw c:\windows\system32\SIntf16.dll
2008-11-03 06:57 14,336 ----a-w c:\windows\system32\svchost.exe
2008-10-26 03:26 --------- d-----w c:\program files\Streamripper
2008-10-25 20:18 --------- d-----w c:\program files\Warsow
2008-10-02 11:08 --------- d-----w c:\program files\Codemasters
2008-09-30 23:00 --------- d-----w c:\program files\VoiceSync
2008-09-30 02:33 --------- d-----w c:\documents and settings\Andy\Application Data\Canneverbe_Limited
2008-09-29 23:15 --------- d-----w c:\program files\Reference Assemblies
2008-09-29 23:15 --------- d-----w c:\program files\MSBuild
2008-09-29 07:55 --------- d-----w c:\program files\Winamp
2008-09-29 07:55 --------- d-----w c:\documents and settings\All Users\Application Data\OrbNetworks
2008-09-29 07:54 --------- d-----w c:\documents and settings\Andy\Application Data\Winamp
2008-09-29 07:44 --------- d-----w c:\program files\Winamp Toolbar
2008-09-29 07:44 --------- d-----w c:\program files\Winamp Remote
2008-09-29 07:44 --------- d-----w c:\documents and settings\All Users\Application Data\Winamp Toolbar
2008-09-28 09:35 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-09-28 09:33 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-09-22 04:04 --------- d-----w c:\program files\Drug Wars
2008-09-21 22:51 --------- d-----w c:\program files\MSXML 6.0
2008-09-21 22:45 --------- d-----w c:\program files\MSXML 4.0
2008-09-19 07:54 --------- d-----w c:\documents and settings\Andy\Application Data\Warsow
2008-09-16 20:34 --------- d-----w c:\documents and settings\Andy\Application Data\streamripper
2008-09-16 04:42 --------- d-----w c:\program files\Audacity
2008-09-16 03:02 --------- d-----w c:\documents and settings\Andy\Application Data\NCH Software
2008-09-16 03:02 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Software
2008-09-15 12:17 1,846,912 ----a-w c:\windows\system32\win32k.sys
2008-08-20 05:33 667,648 ----a-w c:\windows\system32\wininet.dll
2008-08-14 09:57 2,185,984 -c--a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:18 2,062,976 -c--a-w c:\windows\system32\ntkrnlpa.exe
2002-10-01 19:43 119,798 -c--a-w c:\windows\inf\spca561.sys
2002-01-01 05:57 2 --shatr c:\windows\winstart.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2008-07-16 1266992]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5AF42A3-94F3-42BD-F434-3604832C897D}]
2008-11-03 12:12 10000 --a------ c:\windows\system32\jksf83deff.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Andy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2002-01-02 133104]
"Steam"="c:\program files\steam\steam.exe" [2002-01-01 1410296]
"Uniblue RegistryBooster 2009"="c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe" [2008-08-26 2019624]
"Jnskdfmf9eldfd"="c:\docume~1\Andy\LOCALS~1\Temp\csrssc.exe" [2008-11-04 20993]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 36975]
"Media Codec Update Service"="c:\program files\Essentials Codec Pack\update.exe" [2007-04-08 303104]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]
"CTHelper"="CTHELPER.EXE" [2008-06-27 c:\windows\system32\CtHelper.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogOff"= 0 (0x0)
"NoFolderOptions"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{C5AF42A3-94F3-42BD-F434-3604832C897D}"= "c:\windows\system32\jksf83deff.dll" [2008-11-03 10000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\duplex]
2008-11-04 22:58 23654 c:\windows\system32\duplex.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=karna.dat fuqobs.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dplx.sys]
@="Driver"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jnskdfmf9eldfd]
---h----- 2008-11-04 23:28 20993 c:\docume~1\Andy\LOCALS~1\temp\csrssc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=

R1 dplx;PCI Express DMA;c:\windows\system32\dplx.sys [2002-01-01 8608]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.SYS [2008-06-27 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.SYS [2008-06-27 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.SYS [2008-06-27 566296]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [2008-06-27 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [2008-06-27 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.SYS [2008-06-27 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [2008-06-27 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [2008-06-27 566296]
S3 mbamswissarmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-10-22 38496]
S3 partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [ ]
S3 regguard;RegGuard;c:\windows\system32\Drivers\regguard.sys [2002-01-01 25773]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{a744f16c-b2d5-4138-81a2-085cdfcde83a}]
rundll32 ckds16.dll,InitModule
.
Contents of the 'Scheduled Tasks' folder

2002-01-01 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Andy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2002-01-02 03:00]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe
HKCU-Run-jsg8jfgfdfhfhf - c:\windows\TEMP\winlogun.exe
HKLM-Run-e0dc39ce - c:\windows\system32\kaqwoaeh.dll
HKU-Default-Run-[system] - c:\windows\system32\drivers\services.exe
HKU-Default-Run-winlogon - c:\documents and settings\LocalService\svchost.exe
Notify-efcCrqPf - efcCrqPf.dll
Notify-zbwcpgoa - zbwcpgoa.dll
SafeBoot-ati0sxxx.sys
MSConfigStartUp-aim - c:\program files\AIM\aim.exe
MSConfigStartUp-aim6 - c:\program files\AIM6\aim6.exe
MSConfigStartUp-msnmsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Andy\Application Data\Mozilla\Firefox\Profiles\a89qkb99.default\
FF -: plugin - c:\documents and settings\Andy\Local Settings\Application Data\Google\Update\1.2.131.25\npGoogleOneClick6.dll
FF -: plugin - c:\program files\Java\jre1.5.0_03\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_03\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_03\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_03\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_03\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
FF -: plugin - c:\program files\Java\jre1.5.0_03\bin\NPOJI610.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-04 23:26:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\windows\system32\rundll32.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-04 23:32:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-05 04:32:01

Pre-Run: 156,551,786,496 bytes free
Post-Run: 158,452,043,776 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="help" no

312 --- E O F --- 2008-11-03 06:11:13

Edited by Andy Br00t4l, 04 November 2008 - 10:37 PM.


#4 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Please do not delete anything yet.
=======================
1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Driver::
dplx

File::
c:\windows\system32\jksf83deff.dll
c:\windows\system32\ckds16.dll
c:\documents and settings\Andy\delself.bat
C:\fjoofg.exe
c:\windows\system32\duplex.dll
c:\windows\system32\dplx.sys
c:\docume~1\Andy\LOCALS~1\temp\csrssc.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5AF42A3-94F3-42BD-F434-3604832C897D}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogOff"=-
"NoFolderOptions"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{C5AF42A3-94F3-42BD-F434-3604832C897D}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\duplex]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dplx.sys]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jnskdfmf9eldfd]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{a744f16c-b2d5-4138-81a2-085cdfcde83a}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Jnskdfmf9eldfd"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

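The CFScript above is worth reading as a small program rather than a blob to paste: the `Driver::` and `File::` sections name things to remove, and the `Registry::` section reuses .reg-file syntax, where `[-KEY]` deletes a key, a bare `[KEY]` selects the key that the following value lines apply to, `"name"=-` deletes a value, and `"name"=""` sets it to an empty string (this is how the script clears `AppInit_DLLs` instead of deleting it). The parser below is an added example, not ComboFix's own code; it interprets an abridged copy of the posted script and lists what each directive does. The `~` abbreviation in the BHO key path is left as ComboFix wrote it, and the action wording is this example's, not ComboFix's.

```python
"""Parse a ComboFix CFScript and list what each directive does.
Added example, not ComboFix's own code.  Registry lines use .reg syntax:
    [-KEY]      delete the whole key
    [KEY]       select a key for the value lines that follow
    "name"=-    delete that value
    "name"="x"  set that value to the string x
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: an abridged copy of the script posted above.
SAMPLE_SCRIPT = r"""
Driver::
dplx

File::
c:\windows\system32\jksf83deff.dll
c:\windows\system32\dplx.sys
c:\docume~1\Andy\LOCALS~1\temp\csrssc.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5AF42A3-94F3-42BD-F434-3604832C897D}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogOff"=-
"NoFolderOptions"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\duplex]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dplx.sys]

"""


@dataclass
class CFScript:
    drivers: list = field(default_factory=list)
    files: list = field(default_factory=list)
    registry: list = field(default_factory=list)  # (action, key, value_name, data)


SECTION_RE = re.compile(r"^(\w+)::$")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_cfscript(text):
    """Walk the script line by line, tracking the current section and key."""
    script, section, current_key = CFScript(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1).lower(), None
            continue
        if section == "driver":
            script.drivers.append(line)
        elif section == "file":
            script.files.append(line)
        elif section == "registry":
            if (m := KEY_RE.match(line)):
                if m.group(1) == "-":            # [-KEY]: delete the key outright
                    script.registry.append(("delete_key", m.group(2), None, None))
                    current_key = None
                else:                            # [KEY]: following values live here
                    current_key = m.group(2)
            elif (m := VALUE_RE.match(line)) and current_key:
                name, data = m.groups()
                if data == "-":                  # "name"=-  deletes the value
                    script.registry.append(("delete_value", current_key, name, None))
                else:                            # "name"="x" sets it (here: "")
                    script.registry.append(("set_value", current_key, name, data.strip('"')))
            else:
                raise ValueError(f"unrecognised registry line: {line!r}")
        else:
            raise ValueError(f"line outside a known section: {line!r}")
    return script


def describe(script):
    """Human-readable list of actions, in script order."""
    out = [f"remove driver/service {d}" for d in script.drivers]
    out += [f"delete file {f}" for f in script.files]
    for action, key, name, data in script.registry:
        if action == "delete_key":
            out.append(f"delete key {key}")
        elif action == "delete_value":
            out.append(f"delete value {name} under {key}")
        else:
            out.append(f"set value {name} under {key} to {data!r}")
    return out


if __name__ == "__main__":
    for step in describe(parse_cfscript(SAMPLE_SCRIPT)):
        print(step)
```

Reading the output makes the intent of the script clear: the `policies\system` and `policies\explorer` deletions are what give regedit and Folder Options back, the `Winlogon\Notify\duplex` and `SafeBoot\Minimal\dplx.sys` deletions stop the driver from being reloaded at logon and in Safe Mode, and emptying `AppInit_DLLs` stops the DLL being injected into every process that loads user32.dll.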

#5
Andy Br00t4l
    Member

  • Topic Starter
  • Member
  • 16 posts
New Combofix log:

ComboFix 08-11-04.02 - Andy 2008-11-05 12:39:40.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.671 [GMT -5:00]
Running from: c:\documents and settings\Andy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Andy\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\docume~1\Andy\LOCALS~1\temp\csrssc.exe
c:\documents and settings\Andy\delself.bat
C:\fjoofg.exe
c:\windows\system32\ckds16.dll
c:\windows\system32\dplx.sys
c:\windows\system32\duplex.dll
c:\windows\system32\jksf83deff.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Andy\LOCALS~1\temp\csrssc.exe
c:\documents and settings\Andy\delself.bat
C:\fjoofg.exe
c:\windows\system32\ckds16.dll
c:\windows\system32\dplx.sys
c:\windows\system32\duplex.dll
c:\windows\system32\jksf83deff.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_dplx
-------\Service_dplx


((((((((((((((((((((((((( Files Created from 2008-10-05 to 2008-11-05 )))))))))))))))))))))))))))))))
.

2008-11-04 21:51 . 2008-11-04 21:51 <DIR> d-------- c:\program files\Trend Micro
2008-11-04 03:19 . 2008-11-04 03:19 <DIR> d-------- c:\documents and settings\Andy\Application Data\Uniblue
2008-11-04 03:15 . 2008-11-04 03:15 <DIR> d-------- c:\program files\Uniblue
2008-11-04 03:15 . 2008-11-04 03:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-04 03:13 . 2008-11-04 03:57 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-04 03:13 . 2008-11-04 03:16 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-11-02 23:22 . 2008-11-02 23:22 268 --ah----- C:\sqmdata10.sqm
2008-11-02 23:22 . 2008-11-02 23:22 244 --ah----- C:\sqmnoopt10.sqm
2008-11-02 23:09 . 2004-08-03 20:07 4,224 --a------ c:\windows\system32\drivers\beep.sys
2008-11-02 21:18 . 2008-11-02 21:18 <DIR> d-------- c:\program files\Lavasoft
2008-11-02 21:18 . 2008-11-02 23:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-02 21:17 . 2008-11-04 03:57 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-02 21:04 . 2008-11-02 21:04 <DIR> d-------- c:\documents and settings\Andy\Application Data\Malwarebytes
2008-11-02 21:03 . 2008-11-02 21:03 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-02 21:03 . 2008-11-02 21:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-02 21:03 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-02 21:03 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-02 20:44 . 2008-11-02 20:44 268 --ah----- C:\sqmdata09.sqm
2008-11-02 20:44 . 2008-11-02 20:44 244 --ah----- C:\sqmnoopt09.sqm
2008-11-02 20:37 . 2008-11-02 20:37 <DIR> d-------- c:\program files\Avira
2008-11-02 20:37 . 2008-11-02 20:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-11-02 20:01 . 2008-11-03 12:12 16,451 --a------ c:\windows\gmail.com-error.html
2008-11-02 20:01 . 2008-11-03 12:12 6,182 --a------ c:\windows\live.com-error.html
2008-11-02 20:01 . 2008-11-03 12:12 5,596 --a------ c:\windows\aol.com-error.html
2008-11-02 20:01 . 2008-11-03 12:12 3,696 --a------ c:\windows\google.com-error.html
2008-11-02 20:01 . 2008-11-03 12:12 1,997 --a------ c:\windows\search.yahoo.com-error.html
2008-11-02 19:15 . 2007-01-16 15:07 346,624 --a--c--- c:\windows\system32\OLD63.tmp
2008-11-02 19:15 . 2007-01-16 15:07 346,624 --a------ c:\windows\system32\msscp.dll
2008-11-01 01:03 . 2008-11-01 01:03 113,664 --a--c--- c:\windows\system32\JPXQQZ.del
2008-11-01 00:57 . 2008-11-01 00:57 3,120 --a------ c:\windows\system32\DRWSJLAD.ocx
2008-11-01 00:57 . 2008-11-01 00:57 3,120 --a------ c:\windows\LJRGKDD9.ocx
2008-11-01 00:54 . 2008-11-04 03:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Defender Pro
2008-11-01 00:33 . 2008-11-01 00:54 <DIR> d-------- c:\program files\Defender Pro
2008-11-01 00:25 . 2008-11-04 23:22 <DIR> d-------- c:\documents and settings\Administrator.PRODUCTION
2008-10-26 08:05 . 2008-10-26 08:05 268 --ah----- C:\sqmdata05.sqm
2008-10-26 08:05 . 2008-10-26 08:05 244 --ah----- C:\sqmnoopt05.sqm
2008-10-26 03:06 . 2008-10-26 03:06 588 --a------ c:\windows\system32\settingsbkup.sfm
2008-10-26 03:06 . 2008-10-26 03:06 588 --a------ c:\windows\system32\settings.sfm
2008-10-25 16:47 . 2008-10-25 16:47 268 --ah----- C:\sqmdata04.sqm
2008-10-25 16:47 . 2008-10-25 16:47 244 --ah----- C:\sqmnoopt04.sqm
2008-10-23 13:32 . 2008-08-14 04:55 2,142,720 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-23 13:32 . 2008-08-14 04:18 2,020,864 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-05 17:44 --------- d-----w c:\program files\Steam
2008-11-05 09:36 --------- d-----w c:\documents and settings\Andy\Application Data\.purple
2008-11-05 03:42 --------- d-----w c:\documents and settings\Andy\Application Data\gtk-2.0
2008-11-04 09:03 --------- d-----w c:\program files\Viewpoint
2008-11-04 09:03 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-04 08:59 --------- d-----w c:\program files\Windows Live
2008-11-04 08:59 --------- d-----w c:\program files\AIM
2008-11-04 08:58 --------- d-----w c:\program files\Common Files\AOL
2008-11-04 08:46 --------- d-----w c:\program files\uTorrent
2008-11-04 08:46 --------- d-----w c:\documents and settings\Andy\Application Data\uTorrent
2008-10-26 03:26 --------- d-----w c:\program files\Streamripper
2008-10-25 20:18 --------- d-----w c:\program files\Warsow
2008-10-02 11:08 --------- d-----w c:\program files\Codemasters
2008-09-30 23:00 --------- d-----w c:\program files\VoiceSync
2008-09-30 02:33 --------- d-----w c:\documents and settings\Andy\Application Data\Canneverbe_Limited
2008-09-29 23:15 --------- d-----w c:\program files\Reference Assemblies
2008-09-29 23:15 --------- d-----w c:\program files\MSBuild
2008-09-29 07:55 --------- d-----w c:\program files\Winamp
2008-09-29 07:55 --------- d-----w c:\documents and settings\All Users\Application Data\OrbNetworks
2008-09-29 07:54 --------- d-----w c:\documents and settings\Andy\Application Data\Winamp
2008-09-29 07:44 --------- d-----w c:\program files\Winamp Toolbar
2008-09-29 07:44 --------- d-----w c:\program files\Winamp Remote
2008-09-29 07:44 --------- d-----w c:\documents and settings\All Users\Application Data\Winamp Toolbar
2008-09-28 09:35 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-09-28 09:33 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-09-22 04:04 --------- d-----w c:\program files\Drug Wars
2008-09-21 22:51 --------- d-----w c:\program files\MSXML 6.0
2008-09-21 22:45 --------- d-----w c:\program files\MSXML 4.0
2008-09-19 07:54 --------- d-----w c:\documents and settings\Andy\Application Data\Warsow
2008-09-16 20:34 --------- d-----w c:\documents and settings\Andy\Application Data\streamripper
2008-09-16 04:42 --------- d-----w c:\program files\Audacity
2008-09-16 03:02 --------- d-----w c:\documents and settings\Andy\Application Data\NCH Software
2008-09-16 03:02 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Software
2002-10-01 19:43 119,798 -c--a-w c:\windows\inf\spca561.sys
2002-01-01 05:57 2 --shatr c:\windows\winstart.bat
.

((((((((((((((((((((((((((((( snapshot@2008-11-04_23.31.21.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-05 17:44:43 16,384 ----atw c:\windows\temp\Perflib_Perfdata_13c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2008-07-16 1266992]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Andy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2002-01-02 133104]
"Steam"="c:\program files\steam\steam.exe" [2002-01-01 1410296]
"Uniblue RegistryBooster 2009"="c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe" [2008-08-26 2019624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 36975]
"Media Codec Update Service"="c:\program files\Essentials Codec Pack\update.exe" [2007-04-08 303104]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]
"CTHelper"="CTHELPER.EXE" [2008-06-27 c:\windows\system32\CtHelper.exe]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=

R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.SYS [2008-06-27 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.SYS [2008-06-27 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.SYS [2008-06-27 566296]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [2008-06-27 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [2008-06-27 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.SYS [2008-06-27 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [2008-06-27 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [2008-06-27 566296]
S3 partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [ ]
S3 regguard;RegGuard;c:\windows\system32\Drivers\regguard.sys [2002-01-01 25773]
.
Contents of the 'Scheduled Tasks' folder

2002-01-01 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Andy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2002-01-02 03:00]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-05 12:43:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\windows\system32\rundll32.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-05 12:48:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-05 17:48:10
ComboFix2.txt 2008-11-05 04:32:05

Pre-Run: 157,377,974,272 bytes free
Post-Run: 157,364,269,056 bytes free

196 --- E O F --- 2008-11-03 06:11:13

New HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:00 PM, on 11/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Documents and Settings\Andy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\program files\steam\steam.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://windiwsfsearch.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.net-studio.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = google.net-studio.org
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = google.net-studio.org
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Andy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (antivirscheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3882 bytes

#6
kahdah
    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
==============================================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
=====================
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#7
Andy Br00t4l
    Member

  • Topic Starter
  • Member
  • 16 posts
I messed up a little bit, but I don't think that will create a huge difference. I ran Malwarebytes and started deleting the entries, forgetting to create a log, so I stopped the removal and re-ran it. It messed up and blue-screened on me (tragic, I know). I ran ATF again, then re-ran Malwarebytes and it ran fine, so this is what I was left with. Most of the Trojans were deleted. I hope this doesn't prevent complete cleaning or screw anything up.

Malwarebytes log (or what was left of it):

Malwarebytes' Anti-Malware 1.30
Database version: 1368
Windows 5.1.2600 Service Pack 2

11/6/2008 2:36:51 AM
mbam-log-2008-11-06 (02-36-47).txt

Scan type: Quick Scan
Objects scanned: 33328
Time elapsed: 4 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\912525 (Trojan.BHO) -> No action taken.

Files Infected:
C:\WINDOWS\system32\avffhiya.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\EFCCRQPF.DLL.del (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\qoMcbyyV.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\KSAF83HFD.del (Trojan.FakeAlert) -> No action taken.
C:\pxdyf.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\SERVICES.del (Heuristics.Reserved.Word.Exploit) -> No action taken.

As for Kaspersky... Every time I download it, it downloads completely, but when it starts to update, Firefox closes and won't complete the scan/installation. This is as far as I've gotten.

#8
kahdah
    GeekU Teacher

  • Retired Staff
  • 15,822 posts
These entries in Malwarebytes say "No action taken."
If you removed them after the log was taken, that is fine, but if not, you will have to run it again and choose Remove Selected when prompted.

After that, try this one:

Please go HERE to run Panda's TotalScan
  • Select the bubble for Full scan
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Then the scan will begin
  • When the scan completes, click the Save button on the right of Scan details
  • Save it to a convenient location. Post the contents of the TotalScan report
