Need Help ASAP! Trojan [SOLVED] Interfering with Final Project due T

This topic is locked.
#1 diva3serita (Member, 24 posts)

Hi,
I have a Trojan virus in my system 32 folder. Please help. I'm in grad school and it's interfering with my final video project that's due tomorrow. Thanks.

Malwarebytes doesn't seem to find it when it does its scan, but Avira detects it (almost every second) but can't seem to do anything with it. I've run ATF Cleaner which didn't help, and when I tried to run GMER, when it scanned the folder containing the virus, my screen went blue, froze and displayed a page fault message with numbers something like 000000050. I can't run GMER in safe mode for some reason. Please help me someone!! I've tried everything.

HiJackthis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:26:02 PM, on 12/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1222134078553
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1228010194940
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\dot3api32.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 4919 bytes

Combofix Log:
ComboFix 08-12-13.03 - Administrator 2008-12-14 11:39:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.254.95 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-11-14 to 2008-12-14 )))))))))))))))))))))))))))))))
.

2008-12-14 10:36 . 2008-12-14 10:52 250 --a------ c:\windows\gmer.ini
2008-12-14 07:42 . 2008-12-14 07:42 <DIR> d-------- c:\program files\Avira
2008-12-14 07:42 . 2008-12-14 07:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-14 07:36 . 2008-12-14 07:36 <DIR> d-------- C:\ERDNT
2008-12-14 07:36 . 2008-12-14 07:36 <DIR> d-------- C:\!FixIEDef
2008-12-14 06:34 . 2008-12-14 06:34 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-14 06:34 . 2008-12-14 06:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-14 06:34 . 2008-12-14 06:34 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-14 06:34 . 2008-12-03 19:54 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-14 06:34 . 2008-12-03 19:54 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-14 00:28 . 2008-12-14 00:28 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-12-14 00:24 . 2008-12-14 07:36 <DIR> d-------- c:\windows\ERUNT
2008-12-14 00:07 . 2008-12-14 07:30 <DIR> d-------- C:\SDFix
2008-12-06 07:53 . 2008-12-08 20:24 6,144 --a------ c:\windows\GnuHashes.ini
2008-12-06 07:45 . 2008-12-10 11:58 1,822 --ahs---- c:\windows\system32\GroupPolicy000.dat
2008-12-06 07:30 . 2008-12-06 07:30 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Windows Search
2008-12-06 00:35 . 2008-12-06 00:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\QlipBoard
2008-12-05 09:40 . 2008-12-14 06:21 <DIR> d-------- c:\program files\QuickTime
2008-11-30 20:51 . 2008-11-30 20:51 <DIR> d-------- c:\windows\Sun
2008-11-30 15:54 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-11-30 15:54 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-11-29 21:34 . 2008-12-06 18:25 <DIR> d-------- c:\documents and settings\Administrator\Application Data\LimeWire
2008-11-29 21:32 . 2008-11-29 21:31 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-29 21:32 . 2008-11-29 21:31 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-29 21:31 . 2008-11-29 21:31 <DIR> d-------- c:\program files\Java
2008-11-29 20:59 . 2008-11-29 20:59 <DIR> d-------- C:\UnInstall
2008-11-29 20:58 . 2008-11-29 20:58 <DIR> d-------- c:\program files\Pixelan
2008-11-29 18:55 . 2008-11-29 18:55 <DIR> d-------- c:\program files\ffdshow
2008-11-29 18:55 . 2008-11-29 18:55 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InstallShield
2008-11-29 18:55 . 2008-12-09 17:10 60,273 --a------ c:\windows\system32\pthreadGC2.dll
2008-11-29 18:55 . 2008-12-09 17:10 7,680 --a------ c:\windows\system32\ff_vfw.dll
2008-11-29 18:55 . 2008-12-09 17:10 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2008-11-29 14:18 . 2008-11-29 14:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trymedia
2008-11-20 20:10 . 2008-11-20 20:10 <DIR> d-------- c:\program files\Google
2008-11-20 20:08 . 2008-11-26 20:22 <DIR> d-------- c:\windows\system32\Adobe
2008-11-19 21:03 . 2008-11-30 15:52 <DIR> d-------- c:\documents and settings\Administrator\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-14 08:35 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-06 05:37 0 ---h--w c:\program files\LauncherAppUpdate.log
2008-11-29 23:56 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-09-23 13:26 65,541 ----a-w c:\windows\BricoPackUninst.cmd
2008-09-23 13:26 6,120 ----a-w c:\windows\BricoPackFoldersDelete.cmd
.

((((((((((((((((((((((((((((( snapshot@2008-12-14_10.29.49.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-14 15:36:00 884,736 ----a-w c:\windows\gmer.dll
+ 2008-12-14 15:35:45 811,008 ----a-w c:\windows\gmer.exe
+ 2008-12-14 15:36:00 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
+ 2008-12-14 16:26:31 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
RocketDock.lnk - c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-18 630784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\dot3api32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-14 38496]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-14 11:42:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(540)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2008-12-14 11:45:09
ComboFix-quarantined-files.txt 2008-12-14 16:44:42
ComboFix2.txt 2008-12-14 15:31:06

Pre-Run: 29,671,948,288 bytes free
Post-Run: 29,666,267,136 bytes free

108 --- E O F --- 2008-12-14 08:32

RSIT log:

info.txt logfile of random's system information tool 1.04 2008-12-14 12:41:42

======Uninstall list======

-->C:\Program Files\InstallShield Installation Information\{2460923D-1AA6-47FE-A375-76308780D20F}\setup.exe -runfromtemp -l0x0009
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
Adobe Shockwave Player-->C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
BCM V.92 56K Modem-->C:\WINDOWS\BCMSMU.exe quiet
Broadcom 440x 10/100 Integrated Controller-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{52504CE6-E909-4113-B232-4AFEC6543A61} /l1033
Dell Wireless WLAN Card-->"C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe" verbose /rootkey="Software\Broadcom\802.11\UninstallInfo" /rootdir="C:\Program Files\Dell\Dell Wireless WLAN Card"
ffdshow [rev 1692] [2007-12-09]-->"C:\Program Files\ffdshow\unins000.exe"
Google Toolbar for Internet Explorer-->MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Hijackthis 1.99.1-->"C:\Program Files\Hijackthis\unins000.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB915800-v4)-->"C:\WINDOWS\$NtUninstallKB915800-v4$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Intel® Extreme Graphics 2 Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582
Java™ 6 Update 10-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216010FF}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
MSN Toolbar-->MsiExec.exe /I{6710FE30-27F7-492B-A660-D31D4A898A43}
Nero OEM-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Pack Vista Inspirat 2 1.0-->C:\WINDOWS\BricoPacks\Vista Inspirat 2\Remove.exe
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Security Update for 2007 Microsoft Office System (KB951550)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {B243E9A5-ED77-4F1B-B338-2486FD82DC85}
Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7}
Security Update for 2007 Microsoft Office System (KB958439)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {6491B8AA-D11C-4648-A461-6234B31EB7E2}
Security Update for Microsoft .NET Framework 2.0 (KB928365)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {8056AC9E-49C5-4375-9ADE-B2F862C9DF51} /package {7131646D-CD3C-40F4-97B9-CD9E4E6262EF}
Security Update for Microsoft Office Excel 2007 (KB958437)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {648FC016-2D6B-4A16-8D87-404533642F4B}
Security Update for Microsoft Office OneNote 2007 (KB950130)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F1B2401C-B610-4BF2-AA1C-52C55827A8F4}
Security Update for Microsoft Office PowerPoint 2007 (KB951338)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {558B709B-821B-4FC5-90FC-9A8890641E77}
Security Update for Microsoft Office Publisher 2007 (KB950114)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F}
Security Update for Microsoft Office system 2007 (KB956828)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {885E081B-72BD-4E76-8E98-30B4BE468FAC}
Security Update for Microsoft Office Word 2007 (KB956358)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {4551666D-0FD6-4C69-8A81-1C6F2E64517C}
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
SpiceFX 4.0 for Movie Maker-->C:\PROGRA~1\Pixelan\SpiceFX\UNINST~1\UNINST~1.EXE C:\PROGRA~1\Pixelan\SpiceFX\UNINST~1\Install.log
Update for Microsoft Office Outlook 2007 (KB952142)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {4AD3A076-427C-491F-A5B7-7D1DE788A756}
Update for Office 2007 (KB946691)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb958619)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {79B301C1-DBC0-467C-AFDA-2A6CDAFA4302}
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Search 4.0-->"C:\WINDOWS\$NtUninstallKB940157$\spuninst\spuninst.exe"
Windows XP Creativity Fun Packs - Windows Movie Maker 2-->MsiExec.exe /X{DA2D4D11-1811-4A24-B719-BF9F048C6106}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

======Hosts File======

127.0.0.1 localhost

======Security center information======

AV: Avira AntiVir PersonalEdition

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 9, GenuineIntel
"PROCESSOR_REVISION"=0209
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------
#2 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)

Hello diva3serita

welcome to geekstogo :)

Jotti File Submission:

Please go to Jotti's malware scan.
Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
C:\WINDOWS\System32\dot3api32.dll

Click on the submit button.

Please post the results of the scan in your next reply.

If Jotti is busy, try the same at Virustotal.

andrewuk
#3 diva3serita (Topic Starter, Member, 24 posts)

"The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file."

This is from Jotti's Malware Scan. P.S. Sorry for the double post. I incorrectly stated the location of the virus (system 23) and thought that people wouldn't respond.
#4 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\System32\dot3api32.dll


Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-


Save this as CFScript.txt, in the same location as ComboFix.exe.

[Posted image: screenshot of CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply,

and a new HijackThis log please.

andrewuk
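Added example (not part of the thread, and not a tool from the forum, HijackThis or ComboFix). The O20 line andrewuk picked out in post #2, and the Registry:: block in post #4 that clears it, both concern AppInit_DLLs: every DLL listed in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs is loaded by every process that loads user32.dll, i.e. essentially every GUI process on Windows XP, which is what makes it a valued persistence point and makes the DLL hard to remove while Windows is running. The script below pulls AppInit_DLLs paths out of HijackThis-style log lines (Windows splits that value on spaces and commas, so it does the same) and then fingerprints a file the way a helper would want before an upload is attempted: size first, so a 0-byte result from a scanner can be told apart from a file that is genuinely empty locally, then MD5/SHA-1/SHA-256 for lookup. The log lines are constructed here and modelled on the posted log; the "DLL" bytes it hashes are made up and not a real PE file.

```python
"""Extract AppInit_DLLs loading points from HijackThis-style log lines and
fingerprint the referenced file before submitting it to an online scanner.

Added example for this thread; not a tool from the forum or from the
HijackThis / ComboFix authors. Sample log lines are constructed and modelled
on the log posted above; the file contents below are made up.
"""
import hashlib
import os
import re
import tempfile

# Constructed sample: four HijackThis-style lines. Only the O20 line carries
# an AppInit_DLLs value; the others are realistic noise for the parser.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - AppInit_DLLs: C:\WINDOWS\System32\dot3api32.dll
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

# HijackThis lines are "<section> - <detail>", e.g. "O20 - AppInit_DLLs: ...".
HJT_LINE = re.compile(r"^([RFNO]\d+) - (.*)$")


def parse_hjt(text):
    """Return (section, detail) tuples for every recognised log line."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def find_appinit_dlls(entries):
    """Return every DLL path named in O20 AppInit_DLLs entries.

    Windows treats spaces and commas as separators in this registry value,
    so one entry can name several DLLs; split the same way Windows does.
    """
    dlls = []
    for section, detail in entries:
        if section == "O20" and detail.startswith("AppInit_DLLs:"):
            value = detail[len("AppInit_DLLs:"):]
            dlls.extend(p for p in re.split(r"[,\s]+", value) if p)
    return dlls


def file_fingerprint(path):
    """Size plus MD5/SHA-1/SHA-256 of a file, read in 64 KiB chunks.

    Run this on the suspect file before uploading it. If the size here is
    non-zero but the scanner receives 0 bytes, the upload (or the read) is
    being interfered with on the machine; if the size here is 0, the file
    really is empty and there is nothing to submit.
    """
    size = os.path.getsize(path)
    hashes = {"md5": hashlib.md5(), "sha1": hashlib.sha1(),
              "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashes.values():
                h.update(chunk)
    result = {name: h.hexdigest() for name, h in hashes.items()}
    result["size"] = size
    result["zero_length"] = size == 0
    return result


def demo():
    """Parse the constructed log, then fingerprint two constructed files."""
    dlls = find_appinit_dlls(parse_hjt(SAMPLE_HJT_LOG))
    with tempfile.TemporaryDirectory() as tmp:
        # Stand-in for the DLL: made-up bytes, not a real PE file.
        suspect = os.path.join(tmp, "dot3api32.dll")
        with open(suspect, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62 + b"constructed sample body")
        empty = os.path.join(tmp, "empty.dll")
        open(empty, "wb").close()
        return {
            "appinit_dlls": dlls,
            "suspect": file_fingerprint(suspect),
            "empty": file_fingerprint(empty),
        }


if __name__ == "__main__":
    out = demo()
    print("AppInit_DLLs entries:", out["appinit_dlls"])
    for label in ("suspect", "empty"):
        fp = out[label]
        print(f"{label}: size={fp['size']} zero_length={fp['zero_length']} "
              f"sha256={fp['sha256']}")
```

Paste a real HijackThis log into `SAMPLE_HJT_LOG` (or read it from a file) and point `file_fingerprint` at the path it reports. The hashes let a helper look the sample up on VirusTotal or similar without uploading anything, which sidesteps the 0-byte upload problem diva3serita ran into; the O20 extraction is the same check the CFScript above undoes by setting `"AppInit_DLLs"=-`.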
#5 diva3serita (Topic Starter, Member, 24 posts)

Thanks so much for helping me. I really appreciate it.

Here's the new Combofix log:

ComboFix 08-12-13.03 - Administrator 2008-12-14 17:03:59.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.254.65 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\System32\dot3api32.dll
.

((((((((((((((((((((((((( Files Created from 2008-11-14 to 2008-12-14 )))))))))))))))))))))))))))))))
.

2008-12-14 12:41 . 2008-12-14 12:41 <DIR> d-------- C:\rsit
2008-12-14 12:25 . 2008-12-14 12:25 <DIR> d-------- c:\program files\Trend Micro
2008-12-14 10:36 . 2008-12-14 10:52 250 --a------ c:\windows\gmer.ini
2008-12-14 07:42 . 2008-12-14 07:42 <DIR> d-------- c:\program files\Avira
2008-12-14 07:42 . 2008-12-14 07:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-14 07:36 . 2008-12-14 07:36 <DIR> d-------- C:\ERDNT
2008-12-14 07:36 . 2008-12-14 07:36 <DIR> d-------- C:\!FixIEDef
2008-12-14 06:34 . 2008-12-14 06:34 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-14 06:34 . 2008-12-14 06:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-14 06:34 . 2008-12-14 06:34 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-14 06:34 . 2008-12-03 19:54 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-14 06:34 . 2008-12-03 19:54 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-14 00:28 . 2008-12-14 00:28 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-12-14 00:24 . 2008-12-14 07:36 <DIR> d-------- c:\windows\ERUNT
2008-12-14 00:07 . 2008-12-14 07:30 <DIR> d-------- C:\SDFix
2008-12-06 07:53 . 2008-12-08 20:24 6,144 --a------ c:\windows\GnuHashes.ini
2008-12-06 07:45 . 2008-12-10 11:58 1,822 --ahs---- c:\windows\system32\GroupPolicy000.dat
2008-12-06 07:30 . 2008-12-06 07:30 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Windows Search
2008-12-06 00:35 . 2008-12-06 00:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\QlipBoard
2008-12-05 09:40 . 2008-12-14 06:21 <DIR> d-------- c:\program files\QuickTime
2008-11-30 20:51 . 2008-11-30 20:51 <DIR> d-------- c:\windows\Sun
2008-11-30 15:54 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-11-30 15:54 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-11-29 21:34 . 2008-12-06 18:25 <DIR> d-------- c:\documents and settings\Administrator\Application Data\LimeWire
2008-11-29 21:32 . 2008-11-29 21:31 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-29 21:32 . 2008-11-29 21:31 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-29 21:31 . 2008-11-29 21:31 <DIR> d-------- c:\program files\Java
2008-11-29 20:59 . 2008-11-29 20:59 <DIR> d-------- C:\UnInstall
2008-11-29 20:58 . 2008-11-29 20:58 <DIR> d-------- c:\program files\Pixelan
2008-11-29 18:55 . 2008-11-29 18:55 <DIR> d-------- c:\program files\ffdshow
2008-11-29 18:55 . 2008-11-29 18:55 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InstallShield
2008-11-29 18:55 . 2008-12-09 17:10 60,273 --a------ c:\windows\system32\pthreadGC2.dll
2008-11-29 18:55 . 2008-12-09 17:10 7,680 --a------ c:\windows\system32\ff_vfw.dll
2008-11-29 18:55 . 2008-12-09 17:10 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2008-11-29 14:18 . 2008-11-29 14:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trymedia
2008-11-20 20:10 . 2008-11-20 20:10 <DIR> d-------- c:\program files\Google
2008-11-20 20:08 . 2008-11-26 20:22 <DIR> d-------- c:\windows\system32\Adobe
2008-11-19 21:03 . 2008-11-30 15:52 <DIR> d-------- c:\documents and settings\Administrator\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-14 08:35 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-06 05:37 0 ---h--w c:\program files\LauncherAppUpdate.log
2008-11-29 23:56 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-23 13:26 65,541 ----a-w c:\windows\BricoPackUninst.cmd
2008-09-23 13:26 6,120 ----a-w c:\windows\BricoPackFoldersDelete.cmd
2008-09-23 13:26 218,624 ----a-w c:\windows\system32\uxtheme.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((( snapshot@2008-12-14_10.29.49.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-14 15:36:00 884,736 ----a-w c:\windows\gmer.dll
+ 2008-12-14 15:35:45 811,008 ----a-w c:\windows\gmer.exe
+ 2008-12-14 15:36:00 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
+ 2008-12-14 16:26:31 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
RocketDock.lnk - c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-18 630784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-14 38496]

*Newly Created Service* - CATCHME
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-14 17:06:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(540)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2008-12-14 17:09:04
ComboFix-quarantined-files.txt 2008-12-14 22:08:36
ComboFix2.txt 2008-12-14 16:45:12
ComboFix3.txt 2008-12-14 15:31:06

Pre-Run: 29,643,096,064 bytes free
Post-Run: 29,638,713,344 bytes free

128 --- E O F --- 2008-12-14 08:36:13

and the HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:05 PM, on 12/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1222134078553
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1228010194940
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 4737 bytes

#6
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
I suspect we have cleared the main infection.

we have more to do, but the next step is likely to take 2 to 3 hours at least.

given the time constraint you are under, is your machine in working order?

if so, let me know and you can continue with your project and come back tomorrow.

if not, let me know also.

andrewuk

#7
diva3serita
    Member
  • Topic Starter
  • Member
  • 24 posts
Hi, I emailed my professor to let her know that I'd run into some problems. She already has my draft (I only had to make a few changes), and she said it would be okay if I got it to her on Tuesday. I would like to get this thing under control if possible. Once again, thanks for helping me. BTW, I'm accustomed to all-nighters!!! So 2-3 hours is no big deal. I can wait.

#8
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
in this post we will do some general scans to clear away any remnants and ensure nothing else sneaked onto your machine.

the scans will likely take 3 hours, quite possibly much longer. so just let them run.


====STEP 1====
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.



====STEP 2====
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
====STEP 3====
Please go HERE to run Panda's TotalScan
  • Select the bubble for Scan now
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Then the scan will begin
  • When the scan completes, click the Save button on the right of Scan details
  • Save it to a convenient location. Post the contents of the TotalScan report
In your next reply could I see:
1. the superantispyware log
2. the pandatotalscan log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk

#9
diva3serita
    Member
  • Topic Starter
  • Member
  • 24 posts
When running the above programs should I disable all anti-virus/malware?

#10
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts

When running the above programs should I disable all anti-virus/malware?

no, you don't need to.

#11
diva3serita
    Member
  • Topic Starter
  • Member
  • 24 posts
SuperAntiSpyware

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/14/2008 at 09:38 PM

Application Version : 4.23.1006

Core Rules Database Version : 3674
Trace Rules Database Version: 1653

Scan type : Complete Scan
Total Scan Time : 01:03:52

Memory items scanned : 370
Memory threats detected : 0
Registry items scanned : 5591
Registry threats detected : 0
File items scanned : 30305
File threats detected : 2

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt

Panda TotalScan:
;*******************************************************************************
ANALYSIS: 2008-12-14 23:51:17
PROTECTIONS: 1
MALWARE: 11
SUSPECTS: 2
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
Avira AntiVir PersonalEdition 8.0.1.30 Yes Yes
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[2].txt
00519333 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{8BA1F710-6C35-4E31-8159-CA3F0BA640C7}\RP43\A0039831.exe
01185375 Application/Psexec.A HackTools No 0 Yes No C:\WINDOWS\PSEXESVC.EXE
03738686 Generic Malware Virus/Trojan No 0 Yes No C:\SDFix\catchme.exe
03738686 Generic Malware Virus/Trojan No 0 Yes No C:\SDFix\apps\Cghtme.exe
04306495 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicyManifest\4.setup.zip.vir[setup.exe]
04306500 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicyManifest\2.crack.zip.vir[crack.exe]
04306509 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicyManifest\3.video.zip.vir[video.exe]
04306510 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicyManifest\7.keygen.zip.vir[keygen.exe]
04315709 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicyManifest\6.limepro.zip.vir[lime_pro_crack.exe]
04329360 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicyManifest\5.unpack.zip.vir[unpack.exe]
04366342 Generic Trojan Virus/Trojan No 0 Yes No C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
;===============================================================================
SUSPECTS
Sent Location >R
;===============================================================================
No C:\System Volume Information\_restore{8BA1F710-6C35-4E31-8159-CA3F0BA640C7}\RP41\A0039442.dll >R
No C:\System Volume Information\_restore{8BA1F710-6C35-4E31-8159-CA3F0BA640C7}\RP43\A0039830.dll >R
;===============================================================================
VULNERABILITIES
Id Severity Description >R
;===============================================================================
;===============================================================================

#12
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
the pandatotalscan only picked up items safely quarantined. so we will clear up a few stragglers.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\GnuHashes.ini
c:\windows\system32\GroupPolicy000.dat


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

and a new hijackthis log.

could you also tell me how your machine is running now?

andrewuk
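The helper's reading of the TotalScan report in post #11 is that every hit sits somewhere it cannot run from: ComboFix's Qoobox quarantine, a System Restore snapshot, or one of the removal tools themselves (routinely flagged as HackTools). The script below, an added example for this thread rather than Panda's or ComboFix's own code, makes that triage mechanical by parsing the MALWARE table and sorting each row by its location, so a live hit cannot be overlooked among the inert ones. The tool-path list is an assumption about which flagged files are tool components; the sample rows are copied from the report above.

```python
"""Triage the MALWARE table of a Panda TotalScan report by where each hit lives.

Added example written for this thread; not Panda's or ComboFix's code.
"""
import re
from collections import defaultdict

ROW = re.compile(
    r"^(?P<id>\d{8})\s+(?P<desc>.+?)\s+(?P<type>\S+)\s+"
    r"(?P<active>Yes|No)\s+(?P<severity>\d+)\s+"
    r"(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+(?P<location>\S.*)$"
)
DECLARED = re.compile(r"^MALWARE:\s*(\d+)\s*$", re.MULTILINE)

# Locations a file cannot execute from unless someone deliberately restores it.
INERT_PREFIXES = {
    "quarantine": ("c:\\qoobox\\quarantine\\",),
    "restore_point": ("c:\\system volume information\\_restore",),
}
# Assumed tool components: SDFix/catchme, ComboFix itself and the PsExec
# service it drops.  Adjust to the tools actually used on the machine.
TOOL_DIRS = ("c:\\sdfix\\",)
TOOL_FILES = ("\\combofix.exe", "c:\\windows\\psexesvc.exe")

# Rows copied from the TotalScan report posted above.
SAMPLE_REPORT = r"""
MALWARE: 11
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[2].txt
00519333 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{8BA1F710-6C35-4E31-8159-CA3F0BA640C7}\RP43\A0039831.exe
01185375 Application/Psexec.A HackTools No 0 Yes No C:\WINDOWS\PSEXESVC.EXE
03738686 Generic Malware Virus/Trojan No 0 Yes No C:\SDFix\catchme.exe
03738686 Generic Malware Virus/Trojan No 0 Yes No C:\SDFix\apps\Cghtme.exe
04306495 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicyManifest\4.setup.zip.vir[setup.exe]
04306500 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicyManifest\2.crack.zip.vir[crack.exe]
04306509 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicyManifest\3.video.zip.vir[video.exe]
04306510 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicyManifest\7.keygen.zip.vir[keygen.exe]
04315709 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicyManifest\6.limepro.zip.vir[lime_pro_crack.exe]
04329360 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicyManifest\5.unpack.zip.vir[unpack.exe]
04366342 Generic Trojan Virus/Trojan No 0 Yes No C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
SUSPECTS
"""


def parse_rows(report: str):
    """Yield one dict per MALWARE table row; every other line is ignored."""
    for line in report.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["severity"] = int(row["severity"])
            yield row


def classify(row: dict) -> str:
    """Where the hit lives decides whether it can still do anything."""
    loc = row["location"].lower()
    for label, prefixes in INERT_PREFIXES.items():
        if loc.startswith(prefixes):
            return label
    if row["type"] == "TrackingCookie":
        return "tracking_cookie"
    if loc.startswith(TOOL_DIRS) or loc.endswith(TOOL_FILES):
        return "tool_component"
    return "live"  # anything else still needs a human decision


def triage(report: str) -> dict:
    """Group the parsed rows by category."""
    groups = defaultdict(list)
    for row in parse_rows(report):
        groups[classify(row)].append(row)
    return dict(groups)


def count_check(report: str) -> tuple:
    """(declared, rows, distinct ids).  The report above lists 12 rows under
    MALWARE: 11 because the two catchme copies share id 03738686, so the
    header is compared with distinct ids rather than with row count."""
    rows = list(parse_rows(report))
    m = DECLARED.search(report)
    declared = int(m.group(1)) if m else None
    return declared, len(rows), len({r["id"] for r in rows})


if __name__ == "__main__":
    for label, rows in triage(SAMPLE_REPORT).items():
        print(f"{label}: {len(rows)}")
    print("declared/rows/distinct:", count_check(SAMPLE_REPORT))
```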

#13
diva3serita
    Member
  • Topic Starter
  • Member
  • 24 posts
It's running much, much better!!! I finished my project this morning and submitted it on time! Thank you so much!!!

ComboFix

ComboFix 08-12-13.03 - Administrator 2008-12-15 10:21:07.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.254.66 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\GnuHashes.ini
c:\windows\system32\GroupPolicy000.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\GnuHashes.ini
c:\windows\system32\GroupPolicy000.dat

.
((((((((((((((((((((((((( Files Created from 2008-11-15 to 2008-12-15 )))))))))))))))))))))))))))))))
.

2008-12-14 22:13 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-12-14 22:12 . 2008-12-14 22:12 <DIR> d-------- c:\windows\LastGood
2008-12-14 22:12 . 2008-12-14 22:12 <DIR> d-------- c:\program files\Panda Security
2008-12-14 20:30 . 2008-12-14 20:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-14 20:29 . 2008-12-14 20:29 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-14 20:29 . 2008-12-14 20:29 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-12-14 20:28 . 2008-12-14 20:28 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-14 12:41 . 2008-12-14 12:41 <DIR> d-------- C:\rsit
2008-12-14 12:25 . 2008-12-14 12:25 <DIR> d-------- c:\program files\Trend Micro
2008-12-14 10:36 . 2008-12-14 10:52 250 --a------ c:\windows\gmer.ini
2008-12-14 07:42 . 2008-12-14 07:42 <DIR> d-------- c:\program files\Avira
2008-12-14 07:42 . 2008-12-14 07:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-14 07:36 . 2008-12-14 07:36 <DIR> d-------- C:\ERDNT
2008-12-14 07:36 . 2008-12-14 07:36 <DIR> d-------- C:\!FixIEDef
2008-12-14 06:34 . 2008-12-14 06:34 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-14 06:34 . 2008-12-14 06:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-14 06:34 . 2008-12-14 06:34 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-14 06:34 . 2008-12-03 19:54 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-14 06:34 . 2008-12-03 19:54 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-14 00:28 . 2008-12-14 00:28 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-12-14 00:24 . 2008-12-14 07:36 <DIR> d-------- c:\windows\ERUNT
2008-12-14 00:07 . 2008-12-14 07:30 <DIR> d-------- C:\SDFix
2008-12-06 07:30 . 2008-12-06 07:30 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Windows Search
2008-12-06 00:35 . 2008-12-06 00:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\QlipBoard
2008-12-05 09:40 . 2008-12-14 06:21 <DIR> d-------- c:\program files\QuickTime
2008-11-30 20:51 . 2008-11-30 20:51 <DIR> d-------- c:\windows\Sun
2008-11-30 15:54 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-11-30 15:54 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-11-29 21:34 . 2008-12-06 18:25 <DIR> d-------- c:\documents and settings\Administrator\Application Data\LimeWire
2008-11-29 21:32 . 2008-11-29 21:31 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-29 21:32 . 2008-11-29 21:31 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-29 21:31 . 2008-11-29 21:31 <DIR> d-------- c:\program files\Java
2008-11-29 20:59 . 2008-11-29 20:59 <DIR> d-------- C:\UnInstall
2008-11-29 20:58 . 2008-11-29 20:58 <DIR> d-------- c:\program files\Pixelan
2008-11-29 18:55 . 2008-11-29 18:55 <DIR> d-------- c:\program files\ffdshow
2008-11-29 18:55 . 2008-11-29 18:55 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InstallShield
2008-11-29 18:55 . 2008-12-09 17:10 60,273 --a------ c:\windows\system32\pthreadGC2.dll
2008-11-29 18:55 . 2008-12-09 17:10 7,680 --a------ c:\windows\system32\ff_vfw.dll
2008-11-29 18:55 . 2008-12-09 17:10 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2008-11-29 14:18 . 2008-11-29 14:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trymedia
2008-11-20 20:10 . 2008-11-20 20:10 <DIR> d-------- c:\program files\Google
2008-11-20 20:08 . 2008-11-26 20:22 <DIR> d-------- c:\windows\system32\Adobe
2008-11-19 21:03 . 2008-11-30 15:52 <DIR> d-------- c:\documents and settings\Administrator\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-14 08:35 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-06 05:37 0 ---h--w c:\program files\LauncherAppUpdate.log
2008-11-29 23:56 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-23 13:26 65,541 ----a-w c:\windows\BricoPackUninst.cmd
2008-09-23 13:26 6,120 ----a-w c:\windows\BricoPackFoldersDelete.cmd
2008-09-23 13:26 218,624 ----a-w c:\windows\system32\uxtheme.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
.

------- Sigcheck -------

2008-04-13 19:12 975872 561a50497324f378e30f55d09b4e1258 c:\windows\explorer.exe
2004-08-04 05:00 1032192 a0732187050030ae399b241436565e64 c:\windows\$NtServicePackUninstall$\explorer.exe
2008-04-13 19:12 975872 561a50497324f378e30f55d09b4e1258 c:\windows\ServicePackFiles\i386\explorer.exe
.
((((((((((((((((((((((((((((( snapshot@2008-12-14_10.29.49.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-30 15:39:58 128,256 ----a-w c:\windows\Downloaded Program Files\as2stubie.dll
+ 2008-12-14 15:36:00 884,736 ----a-w c:\windows\gmer.dll
+ 2008-12-14 15:35:45 811,008 ----a-w c:\windows\gmer.exe
+ 2008-12-15 01:29:53 18,944 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-12-15 01:29:53 65,024 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-12-14 15:36:00 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
+ 2008-12-14 16:26:31 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-04 1809648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
RocketDock.lnk - c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-18 630784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-14 38496]

*Newly Created Service* - CATCHME
*Newly Created Service* - SASDIFSV
*Newly Created Service* - SASENUM
*Newly Created Service* - SASKUTIL
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-15 10:24:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(540)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2008-12-15 10:26:50
ComboFix-quarantined-files.txt 2008-12-15 15:26:20
ComboFix2.txt 2008-12-14 22:09:06
ComboFix3.txt 2008-12-14 16:45:12
ComboFix4.txt 2008-12-14 15:31:06

Pre-Run: 29,395,722,240 bytes free
Post-Run: 29,397,622,784 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

164 --- E O F --- 2008-12-14 08:36:13

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:05 PM, on 12/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1222134078553
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1228010194940
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 4737 bytes

#14
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
Hello diva3serita

Congratulations, your logs are clean and another fix is in the can :)

It's running much, much better!!! I finished my project this morning and submitted it on time! Thank you so much!!!

Great :wave:. Now that you have had the panic of your life, the moral of the story is: "don't have P2P programs on your work/school computer, and be careful what you download". :)

In this post we will clear away the fix tools (this is so that, should you ever be re-infected, you will download updated versions; it will also remove the quarantined malware from your computer), reset your restore points (there will be infections lurking in there), and I will leave you with some ideas on how to enhance the protection of your machine against future infection.

====STEP 1====
Follow these steps to uninstall ComboFix, the tools used in the removal of malware, and to flush your system restore points:
  • Click START then RUN
  • Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.
You can remove Malwarebytes via Add/Remove Programs in your Control Panel.


====STEP 2====
Because I notice that you also tried other fix programs, we will use this tool to make sure they and all the infections they quarantined are gone:

Please download OTCleanIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTCleanIT.exe to run it. (Vista users, please right-click on OTMoveit2.exe and select "Run as an Administrator".)
  • Click on the CleanUp! button to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
You can also clear away any other tools we used.


====IDEAS TO SPEED UP YOUR MACHINE====
This page http://users.telenet...owcomputer.html gives some good ideas on how to improve the efficiency of your machine and has one or two useful links to help you further.


====AND FINALLY====
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place, and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.

Best wishes

andrewuk

#15
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.