Virus - no updates, blank screen, no regedit, comp savvy but about to


#1 kickaxe (New Member)

I have had a virus that I have been working on for a week now.

Some symptoms (but probably not all) include:

Cannot access regedit.
Cannot update antivirus tools.
Cannot access windows update.
IE redirected occasionally.
Cannot change admin icons on selection screen.
Cannot change backgrounds except for one or two selections, others have no effect.
Cannot connect to bleepingcomputer.com.
I have two admin users and one comes up with a blank screen most of the time, sometimes normal, sometimes with no background, and when "restore active desktop" is selected it gives a script error. The other appears normally but with restrictions that are the same as the other.

I am running a Presario SR1330NX with XP.
I have run almost every tool I could think of: adaware, MBAM, Spybot (which updates ok), avg, Microsoft MSRT, McAfee stinger, smitfraudfix, Superantispyware, killbox, and others, in safe mode and normal mode, but nothing seems to work. Some of them found things and removed them and now find nothing. I ran hijackthis and found nothing out of the ordinary. My hosts file seems to be OK. It is the one from spybot. I cleared my hosts file completely except for local and I still couldn't connect for updates or bleepingcomputer.com.

I keep pretty good control of my computer and have not had to reformat for many years and I don't want to now if I can help it, but I am about to give up. I have no idea how I got this. I have done nothing out of the ordinary lately. It just showed up one day when I booted up.

Here is my hijackthis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:55:33 AM, on 4/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\The KMPlayer\KMPlayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1240528006718
O20 - AppInit_DLLs: zyebxb.dll C:\WINDOWS\system32\zuziberi.dll frwdxe.dll c:\windows\system32\yafakeje.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4193 bytes

Any help would be greatly appreciated.

Edited by kickaxe, 24 April 2009 - 02:08 AM.
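As an added illustration (not part of the thread and not kickaxe's or loophole's code), here is a small Python triage script that parses HijackThis entries like the ones in the log above and flags the O20 AppInit_DLLs line first: on XP, every DLL named there is loaded into each process that loads user32.dll, which is why a non-empty value deserves attention before anything else. The allowlist, the severity labels and the bare-file-name check are assumptions; the sample lines are copied from the log above.

```python
"""Triage a HijackThis log: parse its numbered entries and surface the ones that
most need a closer look. Added example for this thread, not a tool from the forum."""
import re
from dataclasses import dataclass

# Sample input: entries copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: zyebxb.dll C:\WINDOWS\system32\zuziberi.dll frwdxe.dll c:\windows\system32\yafakeje.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Hypothetical allowlist: Winlogon Notify packages the analyst has already vetted
# (SUPERAntiSpyware's SASWinLogon is a tool the poster installed himself).
KNOWN_WINLOGON_NOTIFY = {"!saswinlogon"}

# "O4 - HKLM\..\Run: [name] command" -> section "O4", body "HKLM\..\Run: [name] command"
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high": review first; "info": verify, usually benign
    section: str    # HijackThis section code, e.g. "O20"
    detail: str


def parse_entries(log_text):
    """Return (section, body) pairs for every 'Xn - ...' line; other lines are ignored."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(log_text):
    """Apply three checks and return the findings in log order."""
    findings = []
    for section, body in parse_entries(log_text):
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # Every DLL named here is loaded into each process that loads user32.dll,
            # so a non-empty value is the first thing to review.
            for dll in body.partition(":")[2].split():
                findings.append(Finding("high", section, f"AppInit_DLLs loads {dll}"))
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            package = body.partition(":")[2].split(" - ")[0].strip().lower()
            if package not in KNOWN_WINLOGON_NOTIFY:
                findings.append(Finding("high", section,
                                        f"unvetted Winlogon Notify package {package}"))
        elif section == "O4":
            m = RUN_RE.match(body)
            if m:
                exe = m.group("cmd").split()[0]
                if "\\" not in exe:
                    # A bare file name is resolved through the search path; confirm which copy runs.
                    findings.append(Finding("info", section,
                                            f"Run value '{m.group('name')}' uses bare name {exe}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.section}: {f.detail}")
```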

#2 loophole (Malware Expert, Retired Staff)

Hello

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:


  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

#3 kickaxe (Topic Starter)

Here is the report from combofix. Again, I don't see anything unusual, but I could be wrong.





ComboFix 09-04-24.01 - Kickaxe 04/24/2009 5:18.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.220 [GMT -5:00]
Running from: c:\documents and settings\Kickaxe\Desktop\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\lwlk.wfr
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000021_.tmp.dll
c:\windows\system32\_000022_.tmp.dll
c:\windows\system32\_000023_.tmp.dll
c:\windows\system32\_000024_.tmp.dll
c:\windows\system32\404Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\kesackmq.ini
c:\windows\system32\kfuqouwa.ini
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\wiaserviv.log
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-4-24 )))))))))))))))))))))))))))))))
.

2009-04-24 04:34 . 2009-04-24 04:34 -------- d-----w C:\!KillBox
2009-04-18 02:47 . 2009-04-18 03:03 -------- d-----w c:\documents and settings\Kickaxe\Application Data\XnView
2009-04-18 02:00 . 2009-04-18 02:00 -------- d-----w c:\documents and settings\Kickaxe\Application Data\Malwarebytes
2009-04-18 00:35 . 2009-04-18 00:35 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-17 04:04 . 2009-04-17 04:04 -------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2009-04-17 04:04 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-17 04:04 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-17 04:04 . 2009-04-17 04:04 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-17 02:52 . 2009-04-17 02:52 -------- d-----w c:\documents and settings\Kickaxe\Application Data\SUPERAntiSpyware.com
2009-04-17 02:47 . 2009-04-17 02:47 33184 ----a-w c:\documents and settings\Kickaxe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-17 02:31 . 2009-04-17 02:31 -------- d-----w c:\documents and settings\Kickaxe\.housecall6.6
2009-04-17 02:13 . 2009-04-17 02:23 -------- d-----w c:\documents and settings\Kickaxe\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-24 07:12 . 2009-04-24 07:12 -------- d-----w c:\program files\Trend Micro
2009-04-23 23:37 . 2009-04-23 23:32 304182 ----a-w C:\rapport.txt
2009-04-18 02:00 . 2009-04-17 04:04 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-01 23:32 . 2003-09-10 00:19 -------- d-----w c:\program files\burst
2009-03-28 01:28 . 2008-08-23 12:58 -------- d-----w c:\program files\SUPERAntiSpyware
2009-03-27 06:58 . 2009-04-17 02:53 1203922 ----a-w c:\windows\AppPatch\SETC.tmp
2009-03-24 16:44 . 2003-09-10 01:14 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-06 14:22 . 2003-01-01 07:04 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2009-03-03 00:18 826368 ----a-w c:\windows\system32\SET6D.tmp
2009-03-03 00:18 . 2003-01-01 07:05 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2009-02-20 18:09 1160192 ----a-w c:\windows\system32\SET6F.tmp
2009-02-20 18:09 . 2009-02-20 18:09 105984 ----a-w c:\windows\system32\SET70.tmp
2009-02-20 18:09 . 2003-01-01 07:03 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-20 18:09 . 2009-02-20 18:09 52224 ----a-w c:\windows\system32\SET77.tmp
2009-02-20 18:09 . 2009-02-20 18:09 459264 ----a-w c:\windows\system32\SET78.tmp
2009-02-20 18:09 . 2009-02-20 18:09 3595264 ----a-w c:\windows\system32\SET76.tmp
2009-02-20 18:09 . 2009-02-20 18:09 268288 ----a-w c:\windows\system32\SET7C.tmp
2009-02-20 18:09 . 2009-02-20 18:09 63488 ----a-w c:\windows\system32\SET87.tmp
2009-02-20 18:09 . 2009-02-20 18:09 6066176 ----a-w c:\windows\system32\SET7F.tmp
2009-02-20 18:09 . 2009-02-20 18:09 383488 ----a-w c:\windows\system32\SET81.tmp
2009-02-20 18:09 . 2009-02-20 18:09 124928 ----a-w c:\windows\system32\SET8A.tmp
2009-02-09 18:29 . 2009-02-09 18:19 174 ----a-w c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
2009-02-09 12:10 . 2003-01-01 07:03 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2009-04-17 02:53 401408 ----a-w c:\windows\system32\SET42.tmp
2009-02-09 12:10 . 2004-10-21 09:42 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2003-01-01 07:46 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2003-01-01 07:04 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2003-01-01 07:05 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 00:02 . 2004-08-04 05:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2003-01-01 07:04 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2003-01-01 07:04 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2003-01-01 07:04 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ----a-w c:\windows\system32\SETD9.tmp
2009-02-03 19:59 . 2003-01-01 07:04 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-12 05:45 . 2003-09-10 05:37 33184 ----a-w c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-10-13 12:46 . 2007-10-13 12:46 32008 ----a-w c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2004-10-21 11:54 . 2007-09-25 21:27 128 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2004-10-21 11:54 . 2007-09-20 01:32 128 ----a-w c:\documents and settings\Guest\Local Settings\Application Data\fusioncache.dat
2004-10-21 11:54 . 2007-09-20 01:15 128 ----a-w c:\documents and settings\Kickaxe\Local Settings\Application Data\fusioncache.dat
2003-09-10 08:41 . 2003-01-01 08:14 135 ----a-w c:\documents and settings\Compaq_Owner\Local Settings\Application Data\fusioncache.dat
2008-08-23 15:07 . 2008-08-23 15:07 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082320080824\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-18 196608]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-21 155648]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-08 57344]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2004-07-29 2551808]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-30 88363]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-03-24 03:31 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"MDM"=2 (0x2)
"aawservice"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\burst\\core-new1.1.3\\btdownloadheadless.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Microsoft Games\\Dungeon Siege 2\\DungeonSiege2.exe"=
"c:\\Program Files\\The KMPlayer\\KMPlayer.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-08-20 7408]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-28 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-08-20 55024]

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-24 05:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'explorer.exe'(1948)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll

----------------------- Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-24 5:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-24 10:25

Pre-Run: 22,750,121,984 bytes free
Post-Run: 23,089,303,552 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=,1,2,3,4
178 --- E O F --- 2009-04-17 04:56
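
One thing an analyst would check before uploading files for scanning: several SET*.tmp entries in the Find3M report above share their first timestamp and exact byte size with a neighbouring system DLL (SET6D.tmp and wininet.dll, SET42.tmp and rpcss.dll, SETD9.tmp and secur32.dll), which is the pattern an update installer's staged copy leaves rather than what malware usually looks like; treat it as a hint to verify, not proof. The Python below (an added example, not part of the thread or of ComboFix) automates that pairing and lists the leftovers that have no twin; the sample lines are copied from the log above, and matching on the first timestamp column is an assumption.

```python
"""Pair SET*.tmp entries from a ComboFix Find3M report with same-sized, same-stamped
system files. Added example for this thread, not a ComboFix feature."""
import re
from collections import defaultdict

# Sample input: lines copied from the Find3M report posted above.
# Column layout assumed: <timestamp 1> . <timestamp 2> <size or dashes> <attrs> <path>
SAMPLE_FIND3M = r"""
2009-03-06 14:22 . 2003-01-01 07:04 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2009-03-03 00:18 826368 ----a-w c:\windows\system32\SET6D.tmp
2009-03-03 00:18 . 2003-01-01 07:05 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2009-02-20 18:09 1160192 ----a-w c:\windows\system32\SET6F.tmp
2009-02-09 12:10 . 2003-01-01 07:03 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2009-04-17 02:53 401408 ----a-w c:\windows\system32\SET42.tmp
2009-02-09 12:10 . 2003-01-01 07:04 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-03 19:59 . 2009-02-03 19:59 56832 ----a-w c:\windows\system32\SETD9.tmp
2009-02-03 19:59 . 2003-01-01 07:04 56832 ----a-w c:\windows\system32\secur32.dll
2009-04-24 07:12 . 2009-04-24 07:12 -------- d-----w c:\program files\Trend Micro
"""

LINE_RE = re.compile(
    r"^(?P<ts1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ts2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)
# Installer-style temp names as they appear in this log: SET followed by hex digits.
TMP_RE = re.compile(r"\\SET[0-9A-F]+\.tmp$", re.IGNORECASE)


def parse_find3m(text):
    """Return (timestamp1, size, path) per file row; directory rows show dashes for size and are skipped."""
    rows = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m and m.group("size").isdigit():
            rows.append((m.group("ts1"), int(m.group("size")), m.group("path")))
    return rows


def match_tmp_twins(text):
    """Map each SET*.tmp path to a non-.tmp file with the same first timestamp and size,
    or to None when no such twin exists and the file still needs a look."""
    rows = parse_find3m(text)
    by_key = defaultdict(list)
    for ts1, size, path in rows:
        by_key[(ts1, size)].append(path)
    twins = {}
    for ts1, size, path in rows:
        if not TMP_RE.search(path):
            continue
        candidates = [p for p in by_key[(ts1, size)] if p != path and not TMP_RE.search(p)]
        twins[path] = candidates[0] if candidates else None
    return twins


def unmatched(text):
    """SET*.tmp files with no twin: the ones worth submitting to a scanner first."""
    return sorted(path for path, twin in match_tmp_twins(text).items() if twin is None)


if __name__ == "__main__":
    for tmp, twin in match_tmp_twins(SAMPLE_FIND3M).items():
        print(f"{tmp} -> {twin or 'no twin, scan it'}")
```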

#4 kickaxe (Topic Starter)

I also wanted to add that if you and I cannot come up with a solution, please let others know. I don't have many tech-savvy friends, and the more help and opinions I can get the better.

#5 loophole (Malware Expert, Retired Staff)

Hi again

I also wanted to add that if you and I cannot come up with a solution, please let others know. I don't have many tech-savvy friends, and the more help and opinions I can get the better.

Sure

Can you please post a new hijack log and also do the following

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Browse to the following file path in the "Suspicious files to scan" box on the top of the page:

    • c:\windows\system32\SET42.tmp
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.


#6 kickaxe (Topic Starter)

Here is my latest hijackthis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:58 PM, on 4/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1240528006718
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4243 bytes


Here is the VirSCAN report.


VirSCAN.org Scanned Report :
Scanned time : 2009/04/25 00:00:29 (CDT)
Scanner results: All Scanners reported not find malware!
File Name : SET42.tmp
File Size : 401408 byte
File Type : PE32 executable for MS Windows (DLL) (console) Intel 80386 3
MD5 : 6b27a5c03dfb94b4245739065431322c
SHA1 : 7391155a9976797c2072e013fa3c38197b268de7
Online report : http://virscan.org/r...3d06bc163b.html

Scanner | Engine Ver | Sig Ver | Sig Date | Time | Scan result
a-squared | 4.0.0.32 | 20090424020229 | 2009-04-24 | 5.18 | -
AhnLab V3 | 2009.04.25.00 | 2009.04.25 | 2009-04-25 | 2.09 | -
AntiVir | 7.9.0.156 | 7.1.3.108 | 2009-04-24 | 2.16 | -
Antiy | 2.0.18 | 20090425.2318496 | 2009-04-25 | 0.37 | -
Arcavir | 2009 | 200904240931 | 2009-04-24 | 0.06 | -
Authentium | 5.1.1 | 200904241611 | 2009-04-24 | 1.99 | -
AVAST! | 3.0.1 | 090425-0 | 2009-04-25 | 0.02 | -
AVG | 7.5.52.442 | 270.12.4/2079 | 2009-04-24 | 2.09 | -
BitDefender | 7.81008.2850237 | 7.24995 | 2009-04-25 | 2.66 | -
CA (VET) | 9.0.0.143 | 31.6.6474 | 2009-04-25 | 21.76 | -
ClamAV | 0.95 | 9287 | 2009-04-25 | 0.10 | -
Comodo | 3.8 | 1133 | 2009-04-24 | 1.30 | -
CP Secure | 1.1.0.715 | 2009.04.25 | 2009-04-25 | 8.67 | -
Dr.Web | 4.44.0.9170 | 2009.04.24 | 2009-04-24 | 4.54 | -
F-Prot | 4.4.4.56 | 20090424 | 2009-04-24 | 1.82 | -
F-Secure | 5.51.6100 | 2009.04.25.01 | 2009-04-25 | 0.06 | -
Fortinet | 2.81-3.117 | 10.318 | 2009-04-24 | 0.57 | -
GData | 19.4833/19.310 | 20090425 | 2009-04-25 | 11.76 | -
ViRobot | 20090424 | 2009.04.24 | 2009-04-24 | 1.69 | -
Ikarus | T3.1.01.49 | 2009.04.24.72629 | 2009-04-24 | 2.73 | -
JiangMin | 11.0.706 | 2009.04.24 | 2009-04-24 | 9.68 | -
Kaspersky | 5.5.10 | 2009.04.24 | 2009-04-24 | 0.06 | -
KingSoft | 2009.2.5.15 | 2009.4.24.21 | 2009-04-24 | 10.21 | -
McAfee | 5.3.00 | 5595 | 2009-04-24 | 2.80 | -
Microsoft | 1.4602 | 2009.04.25 | 2009-04-25 | 14.76 | -
mks_vir | 2.01 | 2009.04.24 | 2009-04-24 | 2.83 | -
Norman | 6.00.06 | 6.00.00 | 2009-04-24 | 10.01 | -
Panda | 9.05.01 | 2009.04.24 | 2009-04-24 | 3.35 | -
Trend Micro | 8.700-1004 | 5.984.08 | 2009-04-24 | 0.03 | -
Quick Heal | 10.00 | 2009.04.23 | 2009-04-23 | 6.92 | -
Rising | 20.0 | 21.26.44.00 | 2009-04-24 | 3.23 | -
Sophos | 2.85.0 | 4.40 | 2009-04-25 | 2.32 | -
Sunbelt | 5111 | 5111 | 2009-04-24 | 20.31 | -
Symantec | 1.3.0.24 | 20090424.003 | 2009-04-24 | 0.23 | -
nProtect | 20090424.03 | 3494918 | 2009-04-24 | 22.96 | -
The Hacker | 6.3.4.1 | v00314 | 2009-04-24 | 1.82 | -
VBA32 | 3.12.10.3 | 20090423.1331 | 2009-04-23 | 1.80 | -
VirusBuster | 4.5.11.10 | 10.105.5/1306828 | 2009-04-24 | 1.69 | -



BTW, I am not on the computer very often, so it might take a while to hear back from me.
I will try to check at least once a day though.

Thanks again.

#7 loophole (Malware Expert, Retired Staff)

Hi again

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\AppPatch\SETC.tmp
c:\windows\system32\SET6D.tmp
c:\windows\system32\SET6F.tmp
c:\windows\system32\SET70.tmp
c:\windows\system32\SET77.tmp
c:\windows\system32\SET78.tmp
c:\windows\system32\SET76.tmp
c:\windows\system32\SET7C.tmp
c:\windows\system32\SET87.tmp
c:\windows\system32\SET7F.tmp
c:\windows\system32\SET81.tmp
c:\windows\system32\SET8A.tmp
c:\windows\system32\SET42.tmp
c:\windows\system32\SETD9.tmp



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


#8 kickaxe (Topic Starter)

Here is the latest combofix log.



ComboFix 09-04-24.01 - Kickaxe 04/25/2009 18:33.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.255 [GMT -5:00]
Running from: c:\documents and settings\Kickaxe\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Kickaxe\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\AppPatch\SETC.tmp
c:\windows\system32\SET42.tmp
c:\windows\system32\SET6D.tmp
c:\windows\system32\SET6F.tmp
c:\windows\system32\SET70.tmp
c:\windows\system32\SET76.tmp
c:\windows\system32\SET77.tmp
c:\windows\system32\SET78.tmp
c:\windows\system32\SET7C.tmp
c:\windows\system32\SET7F.tmp
c:\windows\system32\SET81.tmp
c:\windows\system32\SET87.tmp
c:\windows\system32\SET8A.tmp
c:\windows\system32\SETD9.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\AppPatch\SETC.tmp
c:\windows\system32\SET42.tmp
c:\windows\system32\SET6D.tmp
c:\windows\system32\SET6F.tmp
c:\windows\system32\SET70.tmp
c:\windows\system32\SET76.tmp
c:\windows\system32\SET77.tmp
c:\windows\system32\SET78.tmp
c:\windows\system32\SET7C.tmp
c:\windows\system32\SET7F.tmp
c:\windows\system32\SET81.tmp
c:\windows\system32\SET87.tmp
c:\windows\system32\SET8A.tmp
c:\windows\system32\SETD9.tmp

.
((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-4-25 )))))))))))))))))))))))))))))))
.

2009-04-25 04:54 . 2008-10-16 19:06 27496 ----a-w c:\windows\system32\mucltui.dll.mui
2009-04-25 04:54 . 2008-10-16 19:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-04-24 04:34 . 2009-04-24 04:34 -------- d-----w C:\!KillBox
2009-04-18 02:47 . 2009-04-25 05:20 -------- d-----w c:\documents and settings\Kickaxe\Application Data\XnView
2009-04-18 02:00 . 2009-04-18 02:00 -------- d-----w c:\documents and settings\Kickaxe\Application Data\Malwarebytes
2009-04-18 00:35 . 2009-04-18 00:35 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-17 04:04 . 2009-04-17 04:04 -------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2009-04-17 04:04 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-17 04:04 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-17 04:04 . 2009-04-17 04:04 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-17 02:53 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-17 02:53 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 02:53 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 02:53 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 02:53 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 02:53 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-17 02:53 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 02:53 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 02:53 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 02:53 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 02:53 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-17 02:53 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-17 02:52 . 2009-04-17 02:52 -------- d-----w c:\documents and settings\Kickaxe\Application Data\SUPERAntiSpyware.com
2009-04-17 02:47 . 2009-04-17 02:47 33184 ----a-w c:\documents and settings\Kickaxe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-17 02:31 . 2009-04-17 02:31 -------- d-----w c:\documents and settings\Kickaxe\.housecall6.6
2009-04-17 02:13 . 2009-04-17 02:23 -------- d-----w c:\documents and settings\Kickaxe\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-25 04:56 . 2009-04-25 04:56 -------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2009-04-24 07:12 . 2009-04-24 07:12 -------- d-----w c:\program files\Trend Micro
2009-04-23 23:37 . 2009-04-23 23:32 304182 ----a-w C:\rapport.txt
2009-04-18 02:00 . 2009-04-17 04:04 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-01 23:32 . 2003-09-10 00:19 -------- d-----w c:\program files\burst
2009-03-28 01:28 . 2008-08-23 12:58 -------- d-----w c:\program files\SUPERAntiSpyware
2009-03-24 16:44 . 2003-09-10 01:14 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-06 14:22 . 2003-01-01 07:04 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2003-01-01 07:05 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2003-01-01 07:03 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 18:29 . 2009-02-09 18:19 174 ----a-w c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
2009-02-09 12:10 . 2003-01-01 07:03 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-10-21 09:42 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2003-01-01 07:46 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2003-01-01 07:04 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2003-01-01 07:05 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 00:02 . 2004-08-04 05:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2003-01-01 07:04 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2003-01-01 07:04 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2003-01-01 07:04 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2003-01-01 07:04 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-12 05:45 . 2003-09-10 05:37 33184 ----a-w c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-10-13 12:46 . 2007-10-13 12:46 32008 ----a-w c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2004-10-21 11:54 . 2007-09-25 21:27 128 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2004-10-21 11:54 . 2007-09-20 01:32 128 ----a-w c:\documents and settings\Guest\Local Settings\Application Data\fusioncache.dat
2004-10-21 11:54 . 2007-09-20 01:15 128 ----a-w c:\documents and settings\Kickaxe\Local Settings\Application Data\fusioncache.dat
2003-09-10 08:41 . 2003-01-01 08:14 135 ----a-w c:\documents and settings\Compaq_Owner\Local Settings\Application Data\fusioncache.dat
2008-08-23 15:07 . 2008-08-23 15:07 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082320080824\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-18 196608]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-21 155648]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-08 57344]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2004-07-29 2551808]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-30 88363]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-03-24 03:31 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"MDM"=2 (0x2)
"aawservice"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\burst\\core-new1.1.3\\btdownloadheadless.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Microsoft Games\\Dungeon Siege 2\\DungeonSiege2.exe"=
"c:\\Program Files\\The KMPlayer\\KMPlayer.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-08-20 7408]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-28 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-08-20 55024]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d52e0b6-66f6-11dc-a278-0011d83f7c97}]
\Shell\AutoRun\command - k:\_autorun\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c487d1a0-6860-11dc-a27b-0011d83f7c97}]
\Shell\AutoRun\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dbc949ad-66fa-11dc-a279-0011d83f7c97}]
\Shell\AutoRun\command - L:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dbc949ae-66fa-11dc-a279-0011d83f7c97}]
\Shell\AutoRun\command - M:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dbc949af-66fa-11dc-a279-0011d83f7c97}]
\Shell\AutoRun\command - N:\Setup.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-25 18:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2009-04-25 18:37
ComboFix-quarantined-files.txt 2009-04-25 23:37
ComboFix2.txt 2009-04-24 10:25

Pre-Run: 22,945,136,640 bytes free
Post-Run: 23,008,026,624 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=,1,2,3,4
185 --- E O F --- 2009-04-25 04:56



Here is the result of Kaspersky.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, April 25, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, April 26, 2009 03:43:59
Records in database: 2079389
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
H:\

Scan statistics:
Files scanned: 128562
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:20:51


File name / Threat name / Threats count
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-62df7ac9.zip Infected: Trojan-Downloader.Java.Agent.f 1

The selected area was scanned.

#9
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi again

Do you use a flash drive?

Similar directions as before

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

folder::
k:\_autorun

file::
G:\autorun.exe
L:\autorun.exe
M:\Autorun.exe
N:\Setup.exe

registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d52e0b6-66f6-11dc-a278-0011d83f7c97}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c487d1a0-6860-11dc-a27b-0011d83f7c97}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dbc949ad-66fa-11dc-a279-0011d83f7c97}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dbc949ae-66fa-11dc-a279-0011d83f7c97}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dbc949af-66fa-11dc-a279-0011d83f7c97}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Also let me know how the computer is behaving.
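The MountPoints2 entries loophole targets above are Explorer's cached copy of each removable volume's autorun.inf, which is why the flash drive question matters: a handler that points at an autorun.exe on a drive is the classic trace of a USB-borne infection. As an added example, not code from this thread or from ComboFix itself, the Python script below reads the "Reg Loading Points" section of a ComboFix log, extracts every MountPoints2 AutoRun handler, and drafts the same folder::/file::/registry:: directives that loophole wrote by hand; it also flags the "EnableFirewall"= 0 value the log reports. The sample log text inside is a constructed excerpt modelled on the entries posted in this thread, and all function names are my own.

```python
"""Draft CFScript directives from the MountPoints2 AutoRun handlers in a ComboFix log.

Added example for this thread; not part of ComboFix or of the Geeks to Go posts.
"""
import re

# Constructed sample: a trimmed excerpt modelled on the log posted above.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d52e0b6-66f6-11dc-a278-0011d83f7c97}]
\Shell\AutoRun\command - k:\_autorun\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c487d1a0-6860-11dc-a27b-0011d83f7c97}]
\Shell\AutoRun\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dbc949af-66fa-11dc-a279-0011d83f7c97}]
\Shell\AutoRun\command - N:\Setup.exe
"""

# A registry key header line in the log: [HKEY_...\...]
KEY_RE = re.compile(r"^\[(.+)\]$")
# The AutoRun handler line that follows a MountPoints2 key.
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(.+)$", re.IGNORECASE)


def parse_autorun_handlers(log_text):
    """Return [(registry_key, command)] for every MountPoints2 AutoRun handler in the log."""
    handlers = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        cmd_match = AUTORUN_RE.match(line)
        if cmd_match and current_key and "mountpoints2" in current_key.lower():
            handlers.append((current_key, cmd_match.group(1).strip()))
    return handlers


def _split_win_path(path):
    """Split a Windows path on its last backslash (os.path would be wrong on a POSIX host)."""
    head, _, tail = path.rpartition("\\")
    return head, tail


def build_cfscript(handlers):
    """Draft CFScript text: folder:: for handlers living in a subfolder, file:: for
    files at a drive root, and registry:: lines that delete each cached key."""
    folders, files, keys = [], [], []
    for key, command in handlers:
        head, _ = _split_win_path(command)
        if head.endswith(":"):       # e.g. 'G:' -> executable at the drive root
            files.append(command)
        else:                        # e.g. 'k:\_autorun' -> quarantine the whole folder
            folders.append(head)
        keys.append("[-" + key + "]")
    sections = []
    if folders:
        sections.append("folder::\n" + "\n".join(folders))
    if files:
        sections.append("file::\n" + "\n".join(files))
    if keys:
        sections.append("registry::\n" + "\n".join(keys))
    return "\n\n".join(sections) + "\n"


def firewall_disabled(log_text):
    """True when the standard-profile EnableFirewall value is reported as 0."""
    return re.search(r'"EnableFirewall"\s*=\s*0\b', log_text) is not None


if __name__ == "__main__":
    found = parse_autorun_handlers(SAMPLE_LOG)
    print(build_cfscript(found))
    if firewall_disabled(SAMPLE_LOG):
        print("Note: Windows Firewall (standard profile) is reported disabled in this log.")
```

Run against the constructed sample it prints the same three-section script loophole posted, minus the two keys the sample leaves out. The drafted script is only a starting point: a helper still reads each handler before deleting anything, because a MountPoints2 entry for a legitimate installer CD looks exactly like one for a worm.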

#10
kickaxe

    New Member

  • Topic Starter
  • Member
  • 6 posts
Good news I think.


New combofix log.

ComboFix 09-04-25.A3 - Kickaxe 04/26/2009 18:04.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.284 [GMT -5:00]
Running from: c:\documents and settings\Kickaxe\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Kickaxe\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-4-26 )))))))))))))))))))))))))))))))
.

2009-04-25 04:56 . 2009-04-25 04:56 -------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2009-04-25 04:54 . 2008-10-16 19:06 27496 ----a-w c:\windows\system32\mucltui.dll.mui
2009-04-25 04:54 . 2008-10-16 19:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-04-24 07:12 . 2009-04-24 07:12 -------- d-----w c:\program files\Trend Micro
2009-04-24 04:34 . 2009-04-24 04:34 -------- d-----w C:\!KillBox
2009-04-18 02:47 . 2009-04-25 05:20 -------- d-----w c:\documents and settings\Kickaxe\Application Data\XnView
2009-04-18 02:00 . 2009-04-18 02:00 -------- d-----w c:\documents and settings\Kickaxe\Application Data\Malwarebytes
2009-04-18 00:35 . 2009-04-18 00:35 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-17 04:04 . 2009-04-17 04:04 -------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2009-04-17 04:04 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-17 04:04 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-17 04:04 . 2009-04-18 02:00 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-17 04:04 . 2009-04-17 04:04 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-17 02:53 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-17 02:53 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 02:53 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 02:53 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 02:53 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 02:53 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-17 02:53 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 02:53 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 02:53 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 02:53 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 02:53 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-17 02:53 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-17 02:52 . 2009-04-17 02:52 -------- d-----w c:\documents and settings\Kickaxe\Application Data\SUPERAntiSpyware.com
2009-04-17 02:47 . 2009-04-17 02:47 33184 ----a-w c:\documents and settings\Kickaxe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-17 02:31 . 2009-04-17 02:31 -------- d-----w c:\documents and settings\Kickaxe\.housecall6.6
2009-04-17 02:13 . 2009-04-17 02:23 -------- d-----w c:\documents and settings\Kickaxe\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-26 02:11 . 2007-09-14 12:47 -------- d-----w c:\program files\Temp
2009-04-25 23:37 . 2003-09-10 01:14 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-23 23:37 . 2009-04-23 23:32 304182 ----a-w C:\rapport.txt
2009-04-01 23:32 . 2003-09-10 00:19 -------- d-----w c:\program files\burst
2009-03-28 01:28 . 2008-08-23 12:58 -------- d-----w c:\program files\SUPERAntiSpyware
2009-03-06 14:22 . 2003-01-01 07:04 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2003-01-01 07:05 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2003-01-01 07:03 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 18:29 . 2009-02-09 18:19 174 ----a-w c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
2009-02-09 12:10 . 2003-01-01 07:03 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-10-21 09:42 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2003-01-01 07:46 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2003-01-01 07:04 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2003-01-01 07:05 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 00:02 . 2004-08-04 05:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2003-01-01 07:04 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2003-01-01 07:04 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2003-01-01 07:04 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2003-01-01 07:04 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-12 05:45 . 2003-09-10 05:37 33184 ----a-w c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-10-13 12:46 . 2007-10-13 12:46 32008 ----a-w c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2004-10-21 11:54 . 2007-09-25 21:27 128 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2004-10-21 11:54 . 2007-09-20 01:32 128 ----a-w c:\documents and settings\Guest\Local Settings\Application Data\fusioncache.dat
2004-10-21 11:54 . 2007-09-20 01:15 128 ----a-w c:\documents and settings\Kickaxe\Local Settings\Application Data\fusioncache.dat
2003-09-10 08:41 . 2003-01-01 08:14 135 ----a-w c:\documents and settings\Compaq_Owner\Local Settings\Application Data\fusioncache.dat
2008-08-23 15:07 . 2008-08-23 15:07 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082320080824\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-18 196608]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-21 155648]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-08 57344]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2004-07-29 2551808]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-30 88363]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-03-24 03:31 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"MDM"=2 (0x2)
"aawservice"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\burst\\core-new1.1.3\\btdownloadheadless.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Microsoft Games\\Dungeon Siege 2\\DungeonSiege2.exe"=
"c:\\Program Files\\The KMPlayer\\KMPlayer.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-08-20 7408]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-28 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-08-20 55024]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c487d1a0-6860-11dc-a27b-0011d83f7c97}]
\Shell\AutoRun\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dbc949af-66fa-11dc-a279-0011d83f7c97}]
\Shell\AutoRun\command - N:\Setup.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-26 18:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'explorer.exe'(2904)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-26 18:07
ComboFix-quarantined-files.txt 2009-04-26 23:07
ComboFix2.txt 2009-04-26 22:57
ComboFix3.txt 2009-04-25 23:37
ComboFix4.txt 2009-04-24 10:25

Pre-Run: 25,210,126,336 bytes free
Post-Run: 25,195,638,784 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=,1,2,3,4
157 --- E O F --- 2009-04-25 04:56



New hijackthis log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:10:54 PM, on 4/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1240528006718
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4266 bytes



Computer actually seems to be running ok so far. I updated AVG and Superantispyware. No blank screen on either admin user. Other problems from first post seem to be fixed as well.
Anything else you think I should do?

Thanks lots. I will let you know if anything comes up.

#11
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts

Hi again

Do you use a flash drive?

Please answer this