Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Please help! Avast! showing Win32:TratBHO can't get rid of

Started by Altrockrulz , Jan 07 2008 05:11 PM

  • This topic is locked This topic is locked

#1
Altrockrulz
Posted 07 January 2008 - 05:11 PM

Altrockrulz

    New Member

  • Member
  • Pip
  • 8 posts
I have been trying unsuccessfully now for like 4 hours to get rid of this infection totally. There were three other infections on my desktop as well but it seems Avast! was able to handle those (Win32:Agent-NMX, Win32:PurityScan-V, and Win32:VB-IE) but this TratBHO left remnents behind and I need help with the damage.

current hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:20:55 PM, on 1/7/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tina\Desktop\VundoFix.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.n...lbar2.0/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.n...lbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F3 - REG:win.ini: load=.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {E1759A31-E627-4758-9562-6899DF36C9C2} - C:\WINDOWS\System32\ddcaaab.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/c...::/xpreload.ocx
O20 - Winlogon Notify: ddcaaab - C:\WINDOWS\SYSTEM32\ddcaaab.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\xume.html

--
End of file - 4979 bytes

Edited by Altrockrulz, 08 January 2008 - 11:24 PM.

  • 0

Advertisements

#2
Rorschach112
Posted 13 January 2008 - 12:30 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
  • 0

#3
Altrockrulz
Posted 13 January 2008 - 02:23 PM

Altrockrulz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Ok ran it and got the log. Thank you for helping me....I have no animosity over the wait I know you guys are busy. Here is the contents of the combofix log:


ComboFix 08-01-13.1 - Tina 2008-01-13 12:14:58.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.131 [GMT -8:00]
Running from: C:\Documents and Settings\Tina\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Documents and Settings\Tina\My Documents\MCROSO~1
C:\Program Files\Common Files\xume.html
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\kernel
C:\Program Files\kernel\kernel .exe
C:\Program Files\outlook
C:\Program Files\Temporary
C:\Program Files\Temporary\kernInstall.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\b122.exe
C:\WINDOWS\Downloaded Program Files.\xpreload.ocx
C:\WINDOWS\stem~1
C:\WINDOWS\system32\ddcaaab.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\srstv.ini
C:\WINDOWS\system32\srstv.ini2
C:\WINDOWS\system32\wtsisvsu.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-13 12:18 . 2008-01-13 12:18 <DIR> d-------- C:\Temp\tn3
2008-01-13 12:13 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-09 14:02 . 2008-01-09 14:02 <DIR> d-------- C:\Documents and Settings\Tina\Application Data\Apple Computer
2008-01-07 15:18 . 2008-01-07 15:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-07 07:42 . 2007-12-04 04:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-07 07:42 . 2007-12-04 06:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-07 07:42 . 2007-12-04 06:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-07 07:42 . 2007-12-04 06:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-07 07:41 . 2008-01-07 07:41 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-07 07:41 . 2003-03-18 12:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-01-07 07:41 . 2007-12-04 05:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-07 07:41 . 2004-01-09 01:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-07 07:41 . 2007-12-04 06:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-07 07:41 . 2007-12-04 06:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-06 09:01 . 2008-01-06 09:01 <DIR> d--hs---- C:\WINDOWS\WHAgUHJv
2008-01-06 09:01 . 2008-01-06 09:01 <DIR> d-------- C:\WINDOWS\system32\usmvt3
2008-01-06 09:01 . 2008-01-06 09:01 <DIR> d-------- C:\WINDOWS\system32\drivr3
2008-01-06 09:01 . 2008-01-06 09:01 <DIR> d-------- C:\WINDOWS\system32\comp2
2008-01-06 09:01 . 2008-01-06 09:01 <DIR> d-------- C:\WINDOWS\system32\cache3
2008-01-06 09:01 . 2008-01-06 09:01 <DIR> d-------- C:\WINDOWS\system32\ardCo01
2008-01-06 09:01 . 2008-01-06 09:01 <DIR> d-------- C:\Temp\cEeer12
2008-01-06 09:01 . 2008-01-06 09:01 <DIR> d-------- C:\Temp
2008-01-06 09:01 . 2008-01-06 09:01 86,016 --a------ C:\WINDOWS\system32\drivers\usbhubb.sys
2008-01-06 09:01 . 2008-01-13 12:17 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-06 08:05 . 2008-01-06 08:06 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-06 07:37 . 2008-01-06 07:37 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-06 07:37 . 2008-01-06 07:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-06 07:33 . 2008-01-06 07:33 0 --a------ C:\3A.tmp
2008-01-06 07:32 . 2008-01-06 07:32 0 --a------ C:\20.tmp
2008-01-06 07:32 . 2008-01-06 07:32 0 --a------ C:\1C.tmp
2008-01-06 07:31 . 2008-01-06 07:31 0 --a------ C:\1B.tmp
2008-01-06 07:31 . 2008-01-06 07:31 0 --a------ C:\1A.tmp
2008-01-06 07:30 . 2008-01-06 07:30 0 --a------ C:\D.tmp
2008-01-06 07:30 . 2008-01-06 07:30 0 --a------ C:\19.tmp
2008-01-06 07:30 . 2008-01-06 07:30 0 --a------ C:\11.tmp
2008-01-06 07:22 . 2008-01-06 07:22 <DIR> d-------- C:\Documents and Settings\Tina\Application Data\ComcastToolbar
2008-01-03 10:49 . 2008-01-13 09:13 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-03 10:49 . 2008-01-03 10:49 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-29 09:36 . 2008-01-09 15:23 664 --a------ C:\WINDOWS\cdplayer.ini
2007-12-29 08:41 . 2007-12-29 08:41 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-22 17:17 . 2007-12-22 17:17 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2007-12-22 17:16 . 2007-12-22 17:16 <DIR> d-------- C:\Program Files\RCA
2007-12-16 09:03 . 2002-11-14 11:42 218,624 --a------ C:\WINDOWS\system32\srrstr.dll
2007-12-16 09:03 . 2002-11-14 11:42 218,624 --a------ C:\WINDOWS\system32\dllcache\srrstr.dll
2007-12-16 08:52 . 2004-01-09 21:11 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2007-12-15 15:02 . 2007-12-15 15:02 <DIR> d--h----- C:\WINDOWS\$xpsp1hfm$
2007-12-14 11:31 . 2007-12-14 11:31 <DIR> d-------- C:\Program Files\InstallShield Installation Information
2007-12-14 11:30 . 2007-12-14 11:30 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-12-13 07:26 . 2007-12-13 07:26 <DIR> d-------- C:\WINDOWS\system32\bits

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 17:02 246 ----a-w C:\Program Files\Common Files\teda
2007-12-31 17:38 36,624 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-12-31 17:38 2,560 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-31 17:38 2,432 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-31 17:38 158,456 ------w C:\WINDOWS\system32\pxwma.dll
2007-12-10 11:44 --------- d-----w C:\Program Files\QuickTime
2007-12-10 11:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-10 11:43 --------- d-----w C:\Program Files\Apple Software Update
2007-12-10 11:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-12-09 21:20 --------- d-----w C:\Documents and Settings\Tina\Application Data\acccore
2007-12-09 21:19 --------- d-----w C:\Program Files\AIM6
2007-12-09 21:05 --------- d-----w C:\Program Files\Common Files\xing shared
2007-12-09 21:04 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-12-09 21:04 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-12-09 21:04 --------- d-----w C:\Program Files\Real
2007-12-09 21:04 --------- d-----w C:\Program Files\Common Files\Real
2007-12-09 19:43 --------- d-----w C:\Documents and Settings\Tina\Application Data\LimeWire
2007-12-09 19:41 --------- d-----w C:\Program Files\LimeWire
2007-12-08 10:01 --------- d-----w C:\Documents and Settings\Tina\Application Data\Yahoo!
2007-12-08 10:00 --------- d-----w C:\Program Files\Viewpoint
2007-12-08 10:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-08 10:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-12-08 10:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-08 09:59 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-08 09:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-08 09:54 --------- d-----w C:\Program Files\Yahoo!
2007-12-08 08:48 --------- d-----w C:\Program Files\Google
2007-12-08 08:27 --------- d-----w C:\Program Files\Common Files\Scanner
2007-12-08 08:27 --------- d-----w C:\Program Files\ComcastToolbar
2007-12-08 08:16 --------- d-----w C:\Program Files\support.com
2007-12-08 08:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Support.com
2007-10-31 21:03 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2005-07-30 00:24 472 --sha-r C:\WINDOWS\WHAgUHJv\qJE0oJLS.vbs
.
<pre>
----a-w		   185,896 2008-01-07 17:10:46  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w		 1,077,277 2008-01-07 17:10:50  C:\Program Files\Messenger\msmsgs .exe
----a-w		   132,496 2008-01-07 17:10:46  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w		 4,670,704 2008-01-06 17:39:18  C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
----a-w		 4,670,704 2008-01-07 17:10:54  C:\Program Files\Yahoo!\Messenger\YAHOOM~1  .EXE
----a-w			39,792 2008-01-07 17:10:44  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w			79,224 2008-01-07 16:05:08  C:\Program Files\Alwil Software\Avast4\ashDisp .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli.dll scecli.dll

R1 usbhubb;usbhubb;C:\WINDOWS\System32\drivers\usbhubb.sys [2008-01-06 09:01]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 03:46:14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 12:18:58
Windows 5.1.2600 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-13 12:20:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-13 20:20:14
.
2007-12-21 15:26:45 --- E O F ---
  • 0

#4
Rorschach112
Posted 13 January 2008 - 02:55 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\3A.tmp
C:\20.tmp
C:\1C.tmp
C:\1B.tmp
C:\1A.tmp
C:\D.tmp
C:\19.tmp
C:\11.tmp

Folder::
C:\Temp\tn3
C:\WINDOWS\WHAgUHJv
C:\WINDOWS\system32\usmvt3
C:\WINDOWS\system32\drivr3
C:\WINDOWS\system32\comp2
C:\WINDOWS\system32\cache3
C:\WINDOWS\system32\ardCo01
C:\Temp\cEeer12

RenV::
----a-w 185,896 2008-01-07 17:10:46 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 1,077,277 2008-01-07 17:10:50 C:\Program Files\Messenger\msmsgs .exe
----a-w 132,496 2008-01-07 17:10:46 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 4,670,704 2008-01-06 17:39:18 C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
----a-w 4,670,704 2008-01-07 17:10:54 C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
----a-w 39,792 2008-01-07 17:10:44 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 79,224 2008-01-07 16:05:08 C:\Program Files\Alwil Software\Avast4\ashDisp .exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


Also post a new HijackThis log
  • 0

#5
Altrockrulz
Posted 13 January 2008 - 03:17 PM

Altrockrulz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Ok here you go:

Combofix log:
ComboFix 08-01-13.1 - Tina 2008-01-13 13:06:00.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.100 [GMT -8:00]
Running from: C:\Documents and Settings\Tina\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tina\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\11.tmp
C:\19.tmp
C:\1A.tmp
C:\1B.tmp
C:\1C.tmp
C:\20.tmp
C:\3A.tmp
C:\D.tmp
C:\WINDOWS\system32\drivers\core.cache.dsk
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\11.tmp
C:\19.tmp
C:\1A.tmp
C:\1B.tmp
C:\1C.tmp
C:\20.tmp
C:\3A.tmp
C:\D.tmp
C:\Temp\cEeer12
C:\Temp\cEeer12\skAt.log
C:\temp\tn3
C:\WINDOWS\system32\ardCo01
C:\WINDOWS\system32\ardCo01\ardCo011065.exe
C:\WINDOWS\system32\cache3
C:\WINDOWS\system32\cache3\vumpedll23.exe
C:\WINDOWS\system32\comp2
C:\WINDOWS\system32\drivr3
C:\WINDOWS\system32\usmvt3
C:\WINDOWS\WHAgUHJv
C:\WINDOWS\WHAgUHJv\qJE0oJLS.vbs
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-13 13:10 . 2008-01-13 13:10 <DIR> d-------- C:\Temp\tn3
2008-01-13 12:13 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-09 14:02 . 2008-01-09 14:02 <DIR> d-------- C:\Documents and Settings\Tina\Application Data\Apple Computer
2008-01-07 15:18 . 2008-01-07 15:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-07 07:42 . 2007-12-04 04:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-07 07:42 . 2007-12-04 06:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-07 07:42 . 2007-12-04 06:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-07 07:42 . 2007-12-04 06:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-07 07:41 . 2008-01-07 07:41 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-07 07:41 . 2003-03-18 12:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-01-07 07:41 . 2007-12-04 05:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-07 07:41 . 2004-01-09 01:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-07 07:41 . 2007-12-04 06:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-07 07:41 . 2007-12-04 06:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-06 09:01 . 2008-01-06 09:01 <DIR> d-------- C:\Temp
2008-01-06 09:01 . 2008-01-06 09:01 86,016 --a------ C:\WINDOWS\system32\drivers\usbhubb.sys
2008-01-06 09:01 . 2008-01-13 13:09 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-06 08:05 . 2008-01-06 08:06 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-06 07:37 . 2008-01-06 07:37 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-06 07:37 . 2008-01-06 07:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-06 07:22 . 2008-01-06 07:22 <DIR> d-------- C:\Documents and Settings\Tina\Application Data\ComcastToolbar
2008-01-03 10:49 . 2008-01-13 09:13 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-03 10:49 . 2008-01-03 10:49 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-29 09:36 . 2008-01-09 15:23 664 --a------ C:\WINDOWS\cdplayer.ini
2007-12-29 08:41 . 2007-12-29 08:41 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-22 17:17 . 2007-12-22 17:17 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2007-12-22 17:16 . 2007-12-22 17:16 <DIR> d-------- C:\Program Files\RCA
2007-12-16 09:03 . 2002-11-14 11:42 218,624 --a------ C:\WINDOWS\system32\srrstr.dll
2007-12-16 09:03 . 2002-11-14 11:42 218,624 --a------ C:\WINDOWS\system32\dllcache\srrstr.dll
2007-12-16 08:52 . 2004-01-09 21:11 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2007-12-15 15:02 . 2007-12-15 15:02 <DIR> d--h----- C:\WINDOWS\$xpsp1hfm$
2007-12-14 11:31 . 2007-12-14 11:31 <DIR> d-------- C:\Program Files\InstallShield Installation Information
2007-12-14 11:30 . 2007-12-14 11:30 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-12-13 07:26 . 2007-12-13 07:26 <DIR> d-------- C:\WINDOWS\system32\bits

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 17:02 246 ----a-w C:\Program Files\Common Files\teda
2007-12-31 17:38 36,624 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-12-31 17:38 2,560 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-31 17:38 2,432 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-31 17:38 158,456 ------w C:\WINDOWS\system32\pxwma.dll
2007-12-10 11:44 --------- d-----w C:\Program Files\QuickTime
2007-12-10 11:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-10 11:43 --------- d-----w C:\Program Files\Apple Software Update
2007-12-10 11:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-12-09 21:20 --------- d-----w C:\Documents and Settings\Tina\Application Data\acccore
2007-12-09 21:19 --------- d-----w C:\Program Files\AIM6
2007-12-09 21:05 --------- d-----w C:\Program Files\Common Files\xing shared
2007-12-09 21:04 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-12-09 21:04 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-12-09 21:04 --------- d-----w C:\Program Files\Real
2007-12-09 21:04 --------- d-----w C:\Program Files\Common Files\Real
2007-12-09 19:43 --------- d-----w C:\Documents and Settings\Tina\Application Data\LimeWire
2007-12-09 19:41 --------- d-----w C:\Program Files\LimeWire
2007-12-08 10:01 --------- d-----w C:\Documents and Settings\Tina\Application Data\Yahoo!
2007-12-08 10:00 --------- d-----w C:\Program Files\Viewpoint
2007-12-08 10:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-08 10:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-12-08 10:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-08 09:59 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-08 09:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-08 09:54 --------- d-----w C:\Program Files\Yahoo!
2007-12-08 08:48 --------- d-----w C:\Program Files\Google
2007-12-08 08:27 --------- d-----w C:\Program Files\Common Files\Scanner
2007-12-08 08:27 --------- d-----w C:\Program Files\ComcastToolbar
2007-12-08 08:16 --------- d-----w C:\Program Files\support.com
2007-12-08 08:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Support.com
2007-10-31 21:03 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
.
<pre>
----a-w		 4,670,704 2008-01-07 17:10:54  C:\Program Files\Yahoo!\Messenger\YAHOOM~1  .EXE
</pre>


((((((((((((((((((((((((((((( snapshot@2008-01-13_12.19.55.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-13 20:14:36 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-13 21:05:54 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-13 20:14:36 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-13 21:05:54 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-13 20:14:36 2,203,648 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-13 21:05:54 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-13 20:14:36 282,624 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-13 21:05:54 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-13 20:14:36 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-13 21:05:54 2,207,744 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-13 20:14:36 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-13 21:05:54 282,624 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-13 21:10:22 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_508.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2008-01-06 09:39 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-01-07 08:05 79224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli.dll scecli.dll scecli.dll scecli.dll

R1 usbhubb;usbhubb;C:\WINDOWS\System32\drivers\usbhubb.sys [2008-01-06 09:01]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 03:46:14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 13:10:49
Windows 5.1.2600 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-13 13:12:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-13 21:12:16
ComboFix2.txt 2008-01-13 20:20:18
.
2007-12-21 15:26:45 --- E O F ---

Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:28 PM, on 1/13/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/c...::/xpreload.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4947 bytes
  • 0

#6
Rorschach112
Posted 13 January 2008 - 04:36 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\web\related.htm
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE

Folder::
C:\Temp\tn3
C:\Program Files\Common Files\teda

RENV::
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

  • 0

#7
Altrockrulz
Posted 13 January 2008 - 06:21 PM

Altrockrulz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here you go.....


latest combofix log:

ComboFix 08-01-13.1 - Tina 2008-01-13 14:46:26.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.103 [GMT -8:00]
Running from: C:\Documents and Settings\Tina\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tina\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
C:\WINDOWS\web\related.htm
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\teda\
C:\temp\tn3
C:\WINDOWS\web\related.htm
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-13 14:49 . 2008-01-13 14:49 <DIR> d-------- C:\Temp\tn3
2008-01-13 12:13 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-09 14:02 . 2008-01-09 14:02 <DIR> d-------- C:\Documents and Settings\Tina\Application Data\Apple Computer
2008-01-07 15:18 . 2008-01-07 15:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-07 07:42 . 2007-12-04 04:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-07 07:42 . 2007-12-04 06:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-07 07:42 . 2007-12-04 06:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-07 07:42 . 2007-12-04 06:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-07 07:41 . 2008-01-07 07:41 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-07 07:41 . 2003-03-18 12:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-01-07 07:41 . 2007-12-04 05:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-07 07:41 . 2004-01-09 01:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-07 07:41 . 2007-12-04 06:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-07 07:41 . 2007-12-04 06:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-06 09:01 . 2008-01-06 09:01 <DIR> d-------- C:\Temp
2008-01-06 09:01 . 2008-01-06 09:01 86,016 --a------ C:\WINDOWS\system32\drivers\usbhubb.sys
2008-01-06 09:01 . 2008-01-13 14:49 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-06 08:05 . 2008-01-06 08:06 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-06 07:37 . 2008-01-06 07:37 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-06 07:37 . 2008-01-06 07:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-06 07:22 . 2008-01-06 07:22 <DIR> d-------- C:\Documents and Settings\Tina\Application Data\ComcastToolbar
2008-01-03 10:49 . 2008-01-13 09:13 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-03 10:49 . 2008-01-03 10:49 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-29 09:36 . 2008-01-09 15:23 664 --a------ C:\WINDOWS\cdplayer.ini
2007-12-29 08:41 . 2007-12-29 08:41 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-22 17:17 . 2007-12-22 17:17 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2007-12-22 17:16 . 2007-12-22 17:16 <DIR> d-------- C:\Program Files\RCA
2007-12-16 09:03 . 2002-11-14 11:42 218,624 --a------ C:\WINDOWS\system32\srrstr.dll
2007-12-16 09:03 . 2002-11-14 11:42 218,624 --a------ C:\WINDOWS\system32\dllcache\srrstr.dll
2007-12-16 08:52 . 2004-01-09 21:11 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2007-12-15 15:02 . 2007-12-15 15:02 <DIR> d--h----- C:\WINDOWS\$xpsp1hfm$
2007-12-14 11:31 . 2007-12-14 11:31 <DIR> d-------- C:\Program Files\InstallShield Installation Information
2007-12-14 11:30 . 2007-12-14 11:30 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-12-13 07:26 . 2007-12-13 07:26 <DIR> d-------- C:\WINDOWS\system32\bits

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 17:02 246 ----a-w C:\Program Files\Common Files\teda
2007-12-31 17:38 36,624 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-12-31 17:38 2,560 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-31 17:38 2,432 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-31 17:38 158,456 ------w C:\WINDOWS\system32\pxwma.dll
2007-12-10 11:44 --------- d-----w C:\Program Files\QuickTime
2007-12-10 11:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-10 11:43 --------- d-----w C:\Program Files\Apple Software Update
2007-12-10 11:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-12-09 21:20 --------- d-----w C:\Documents and Settings\Tina\Application Data\acccore
2007-12-09 21:19 --------- d-----w C:\Program Files\AIM6
2007-12-09 21:05 --------- d-----w C:\Program Files\Common Files\xing shared
2007-12-09 21:04 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-12-09 21:04 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-12-09 21:04 --------- d-----w C:\Program Files\Real
2007-12-09 21:04 --------- d-----w C:\Program Files\Common Files\Real
2007-12-09 19:43 --------- d-----w C:\Documents and Settings\Tina\Application Data\LimeWire
2007-12-09 19:41 --------- d-----w C:\Program Files\LimeWire
2007-12-08 10:01 --------- d-----w C:\Documents and Settings\Tina\Application Data\Yahoo!
2007-12-08 10:00 --------- d-----w C:\Program Files\Viewpoint
2007-12-08 10:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-08 10:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-12-08 10:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-08 09:59 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-08 09:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-08 09:54 --------- d-----w C:\Program Files\Yahoo!
2007-12-08 08:48 --------- d-----w C:\Program Files\Google
2007-12-08 08:27 --------- d-----w C:\Program Files\Common Files\Scanner
2007-12-08 08:27 --------- d-----w C:\Program Files\ComcastToolbar
2007-12-08 08:16 --------- d-----w C:\Program Files\support.com
2007-12-08 08:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Support.com
2007-10-31 21:03 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
.
<pre>
----a-w		 4,670,704 2008-01-07 17:10:54  C:\Program Files\Yahoo!\Messenger\YAHOOM~1  .EXE
</pre>


((((((((((((((((((((((((((((( snapshot@2008-01-13_12.19.55.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-13 20:14:36 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-13 22:46:22 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-13 20:14:36 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-13 22:46:22 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-13 20:14:36 2,203,648 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-13 22:46:24 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-13 20:14:36 282,624 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-13 22:46:24 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-13 20:14:36 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-13 22:46:24 2,207,744 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-13 20:14:36 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-13 22:46:24 282,624 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-13 22:49:26 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_4f4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2008-01-06 09:39 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-01-07 08:05 79224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli.dll scecli.dll scecli.dll scecli.dll scecli.dll scecli.dll scecli.dll scecli.dll

R1 usbhubb;usbhubb;C:\WINDOWS\System32\drivers\usbhubb.sys [2008-01-06 09:01]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 03:46:14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 14:50:01
Windows 5.1.2600 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-13 14:51:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-13 22:51:08
ComboFix3.txt 2008-01-13 20:20:18
ComboFix2.txt 2008-01-13 21:12:20
.
2007-12-21 15:26:45 --- E O F ---


and Superantispyware scan log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/13/2008 at 04:03 PM

Application Version : 3.9.1008

Core Rules Database Version : 3379
Trace Rules Database Version: 1373

Scan type : Complete Scan
Total Scan Time : 00:59:49

Memory items scanned : 338
Memory threats detected : 0
Registry items scanned : 4061
Registry threats detected : 0
File items scanned : 24275
File threats detected : 67

Adware.Tracking Cookie
C:\Documents and Settings\Tina\Cookies\[email protected][2].txt
C:\Documents and Settings\Tina\Cookies\[email protected][1].txt
C:\Documents and Settings\Tina\Cookies\tina@apmebf[1].txt
C:\Documents and Settings\Tina\Cookies\tina@doubleclick[2].txt
C:\Documents and Settings\Tina\Cookies\tina@findology[1].txt
C:\Documents and Settings\Tina\Cookies\[email protected][5].txt
C:\Documents and Settings\Tina\Cookies\[email protected][1].txt
C:\Documents and Settings\Tina\Cookies\tina@bluestreak[1].txt
C:\Documents and Settings\Tina\Cookies\tina@interclick[2].txt
C:\Documents and Settings\Tina\Cookies\tina@directtrack[1].txt
C:\Documents and Settings\Tina\Cookies\[email protected][2].txt
C:\Documents and Settings\Tina\Cookies\tina@atdmt[2].txt
C:\Documents and Settings\Tina\Cookies\[email protected][1].txt
C:\Documents and Settings\Tina\Cookies\tina@toseeka[1].txt
C:\Documents and Settings\Tina\Cookies\[email protected][1].txt
C:\Documents and Settings\Tina\Cookies\[email protected][2].txt
C:\Documents and Settings\Tina\Cookies\[email protected][2].txt
C:\Documents and Settings\Tina\Cookies\tina@specificclick[1].txt
C:\Documents and Settings\Tina\Cookies\tina@zedo[2].txt
C:\Documents and Settings\Tina\Cookies\[email protected][2].txt
C:\Documents and Settings\Tina\Cookies\[email protected][2].txt
C:\Documents and Settings\Tina\Cookies\[email protected][1].txt
C:\Documents and Settings\Tina\Cookies\[email protected][1].txt
C:\Documents and Settings\Tina\Cookies\[email protected][4].txt
C:\Documents and Settings\Tina\Cookies\tina@adrevolver[2].txt
C:\Documents and Settings\Tina\Cookies\tina@zedo[1].txt
C:\Documents and Settings\Tina\Cookies\[email protected][1].txt
C:\Documents and Settings\Tina\Cookies\tina@atdmt[1].txt
C:\Documents and Settings\Tina\Cookies\tina@revsci[2].txt
C:\Documents and Settings\Tina\Cookies\[email protected][1].txt
C:\Documents and Settings\Tina\Cookies\tina@burstnet[1].txt
C:\Documents and Settings\Tina\Cookies\tina@adrevolver[4].txt
C:\Documents and Settings\Tina\Cookies\[email protected][1].txt
C:\Documents and Settings\Tina\Cookies\[email protected][1].txt
C:\Documents and Settings\Tina\Cookies\[email protected][1].txt
C:\Documents and Settings\Tina\Cookies\tina@advertising[2].txt
C:\Documents and Settings\Tina\Cookies\[email protected][2].txt
C:\Documents and Settings\Tina\Cookies\[email protected][3].txt
C:\Documents and Settings\Tina\Cookies\[email protected][2].txt
C:\Documents and Settings\Tina\Cookies\tina@tradedoubler[1].txt
C:\Documents and Settings\Tina\Cookies\tina@adrevolver[3].txt
C:\Documents and Settings\Tina\Cookies\[email protected][1].txt
C:\Documents and Settings\Tina\Cookies\tina@zedo[3].txt
C:\Documents and Settings\Tina\Cookies\tina@casalemedia[1].txt
C:\Documents and Settings\Tina\Cookies\tina@enhance[2].txt
C:\Documents and Settings\Tina\Cookies\tina@specificclick[3].txt
C:\Documents and Settings\Tina\Cookies\[email protected][1].txt
C:\Documents and Settings\Tina\Cookies\[email protected][3].txt
C:\Documents and Settings\Tina\Cookies\[email protected][2].txt

RootKit.TnCore/Trace
C:\WINDOWS\system32\drivers\core.cache.dsk

Adware.Vundo-Variant
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\DATA\MOVED\MLJKL.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{20E37D35-CF25-48EC-866B-52CAD6F0EA08}\RP3\A0000048.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{20E37D35-CF25-48EC-866B-52CAD6F0EA08}\RP4\A0000058.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{20E37D35-CF25-48EC-866B-52CAD6F0EA08}\RP5\A0000067.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{20E37D35-CF25-48EC-866B-52CAD6F0EA08}\RP6\A0000138.DLL

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{20E37D35-CF25-48EC-866B-52CAD6F0EA08}\RP7\A0000157.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{20E37D35-CF25-48EC-866B-52CAD6F0EA08}\RP7\A0000158.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{20E37D35-CF25-48EC-866B-52CAD6F0EA08}\RP8\A0000219.VBS
C:\QOOBOX\QUARANTINE\C\WINDOWS\UNINSTALL_NMON.VBS.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WTSISVSU.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\WHAGUHJV\QJE0OJLS.VBS.VIR

Adware.StarsDoor
C:\SYSTEM VOLUME INFORMATION\_RESTORE{20E37D35-CF25-48EC-866B-52CAD6F0EA08}\RP7\A0000161.EXE
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\KERNEL\KERNEL .EXE.VIR

Trojan.Downloader-Gen/BundleBase
C:\SYSTEM VOLUME INFORMATION\_RESTORE{20E37D35-CF25-48EC-866B-52CAD6F0EA08}\RP8\A0000217.EXE
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\ARDCO01\ARDCO011065.EXE.VIR

Adware.ClickSpring/Yazzle
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1281OINUNINSTALLER.EXE.VIR

Adware.k8l
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\XUME.HTML.VIR
  • 0

#8
Altrockrulz
Posted 13 January 2008 - 06:22 PM

Altrockrulz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here you go.....


latest combofix log:

ComboFix 08-01-13.1 - Tina 2008-01-13 14:46:26.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.103 [GMT -8:00]
Running from: C:\Documents and Settings\Tina\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tina\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
C:\WINDOWS\web\related.htm
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\teda\
C:\temp\tn3
C:\WINDOWS\web\related.htm
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-13 14:49 . 2008-01-13 14:49 <DIR> d-------- C:\Temp\tn3
2008-01-13 12:13 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-09 14:02 . 2008-01-09 14:02 <DIR> d-------- C:\Documents and Settings\Tina\Application Data\Apple Computer
2008-01-07 15:18 . 2008-01-07 15:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-07 07:42 . 2007-12-04 04:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-07 07:42 . 2007-12-04 06:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-07 07:42 . 2007-12-04 06:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-07 07:42 . 2007-12-04 06:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-07 07:41 . 2008-01-07 07:41 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-07 07:41 . 2003-03-18 12:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-01-07 07:41 . 2007-12-04 05:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-07 07:41 . 2004-01-09 01:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-07 07:41 . 2007-12-04 06:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-07 07:41 . 2007-12-04 06:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-06 09:01 . 2008-01-06 09:01 <DIR> d-------- C:\Temp
2008-01-06 09:01 . 2008-01-06 09:01 86,016 --a------ C:\WINDOWS\system32\drivers\usbhubb.sys
2008-01-06 09:01 . 2008-01-13 14:49 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-06 08:05 . 2008-01-06 08:06 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-06 07:37 . 2008-01-06 07:37 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-06 07:37 . 2008-01-06 07:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-06 07:22 . 2008-01-06 07:22 <DIR> d-------- C:\Documents and Settings\Tina\Application Data\ComcastToolbar
2008-01-03 10:49 . 2008-01-13 09:13 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-03 10:49 . 2008-01-03 10:49 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-29 09:36 . 2008-01-09 15:23 664 --a------ C:\WINDOWS\cdplayer.ini
2007-12-29 08:41 . 2007-12-29 08:41 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-22 17:17 . 2007-12-22 17:17 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2007-12-22 17:16 . 2007-12-22 17:16 <DIR> d-------- C:\Program Files\RCA
2007-12-16 09:03 . 2002-11-14 11:42 218,624 --a------ C:\WINDOWS\system32\srrstr.dll
2007-12-16 09:03 . 2002-11-14 11:42 218,624 --a------ C:\WINDOWS\system32\dllcache\srrstr.dll
2007-12-16 08:52 . 2004-01-09 21:11 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2007-12-15 15:02 . 2007-12-15 15:02 <DIR> d--h----- C:\WINDOWS\$xpsp1hfm$
2007-12-14 11:31 . 2007-12-14 11:31 <DIR> d-------- C:\Program Files\InstallShield Installation Information
2007-12-14 11:30 . 2007-12-14 11:30 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-12-13 07:26 . 2007-12-13 07:26 <DIR> d-------- C:\WINDOWS\system32\bits

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 17:02 246 ----a-w C:\Program Files\Common Files\teda
2007-12-31 17:38 36,624 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-12-31 17:38 2,560 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-31 17:38 2,432 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-31 17:38 158,456 ------w C:\WINDOWS\system32\pxwma.dll
2007-12-10 11:44 --------- d-----w C:\Program Files\QuickTime
2007-12-10 11:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-10 11:43 --------- d-----w C:\Program Files\Apple Software Update
2007-12-10 11:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-12-09 21:20 --------- d-----w C:\Documents and Settings\Tina\Application Data\acccore
2007-12-09 21:19 --------- d-----w C:\Program Files\AIM6
2007-12-09 21:05 --------- d-----w C:\Program Files\Common Files\xing shared
2007-12-09 21:04 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-12-09 21:04 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-12-09 21:04 --------- d-----w C:\Program Files\Real
2007-12-09 21:04 --------- d-----w C:\Program Files\Common Files\Real
2007-12-09 19:43 --------- d-----w C:\Documents and Settings\Tina\Application Data\LimeWire
2007-12-09 19:41 --------- d-----w C:\Program Files\LimeWire
2007-12-08 10:01 --------- d-----w C:\Documents and Settings\Tina\Application Data\Yahoo!
2007-12-08 10:00 --------- d-----w C:\Program Files\Viewpoint
2007-12-08 10:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-08 10:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-12-08 10:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-08 09:59 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-08 09:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-08 09:54 --------- d-----w C:\Program Files\Yahoo!
2007-12-08 08:48 --------- d-----w C:\Program Files\Google
2007-12-08 08:27 --------- d-----w C:\Program Files\Common Files\Scanner
2007-12-08 08:27 --------- d-----w C:\Program Files\ComcastToolbar
2007-12-08 08:16 --------- d-----w C:\Program Files\support.com
2007-12-08 08:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Support.com
2007-10-31 21:03 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
.
<pre>
----a-w		 4,670,704 2008-01-07 17:10:54  C:\Program Files\Yahoo!\Messenger\YAHOOM~1  .EXE
</pre>


((((((((((((((((((((((((((((( snapshot@2008-01-13_12.19.55.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-13 20:14:36 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-13 22:46:22 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-13 20:14:36 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-13 22:46:22 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-13 20:14:36 2,203,648 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-13 22:46:24 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-13 20:14:36 282,624 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-13 22:46:24 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-13 20:14:36 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-13 22:46:24 2,207,744 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-13 20:14:36 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-13 22:46:24 282,624 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-13 22:49:26 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_4f4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2008-01-06 09:39 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-01-07 08:05 79224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli.dll scecli.dll scecli.dll scecli.dll scecli.dll scecli.dll scecli.dll scecli.dll

R1 usbhubb;usbhubb;C:\WINDOWS\System32\drivers\usbhubb.sys [2008-01-06 09:01]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 03:46:14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 14:50:01
Windows 5.1.2600 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-13 14:51:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-13 22:51:08
ComboFix3.txt 2008-01-13 20:20:18
ComboFix2.txt 2008-01-13 21:12:20
.
2007-12-21 15:26:45 --- E O F ---


and Superantispyware scan log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/13/2008 at 04:03 PM

Application Version : 3.9.1008

Core Rules Database Version : 3379
Trace Rules Database Version: 1373

Scan type : Complete Scan
Total Scan Time : 00:59:49

Memory items scanned : 338
Memory threats detected : 0
Registry items scanned : 4061
Registry threats detected : 0
File items scanned : 24275
File threats detected : 67

Adware.Tracking Cookie
C:\Documents and Settings\Tina\Cookies\[email protected][2].txt
C:\Documents and Settings\Tina\Cookies\[email protected][1].txt
C:\Documents and Settings\Tina\Cookies\tina@apmebf[1].txt
C:\Documents and Settings\Tina\Cookies\tina@doubleclick[2].txt
C:\Documents and Settings\Tina\Cookies\tina@findology[1].txt
C:\Documents and Settings\Tina\Cookies\[email protected][5].txt
C:\Documents and Settings\Tina\Cookies\[email protected][1].txt
C:\Documents and Settings\Tina\Cookies\tina@bluestreak[1].txt
C:\Documents and Settings\Tina\Cookies\tina@interclick[2].txt
C:\Documents and Settings\Tina\Cookies\tina@directtrack[1].txt
C:\Documents and Settings\Tina\Cookies\[email protected][2].txt
C:\Documents and Settings\Tina\Cookies\tina@atdmt[2].txt
C:\Documents and Settings\Tina\Cookies\[email protected][1].txt
C:\Documents and Settings\Tina\Cookies\tina@toseeka[1].txt
C:\Documents and Settings\Tina\Cookies\[email protected][1].txt
C:\Documents and Settings\Tina\Cookies\[email protected][2].txt
C:\Documents and Settings\Tina\Cookies\[email protected][2].txt
C:\Documents and Settings\Tina\Cookies\tina@specificclick[1].txt
C:\Documents and Settings\Tina\Cookies\tina@zedo[2].txt
C:\Documents and Settings\Tina\Cookies\[email protected][2].txt
C:\Documents and Settings\Tina\Cookies\[email protected][2].txt
C:\Documents and Settings\Tina\Cookies\[email protected][1].txt
C:\Documents and Settings\Tina\Cookies\[email protected][1].txt
C:\Documents and Settings\Tina\Cookies\[email protected][4].txt
C:\Documents and Settings\Tina\Cookies\tina@adrevolver[2].txt
C:\Documents and Settings\Tina\Cookies\tina@zedo[1].txt
C:\Documents and Settings\Tina\Cookies\[email protected][1].txt
C:\Documents and Settings\Tina\Cookies\tina@atdmt[1].txt
C:\Documents and Settings\Tina\Cookies\tina@revsci[2].txt
C:\Documents and Settings\Tina\Cookies\[email protected][1].txt
C:\Documents and Settings\Tina\Cookies\tina@burstnet[1].txt
C:\Documents and Settings\Tina\Cookies\tina@adrevolver[4].txt
C:\Documents and Settings\Tina\Cookies\[email protected][1].txt
C:\Documents and Settings\Tina\Cookies\[email protected][1].txt
C:\Documents and Settings\Tina\Cookies\[email protected][1].txt
C:\Documents and Settings\Tina\Cookies\tina@advertising[2].txt
C:\Documents and Settings\Tina\Cookies\[email protected][2].txt
C:\Documents and Settings\Tina\Cookies\[email protected][3].txt
C:\Documents and Settings\Tina\Cookies\[email protected][2].txt
C:\Documents and Settings\Tina\Cookies\tina@tradedoubler[1].txt
C:\Documents and Settings\Tina\Cookies\tina@adrevolver[3].txt
C:\Documents and Settings\Tina\Cookies\[email protected][1].txt
C:\Documents and Settings\Tina\Cookies\tina@zedo[3].txt
C:\Documents and Settings\Tina\Cookies\tina@casalemedia[1].txt
C:\Documents and Settings\Tina\Cookies\tina@enhance[2].txt
C:\Documents and Settings\Tina\Cookies\tina@specificclick[3].txt
C:\Documents and Settings\Tina\Cookies\[email protected][1].txt
C:\Documents and Settings\Tina\Cookies\[email protected][3].txt
C:\Documents and Settings\Tina\Cookies\[email protected][2].txt

RootKit.TnCore/Trace
C:\WINDOWS\system32\drivers\core.cache.dsk

Adware.Vundo-Variant
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\DATA\MOVED\MLJKL.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{20E37D35-CF25-48EC-866B-52CAD6F0EA08}\RP3\A0000048.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{20E37D35-CF25-48EC-866B-52CAD6F0EA08}\RP4\A0000058.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{20E37D35-CF25-48EC-866B-52CAD6F0EA08}\RP5\A0000067.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{20E37D35-CF25-48EC-866B-52CAD6F0EA08}\RP6\A0000138.DLL

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{20E37D35-CF25-48EC-866B-52CAD6F0EA08}\RP7\A0000157.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{20E37D35-CF25-48EC-866B-52CAD6F0EA08}\RP7\A0000158.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{20E37D35-CF25-48EC-866B-52CAD6F0EA08}\RP8\A0000219.VBS
C:\QOOBOX\QUARANTINE\C\WINDOWS\UNINSTALL_NMON.VBS.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WTSISVSU.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\WHAGUHJV\QJE0OJLS.VBS.VIR

Adware.StarsDoor
C:\SYSTEM VOLUME INFORMATION\_RESTORE{20E37D35-CF25-48EC-866B-52CAD6F0EA08}\RP7\A0000161.EXE
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\KERNEL\KERNEL .EXE.VIR

Trojan.Downloader-Gen/BundleBase
C:\SYSTEM VOLUME INFORMATION\_RESTORE{20E37D35-CF25-48EC-866B-52CAD6F0EA08}\RP8\A0000217.EXE
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\ARDCO01\ARDCO011065.EXE.VIR

Adware.ClickSpring/Yazzle
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1281OINUNINSTALLER.EXE.VIR

Adware.k8l
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\XUME.HTML.VIR
  • 0

#9
Rorschach112
Posted 13 January 2008 - 06:27 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Download RenV.exe to your desktop.
http://download.blee...s/Beta/RenV.exe

Double click RenV.exe to run it.

A text will open close it then drag and drop that text onto RenV.exe. Post the resulting log and tell me how your PC is running
  • 0

#10
Altrockrulz
Posted 14 January 2008 - 09:16 AM

Altrockrulz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Heres the RenV Log:

Ran on Mon 01/14/2008 -  7:14:50.38

----a-w		 4,670,704 2008-01-07 17:10:54  C:\Program Files\Yahoo!\Messenger\YAHOOM~1  .EXE

 Entries:				1  (1)
 Directories:			0  Files:			 1
 Bytes:		  4,670,704  Blocks:		9,123

And no problems, everything seems to be running perfectly.
  • 0

#11
Rorschach112
Posted 14 January 2008 - 10:19 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean ! We need to do a few things

Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0

#12
Altrockrulz
Posted 14 January 2008 - 11:53 AM

Altrockrulz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
No thank you for your quick responses to posts after initial reply...and I already use firefox never did trust IE unfortunately it has to stay on the machine or else I would delete it all together. Anyways thanks again and don't work too hard lol.
  • 0

#13
Rorschach112
Posted 14 January 2008 - 11:53 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP