
I'm badly Infected



#1 sangv001 (New Member, 9 posts)
My system got infected with a virus that seems to regenerate itself. I have installed Spybot and Avast and they find the infected files but they cannot delete them. If you can help that would be greatly appreciated. Otherwise, I will have to reformat my hard drive, which I'm willing to do if this cannot be cleaned.
Thank you for your time.


Logfile of HijackThis v1.99.1
Scan saved at 11:26:06 PM, on 1/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\svcd\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP USB Multimedia Keyboard\KMaestro.exe
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET .EXE
C:\Program Files\HP USB Multimedia Keyboard\KMaestro .exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol .exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML .exe
C:\Program Files\Mouse Driver\MouseDrv.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched .exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect .exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {65b42cc0-f997-461e-9e0c-4f1b1ade30e5} - C:\WINDOWS\system32\yqfnogf.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {D4576C73-52BD-4401-B966-5A128C4433D4} - C:\WINDOWS\system32\xxyvwvs.dll
O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\HP USB Multimedia Keyboard\KMaestro.exe"
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [WireLessMouse] C:\Program Files\Mouse Driver\StartAutorun.exe MouseDrv.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Asnw] "C:\WINDOWS\system32\SMBOLS~1\ati2evxx.exe" -vt yazb
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.6\webbuying.exe
O4 - HKCU\..\Run: [Zwhtinur] "C:\Program Files\?ppPatch\spool32.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Security Service (YHST) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe

#2 Cookiegal (Visiting Consultant, 889 posts)
Hi and welcome to Geeks to Go!


Right click HERE and Save As (in IE it's "Save Target As") in order to download DelDomains.inf to your desktop.
To use: Right click DelDomains.inf and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.


Please close/disable all anti-virus and anti-malware programs so they do not interfere with the running of SDFix and make sure you are disconnected from the Internet after downloading the program but before extracting the files.

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix and remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection again afterwards before connecting to the Internet.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
  • Instead of Windows loading as normal, the Advanced Options Menu should appear
  • Select the first option, to run Windows in Safe Mode, then press Enter
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to the clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


#3 sangv001 (Topic Starter, New Member, 9 posts)
So far so good. Thank you so much for your time.



SDFix: Version 1.127

Run by Administrator on Thu 01/17/2008 at 07:06 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\PROGRA~1\MSNGAM~1\RTEREL~1.HTM - Deleted
C:\PROGRA~1\MSNGAM~1\QUJAW187 - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\WINDOWS\system32\CID - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\SvcNm - Deleted
C:\WINDOWS\system32\upds.log - Deleted
C:\WINDOWS\system32\url1 - Deleted
C:\WINDOWS\system32\url2 - Deleted
C:\WINDOWS\system32\url3 - Deleted


Could Not Remove C:\WINDOWS\system32\drivers\core.cache.dsk

Folder C:\Temp\1cb - Removed
Folder C:\Temp\tn3 - Removed
Folder C:\WINDOWS\system32\svcd - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 19:11:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Steam\\steamapps\\johnxgreenthumbx\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\johnxgreenthumbx\\counter-strike source\\hl2.exe:*:Disabled:hl2"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Disabled:Run a DLL as an App"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "
"C:\\Program Files\\Skype\\Phone\\Skype .exe"="C:\\Program Files\\Skype\\Phone\\Skype .exe:*:Enabled:Skype. Take a deep breath "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------
C:\WINDOWS\system32\drivers\core.cache.dsk Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 25 May 2005 3,112,968 A..H. --- "C:\Program Files\Picasa2\setup.exe"

Finished!

#4 Cookiegal (Visiting Consultant, 889 posts)
Please close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix and make sure you are disconnected from the Internet after downloading the program and before scanning.

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix and remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection again afterwards before connecting to the Internet.

Download ComboFix and save it to your desktop.

**Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.
  • WARNING: IF you have not already done so ComboFix will disconnect your machine from the Internet when it starts.
  • Please do not re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection when Combofix has completely finished then restart your computer to restore the connection.

Double-click on combofix.exe and follow the prompts. When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick comboFix's window while it's running. That may cause it to stall**

#5 sangv001 (Topic Starter, New Member, 9 posts)
My computer just got worse after this fix.


ComboFix 08-01-18.5 - Administrator 2008-01-18 13:00:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.686 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator.JOHN-F58760FC57\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\outerinfo
C:\Program Files\pppatc~1
C:\temp\tn3
C:\WINDOWS\system32\awtqr.dll
C:\WINDOWS\system32\ddayw.dll
C:\WINDOWS\system32\e9
C:\WINDOWS\system32\e9\farstadcom2.exe
C:\WINDOWS\system32\gebcc.dll
C:\WINDOWS\system32\geeba.dll
C:\WINDOWS\system32\geeby.dll
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\mllji.dll
C:\WINDOWS\system32\p2
C:\WINDOWS\system32\pmkhe.dll
C:\WINDOWS\system32\pmkjg.dll
C:\WINDOWS\system32\pmkjk.dll
C:\WINDOWS\system32\rstwa.ini
C:\WINDOWS\system32\rstwa.ini2
C:\WINDOWS\system32\smbols~1
C:\WINDOWS\system32\smbols~1\s?mbols\
C:\WINDOWS\system32\ssqpo.dll
C:\WINDOWS\system32\ssqrp.dll
C:\WINDOWS\system32\sstqr.dll
C:\WINDOWS\system32\t8
C:\WINDOWS\system32\vtsqq.dll
C:\WINDOWS\system32\vturs.dll
C:\WINDOWS\system32\xxyvwvs.dll
C:\WINDOWS\system32\z4
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.

2008-01-18 13:06 . 2008-01-18 13:06 <DIR> d-------- C:\Temp\tn3
2008-01-18 12:59 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-17 19:25 . 2008-01-18 11:30 <DIR> d-------- C:\Program Files\Steam
2008-01-17 19:23 . 2008-01-17 19:23 <DIR> d-------- C:\Program Files\Valve
2008-01-17 19:10 . 2008-01-17 19:10 <DIR> d--hs---- C:\WINDOWS\system32\dllcache
2008-01-17 19:10 . 2008-01-18 13:05 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-17 19:05 . 2008-01-17 19:05 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-16 14:08 . 2008-01-16 14:09 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-01-16 14:07 . 2008-01-16 14:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-16 04:09 . 2008-01-16 04:09 <DIR> d-------- C:\Documents and Settings\Administrator.JOHN-F58760FC57\Application Data\Apple Computer
2008-01-16 02:10 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-16 01:58 . 2008-01-16 04:26 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-16 01:58 . 2008-01-16 04:06 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-16 01:58 . 2008-01-16 04:06 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-16 01:58 . 2008-01-16 04:06 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-16 00:42 . 2008-01-16 00:42 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2008-01-16 00:42 . 2008-01-16 00:42 <DIR> d-------- C:\Documents and Settings\Administrator.JOHN-F58760FC57\Application Data\Grisoft
2008-01-14 22:08 . 2008-01-14 22:09 2,604 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-14 16:05 . 2008-01-15 23:04 90,112 --a------ C:\WINDOWS\UpdReg .EXE
2008-01-14 16:04 . 2008-01-14 23:23 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-14 16:04 . 2008-01-16 04:01 265 --a------ C:\WINDOWS\wininit.ini
2008-01-14 15:08 . 2008-01-14 16:23 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-01-14 14:43 . 2008-01-16 01:47 <DIR> d-------- C:\WINDOWS\system32\edcA01
2008-01-14 14:43 . 2008-01-16 01:47 <DIR> d--hs---- C:\WINDOWS\Sm9obiBTYW5ndmVyYXBodW5zaXJp
2008-01-14 14:43 . 2008-01-14 14:43 <DIR> d-------- C:\Temp\Ryuan1
2008-01-14 14:43 . 2008-01-18 13:06 <DIR> d-------- C:\Temp
2008-01-14 14:43 . 2008-01-14 14:43 86,016 --a------ C:\WINDOWS\system32\drivers\sonydcamm.sys
2008-01-03 19:00 . 2008-01-03 19:00 <DIR> d---s---- C:\Documents and Settings\Administrator.JOHN-F58760FC57\UserData
2007-12-23 22:32 . 2007-12-23 22:32 <DIR> d-------- C:\Documents and Settings\Administrator.JOHN-F58760FC57\Application Data\Ventrilo
2007-12-21 14:45 . 2008-01-17 19:20 <DIR> d-------- C:\Documents and Settings\Administrator.JOHN-F58760FC57\Application Data\skypePM
2007-12-21 14:45 . 2008-01-18 13:06 <DIR> d-------- C:\Documents and Settings\Administrator.JOHN-F58760FC57\Application Data\Skype
2007-12-21 14:45 . 2007-12-21 14:45 32 --a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\ezsid.dat
2007-12-21 14:44 . 2007-12-21 14:44 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-12-21 14:44 . 2007-12-21 14:44 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Skype
2007-12-21 14:38 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2007-12-21 14:37 . 2007-12-21 14:37 <DIR> d-------- C:\Program Files\MSBuild
2007-12-21 14:37 . 2007-12-21 14:37 <DIR> d-------- C:\Program Files\Microsoft Works
2007-12-21 14:30 . 2007-12-21 14:39 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2007-12-21 14:29 . 2007-12-21 14:29 <DIR> dr-h----- C:\MSOCache
2007-12-21 14:24 . 2008-01-16 03:53 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-21 14:24 . 2007-12-22 16:49 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-21 14:23 . 2008-01-16 01:47 <DIR> d-------- C:\Program Files\QuickTime
2007-12-21 14:23 . 2007-12-21 14:23 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2007-12-21 14:22 . 2007-12-21 14:22 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-21 14:22 . 2007-12-21 14:22 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2007-12-21 14:02 . 2008-01-17 19:02 4,958,588 --------- C:\WINDOWS\{00000003-00000000-00000001-00001102-00000008-10211102}.BAK
2007-12-21 14:00 . 2008-01-18 13:04 32,136 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000003-00000000-00000001-00001102-00000008-10211102}.rfx
2007-12-21 14:00 . 2008-01-18 13:04 32,136 --a------ C:\WINDOWS\system32\BMXState-{00000003-00000000-00000001-00001102-00000008-10211102}.rfx
2007-12-21 14:00 . 2008-01-18 13:04 30,924 --a------ C:\WINDOWS\system32\BMXCtrlState-{00000003-00000000-00000001-00001102-00000008-10211102}.rfx
2007-12-21 14:00 . 2008-01-18 13:04 30,924 --a------ C:\WINDOWS\system32\BMXBkpCtrlState-{00000003-00000000-00000001-00001102-00000008-10211102}.rfx
2007-12-21 14:00 . 2008-01-18 13:04 11,564 --a------ C:\WINDOWS\system32\DVCState-{00000003-00000000-00000001-00001102-00000008-10211102}.rfx
2007-12-21 14:00 . 2008-01-18 13:04 1,080 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2007-12-21 14:00 . 2008-01-18 13:04 1,080 --a------ C:\WINDOWS\system32\settings.sfm
2007-12-21 13:26 . 2000-05-22 00:58 647,872 --a------ C:\WINDOWS\system32\Mscomct2.ocx
2007-12-21 13:26 . 1999-10-10 17:00 41,984 --------- C:\WINDOWS\Ctregrun.exe
2007-12-21 13:24 . 1999-12-12 17:01 44,032 --a------ C:\WINDOWS\system32\CTSVCCDA.EXE
2007-12-21 13:24 . 1999-11-17 17:00 25,088 --a------ C:\WINDOWS\system32\CTSVCCTL.EXE
2007-12-21 13:24 . 2007-12-21 13:25 183 --a------ C:\WINDOWS\setuplog
2007-12-21 13:22 . 2007-12-21 13:22 <DIR> d-------- C:\WINDOWS\system32\Defaults
2007-12-21 13:21 . 2007-12-21 13:21 <DIR> d-------- C:\WINDOWS\system32\Data
2007-12-21 13:21 . 2008-01-17 19:02 4,958,588 --a------ C:\WINDOWS\{00000003-00000000-00000001-00001102-00000008-10211102}.CDF
2007-12-21 13:21 . 2007-12-21 13:21 233,472 --a------ C:\WINDOWS\system32\wrap_oal.dll
2007-12-21 13:21 . 2007-12-21 13:21 81,920 --a------ C:\WINDOWS\system32\OpenAL32.dll
2007-12-21 13:21 . 2005-06-17 22:41 46,593 -ra------ C:\WINDOWS\system32\e10kxwdm.ini
2007-12-21 13:21 . 2005-06-17 22:08 11,776 --a------ C:\WINDOWS\INRES.DLL
2007-12-21 13:21 . 2005-06-17 22:01 10,240 --a------ C:\WINDOWS\CTDCRES.DLL
2007-12-21 13:21 . 2001-08-16 20:42 7,406 -ra------ C:\WINDOWS\system32\SBAudigy.ico
2007-12-21 13:21 . 2001-11-12 17:48 1,912 -ra------ C:\WINDOWS\system32\Audigy.bmp
2007-12-21 13:21 . 2005-06-17 21:41 193 -ra------ C:\WINDOWS\system32\ctzapxx.ini
2007-12-21 13:20 . 2007-12-23 20:06 <DIR> d-------- C:\Documents and Settings\Administrator.JOHN-F58760FC57\Application Data\Creative
2007-12-21 13:20 . 2003-11-11 11:08 77,824 --a------ C:\WINDOWS\system32\ctdvda32.dll
2007-12-21 13:19 . 2007-12-21 13:26 <DIR> d-------- C:\Program Files\Creative
2007-12-21 13:08 . 2008-01-16 01:47 <DIR> d-------- C:\Program Files\Mouse Driver
2007-12-21 12:50 . 2007-12-21 12:50 <DIR> d-------- C:\WINDOWS\Samsung
2007-12-21 12:50 . 2007-12-21 12:50 <DIR> d-------- C:\Program Files\Samsung ML-2010 Series
2007-12-21 12:50 . 2005-03-13 21:01 208,896 --a------ C:\WINDOWS\system32\SSRemove.exe
2007-12-21 12:50 . 2005-03-02 20:32 151,552 --a------ C:\WINDOWS\system32\SSCoInst.exe
2007-12-21 12:50 . 2005-03-03 02:09 57,344 --a------ C:\WINDOWS\system32\SSCoInst.dll
2007-12-21 12:50 . 2005-03-13 21:01 41,984 --------- C:\WINDOWS\system32\drivers\DGIVECP.SYS
2007-12-21 12:50 . 2005-04-07 18:29 20,622 --a------ C:\WINDOWS\system32\SUGS2LMK.DLL
2007-12-21 12:50 . 2005-03-13 21:01 8,478 --a------ C:\WINDOWS\system32\SP119.ICO
2007-12-21 12:50 . 2005-03-13 21:01 766 --------- C:\WINDOWS\Uninstall.ico
2007-12-21 12:50 . 2005-03-03 03:23 604 --a------ C:\WINDOWS\system32\SUGS2LMK.SMT
2007-12-21 12:48 . 2008-01-14 22:59 <DIR> d-------- C:\Program Files\HP USB Multimedia Keyboard
2007-12-21 12:48 . 2006-12-03 18:03 77,824 --a------ C:\WINDOWS\system32\KmRemove.exe
2007-12-21 12:46 . 2005-11-04 18:57 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-12-21 12:40 . 2005-11-04 18:57 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-12-21 12:39 . 2005-11-04 18:58 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-12-21 12:39 . 2005-11-04 18:58 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-12-20 20:55 . 2005-11-04 18:57 42,368 --a------ C:\WINDOWS\system32\drivers\AGP440.SYS
2007-12-20 20:53 . 2005-11-04 18:57 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2007-12-20 20:53 . 2005-11-04 18:57 870,784 --a------ C:\WINDOWS\system32\ati3d1ag.dll
2007-12-20 20:53 . 2005-11-04 18:57 701,440 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-12-20 20:53 . 2005-11-04 18:57 516,768 --a------ C:\WINDOWS\system32\ativvaxx.dll
2007-12-20 20:53 . 2005-11-04 18:57 229,376 --a------ C:\WINDOWS\system32\ati2cqag.dll
2007-12-20 20:53 . 2005-11-04 18:57 201,728 --a------ C:\WINDOWS\system32\ati2dvag.dll
2007-12-20 20:53 . 2005-11-04 18:57 117,760 --a------ C:\WINDOWS\system32\drivers\e100b325.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 22:08 --------- d-----w C:\Program Files\Lavasoft
2007-12-22 03:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-22 03:46 --------- d-----w C:\Program Files\InterVideo
2007-12-21 22:44 --------- d-----w C:\Program Files\Skype
2007-12-21 21:18 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
.
<pre>
----a-w			79,224 2008-01-15 06:53:11  C:\Program Files\Alwil Software\Avast4\ashDisp .exe
----a-w		   102,400 2008-01-16 07:04:59  C:\Program Files\Creative\MediaSource\Detector\CTDetect .exe
----a-w			45,056 2008-01-16 07:04:46  C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET .EXE
----a-w			57,344 2008-01-16 07:04:47  C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol .exe
----a-w			49,152 2008-01-16 07:04:48  C:\Program Files\Creative\Shared Files\Module Loader\DLLML .exe
----a-w		   339,968 2008-01-16 07:04:46  C:\Program Files\HP USB Multimedia Keyboard\KMaestro .exe
----a-w			36,975 2008-01-16 07:04:55  C:\Program Files\Java\jre1.5.0_05\bin\jusched .exe
----a-w		 1,667,584 2008-01-16 07:05:11  C:\Program Files\Messenger\msmsgs .exe
----a-w			31,016 2008-01-16 07:04:54  C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
----a-w			94,208 2008-01-16 07:04:45  C:\Program Files\Mouse Driver\StartAutorun .exe
----a-w		   286,720 2008-01-15 07:23:35  C:\Program Files\QuickTime\qttask   .exe
----a-w		   286,720 2008-01-16 05:36:42  C:\Program Files\QuickTime\qttask .exe
----a-w		21,686,568 2008-01-16 07:05:20  C:\Program Files\Skype\Phone\Skype .exe
----a-w			90,112 2008-01-16 07:04:50  C:\WINDOWS\UpdReg .EXE
----a-w		   372,736 2008-01-15 06:13:16  C:\WINDOWS\Samsung\ComSMMgr\ssmmgr .exe
----a-w			15,360 2008-01-15 07:23:42  C:\WINDOWS\system32\ctfmon .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{65b42cc0-f997-461e-9e0c-4f1b1ade30e5}]
C:\WINDOWS\system32\yqfnogf.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 15:08 21686568]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"Asnw"="C:\WINDOWS\system32\SMBOLS~1\ati2evxx.exe" [ ]
"Zwhtinur"="C:\Program Files\?ppPatch\spool32.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Samsung Common SM"="C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" [ ]
"WireLessMouse"="C:\Program Files\Mouse Driver\StartAutorun.exe" [ ]
"CTSysVol"="C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe" [ ]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [ ]
"CTHelper"="CTHELPER.EXE" [2005-06-17 22:01 16384 C:\WINDOWS\CTHELPER.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2008-01-15 21:36 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" [ ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="cmd.exe" [2004-08-03 20:56 388608 C:\WINDOWS\system32\cmd.exe]
"nlhr"="C:\WINDOWS\System32\AdvPack.Dll" [2004-08-03 20:56 99840]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-03 18:59 44544]

C:\Documents and Settings\Vic Sangveraphunsiri.P4_800\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Handspring\HOTSYNC.EXE [2005-07-02 20:20:58]
Webshots.lnk - C:\Program Files\Webshots\WebshotsTray.exe [2006-02-05 23:50:12]

R1 sonydcamm;sonydcamm;C:\WINDOWS\system32\drivers\sonydcamm.sys [2008-01-14 14:43]
S2 YHST;Security Service;C:\WINDOWS\system32\svcd\svchost.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##192.168.0.108#public]
\Shell\AutoRun\command - Z:\autorun.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 13:06:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-18 13:08:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-18 21:08:43
  • 0

#6
Cookiegal

Cookiegal

    Visiting Consultant

  • Visiting Consultant
  • 889 posts
Open Notepad and copy and paste the text in the code box below into it:

File::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\sonydcamm.sys

Folder::
C:\Temp\tn3
C:\WINDOWS\system32\edcA01
C:\WINDOWS\Sm9obiBTYW5ndmVyYXBodW5zaXJp
C:\Temp\Ryuan1
C:\Temp
C:\WINDOWS\system32\svcd

Driver::
sonydcamm
YHST

RenV::
C:\Program Files\Alwil Software\Avast4\ashDisp .exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect .exe
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET .EXE
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol .exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML .exe
C:\Program Files\HP USB Multimedia Keyboard\KMaestro .exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
C:\Program Files\Mouse Driver\StartAutorun .exe
C:\Program Files\QuickTime\qttask   .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Skype\Phone\Skype .exe
C:\WINDOWS\UpdReg .EXE
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr .exe
C:\WINDOWS\system32\ctfmon .exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{65b42cc0-f997-461e-9e0c-4f1b1ade30e5}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Asnw"=-
"Zwhtinur"=-

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

Posted Image

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
  • 0

#7
sangv001

sangv001

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
ComboFix 08-01-18.5 - Administrator 2008-01-19 18:23:06.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.620 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator.JOHN-F58760FC57\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator.JOHN-F58760FC57\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\sonydcamm.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1560OinAdmin.exe
C:\Program Files\Common Files\Yazzle1560OinUninstaller.exe
C:\Program Files\inetget2
C:\Temp
C:\Temp\gTiis19\lTig.log
C:\Temp\Ryuan1\tepU.log
C:\temp\tn3
C:\WINDOWS\b128.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\Sm9obiBTYW5ndmVyYXBodW5zaXJp
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\sonydcamm.sys
C:\WINDOWS\system32\edcA01
C:\WINDOWS\system32\icqmlib.exe
C:\WINDOWS\system32\iepref32.dll
C:\WINDOWS\system32\ierplc.dll
C:\WINDOWS\system32\ips.dll
C:\WINDOWS\system32\ksvcl.dll
C:\WINDOWS\system32\lanmandrv.sys
C:\WINDOWS\system32\lanmanwrk.exe
C:\WINDOWS\system32\laprxy.dllexe
C:\WINDOWS\system32\nnnnmnm.dll
C:\WINDOWS\system32\ocxapi.dll
C:\WINDOWS\system32\ocxloader.exe
C:\WINDOWS\system32\opnkigf.dll
C:\WINDOWS\system32\opnlkli.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qmopt.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_LANMANDRV
-------\LEGACY_SONYDCAMM
-------\LEGACY_YHST
-------\lanmandrv
-------\sonydcamm
-------\YHST


((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
.

2008-01-19 15:29 . 2008-01-19 15:29 36,864 --a------ C:\WINDOWS\17PHolmes572.exe
2008-01-19 15:26 . 2008-01-19 15:26 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-01-19 15:26 . 2008-01-19 15:26 36,864 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2008-01-18 13:24 . 2008-01-18 13:24 39,424 --a------ C:\WINDOWS\system32\KernelDrv.exe
2008-01-18 13:24 . 2008-01-19 18:16 25,093 --a------ C:\WINDOWS\system32\kcopt.dll
2008-01-18 13:24 . 2008-01-18 13:24 13,824 --a------ C:\WINDOWS\system32\Dll.dll
2008-01-18 12:59 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-17 19:25 . 2008-01-18 14:12 <DIR> d-------- C:\Program Files\Steam
2008-01-17 19:23 . 2008-01-17 19:23 <DIR> d-------- C:\Program Files\Valve
2008-01-17 19:10 . 2008-01-17 19:10 <DIR> d--hs---- C:\WINDOWS\system32\dllcache
2008-01-17 19:05 . 2008-01-17 19:05 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-16 14:08 . 2008-01-16 14:09 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-01-16 14:07 . 2008-01-16 14:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-16 04:09 . 2008-01-16 04:09 <DIR> d-------- C:\Documents and Settings\Administrator.JOHN-F58760FC57\Application Data\Apple Computer
2008-01-16 02:10 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-16 01:58 . 2008-01-16 04:26 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-16 01:58 . 2008-01-16 04:06 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-16 01:58 . 2008-01-16 04:06 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-16 01:58 . 2008-01-16 04:06 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-16 00:42 . 2008-01-16 00:42 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2008-01-16 00:42 . 2008-01-16 00:42 <DIR> d-------- C:\Documents and Settings\Administrator.JOHN-F58760FC57\Application Data\Grisoft
2008-01-14 22:08 . 2008-01-14 22:09 2,604 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-14 16:05 . 2008-01-15 23:04 90,112 --a------ C:\WINDOWS\UpdReg.EXE
2008-01-14 16:04 . 2008-01-14 23:23 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-14 16:04 . 2008-01-16 04:01 265 --a------ C:\WINDOWS\wininit.ini
2008-01-14 15:08 . 2008-01-14 16:23 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-01-03 19:00 . 2008-01-03 19:00 <DIR> d---s---- C:\Documents and Settings\Administrator.JOHN-F58760FC57\UserData
2007-12-23 22:32 . 2007-12-23 22:32 <DIR> d-------- C:\Documents and Settings\Administrator.JOHN-F58760FC57\Application Data\Ventrilo
2007-12-21 14:45 . 2008-01-18 13:07 <DIR> d-------- C:\Documents and Settings\Administrator.JOHN-F58760FC57\Application Data\skypePM
2007-12-21 14:45 . 2008-01-19 18:30 <DIR> d-------- C:\Documents and Settings\Administrator.JOHN-F58760FC57\Application Data\Skype
2007-12-21 14:45 . 2007-12-21 14:45 32 --a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\ezsid.dat
2007-12-21 14:44 . 2007-12-21 14:44 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-12-21 14:44 . 2007-12-21 14:44 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Skype
2007-12-21 14:38 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2007-12-21 14:37 . 2007-12-21 14:37 <DIR> d-------- C:\Program Files\MSBuild
2007-12-21 14:37 . 2007-12-21 14:37 <DIR> d-------- C:\Program Files\Microsoft Works
2007-12-21 14:30 . 2007-12-21 14:39 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2007-12-21 14:29 . 2007-12-21 14:29 <DIR> dr-h----- C:\MSOCache
2007-12-21 14:24 . 2008-01-16 03:53 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-21 14:24 . 2007-12-22 16:49 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-21 14:23 . 2008-01-19 18:22 <DIR> d-------- C:\Program Files\QuickTime
2007-12-21 14:23 . 2007-12-21 14:23 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2007-12-21 14:22 . 2007-12-21 14:22 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-21 14:22 . 2007-12-21 14:22 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2007-12-21 14:02 . 2008-01-17 19:02 4,958,588 --------- C:\WINDOWS\{00000003-00000000-00000001-00001102-00000008-10211102}.BAK
2007-12-21 14:00 . 2008-01-19 18:28 30,432 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000003-00000000-00000001-00001102-00000008-10211102}.rfx
2007-12-21 14:00 . 2008-01-19 18:28 30,432 --a------ C:\WINDOWS\system32\BMXState-{00000003-00000000-00000001-00001102-00000008-10211102}.rfx
2007-12-21 14:00 . 2008-01-19 18:28 29,604 --a------ C:\WINDOWS\system32\BMXCtrlState-{00000003-00000000-00000001-00001102-00000008-10211102}.rfx
2007-12-21 14:00 . 2008-01-19 18:28 29,604 --a------ C:\WINDOWS\system32\BMXBkpCtrlState-{00000003-00000000-00000001-00001102-00000008-10211102}.rfx
2007-12-21 14:00 . 2008-01-19 18:28 11,564 --a------ C:\WINDOWS\system32\DVCState-{00000003-00000000-00000001-00001102-00000008-10211102}.rfx
2007-12-21 14:00 . 2008-01-19 18:28 1,080 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2007-12-21 14:00 . 2008-01-19 18:28 1,080 --a------ C:\WINDOWS\system32\settings.sfm
2007-12-21 13:26 . 2000-05-22 00:58 647,872 --a------ C:\WINDOWS\system32\Mscomct2.ocx
2007-12-21 13:26 . 1999-10-10 17:00 41,984 --------- C:\WINDOWS\Ctregrun.exe
2007-12-21 13:24 . 1999-12-12 17:01 44,032 --a------ C:\WINDOWS\system32\CTSVCCDA.EXE
2007-12-21 13:24 . 1999-11-17 17:00 25,088 --a------ C:\WINDOWS\system32\CTSVCCTL.EXE
2007-12-21 13:24 . 2007-12-21 13:25 183 --a------ C:\WINDOWS\setuplog
2007-12-21 13:22 . 2007-12-21 13:22 <DIR> d-------- C:\WINDOWS\system32\Defaults
2007-12-21 13:21 . 2007-12-21 13:21 <DIR> d-------- C:\WINDOWS\system32\Data
2007-12-21 13:21 . 2008-01-19 18:30 4,958,588 --a------ C:\WINDOWS\{00000003-00000000-00000001-00001102-00000008-10211102}.CDF
2007-12-21 13:21 . 2007-12-21 13:21 233,472 --a------ C:\WINDOWS\system32\wrap_oal.dll
2007-12-21 13:21 . 2007-12-21 13:21 81,920 --a------ C:\WINDOWS\system32\OpenAL32.dll
2007-12-21 13:21 . 2005-06-17 22:41 46,593 -ra------ C:\WINDOWS\system32\e10kxwdm.ini
2007-12-21 13:21 . 2005-06-17 22:08 11,776 --a------ C:\WINDOWS\INRES.DLL
2007-12-21 13:21 . 2005-06-17 22:01 10,240 --a------ C:\WINDOWS\CTDCRES.DLL
2007-12-21 13:21 . 2001-08-16 20:42 7,406 -ra------ C:\WINDOWS\system32\SBAudigy.ico
2007-12-21 13:21 . 2001-11-12 17:48 1,912 -ra------ C:\WINDOWS\system32\Audigy.bmp
2007-12-21 13:21 . 2005-06-17 21:41 193 -ra------ C:\WINDOWS\system32\ctzapxx.ini
2007-12-21 13:20 . 2007-12-23 20:06 <DIR> d-------- C:\Documents and Settings\Administrator.JOHN-F58760FC57\Application Data\Creative
2007-12-21 13:20 . 2003-11-11 11:08 77,824 --a------ C:\WINDOWS\system32\ctdvda32.dll
2007-12-21 13:19 . 2007-12-21 13:26 <DIR> d-------- C:\Program Files\Creative
2007-12-21 13:08 . 2008-01-19 18:22 <DIR> d-------- C:\Program Files\Mouse Driver
2007-12-21 12:50 . 2007-12-21 12:50 <DIR> d-------- C:\WINDOWS\Samsung
2007-12-21 12:50 . 2007-12-21 12:50 <DIR> d-------- C:\Program Files\Samsung ML-2010 Series
2007-12-21 12:50 . 2005-03-13 21:01 208,896 --a------ C:\WINDOWS\system32\SSRemove.exe
2007-12-21 12:50 . 2005-03-02 20:32 151,552 --a------ C:\WINDOWS\system32\SSCoInst.exe
2007-12-21 12:50 . 2005-03-03 02:09 57,344 --a------ C:\WINDOWS\system32\SSCoInst.dll
2007-12-21 12:50 . 2005-03-13 21:01 41,984 --------- C:\WINDOWS\system32\drivers\DGIVECP.SYS
2007-12-21 12:50 . 2005-04-07 18:29 20,622 --a------ C:\WINDOWS\system32\SUGS2LMK.DLL
2007-12-21 12:50 . 2005-03-13 21:01 8,478 --a------ C:\WINDOWS\system32\SP119.ICO
2007-12-21 12:50 . 2005-03-13 21:01 766 --------- C:\WINDOWS\Uninstall.ico
2007-12-21 12:50 . 2005-03-03 03:23 604 --a------ C:\WINDOWS\system32\SUGS2LMK.SMT
2007-12-21 12:48 . 2008-01-19 18:22 <DIR> d-------- C:\Program Files\HP USB Multimedia Keyboard
2007-12-21 12:48 . 2006-12-03 18:03 77,824 --a------ C:\WINDOWS\system32\KmRemove.exe
2007-12-21 12:46 . 2005-11-04 18:57 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-12-21 12:40 . 2005-11-04 18:57 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-12-21 12:39 . 2005-11-04 18:58 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-12-21 12:39 . 2005-11-04 18:58 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-12-20 20:55 . 2005-11-04 18:57 42,368 --a------ C:\WINDOWS\system32\drivers\AGP440.SYS
2007-12-20 20:53 . 2005-11-04 18:57 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2007-12-20 20:53 . 2005-11-04 18:57 870,784 --a------ C:\WINDOWS\system32\ati3d1ag.dll
2007-12-20 20:53 . 2005-11-04 18:57 701,440 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-12-20 20:53 . 2005-11-04 18:57 516,768 --a------ C:\WINDOWS\system32\ativvaxx.dll
2007-12-20 20:53 . 2005-11-04 18:57 229,376 --a------ C:\WINDOWS\system32\ati2cqag.dll
2007-12-20 20:53 . 2005-11-04 18:57 201,728 --a------ C:\WINDOWS\system32\ati2dvag.dll
2007-12-20 20:53 . 2005-11-04 18:57 117,760 --a------ C:\WINDOWS\system32\drivers\e100b325.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 22:08 --------- d-----w C:\Program Files\Lavasoft
2007-12-22 03:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-22 03:46 --------- d-----w C:\Program Files\InterVideo
2007-12-21 22:44 --------- d-----w C:\Program Files\Skype
2007-12-21 21:18 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
.
----a-w 21,686,568 2008-01-16 07:05:20 C:\Program Files\Skype\Phone\Skype .exe


((((((((((((((((((((((((((((( snapshot@2008-01-18_13.08.31.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-18 21:00:05 1,433,600 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-20 02:21:47 1,433,600 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-18 21:00:05 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-20 02:21:47 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-18 21:00:05 1,433,600 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-20 02:21:48 1,433,600 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-18 21:00:05 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-20 02:21:48 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-18 21:00:05 4,268,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-20 02:21:48 4,268,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-18 21:00:05 28,672 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-20 02:21:48 28,672 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-15 06:13:16 372,736 ----a-w C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
+ 2008-01-19 13:13:12 32,768 ----a-w C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
+ 2008-01-20 02:29:32 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5f0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2008-01-15 23:04 102400]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-14 23:23 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 15:08 21686568]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-15 23:05 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Samsung Common SM"="C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" [2008-01-14 22:13 372736]
"WireLessMouse"="C:\Program Files\Mouse Driver\StartAutorun.exe" [2008-01-15 23:04 94208]
"CTSysVol"="C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe" [2008-01-15 23:04 57344]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2008-01-15 23:04 49152]
"CTHelper"="CTHELPER.EXE" [2005-06-17 22:01 16384 C:\WINDOWS\CTHELPER.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" [2008-01-15 23:04 36975]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-01-14 22:53 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="cmd.exe" [2004-08-03 20:56 388608 C:\WINDOWS\system32\cmd.exe]
"nlhr"="C:\WINDOWS\System32\AdvPack.Dll" [2004-08-03 20:56 99840]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-03 18:59 44544]

C:\Documents and Settings\Vic Sangveraphunsiri.P4_800\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Handspring\HOTSYNC.EXE [2005-07-02 20:20:58]
Webshots.lnk - C:\Program Files\Webshots\WebshotsTray.exe [2006-02-05 23:50:12]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A051B1FF-8D7E-418B-AABE-4FF82F4280A2}"= C:\WINDOWS\system32\nnnnmnm.dll [ ]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##192.168.0.108#public]
\Shell\AutoRun\command - Z:\autorun.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-19 18:30:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-19 18:32:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-20 02:32:14
ComboFix2.txt 2008-01-18 21:08:46
  • 0

#8
Cookiegal

Cookiegal

    Visiting Consultant

  • Visiting Consultant
  • 889 posts
Please open the following file. It can be read in Notepad so double-clicking on it should open it. If not, try right-click and select "open with" and choose Notepad.

Copy and paste the entire contents of this file here please.

C:\WINDOWS\wininit.ini
  • 0

#9
sangv001

sangv001

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
[rename]
c:\tempjunk9047.tmp=C:\WINDOWS\system32\drivers\core.cache.dsk_tobedeleted
nul=c:\tempjunk5523.tmp
c:\tempjunk7895.tmp=C:\WINDOWS\system32\drivers\core.cache.dsk_tobedeleted
c:\tempjunk5523.tmp=C:\WINDOWS\system32\drivers\core.cache.dsk_tobedeleted

My computer seems to be running pretty good now. Thanks again :)
  • 0

#10
Cookiegal

Cookiegal

    Visiting Consultant

  • Visiting Consultant
  • 889 posts
OK, thanks. I believe that was created by Spybot S&D.

Run Kaspersky's online virus scan, Kaspersky Online Scanner.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the "Extended database" for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

Note: You have to use Internet Explorer to do the online scan.

Post a new HiJackThis log along with the results from the Kaspersky scan.
  • 0


#11
sangv001

sangv001

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, January 21, 2008 5:40:56 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/01/2008
Kaspersky Anti-Virus database records: 525932
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 117590
Number of viruses found: 18
Number of infected objects: 46
Number of suspicious objects: 2
Duration of the scan process: 02:23:28

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator.JOHN-F58760FC57\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.JOHN-F58760FC57\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator.JOHN-F58760FC57\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator.JOHN-F58760FC57\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.JOHN-F58760FC57\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.JOHN-F58760FC57\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator.JOHN-F58760FC57\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip/v1.8.6/wbuninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Vic Sangveraphunsiri.P4_800\My Documents\My Pictures\webgolf.exe/WISE0029.BIN Infected: not-a-virus:AdWare.Win32.Gator.1012 skipped
C:\Documents and Settings\Vic Sangveraphunsiri.P4_800\My Documents\My Pictures\webgolf.exe WiseSFX: infected - 1 skipped
C:\Documents and Settings\Vic Sangveraphunsiri.P4_800\My Documents\My Pictures\webswim.exe/WISE0029.BIN Infected: not-a-virus:AdWare.Win32.Gator.1012 skipped
C:\Documents and Settings\Vic Sangveraphunsiri.P4_800\My Documents\My Pictures\webswim.exe WiseSFX: infected - 1 skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinAdmin.exe.vir Infected: Trojan.Win32.Scapur.k skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1560OinAdmin.exe.vir Infected: Trojan.Win32.Scapur.k skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1560OinUninstaller.exe.vir/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1560OinUninstaller.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\b128.exe.vir Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\QooBox\Quarantine\C\WINDOWS\mrofinu572.exe.vir Infected: Trojan-Downloader.Win32.Agent.hql skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xxyvwvs.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dlm skipped
C:\QooBox\Quarantine\catchme2008-01-19_183013.59.zip/lanmandrv.sys Infected: Rootkit.Win32.Agent.vc skipped
C:\QooBox\Quarantine\catchme2008-01-19_183013.59.zip/sonydcamm.sys Infected: Rootkit.Win32.Agent.to skipped
C:\QooBox\Quarantine\catchme2008-01-19_183013.59.zip ZIP: infected - 2 skipped
C:\SDFix\backups\backups.zip/backups/rterel.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\SDFix\backups\backups.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{9C42651E-D56E-401F-98F9-EF0463944543}\RP54\A0010393.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{9C42651E-D56E-401F-98F9-EF0463944543}\RP54\A0010394.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{9C42651E-D56E-401F-98F9-EF0463944543}\RP54\A0010395.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{9C42651E-D56E-401F-98F9-EF0463944543}\RP54\A0010396.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{9C42651E-D56E-401F-98F9-EF0463944543}\RP54\A0010397.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{9C42651E-D56E-401F-98F9-EF0463944543}\RP54\A0010398.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{9C42651E-D56E-401F-98F9-EF0463944543}\RP54\A0010399.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{9C42651E-D56E-401F-98F9-EF0463944543}\RP54\A0010400.EXE Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{9C42651E-D56E-401F-98F9-EF0463944543}\RP54\A0010401.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{9C42651E-D56E-401F-98F9-EF0463944543}\RP54\A0010402.exe Infected: Trojan-Downloader.Win32.Agent.haq skipped
C:\System Volume Information\_restore{9C42651E-D56E-401F-98F9-EF0463944543}\RP54\A0010405.exe Infected: Trojan-Downloader.Win32.VB.caw skipped
C:\System Volume Information\_restore{9C42651E-D56E-401F-98F9-EF0463944543}\RP54\A0010408.exe Infected: not-a-virus:AdWare.Win32.TimeSink skipped
C:\System Volume Information\_restore{9C42651E-D56E-401F-98F9-EF0463944543}\RP56\A0010554.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{9C42651E-D56E-401F-98F9-EF0463944543}\RP56\A0010554.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{9C42651E-D56E-401F-98F9-EF0463944543}\RP56\A0010554.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{9C42651E-D56E-401F-98F9-EF0463944543}\RP56\A0010563.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{9C42651E-D56E-401F-98F9-EF0463944543}\RP60\A0011489.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dlm skipped
C:\System Volume Information\_restore{9C42651E-D56E-401F-98F9-EF0463944543}\RP61\A0011618.exe Infected: Trojan-Downloader.Win32.Agent.hql skipped
C:\System Volume Information\_restore{9C42651E-D56E-401F-98F9-EF0463944543}\RP62\A0011629.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{9C42651E-D56E-401F-98F9-EF0463944543}\RP62\A0011630.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{9C42651E-D56E-401F-98F9-EF0463944543}\RP62\A0011631.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{9C42651E-D56E-401F-98F9-EF0463944543}\RP62\A0011631.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{9C42651E-D56E-401F-98F9-EF0463944543}\RP62\A0011632.exe Infected: Trojan-Downloader.Win32.Agent.hql skipped
C:\System Volume Information\_restore{9C42651E-D56E-401F-98F9-EF0463944543}\RP62\A0011633.exe Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\System Volume Information\_restore{9C42651E-D56E-401F-98F9-EF0463944543}\RP63\change.log Object is locked skipped
C:\WINDOWS\17PHolmes572.exe Infected: Trojan-Downloader.Win32.Agent.hql skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\mrofinu572.exe.tmp Infected: Trojan-Downloader.Win32.Agent.hql skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\Dll.dll Infected: Trojan-Spy.Win32.Small.it skipped
C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe Infected: Trojan-Downloader.Win32.VB.cge skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_5f0.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\{00000003-00000000-00000001-00001102-00000008-10211102}.CDF Object is locked


Scan process completed.
  • 0

#12
Cookiegal

Cookiegal

    Visiting Consultant

  • Visiting Consultant
  • 889 posts
Go to Start - Search - All Files and Folders and, under More advanced search options, make sure there is a check by Search System Folders, Search hidden files and folders and Search system subfolders.

Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that Show hidden files and folders is checked. Also uncheck Hide protected operating system files and Hide extensions for known file types. Now click Apply to all folders. Click Apply then OK.


Now, go to the following link and upload each of the following files for analysis and let me know what the results are please:

http://virusscan.jotti.org/

C:\Documents and Settings\Vic Sangveraphunsiri.P4_800\My Documents\My Pictures\webgolf.exe

C:\Documents and Settings\Vic Sangveraphunsiri.P4_800\My Documents\My Pictures\webswim.exe



Open Notepad and copy and paste the text in the code box below into it:

File::
C:\WINDOWS\17PHolmes572.exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\system32\KernelDrv.exe
C:\WINDOWS\system32\kcopt.dll
C:\WINDOWS\system32\Dll.dll 

Folder::
C:\WINDOWS\system32\nGpxx01

RenV::
C:\Program Files\Skype\Phone\Skype .exe

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A051B1FF-8D7E-418B-AABE-4FF82F4280A2}"=-

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.


This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Edited by Cookiegal, 09 February 2008 - 12:09 PM.

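The CFScript in the post above is a small line-oriented format: a directive such as File:: or Registry:: opens a section, and each following line is one entry for it. As an added example, not part of the original thread and not ComboFix's own code, the Python below reads the four sections used here so a script can be audited before it is dropped onto ComboFix.exe. The semantics are assumptions stated in the docstring (File:: and Folder:: entries are deleted, a RenV:: entry like "Skype .exe" is renamed back to "Skype.exe", and the Registry:: section uses .reg-file syntax, where `"name"=-` deletes that value). The sample script is constructed from the one posted above, and the two helpers at the end go beyond the post: they render the Registry:: deletion as an equivalent reg.exe command, and point at the CLSID key that the ShellExecuteHooks value refers to, since that is where the DLL Explorer loads for it is registered.

```python
"""Reader for the ComboFix "CFScript" text format used in the post above.

Added example, not ComboFix code. Assumed meaning of the sections this thread uses:
  File::     one path per line; the file is deleted
  Folder::   one path per line; the folder is deleted
  RenV::     one path per line; a file whose name has a stray space before the
             extension ("Skype .exe") is renamed back to "Skype.exe"
  Registry:: .reg-file syntax: "[key]" selects a key, "name"=- deletes that value
"""
import re
from dataclasses import dataclass, field

# Constructed from the script in the post above (same entries, nothing added).
SAMPLE_CFSCRIPT = r"""
File::
C:\WINDOWS\17PHolmes572.exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\system32\KernelDrv.exe
C:\WINDOWS\system32\kcopt.dll
C:\WINDOWS\system32\Dll.dll

Folder::
C:\WINDOWS\system32\nGpxx01

RenV::
C:\Program Files\Skype\Phone\Skype .exe

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A051B1FF-8D7E-418B-AABE-4FF82F4280A2}"=-
"""

SECTION_RE = re.compile(r"^(\w+)::$")          # e.g. "File::"
REG_KEY_RE = re.compile(r"^\[(.+)\]$")         # e.g. "[hkey_local_machine\...]"
REG_DELETE_RE = re.compile(r'^"(.+)"=-$')      # e.g. "{CLSID}"=-


@dataclass
class CFScript:
    files: list = field(default_factory=list)
    folders: list = field(default_factory=list)
    renames: list = field(default_factory=list)      # (current name, restored name)
    reg_deletes: list = field(default_factory=list)  # (key, value name)


def parse_cfscript(text):
    """Split a CFScript into its actions; reject lines this reader does not understand."""
    script = CFScript()
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            current_key = None
            continue
        if section == "file":
            script.files.append(line)
        elif section == "folder":
            script.folders.append(line)
        elif section == "renv":
            # drop the whitespace inserted before the extension: "Skype .exe" -> "Skype.exe"
            restored = re.sub(r"\s+(\.[^.\\\s]+)$", r"\1", line)
            script.renames.append((line, restored))
        elif section == "registry":
            km = REG_KEY_RE.match(line)
            if km:
                current_key = km.group(1)
                continue
            dm = REG_DELETE_RE.match(line)
            if dm is None or current_key is None:
                raise ValueError(f"unsupported Registry:: line: {line}")
            script.reg_deletes.append((current_key, dm.group(1)))
        else:
            raise ValueError(f"line outside a known section: {line}")
    return script


def reg_delete_commands(script):
    """Equivalent reg.exe commands (reg.exe ships with Windows XP and later)."""
    return [f'reg delete "{key}" /v "{name}" /f' for key, name in script.reg_deletes]


def clsid_inproc_key(value_name):
    """A ShellExecuteHooks value is a CLSID; the DLL Explorer loads for it is
    registered under this key, so inspect it before and after removal."""
    return "\\".join(["HKEY_CLASSES_ROOT", "CLSID", value_name, "InprocServer32"])


if __name__ == "__main__":
    s = parse_cfscript(SAMPLE_CFSCRIPT)
    for path in s.files:
        print("delete file  ", path)
    for path in s.folders:
        print("delete folder", path)
    for old, new in s.renames:
        print("rename       ", old, "->", new)
    for cmd in reg_delete_commands(s):
        print(cmd)
    for _, name in s.reg_deletes:
        print("inspect      ", clsid_inproc_key(name))
```

The reader deliberately raises on anything it does not recognise (a Registry:: line that is not a key or a value deletion, or an entry before any section header) rather than guessing, because a script like this is executed with full privileges and a misread line means the wrong file is deleted.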

#13 Cookiegal (Visiting Consultant, 889 posts)
Are you still with me?

#14 Cookiegal (Visiting Consultant, 889 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

#15 Cookiegal (Visiting Consultant, 889 posts)
I received your private message and have reopened this thread.

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the Run box and click OK. Note the space between the X and the U; it needs to be there.


Now do the following to get the latest version of ComboFix:

Please visit the Combofix Guide & Instructions for instructions on downloading and running ComboFix:

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

Combofix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished.