Virus Alert on Toolbar with log [RESOLVED]


#46 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)

Hello

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

Folder::

FCopy::
C:\WINDOWS\system32\dllcache\winlogon.exe | C:\WINDOWS\system32\winlogon.exe
C:\Windows\System32\dllcache\explorer.exe | C:\WINDOWS\explorer.exe

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#47 saded (Topic Starter, Member, 39 posts)

ComboFix 08-09-27.06 - Vlad 2008-09-29 20:21:24.8 - NTFSx86
Running from: C:\Documents and Settings\Vlad\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-30 )))))))))))))))))))))))))))))))
.

2008-09-29 10:47 . 2008-09-29 11:07 <DIR> d-------- C:\Documents and Settings\Vlad\DoctorWeb
2008-09-23 21:49 . 2008-09-23 21:52 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-23 21:49 . 2008-09-23 21:49 <DIR> d-------- C:\Documents and Settings\Vlad\Application Data\Malwarebytes
2008-09-23 21:49 . 2008-09-23 21:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-23 21:49 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-23 21:49 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-22 10:28 . 2008-09-22 10:28 244 --ah----- C:\sqmnoopt19.sqm
2008-09-21 19:25 . 2008-09-21 19:25 244 --ah----- C:\sqmnoopt18.sqm
2008-09-21 19:25 . 2008-09-21 19:25 232 --ah----- C:\sqmdata19.sqm
2008-09-21 19:15 . 2008-09-21 19:15 244 --ah----- C:\sqmnoopt17.sqm
2008-09-21 19:15 . 2008-09-21 19:15 232 --ah----- C:\sqmdata18.sqm
2008-09-21 18:43 . 2008-09-21 18:43 <DIR> d-------- C:\SDFix
2008-09-21 14:26 . 2008-09-21 14:26 268 --ah----- C:\sqmdata17.sqm
2008-09-21 14:26 . 2008-09-21 14:26 244 --ah----- C:\sqmnoopt16.sqm
2008-09-21 14:13 . 2008-09-21 14:13 268 --ah----- C:\sqmdata16.sqm
2008-09-21 14:13 . 2008-09-21 14:13 244 --ah----- C:\sqmnoopt15.sqm
2008-09-21 14:06 . 2008-09-21 14:06 244 --ah----- C:\sqmnoopt14.sqm
2008-09-21 14:06 . 2008-09-21 14:06 232 --ah----- C:\sqmdata15.sqm
2008-09-21 13:49 . 2008-09-21 13:49 244 --ah----- C:\sqmnoopt13.sqm
2008-09-21 13:49 . 2008-09-21 13:49 232 --ah----- C:\sqmdata14.sqm
2008-09-08 14:07 . 2008-09-08 14:07 232 --ah----- C:\sqmdata13.sqm
2008-09-05 15:49 . 2008-09-05 15:49 244 --ah----- C:\sqmnoopt12.sqm
2008-09-05 15:49 . 2008-09-05 15:49 232 --ah----- C:\sqmdata12.sqm
2008-09-05 14:16 . 2008-09-05 14:16 268 --ah----- C:\sqmdata11.sqm
2008-09-05 14:16 . 2008-09-05 14:16 244 --ah----- C:\sqmnoopt11.sqm
2008-09-05 14:12 . 2008-09-05 14:12 244 --ah----- C:\sqmnoopt10.sqm
2008-09-05 14:12 . 2008-09-05 14:12 232 --ah----- C:\sqmdata10.sqm
2008-09-05 14:00 . 2008-09-05 14:00 244 --ah----- C:\sqmnoopt09.sqm
2008-09-05 14:00 . 2008-09-05 14:00 244 --ah----- C:\sqmdata09.sqm
2008-09-01 14:27 . 2008-09-01 14:27 268 --ah----- C:\sqmdata08.sqm
2008-09-01 14:27 . 2008-09-01 14:27 244 --ah----- C:\sqmnoopt08.sqm
2008-08-29 09:42 . 2008-08-29 09:42 268 --ah----- C:\sqmdata07.sqm
2008-08-29 09:42 . 2008-08-29 09:42 244 --ah----- C:\sqmnoopt07.sqm
2008-08-28 03:28 . 2008-08-28 03:28 268 --ah----- C:\sqmdata06.sqm
2008-08-28 03:28 . 2008-08-28 03:28 244 --ah----- C:\sqmnoopt06.sqm
2008-08-26 10:34 . 2008-08-26 10:34 268 --ah----- C:\sqmdata05.sqm
2008-08-26 10:34 . 2008-08-26 10:34 244 --ah----- C:\sqmnoopt05.sqm
2008-08-04 12:29 . 2008-08-04 16:44 1,382,155 --ahs---- C:\WINDOWS\system32\bqtmfkit.ini
2008-08-04 12:24 . 2008-08-04 12:24 1,381,975 --ahs---- C:\WINDOWS\system32\bvhiphvh.ini
2008-08-04 12:11 . 2008-08-04 12:11 <DIR> d-------- C:\Documents and Settings\Vlad\App

#48 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)

Do the step in my post just there

#49 saded (Topic Starter, Member, 39 posts)

ComboFix 08-09-27.06 - Vlad 2008-09-29 20:40:17.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.852.1033.18.82 [GMT -8:00]
Running from: C:\Documents and Settings\Vlad\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Vlad\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-30 )))))))))))))))))))))))))))))))
.

2008-09-29 10:47 . 2008-09-29 11:07 <DIR> d-------- C:\Documents and Settings\Vlad\DoctorWeb
2008-09-23 21:49 . 2008-09-23 21:52 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-23 21:49 . 2008-09-23 21:49 <DIR> d-------- C:\Documents and Settings\Vlad\Application Data\Malwarebytes
2008-09-23 21:49 . 2008-09-23 21:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-23 21:49 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-23 21:49 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-22 10:28 . 2008-09-22 10:28 244 --ah----- C:\sqmnoopt19.sqm
2008-09-21 19:25 . 2008-09-21 19:25 244 --ah----- C:\sqmnoopt18.sqm
2008-09-21 19:25 . 2008-09-21 19:25 232 --ah----- C:\sqmdata19.sqm
2008-09-21 19:15 . 2008-09-21 19:15 244 --ah----- C:\sqmnoopt17.sqm
2008-09-21 19:15 . 2008-09-21 19:15 232 --ah----- C:\sqmdata18.sqm
2008-09-21 18:43 . 2008-09-21 18:43 <DIR> d-------- C:\SDFix
2008-09-21 14:26 . 2008-09-21 14:26 268 --ah----- C:\sqmdata17.sqm
2008-09-21 14:26 . 2008-09-21 14:26 244 --ah----- C:\sqmnoopt16.sqm
2008-09-21 14:13 . 2008-09-21 14:13 268 --ah----- C:\sqmdata16.sqm
2008-09-21 14:13 . 2008-09-21 14:13 244 --ah----- C:\sqmnoopt15.sqm
2008-09-21 14:06 . 2008-09-21 14:06 244 --ah----- C:\sqmnoopt14.sqm
2008-09-21 14:06 . 2008-09-21 14:06 232 --ah----- C:\sqmdata15.sqm
2008-09-21 13:49 . 2008-09-21 13:49 244 --ah----- C:\sqmnoopt13.sqm
2008-09-21 13:49 . 2008-09-21 13:49 232 --ah----- C:\sqmdata14.sqm
2008-09-08 14:07 . 2008-09-08 14:07 232 --ah----- C:\sqmdata13.sqm
2008-09-05 15:49 . 2008-09-05 15:49 244 --ah----- C:\sqmnoopt12.sqm
2008-09-05 15:49 . 2008-09-05 15:49 232 --ah----- C:\sqmdata12.sqm
2008-09-05 14:16 . 2008-09-05 14:16 268 --ah----- C:\sqmdata11.sqm
2008-09-05 14:16 . 2008-09-05 14:16 244 --ah----- C:\sqmnoopt11.sqm
2008-09-05 14:12 . 2008-09-05 14:12 244 --ah----- C:\sqmnoopt10.sqm
2008-09-05 14:12 . 2008-09-05 14:12 232 --ah----- C:\sqmdata10.sqm
2008-09-05 14:00 . 2008-09-05 14:00 244 --ah----- C:\sqmnoopt09.sqm
2008-09-05 14:00 . 2008-09-05 14:00 244 --ah----- C:\sqmdata09.sqm
2008-09-01 14:27 . 2008-09-01 14:27 268 --ah----- C:\sqmdata08.sqm
2008-09-01 14:27 . 2008-09-01 14:27 244 --ah----- C:\sqmnoopt08.sqm
2008-08-29 09:42 . 2008-08-29 09:42 268 --ah----- C:\sqmdata07.sqm
2008-08-29 09:42 . 2008-08-29 09:42 244 --ah----- C:\sqmnoopt07.sqm
2008-08-28 03:28 . 2008-08-28 03:28 268 --ah----- C:\sqmdata06.sqm
2008-08-28 03:28 . 2008-08-28 03:28 244 --ah----- C:\sqmnoopt06.sqm
2008-08-26 10:34 . 2008-08-26 10:34 268 --ah----- C:\sqmdata05.sqm
2008-08-26 10:34 . 2008-08-26 10:34 244 --ah----- C:\sqmnoopt05.sqm
2008-08-04 12:29 . 2008-08-04 16:44 1,382,155 --ahs---- C:\WINDOWS\system32\bqtmfkit.ini
2008-08-04 12:24 . 2008-08-04 12:24 1,381,975 --ahs---- C:\WINDOWS\system32\bvhiphvh.ini
2008-08-04 12:11 . 2008-08-04 12:11 <DIR> d-------- C:\Documents and Settings\Vlad\Application Data\TmpRecentIcons
2008-08-01 12:32 . 2008-08-01 12:32 268 --ah----- C:\sqmdata04.sqm
2008-08-01 12:32 . 2008-08-01 12:32 244 --ah----- C:\sqmnoopt04.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-01 22:27 --------- d-----w C:\Documents and Settings\Vlad\Application Data\DNA
2008-09-01 22:13 --------- d-----w C:\Program Files\DNA
2008-07-19 06:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 06:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 06:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 06:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 06:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 06:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 06:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 06:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 06:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 06:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-11 06:36 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-07-03 12:45 2,560 ----a-w C:\WINDOWS\system32\bitcometres.dll
2007-02-27 00:17 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

------- Sigcheck -------

2004-08-03 15:56 17408 a0cb467aeb82496348c1771097508a39 C:\WINDOWS\system32\svchost.exe

2006-11-20 00:50 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\system32\dllcache\tcpip.sys
2006-11-20 00:50 360576 c3b02652a90ca57b1b2891939d69fcca C:\WINDOWS\system32\drivers\tcpip.sys

2004-08-03 15:56 506368 a0dda1c222a45c93f39f9cc5351cbb8b C:\WINDOWS\system32\winlogon.exe

2006-11-20 00:48 1035776 3b3035757602a9894dd6c0df9299b26b C:\WINDOWS\explorer.exe

2004-08-03 15:56 110592 5919f6d178af2aa976cb3c733c13bfdf C:\WINDOWS\system32\services.exe

2004-08-03 15:56 14848 3991757b5d3da7b51f3ee44ead9ff4c5 C:\WINDOWS\system32\lsass.exe

2006-11-20 00:50 58880 99661e425d7835c3a07368b1b292accf C:\WINDOWS\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-11-07 3739672]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 221184]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-04 185896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 257088]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"MSUpdateSvc"= C:\WINDOWS\system32\MSServx.exe
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"24955:TCP"= 24955:TCP:BitComet 24955 TCP
"24955:UDP"= 24955:UDP:BitComet 24955 UDP

R2 U3SDR200;U3SDR200;C:\WINDOWS\System32\Drivers\U3SDR200.SYS [2008-04-05 4224]
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-29 20:42:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-09-29 20:47:58
ComboFix-quarantined-files.txt 2008-09-30 04:46:53
ComboFix2.txt 2008-09-30 04:29:47

Pre-Run: 4,017,885,184 bytes free
Post-Run: 4,008,542,208 bytes free

132

#50 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)

You seem to be just running ComboFix. You need to create the CFScript text file on your desktop, then drag that into ComboFix. Please do that.

#51 saded (Topic Starter, Member, 39 posts)

I did that already. After I do that, ComboFix will just run itself and the txt file will be missing.

#52 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)

Try this

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::


FCopy::
C:\WINDOWS\system32\dllcache\winlogon.exe | C:\WINDOWS\system32\winlogon.exe
C:\Windows\System32\dllcache\explorer.exe | C:\WINDOWS\explorer.exe

Folder::

Registry::

Driver::


Save this as CFScript.txt onto your desktop



Click Start > Run > Copy and paste the following in bold

ComboFix "C:\Documents and Settings\Vlad\Desktop\CFScript.txt"

Click ok and let it run




When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#53 saded (Topic Starter, Member, 39 posts)

ComboFix 08-09-27.06 - Vlad 2008-09-29 21:25:27.12 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.852.1033.18.79 [GMT -8:00]
Running from: C:\Documents and Settings\Vlad\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Vlad\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-30 )))))))))))))))))))))))))))))))
.

2008-09-29 10:47 . 2008-09-29 11:07 <DIR> d-------- C:\Documents and Settings\Vlad\DoctorWeb
2008-09-23 21:49 . 2008-09-23 21:52 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-23 21:49 . 2008-09-23 21:49 <DIR> d-------- C:\Documents and Settings\Vlad\Application Data\Malwarebytes
2008-09-23 21:49 . 2008-09-23 21:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-23 21:49 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-23 21:49 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-22 10:28 . 2008-09-22 10:28 244 --ah----- C:\sqmnoopt19.sqm
2008-09-21 19:25 . 2008-09-21 19:25 244 --ah----- C:\sqmnoopt18.sqm
2008-09-21 19:25 . 2008-09-21 19:25 232 --ah----- C:\sqmdata19.sqm
2008-09-21 19:15 . 2008-09-21 19:15 244 --ah----- C:\sqmnoopt17.sqm
2008-09-21 19:15 . 2008-09-21 19:15 232 --ah----- C:\sqmdata18.sqm
2008-09-21 18:43 . 2008-09-21 18:43 <DIR> d-------- C:\SDFix
2008-09-21 14:26 . 2008-09-21 14:26 268 --ah----- C:\sqmdata17.sqm
2008-09-21 14:26 . 2008-09-21 14:26 244 --ah----- C:\sqmnoopt16.sqm
2008-09-21 14:13 . 2008-09-21 14:13 268 --ah----- C:\sqmdata16.sqm
2008-09-21 14:13 . 2008-09-21 14:13 244 --ah----- C:\sqmnoopt15.sqm
2008-09-21 14:06 . 2008-09-21 14:06 244 --ah----- C:\sqmnoopt14.sqm
2008-09-21 14:06 . 2008-09-21 14:06 232 --ah----- C:\sqmdata15.sqm
2008-09-21 13:49 . 2008-09-21 13:49 244 --ah----- C:\sqmnoopt13.sqm
2008-09-21 13:49 . 2008-09-21 13:49 232 --ah----- C:\sqmdata14.sqm
2008-09-08 14:07 . 2008-09-08 14:07 232 --ah----- C:\sqmdata13.sqm
2008-09-05 15:49 . 2008-09-05 15:49 244 --ah----- C:\sqmnoopt12.sqm
2008-09-05 15:49 . 2008-09-05 15:49 232 --ah----- C:\sqmdata12.sqm
2008-09-05 14:16 . 2008-09-05 14:16 268 --ah----- C:\sqmdata11.sqm
2008-09-05 14:16 . 2008-09-05 14:16 244 --ah----- C:\sqmnoopt11.sqm
2008-09-05 14:12 . 2008-09-05 14:12 244 --ah----- C:\sqmnoopt10.sqm
2008-09-05 14:12 . 2008-09-05 14:12 232 --ah----- C:\sqmdata10.sqm
2008-09-05 14:00 . 2008-09-05 14:00 244 --ah----- C:\sqmnoopt09.sqm
2008-09-05 14:00 . 2008-09-05 14:00 244 --ah----- C:\sqmdata09.sqm
2008-09-01 14:27 . 2008-09-01 14:27 268 --ah----- C:\sqmdata08.sqm
2008-09-01 14:27 . 2008-09-01 14:27 244 --ah----- C:\sqmnoopt08.sqm
2008-08-29 09:42 . 2008-08-29 09:42 268 --ah----- C:\sqmdata07.sqm
2008-08-29 09:42 . 2008-08-29 09:42 244 --ah----- C:\sqmnoopt07.sqm
2008-08-28 03:28 . 2008-08-28 03:28 268 --ah----- C:\sqmdata06.sqm
2008-08-28 03:28 . 2008-08-28 03:28 244 --ah----- C:\sqmnoopt06.sqm
2008-08-26 10:34 . 2008-08-26 10:34 268 --ah----- C:\sqmdata05.sqm
2008-08-26 10:34 . 2008-08-26 10:34 244 --ah----- C:\sqmnoopt05.sqm
2008-08-04 12:29 . 2008-08-04 16:44 1,382,155 --ahs---- C:\WINDOWS\system32\bqtmfkit.ini
2008-08-04 12:24 . 2008-08-04 12:24 1,381,975 --ahs---- C:\WINDOWS\system32\bvhiphvh.ini
2008-08-04 12:11 . 2008-08-04 12:11 <DIR> d-------- C:\Documents and Settings\Vlad\Application Data\TmpRecentIcons
2008-08-01 12:32 . 2008-08-01 12:32 268 --ah----- C:\sqmdata04.sqm
2008-08-01 12:32 . 2008-08-01 12:32 244 --ah----- C:\sqmnoopt04.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-01 22:27 --------- d-----w C:\Documents and Settings\Vlad\Application Data\DNA
2008-09-01 22:13 --------- d-----w C:\Program Files\DNA
2008-07-19 06:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 06:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 06:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 06:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 06:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 06:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 06:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 06:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 06:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 06:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-11 06:36 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-07-03 12:45 2,560 ----a-w C:\WINDOWS\system32\bitcometres.dll
2007-02-27 00:17 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

------- Sigcheck -------

2004-08-03 15:56 17408 a0cb467aeb82496348c1771097508a39 C:\WINDOWS\system32\svchost.exe

2006-11-20 00:50 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\system32\dllcache\tcpip.sys
2006-11-20 00:50 360576 c3b02652a90ca57b1b2891939d69fcca C:\WINDOWS\system32\drivers\tcpip.sys

2004-08-03 15:56 506368 a0dda1c222a45c93f39f9cc5351cbb8b C:\WINDOWS\system32\winlogon.exe

2006-11-20 00:48 1035776 3b3035757602a9894dd6c0df9299b26b C:\WINDOWS\explorer.exe

2004-08-03 15:56 110592 5919f6d178af2aa976cb3c733c13bfdf C:\WINDOWS\system32\services.exe

2004-08-03 15:56 14848 3991757b5d3da7b51f3ee44ead9ff4c5 C:\WINDOWS\system32\lsass.exe

2006-11-20 00:50 58880 99661e425d7835c3a07368b1b292accf C:\WINDOWS\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-11-07 3739672]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 221184]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-04 185896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 257088]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"MSUpdateSvc"= C:\WINDOWS\system32\MSServx.exe
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"24955:TCP"= 24955:TCP:BitComet 24955 TCP
"24955:UDP"= 24955:UDP:BitComet 24955 UDP

.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-29 21:27:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-09-29 21:33:09
ComboFix-quarantined-files.txt 2008-09-30 05:32:05
ComboFix2.txt 2008-09-30 05:21:10
ComboFix3.txt 2008-09-30 05:10:07
ComboFix4.txt 2008-09-30 04:47:59
ComboFix5.txt 2008-09-30 05:24:57

Pre-Run: 3,956,092,928 bytes free
Post-Run: 3,951,419,392 bytes free

134

#54 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)

Hello

Now we need to reconfigure Windows XP to show hidden files:
Double-click the My Computer icon on the Windows desktop.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.





* Click on the Start Button, Click Search
Click "All Files and Folders"
Click "Advanced Options", put a check next to the following:
Search System Folders
Search Hidden Files And Folders
Search Subfolders


Next copy and paste the following entries into the search box(one at a time):

winlogon.exe


Write down the paths for any files found and post them here for me

#55 saded (Topic Starter, Member, 39 posts)

winlogon.exe MD5:e47df34547e4cb37d7fc626d35297817 virscan(virscan.org)
winlogon.exe MD5:a0dda1c222a45c93f39f9cc5351cbb8b virscan(virscan.org)
winlogon.exe C:\WINDOWS\system32

#56 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)

Tell me, can you find these files?

C:\WINDOWS\system32\dllcache\winlogon.exe
C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
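
A worked example added here (not from this thread, from ComboFix or from Dr.Web): a Python script that does the check Rorschach112 was doing by hand in #49, #55 and #56. It parses the Sigcheck section of the posted ComboFix log, compares each protected system file's MD5 with the pristine copy Windows XP keeps in dllcache or ServicePackFiles (the copy the FCopy:: line in the CFScript restores from), and reports the winlogon.exe hash from #55 that the log never recorded. The sample lines are copied from the posts; REFERENCE_DIRS and the verdict names are this example's own.

```python
import re
from collections import defaultdict

# One Sigcheck line: <date> <time> <size> <md5> <path>
SIGCHECK_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\d+) ([0-9a-f]{32}) ([A-Za-z]:\\\S.*?)\s*$",
    re.IGNORECASE,
)

# Where Windows XP keeps known-good copies of protected files (this example's
# convention; the FCopy:: line in the CFScript restores from dllcache).
REFERENCE_DIRS = ("\\dllcache\\", "\\servicepackfiles\\")

# Sigcheck lines copied verbatim from the log posted in #49.
SIGCHECK_SAMPLE = r"""
------- Sigcheck -------

2004-08-03 15:56 17408 a0cb467aeb82496348c1771097508a39 C:\WINDOWS\system32\svchost.exe

2006-11-20 00:50 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\system32\dllcache\tcpip.sys
2006-11-20 00:50 360576 c3b02652a90ca57b1b2891939d69fcca C:\WINDOWS\system32\drivers\tcpip.sys

2004-08-03 15:56 506368 a0dda1c222a45c93f39f9cc5351cbb8b C:\WINDOWS\system32\winlogon.exe

2006-11-20 00:48 1035776 3b3035757602a9894dd6c0df9299b26b C:\WINDOWS\explorer.exe
"""

# The two winlogon.exe MD5s the poster reported after the manual search in #55.
REPORTED_WINLOGON_MD5 = (
    "e47df34547e4cb37d7fc626d35297817",
    "a0dda1c222a45c93f39f9cc5351cbb8b",
)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_sigcheck(text):
    """Return one dict per Sigcheck line: path, md5 (lower-case) and size in bytes."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_LINE.match(line.strip())
        if m:
            _date, _time, size, md5, path = m.groups()
            entries.append({"path": path, "md5": md5.lower(), "size": int(size)})
    return entries


def is_reference(path):
    """True if the path points into one of the pristine-copy directories."""
    low = path.lower()
    return any(d in low for d in REFERENCE_DIRS)


def check_against_references(entries):
    """Verdict per file name for every live (non-reference) copy:
    'ok'           - its MD5 matches a pristine copy of the same name,
    'mismatch'     - a pristine copy exists but the hashes differ (verify the file),
    'no-reference' - no pristine copy was listed, so FCopy:: has nothing to restore from."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[basename(e["path"])].append(e)
    verdicts = {}
    for name, copies in by_name.items():
        refs = {c["md5"] for c in copies if is_reference(c["path"])}
        live = [c for c in copies if not is_reference(c["path"])]
        if not live:
            continue  # only pristine copies listed; nothing to verify
        if not refs:
            verdicts[name] = "no-reference"
        elif all(c["md5"] in refs for c in live):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "mismatch"
    return verdicts


def cross_check_reported(entries, filename, reported_md5s):
    """Hashes reported by hand for *filename* that ComboFix never recorded. A second,
    differently hashed copy of a protected binary is the one to locate and examine."""
    logged = {e["md5"] for e in entries if basename(e["path"]) == filename.lower()}
    return sorted(h.lower() for h in reported_md5s if h.lower() not in logged)


if __name__ == "__main__":
    entries = parse_sigcheck(SIGCHECK_SAMPLE)
    for name, verdict in sorted(check_against_references(entries).items()):
        print(f"{name:14} {verdict}")
    extra = cross_check_reported(entries, "winlogon.exe", REPORTED_WINLOGON_MD5)
    print("winlogon.exe hashes reported in #55 but absent from the log:", extra)
```

On the posted log this reports tcpip.sys as a mismatch between the dllcache and drivers copies, winlogon.exe as having no pristine copy (which is why the FCopy:: step had nothing to restore from and why the helper asked about dllcache and ServicePackFiles), and e47df34547e4cb37d7fc626d35297817 as a winlogon.exe hash the log never saw.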

#57 saded (Topic Starter, Member, 39 posts)

no

#58 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)

OK, run a full scan with Dr. Web Cureit in the meantime and post that log here while I think of something else.

#59 saded (Topic Starter, Member, 39 posts)

ComboFix.exe\32788R22FWJFW\C.bat;C:\Documents and Settings\Vlad\Desktop\ComboFix.exe;Probably BATCH.Virus;;
ComboFix.exe\32788R22FWJFW\List-C.bat;C:\Documents and Settings\Vlad\Desktop\ComboFix.exe;Probably BATCH.Virus;;
ComboFix.exe\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Vlad\Desktop\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\Vlad\Desktop;Archive contains infected objects;Moved.;
A0076815.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP173;Probably BATCH.Virus;;
A0076829.EXE;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP174;Program.PsExec.170;;
A0076832.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP174;Probably BATCH.Virus;;
A0076929.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP176;Probably BATCH.Virus;;
A0076945.EXE;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP176;Program.PsExec.170;;
A0076948.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP176;Probably BATCH.Virus;;
A0077038.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP177;Probably BATCH.Virus;;
A0077063.EXE;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP177;Program.PsExec.170;;
A0077066.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP177;Probably BATCH.Virus;;
A0077110.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP177;Probably BATCH.Virus;;
A0077126.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP177;Probably BATCH.Virus;;
A0077149.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP178;Probably BATCH.Virus;;
A0077155.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP178;Probably BATCH.Virus;;
A0077205.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP178;Probably BATCH.Virus;;
A0077221.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP178;Probably BATCH.Virus;;
A0077245.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP179;Probably BATCH.Virus;;
A0077251.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP179;Probably BATCH.Virus;;
A0077287.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP179;Probably BATCH.Virus;;
A0077303.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP179;Probably BATCH.Virus;;
A0077325.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP180;Probably BATCH.Virus;;
A0077337.EXE;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP180;Program.PsExec.170;;
A0077340.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP180;Probably BATCH.Virus;;
A0077401.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP181;Probably BATCH.Virus;;
A0077406.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP181;Probably BATCH.Virus;;
A0077447.exe\32788R22FWJFW\C.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP181\A0077447.exe;Probably BATCH.Virus;;
A0077447.exe\32788R22FWJFW\List-C.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP181\A0077447.exe;Probably BATCH.Virus;;
A0077447.exe\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP181\A0077447.exe;Program.PsExec.171;;
A0077447.exe;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP181;Archive contains infected objects;Moved.;
A0077455.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP181;Probably BATCH.Virus;;
A0077459.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP181;Probably BATCH.Virus;;
A0077494.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP182;Probably BATCH.Virus;;
A0077498.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP182;Probably BATCH.Virus;;
A0077538.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP183;Probably BATCH.Virus;;
A0077542.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP183;Probably BATCH.Virus;;
A0077582.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP184;Probably BATCH.Virus;;
A0077586.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP184;Probably BATCH.Virus;;
A0077626.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP185;Probably BATCH.Virus;;
A0077630.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP185;Probably BATCH.Virus;;
A0077662.exe\32788R22FWJFW\C.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP185\A0077662.exe;Probably BATCH.Virus;;
A0077662.exe\32788R22FWJFW\List-C.bat;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP185\A0077662.exe;Probably BATCH.Virus;;
A0077662.exe\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP185\A0077662.exe;Program.PsExec.171;;
A0077662.exe;C:\System Volume Information\_restore{2AF0A64B-1346-4B75-BEF5-EBCC672E16D0}\RP185;Archive contains infected objects;Moved.;

#60 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)

OK, just waiting for a second opinion since your problem is a bit strange.