
I am infected with Tagasaurus and others... [Solved]



#31
Transience
    Unofficial Music Guru
  • Retired Staff
  • 2,448 posts
Sorry for the delay in my reply... it puzzles me how Vundo came back like that. Let's do this:

Uninstall Combofix

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u; it needs to be there.
    Posted Image

Now please redownload and run ComboFix again as per my previous instructions; I'll repeat them here for you:

Please download and save ComboFix from one of these locations:

Link 1 | Link 2 | Link 3

* It is very important that ComboFix is saved directly to your desktop.

Notes:
  • Before running ComboFix, you should disable all Antivirus and Antispyware applications so they don't interfere. You can often do this just by right-clicking on the system tray icon and clicking "Disable" or similar. If you need further instructions for how to disable your programs, look here.
  • ComboFix will temporarily disconnect your machine from the internet and change your clock settings; this is normal, and both will be restored before the program terminates.
  • Do not attempt to run any programs or click on ComboFix's window while it is running; just allow it to run uninterrupted aside from okaying any prompts. It may appear to be doing nothing at times; this is normal, don't worry.
Next:
  • Double click on ComboFix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a serious problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Recovery Console, and when prompted, agree to the End-User License Agreement to install it.
* Note: If the Recovery Console is already installed on your computer, ComboFix will ignore the installation routines and continue its malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes to continue scanning for malware. The program will scan for malware and then perform various fixes. You may be asked to reboot; okay the prompt and allow your computer to reboot. Log in as normal and allow ComboFix to complete its run without doing anything else.

When it's finished, the program's log will appear in Notepad as well as saving itself to C:\ComboFix.txt. Please include the full contents of the log in your next reply.

My suspicion is that there was some rootkit activity that none of our scans picked up, which may be what brought back your infections. We'll run this rootkit check tool; I apologize that it's a lot of work for you, but it's as good as it gets for finding things hiding deep down:

Please download and unzip IceSword to its own folder on your desktop.

Note: If you get a lot of "red entries" in an IceSword log, don't panic; many of them are harmless.

Step 1 : Close all windows and double-click IceSword to run it (Vista users, please right-click and select Run as Administrator). Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log; call this Processes and save it to your desktop.

Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.

Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop.

Step 4 : Click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.

Step 5 : Click the Message Hooks tab and check for any entries that are underneath Type and labelled WH_KEYBOARD. Write down the Process Path of these entries if present.

Now post in a reply to this thread all of the data collected under the headings for:

Processes
Win32 Services
Startup
SSDT
Message Hooks


So, when you can, in your next reply I'd like to see the CF log and the information from IceSword.

Cheers,
Dave

#32
Katie_Harlow87
    Member
  • Topic Starter
  • 25 posts
'Sorry for the delay in my reply' Shush, I greatly appreciate the time that you can give to me, and I know that you have your own life to live, etc. :] Thanks!

Here is the Combofix log:

ComboFix 09-01-11.04 - Andrew 2009-01-12 13:38:58.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.688 [GMT -8:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090112-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\cbXRjGVl.dll
c:\windows\system32\ohfajk.dll
c:\windows\system32\taoyvsfp.dll
c:\windows\system32\xxyawwVN.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.

2009-01-10 12:12 . 2009-01-10 12:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg7
2009-01-09 23:45 . 2008-04-13 16:12 221,184 --a------ c:\windows\system32\setb0.tmp
2009-01-09 23:26 . 2009-01-09 23:26 <DIR> d-------- c:\windows\system32\scripting
2009-01-09 23:26 . 2009-01-09 23:26 <DIR> d-------- c:\windows\system32\en
2009-01-09 23:26 . 2009-01-09 23:26 <DIR> d-------- c:\windows\l2schemas
2009-01-09 22:55 . 2008-10-16 12:38 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2009-01-09 22:55 . 2007-04-17 01:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2009-01-09 22:55 . 2007-03-07 21:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2009-01-09 22:55 . 2008-10-16 12:38 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2009-01-09 22:55 . 2008-10-16 12:38 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2009-01-09 22:55 . 2008-10-16 12:38 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2009-01-09 22:55 . 2008-10-16 12:38 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2009-01-09 22:55 . 2008-10-16 12:38 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-09 22:55 . 2008-10-16 05:11 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2009-01-09 22:51 . 2007-08-13 18:54 33,792 --a--c--- c:\windows\system32\dllcache\custsat.dll
2009-01-09 21:47 . 2009-01-09 21:47 <DIR> d-------- C:\9afedb290d5fd574c253e2
2009-01-09 19:53 . 2009-01-09 19:52 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-09 19:52 . 2009-01-09 19:52 <DIR> d-------- c:\program files\Java
2009-01-09 19:51 . 2009-01-09 19:51 0 --a------ c:\windows\system32\REND.tmp
2009-01-09 19:51 . 2009-01-09 19:51 0 --a------ c:\windows\system32\RENC.tmp
2009-01-09 19:51 . 2009-01-09 19:51 0 --a------ c:\windows\system32\RENB.tmp
2009-01-09 19:32 . 2009-01-09 19:45 <DIR> d-------- c:\documents and settings\Andrew\.SunDownloadManager
2009-01-08 17:47 . 2009-01-08 17:47 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-08 17:47 . 2009-01-08 17:47 <DIR> d-------- c:\documents and settings\Andrew\Application Data\Malwarebytes
2009-01-08 17:47 . 2009-01-08 17:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-08 17:47 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-08 17:47 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-08 14:48 . 2009-01-08 14:48 <DIR> d-------- c:\program files\Trend Micro
2009-01-08 09:34 . 2009-01-08 09:34 <DIR> d-------- c:\program files\XoftSpySE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-12 08:16 --------- d-----w c:\documents and settings\Andrew\Application Data\.purple
2009-01-10 21:29 --------- d-----w c:\documents and settings\Andrew\Application Data\gtk-2.0
2009-01-10 03:52 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"NetZero_uoltray"="c:\program files\NetZero\exec.exe" [2007-10-15 1636864]
"Aim6"="c:\program files\AIM6\aim6.exe" [2006-11-07 50736]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-04-27 7573504]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-04-27 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-09 136600]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"nwiz"="nwiz.exe" [2006-04-27 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2007-06-23 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-10 111184]
R3 pnicII;Linksys Fast Ethernet PCI Card;c:\windows\system32\drivers\LNE100.SYS [2000-02-10 20573]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-10 20560]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
.
Contents of the 'Scheduled Tasks' folder

2009-01-12 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-01-07 07:47]
.
- - - - ORPHANS REMOVED - - - -

BHO-{12A56145-AF5E-450D-BD00-9EF8AED62324} - (no file)
BHO-{7C7F0A88-E7D3-4D1B-BDD0-D98F6499CD82} - (no file)
Notify-byXOiJDs - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
TCP: {A16447C3-1E1E-462E-9A78-AE0FFB4A023B} = 4.2.2.2,4.2.2.1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-12 13:41:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-12 13:43:02
ComboFix-quarantined-files.txt 2009-01-12 21:42:57
ComboFix2.txt 2009-01-10 01:02:12

Pre-Run: 62,092,738,560 bytes free
Post-Run: 62,218,760,192 bytes free

139 --- E O F --- 2009-01-12 19:53:20



And here is the IceSword info:

Processes (none of them were red)

Process:

System Idle Process
System
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\alg.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Program Files\NetZero\exec.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Andrew\LOCALS~1\Temp\Rar$EX02.156\IceSword122en\IceSword.exe
C:\WINDOWS\system32\notepad.exe

Win32 Services (none of these were red)

Started Service:

Service Name:ALG Display Name:Application Layer Gateway Service
Service Name:aswUpdSv Display Name:avast! iAVS4 Control Service
Service Name:AudioSrv Display Name:Windows Audio
Service Name:avast! Antivirus Display Name:avast! Antivirus
Service Name:avast! Mail Scanner Display Name:avast! Mail Scanner
Service Name:avast! Web Scanner Display Name:avast! Web Scanner
Service Name:BITS Display Name:Background Intelligent Transfer Service
Service Name:CryptSvc Display Name:Cryptographic Services
Service Name:DcomLaunch Display Name:DCOM Server Process Launcher
Service Name:Dhcp Display Name:DHCP Client
Service Name:Dnscache Display Name:DNS Client
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:Eventlog Display Name:Event Log
Service Name:EventSystem Display Name:COM+ Event System
Service Name:FastUserSwitchingCompatibility Display Name:Fast User Switching Compatibility
Service Name:helpsvc Display Name:Help and Support
Service Name:HidServ Display Name:HID Input Service
Service Name:JavaQuickStarterService Display Name:Java Quick Starter
Service Name:lanmanserver Display Name:Server
Service Name:lanmanworkstation Display Name:Workstation
Service Name:LmHosts Display Name:TCP/IP NetBIOS Helper
Service Name:Netman Display Name:Network Connections
Service Name:Nla Display Name:Network Location Awareness (NLA)
Service Name:NVSvc Display Name:NVIDIA Display Driver Service
Service Name:PlugPlay Display Name:Plug and Play
Service Name:PolicyAgent Display Name:IPSEC Services
Service Name:ProtectedStorage Display Name:Protected Storage
Service Name:RasMan Display Name:Remote Access Connection Manager
Service Name:RpcSs Display Name:Remote Procedure Call (RPC)
Service Name:SamSs Display Name:Security Accounts Manager
Service Name:Schedule Display Name:Task Scheduler
Service Name:seclogon Display Name:Secondary Logon
Service Name:SENS Display Name:System Event Notification
Service Name:SharedAccess Display Name:Windows Firewall/Internet Connection Sharing (ICS)
Service Name:ShellHWDetection Display Name:Shell Hardware Detection
Service Name:Spooler Display Name:Print Spooler
Service Name:srservice Display Name:System Restore Service
Service Name:SSDPSRV Display Name:SSDP Discovery Service
Service Name:stisvc Display Name:Windows Image Acquisition (WIA)
Service Name:TapiSrv Display Name:Telephony
Service Name:TermService Display Name:Terminal Services
Service Name:Themes Display Name:Themes
Service Name:TrkWks Display Name:Distributed Link Tracking Client
Service Name:W32Time Display Name:Windows Time
Service Name:WebClient Display Name:WebClient
Service Name:winmgmt Display Name:Windows Management Instrumentation
Service Name:wscsvc Display Name:Security Center
Service Name:wuauserv Display Name:Automatic Updates
Service Name:WZCSVC Display Name:Wireless Zero Configuration

Startup (none of these were red)

Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nwiz
nwiz.exe /install

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvMediaCenter
RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adobe Reader Speed Launcher
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SunJavaUpdateSched
"C:\Program Files\Java\jre6\bin\jusched.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avast!
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS
"C:\Program Files\Messenger\msmsgs.exe" /background

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
NetZero_uoltray
C:\Program Files\NetZero\exec.exe regrun

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Aim6
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Yahoo! Pager
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini


C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Exif Launcher S.lnk
C:\Program Files\FinePixViewerS\QuickDCF2.exe (Remark:)

C:\Documents and Settings\Andrew\Start Menu\Programs\Startup
desktop.ini

SSDT (all of these were red)

\SystemRoot\System32\Drivers\aswSP.SYS Name Ntclose
\SystemRoot\System32\Drivers\aswSP.SYS Name NtCreateKey
\SystemRoot\System32\Drivers\aswSP.SYS Name NtDeleteValueKey
\SystemRoot\System32\Drivers\aswSP.SYS Name NtDuplicateObject
\SystemRoot\System32\Drivers\aswSP.SYS Name NtOpenKey
\SystemRoot\System32\Drivers\aswSP.SYS Name NtOpenProcess
\SystemRoot\System32\Drivers\aswSP.SYS Name NtOpenThread
\SystemRoot\System32\Drivers\aswSP.SYS Name NtQueryValueKey
\SystemRoot\System32\Drivers\aswSP.SYS Name NtRestoreKey
\SystemRoot\System32\Drivers\aswSP.SYS Name NtSetValueKey

Message Hooks

WH_KEYBOARD C:\WINDOWS\explorer.exe
WH_KEYBOARD C:\WINDOWS\explorer.exe
WH_KEYBOARD C:\WINDOWS\explorer.exe
WH_KEYBOARD C:\Program Files\Internet Explorer\iexplorer.exe
WH_KEYBOARD C:\WINDOWS\explorer.exe
WH_KEYBOARD C:\WINDOWS\system32\ctfmon.exe
WH_KEYBOARD C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
WH_KEYBOARD C:\WINDOWS\explorer.exe
WH_KEYBOARD C:\Program Files\WinRAR\WinRAR.exe
WH_KEYBOARD C:\Program Files\Internet Explorer\iexplorer.exe
WH_KEYBOARD C:\Program Files\Internet Explorer\iexplorer.exe
WH_KEYBOARD C:\Program Files\Internet Explorer\iexplorer.exe
WH_KEYBOARD C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
WH_KEYBOARD C:\WINDOWS\system32\wscntfy.exe
WH_KEYBOARD C:\Program Files\Internet Explorer\iexplorer.exe
WH_KEYBOARD C:\WINDOWS\explorer.exe
WH_KEYBOARD C:\WINDOWS\system32\notepad.exe
WH_KEYBOARD C:\WINDOWS\system32\notepad.exe
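To show how the IceSword sections requested in #31 and posted in #32 are read, here is an added triage script (not part of this thread, and not IceSword's own code). It parses the posted format, attributes each red SSDT hook to a known security driver before flagging anything (the only entry, aswSP.sys, is avast!'s self-protection driver per the "R1 aswSP" service line in the ComboFix log), counts WH_KEYBOARD hooks per owning image, and sets aside hook owners that do not appear in the process list for manual review. It goes one step beyond the posted dump by also handling an unattributed driver; the sample log is constructed, and EXAMPLE_UNKNOWN.SYS is a placeholder, not a real driver.

```python
"""Triage of an IceSword dump in the format posted above (added example, not
part of the thread or of IceSword).  Red SSDT entries are not automatically
hostile: security software hooks the same calls a rootkit would, so hooks are
attributed to known drivers first and only the remainder is flagged."""
import re
from collections import Counter

# Drivers known to hook the SSDT legitimately.  The single entry comes from
# the ComboFix line "R1 aswSP;avast! Self Protection;...\aswSP.sys" above;
# extend it with whatever security products are really installed.
KNOWN_SSDT_HOOKERS = {"aswsp.sys": "avast! Self Protection"}

# Section headings as IceSword prints them; requiring " (" or end-of-line keeps
# "Startup:" (a sub-heading inside the Startup section) from matching.
SECTION_RE = re.compile(r"^(Processes|Win32 Services|Startup|SSDT|Message Hooks)(?: \(|$)")
SSDT_RE = re.compile(r"^(\S+)\s+Name\s+(\w+)$")
HOOK_RE = re.compile(r"^(WH_\w+)\s+(.+)$")

# Constructed sample, shortened from the posted dump.  EXAMPLE_UNKNOWN.SYS is
# a placeholder that exercises the unattributed path, not a real driver.
SAMPLE_LOG = r"""Processes (none of them were red)

Process:

System Idle Process
System
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe

SSDT (all of these were red)

\SystemRoot\System32\Drivers\aswSP.SYS Name NtOpenProcess
\SystemRoot\System32\Drivers\aswSP.SYS Name NtCreateKey
\SystemRoot\System32\Drivers\EXAMPLE_UNKNOWN.SYS Name NtQueryDirectoryFile

Message Hooks

WH_KEYBOARD C:\WINDOWS\explorer.exe
WH_KEYBOARD C:\WINDOWS\explorer.exe
WH_KEYBOARD C:\WINDOWS\system32\ctfmon.exe
WH_KEYBOARD C:\Program Files\Internet Explorer\iexplorer.exe
"""


def parse_sections(text):
    """Split the dump into {section name: [non-blank lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections

def basename(path):
    """Lower-cased file name of a Windows path, for case-insensitive compare."""
    return path.rsplit("\\", 1)[-1].lower()

def triage_ssdt(ssdt_lines):
    """Return (attributed, unattributed): [(func, driver, product)], [(func, driver)]."""
    attributed, unattributed = [], []
    for line in ssdt_lines:
        match = SSDT_RE.match(line)
        if not match:
            continue
        driver, func = basename(match.group(1)), match.group(2)
        product = KNOWN_SSDT_HOOKERS.get(driver)
        if product:
            attributed.append((func, driver, product))
        else:
            unattributed.append((func, driver))
    return attributed, unattributed

def triage_keyboard_hooks(hook_lines, process_lines):
    """Count WH_KEYBOARD hooks per owning image; owners whose path is not in the
    process list come back separately (a prompt for review, not a verdict)."""
    running = {p.lower() for p in process_lines if "\\" in p}
    counts = Counter()
    for line in hook_lines:
        match = HOOK_RE.match(line)
        if match and match.group(1) == "WH_KEYBOARD":
            counts[match.group(2).lower()] += 1
    return counts, sorted(owner for owner in counts if owner not in running)

def triage(text):
    """Full triage of one pasted IceSword dump, as a plain dict."""
    sections = parse_sections(text)
    attributed, unattributed = triage_ssdt(sections.get("SSDT", []))
    counts, not_running = triage_keyboard_hooks(
        sections.get("Message Hooks", []), sections.get("Processes", []))
    return {"ssdt_attributed": attributed, "ssdt_unattributed": unattributed,
            "keyboard_hook_counts": dict(counts),
            "keyboard_hook_owners_not_running": not_running}
```

Run `triage(SAMPLE_LOG)` on a real paste by replacing SAMPLE_LOG with the text from the forum post; anything in `ssdt_unattributed` or `keyboard_hook_owners_not_running` is what a helper would look at by hand.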

#33
Transience
    Unofficial Music Guru
  • Retired Staff
  • 2,448 posts
Well, it really is a mystery to me how that Vundo came back... nothing in your log indicates there was any rootkit activity or anything else remaining that would have brought it back, but it appears to be gone again :). Just to take care of a couple of files quickly:

1. Run a ComboFix script
  • Copy the entire contents of the code box below to notepad (Start > Programs > Accessories > Notepad).
  • Click on File > Save and name the file CFScript.txt. This name is important and must not be changed.
  • Change the Save as Type to All Files.
  • Save it directly on your desktop.
KillAll::

file::
c:\windows\system32\setb0.tmp
c:\windows\system32\REND.tmp
c:\windows\system32\RENC.tmp
c:\windows\system32\RENB.tmp

folder::
C:\9afedb290d5fd574c253e2

Note: If you are not the topic starter, DO NOT download or run this script as it could cause irreversible damage to your computer.

Please note that the same procedure applies to running ComboFix this time as before - disable your protection programs beforehand, close all other programs, don't interrupt it for any reason etc.

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe. This will cause ComboFix to start again. Allow it to complete running, following any prompts. Once the program has completed, the log should appear automatically; if it doesn't, it can be found at C:\ComboFix.txt. Please post the contents of that log in your next reply.

After that, would you run the Kaspersky scan for me again and post the logs from both CF and Kaspersky in your next reply? Hopefully Kaspersky will be clean, which would mean that we've finally kicked the buggers :).

Cheers,
Dave

#34
Katie_Harlow87
    Member
  • Topic Starter
  • 25 posts
Phew... That took a long while. When I went to use Kaspersky, it took a LONG time to upload the database, then I was able to scan. Unfortunately, Kaspersky found some Monder stuff... O_O *sigh* Should I use Malwarebytes again and/or... another Monder fix...? I'll await your advice, etc. I want to use some of the Monder fixes that I posted earlier... but I don't know how reputable they are or whatever. I think we'll get there... You've been great help, and again, thank youuu. :]

Here is the Combofix log, followed by the Kaspersky log:

ComboFix 09-01-11.04 - Andrew 2009-01-12 18:35:05.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.714 [GMT -8:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Andrew\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090112-0] *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\RENB.tmp
c:\windows\system32\RENC.tmp
c:\windows\system32\REND.tmp
c:\windows\system32\setb0.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\9afedb290d5fd574c253e2
c:\9afedb290d5fd574c253e2\$shtdwn$.req
c:\9afedb290d5fd574c253e2\admparse.dll
c:\9afedb290d5fd574c253e2\admparse.dll.mui
c:\9afedb290d5fd574c253e2\advpack.dll
c:\9afedb290d5fd574c253e2\advpack.dll.mui
c:\9afedb290d5fd574c253e2\browseui.dll
c:\9afedb290d5fd574c253e2\corpol.dll
c:\9afedb290d5fd574c253e2\custsat.dll
c:\9afedb290d5fd574c253e2\dxtmsft.dll
c:\9afedb290d5fd574c253e2\dxtrans.dll
c:\9afedb290d5fd574c253e2\extmgr.dll
c:\9afedb290d5fd574c253e2\extmgr.dll.mui
c:\9afedb290d5fd574c253e2\feeddisc.wav
c:\9afedb290d5fd574c253e2\hmmapi.dll
c:\9afedb290d5fd574c253e2\hmmapi.dll.mui
c:\9afedb290d5fd574c253e2\html.iec
c:\9afedb290d5fd574c253e2\html.iec.mui
c:\9afedb290d5fd574c253e2\icardie.dll
c:\9afedb290d5fd574c253e2\icardie.dll.mui
c:\9afedb290d5fd574c253e2\icrav03.rat
c:\9afedb290d5fd574c253e2\ie4uinit.exe
c:\9afedb290d5fd574c253e2\ie4uinit.exe.mui
c:\9afedb290d5fd574c253e2\ieakeng.dll
c:\9afedb290d5fd574c253e2\ieakeng.dll.mui
c:\9afedb290d5fd574c253e2\ieakmmc.chm
c:\9afedb290d5fd574c253e2\ieaksie.dll
c:\9afedb290d5fd574c253e2\ieaksie.dll.mui
c:\9afedb290d5fd574c253e2\ieakui.dll
c:\9afedb290d5fd574c253e2\ieakui.dll.mui
c:\9afedb290d5fd574c253e2\ieapfltr.dat
c:\9afedb290d5fd574c253e2\ieapfltr.dll
c:\9afedb290d5fd574c253e2\iedkcs32.dll
c:\9afedb290d5fd574c253e2\iedkcs32.dll.mui
c:\9afedb290d5fd574c253e2\iedw.exe
c:\9afedb290d5fd574c253e2\iedw.exe.mui
c:\9afedb290d5fd574c253e2\ieencode.dll
c:\9afedb290d5fd574c253e2\ieeula.chm
c:\9afedb290d5fd574c253e2\ieframe.dll
c:\9afedb290d5fd574c253e2\ieframe.dll.mui
c:\9afedb290d5fd574c253e2\iepeers.dll
c:\9afedb290d5fd574c253e2\iepeers.dll.mui
c:\9afedb290d5fd574c253e2\ieproxy.dll
c:\9afedb290d5fd574c253e2\iernonce.dll
c:\9afedb290d5fd574c253e2\iernonce.dll.mui
c:\9afedb290d5fd574c253e2\iertutil.dll
c:\9afedb290d5fd574c253e2\iesetup.dll
c:\9afedb290d5fd574c253e2\iesetup.dll.mui
c:\9afedb290d5fd574c253e2\iesupp.chm
c:\9afedb290d5fd574c253e2\ieudinit.exe
c:\9afedb290d5fd574c253e2\ieui.dll
c:\9afedb290d5fd574c253e2\ieui.dll.mui
c:\9afedb290d5fd574c253e2\ieuinit.inf
c:\9afedb290d5fd574c253e2\ieunatt.exe.mui
c:\9afedb290d5fd574c253e2\iexplore.chm
c:\9afedb290d5fd574c253e2\iexplore.exe
c:\9afedb290d5fd574c253e2\iexplore.exe.mui
c:\9afedb290d5fd574c253e2\imgutil.dll
c:\9afedb290d5fd574c253e2\inetcorp.iem
c:\9afedb290d5fd574c253e2\inetcpl.cpl
c:\9afedb290d5fd574c253e2\inetcpl.cpl.mui
c:\9afedb290d5fd574c253e2\inetres.adm
c:\9afedb290d5fd574c253e2\inetset.iem
c:\9afedb290d5fd574c253e2\infobar.wav
c:\9afedb290d5fd574c253e2\inseng.dll
c:\9afedb290d5fd574c253e2\inseng.dll.mui
c:\9afedb290d5fd574c253e2\install.ins
c:\9afedb290d5fd574c253e2\jscript.dll
c:\9afedb290d5fd574c253e2\jsproxy.dll
c:\9afedb290d5fd574c253e2\licmgr10.dll
c:\9afedb290d5fd574c253e2\licmgr10.dll.mui
c:\9afedb290d5fd574c253e2\msfeeds.dll
c:\9afedb290d5fd574c253e2\msfeeds.mof
c:\9afedb290d5fd574c253e2\msfeedsbs.dll
c:\9afedb290d5fd574c253e2\msfeedsbs.dll.mui
c:\9afedb290d5fd574c253e2\msfeedsbs.mof
c:\9afedb290d5fd574c253e2\msfeedssync.exe
c:\9afedb290d5fd574c253e2\mshta.exe
c:\9afedb290d5fd574c253e2\mshta.exe.mui
c:\9afedb290d5fd574c253e2\mshtml.dll
c:\9afedb290d5fd574c253e2\mshtml.dll.mui
c:\9afedb290d5fd574c253e2\mshtml.tlb
c:\9afedb290d5fd574c253e2\mshtmled.dll
c:\9afedb290d5fd574c253e2\mshtmled.dll.mui
c:\9afedb290d5fd574c253e2\mshtmler.dll
c:\9afedb290d5fd574c253e2\mshtmler.dll.mui
c:\9afedb290d5fd574c253e2\msls31.dll
c:\9afedb290d5fd574c253e2\msrating.dll
c:\9afedb290d5fd574c253e2\msrating.dll.mui
c:\9afedb290d5fd574c253e2\mstime.dll
c:\9afedb290d5fd574c253e2\navstart.wav
c:\9afedb290d5fd574c253e2\occache.dll
c:\9afedb290d5fd574c253e2\occache.dll.mui
c:\9afedb290d5fd574c253e2\occache.ini
c:\9afedb290d5fd574c253e2\pngfilt.dll
c:\9afedb290d5fd574c253e2\popupblk.wav
c:\9afedb290d5fd574c253e2\shdocvw.dll
c:\9afedb290d5fd574c253e2\shlwapi.dll
c:\9afedb290d5fd574c253e2\spmsg.dll
c:\9afedb290d5fd574c253e2\spuninst.exe
c:\9afedb290d5fd574c253e2\spupdsvc.exe
c:\9afedb290d5fd574c253e2\tdc.ocx
c:\9afedb290d5fd574c253e2\ticrf.rat
c:\9afedb290d5fd574c253e2\update\eula.rtf
c:\9afedb290d5fd574c253e2\update\idndl.exe
c:\9afedb290d5fd574c253e2\update\ie7.cat
c:\9afedb290d5fd574c253e2\update\iecustom.dll
c:\9afedb290d5fd574c253e2\update\iereseticons.exe
c:\9afedb290d5fd574c253e2\update\iesetup.exe
c:\9afedb290d5fd574c253e2\update\legitlibm.dll
c:\9afedb290d5fd574c253e2\update\nlsdl.exe
c:\9afedb290d5fd574c253e2\update\update.exe
c:\9afedb290d5fd574c253e2\update\update.exe.manifest
c:\9afedb290d5fd574c253e2\update\update.inf
c:\9afedb290d5fd574c253e2\update\update.ver
c:\9afedb290d5fd574c253e2\update\updspapi.dll
c:\9afedb290d5fd574c253e2\update\xmllitesetup.exe
c:\9afedb290d5fd574c253e2\url.dll
c:\9afedb290d5fd574c253e2\urlmon.dll
c:\9afedb290d5fd574c253e2\urlmon.dll.mui
c:\9afedb290d5fd574c253e2\vbscript.dll
c:\9afedb290d5fd574c253e2\vgx.dll
c:\9afedb290d5fd574c253e2\webcheck.dll
c:\9afedb290d5fd574c253e2\webcheck.dll.mui
c:\9afedb290d5fd574c253e2\webcheck.ini
c:\9afedb290d5fd574c253e2\winfxdocobj.exe
c:\9afedb290d5fd574c253e2\winfxdocobj.exe.mui
c:\9afedb290d5fd574c253e2\wininet.dll
c:\9afedb290d5fd574c253e2\wininet.dll.mui
c:\windows\system32\RENB.tmp
c:\windows\system32\RENC.tmp
c:\windows\system32\REND.tmp
c:\windows\system32\setb0.tmp

.
((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 )))))))))))))))))))))))))))))))
.

2009-01-10 12:12 . 2009-01-10 12:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg7
2009-01-09 23:26 . 2009-01-09 23:26 <DIR> d-------- c:\windows\system32\scripting
2009-01-09 23:26 . 2009-01-09 23:26 <DIR> d-------- c:\windows\system32\en
2009-01-09 23:26 . 2009-01-09 23:26 <DIR> d-------- c:\windows\l2schemas
2009-01-09 22:55 . 2008-10-16 12:38 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2009-01-09 22:55 . 2007-04-17 01:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2009-01-09 22:55 . 2007-03-07 21:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2009-01-09 22:55 . 2008-10-16 12:38 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2009-01-09 22:55 . 2008-10-16 12:38 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2009-01-09 22:55 . 2008-10-16 12:38 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2009-01-09 22:55 . 2008-10-16 12:38 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2009-01-09 22:55 . 2008-10-16 12:38 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-09 22:55 . 2008-10-16 05:11 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2009-01-09 22:51 . 2007-08-13 18:54 33,792 --a--c--- c:\windows\system32\dllcache\custsat.dll
2009-01-09 19:53 . 2009-01-09 19:52 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-09 19:52 . 2009-01-09 19:52 <DIR> d-------- c:\program files\Java
2009-01-09 19:32 . 2009-01-09 19:45 <DIR> d-------- c:\documents and settings\Andrew\.SunDownloadManager
2009-01-08 17:47 . 2009-01-08 17:47 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-08 17:47 . 2009-01-08 17:47 <DIR> d-------- c:\documents and settings\Andrew\Application Data\Malwarebytes
2009-01-08 17:47 . 2009-01-08 17:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-08 17:47 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-08 17:47 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-08 14:48 . 2009-01-08 14:48 <DIR> d-------- c:\program files\Trend Micro
2009-01-08 09:34 . 2009-01-08 09:34 <DIR> d-------- c:\program files\XoftSpySE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-12 08:16 --------- d-----w c:\documents and settings\Andrew\Application Data\.purple
2009-01-10 21:29 --------- d-----w c:\documents and settings\Andrew\Application Data\gtk-2.0
.

((((((((((((((((((((((((((((( snapshot@2009-01-12_13.41.58.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-13 02:38:32 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_49c.dat
+ 2009-01-13 02:38:42 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_718.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"NetZero_uoltray"="c:\program files\NetZero\exec.exe" [2007-10-15 1636864]
"Aim6"="c:\program files\AIM6\aim6.exe" [2006-11-07 50736]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 4670968]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-04-27 7573504]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-04-27 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-09 136600]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"nwiz"="nwiz.exe" [2006-04-27 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2007-06-23 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXOiJDs]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-10 111184]
R3 pnicII;Linksys Fast Ethernet PCI Card;c:\windows\system32\drivers\LNE100.SYS [2000-02-10 20573]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-10 20560]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
.
Contents of the 'Scheduled Tasks' folder

2009-01-13 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-01-07 07:47]
.
- - - - ORPHANS REMOVED - - - -

BHO-{12A56145-AF5E-450D-BD00-9EF8AED62324} - (no file)
BHO-{7C7F0A88-E7D3-4D1B-BDD0-D98F6499CD82} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
TCP: {A16447C3-1E1E-462E-9A78-AE0FFB4A023B} = 4.2.2.2,4.2.2.1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-12 18:40:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\rundll32.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\windows\system32\devldr32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-12 18:42:25 - machine was rebooted [Andrew]
ComboFix-quarantined-files.txt 2009-01-13 02:42:21
ComboFix2.txt 2009-01-12 21:43:03
ComboFix3.txt 2009-01-10 01:02:12

Pre-Run: 62,165,159,936 bytes free
Post-Run: 62,151,802,880 bytes free

281 --- E O F --- 2009-01-12 19:53:20


Here is the Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, January 12, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, January 13, 2009 00:46:34
Records in database: 1611059
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 50953
Threat name: 3
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 01:12:45


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\cbXRjGVl.dll.vir Infected: Trojan.Win32.Monderb.adqt 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ohfajk.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.gbc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\taoyvsfp.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.gbc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\xxyawwVN.dll.vir Infected: Trojan.Win32.Monderb.adwc 1

The selected area was scanned.
  • 0

#35
Transience

    Unofficial Music Guru

  • Retired Staff
  • 2,448 posts
The files that Kaspersky found are files that were already in quarantine, no issues there. There is one last entry that needs to be removed that showed up in the CF log and then you're clean :). So if you would, hopefully for the last time:

1. Run a ComboFix script
  • Copy the entire contents of the code box below to notepad (Start > Programs > Accessories > Notepad).
  • Click on File > Save and name the file CFScript.txt. This name is important and must not be changed.
  • Change the Save as Type to All Files.
  • Save it directly on your desktop.
KillAll::

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXOiJDs]

SysRst::
Note: If you are not the topic starter, DO NOT download or run this script as it could cause irreversible damage to your computer.

Please note that the same procedure applies to running ComboFix this time as before - disable your protection programs beforehand, close all other programs, don't interrupt it for any reason etc.

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe. This will cause ComboFix to start again. Allow it to complete running, following any prompts. Once the program has completed, the log should appear automatically; if it doesn't, it can be found at C:\ComboFix.txt. Please post the contents of that log in your next reply.

It occurs to me that another scan which checks nicely for file infectors might give me a clue what caused those entries to come back on you as well as assure us that you're completely clean:

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
So if you could post the Dr.Web log and the CF log in your next reply that would be great :).

Cheers,
Dave
  • 0
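The entry being removed above is a Winlogon\Notify package with a random-looking name that ComboFix listed in its "Reg Loading Points" section. A defender-side way to triage that section is to parse it and flag any Notify package that is not one of the stock Windows XP defaults. The script below is an added example, not part of this thread and not ComboFix's own code; the allowlist of default package names is an assumption from a stock XP install, and the log excerpt is constructed from the entries shown in the thread (with one legitimate package added to exercise the allowlist). The suggested removal line uses the same CFScript Registry:: syntax the thread uses.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log for Winlogon
Notify packages that are not stock Windows XP components.

Added example for this thread; not ComboFix code.  The KNOWN_NOTIFY set is an
assumption (default Notify subkeys on a stock XP install) and SAMPLE_LOG is a
constructed excerpt modelled on the log posted above."""
import re
from typing import Dict, List

# Assumption: Winlogon\Notify subkeys present on a stock Windows XP system.
# ComboFix already hides "legit default entries", so anything it does show
# under winlogon\notify deserves a look; the allowlist is a second safety net.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Constructed sample: the suspicious key from the thread plus one legitimate
# package so the allowlist is exercised.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXOiJDs]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain]
"DllName"="crypt32.dll" [2008-04-13 599040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-10 111184]
"""

KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")                      # [HKEY_...\...]
NOTIFY_RE = re.compile(r"winlogon\\notify\\([^\\]+)$", re.IGNORECASE)


def parse_reg_loading_points(text: str) -> Dict[str, List[str]]:
    """Return {registry key: [value lines]} for everything after REGEDIT4.

    Only lines that look like registry values ("Name"=...) or ComboFix markers
    ([BU]) are kept; service lines such as 'R1 aswSP;...' are ignored."""
    sections: Dict[str, List[str]] = {}
    current = None
    started = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("REGEDIT4"):
            started = True
            continue
        if not started or not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None and line[0] in '"[':
            sections[current].append(line)
    return sections


def find_suspicious_notify(sections: Dict[str, List[str]]) -> List[dict]:
    """Flag Winlogon\\Notify subkeys whose name is not in the allowlist."""
    findings = []
    for key, values in sections.items():
        m = NOTIFY_RE.search(key)
        if not m:
            continue
        subkey = m.group(1)
        if subkey.lower() in KNOWN_NOTIFY:
            continue
        reason = "not a stock XP Winlogon notify package"
        if not any(v.lower().startswith('"dllname"') for v in values):
            reason += "; no DllName value listed for it"
        findings.append({"key": key, "subkey": subkey, "reason": reason})
    return findings


def cfscript_for(findings: List[dict]) -> str:
    """Render the flagged keys as a CFScript Registry:: block, the same
    '[-KEY]' deletion syntax used in the thread."""
    return "\n".join(["Registry::"] + [f"[-{f['key']}]" for f in findings])


if __name__ == "__main__":
    hits = find_suspicious_notify(parse_reg_loading_points(SAMPLE_LOG))
    for h in hits:
        print(f"{h['subkey']}: {h['reason']}")
    print(cfscript_for(hits))
```

Run against a real ComboFix.txt by reading the file into `parse_reg_loading_points` instead of `SAMPLE_LOG`; a hit only means the package is not a known default, so confirm it against the rest of the log (file present or not, creation date, quarantine results) before removing anything.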

#36
Katie_Harlow87

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Here are the logs, however, I don't know if I did the Dr Web thing right... Was I supposed to do something after it scanned? Such as curing things? Also, Spybot asked if I wanted to block the CF log again after I enabled it after the Dr Web scan...



ComboFix 09-01-13.04 - Andrew 2009-01-14 11:36:52.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.725 [GMT -8:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Andrew\Desktop\CFScript.txt.txt
AV: avast! antivirus 4.8.1296 [VPS 090114-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-14 to 2009-01-14 )))))))))))))))))))))))))))))))
.

2009-01-10 12:12 . 2009-01-10 12:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg7
2009-01-09 23:26 . 2009-01-09 23:26 <DIR> d-------- c:\windows\system32\scripting
2009-01-09 23:26 . 2009-01-09 23:26 <DIR> d-------- c:\windows\system32\en
2009-01-09 23:26 . 2009-01-09 23:26 <DIR> d-------- c:\windows\l2schemas
2009-01-09 22:55 . 2008-10-16 12:38 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2009-01-09 22:55 . 2007-04-17 01:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2009-01-09 22:55 . 2007-03-07 21:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2009-01-09 22:55 . 2008-10-16 12:38 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2009-01-09 22:55 . 2008-10-16 12:38 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2009-01-09 22:55 . 2008-10-16 12:38 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2009-01-09 22:55 . 2008-10-16 12:38 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2009-01-09 22:55 . 2008-10-16 12:38 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-09 22:55 . 2008-10-16 05:11 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2009-01-09 22:51 . 2007-08-13 18:54 33,792 --a--c--- c:\windows\system32\dllcache\custsat.dll
2009-01-09 19:53 . 2009-01-09 19:52 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-09 19:52 . 2009-01-09 19:52 <DIR> d-------- c:\program files\Java
2009-01-09 19:32 . 2009-01-09 19:45 <DIR> d-------- c:\documents and settings\Andrew\.SunDownloadManager
2009-01-08 17:47 . 2009-01-08 17:47 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-08 17:47 . 2009-01-08 17:47 <DIR> d-------- c:\documents and settings\Andrew\Application Data\Malwarebytes
2009-01-08 17:47 . 2009-01-08 17:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-08 17:47 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-08 17:47 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-08 14:48 . 2009-01-08 14:48 <DIR> d-------- c:\program files\Trend Micro
2009-01-08 09:34 . 2009-01-08 09:34 <DIR> d-------- c:\program files\XoftSpySE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-14 06:28 --------- d-----w c:\documents and settings\Andrew\Application Data\.purple
2009-01-10 21:29 --------- d-----w c:\documents and settings\Andrew\Application Data\gtk-2.0
.

((((((((((((((((((((((((((((( snapshot@2009-01-12_13.41.58.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-14 19:48:20 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_49c.dat
- 2009-01-12 20:13:10 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_710.dat
+ 2009-01-14 19:48:30 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_710.dat
.
((((((((((((((((((((((((((((((((((((((( System Restore )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\9afedb290d5fd574c253e2\admparse.dll
2007-08-13 18:39 71680 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146203.dll

c:\9afedb290d5fd574c253e2\advpack.dll
2007-08-13 18:39 123904 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146204.dll

c:\9afedb290d5fd574c253e2\browseui.dll
2006-09-23 13:12 1022976 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146205.dll

c:\9afedb290d5fd574c253e2\corpol.dll
2007-08-13 18:42 17408 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146206.dll

c:\9afedb290d5fd574c253e2\custsat.dll
2007-08-13 18:54 33792 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146207.dll

c:\9afedb290d5fd574c253e2\dxtmsft.dll
2007-08-13 18:35 346624 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146208.dll

c:\9afedb290d5fd574c253e2\dxtrans.dll
2007-08-13 18:35 214528 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146209.dll

c:\9afedb290d5fd574c253e2\extmgr.dll
2007-08-13 18:54 131584 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146210.dll

c:\9afedb290d5fd574c253e2\hmmapi.dll
2007-08-13 18:18 60416 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146211.dll

c:\9afedb290d5fd574c253e2\icardie.dll
2007-08-13 18:36 61952 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146212.dll

c:\9afedb290d5fd574c253e2\ie4uinit.exe
2007-08-13 18:39 54784 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146214.exe

c:\9afedb290d5fd574c253e2\ieakeng.dll
2007-08-13 18:39 152064 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146215.dll

c:\9afedb290d5fd574c253e2\ieaksie.dll
2007-08-13 18:39 229376 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146216.dll

c:\9afedb290d5fd574c253e2\ieakui.dll
2007-08-13 17:56 161792 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146217.dll

c:\9afedb290d5fd574c253e2\ieapfltr.dll
2007-07-11 12:27 383488 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146218.dll

c:\9afedb290d5fd574c253e2\iedkcs32.dll
2007-08-13 18:39 382976 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146219.dll

c:\9afedb290d5fd574c253e2\iedw.exe
2007-08-13 18:44 69120 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146220.exe

c:\9afedb290d5fd574c253e2\ieencode.dll
2007-08-13 18:45 78336 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146221.dll

c:\9afedb290d5fd574c253e2\ieframe.dll
2007-08-13 18:54 6049280 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146222.dll

c:\9afedb290d5fd574c253e2\iepeers.dll
2007-08-13 18:54 191488 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146223.dll

c:\9afedb290d5fd574c253e2\ieproxy.dll
2007-08-13 18:54 287744 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146224.dll

c:\9afedb290d5fd574c253e2\iernonce.dll
2007-08-13 18:39 43008 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146225.dll

c:\9afedb290d5fd574c253e2\iertutil.dll
2007-08-13 18:34 266752 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146226.dll

c:\9afedb290d5fd574c253e2\iesetup.dll
2007-08-13 18:39 55296 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146227.dll

c:\9afedb290d5fd574c253e2\ieudinit.exe
2007-08-13 18:39 13312 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146228.exe

c:\9afedb290d5fd574c253e2\ieui.dll
2007-08-13 18:54 180736 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146229.dll

c:\9afedb290d5fd574c253e2\iexplore.exe
2007-08-13 18:43 622080 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146231.exe

c:\9afedb290d5fd574c253e2\imgutil.dll
2007-08-13 18:36 36352 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146232.dll

c:\9afedb290d5fd574c253e2\inseng.dll
2007-08-13 18:39 92672 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146234.dll

c:\9afedb290d5fd574c253e2\jscript.dll
2007-08-13 18:38 491520 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146236.dll

c:\9afedb290d5fd574c253e2\jsproxy.dll
2007-08-13 18:54 27136 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146237.dll

c:\9afedb290d5fd574c253e2\licmgr10.dll
2007-08-13 18:44 40960 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146238.dll

c:\9afedb290d5fd574c253e2\msfeeds.dll
2007-08-13 18:54 458752 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146239.dll

c:\9afedb290d5fd574c253e2\msfeedsbs.dll
2007-08-13 18:54 50688 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146241.dll

c:\9afedb290d5fd574c253e2\msfeedssync.exe
2007-08-13 18:36 12288 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146243.exe

c:\9afedb290d5fd574c253e2\mshta.exe
2007-08-13 18:32 45568 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146244.exe

c:\9afedb290d5fd574c253e2\mshtml.dll
2007-08-13 18:54 3578368 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146245.dll

c:\9afedb290d5fd574c253e2\mshtmled.dll
2007-08-13 18:54 475648 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146247.dll

c:\9afedb290d5fd574c253e2\mshtmler.dll
2007-08-13 18:01 48128 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146248.dll

c:\9afedb290d5fd574c253e2\msls31.dll
2007-08-13 18:54 156160 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146249.dll

c:\9afedb290d5fd574c253e2\msrating.dll
2007-08-13 18:44 192000 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146250.dll

c:\9afedb290d5fd574c253e2\mstime.dll
2007-08-13 18:54 670720 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146251.dll

c:\9afedb290d5fd574c253e2\occache.dll
2007-08-13 18:44 101376 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146252.dll

c:\9afedb290d5fd574c253e2\pngfilt.dll
2007-08-13 18:36 44544 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146254.dll

c:\9afedb290d5fd574c253e2\shdocvw.dll
2006-09-23 13:12 1497088 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146255.dll

c:\9afedb290d5fd574c253e2\shlwapi.dll
2006-09-23 13:12 474112 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146256.dll

c:\9afedb290d5fd574c253e2\spmsg.dll
2006-09-06 17:43 14048 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146257.dll

c:\9afedb290d5fd574c253e2\spuninst.exe
2006-09-06 17:43 213216 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146258.exe

c:\9afedb290d5fd574c253e2\spupdsvc.exe
2006-09-06 17:43 22752 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146259.exe

c:\9afedb290d5fd574c253e2\update\idndl.exe
2006-09-06 17:42 589672 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146262.exe

c:\9afedb290d5fd574c253e2\update\iecustom.dll
2007-08-13 18:54 32960 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146264.dll

c:\9afedb290d5fd574c253e2\update\iereseticons.exe
2007-08-13 18:52 66048 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146265.exe

c:\9afedb290d5fd574c253e2\update\iesetup.exe
2007-08-13 18:54 1084096 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146266.exe

c:\9afedb290d5fd574c253e2\update\legitlibm.dll
2007-02-12 16:10 635696 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146267.dll

c:\9afedb290d5fd574c253e2\update\nlsdl.exe
2006-09-06 17:42 498016 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146268.exe

c:\9afedb290d5fd574c253e2\update\update.exe
2006-09-06 17:43 716000 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146269.exe

c:\9afedb290d5fd574c253e2\update\updspapi.dll
2006-09-06 17:43 371424 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146273.dll

c:\9afedb290d5fd574c253e2\update\xmllitesetup.exe
2006-09-06 17:43 536888 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146274.exe

c:\9afedb290d5fd574c253e2\url.dll
2007-08-13 18:44 105984 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146275.dll

c:\9afedb290d5fd574c253e2\urlmon.dll
2007-08-13 18:54 1162240 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146276.dll

c:\9afedb290d5fd574c253e2\vbscript.dll
2007-08-13 18:54 413696 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146277.dll

c:\9afedb290d5fd574c253e2\vgx.dll
2007-08-13 18:54 765952 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146278.dll

c:\9afedb290d5fd574c253e2\webcheck.dll
2007-08-13 18:54 231424 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146279.dll

c:\9afedb290d5fd574c253e2\winfxdocobj.exe
2007-08-13 18:45 206336 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146281.exe

c:\9afedb290d5fd574c253e2\wininet.dll
2007-08-13 18:54 818688 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146282.dll

2009-01-14 11:30 1458 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegBHO-Global.reg
2009-01-12 00:16 1458 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146067.reg
2009-01-13 00:17 1595 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148567.reg

2009-01-14 11:30 8424 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegDPF-Global.reg
2009-01-12 00:16 8424 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146066.reg
2009-01-13 00:17 8424 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148605.reg

2009-01-14 11:30 60 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegDummy-Andrew.reg
2009-01-12 00:16 60 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146078.reg
2009-01-13 00:17 60 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148615.reg

2009-01-14 11:30 77 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegExtBat-Global.reg
2009-01-12 00:16 77 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146051.reg
2009-01-13 00:17 77 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148590.reg

2009-01-14 11:30 77 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegExtCmd-Global.reg
2009-01-12 00:16 77 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146045.reg
2009-01-13 00:17 77 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148584.reg

2009-01-14 11:30 77 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegExtCom-Global.reg
2009-01-12 00:16 77 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146050.reg
2009-01-13 00:17 77 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148589.reg

2009-01-14 11:30 77 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegExtExe-Global.reg
2009-01-12 00:16 77 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146049.reg
2009-01-13 00:17 77 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148588.reg

2009-01-14 11:30 77 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegExtPif-Global.reg
2009-01-12 00:16 77 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146048.reg
2009-01-13 00:17 77 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148587.reg

2009-01-14 11:30 86 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegExtReg-Global.reg
2009-01-12 00:16 86 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146046.reg
2009-01-13 00:17 86 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148585.reg

2009-01-14 11:30 77 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegExtScr-Global.reg
2009-01-12 00:16 77 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146047.reg
2009-01-13 00:17 77 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148586.reg

2009-01-14 11:30 81 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGBME-Global.reg
2009-01-12 00:16 81 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146062.reg
2009-01-13 00:17 81 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148601.reg

2009-01-14 11:30 116 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGBP1-Global.reg
2009-01-12 00:16 116 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146056.reg
2009-01-13 00:17 116 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148595.reg

2009-01-14 11:30 352 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGBP2a-Global.reg
2009-01-12 00:16 329 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146055.reg
2009-01-13 00:17 352 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148594.reg

2009-01-14 11:30 441 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGBP2b-Global.reg
2009-01-12 00:16 461 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146054.reg
2009-01-13 00:17 441 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148593.reg

2009-01-14 11:30 277 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGBP3-Global.reg
2009-01-12 00:16 277 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146053.reg
2009-01-13 00:17 277 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148592.reg

2009-01-14 11:30 116 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGBP4-Global.reg
2009-01-12 00:16 116 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146052.reg
2009-01-13 00:17 116 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148591.reg

2009-01-14 11:30 179 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGBTB1-Global.reg
2009-01-12 00:16 179 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146068.reg
2009-01-13 00:17 179 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148606.reg

2009-01-14 11:30 240 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGBTB2-Global.reg
2009-01-12 00:16 240 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146064.reg
2009-01-13 00:17 240 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148603.reg

2009-01-14 11:30 114 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGCP-Global.reg
2009-01-12 00:16 114 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146043.reg
2009-01-13 00:17 114 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148582.reg

2009-01-14 11:30 88 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGIESH-Global.reg
2009-01-12 00:16 88 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146031.reg
2009-01-13 00:17 88 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148570.reg

2009-01-14 11:30 244 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGNTCVW-Global.reg
2009-01-12 00:16 244 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146041.reg
2009-01-13 00:17 244 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148580.reg

2009-01-14 11:30 337 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGNTCVWL-Global.reg
2009-01-12 00:16 337 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146039.reg
2009-01-13 00:17 337 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148578.reg

2009-01-14 11:30 957 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGS1-Global.reg
2009-01-12 00:16 957 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146073.reg
2009-01-13 00:17 957 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148611.reg

2009-01-14 11:30 205 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGS1SM-Global.reg
2009-01-12 00:16 205 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146036.reg
2009-01-13 00:17 205 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148575.reg

2009-01-14 11:30 86 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGS2-Global.reg
2009-01-12 13:08 86 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146072.reg
2009-01-13 00:17 86 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148610.reg

2009-01-14 11:30 205 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGS2SM-Global.reg
2009-01-12 00:16 205 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146035.reg
2009-01-13 00:17 205 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148574.reg

2009-01-14 11:30 90 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGS3-Global.reg
2009-01-12 00:16 90 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146071.reg
2009-01-13 00:17 90 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148609.reg

2009-01-14 11:30 180 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGS3SM-Global.reg
2009-01-12 00:16 180 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146034.reg
2009-01-13 00:17 180 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148573.reg

2009-01-14 11:30 94 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGS4-Global.reg
2009-01-12 00:16 94 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146070.reg
2009-01-13 00:17 94 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148608.reg

2009-01-14 11:30 14017 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGSS-Global.reg
2009-01-12 00:16 14017 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146027.reg
2009-01-13 00:17 14017 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148568.reg

2009-01-14 11:30 323 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGSSODL-Global.reg
2009-01-12 00:16 323 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146037.reg
2009-01-13 00:17 323 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148576.reg

2009-01-14 11:30 3765 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGWLN-Global.reg
2009-01-12 00:16 3879 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146030.reg
2009-01-13 00:17 3765 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148569.reg

2009-01-14 11:30 717 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUBME-Andrew.reg
2009-01-12 00:16 717 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146063.reg
2009-01-13 00:17 717 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148602.reg

2009-01-14 11:30 115 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUBP1-Andrew.reg
2009-01-12 00:16 115 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146061.reg
2009-01-13 00:17 115 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148600.reg

2009-01-14 11:30 290 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUBP2a-Andrew.reg
2009-01-12 00:16 260 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146060.reg
2009-01-13 00:17 290 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148599.reg

2009-01-14 11:30 406 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUBP2b-Andrew.reg
2009-01-12 00:16 406 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146059.reg
2009-01-13 00:17 406 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148598.reg

2009-01-14 11:30 177 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUBP3-Andrew.reg
2009-01-12 00:16 177 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146058.reg
2009-01-13 00:17 177 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148597.reg

2009-01-14 11:30 160 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUBP4-Andrew.reg
2009-01-12 00:16 160 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146057.reg
2009-01-13 00:17 160 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148596.reg

2009-01-14 11:30 5912 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUBTB1-Andrew.reg
2009-01-12 00:16 5912 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146069.reg
2009-01-13 00:17 5912 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148607.reg

2009-01-14 11:30 671 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUBTB2-Andrew.reg
2009-01-12 00:16 671 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146065.reg
2009-01-13 00:17 671 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148604.reg

2009-01-14 11:30 113 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUCP-Andrew.reg
2009-01-12 00:16 113 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146044.reg
2009-01-13 00:17 113 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148583.reg

2009-01-14 11:30 136 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUDesk-Andrew.reg
2009-01-12 00:16 136 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146033.reg
2009-01-13 00:17 136 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148572.reg

2009-01-14 11:30 222 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUIESH-Andrew.reg
2009-01-12 00:16 222 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146032.reg
2009-01-13 00:17 222 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148571.reg

2009-01-14 11:30 235 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUNTCVW-Andrew.reg
2009-01-12 00:16 235 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146042.reg
2009-01-13 00:17 235 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148581.reg

2009-01-14 11:30 390 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUNTCVWL-Andrew.reg
2009-01-12 00:16 390 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146040.reg
2009-01-13 00:17 390 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148579.reg

2009-01-14 11:30 380 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUS1-Andrew.reg
2009-01-12 12:13 462 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146077.reg
2009-01-13 19:15 462 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148559.reg

2009-01-14 11:30 85 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUS2-Andrew.reg
2009-01-12 00:16 85 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146076.reg
2009-01-13 00:17 85 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148614.reg

2009-01-14 11:30 89 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUS3-Andrew.reg
2009-01-12 00:16 89 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146075.reg
2009-01-13 00:17 89 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148613.reg

2009-01-14 11:30 93 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUS4-Andrew.reg
2009-01-12 00:16 93 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146074.reg
2009-01-13 00:17 93 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148612.reg

2009-01-14 11:30 105 c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUSSODL-Andrew.reg
2009-01-12 00:16 105 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146038.reg
2009-01-13 00:17 105 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901\A0148577.reg

c:\documents and settings\Andrew\Desktop\avg75free_516a1225.exe
2008-02-11 14:11 31768752 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897\A0146023.exe

2009-01-14 11:48 245800 c:\program files\Alwil Software\Avast4\DATA\aswar0.dll
2009-01-12 12:12 237560 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146289.dll
2009-01-14 11:24 245800 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP902\A0148665.dll

2009-01-14 11:48 391216 c:\program files\Alwil Software\Avast4\DATA\clnr0.dll
2009-01-12 12:12 391216 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146290.dll
2009-01-14 11:24 391216 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP902\A0148666.dll

2009-01-14 11:48 9080 c:\program files\Alwil Software\Avast4\DATA\exts0.dll
2009-01-12 12:12 9080 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899\A0146291.dll
2009-01-14 11:24 9080 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP902\A0148667.dll

2008-11-26 09:15 97480 c:\windows\system32\AvastSS.scr
2008-11-26 09:15 97480 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP898\A0146192.scr
2008-11-26 09:15 97480 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP902\A0148680.scr

c:\windows\system32\cbXRjGVl.dll
2009-01-10 15:03 52224 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP898\A0146085.dll

c:\windows\system32\ohfajk.dll
2009-01-12 02:25 124928 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP898\A0146086.dll

c:\windows\system32\taoyvsfp.dll
2009-01-12 02:25 124928 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP898\A0146087.dll

c:\windows\system32\xxyawwVN.dll
2009-01-10 15:09 46592 {4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP898\A0146088.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"NetZero_uoltray"="c:\program files\NetZero\exec.exe" [2007-10-15 1636864]
"Aim6"="c:\program files\AIM6\aim6.exe" [2006-11-07 50736]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 4670968]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-04-27 7573504]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-04-27 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-09 136600]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"nwiz"="nwiz.exe" [2006-04-27 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2007-06-23 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-10 111184]
R3 pnicII;Linksys Fast Ethernet PCI Card;c:\windows\system32\drivers\LNE100.SYS [2000-02-10 20573]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-10 20560]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
.
Contents of the 'Scheduled Tasks' folder

2009-01-14 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-01-07 07:47]
.
- - - - ORPHANS REMOVED - - - -

BHO-{12A56145-AF5E-450D-BD00-9EF8AED62324} - (no file)
BHO-{7C7F0A88-E7D3-4D1B-BDD0-D98F6499CD82} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
TCP: {A16447C3-1E1E-462E-9A78-AE0FFB4A023B} = 4.2.2.2,4.2.2.1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-14 11:49:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\rundll32.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\windows\system32\devldr32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-14 11:51:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-14 19:51:14
ComboFix2.txt 2009-01-13 02:42:26
ComboFix3.txt 2009-01-12 21:43:03
ComboFix4.txt 2009-01-10 01:02:12

Pre-Run: 61,919,154,176 bytes free
Post-Run: 62,123,466,752 bytes free

442 --- E O F --- 2009-01-12 19:53:20



Here is the next log:

36594438.FIL;C:\$VAULT$.AVG;Probably Trojan.Packed.196;;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Probably BACKDOOR.Trojan;;
ocpinst.exe\data529;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\ocpinst.exe;Probably BACKDOOR.Trojan;;
ocpinst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Archive contains infected objects;Moved.;
RegUBP2b-Andrew.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
aolsetup.exe;C:\Program Files\AIM6\services\softwareUpdate\ver2_13_13_7;Probably BACKDOOR.Trojan;;
cbXRjGVl.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod.1596;Deleted.;
ohfajk.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Probably Trojan.Packed.213;;
taoyvsfp.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Probably Trojan.Packed.213;;
xxyawwVN.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Probably Trojan.Packed.213;;
A0146059.reg;C:\System Volume Information\_restore{4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP897;Trojan.StartPage.1505;Deleted.;
A0146085.dll;C:\System Volume Information\_restore{4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP898;Trojan.Virtumod.1596;Deleted.;
A0146086.dll;C:\System Volume Information\_restore{4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP898;Probably Trojan.Packed.213;;
A0146087.dll;C:\System Volume Information\_restore{4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP898;Probably Trojan.Packed.213;;
A0146088.dll;C:\System Volume Information\_restore{4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP898;Probably Trojan.Packed.213;;
A0146091.bat;C:\System Volume Information\_restore{4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP898;Probably BATCH.Virus;;
A0146162.reg;C:\System Volume Information\_restore{4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP898;Trojan.StartPage.1505;Deleted.;
A0146299.bat;C:\System Volume Information\_restore{4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP899;Probably BATCH.Virus;;
A0147353.EXE;C:\System Volume Information\_restore{4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP900;Program.PsExec.170;;
A0147368.bat;C:\System Volume Information\_restore{4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP900;Probably BATCH.Virus;;
A0147377.EXE;C:\System Volume Information\_restore{4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP900;Program.PsExec.170;;
A0147469.reg;C:\System Volume Information\_restore{4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP900;Trojan.StartPage.1505;Deleted.;
A0148598.reg;C:\System Volume Information\_restore{4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901;Trojan.StartPage.1505;Deleted.;
A0148621.bat;C:\System Volume Information\_restore{4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP901;Probably BATCH.Virus;;
A0148675.bat;C:\System Volume Information\_restore{4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP902;Probably BATCH.Virus;;
A0148684.EXE;C:\System Volume Information\_restore{4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP902;Program.PsExec.170;;
A0148722.exe\data529;C:\System Volume Information\_restore{4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP902\A0148722.exe;Probably BACKDOOR.Trojan;;
A0148722.exe;C:\System Volume Information\_restore{4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP902;Archive contains infected objects;Moved.;
A0148723.reg;C:\System Volume Information\_restore{4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\RP902;Trojan.StartPage.1505;Deleted.;
  • 0
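A small triage helper for the semicolon-separated scanner log posted above, added here as an example (it is not the poster's or the scanner's own code). The field layout object;location;verdict;action is assumed from the lines shown; the sample below is constructed from a few of those lines. It separates live-system hits from hits in the Qoobox quarantine and in restore points, and lists the verdicts the scanner reported without taking an action.

```python
import re
from collections import Counter

# Constructed sample in the same layout as the posted log: object;location;verdict;action;
# (assumed field meaning). The action field is empty when the scanner only reported the object.
SAMPLE_LOG = """\
36594438.FIL;C:\\$VAULT$.AVG;Probably Trojan.Packed.196;;
RegUBP2b-Andrew.reg;C:\\Documents and Settings\\All Users\\Application Data\\Spybot - Search & Destroy\\Snapshots2;Trojan.StartPage.1505;Deleted.;
cbXRjGVl.dll.vir;C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32;Trojan.Virtumod.1596;Deleted.;
ohfajk.dll.vir;C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32;Probably Trojan.Packed.213;;
A0146085.dll;C:\\System Volume Information\\_restore{4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\\RP898;Trojan.Virtumod.1596;Deleted.;
A0146086.dll;C:\\System Volume Information\\_restore{4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\\RP898;Probably Trojan.Packed.213;;
A0147353.EXE;C:\\System Volume Information\\_restore{4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\\RP900;Program.PsExec.170;;
A0148722.exe\\data529;C:\\System Volume Information\\_restore{4733C595-D74F-4A8C-B2C1-B89BAE2468BE}\\RP902\\A0148722.exe;Probably BACKDOOR.Trojan;;
"""

# Restore-point copies live under System Volume Information\_restore{GUID}\RPnnn
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-F-]+\}\\RP(\d+)", re.IGNORECASE)


def parse_line(line):
    """Split one log line into a dict; returns None for blank lines."""
    line = line.strip()
    if not line:
        return None
    parts = line.split(";")
    if len(parts) < 4:
        raise ValueError(f"unexpected field count: {line!r}")
    obj, location, verdict, action = parts[:4]
    return {
        "object": obj,
        "location": location,
        "verdict": verdict,
        "action": action.rstrip(".") or None,      # "" -> None: scanner only reported it
        "heuristic": verdict.startswith("Probably "),  # heuristic ("Probably ...") verdicts
    }


def classify(location):
    """Bucket a path: restore-point copy, Qoobox quarantine (ComboFix's), or the live system."""
    if RESTORE_RE.search(location):
        return "restore-point"
    if "\\Qoobox\\Quarantine\\" in location:
        return "quarantine"
    return "live"


def triage(log_text):
    """Return ({bucket: {'actioned': [...], 'unactioned': [...]}}, set of restore points hit)."""
    report = {b: {"actioned": [], "unactioned": []} for b in ("live", "quarantine", "restore-point")}
    restore_points = set()
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        bucket = classify(entry["location"])
        if bucket == "restore-point":
            restore_points.add(RESTORE_RE.search(entry["location"]).group(1))
        report[bucket]["actioned" if entry["action"] else "unactioned"].append(entry)
    return report, restore_points


def unactioned_verdicts(report):
    """Count the verdicts reported without an action, per bucket."""
    return {b: Counter(e["verdict"] for e in r["unactioned"]) for b, r in report.items()}


if __name__ == "__main__":
    report, rps = triage(SAMPLE_LOG)
    for bucket, groups in report.items():
        print(f"{bucket}: {len(groups['actioned'])} actioned, {len(groups['unactioned'])} left as-is")
    print("restore points containing detections:", sorted(rps))
    for bucket, counts in unactioned_verdicts(report).items():
        for verdict, n in counts.items():
            print(f"  [{bucket}] {verdict} x{n}")
```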

#37
Transience

    Unofficial Music Guru

  • Retired Staff
  • 2,448 posts
I have the news you've been waiting for: you're clean! :) Congratulations.

We have a couple last things to take care of and then you're good to go.

Uninstall ComboFix and its traces from your computer:
  • Click on Start > Run
  • Type Combofix /u in the run box and click Ok. Note the space between the x and the /u, it needs to be there.
    Posted Image
Over the course of the fix you've used a variety of special tools to help with the cleaning process - none of these are of any use to you now that you're clean, and it's best not to have them hanging around on your computer. OTCleanIt is a small program that removes all the leftover tools and logs from cleanup of malware.

Please download OTCleanIt! to your desktop.
  • Double-click OTCleanIt.exe to run it. (Vista users, please right click on OTCleanIt.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your firewall or other protection attempts to block OTCleanIt's attempts to reach the internet, please allow it to run.
  • Click Yes to begin the Cleanup process and remove the tools we used, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
  • After the reboot all the tools we used should be gone.

Now to get you off to a good start we will clean your system restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE
You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The system will do some calculation and then display a dialogue box with TABS
  • Select the More Options Tab.
  • At the bottom will be a System Restore box with a CLEANUP button; click this
  • Accept the warning and select OK again; the program will close and you are done.
Here are some tips to reduce the potential for malware infection in the future; I strongly recommend that you read them and take them to heart so that you don't have to endure the process of cleaning your computer again.

Make proper use of your antivirus and firewall
Antivirus and firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware, and if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features; make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

You should keep your antivirus and firewall guard enabled at all times; don't shut them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure nothing has slipped through your protection. Once a week works well for many people. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

Finally, for a great tutorial on how to get the best protection out of your firewall, visit this link.

Use a safer web browser
Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a couple of good free alternatives: Firefox and Opera. Both are excellent, faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial here, which will help you to make IE much safer.

If you decide to use the Firefox browser, a couple add-ons that will nicely help to enhance your security are:

McAfee SiteAdvisor: A great Firefox add-on that puts McAfee's database of tested sites at your fingertips so you can know whether or not that link you're about to click is safe.
NoScript: This add-on helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing.

Be careful
Having security programs installed is very helpful to you, but none of them have the gift of human thought. The best way to make sure you don't get infected is to exercise common sense. Be careful of what websites you visit - if a site looks suspicious, trust your instincts and get out of there. Be careful of what attachments you open in emails and files you download from websites - check them over carefully and look at the file extensions to make sure that you know what you're getting. Using peer-to-peer file sharing programs or downloading cracks and keygens is something else to avoid - the files you will be downloading are infected in a vast majority of cases, and the benefits simply aren't worth the risk to your computer.

Keep up on Windows updates
Along with keeping all of the security programs that you choose to use updated, it is also important to keep up on system updates from Microsoft, as these patch critical security vulnerabilities and help to keep you safe. Typically the Windows Update icon will appear in your taskbar when new updates are available; whenever you see it you should open the menu up and install the updates that are available. Although it may be an annoyance, that little bit of extra time it takes to stay updated is very well worth it instead of getting infected from an exploit and having to clean your PC again.

Slow computer?
If your computer begins to slow down again in the future for no particular reason, your first step should not be to come back to the malware forum. As your computer ages and is used, its parts wear, files and programs accumulate, and its performance can decrease. To restore your computer's performance to its best possible level, follow the steps in this page written by malware expert Miekiemoes.

And finally, see Tony Klein's good advice (recently rewritten by our own admin Kat) which reinforces and extends on some of the above concepts: So how did I get infected in the first place?

I'll leave this thread open for a couple days in case you come across any lingering problems that need fixing, then I'll close it up. If you need it reopened for any reason just shoot me a PM and I'll be happy to open it back up for you. It's been a pleasure working with you, now best of luck!

Cheers,
Dave :)
  • 0

#38
Transience

    Unofficial Music Guru

  • Retired Staff
  • 2,448 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0