
Thread: Help remove virus

  1. #1
    Member
    Join Date
    Oct 2006
    Posts
    42

    Help remove virus

    Please help remove my viruses. I am unable to open Spybot or AVG; I get a message saying it is not a valid Win32 application. Plus the computer will not start in safe mode.
    This is my HijackThis report.
    I also have the Kaspersky online scanner report if you need it, which found 3 viruses.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 09:08:43, on 20/01/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\TDK Systems\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\WINDOWS\system32\ps2.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
    C:\Program Files\Lexmark 2300 Series\ezprint.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\lxcgcoms.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\TDK Systems\Bluetooth Software\BTTray.exe
    C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-gb9.hpwis.com/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
    O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
    O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
    O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
    O8 - Extra context menu item: &Search - ?p=ZK
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\TDK Systems\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\TDK Systems\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\TDK Systems\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/...oUploader2.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1175883329937
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1175880326796
    O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/.../en/crlocx.ocx
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
    O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\TDK Systems\Bluetooth Software\bin\btwdins.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: lxcg_device - Unknown owner - C:\WINDOWS\System32\lxcgcoms.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 10917 bytes



    Scan process completed.

  2. #2
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi

    Download GMER and save it to your desktop:
    • Extract it to your desktop and double-click GMER.exe
    • Click the Rootkit tab and then Scan.
    • Don't check the Show All box while scanning is in progress!
    • When scanning is ready, click Copy.
    • This copies the log to the clipboard.
    • Post the log in your reply.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Member
    Join Date
    Oct 2006
    Posts
    42


    Thanks for your help so far. The report is too big to post; it is 132764 characters. What is the best way to post this?

  4. #4
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi

    You may for example upload it to http://rapidshare.com

  5. #5
    Member
    Join Date
    Oct 2006
    Posts
    42

  6. #6
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    1. Download this file - combofix.exe - to your desktop.
    2. Double-click combofix.exe and follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

  7. #7
    Member
    Join Date
    Oct 2006
    Posts
    42


    When I open ComboFix there are no prompts; it is just a blank blue window.

  8. #8
    Member
    Join Date
    Oct 2006
    Posts
    42


    Sorry, I have it running now.

  9. #9
    Member
    Join Date
    Oct 2006
    Posts
    42


    ComboFix 08-01-20.1 - Simon 2008-01-21 18:02:28.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.171 [GMT 0:00]
    Running from: C:\Documents and Settings\Simon\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Simon\Application Data\inst.exe
    C:\WINDOWS\system32\drivers\srosa.sys
    C:\WINDOWS\system32\u2g.f
    C:\WINDOWS\system32\winiconmon.ico
    C:\WINDOWS\system32\winiconmon.ico.bak0
    C:\WINDOWS\system32\winiconmon.ico.bak1
    C:\WINDOWS\system32\winiconmon.ico.bak2
    C:\WINDOWS\system32\wintems.exe
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_SROSA
    -------\srosa


    ((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
    .

    2008-01-21 18:00 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-21 16:36 . 2008-01-21 16:36 250 --a------ C:\WINDOWS\gmer.ini
    2008-01-20 13:48 . 2008-01-20 13:48 <DIR> d-------- C:\VundoFix Backups
    2008-01-19 09:09 . 2008-01-19 09:09 5,630 --a------ C:\WINDOWS\system32\tmp.reg
    2008-01-19 09:07 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-01-19 09:07 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-01-19 09:07 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-01-19 09:07 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-01-19 09:07 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-01-19 09:07 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-01-18 22:56 . 2008-01-18 15:51 602 --a------ C:\WINDOWS\system\hpsysdrv.dat.oth
    2008-01-18 22:52 . 2008-01-18 22:52 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-01-18 22:41 . 2008-01-18 22:41 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
    2008-01-18 22:41 . 2008-01-18 22:41 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
    2008-01-18 22:39 . 2008-01-18 22:39 <DIR> d-------- C:\Program Files\Kaspersky Lab
    2008-01-18 22:39 . 2008-01-18 22:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-01-18 22:39 . 2008-01-18 22:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
    2008-01-18 22:39 . 2008-01-21 18:14 342,048 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-01-18 22:39 . 2008-01-21 18:13 13,088 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2008-01-18 22:39 . 2008-01-21 18:13 5,060 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2008-01-18 22:39 . 2008-01-21 18:13 2,252 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
    2008-01-18 22:23 . 2008-01-18 22:23 <DIR> d-------- C:\Program Files\Trend Micro
    2008-01-18 20:44 . 2008-01-18 20:44 <DIR> d-------- C:\Program Files\Lavasoft
    2008-01-18 20:44 . 2008-01-18 20:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-01-18 20:43 . 2008-01-18 20:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-01-18 16:21 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2008-01-18 16:02 . 2008-01-18 16:02 <DIR> d--hs---- C:\Documents and Settings\All Users\DRM
    2008-01-18 16:00 . 2008-01-21 18:14 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
    2008-01-18 15:42 . 2008-01-18 15:42 <DIR> d-------- C:\Program Files\Enigma Software Group
    2008-01-18 15:15 . 2008-01-20 06:09 70,660 --a------ C:\WINDOWS\system32\mdelk.exe
    2008-01-18 15:14 . 2006-06-12 10:03 668,735 --------- C:\WINDOWS\system32\drivers\hldrrr.exe
    2008-01-18 15:13 . 2008-01-20 10:11 <DIR> d-------- C:\WINDOWS\system32\drivers\down
    2008-01-13 12:44 . 2008-01-13 14:47 <DIR> d-------- C:\PSP Movies
    2008-01-09 07:41 . 2008-01-09 07:41 <DIR> d-------- C:\Program Files\MSECache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-21 16:33 --------- d-----w C:\Documents and Settings\Simon\Application Data\Skype
    2008-01-18 22:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-01-18 22:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-01-18 19:47 --------- d-----w C:\Program Files\Google
    2008-01-18 18:50 47,360 ----a-w C:\Documents and Settings\Simon\Application Data\pcouffin.sys
    2008-01-18 18:50 --------- d-----w C:\Program Files\VSO
    2008-01-18 18:50 --------- d-----w C:\Documents and Settings\Simon\Application Data\Vso
    2008-01-17 18:33 --------- d-----w C:\Program Files\Lx_cats
    2008-01-02 17:49 125,824 ----a-w C:\Documents and Settings\Simon\Application Data\GDIPFONTCACHEV1.DAT
    2007-12-18 00:43 23,396 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
    2007-12-14 21:20 --------- d-----w C:\Program Files\iTunes
    2007-12-14 21:19 --------- d-----w C:\Program Files\iPod
    2007-12-14 21:18 --------- d-----w C:\Program Files\QuickTime
    2007-12-13 13:28 24,592 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
    2007-12-11 07:29 --------- d-----w C:\Program Files\Common Files\xing shared
    2007-12-11 07:29 --------- d-----w C:\Program Files\Common Files\Real
    2007-12-03 12:16 --------- d-----w C:\Program Files\PQDVD
    2007-11-28 22:11 --------- d---a-w C:\Program Files\Java
    2007-04-09 15:00 99,488 -c--a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
    2005-08-28 16:04 38,060,544 ----a-w C:\Program Files\cjB2300EN.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVIEW"="nview.dll" [2003-05-03 06:19 835654 C:\WINDOWS\system32\nview.dll]
    "BackupNotify"="c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe" [2006-06-12 10:03 668735]
    "msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56 15360]
    "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-31 16:40 22879528]
    "MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-07 07:33 8720384]
    "german.exe"="C:\WINDOWS\system32\wintems.exe" [ ]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-21 18:10 1460560]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:31 208952]
    "MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2003-01-21 06:59 59392]
    "PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2003-01-21 07:18 455168]
    "PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2003-01-21 07:18 455168]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 23:04 52736]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 14:07 114688]
    "CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 14:23 90112]
    "HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-06-14 06:53 49152]
    "HPHUPD05"="c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-23 10:03 49152]
    "HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 09:55 483328]
    "StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 15:01 155648]
    "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 04:42 212992]
    "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-05-03 06:19 4640768]
    "nwiz"="nwiz.exe" [2003-05-03 06:19 323584 C:\WINDOWS\system32\nwiz.exe]
    "VTTimer"="VTTimer.exe" [2003-05-08 07:32 36864 C:\WINDOWS\system32\VTTimer.exe]
    "PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 23:57 81920]
    "ATIModeChange"="Ati2mdxx.exe" [2001-09-04 12:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-19 20:10 335872]
    "Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-09 11:27 139264]
    "Reminder"="C:\Windows\Creator\Remind_XP.exe" [2003-06-18 01:13 118784]
    "LXCGCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-04-27 14:21 69632]
    "lxcgmon.exe"="C:\Program Files\Lexmark 2300 Series\lxcgmon.exe" [2005-05-05 03:24 200704]
    "EzPrint"="C:\Program Files\Lexmark 2300 Series\ezprint.exe" [2005-06-08 11:19 94208]
    "FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2005-05-03 18:20 299008]
    "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 12:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 07:56 110592 C:\WINDOWS\system32\bthprops.cpl]
    "Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-25 04:20 28672]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-11 07:28 185896]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
    "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-01-19 16:46 227856]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-07 07:33 8720384]

    C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
    AutoTBar.exe [2003-06-21 01:08:00 53248]
    mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 14:11:14 27136]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-09-17 19:42:55 113664]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
    BTTray.lnk - C:\Program Files\TDK Systems\Bluetooth Software\BTTray.exe [2003-11-17 09:25:16 503869]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
    NETGEAR WG111T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe [2007-07-13 15:42:52 483412]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)

    SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
    @="Driver Group"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
    @="DiskDrive"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
    @="Hdc"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
    @="Keyboard"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
    @="Mouse"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
    @="System"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
    @="Volume"

    R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\DNINDIS5.SYS [2003-07-24 12:10]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
    S3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\wg11tnd5.sys [2004-10-15 09:41]
    S3 ATHFMWDL;NETGEAR WG111T bootloader driver;C:\WINDOWS\system32\Drivers\ATHFMWDL.sys [2004-10-14 17:24]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    \Shell\AutoRun\command - F:\iPodSetup.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-01-18 17:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
    - C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
    "2008-01-02 18:38:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-21 18:14:41
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-21 18:18:59 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-21 18:18:56
    .
    2008-01-09 23:28:35 --- E O F ---

  10. #10
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi


    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    File::
    C:\WINDOWS\system32\mdelk.exe
    C:\WINDOWS\system32\drivers\hldrrr.exe
    
    Folder::
    C:\VundoFix Backups
    C:\WINDOWS\system32\drivers\down
    C:\Documents and Settings\Simon\Application Data\m
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "german.exe"=-
    "mule_st_key"=-
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AlcxMonitor"=-

    Save this as CFScript




    Referring to the picture above, drag CFScript into ComboFix.exe.
    Then post the resultant log and a fresh HJT log.


    ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
    If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
    If that happened we want to know, and also what process you had to end.
