
zlob, broken strangeness, etc.



thedeejay
2008-05-01, 19:39
Yeah. I ran Spybot and got rid of a lot, but that one entry is still around. I read some other threads and used something called ComboFix, and got a log from it before I signed up here. Here are my logs, please help?

ComboFix 08-04-29.5 - Administrator 2008-05-01 12:31:16.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1672 [GMT -4:00]
Running from: C:\Documents and Settings\All Users\Documents\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cssrss.exe
C:\WINDOWS\system32\ieupdates.exe
C:\WINDOWS\system32\kdlwz.exe
C:\WINDOWS\system32\update32.exe
C:\WINDOWS\system32\wscmp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2008-04-01 to 2008-05-01 )))))))))))))))))))))))))))))))
.

2008-05-01 12:24 . 2008-05-01 12:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-01 11:30 . 2008-05-01 11:30 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-01 11:30 . 2008-05-01 11:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-01 11:25 . 2008-05-01 11:25 <DIR> d-------- C:\Documents and Settings\Administrator.DEEJAY-QZ1AWZW8
2008-05-01 11:25 . 2008-05-01 12:32 1,024 --ah----- C:\Documents and Settings\Administrator.DEEJAY-QZ1AWZW8\ntuser.dat.LOG
2008-05-01 11:23 . 2008-05-01 11:23 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-01 11:23 . 2008-05-01 12:31 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-01 11:13 . 2008-05-01 11:13 204,800 --a------ C:\WINDOWS\system32\winsrc.dll.tmp
2008-05-01 11:09 . 2008-05-01 11:09 93,184 --a------ C:\WINDOWS\system32\win32dbg.exe
2008-05-01 11:08 . 2008-05-01 11:08 269,334 --a------ C:\WINDOWS\system32\ctfmonb.bmp
2008-05-01 11:08 . 2008-05-01 11:08 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-05-01 11:08 . 2008-05-01 11:08 46,080 --a------ C:\07mmui.exe
2008-05-01 11:08 . 2008-05-01 11:08 4,672 --a------ C:\WINDOWS\system32\iHEaWZ.syz
2008-04-29 22:22 . 2008-04-29 22:22 <DIR> d-------- C:\Documents and Settings\DJ\Application Data\Nexon
2008-04-29 22:17 . 2008-04-29 22:17 <DIR> d-------- C:\Nexon
2008-04-28 12:49 . 2008-04-28 12:49 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-04-25 12:25 . 2008-04-25 12:25 <DIR> d-------- C:\Program Files\Electronic Arts
2008-04-25 10:23 . 2008-04-25 10:24 <DIR> d-------- C:\Program Files\Tomb Raider - Anniversary Demo
2008-04-25 10:22 . 2008-04-25 10:22 <DIR> d-------- C:\Program Files\Microsoft Games
2008-04-20 18:43 . 2008-04-20 18:44 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-16 21:23 . 2008-04-20 15:37 <DIR> d-------- C:\Documents and Settings\DJ\Application Data\Bioshock
2008-04-16 21:23 . 2008-04-16 21:23 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-04-16 21:09 . 2008-04-16 21:09 <DIR> d-------- C:\Program Files\2K Games
2008-04-14 11:31 . 2008-04-14 11:31 <DIR> d-------- C:\Program Files\OGPlanet
2008-04-14 00:05 . 2008-04-14 00:05 <DIR> d-------- C:\Program Files\Xvid
2008-04-14 00:05 . 2007-06-28 18:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-04-14 00:05 . 2007-06-28 18:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-04-14 00:05 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2008-04-13 15:40 . 2008-04-13 15:40 324 --a------ C:\WINDOWS\game.ini
2008-04-13 15:37 . 2008-04-13 15:37 <DIR> d-------- C:\Program Files\Activision
2008-04-09 23:48 . 2008-04-30 21:14 <DIR> d-------- C:\Program Files\Essence RO
2008-04-06 02:21 . 2008-04-06 10:10 <DIR> d-------- C:\Program Files\Legacy Online
2008-04-05 10:32 . 2008-04-06 00:59 <DIR> d-------- C:\Documents and Settings\DJ\Application Data\Software Informer
2008-04-04 13:19 . 2008-04-30 20:49 <DIR> d-------- C:\Downloads
2008-04-04 13:18 . 2008-05-01 11:21 <DIR> d-------- C:\Documents and Settings\DJ\Application Data\Free Download Manager
2008-04-02 16:43 . 2008-04-02 16:43 <DIR> d-------- C:\Documents and Settings\DJ\Application Data\InstallShield Installation Information
2008-04-02 16:41 . 2008-04-02 16:41 <DIR> d-------- C:\Program Files\Unreal Tournament 3 Demo
2008-04-02 16:40 . 2008-04-02 16:40 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-04-02 16:40 . 2008-04-02 16:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-02 16:40 . 2008-04-02 16:40 <DIR> d-------- C:\Program Files\AGEIA Technologies

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-01 15:04 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-25 15:33 --------- d-----w C:\Documents and Settings\DJ\Application Data\IGN_DLM
2008-04-25 14:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-06 17:27 --------- d-----w C:\Program Files\Lineage II
2008-04-04 17:18 --------- d-----w C:\Program Files\Free Download Manager
2008-03-30 19:18 --------- d-----w C:\Documents and Settings\Homes\Application Data\LimeWire
2008-03-28 04:25 --------- d-----w C:\Program Files\LimeWire
2008-03-28 04:25 --------- d-----w C:\Program Files\Java
2008-03-28 04:24 --------- d-----w C:\Program Files\Common Files\Java
2008-03-27 09:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-03-27 09:41 --------- d-----w C:\Program Files\Yahoo!
2008-03-27 05:42 --------- d-----w C:\Program Files\Guild Wars
2008-03-26 17:50 --------- d-----w C:\Program Files\Trayconizer
2008-03-25 23:00 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-25 23:00 --------- d-----w C:\Program Files\Windows Live
2008-03-25 22:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-24 02:40 --------- d-----w C:\Program Files\Bethesda Softworks
2008-03-24 02:38 --------- d-----w C:\Program Files\IObit
2008-03-23 20:35 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-03-23 20:13 --------- d-----w C:\Documents and Settings\DJ\Application Data\InstallShield
2008-03-23 14:06 --------- d-----w C:\Program Files\Download Manager
2008-03-23 14:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\FreeDownloadManager.ORG
2008-03-23 04:18 --------- d-----w C:\Program Files\Realtek
2008-03-23 03:28 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-03-23 00:56 --------- d-----w C:\Program Files\directx
2008-03-22 20:34 --------- d-----w C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor
2008-03-22 20:34 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-22 20:22 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-03-22 19:58 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-12 19:23 36,640 ----a-w C:\WINDOWS\nvflash.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 17:57 1103480]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Fraps"="C:\FRAPS\FRAPS.EXE" [2008-01-14 08:53 913064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 15:49 16377344 C:\WINDOWS\RTHDCPL.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"WMDM PMSP Service"="C:\WINDOWS\system32\cssrss.exe" [ ]

C:\Documents and Settings\DJ\Start Menu\Programs\Startup\
Shortcut to 03-royksopp-49_percent-prs (2).lnk - C:\Documents and Settings\DJ\My Documents\My Music\03-royksopp-49_percent-prs.mp3 [2008-03-26 14:03:09 7761485]

C:\Documents and Settings\Homes\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-08 17:32:57 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Unreal Tournament 3 Demo\\Binaries\\UT3Demo.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis SP Demo\\Bin32\\Crysis.exe"=
"C:\\Program Files\\Free Download Manager\\fdm.exe"=
"F:\\From Home\\Games\\Age\\age2_x1.exe"=
"F:\\From Home\\Games\\Age\\empires2.EXE"=
"c:\\07mmui.exe"=

R2 NVR0FLASHDev;NVR0FLASHDev;C:\WINDOWS\nvflash.sys [2008-03-12 15:23]
R2 UpdateCenterService;Update Center Service;C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe [2008-03-12 15:26]
R2 WUSB54GSSVC;WUSB54GSSVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54GS.exe" []
R3 USB_RNDIS_XP;Linksys Wireless-G USB Network Adapter with SpeedBooster Driver;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 00:04]
S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780};{DEF85C80-216A-43ab-AF70-1665EDBE2780};C:\WINDOWS\TEMP\C.tmp []
S3 XDva134;XDva134;C:\WINDOWS\system32\XDva134.sys []

*Newly Created Service* - GTNDIS5
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-01 13:28:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{DEF85C80-216A-43ab-AF70-1665EDBE2780}]
"ImagePath"="\??\C:\WINDOWS\TEMP\C.tmp"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GS.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-01 13:30:07 - machine was rebooted [DJ]
ComboFix-quarantined-files.txt 2008-05-01 17:30:05

Pre-Run: 53,046,697,984 bytes free
Post-Run: 53,535,666,176 bytes free

168

______________

And here is the HijackThis log

______________


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:38, on 2008-05-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GS.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\FRAPS\FRAPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.affinityclan.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WMDM PMSP Service] C:\WINDOWS\system32\cssrss.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - Startup: Shortcut to 03-royksopp-49_percent-prs (2).lnk = C:\Documents and Settings\DJ\My Documents\My Music\03-royksopp-49_percent-prs.mp3
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206483690359
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{47524537-2542-4A94-AA4A-49BAA2B4CF8B}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC6BA300-53FE-49BB-8832-F05F55559B55}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB8EAACB-5D53-47BB-A546-F4C6905A2A32}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{D85C3AF4-168D-4246-BE68-E8DD67FDC182}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Update Center Service (UpdateCenterService) - NVIDIA - C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
O23 - Service: WUSB54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 6440 bytes


____________

Please help. I don't want strange explicit icons or blue backgrounds to come back.

pskelley
2008-05-02, 14:38
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You missed some instructions at the top of this forum.
Do NOT run 'fixes' before helpers have analyzed HJT/KAV scans
http://forums.spybot.info/showthread.php?t=16806

ComboFix is not a general purpose cleaning tool. Please do not use this tool without supervision.

You have/had a very nasty trojan, read about it:
http://www.castlecops.com/startuplist-14930.html
http://www.bleepingcomputer.com/startups/Driver-18254.html
http://www.sophos.com/security/analyses/viruses-and-spyware/trojknockita.html

You also have evidence, the O17 items in the HJT log, that you were or still are hacked by Ukrainians.
It looks like combofix removed some of the infections but I do not have enough information to be sure it removed it all. If you wish to find out, follow these directions.

Before we start, because of the trojan and out of concern for your safety, I believe you should view this information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

(if you prefer to reformat, just let me know)

1) Make sure you are viewing all files and folders:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
C:\Windows\System32\drivers\nso12k.sys <<< navigate to that file and delete it if there.

2) Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your Desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [WMDM PMSP Service] C:\WINDOWS\system32\cssrss.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{47524537-2542-4A94-AA4A-49BAA2B4CF8B}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC6BA300-53FE-49BB-8832-F05F55559B55}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB8EAACB-5D53-47BB-A546-F4C6905A2A32}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{D85C3AF4-168D-4246-BE68-E8DD67FDC182}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the report from Fixwareout, a new HJT log and some feedback from you. How is the computer running? Any malware issues?

Thanks

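The two manual checks behind the HJT fix list above, the O4 Run entry for cssrss.exe and the O17 NameServer entries, can be automated. The following is an added example written for this thread, not code from HijackThis, ComboFix or Fixwareout: it reads HJT-style O4 and O17 lines, flags autorun executables whose names are one or two characters off a real Windows process name (cssrss.exe against csrss.exe), flags genuine system process names running from anywhere but system32 and any executable started from a drive root or temp folder, and flags every NameServer address that is not on an allowlist. The sample log is constructed to mirror the lines posted in the thread, and 192.0.2.53 is an RFC 5737 documentation address used as a placeholder. The allowlist assumes the owner chose 208.67.220.220 and 208.67.222.222 deliberately; those are OpenDNS's public resolvers, and the log alone cannot tell who set them.

```python
"""Triage helper for HijackThis-style O4 (autorun) and O17 (DNS NameServer) lines.

Added example for this thread; it is not code from HijackThis, ComboFix or
Fixwareout.  SAMPLE_LOG is constructed to mirror the lines posted above, and
192.0.2.53 is an RFC 5737 documentation address standing in for an unknown
resolver, not a real server.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Genuine Windows process names that malware imitates (cssrss.exe vs csrss.exe).
SYSTEM_NAMES = {
    "csrss.exe", "smss.exe", "lsass.exe", "svchost.exe", "winlogon.exe",
    "services.exe", "explorer.exe", "ctfmon.exe", "spoolsv.exe",
}
# Resolvers the owner is known to have configured.  Assumption: the OpenDNS
# pair seen in this thread was chosen on purpose; drop them if it was not.
KNOWN_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - .*?: NameServer = (?P<servers>\S+)$")
EXE_RE = re.compile(r'[^\s",\[\]]+\.(?:exe|dll|scr)\b', re.I)


@dataclass
class Finding:
    line: str
    reason: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 or 2 to a system name is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_autorun(cmd: str) -> List[str]:
    """Reasons an autorun command (or any executable path) looks wrong; empty if none."""
    reasons = []
    for path in EXE_RE.findall(cmd):
        directory, _, base = path.lower().rpartition("\\")
        if base in SYSTEM_NAMES:
            # The real process only ever runs from system32; elsewhere it is a copy.
            if directory and not directory.endswith("\\system32"):
                reasons.append(f"{base} running from {directory}")
            continue
        nearest = min(SYSTEM_NAMES, key=lambda name: edit_distance(base, name))
        if edit_distance(base, nearest) <= 2:
            reasons.append(f"{base} resembles system process {nearest}")
        if re.fullmatch(r"[a-z]:", directory) or "\\temp" in directory:
            reasons.append(f"{base} launched from drive root or temp: {path}")
    return reasons


def check_nameservers(servers: str) -> List[str]:
    """Flag every resolver in a comma-separated NameServer value that is not allowlisted."""
    reasons = []
    for server in servers.split(","):
        try:
            ipaddress.IPv4Address(server)
        except ValueError:
            reasons.append(f"malformed resolver {server!r}")
            continue
        if server not in KNOWN_RESOLVERS:
            reasons.append(f"resolver {server} was not configured by the owner")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Run the two checks over a HijackThis log and collect findings line by line."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            reasons = check_autorun(m["cmd"])
        elif m := O17_RE.match(line):
            reasons = check_nameservers(m["servers"])
        else:
            continue
        findings.extend(Finding(line, reason) for reason in reasons)
    return findings


# Constructed sample mirroring the thread's log; {CONSTRUCTED} replaces an interface GUID.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WMDM PMSP Service] C:\WINDOWS\system32\cssrss.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED}: NameServer = 192.0.2.53,208.67.222.222
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.reason}\n    {finding.line}")
```

On the sample, only the cssrss.exe entry and the placeholder resolver are reported; the OpenDNS pair passes because it is allowlisted. check_autorun also accepts a bare path, which is how one would run it over the firewall AuthorizedApplications list in the ComboFix output above (it flags c:\07mmui.exe for sitting at the drive root). The lookalike threshold of 2 is deliberately loose; tighten it or extend SYSTEM_NAMES for a longer log.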
thedeejay
2008-05-02, 17:11
Ok, I apologize for not reading the rules more thoroughly, I will remember to ask the experts next time.

Here is the log produced by Fixwareout:

Username "DJ" - 2008-05-02 11:00:30 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"RTHDCPL"="RTHDCPL.EXE"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="C:\\Program Files\\Download Manager\\DLM.exe /windowsstart /startifwork"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Fraps"="C:\\FRAPS\\FRAPS.EXE"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

I will edit this post with the rest, as this computer likes to BSOD lately. Something about RNDISMP.SYS, has been happening since this hack.

thedeejay
2008-05-02, 17:26
... And yet again, I have failed to notice some rule. Now I see at the bottom of the page that I may NOT edit my post. My apologies again for not knowing the ways of forums very well :sad:

Here is the new Fixwareout log:

Username "DJ" - 2008-05-02 11:18:58 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"RTHDCPL"="RTHDCPL.EXE"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="C:\\Program Files\\Download Manager\\DLM.exe /windowsstart /startifwork"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Fraps"="C:\\FRAPS\\FRAPS.EXE"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


Here is the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23, on 2008-05-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GS.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\FRAPS\FRAPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.affinityclan.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - Startup: Shortcut to 03-royksopp-49_percent-prs (2).lnk = C:\Documents and Settings\DJ\My Documents\My Music\03-royksopp-49_percent-prs.mp3
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206483690359
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Update Center Service (UpdateCenterService) - NVIDIA - C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
O23 - Service: WUSB54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 5839 bytes

I BSOD'd throughout this, it giving me an error about RNDISMP.SYS in the blue screen. I looked it up and saw that this is also a problem for people using my form of Linksys router, but it never occurred before this hack (been using computer for months now). Should this be solved now?

Thanks for all of this help, as well. I am glad there is still hope for my computer :laugh:

pskelley
2008-05-02, 17:54
Thanks for returning your HJT log and it looks fine. When you have error messages you need to post them word for word, exactly as Windows presents them to you. There are too many to research any other way. As you reported, it has occurred before, have a look here:
http://www.bleepingcomputer.com/forums/topic75067.html
and here: http://www.google.com/search?hl=en&q=RNDISMP.SYS+&btnG=Google+Search
my amateur guess, perhaps check for a driver update.

Hackers know the tools we use, more and more they hide from HJT. I would like to see KOS results to make sure nothing is missing.

Before we can do that, we have this bridge to cross.
I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

Since we do not need to scan with combofix, click NO

http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif

http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif

Thanks

thedeejay
2008-05-02, 18:41
Awesome, now I have a recovery console. Here is the CF-RC:

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

And the error log from my BSOD:

A Problem has been detected and Windows has been shut down to prevent damage to your computer.

DRIVER_IRQL_NOT_LESS_OR_EQUAL

Technical Information:

*** STOP: 0x000000D1 (4 other strings of numbers)

*** RNDISMP.SYS = Address BAC24B9C Base at BAC20000, DateStamp 41f94e02

Beginning Dump of physical memory
Physical memory dump complete
Contact your system administrator or technical support group for further assistance.

I cut out some instruction steps the BSOD had, didn't want to type a bunch of redundant things. Does this help?

pskelley
2008-05-02, 20:54
Looks like it is some kind of a driver issue, perhaps something here will help:
http://www.google.com/search?hl=en&q=DRIVER_IRQL_NOT_LESS_OR_EQUAL&btnG=Google+Search

Recovery Console was installed correctly. Remove combofix and the C:\Qoobox\Quarantine\ folder and scan with Kaspersky to make sure nothing is hiding from us:

Run this online scan using Internet Explorer:

Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

thedeejay
2008-05-03, 17:59
Here is my Kaspersky report:

2008-05-03 11:56
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/05/2008
Kaspersky Anti-Virus database records: 737249
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
E:\
Scan Statistics
Total number of scanned objects 47825
Number of viruses found 4
Number of infected objects 6
Number of suspicious objects 0
Duration of the scan process 00:48:16

Infected Object Name Virus Name Last Action
C:\Documents and Settings\DJ\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\DJ\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\DJ\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\DJ\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\DJ\Local Settings\Temp\Free Download Manager\tic8.tmp Object is locked skipped
C:\Documents and Settings\DJ\Local Settings\Temp\Free Download Manager\tic9.tmp Object is locked skipped
C:\Documents and Settings\DJ\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\DJ\ntuser.dat Object is locked skipped
C:\Documents and Settings\DJ\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wscmp.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.aph skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{936AD36E-B9D0-4B75-8CEA-153F174C09D6}\RP0\A0000008.exe Infected: Trojan-Downloader.Win32.Zlob.ljl skipped
C:\System Volume Information\_restore{936AD36E-B9D0-4B75-8CEA-153F174C09D6}\RP0\A0000013.dll Infected: not-a-virus:AdWare.Win32.BHO.aph skipped
C:\System Volume Information\_restore{936AD36E-B9D0-4B75-8CEA-153F174C09D6}\RP17\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\iHEaWZ.syz Infected: Backdoor.Win32.Agent.hgk skipped
C:\WINDOWS\system32\nmp.log Object is locked skipped
C:\WINDOWS\system32\ntload.dll Infected: not-virus:Hoax.Win32.Renos.bja skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\win32dbg.exe Infected: Trojan-Downloader.Win32.Zlob.ljl skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.

4 viruses and 6 infected files.. :(

pskelley
2008-05-03, 18:23
Thanks for returning your scan results, proceed like this:

1) Make sure you are still viewing all files and folders:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

2) Delete the files in red

C:\WINDOWS\system32\iHEaWZ.syz ------> Backdoor.Win32.Agent.hgk
C:\WINDOWS\system32\ntload.dll ------> not-virus:Hoax.Win32.Renos.bja
C:\WINDOWS\system32\win32dbg.exe ------> Trojan-Downloader.Win32.Zlob.ljl

3) C:\QooBox\Quarantine\ <<< delete that folder and contents

4) Empty the Recycle Bin on your Desktop and restart the computer

5) Follow these directions to clean infected System Restore files:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

No need to post a clean KOS result

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
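As an added example (not part of this thread or of any tool mentioned in it), a small Python script that parses a Kaspersky Online Scanner report in the layout posted above and sorts each "Infected:" entry into the cleanup step the reply above assigns to it: files to delete by hand, ComboFix quarantine copies (removed with the QooBox folder) and System Restore copies (cleared by toggling System Restore), while skipping "Object is locked" lines, which are in-use system files rather than detections. The sample report is constructed from the paths and detection names in this thread.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the Kaspersky Online Scanner report
# posted in this thread (paths and detection names taken from that report).
SAMPLE_REPORT = """\
Infected Object Name Virus Name Last Action
C:\\Documents and Settings\\DJ\\ntuser.dat Object is locked skipped
C:\\QooBox\\Quarantine\\C\\WINDOWS\\system32\\wscmp.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.aph skipped
C:\\System Volume Information\\_restore{936AD36E-B9D0-4B75-8CEA-153F174C09D6}\\RP0\\A0000008.exe Infected: Trojan-Downloader.Win32.Zlob.ljl skipped
C:\\WINDOWS\\system32\\iHEaWZ.syz Infected: Backdoor.Win32.Agent.hgk skipped
C:\\WINDOWS\\system32\\ntload.dll Infected: not-virus:Hoax.Win32.Renos.bja skipped
C:\\WINDOWS\\system32\\win32dbg.exe Infected: Trojan-Downloader.Win32.Zlob.ljl skipped
Scan process completed.
"""

INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\w+)$")
LOCKED = re.compile(r"^(?P<path>.+?) Object is locked skipped$")

def parse_report(text):
    """Yield (path, detection name) for every 'Infected:' line. Locked objects
    (registry hives, index.dat, event logs) are in use, not detections."""
    for line in text.splitlines():
        m = INFECTED.match(line)
        if m:
            yield m.group("path"), m.group("name")

def triage(detections):
    """Bucket each detection by the cleanup step from the reply above."""
    buckets = defaultdict(list)
    for path, name in detections:
        upper = path.upper()
        if "\\QOOBOX\\QUARANTINE\\" in upper:
            buckets["quarantine"].append(path)       # step 3: delete the folder
        elif "\\SYSTEM VOLUME INFORMATION\\_RESTORE" in upper:
            buckets["restore_point"].append(path)    # step 5: toggle System Restore
        else:
            buckets["delete_manually"].append((path, name))  # step 2: files in red
    return dict(buckets)

def count_locked(text):
    """Number of 'Object is locked' lines, reported only so they are not mistaken for hits."""
    return sum(1 for line in text.splitlines() if LOCKED.match(line))

if __name__ == "__main__":
    for step, items in triage(parse_report(SAMPLE_REPORT)).items():
        print(step, items)
```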

thedeejay
2008-05-03, 19:16
Thank you for all the help, it is more than I could have ever asked for. Computer is operating fine and I can continue doing what I was doing again. Thanks so much :laugh:

And thank you for the donation link, I am definitely going to do so.