PDA

View Full Version : Got sidetracked on last set of instructions


jayroc30
2008-05-02, 06:18
My last set of instructions was to download combofix, save log as well as a fresh hijack log. I had a little trouble at first because after I started combofix,it would freeze up. I disabled Norton antivirus auto protect and it did what it was supposed to, I guess. Here are my logs.

ComboFix 08-04-22.5 - Owner 2008-04-30 22:46:12.5 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\rs.txt
C:\WINDOWS\system32\bbdfwsfj.ini
C:\WINDOWS\system32\cdyxtsae.dll
C:\WINDOWS\system32\nfsabeem.dll
C:\WINDOWS\system32\nnofqyno.ini
C:\WINDOWS\system32\nxlokwtp.ini
C:\WINDOWS\system32\odcgroxs.ini
C:\WINDOWS\system32\reuktbhl.dll
C:\WINDOWS\system32\ufupefen.dll
C:\WINDOWS\system32\wwHgPqss.ini2
C:\WINDOWS\system32\YFMUxGgh.ini
C:\WINDOWS\system32\YFMUxGgh.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-01 to 2008-05-01 )))))))))))))))))))))))))))))))
.

2008-04-24 22:51 . 2008-04-24 22:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-04-24 22:48 . 2008-04-24 22:51 <DIR> d-------- C:\Program Files\Linksys EasyLink Advisor
2008-04-24 22:43 . 2008-04-24 22:44 1,509,099 --ahs---- C:\WINDOWS\system32\ithebmjp.ini
2008-04-23 20:35 . 2008-04-24 20:35 1,540,617 --ahs---- C:\WINDOWS\system32\egeogcaf.ini
2008-04-15 23:10 . 2008-04-16 20:03 1,602,774 --ahs---- C:\WINDOWS\system32\yubpobfe.ini
2008-04-14 23:13 . 2008-04-14 23:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-14 23:04 . 2008-04-15 23:04 1,602,593 --ahs---- C:\WINDOWS\system32\ingxtckm.ini
2008-04-14 22:54 . 2008-04-27 20:30 326 --a------ C:\WINDOWS\wininit.ini
2008-04-14 20:46 . 2008-04-14 20:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-14 20:45 . 2008-04-14 20:45 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-14 20:33 . 2008-04-14 20:33 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-14 20:33 . 2008-04-14 22:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-13 17:51 . 2003-11-12 20:20 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-13 17:51 . 2003-11-12 20:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-13 17:51 . 2003-11-12 20:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-04-13 17:51 . 2003-11-12 21:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2008-04-13 17:51 . 2008-04-13 17:51 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-13 17:51 . 2008-04-27 20:39 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-13 15:25 . 2008-03-01 08:06 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-13 15:25 . 2008-03-01 08:06 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-13 15:25 . 2008-03-01 08:06 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-13 15:24 . 2008-03-01 08:06 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-13 15:24 . 2007-04-17 04:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-13 15:24 . 2007-03-08 00:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-13 15:24 . 2008-03-01 08:06 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-13 15:24 . 2008-03-01 08:06 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-13 15:24 . 2008-02-22 05:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-13 15:19 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-13 15:19 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-13 08:46 . 2008-04-13 08:46 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-13 07:59 . 2008-04-24 22:48 <DIR> d-ah----- C:\Documents and Settings\All Users\Application Data\Gtek
2008-04-13 07:59 . 2008-04-13 07:59 3,960 --a------ C:\WINDOWS\system32\OEMINFO.PNF
2008-04-13 07:58 . 2008-04-24 22:51 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\GTek
2008-04-13 07:58 . 2007-07-09 08:16 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-13 07:23 . 2006-08-21 04:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-04-13 07:23 . 2006-08-21 04:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-04-13 07:23 . 2006-08-21 07:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-04-12 22:43 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-04-12 22:39 . 2008-04-12 22:39 <DIR> d-------- C:\fc28dcdf7f0b665bd1d8774016
2008-04-12 19:59 . 2008-04-12 19:59 276 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-12 17:57 . 2008-04-12 17:57 <DIR> d-------- C:\WINDOWS\provisioning
2008-04-12 17:57 . 2008-04-12 17:57 <DIR> d-------- C:\WINDOWS\peernet
2008-04-12 17:50 . 2008-04-12 17:50 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-04-12 17:36 . 2008-04-12 17:36 <DIR> d-------- C:\WINDOWS\EHome
2008-04-12 15:39 . 2008-04-12 19:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\zmjwtepe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-19 20:48 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-04-14 02:55 --------- d-----w C:\Documents and Settings\Owner\Application Data\Symantec
2008-04-14 02:34 --------- d-----w C:\Program Files\Norton AntiVirus
2008-04-13 01:44 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-25 03:43 --------- d-----w C:\Program Files\Java
2008-03-22 04:17 --------- d-----w C:\Program Files\LimeWire
2008-03-22 04:13 --------- d-----w C:\Program Files\Common Files\Java
2008-03-21 22:33 --------- d-----w C:\Program Files\ICQ
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-12 01:37 144 ----a-w C:\domains.dat
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-27_20.43.57.70 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-28 01:39:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-01 03:42:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2CBBDD29-B12E-47B1-ABB8-3268C4A60DCA}]
C:\WINDOWS\system32\hgGxUMFY.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1F8A048D-9A0B-4565-A3D0-2A2E6B44592A}"= "C:\WINDOWS\sgoblxtm.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{1f8a048d-9a0b-4565-a3d0-2a2e6b44592a}]
[HKEY_CLASSES_ROOT\sgoblxtm.1]
[HKEY_CLASSES_ROOT\TypeLib\{7ABB2F2F-8108-4813-BDEC-4C82B0D16992}]
[HKEY_CLASSES_ROOT\sgoblxtm]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 18:16 454784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 11:47 71328]
"CARPService"="carpserv.exe" [2003-03-06 18:50 4608 C:\WINDOWS\system32\carpserv.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-01-09 20:46 126976]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-01-09 20:45 581632]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-05-16 00:10 323584]
"Broadcom Wireless Manager UI"="C:\WINDOWS\System32\bcmntray" [ ]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-02-12 20:54 95960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"MRT"="C:\WINDOWS\system32\MRT.exe" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"d808fec3"="C:\WINDOWS\system32\jfswfdbb.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBtUmNF]
geBtUmNF.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-05-01 03:46:02 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-27 14:25:04 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Owner.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEh/task:
"2008-04-05 13:27:02 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2008-05-01 03:50:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 22:49:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-30 22:54:08
ComboFix-quarantined-files.txt 2008-05-01 03:54:03

Pre-Run: 72,946,257,920 bytes free
Post-Run: 72,936,849,408 bytes free

157 --- E O F --- 2008-04-25 02:57:09


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:56:15 PM, on 4/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\bcmntray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2CBBDD29-B12E-47B1-ABB8-3268C4A60DCA} - C:\WINDOWS\system32\hgGxUMFY.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: sgoblxtm - {1F8A048D-9A0B-4565-A3D0-2A2E6B44592A} - C:\WINDOWS\sgoblxtm.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\bcmntray
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [MRT] "C:\WINDOWS\system32\MRT.exe" /R
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [d808fec3] rundll32.exe "C:\WINDOWS\system32\jfswfdbb.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208038652566
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
O20 - Winlogon Notify: geBtUmNF - geBtUmNF.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 7279 bytes
Blade81
2008-05-04, 21:14
Hi

First of all remove old copy of ComboFix.exe file and download new one to your desktop thru one of following links:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)



Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\WINDOWS\system32\ithebmjp.ini
C:\WINDOWS\system32\egeogcaf.ini
C:\WINDOWS\system32\yubpobfe.ini
C:\WINDOWS\system32\ingxtckm.ini
C:\domains.dat

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2CBBDD29-B12E-47B1-ABB8-3268C4A60DCA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1F8A048D-9A0B-4565-A3D0-2A2E6B44592A}"=-

[-HKEY_CLASSES_ROOT\clsid\{1f8a048d-9a0b-4565-a3d0-2a2e6b44592a}]
[-HKEY_CLASSES_ROOT\sgoblxtm.1]
[-HKEY_CLASSES_ROOT\TypeLib\{7ABB2F2F-8108-4813-BDEC-4C82B0D16992}]
[-HKEY_CLASSES_ROOT\sgoblxtm]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"d808fec3"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBtUmNF]



Save this as
CFScript


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, click Yes.
The program will launch and start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings and select the following:
Scan using the following Anti-Virus database:
Extended (If available, otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK.
Under
select a target to scan
, select My Computer.
The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.Once the scan is complete:
Click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information into your next post if the AV content will fit into one post only. Post also a fresh hjt log and above meantioned ComboFix resultant log.


Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

If having a problme doing the above

Make sure that your Internet security settings are set to default values.

To set default security settings for Internet Explorer:

* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four item (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.