Smitfraud-C., Virtumonde & Antivirus XP 2008 window
Totally grateful for any help in advance!
I noticed that our computer was "acting weird"...the screen would flash and boxes would pop up out of nowhere. So, I scanned and scanned and scanned with Ad-Aware and Spybot. I followed the "BEFORE you POST" directions, but even after a half a dozen scans the Smitfraud-C. continues to show up.
There is also a window that popped up for "Antivirus XP 2008". It ONLY gives you the option to accept the agreement and install...which I have not done. From what I've researched on the internet, this appears to actually be a virus NOT an antivirus program.
Below is my HijackThis Log. I will post my Kaspersky Scan once that is complete. Again, thank you for any assistance you can offer.
HJT Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:45:40 AM, on 9/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\CAPM3RSK.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\All Users\Application Data\fyxilary\jixkpybe.exe
C:\Program Files\NETGEAR\WG311 Wireless Smart Configuration\Utility\NetgearAG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\Atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\lphcrd9j0evn9.exe
C:\Documents and Settings\server\Local Settings\Temp\.ttC.tmp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\DOCUME~1\server\LOCALS~1\Temp\g.exe
C:\WINDOWS\system32\fobsdyle.exe
C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\CAPM3LAK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3SWK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3SWK.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\CAPM3SWK.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Redirector module - {C4B24ECA-DB17-43e0-9E25-99A142F079EA} - C:\WINDOWS\system32\msrsa.dll
O4 - HKLM\..\Run: [AS01_Netgear] C:\Program Files\NETGEAR\WG311 Wireless Smart Configuration\Utility\NetgearAG.exe -hide
O4 - HKLM\..\Run: [AS00_Netgear] C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe -hide
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [lphcrd9j0evn9] C:\WINDOWS\system32\lphcrd9j0evn9.exe
O4 - HKLM\..\Run: [inrhcvd9j0evn9] C:\Documents and Settings\server\Local Settings\Temp\.ttC.tmp.exe /CR=E75BC5158BBE27093AD0E0616070532527A381EE55D8E1F23D70BC7C71F03529C472C5D32F2D2F0C1F84F9DC5A5955675BCCB1B306379AF9478135748B1D197B58869A281AC4063F1336A39A83E645EE88
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\server\LOCALS~1\Temp\g.exe
O4 - HKCU\..\Run: [StrMsgCom] C:\WINDOWS\system32\fobsdyle.exe
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\SAV\sav.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB8409] command /c del "C:\WINDOWS\SYSTEM32\phcrd9j0evn9.bmp"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5578] cmd /c del "C:\WINDOWS\SYSTEM32\phcrd9j0evn9.bmp"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6515] command /c del "C:\Documents and Settings\server\Local Settings\Temp\x.ico"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3678] cmd /c del "C:\Documents and Settings\server\Local Settings\Temp\x.ico"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1382] command /c del "C:\WINDOWS\SYSTEM32\phcrd9j0evn9.bmp"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4769] cmd /c del "C:\WINDOWS\SYSTEM32\phcrd9j0evn9.bmp"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1793] command /c del "C:\Documents and Settings\server\Local Settings\Temp\x.ico"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8535] cmd /c del "C:\Documents and Settings\server\Local Settings\Temp\x.ico"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6939] command /c del "C:\WINDOWS\SYSTEM32\phcrd9j0evn9.bmp"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1552] cmd /c del "C:\WINDOWS\SYSTEM32\phcrd9j0evn9.bmp"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1285] command /c del "C:\Documents and Settings\server\Local Settings\Temp\x.ico"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9333] cmd /c del "C:\Documents and Settings\server\Local Settings\Temp\x.ico"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3966] command /c del "C:\WINDOWS\SYSTEM32\phcrd9j0evn9.bmp"
O4 - HKCU\..\RunOnce: [SpybotDeletingD85] cmd /c del "C:\WINDOWS\SYSTEM32\phcrd9j0evn9.bmp"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6845] command /c del "C:\Documents and Settings\server\Local Settings\Temp\x.ico"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6557] cmd /c del "C:\Documents and Settings\server\Local Settings\Temp\x.ico"
O4 - HKLM\..\Policies\Explorer\Run: [RhRrs7egkd] C:\Documents and Settings\All Users\Application Data\fyxilary\jixkpybe.exe
O4 - HKUS\S-1-5-19\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
O4 - Global Startup: Canon PC1200 iC D700 Status Window.LNK = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\CAPM3LAK.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN_XP.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182195887631
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: OPHE DCS Loader - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHELDCS.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 10947 bytes
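An added triage script (not from this thread, and not HijackThis functionality) that parses O4 registry-run lines of the form shown in the log above and flags what a helper looks for: executables running from a Temp directory, the Policies\Explorer\Run key, double extensions such as .tmp.exe, and random-looking file names. The heuristics are this example's own, and the sample lines are copied from the log above with the long /CR argument shortened; note that the generic-looking [Antivirus] sav.exe entry is not caught by them, which is why a human still reads the whole log.

```python
"""Triage HijackThis O4 registry-run entries (added example, not HijackThis code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: O4 lines taken from the log in this thread (the /CR argument is shortened).
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [lphcrd9j0evn9] C:\WINDOWS\system32\lphcrd9j0evn9.exe
O4 - HKLM\..\Run: [inrhcvd9j0evn9] C:\Documents and Settings\server\Local Settings\Temp\.ttC.tmp.exe /CR=E75BC5158BBE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\server\LOCALS~1\Temp\g.exe
O4 - HKCU\..\Run: [StrMsgCom] C:\WINDOWS\system32\fobsdyle.exe
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\SAV\sav.exe
O4 - HKLM\..\Policies\Explorer\Run: [RhRrs7egkd] C:\Documents and Settings\All Users\Application Data\fyxilary\jixkpybe.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""

# Shape of a registry O4 line: 'O4 - <hive>\..\<key>: [<entry name>] <command line>'
O4_RE = re.compile(r'^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# First executable on the command line: a quoted path, or a bare path up to a known extension.
EXE_RE = re.compile(r'"([^"]+)"|(.*?\.(?:exe|com|scr|cpl|vbs|bat|cmd|dll))(?:\s|$)', re.I)
TEMP_RE = re.compile(r'\\temp\\', re.I)


@dataclass
class Autostart:
    hive: str
    key: str
    name: str
    command: str
    reasons: List[str] = field(default_factory=list)


def parse_o4(line: str) -> Optional[Autostart]:
    """Parse one registry O4 line; returns None for other O4 forms (e.g. Global Startup shortcuts)."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return Autostart(m['hive'], m['key'], m['name'], m['cmd'])


def executable_of(command: str) -> str:
    """Extract the launched executable, dropping trailing arguments such as '/CR=...' or '-hide'."""
    m = EXE_RE.match(command)
    if m:
        return m.group(1) or m.group(2)
    tokens = command.split()
    return tokens[0] if tokens else command


def looks_random(stem: str) -> bool:
    """Heuristic for generated names like lphcrd9j0evn9, fobsdyle, jixkpybe:
    long, all lowercase, and either mixing letters with digits or very vowel-poor.
    Real use needs an allowlist; this is a triage aid, not a verdict."""
    if len(stem) < 8:
        return False
    if re.fullmatch(r'[a-z0-9]+', stem) and re.search(r'\d', stem) and re.search(r'[a-z]', stem):
        return True
    if re.fullmatch(r'[a-z]+', stem):
        vowels = sum(c in 'aeiou' for c in stem)
        return vowels / len(stem) <= 0.25
    return False


def assess(entry: Autostart) -> Autostart:
    """Attach a reason tag for every heuristic the entry trips."""
    exe = executable_of(entry.command)
    base = exe.replace('/', '\\').rsplit('\\', 1)[-1]
    stem, _, _ext = base.rpartition('.')
    if TEMP_RE.search(exe):
        entry.reasons.append('temp-dir')              # persistence from a temp folder
    if entry.key.lower().startswith('policies\\'):
        entry.reasons.append('policies-run-key')      # rarely used by legitimate software
    if '.' in stem and stem.split('.')[-1].lower() in ('tmp', 'txt', 'bmp', 'jpg'):
        entry.reasons.append('double-extension')      # e.g. .tmp.exe
    if looks_random(stem):
        entry.reasons.append('random-name')
    return entry


def triage(log_text: str) -> List[Autostart]:
    """Return the registry O4 entries that trip at least one heuristic, in log order."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is not None and assess(entry).reasons:
            flagged.append(entry)
    return flagged


if __name__ == '__main__':
    for e in triage(SAMPLE_HJT):
        print(f"[{e.name}] {e.command}  <- {', '.join(e.reasons)}")
```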
pskelley
2008-09-23, 16:23
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Make sure you read and follow the directions; anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, as the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully; the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.
Hi Stacey, before we start, you have new malware in the HJT log and one of our experts would like to look at it.
This is what she would like a sample of:
O2 - BHO: Redirector module - {C4B24ECA-DB17-43e0-9E25-99A142F079EA} - C:\WINDOWS\system32\msrsa.dll
You can upload it here:
http://www.bleepingcomputer.com/submit-malware.php?channel=8
You may have to show hidden files and folders to see that file?
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Link to topic where this file was requested:
http://forums.spybot.info/showthread.php?t=34487
Browse to that file: C:\WINDOWS\system32\msrsa.dll
In the comment box, please indicate the file for Mieke,
Then click "Send File".
This will help others who get infected with that junk, I will post the first of the instructions to clean up your computer soon.
Thanks...Phil
pskelley
2008-09-23, 16:52
You have nasty junk on the computer, please review the directions first.
1) I would so appreciate it if you upload the file described in my first post before you start these instructions.
2) Note: In Notepad under Format, uncheck "Word Wrap". Produce all HJT logs like this, single spaced.
3) We first need to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)
4) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Remove any old copies of combofix before you proceed.
Thanks to sUBs and anyone else who helped with this fix.
It is important that it is saved directly to your Desktop.
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Post the combofix log and a new HJT log.
Thanks...Phil
Hi Stacey, before we start, you have new malware in the HJT log and one of our experts would like to look at it.
This is what she would like a sample of:
O2 - BHO: Redirector module - {C4B24ECA-DB17-43e0-9E25-99A142F079EA} - C:\WINDOWS\system32\msrsa.dll
You can upload it here:
http://www.bleepingcomputer.com/submit-malware.php?channel=8
You may have to show hidden files and folders to see that file?
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Link to topic where this file was requested:
http://forums.spybot.info/showthread.php?t=34487
Browse to that file: C:\WINDOWS\system32\msrsa.dll
In the comment box, please indicate the file for Mieke,
Then click "Send File".
Good Morning Phil ~
I'm sorry I could not get back to you at all yesterday, I was in school all day.
First, I have read the BEFORE you POST in its entirety. I had a problem once before and Shaba helped me with great success. I completely understand that there could be "other" problems that result from this or that we may not be able to solve the current "problems", but I completely appreciate any help you can give me. Second, I am not a very "techie" person, but I can follow instructions well so I will do my best. Third, the Kaspersky scan took forever to complete...do you want me to upload that?
Now, on the above quote from your first post...I'm not quite sure I follow. How do I get a sample of the file to here? Is it following the links you provided and browsing for the file and then uploading it? I'm sorry, but it will take me a few minutes to get "in the swing" on this.
I will wait to hear back from you on the above BEFORE proceeding with the instructions in your second post.
Thank you again for your time!
Warmest Blessings,
Stacey
Phil ~
Please disregard that first post...I was able to figure out how to upload the file to Mieke!
Please let me know about the Kaspersky log and whether or not you want that uploaded yet. I will proceed with the rest of your instructions in the second post...
Thanks again!
Stacey
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, September 24, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, September 22, 2008 18:43:47
Records in database: 1250582
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
S:\
T:\
Scan statistics:
Files scanned: 88220
Threat name: 42
Infected objects: 84
Suspicious objects: 12
Duration of the scan: 06:49:59
File name / Threat name / Threats count
C:\WINDOWS\system32\lphcrd9j0evn9.exe/C:\WINDOWS\system32\lphcrd9j0evn9.exe Infected: Backdoor.Win32.Frauder.fb 1
C:\Documents and Settings\server\Local Settings\Temp\.ttC.tmp.exe/C:\Documents and Settings\server\Local Settings\Temp\.ttC.tmp.exe Infected: not-a-virus:FraudTool.Win32.XPAntivirus.sx 1
C:\WINDOWS\system32\fobsdyle.exe/C:\WINDOWS\system32\fobsdyle.exe Infected: Trojan.Win32.Obfuscated.gx 1
C:\WINDOWS\SYSTEM32\fobsdyle.exe Infected: Trojan.Win32.Obfuscated.gx 1
C:\WINDOWS\SYSTEM32\sav.cpl Infected: not-a-virus:FraudTool.Win32.UltimateAntivirus.cc 1
C:\WINDOWS\SYSTEM32\rmxinsny.exe Infected: Trojan.Win32.Obfuscated.gx 1
C:\WINDOWS\SYSTEM32\tufojefe.exe Infected: Trojan.Win32.Obfuscated.gx 1
C:\WINDOWS\SYSTEM32\kvwdgfwd.exe Infected: Trojan.Win32.Obfuscated.gx 1
C:\WINDOWS\SYSTEM32\lphcrd9j0evn9.exe Infected: Backdoor.Win32.Frauder.fb 1
C:\WINDOWS\raven_def.exe Infected: Trojan-Downloader.Win32.Wren.r 1
C:\Program Files\Norton AntiVirus\Quarantine\54DE71DA.exe Infected: Net-Worm.Win32.Welchia.a 1
C:\Program Files\Norton AntiVirus\Quarantine\722474C6.dat Infected: P2P-Worm.Win32.SpyBot.eu 1
C:\Program Files\Norton AntiVirus\Quarantine\097D4F49.exe Infected: Backdoor.Win32.IRCBot.gen 1
C:\Program Files\Norton AntiVirus\Quarantine\0AB363F3.exe Infected: Backdoor.Win32.IRCBot.gen 1
C:\Program Files\Norton AntiVirus\Quarantine\4B187796 Infected: Trojan-Dropper.Win32.Small.gj 1
C:\Program Files\Norton AntiVirus\Quarantine\4E4F4C0D Infected: Trojan-Downloader.Win32.Small.id 1
C:\Program Files\Norton AntiVirus\Quarantine\57ED7577 Infected: Trojan-Clicker.Win32.Delf.r 1
C:\Program Files\Norton AntiVirus\Quarantine\57F11F73 Infected: Trojan-Downloader.Win32.Small.en 1
C:\Program Files\Norton AntiVirus\Quarantine\721D4BBC Infected: not-a-virus:AdWare.Win32.VirtualBouncer.d 1
C:\Program Files\Norton AntiVirus\Quarantine\227E2A0D Infected: not-a-virus:AdWare.Win32.Cydoor 1
C:\Program Files\Norton AntiVirus\Quarantine\0BCB697A Infected: Backdoor.Win32.Ruledor.c 1
C:\Program Files\Norton AntiVirus\Quarantine\43272BA8 Infected: not-a-virus:AdWare.Win32.ClearSearch.d 1
C:\Program Files\Norton AntiVirus\Quarantine\4AC83964 Infected: Backdoor.Win32.Ruledor.c 1
C:\Program Files\Norton AntiVirus\Quarantine\17F45E0A Infected: Trojan-Downloader.Win32.Dyfuca.ak 1
C:\Program Files\Norton AntiVirus\Quarantine\03A713A4 Infected: not-a-virus:AdWare.Win32.SaveNow.c 1
C:\Program Files\Norton AntiVirus\Quarantine\03A713A4 Infected: not-a-virus:AdWare.Win32.SaveNow.af 1
C:\Program Files\Norton AntiVirus\Quarantine\03A713A4 Infected: not-a-virus:AdWare.Win32.SaveNow.ay 1
C:\Program Files\Norton AntiVirus\Quarantine\03A713A4 Infected: not-a-virus:AdWare.Win32.SaveNow.f 1
C:\Program Files\Norton AntiVirus\Quarantine\67E70A5E Infected: not-a-virus:AdWare.Win32.SaveNow.s 1
C:\Program Files\Norton AntiVirus\Quarantine\57F7736C Infected: not-a-virus:AdWare.Win32.SaveNow.cj 1
C:\Program Files\Norton AntiVirus\Quarantine\731348BB Infected: Trojan.Win32.SecondThought.ai 1
C:\Program Files\Norton AntiVirus\Quarantine\241C529B Infected: Trojan-Dropper.Win32.Delf.z 1
C:\Program Files\Norton AntiVirus\Quarantine\7B1C3690 Infected: Trojan-Downloader.Win32.Dyfuca.cn 1
C:\Program Files\Norton AntiVirus\Quarantine\33166207 Infected: Email-Worm.Win32.NetSky.q 1
C:\Program Files\Norton AntiVirus\Quarantine\332A5DF2 Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Program Files\Norton AntiVirus\Quarantine\334757D1 Infected: Email-Worm.Win32.NetSky.q 1
C:\Program Files\Norton AntiVirus\Quarantine\1AB30CC9 Infected: Email-Worm.Win32.NetSky.q 1
C:\Program Files\Norton AntiVirus\Quarantine\60DB18FB Infected: Email-Worm.Win32.NetSky.q 1
C:\Program Files\Norton AntiVirus\Quarantine\610210D0 Infected: Email-Worm.Win32.NetSky.q 1
C:\Program Files\Norton AntiVirus\Quarantine\610864C8 Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Program Files\Norton AntiVirus\Quarantine\4CC525A2 Infected: Email-Worm.Win32.NetSky.q 1
C:\Program Files\Norton AntiVirus\Quarantine\4CE5497E Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Program Files\Norton AntiVirus\Quarantine\4CEF4773 Infected: Email-Worm.Win32.NetSky.q 1
C:\Program Files\Norton AntiVirus\Quarantine\04064BA8 Infected: Email-Worm.Win32.NetSky.q 1
C:\Program Files\Norton AntiVirus\Quarantine\04626344 Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Program Files\Norton AntiVirus\Quarantine\28AB247A Infected: Trojan-Downloader.Win32.Dyfuca.cn 1
C:\Program Files\Norton AntiVirus\Quarantine\5D1048D0 Infected: Email-Worm.Win32.NetSky.q 1
C:\Program Files\Norton AntiVirus\Quarantine\02F03922 Infected: Email-Worm.Win32.NetSky.q 1
C:\Program Files\Norton AntiVirus\Quarantine\02FA3718 Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Program Files\Norton AntiVirus\Quarantine\38045FDC Infected: Email-Worm.Win32.NetSky.q 1
C:\Program Files\Norton AntiVirus\Quarantine\381B05C3 Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Program Files\Norton AntiVirus\Quarantine\382503B8 Infected: Email-Worm.Win32.NetSky.q 1
C:\Program Files\Norton AntiVirus\Quarantine\0BEF21C3 Infected: Email-Worm.Win32.NetSky.q 1
C:\Program Files\Norton AntiVirus\Quarantine\0C480F62 Infected: Email-Worm.Win32.NetSky.q 1
C:\Program Files\Norton AntiVirus\Quarantine\0C510D57 Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Program Files\Norton AntiVirus\Quarantine\442E7502 Infected: Email-Worm.Win32.NetSky.q 1
C:\Program Files\Norton AntiVirus\Quarantine\35A25B4B Infected: Email-Worm.Win32.NetSky.q 1
C:\Program Files\Norton AntiVirus\Quarantine\35C37F27 Infected: Email-Worm.Win32.NetSky.q 1
C:\Program Files\Norton AntiVirus\Quarantine\35CD7D1C Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Program Files\Norton AntiVirus\Quarantine\03552058 Infected: Email-Worm.Win32.NetSky.q 1
C:\Program Files\Norton AntiVirus\Quarantine\03681C42 Infected: Email-Worm.Win32.NetSky.q 1
C:\Program Files\Norton AntiVirus\Quarantine\036C463F Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Program Files\Norton AntiVirus\Quarantine\6B3B4490 Infected: Email-Worm.Win32.NetSky.q 1
C:\Program Files\Norton AntiVirus\Quarantine\6B4E407A Infected: Email-Worm.Win32.NetSky.q 1
C:\Program Files\Norton AntiVirus\Quarantine\6B551473 Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Program Files\Norton AntiVirus\Quarantine\041956D9 Infected: not-a-virus:AdWare.Win32.Cash 1
C:\Temp\bar.exe Infected: not-a-virus:AdWare.Win32.IeSearchBar 1
C:\Temp\ss_cdt_setup.exe Infected: not-a-virus:AdWare.Win32.Sidesearch.e 1
C:\Temp\__unin__.exe Infected: not-a-virus:AdWare.Win32.Altnet.b 1
C:\Temp\TvmUpdater.exe Infected: not-a-virus:AdWare.Win32.TotalVelocity.e 1
C:\Temp\TvmUpdater.exe Infected: not-a-virus:AdWare.Win32.TotalVelocity.j 2
C:\Documents and Settings\default\Application Data\Identities\{58A8D38F-A258-4414-B3D5-B2FE3A8756BC}\Microsoft\Outlook Express\Inbox.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 2
C:\Documents and Settings\default\Application Data\Identities\{58A8D38F-A258-4414-B3D5-B2FE3A8756BC}\Microsoft\Outlook Express\Inbox.dbx Infected: Email-Worm.Win32.Klez.h 3
C:\Documents and Settings\Tisha Acuna\Local Settings\Temp\EACDownload\RAVEN_~1.EXE Infected: Trojan-Downloader.Win32.Wren.r 1
C:\Documents and Settings\Tisha Acuna\My Documents\explodhdt.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\Documents and Settings\Tisha Acuna\My Documents\explodhdt.exe Infected: not-a-virus:AdWare.Win32.EZula.cp 1
C:\Documents and Settings\Tisha Acuna\My Documents\explodhdt.exe Infected: not-a-virus:AdWare.Win32.Gator.3103 1
C:\Documents and Settings\server\Local Settings\Temp\a.exe Infected: Trojan.Win32.FraudPack.um 1
C:\Documents and Settings\server\Local Settings\Temp\d.exe Infected: Trojan.Win32.FraudPack.to 1
C:\Documents and Settings\server\Local Settings\Temp\e.exe Infected: not-a-virus:FraudTool.Win32.MSAntivirus.v 1
C:\Documents and Settings\server\Local Settings\Temp\e.exe Infected: not-a-virus:FraudTool.Win32.UltimateAntivirus.cc 1
C:\Documents and Settings\server\Local Settings\Temp\f.exe Infected: Trojan.Win32.FraudPack.um 1
C:\Documents and Settings\server\Local Settings\Temp\i.exe Infected: not-a-virus:FraudTool.Win32.MSAntivirus.v 1
C:\Documents and Settings\server\Local Settings\Temp\i.exe Infected: not-a-virus:FraudTool.Win32.UltimateAntivirus.cc 1
C:\Documents and Settings\server\Local Settings\Temp\.tt9.tmp.vbs Infected: Backdoor.Win32.Frauder.eo 1
C:\Documents and Settings\server\Local Settings\Temp\.ttC.tmp Infected: not-a-virus:FraudTool.Win32.XPAntivirus.sx 1
C:\Documents and Settings\server\Local Settings\Temp\.ttC.tmp.exe Infected: not-a-virus:FraudTool.Win32.XPAntivirus.sx 1
C:\Documents and Settings\server\Local Settings\Temp\.tt1.tmp.vbs Infected: Backdoor.Win32.Frauder.eo 1
C:\Documents and Settings\server\Local Settings\Temp\.ttA.tmp.vbs Infected: Backdoor.Win32.Frauder.eo 1
C:\Documents and Settings\server\Local Settings\Temp\lexutstw.exe Infected: Backdoor.Win32.Frauder.fb 1
C:\Documents and Settings\server\Local Settings\Temp\.tt2.tmp.vbs Infected: Backdoor.Win32.Frauder.eo 1
C:\Documents and Settings\server\Local Settings\Temp\.tt16.tmp.vbs Infected: Backdoor.Win32.Frauder.eo 1
The selected area was scanned.
ComboFix 08-09-22.06 - server 2008-09-24 9:41:48.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.160 [GMT -7:00]
Running from: C:\Documents and Settings\server\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\server\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\default\Cookies\default@ehg-espn.hitbox[1].txt
C:\Documents and Settings\default\Cookies\MM2048.DAT
C:\Documents and Settings\default\Cookies\MM256.DAT
C:\Documents and Settings\Tisha Acuna\Local Settings\Temporary Internet Files\Tvm.log
C:\Program Files\MyWay
C:\WINDOWS\Downloaded Program Files\netia32.inf
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\start.exe
C:\WINDOWS\system32\akttzn.exe
C:\WINDOWS\system32\anticipator.dll
C:\WINDOWS\system32\awtoolb.dll
C:\WINDOWS\system32\bdn.com
C:\WINDOWS\system32\blphcrd9j0evn9.scr
C:\WINDOWS\system32\bsva-egihsg52.exe
C:\WINDOWS\system32\dao350.dll
C:\WINDOWS\system32\dpcproxy.exe
C:\WINDOWS\system32\FTPx.dll
C:\WINDOWS\system32\hoproxy.dll
C:\WINDOWS\system32\hxiwlgpm.dat
C:\WINDOWS\system32\hxiwlgpm.exe
C:\WINDOWS\system32\lphcrd9j0evn9.exe
C:\WINDOWS\system32\msgp.exe
C:\WINDOWS\system32\msnbho.dll
C:\WINDOWS\system32\mssecu.exe
C:\WINDOWS\system32\msvchost.exe
C:\WINDOWS\system32\mtr2.exe
C:\WINDOWS\system32\mwin32.exe
C:\WINDOWS\system32\netode.exe
C:\WINDOWS\system32\newsd32.exe
C:\WINDOWS\system32\phcrd9j0evn9.bmp
C:\WINDOWS\system32\ps1.exe
C:\WINDOWS\system32\psof1.exe
C:\WINDOWS\system32\psoft1.exe
C:\WINDOWS\system32\regc64.dll
C:\WINDOWS\system32\regm64.dll
C:\WINDOWS\system32\Rundl1.exe
C:\WINDOWS\system32\smp
C:\WINDOWS\system32\smp\msrc.exe
C:\WINDOWS\system32\sncntr.exe
C:\WINDOWS\system32\ssurf022.dll
C:\WINDOWS\system32\ssvchost.com
C:\WINDOWS\system32\ssvchost.exe
C:\WINDOWS\system32\sysreq.exe
C:\WINDOWS\system32\sysrest32.exe
C:\WINDOWS\system32\taack.dat
C:\WINDOWS\system32\taack.exe
C:\WINDOWS\system32\temp#01.exe
C:\WINDOWS\system32\thun.dll
C:\WINDOWS\system32\thun32.dll
C:\WINDOWS\system32\VBIEWER.OCX
C:\WINDOWS\system32\vbsys2.dll
C:\WINDOWS\system32\vcatchpi.dll
C:\WINDOWS\system32\windows.scr
C:\WINDOWS\system32\winlogonpc.exe
C:\WINDOWS\system32\winsystem.exe
C:\WINDOWS\system32\WINWGPX.EXE
C:\WINDOWS\tmlpcert2005
C:\WINDOWS\Web\default.htt
C:\WINDOWS\winhelp.ini
.
((((((((((((((((((((((((( Files Created from 2008-08-24 to 2008-09-24 )))))))))))))))))))))))))))))))
.
2008-09-22 11:14 . 2008-09-22 11:14 <DIR> d-------- C:\WINDOWS\Sun
2008-09-22 11:12 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-09-22 11:10 . 2008-09-22 11:10 <DIR> d-------- C:\Program Files\Java
2008-09-22 11:08 . 2008-09-22 11:08 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-22 10:43 . 2008-09-22 10:43 106,496 --a------ C:\WINDOWS\SYSTEM32\kvwdgfwd.exe
2008-09-19 16:06 . 2008-09-19 16:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-19 14:23 . 2008-09-19 14:24 206 --a------ C:\WINDOWS\SYSTEM32\MRT.INI
2008-09-19 13:45 . 2008-09-19 13:45 86,016 --a------ C:\WINDOWS\SYSTEM32\tufojefe.exe
2008-09-19 07:37 . 2008-09-19 07:37 90,112 --a------ C:\WINDOWS\SYSTEM32\rmxinsny.exe
2008-09-18 11:05 . 2008-09-18 11:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\fyxilary
2008-09-18 11:05 . 2008-09-18 09:00 165,888 --a------ C:\WINDOWS\SYSTEM32\sav.cpl
2008-09-18 11:05 . 2008-09-18 11:05 94,208 --a------ C:\WINDOWS\SYSTEM32\fobsdyle.exe
2008-09-18 11:05 . 2008-09-18 11:05 71,684 --a------ C:\WINDOWS\SYSTEM32\msrsa.dll
2008-09-18 11:04 . 2008-09-18 11:05 120,836 --a------ C:\WINDOWS\SYSTEM32\msxml71.dll
2008-09-03 13:48 . 2008-09-03 13:48 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-09-03 13:48 . 2008-09-03 13:48 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-09-03 13:48 . 2008-09-03 13:48 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-03 11:52 . 2008-04-13 17:12 897,024 --------- C:\WINDOWS\SYSTEM32\dllcache\wmspdmoe.dll
2008-09-03 11:51 . 2008-04-13 17:12 786,432 --------- C:\WINDOWS\SYSTEM32\dllcache\migrate.exe
2008-09-03 11:50 . 2008-04-13 17:12 1,119,744 --------- C:\WINDOWS\SYSTEM32\dllcache\wmsdmoe2.dll
2008-09-03 11:49 . 2008-04-13 10:28 2,940,928 --------- C:\WINDOWS\SYSTEM32\dllcache\wmploc.dll
2008-09-03 11:48 . 2001-08-23 05:00 381,425 --------- C:\WINDOWS\SYSTEM32\dllcache\copycd.wmv
2008-09-03 11:47 . 2002-11-04 19:02 613,334 --------- C:\WINDOWS\SYSTEM32\dllcache\wmplayer.chm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\dllcache\cdm.dll
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wuaueng.dll
2008-07-19 05:07 270,880 ----a-w C:\WINDOWS\SYSTEM32\mucltui.dll
2008-07-19 05:07 210,976 ----a-w C:\WINDOWS\SYSTEM32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\SYSTEM32\dllcache\es.dll
2008-06-24 17:57 3,592,192 ------w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-24 16:43 74,240 ------w C:\WINDOWS\SYSTEM32\dllcache\mscms.dll
2007-08-13 18:18 76,672 ----a-w C:\Documents and Settings\server\Application Data\GDIPFONTCACHEV1.DAT
2004-06-04 22:59 72,600 ----a-w C:\Documents and Settings\Tisha Acuna\Application Data\GDIPFONTCACHEV1.DAT
2004-05-28 17:52 34 ----a-w C:\Documents and Settings\Tisha Acuna\Application Data\tvmuknwrd.dll
2004-05-28 16:04 167,983 ----a-w C:\Documents and Settings\Tisha Acuna\Application Data\tvmknwrd.dll
2003-03-18 03:27 307,904 ----a-w C:\WINDOWS\inf\wg311nd5.sys
2003-02-03 15:36 2,238 ----a-w C:\Program Files\software.ico
2003-02-03 15:36 2,238 ----a-w C:\Program Files\computer.ico
2002-07-31 18:36 41,158 ----a-w C:\Program Files\unetUninstall.exe
2002-06-14 22:18 28,136 ----a-w C:\Documents and Settings\default\Application Data\GDIPFONTCACHEV1.DAT
2001-08-13 16:27 271 --sh--w C:\Program Files\desktop.ini
2001-01-11 15:02 794,624 ----a-w C:\WINDOWS\inf\OTHER\audio3d.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4B24ECA-DB17-43e0-9E25-99A142F079EA}]
2008-09-18 11:05 71684 --a------ C:\WINDOWS\system32\msrsa.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"StrMsgCom"="C:\WINDOWS\system32\fobsdyle.exe" [2008-09-18 94208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AS01_Netgear"="C:\Program Files\NETGEAR\WG311 Wireless Smart Configuration\Utility\NetgearAG.exe" [2003-12-19 446464]
"AS00_Netgear"="C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe" [2003-05-16 389120]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"Tweak UI"="TWEAKUI.CPL" [2002-12-02 C:\WINDOWS\SYSTEM32\TWEAKUI.CPL]
"AtiPTA"="Atiptaxx.exe" [2001-10-10 C:\WINDOWS\SYSTEM32\atiptaxx.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 C:\WINDOWS\KHALMNPR.Exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\PROGRA~1\MESSEN~1\msmsgs.exe" [2008-04-13 1695232]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2006-09-02 100032]
"ctfmon.exe"="ctfmon.exe" [2008-04-13 C:\WINDOWS\SYSTEM32\ctfmon.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Printing Migration"="C:\WINDOWS\System32\spool\migrate.dll" [2001-08-23 30208]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"RhRrs7egkd"="C:\Documents and Settings\All Users\Application Data\fyxilary\jixkpybe.exe" [2008-09-18 65536]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Canon PC1200 iC D700 Status Window.LNK - C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\CAPM3LAK.EXE [2004-02-13 30208]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-02-22 67128]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yvu9"= ATIYVU9.DLL
"VIDC.VDOM"= vdowave.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Canon PC1200 iC D700 Status Window.LNK]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Canon PC1200 iC D700 Status Window.LNK
backup=C:\WINDOWS\pss\Canon PC1200 iC D700 Status Window.LNKCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk
backup=C:\WINDOWS\pss\Forget Me Not.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideACT!.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SideACT!.lnk
backup=C:\WINDOWS\pss\SideACT!.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LimeShop]
wjview [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--------- 2004-05-24 13:56 1396846 C:\Program Files\ahead\InCD\InCD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 17:12 1695232 C:\PROGRA~1\MESSEN~1\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\SYSTEM32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Openwares LiveUpdate]
--a------ 2003-12-13 10:17 61440 C:\Program Files\LIVEUPDATE\LiveUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2003-10-01 09:57 77824 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2003-11-25 12:48 151597 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
--a------ 2001-10-22 10:24 1216512 C:\WINDOWS\mixer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ScanRegistry"=C:\WINDOWS\scanregw.exe /autorun
"TaskMonitor"=C:\WINDOWS\taskmon.exe
"PCHealth"=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
"SystemTray"=SysTray.Exe
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Tour"=C:\WINDOWS\wincool.exe /30m
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"HP LaserJet ToolBox"=hppropty.exe
"UpdateMgr.exe"="C:\PROGRAM FILES\EARTHLINK 5.0\UPDATEMGR.EXE" /NOCM
"ConMgr.exe"="C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
"AccessRampMonitor"="C:\Program Files\EarthLink 5.0\FastLane\ARMon32.exe"
"CMESys"="C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
"Winkec"=C:\WINDOWS\SYSTEM32\Winkec.exe
"LoadQM"=loadqm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"SchedulingAgent"=mstask.exe
"SSDPSRV"=C:\WINDOWS\SYSTEM\ssdpsrv.exe
"*StateMgr"=C:\WINDOWS\System\Restore\StateMgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Hawking PrintServer Utilities\\PortSetup.exe"=
"C:\\Program Files\\Hawking PrintServer Utilities\\WinUtil\\PSAdmin.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\ACT\\ActUpdt.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"2891:UDP"= 2891:UDP:Windows Media Format SDK (iexplore.exe)
"2890:UDP"= 2890:UDP:Windows Media Format SDK (iexplore.exe)
R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\drivers\BsStor.sys [2001-11-08 8040]
R2 RapidPortM3;RapidPortM3;C:\WINDOWS\System32\Drivers\CAPM3LP.SYS [2003-06-03 22976]
R3 ati2mpad;ati2mpad;C:\WINDOWS\system32\DRIVERS\ati2mpad.sys [2001-12-21 303232]
R3 AWINDIS5;AWINDIS5 Protocol Driver;C:\WINDOWS\System32\AWINDIS5.SYS [2002-04-11 16194]
S3 NETGEAR_WG311_SERVICE;NETGEAR WG311 Wireless PCI Adapter Service;C:\WINDOWS\system32\DRIVERS\wg311nd5.sys [2003-03-17 307936]
S3 OPHE DCS Loader;OPHE DCS Loader;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHELDCS.EXE [2005-08-17 24576]
S4 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys [2001-12-04 299904]
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-lphcrd9j0evn9 - C:\WINDOWS\system32\lphcrd9j0evn9.exe
HKLM-Run-inrhcvd9j0evn9 - C:\Documents and Settings\server\Local Settings\Temp\.ttC.tmp.exe
MSConfigStartUp-ConMgr - C:\Program Files\EarthLink 5.0\ConMgr.exe
MSConfigStartUp-fash - C:\WINDOWS\fash.exe
MSConfigStartUp-Microsoft Works Update Detection - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
MSConfigStartUp-RunDLL - C:\WINDOWS\Downloaded Program Files\bridge.dll
MSConfigStartUp-TV Media - C:\Program Files\TV Media\Tvm.exe
.
------- Supplementary Scan -------
.
R0 -: HKLM-Main,Search Bar = hxxp://www.earthlink.net/partner/more/msie/button/search.html
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-Internet Settings,ProxyOverride = <local>
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O18 -: Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\SYSTEM\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-24 09:47:40
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-09-24 9:49:22
ComboFix-quarantined-files.txt 2008-09-24 16:49:14
Pre-Run: 3,100,196,864 bytes free
Post-Run: 4,983,504,896 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout = 30
default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
294 --- E O F --- 2008-09-19 21:25:14
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:52:04 AM, on 9/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\CAPM3RSK.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\All Users\Application Data\fyxilary\jixkpybe.exe
C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe
C:\WINDOWS\system32\Atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\fobsdyle.exe
C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\CAPM3LAK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3SWK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3SWK.EXE
C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\CAPM3SWK.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Redirector module - {C4B24ECA-DB17-43e0-9E25-99A142F079EA} - C:\WINDOWS\system32\msrsa.dll
O4 - HKLM\..\Run: [AS01_Netgear] C:\Program Files\NETGEAR\WG311 Wireless Smart Configuration\Utility\NetgearAG.exe -hide
O4 - HKLM\..\Run: [AS00_Netgear] C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe -hide
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [StrMsgCom] C:\WINDOWS\system32\fobsdyle.exe
O4 - HKLM\..\Policies\Explorer\Run: [RhRrs7egkd] C:\Documents and Settings\All Users\Application Data\fyxilary\jixkpybe.exe
O4 - HKUS\S-1-5-19\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
O4 - Global Startup: Canon PC1200 iC D700 Status Window.LNK = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\CAPM3LAK.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182195887631
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: OPHE DCS Loader - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHELDCS.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 8162 bytes
pskelley
2008-09-24, 20:48
Thanks for returning your information and the feedback. I appreciate you sending that file to Mieke. I will mention briefly that a Kaspersky scan is no longer required (unless we ask for it) but since you posted it, I will look at it first.
KASPERSKY ONLINE SCANNER 7 REPORT Wednesday, September 24, 2008
The majority of the bad items are in the NAV quarantine, if you have not done so, do this.
C:\Program Files\Norton AntiVirus\Quarantine\ <<< delete everything in that folder in red.
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000041213443506
The rest will likely be removed during the process that is ahead. I will ask you to run Kaspersky Online Scan (KOS) again at the end to make sure we missed nothing.
Read and follow the directions carefully and in the numbered order.
1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
2) Open notepad and copy/paste the text in the codebox below into it:
File::
C:\WINDOWS\system32\fobsdyle.exe
C:\WINDOWS\system32\msrsa.dll
C:\WINDOWS\SYSTEM32\kvwdgfwd.exe
C:\WINDOWS\SYSTEM32\tufojefe.exe
C:\WINDOWS\SYSTEM32\rmxinsny.exe
C:\WINDOWS\SYSTEM32\fobsdyle.exe
C:\WINDOWS\SYSTEM32\msxml71.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4B24ECA-DB17-43e0-9E25-99A142F079EA}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"RhRrs7egkd"=-
Folder::
C:\Documents and Settings\All Users\Application Data\fyxilary
Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (Wait until you finish to post the logs.)
3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: Redirector module - {C4B24ECA-DB17-43e0-9E25-99A142F079EA} - C:\WINDOWS\system32\msrsa.dll
O4 - HKCU\..\Run: [StrMsgCom] C:\WINDOWS\system32\fobsdyle.exe
O4 - HKLM\..\Policies\Explorer\Run: [RhRrs7egkd] C:\Documents and Settings\All Users\Application Data\fyxilary\jixkpybe.exe
Close all programs but HJT and all browser windows, then click on "Fix Checked"
4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the Log from MBAM and a new HJT log.
How is the computer running now?
Thanks...Phil
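Phil asks for the new ComboFix log so he can confirm the CFScript took effect. As an added example that is not part of this thread or of ComboFix itself, the Python below parses the "Reg Loading Points" section of a before and an after log plus the Registry:: section of the CFScript, then reports which autostart values vanished, which are new, and which scripted deletions are still present; the sample input is copied from the Run-key lines quoted in this thread, and the line formats the regexes assume are read off those lines rather than taken from any ComboFix documentation.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input, copied from the "Reg Loading Points" lines quoted in this
# thread: the first ComboFix log (before the CFScript) and the second one (after).
BEFORE = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4B24ECA-DB17-43e0-9E25-99A142F079EA}]
2008-09-18 11:05 71684 --a------ C:\WINDOWS\system32\msrsa.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"StrMsgCom"="C:\WINDOWS\system32\fobsdyle.exe" [2008-09-18 94208]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"RhRrs7egkd"="C:\Documents and Settings\All Users\Application Data\fyxilary\jixkpybe.exe" [2008-09-18 65536]
"""
AFTER = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ChkApi"="C:\WINDOWS\system32\ngzadmvs.exe" [2008-09-24 90112]
"""
# The Registry:: section of the CFScript posted above: "[-key]" deletes the whole
# key, a value line ending in "=-" deletes that value under the preceding key.
CFSCRIPT = r"""
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4B24ECA-DB17-43e0-9E25-99A142F079EA}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"RhRrs7egkd"=-
Folder::
C:\Documents and Settings\All Users\Application Data\fyxilary
"""
# "name"="target" [date size]; the bracket sometimes holds a date plus a resolved
# path instead of a size, so only the date is taken from it (assumed format).
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<target>.*?)\s*(?:\[(?P<meta>[^\]]*)\])?\s*$')
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")
Entry = Tuple[str, str]   # (registry key, value name)


def parse_loading_points(text: str) -> Tuple[Set[str], Dict[Entry, Tuple[str, str]]]:
    """Return the keys listed and {(key, value name): (target path, file date)}."""
    keys: Set[str] = set()
    entries: Dict[Entry, Tuple[str, str]] = {}
    key = None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            keys.add(key)
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue   # blank lines, REGEDIT4, the bare file line under a BHO CLSID key
        dm = DATE_RE.search(m.group("meta") or "")
        entries[(key, m.group("name"))] = (m.group("target").strip().strip('"'),
                                           dm.group(0) if dm else "")
    return keys, entries


def compare_autostarts(before: str, after: str) -> Dict[str, Dict[Entry, Tuple[str, str]]]:
    """Diff the autostart values of two logs: what vanished and what is new."""
    _, b = parse_loading_points(before)
    _, a = parse_loading_points(after)
    return {"removed": {e: v for e, v in b.items() if e not in a},
            "added": {e: v for e, v in a.items() if e not in b}}


def cfscript_registry_deletions(script: str) -> Tuple[Set[str], Set[Entry]]:
    """Collect the keys and (key, value) pairs the Registry:: section deletes."""
    gone_keys: Set[str] = set()
    gone_values: Set[Entry] = set()
    in_registry, key = False, None
    for line in (ln.strip() for ln in script.splitlines()):
        if line.endswith("::"):            # File::, Registry::, Folder:: headers
            in_registry = line == "Registry::"
        elif not in_registry or not line:
            continue
        elif line.startswith("[-") and line.endswith("]"):
            gone_keys.add(line[2:-1])
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith('"') and line.endswith('"=-') and key:
            gone_values.add((key, line[1:-3]))
    return gone_keys, gone_values


def verify_cfscript(script: str, after_log: str) -> List[str]:
    """List scripted registry deletions the post-run log still shows (keys compare case-insensitively)."""
    gone_keys, gone_values = cfscript_registry_deletions(script)
    keys, entries = parse_loading_points(after_log)
    keys_l = {k.lower() for k in keys}
    entries_l = {(k.lower(), n.lower()) for k, n in entries}
    problems = [f"key still present: {k}" for k in sorted(gone_keys) if k.lower() in keys_l]
    problems += [f"value still present: {k}\\{n}" for k, n in sorted(gone_values)
                 if (k.lower(), n.lower()) in entries_l]
    return problems


if __name__ == "__main__":
    diff = compare_autostarts(BEFORE, AFTER)
    for label in ("removed", "added"):
        for (_, name), (target, date) in sorted(diff[label].items()):
            print(f"{label:8} {name:12} -> {target}  (file dated {date})")
    for problem in verify_cfscript(CFSCRIPT, AFTER):   # empty means every deletion took
        print("NOT FIXED:", problem)
```

StrMsgCom never appears in Registry::, it disappears because File:: removed its target, so the before/after diff is what shows it gone; a value that is new in the after log and points at a file dated the day of the cleanup is the kind of line a helper checks next.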
Phil ~
It's probably not a good sign when I'm stuck at the first step!
I went to the hyperlink you sent for deleting files from Norton. When I click on Norton AntiVirus from my Start menu...the only option is Live/Update, Quarantine & Restore. Then I tried going to Symantec Client Security, which leads to Symantec Antivirus...but there is no Reports option on the left-hand side. There was an option to view Quarantined, which I did, but nothing showed up, and I had "all files" selected. So, I tried going at it from the other side by going to "My Computer" and then opening folders to get to the Quarantine folder...there are some files listed in this folder, but none are in red!
Help....should I continue with the other steps or ???
Stace
pskelley
2008-09-24, 21:40
Hi Stacey, I don't use Norton/Symantec and the information I posted for you was provided by them.
C:\Program Files\Norton AntiVirus\Quarantine\ <<< delete everything in that folder in red.
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000041213443506
Removing files from Norton AntiVirus Quarantine
That's what you have there: C:\Program Files\Norton AntiVirus
If Norton/Symantec's own instructions do not work, you will have to contact them for new instructions, here is the link for technical support:
http://www.symantec.com/enterprise/support/index.jsp
The items in question are quarantined and can do you no harm as such, but you should be able to delete files from the quarantine folder of a program you pay for? What say you?
You may continue with the rest of the directions; the outcome does not depend on the NAV quarantine. It will not do any good, however, to run KOS looking for it to be clean, as it will continue to show those quarantined items.
Thanks
Phil ~ Would there be any harm in just deleting all of the files located in the Quarantine folder??? ~ Stacey
pskelley
2008-09-24, 21:46
Not at all :) In fact, that is what I said.
C:\Program Files\Norton AntiVirus\Quarantine\
<<< delete everything in that folder in red.
Sorry...I was actually looking for something to show up in red. :oops:
I'm on it now...I'll repost when I get all my assignments you gave me completed...
Okay, I'm going to post all scans below. The computer is running MUCH better!!!
One note: when I got to step 3, where you told me to "Open HijackThis and choose 'Do a system scan only' then check the box in front of these line items," I did the scan, but the line items you listed were not there. I don't know if maybe they were removed when the Norton Quarantine files were deleted or when ComboFix was run with the CFScript. :scratch:
So here is my CFScript Log...
ComboFix 08-09-24.01 - server 2008-09-24 12:17:17.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.174 [GMT -7:00]
Running from: C:\Documents and Settings\server\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\server\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\WINDOWS\system32\fobsdyle.exe
C:\WINDOWS\SYSTEM32\fobsdyle.exe
C:\WINDOWS\system32\fobsdyle.exe
C:\WINDOWS\SYSTEM32\fobsdyle.exe
C:\WINDOWS\SYSTEM32\kvwdgfwd.exe
C:\WINDOWS\system32\msrsa.dll
C:\WINDOWS\SYSTEM32\msxml71.dll
C:\WINDOWS\SYSTEM32\rmxinsny.exe
C:\WINDOWS\SYSTEM32\tufojefe.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\fyxilary
C:\Documents and Settings\All Users\Application Data\fyxilary\jixkpybe.exe
C:\WINDOWS\SYSTEM32\fobsdyle.exe
C:\WINDOWS\SYSTEM32\kvwdgfwd.exe
C:\WINDOWS\system32\msrsa.dll
C:\WINDOWS\SYSTEM32\msxml71.dll
C:\WINDOWS\SYSTEM32\rmxinsny.exe
C:\WINDOWS\SYSTEM32\tufojefe.exe
.
((((((((((((((((((((((((( Files Created from 2008-08-24 to 2008-09-24 )))))))))))))))))))))))))))))))
.
2008-09-24 10:57 . 2008-09-24 10:57 90,112 --a------ C:\WINDOWS\SYSTEM32\ngzadmvs.exe
2008-09-22 11:14 . 2008-09-22 11:14 <DIR> d-------- C:\WINDOWS\Sun
2008-09-22 11:12 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-09-22 11:10 . 2008-09-22 11:10 <DIR> d-------- C:\Program Files\Java
2008-09-22 11:08 . 2008-09-22 11:08 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-19 16:06 . 2008-09-19 16:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-19 14:23 . 2008-09-19 14:24 206 --a------ C:\WINDOWS\SYSTEM32\MRT.INI
2008-09-18 11:05 . 2008-09-18 09:00 165,888 --a------ C:\WINDOWS\SYSTEM32\sav.cpl
2008-09-03 13:48 . 2008-09-03 13:48 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-09-03 13:48 . 2008-09-03 13:48 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-09-03 13:48 . 2008-09-03 13:48 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-03 11:52 . 2008-04-13 17:12 897,024 --------- C:\WINDOWS\SYSTEM32\dllcache\wmspdmoe.dll
2008-09-03 11:51 . 2008-04-13 17:12 786,432 --------- C:\WINDOWS\SYSTEM32\dllcache\migrate.exe
2008-09-03 11:50 . 2008-04-13 17:12 1,119,744 --------- C:\WINDOWS\SYSTEM32\dllcache\wmsdmoe2.dll
2008-09-03 11:49 . 2008-04-13 10:28 2,940,928 --------- C:\WINDOWS\SYSTEM32\dllcache\wmploc.dll
2008-09-03 11:48 . 2001-08-23 05:00 381,425 --------- C:\WINDOWS\SYSTEM32\dllcache\copycd.wmv
2008-09-03 11:47 . 2002-11-04 19:02 613,334 --------- C:\WINDOWS\SYSTEM32\dllcache\wmplayer.chm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\dllcache\cdm.dll
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wuaueng.dll
2008-07-19 05:07 270,880 ----a-w C:\WINDOWS\SYSTEM32\mucltui.dll
2008-07-19 05:07 210,976 ----a-w C:\WINDOWS\SYSTEM32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\SYSTEM32\dllcache\es.dll
2008-06-24 17:57 3,592,192 ------w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-24 16:43 74,240 ------w C:\WINDOWS\SYSTEM32\dllcache\mscms.dll
2007-08-13 18:18 76,672 ----a-w C:\Documents and Settings\server\Application Data\GDIPFONTCACHEV1.DAT
2004-06-04 22:59 72,600 ----a-w C:\Documents and Settings\Tisha Acuna\Application Data\GDIPFONTCACHEV1.DAT
2004-05-28 17:52 34 ----a-w C:\Documents and Settings\Tisha Acuna\Application Data\tvmuknwrd.dll
2004-05-28 16:04 167,983 ----a-w C:\Documents and Settings\Tisha Acuna\Application Data\tvmknwrd.dll
2003-03-18 03:27 307,904 ----a-w C:\WINDOWS\inf\wg311nd5.sys
2003-02-03 15:36 2,238 ----a-w C:\Program Files\software.ico
2003-02-03 15:36 2,238 ----a-w C:\Program Files\computer.ico
2002-07-31 18:36 41,158 ----a-w C:\Program Files\unetUninstall.exe
2002-06-14 22:18 28,136 ----a-w C:\Documents and Settings\default\Application Data\GDIPFONTCACHEV1.DAT
2001-08-13 16:27 271 --sh--w C:\Program Files\desktop.ini
2001-01-11 15:02 794,624 ----a-w C:\WINDOWS\inf\OTHER\audio3d.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ChkApi"="C:\WINDOWS\system32\ngzadmvs.exe" [2008-09-24 90112]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AS01_Netgear"="C:\Program Files\NETGEAR\WG311 Wireless Smart Configuration\Utility\NetgearAG.exe" [2003-12-19 446464]
"AS00_Netgear"="C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe" [2003-05-16 389120]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"Tweak UI"="TWEAKUI.CPL" [2002-12-02 C:\WINDOWS\SYSTEM32\TWEAKUI.CPL]
"AtiPTA"="Atiptaxx.exe" [2001-10-10 C:\WINDOWS\SYSTEM32\atiptaxx.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 C:\WINDOWS\KHALMNPR.Exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\PROGRA~1\MESSEN~1\msmsgs.exe" [2008-04-13 1695232]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2006-09-02 100032]
"ctfmon.exe"="ctfmon.exe" [2008-04-13 C:\WINDOWS\SYSTEM32\ctfmon.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Printing Migration"="C:\WINDOWS\System32\spool\migrate.dll" [2001-08-23 30208]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Canon PC1200 iC D700 Status Window.LNK - C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\CAPM3LAK.EXE [2004-02-13 30208]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-02-22 67128]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yvu9"= ATIYVU9.DLL
"VIDC.VDOM"= vdowave.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Canon PC1200 iC D700 Status Window.LNK]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Canon PC1200 iC D700 Status Window.LNK
backup=C:\WINDOWS\pss\Canon PC1200 iC D700 Status Window.LNKCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk
backup=C:\WINDOWS\pss\Forget Me Not.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideACT!.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SideACT!.lnk
backup=C:\WINDOWS\pss\SideACT!.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LimeShop]
wjview [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--------- 2004-05-24 13:56 1396846 C:\Program Files\ahead\InCD\InCD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 17:12 1695232 C:\PROGRA~1\MESSEN~1\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\SYSTEM32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Openwares LiveUpdate]
--a------ 2003-12-13 10:17 61440 C:\Program Files\LIVEUPDATE\LiveUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2003-10-01 09:57 77824 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2003-11-25 12:48 151597 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
--a------ 2001-10-22 10:24 1216512 C:\WINDOWS\mixer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ScanRegistry"=C:\WINDOWS\scanregw.exe /autorun
"TaskMonitor"=C:\WINDOWS\taskmon.exe
"PCHealth"=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
"SystemTray"=SysTray.Exe
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Tour"=C:\WINDOWS\wincool.exe /30m
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"HP LaserJet ToolBox"=hppropty.exe
"UpdateMgr.exe"="C:\PROGRAM FILES\EARTHLINK 5.0\UPDATEMGR.EXE" /NOCM
"ConMgr.exe"="C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
"AccessRampMonitor"="C:\Program Files\EarthLink 5.0\FastLane\ARMon32.exe"
"CMESys"="C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
"Winkec"=C:\WINDOWS\SYSTEM32\Winkec.exe
"LoadQM"=loadqm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"SchedulingAgent"=mstask.exe
"SSDPSRV"=C:\WINDOWS\SYSTEM\ssdpsrv.exe
"*StateMgr"=C:\WINDOWS\System\Restore\StateMgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Hawking PrintServer Utilities\\PortSetup.exe"=
"C:\\Program Files\\Hawking PrintServer Utilities\\WinUtil\\PSAdmin.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\ACT\\ActUpdt.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"2891:UDP"= 2891:UDP:Windows Media Format SDK (iexplore.exe)
"2890:UDP"= 2890:UDP:Windows Media Format SDK (iexplore.exe)
R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\drivers\BsStor.sys [2001-11-08 8040]
R2 RapidPortM3;RapidPortM3;C:\WINDOWS\System32\Drivers\CAPM3LP.SYS [2003-06-03 22976]
R3 ati2mpad;ati2mpad;C:\WINDOWS\system32\DRIVERS\ati2mpad.sys [2001-12-21 303232]
R3 AWINDIS5;AWINDIS5 Protocol Driver;C:\WINDOWS\System32\AWINDIS5.SYS [2002-04-11 16194]
S3 NETGEAR_WG311_SERVICE;NETGEAR WG311 Wireless PCI Adapter Service;C:\WINDOWS\system32\DRIVERS\wg311nd5.sys [2003-03-17 307936]
S3 OPHE DCS Loader;OPHE DCS Loader;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHELDCS.EXE [2005-08-17 24576]
S4 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys [2001-12-04 299904]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-StrMsgCom - C:\WINDOWS\system32\fobsdyle.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-24 12:21:51
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-09-24 12:23:19
ComboFix-quarantined-files.txt 2008-09-24 19:23:12
ComboFix2.txt 2008-09-24 16:49:26
Pre-Run: 4,927,930,368 bytes free
Post-Run: 4,931,731,456 bytes free
216 --- E O F --- 2008-09-19 21:25:14
Here is my MBAM Log...
Malwarebytes' Anti-Malware 1.28
Database version: 1203
Windows 5.1.2600 Service Pack 3
9/24/2008 2:33:20 PM
mbam-log-2008-09-24 (14-33-20).txt
Scan type: Full Scan (A:\|C:\|D:\|E:\|S:\|T:\|)
Objects scanned: 123347
Time elapsed: 1 hour(s), 55 minute(s), 1 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chkapi (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\SYSTEM32\ngzadmvs.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sav.cpl (Rogue.SystemAntiVirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tisha Acuna\Application Data\tvmknwrd.dll (Trojan.Agent) -> Quarantined and deleted successfully.
Here is my new HJT log...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:40:35 PM, on 9/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CAPM3RSK.EXE
C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe
C:\WINDOWS\system32\Atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\CAPM3LAK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3SWK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3SWK.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\CAPM3SWK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AS01_Netgear] C:\Program Files\NETGEAR\WG311 Wireless Smart Configuration\Utility\NetgearAG.exe -hide
O4 - HKLM\..\Run: [AS00_Netgear] C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe -hide
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
O4 - Global Startup: Canon PC1200 iC D700 Status Window.LNK = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\CAPM3LAK.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182195887631
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: OPHE DCS Loader - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHELDCS.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 7889 bytes
pskelley
2008-09-25, 02:16
Those items you asked about at the start of post #15 were removed by the CFScript; I often do a double check to make sure they are gone.
Everything looks good, this infection called Vundo or Virtumonde has the ability to morph and recreate files if it is not all removed. I see one file I want you to look for to be sure it is gone. First, make sure you can view all files and folders:
How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
Now navigate to this folder: C:\WINDOWS\SYSTEM32\ and look for this file: ngzadmvs.exe. If it is there, right-click and delete it, then empty the Recycle Bin to make sure it is gone. If it is not there, be sure, then move on.
Remove combofix from the computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Clean the System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Update MBAM and run a scan to make sure we got all of the junk, no need to post a clean scan result.
Update Symantec and scan the system to make sure it is running right and scanning clean. If you have problems with the program, contact tech support for help.
http://www.symantec.com/enterprise/support/index.jsp
If all is going well at this point, then run KOS again and post the results (unless it is clean).
Thanks...Phil
KOS? Is that the Kaspersky Scan?
pskelley
2008-09-25, 02:47
From my post #9
The rest will likely be removed during the process that is ahead. I will ask you to run Kaspersky Online Scan (KOS) again at the end to make sure we missed nothing.
Good Morning Phil ~
Well, I thought we were doing so well...the file you asked me to look for and delete - ngzadmvs.exe - was not there. MBAM and Symantec came back clean...but the KOS did not. :sad:
Below is the KOS report... I guess I'll be looking forward to your next post :)
Stace
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, September 26, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, September 25, 2008 21:42:40
Records in database: 1261581
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
S:\
T:\
Scan statistics:
Files scanned: 78631
Threat name: 7
Infected objects: 8
Suspicious objects: 2
Duration of the scan: 06:25:44
File name / Threat name / Threats count
C:\WINDOWS\raven_def.exe Infected: Trojan-Downloader.Win32.Wren.r 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CC80000\4CD9BD24.VBN Infected: Email-Worm.Win32.Zhelatin.vl 1
C:\Documents and Settings\default\Application Data\Identities\{58A8D38F-A258-4414-B3D5-B2FE3A8756BC}\Microsoft\Outlook Express\Inbox.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 2
C:\Documents and Settings\default\Application Data\Identities\{58A8D38F-A258-4414-B3D5-B2FE3A8756BC}\Microsoft\Outlook Express\Inbox.dbx Infected: Email-Worm.Win32.Klez.h 3
C:\Documents and Settings\Tisha Acuna\My Documents\explodhdt.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\Documents and Settings\Tisha Acuna\My Documents\explodhdt.exe Infected: not-a-virus:AdWare.Win32.EZula.cp 1
C:\Documents and Settings\Tisha Acuna\My Documents\explodhdt.exe Infected: not-a-virus:AdWare.Win32.Gator.3103 1
The selected area was scanned.
pskelley
2008-09-26, 19:14
This is not too bad; since there are only seven (7), I will show them all to you so you will know where the junk hides and what malware is being put on your computer.
(Delete the file in red)
C:\WINDOWS\raven_def.exe ------> Trojan-Downloader.Win32.Wren.r 1
(Delete everything in that quarantine folder)
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CC80000\4CD9BD24.VBN ------> Email-Worm.Win32.Zhelatin.vl 1
(may be tricky, infected email, may be only one. I suggest you delete everything in the area in red)
C:\Documents and Settings\default\Application Data\Identities\{58A8D38F-A258-4414-B3D5-B2FE3A8756BC}\Microsoft\Outlook Express\Inbox.dbx <------Exploit.HTML.Iframe.FileDownload 2
C:\Documents and Settings\default\Application Data\Identities\{58A8D38F-A258-4414-B3D5-B2FE3A8756BC}\Microsoft\Outlook Express\Inbox.dbx ------> Email-Worm.Win32.Klez.h 3
(This may just be one file also, delete any you see in the My Documents folder)
C:\Documents and Settings\Tisha Acuna\My Documents\explodhdt.exe ------> AdWare.Win32.NewDotNet 1
C:\Documents and Settings\Tisha Acuna\My Documents\explodhdt.exe ------> AdWare.Win32.EZula.cp 1
C:\Documents and Settings\Tisha Acuna\My Documents\explodhdt.exe ------> AdWare.Win32.Gator.3103 1
If that takes care of your problems, then I will leave this information with you.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...Phil
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
http://users.telenet.be/bluepatchy/miekiemoes/Links.html
I would like to say that everything came back clean...but...
MBAM came back clean
Symantec came back clean
KOS shows one infection...log is below
Hope you had a great weekend!
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, September 29, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, September 26, 2008 22:02:08
Records in database: 1264151
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
S:\
T:\
Scan statistics:
Files scanned: 78770
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 06:50:03
File name / Threat name / Threats count
C:\System Volume Information\_restore{3A31054E-0FE0-41DC-8250-6AB776C1815F}\RP1\A0000013.exe Infected: Trojan-Downloader.Win32.Wren.r 1
The selected area was scanned.
pskelley
2008-09-29, 18:34
C:\System Volume Information\_restore
MANUAL INSTRUCTIONS FOR SYSTEM RESTORE
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
:eek:
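As an added triage example (not code from the thread or from Kaspersky), the following Python parses the KOS 7 detection lines quoted in the two reports above and sorts each hit by where it hides, the way Phil does: a live file on disk, an antivirus quarantine folder, an Outlook Express .dbx mail store, or a System Restore point that needs the restore-flush procedure rather than a file delete. The sample report text is constructed from the lines in the thread; the location labels and action strings are my own, and summarize() should reproduce the report's own "Scan statistics" numbers.

```python
# Added triage helper for Kaspersky Online Scanner 7 detection lines (not code
# from the thread or from Kaspersky). It parses the "File name / Threat name /
# Threats count" lines of a KOS 7 report and sorts each hit by where it hides,
# the way the thread does, pairing it with the clean-up step recommended there.
import re
from collections import Counter
from dataclasses import dataclass

# One detection line: <path> Infected|Suspicious: <threat> <count>
# Paths contain spaces, so the path group is non-greedy and anchored on the
# status keyword; Kaspersky threat names never contain spaces.
_LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<status>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)

# Constructed sample: the detection lines of the thread's two KOS 7 reports in
# the scanner's own line format (header and trailer lines are ignored).
REPORT_SEPT_26 = r"""
File name / Threat name / Threats count
C:\WINDOWS\raven_def.exe Infected: Trojan-Downloader.Win32.Wren.r 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CC80000\4CD9BD24.VBN Infected: Email-Worm.Win32.Zhelatin.vl 1
C:\Documents and Settings\default\Application Data\Identities\{58A8D38F-A258-4414-B3D5-B2FE3A8756BC}\Microsoft\Outlook Express\Inbox.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 2
C:\Documents and Settings\default\Application Data\Identities\{58A8D38F-A258-4414-B3D5-B2FE3A8756BC}\Microsoft\Outlook Express\Inbox.dbx Infected: Email-Worm.Win32.Klez.h 3
C:\Documents and Settings\Tisha Acuna\My Documents\explodhdt.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\Documents and Settings\Tisha Acuna\My Documents\explodhdt.exe Infected: not-a-virus:AdWare.Win32.EZula.cp 1
C:\Documents and Settings\Tisha Acuna\My Documents\explodhdt.exe Infected: not-a-virus:AdWare.Win32.Gator.3103 1
The selected area was scanned.
"""
REPORT_SEPT_29 = r"""
C:\System Volume Information\_restore{3A31054E-0FE0-41DC-8250-6AB776C1815F}\RP1\A0000013.exe Infected: Trojan-Downloader.Win32.Wren.r 1
"""


@dataclass(frozen=True)
class Hit:
    path: str
    status: str    # "Infected" or "Suspicious"
    threat: str    # e.g. "Trojan-Downloader.Win32.Wren.r"
    count: int
    location: str  # "live_file", "quarantine", "mail_store" or "restore_point"
    action: str    # clean-up step for that location

    @property
    def riskware(self):
        # Kaspersky tags adware/riskware with a "not-a-virus:" prefix.
        return self.threat.startswith("not-a-virus:")


def classify(path):
    """Map a detected path to where it hides and what to do about it."""
    lower = path.lower()
    if "\\system volume information\\_restore" in lower:
        # A restore point holds a dormant copy that can be reinstated; it is
        # purged by turning System Restore off, rebooting and turning it on.
        return "restore_point", "flush System Restore (off, reboot, on)"
    if "\\quarantine\\" in lower:
        # Already neutralised by the antivirus; just empty the quarantine.
        return "quarantine", "empty the antivirus quarantine folder"
    if lower.endswith(".dbx"):
        # Outlook Express keeps a whole mail folder in one .dbx file, so the
        # hit is an infected message, not a program that has run.
        return "mail_store", "delete the infected messages from that mail folder"
    return "live_file", "delete the file, empty the Recycle Bin, rescan"


def parse_report(text):
    """Return a Hit for every detection line; all other lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            location, action = classify(m["path"])
            hits.append(Hit(m["path"], m["status"], m["threat"],
                            int(m["count"]), location, action))
    return hits


def summarize(hits):
    """Rebuild the report's 'Scan statistics' block plus a tally by location."""
    return {
        "threat_names": len({h.threat for h in hits}),
        "infected_objects": sum(h.count for h in hits if h.status == "Infected"),
        "suspicious_objects": sum(h.count for h in hits if h.status == "Suspicious"),
        "by_location": dict(Counter(h.location for h in hits)),
    }
```

Run parse_report() on a saved KOS report and print each Hit's location and action to get the same walk-through Phil gives by hand; a hit under System Volume Information is the one case where deleting the file is not the fix.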