Virtumonde infection
alexchris
2008-10-20, 15:35
here is the HJ log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:33:02 PM, on 10/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\lsfwhkfe\jkfklwdm.exe
C:\WINDOWS\system32\tatwvink.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\tatwvink.exe
E:\HjackTHIS ex 2.0.2\HiJackThis.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: {f93735a8-ce23-54f9-0014-5e0027b6c1cd} - {dc1c6b72-00e5-4100-9f45-32ec8a53739f} - C:\WINDOWS\system32\jdkigf.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [BMN] "C:\Program Files\Common Files\SystemErrorFixer\strpmon.exe" dm=http://systemerrorfixer.com ad=http://systemerrorfixer.com sd=http://inspaid.systemerrorfixer.com
O4 - HKCU\..\Run: [srvdb] C:\WINDOWS\system32\tatwvink.exe
O4 - HKCU\..\Run: [MsgGenUtil] C:\WINDOWS\system32\glubmzob.exe
O4 - HKCU\..\Run: [procact] C:\WINDOWS\system32\titafgzu.exe
O4 - HKCU\..\Run: [StrMon] C:\WINDOWS\system32\nsbypedo.exe
O4 - HKCU\..\Run: [WebMsg] C:\WINDOWS\system32\yfgtmpil.exe
O4 - HKLM\..\Policies\Explorer\Run: [HNZtE9bHWk] C:\Documents and Settings\All Users\Application Data\lsfwhkfe\jkfklwdm.exe
O8 - Extra context menu item: &Search - ?p=ZKxdm014YYSG
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
O20 - AppInit_DLLs: jdkigf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwssvc.exe (file missing)
--
End of file - 4634 bytes
+++ Virtumonde keeps appearing in spite of the fact that Spybot says it has been cleaned. Please advise what I can do to get rid of it permanently, thanks
alexchris
2008-10-21, 03:17
May I know if there is any action that I need to take with the HJ log? Many thanks
pskelley
2008-10-21, 03:20
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.
1) It appears the directions were not followed? HJT is located unsafely, follow these directions.
Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log. <<< close HJT until you need it later.
2) TeaTimer is not running, DO NOT start TeaTimer while we are working together.
3) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)
4) Remove any old copies of combofix before you proceed.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
Read and follow these directions
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Thanks to sUBs and anyone else who helped with this fix.
It is important that it is saved directly to your Desktop.
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Post the Uninstall list, the combofix log and a new HJT log.
Thanks
alexchris
2008-10-21, 11:51
Here are the 3 files: a/ HJ, b/ Uninstall, c/ ComboFix
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:46:31 PM, on 10/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Documents and Settings\All Users\Application Data\lsfwhkfe\jkfklwdm.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Policies\Explorer\Run: [HNZtE9bHWk] C:\Documents and Settings\All Users\Application Data\lsfwhkfe\jkfklwdm.exe
O8 - Extra context menu item: &Search - ?p=ZKxdm014YYSG
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: jdkigf.dll,avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
--
End of file - 4919 bytes
+++
Ad-Aware
Adobe AIR
Adobe AIR
Adobe Flash Player ActiveX
Adobe Reader 9
Adobe Shockwave Player
AVG Free 8.0
Camera RAW Plug-In for EPSON Creativity Suite
CX4300_5500_DX4400 manual
DSL206U ADSL USB Modem
EPSON Attach To Email
EPSON Copy Utility 3
EPSON Easy Photo Print
EPSON File Manager
EPSON Scan
EPSON Scan Assistant
EPSON Web-To-Page
EPSON 印表機軟體 (EPSON printer software)
Feeding Frenzy 2 (1.0)
Free WMA to MP3 Converter 1.16
GunboundWC
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Insaniquarium Deluxe 1.0
Intel(R) Extreme Graphics Driver
Java(TM) 6 Update 3
MapleStory
Microsoft .NET Framework 2.0
Microsoft Office XP Professional with FrontPage
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
MSN Toolbar
NetBattle
QuickTime
Rakion International
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Spybot - Search & Destroy
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Virtools 3D Life Player
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Live installer
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Writer
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
Wonderland Online 2.0.3
+++
ComboFix 08-10-19.04 - Administrator 2008-10-21 16:28:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.78 [GMT 8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator\My Documents\My Documents.url
C:\Documents and Settings\Administrator\My Documents\My Music\My Music.url
C:\Documents and Settings\Administrator\My Documents\My Pictures\My Pictures.url
C:\Documents and Settings\Administrator\My Documents\My Videos\My Video.url
C:\WINDOWS\BM236c1fab.txt
C:\WINDOWS\BM236c1fab.xml
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\ajnvgnsl.ini
C:\WINDOWS\system32\ayhkfbdn.ini
C:\WINDOWS\system32\bembhhcm.ini
C:\WINDOWS\system32\casino1.ico
C:\WINDOWS\system32\casino2.ico
C:\WINDOWS\system32\casino3.ico
C:\WINDOWS\system32\dytwqcvd.ini
C:\WINDOWS\system32\ecedkfgq.ini
C:\WINDOWS\system32\gvyaokrp.ini
C:\WINDOWS\system32\ifvbvejl.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nesjulcg.ini
C:\WINDOWS\system32\nioggmkd.ini
C:\WINDOWS\system32\nxavguud.ini
C:\WINDOWS\system32\qmvyaxpo.ini
C:\WINDOWS\system32\spkvgyxx.ini
C:\WINDOWS\system32\TDSSerrors.log
C:\WINDOWS\system32\tdsspopup1.url
C:\WINDOWS\system32\tdsspopup2.url
C:\WINDOWS\system32\tdsspopup3.url
C:\WINDOWS\system32\tdssservers.dat
C:\WINDOWS\system32\winsrc.dll.tmp
C:\WINDOWS\system32\YFOoqtwa.ini
C:\WINDOWS\system32\YFOoqtwa.ini2
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_TDSSSERV
-------\Service_MyWebSearchService
-------\Service_TDSSserv
((((((((((((((((((((((((( Files Created from 2008-09-21 to 2008-10-21 )))))))))))))))))))))))))))))))
.
2008-10-21 15:24 . 2008-10-21 15:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-21 08:30 . 2008-10-21 09:08 <DIR> d--h----- C:\$AVG8.VAULT$
2008-10-21 08:25 . 2008-10-21 08:25 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-10-21 08:25 . 2008-10-21 08:25 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-10-21 08:25 . 2008-10-21 08:25 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-10-21 08:24 . 2008-10-21 08:27 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-10-21 08:24 . 2008-10-21 08:24 <DIR> d-------- C:\Program Files\AVG
2008-10-21 08:24 . 2008-10-21 08:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-10-20 13:19 . 2008-10-20 13:19 77,824 --a------ C:\WINDOWS\system32\yfgtmpil.exe
2008-10-20 12:29 . 2008-10-20 12:29 <DIR> d-------- C:\Program Files\Lavasoft
2008-10-20 12:29 . 2008-10-20 12:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-20 12:27 . 2008-10-20 12:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-20 11:06 . 2008-10-20 11:06 77,824 --a------ C:\WINDOWS\system32\nsbypedo.exe
2008-10-20 09:18 . 2008-10-20 09:18 81,920 --a------ C:\WINDOWS\system32\titafgzu.exe
2008-10-20 08:55 . 2008-10-20 09:10 1,494 --a------ C:\WINDOWS\system32\tmp.reg
2008-10-20 08:34 . 2008-10-20 08:34 81,920 --a------ C:\WINDOWS\system32\glubmzob.exe
2008-10-19 23:01 . 2008-10-19 23:01 77,824 --a------ C:\WINDOWS\system32\tatwvink.exe
2008-10-19 21:46 . 2008-10-19 21:43 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-10-19 21:42 . 2008-10-20 14:15 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-10-19 19:11 . 2008-10-19 19:11 91 --a------ C:\WINDOWS\wininit.ini
2008-10-19 12:38 . 2008-10-19 12:38 <DIR> d-------- C:\CurUserIETempDir
2008-10-18 17:19 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-10-18 17:19 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-10-18 17:19 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-10-18 17:19 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-10-17 13:41 . 2008-10-17 13:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\lsfwhkfe
2008-10-11 19:18 . 2008-10-11 19:18 0 --a------ C:\WINDOWS\system32\nioggmkd.tmp
2008-10-10 11:51 . 2008-10-10 11:51 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SystemErrorFixer
2008-10-10 11:46 . 2008-10-19 16:53 <DIR> d-------- C:\Program Files\Common Files\SystemErrorFixer
2008-10-10 11:46 . 2008-10-10 11:46 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-10-10 11:46 . 2004-10-07 14:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-10-10 11:46 . 2004-10-07 14:39 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-10-10 11:46 . 2004-10-07 14:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-10-10 11:45 . 2008-10-10 11:51 <DIR> d-------- C:\Program Files\SystemErrorFixer
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-19 14:56 --------- d-----w C:\Program Files\WAV
2008-10-19 09:58 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-19 09:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-18 09:32 --------- d-----w C:\Program Files\Google
2008-10-18 09:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-13 03:20 --------- d-----w C:\Program Files\NetBattle
2008-09-08 07:32 --------- d-----w C:\Program Files\Yahoo! Games
2008-09-08 07:30 --------- d-----w C:\Program Files\FlashGet
2008-09-06 15:59 --------- d-----w C:\Program Files\NOS
2008-09-06 15:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
2008-09-06 15:40 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-09-06 15:39 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-05 14:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\DNA
2008-09-05 01:22 --------- d-----w C:\Program Files\DNA
2008-07-20 10:01 0 ----a-w C:\Documents and Settings\Administrator\jagex_runescape_preferences.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-10-21 1177368]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"HNZtE9bHWk"="C:\Documents and Settings\All Users\Application Data\lsfwhkfe\jkfklwdm.exe" [2008-10-17 57344]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=jdkigf.dll,avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= C:\Program Files\WIZET\MapleStory\l3codeca.acm
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DSLMON.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DSLMON.lnk
backup=C:\WINDOWS\pss\DSLMON.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX5500 Series]
--a------ 2007-03-01 14:01 180736 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATICAP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-07-01 11:58 118784 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-07-01 12:02 155648 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgGenUtil]
--a------ 2008-10-20 08:34 81920 C:\WINDOWS\system32\glubmzob.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\procact]
--a------ 2008-10-20 09:18 81920 C:\WINDOWS\system32\titafgzu.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-06 13:15 98304 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srvdb]
--a------ 2008-10-19 23:01 77824 C:\WINDOWS\system32\tatwvink.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StrMon]
--a------ 2008-10-20 11:06 77824 C:\WINDOWS\system32\nsbypedo.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebMsg]
--a------ 2008-10-20 13:19 77824 C:\WINDOWS\system32\yfgtmpil.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\WIZET\\MapleStory\\Patcher.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"=
"C:\\Program Files\\softnyx\\Rakion\\Bin\\rakion.bin"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-10-21 96520]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-10-21 902424]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-21 282904]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-10-21 75272]
S3 dump_wmimmc;dump_wmimmc;C:\Program Files\WIZET\MapleStory\GameGuard\dump_wmimmc.sys [ ]
.
- - - - ORPHANS REMOVED - - - -
BHO-{dc1c6b72-00e5-4100-9f45-32ec8a53739f} - C:\WINDOWS\system32\jdkigf.dll
HKLM-Run-BMN - C:\Program Files\Common Files\SystemErrorFixer\strpmon.exe dm=http://systemerrorfixer.com ad=http://systemerrorfixer.com
MSConfigStartUp-65398707435508597256336380907838 - C:\Program Files\Antivirus 2009\av2009.exe
MSConfigStartUp-Antivirus - C:\Program Files\WAV\wav.exe
MSConfigStartUp-aspch - C:\Program Files\aspch\ASpCh.exe
MSConfigStartUp-cwriter - C:\Program Files\SystemErrorFixer\ucookw.exe
MSConfigStartUp-ieupdate - C:\WINDOWS\system32\ieupdates.exe
MSConfigStartUp-My Web Search Bar - C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL
MSConfigStartUp-MyWebSearch Plugin - C:\PROGRA~1\MYWEBS~1\bar\2.bin\M3PLUGIN.DLL
MSConfigStartUp-ShSmart - C:\WINDOWS\system32\shkzoxcd.exe
MSConfigStartUp-Somefox - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\a.exe
MSConfigStartUp-swg - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-SystemErrorFixer - C:\Program Files\SystemErrorFixer\SysRep.exe
MSConfigStartUp-wblogon - C:\WINDOWS\system32\ubpr01.exe
.
------- Supplementary Scan -------
.
O8 -: &Search - ?p=ZKxdm014YYSG
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-21 16:34:17
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\TEMP\50262499-1c62-4fbc-8ad1-956daa1524f5.tmp 0 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-10-21 16:41:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-21 08:40:49
Pre-Run: 30,803,865,600 bytes free
Post-Run: 30,757,134,336 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
214 --- E O F --- 2008-09-10 12:02:07
Hope we have furnished all the info and in the right manner, thanks
pskelley
2008-10-21, 14:54
Thanks for returning your information, please read and follow the directions carefully and in the numbered order.
First a look at the Uninstall list, I am looking for security issues and malware only and will not know many of your programs.
Java(TM) 6 Update 3 <<< out of date, see this information, update now.
http://forums.spybot.info/showpost.php?p=12880&postcount=2
The rest look ok as far as I can see.
C:\CurUserIETempDir <<< do you have any idea what this is?
SystemErrorFixer <<< see this information:
http://www.ca.com/securityadvisor/pest/pest.aspx?id=453120379
Rogue Security Software: Security software that uses deceptive means for installation and purpose. Once installed, the rogue software usually uses scare tactics to inform the user that spyware or malware is installed on their system. The rogue security software then claims to offer remediation in exchange of payment. These applications can come bundled with other malware that serve other purposes. This software usually comes in the form of Anti-spyware, or Anti-virus applications.
1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
2) Open notepad and copy/paste the text in the codebox below into it:
File::
C:\WINDOWS\system32\yfgtmpil.exe
C:\WINDOWS\system32\nsbypedo.exe
C:\WINDOWS\system32\titafgzu.exe
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\glubmzob.exe
C:\WINDOWS\system32\tatwvink.exe
C:\WINDOWS\system32\nioggmkd.tmp
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
"AppInit_DLLs"="avgrsstx.dll"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"HNZtE9bHWk"=-
Folder::
C:\Documents and Settings\All Users\Application Data\lsfwhkfe
C:\Documents and Settings\All Users\Application Data\SystemErrorFixer
C:\Program Files\Common Files\SystemErrorFixer
C:\Program Files\SystemErrorFixer
C:\Program Files\WAV
Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)
3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
(some items may be gone, removed by CFScript)
O4 - HKLM\..\Policies\Explorer\Run: [HNZtE9bHWk] C:\Documents and Settings\All Users\Application Data\lsfwhkfe\jkfklwdm.exe
O20 - AppInit_DLLs: jdkigf.dll,avgrsstx.dll
Close all programs but HJT and all browser windows, then click on "Fix Checked"
4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.
How is the computer running now?
Thanks...Phil
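As an added triage example (not part of the thread and not the helper's own tooling): a small Python script that applies the reasoning from the steps above to HijackThis lines, flagging AppInit_DLLs entries that load unrecognised DLLs, autostarts under Policies\Explorer\Run, and pseudo-random executable names, and computing the cleaned AppInit_DLLs value that the CFScript Registry:: section sets. The sample lines and the known-good DLL list are constructed from this thread; the random-name heuristic is an assumption and will produce false positives (hidserv.dll in system32 would match it), so treat its output as a list of items to verify, not to delete.

```python
import ntpath
import re
from typing import List, Tuple

# Constructed sample modelled on the HijackThis lines quoted in this thread:
# the entries the helper marked for "Fix Checked" plus two benign ones.
SAMPLE_HJT_LINES = [
    r"O2 - BHO: {f93735a8-ce23-54f9-0014-5e0027b6c1cd} - {dc1c6b72-00e5-4100-9f45-32ec8a53739f} - C:\WINDOWS\system32\jdkigf.dll",
    r"O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll",
    r"O4 - HKLM\..\Policies\Explorer\Run: [HNZtE9bHWk] C:\Documents and Settings\All Users\Application Data\lsfwhkfe\jkfklwdm.exe",
    r"O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe",
    r"O20 - AppInit_DLLs: jdkigf.dll,avgrsstx.dll",
]

# DLLs known to be legitimate in this thread (AVG's resident-shield hook).
# Anything else listed in AppInit_DLLs is reported as unrecognised.
KNOWN_GOOD_APPINIT = {"avgrsstx.dll"}

# Heuristic (assumption): Virtumonde-style droppers in this thread use
# 6-8 letter all-lowercase names (jdkigf.dll, jkfklwdm.exe, tatwvink.exe)
# dropped into system32 or Application Data rather than Program Files.
RANDOM_NAME = re.compile(r"^[a-z]{6,8}\.(?:exe|dll)$")
SUSPECT_DIRS = ("\\system32\\", "\\application data\\", "\\temp\\")

HJT_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
HJT_O4 = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<path>.+)$")
HJT_O20 = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.+)$")
GUID_ONLY = re.compile(r"^\{[0-9A-Fa-f-]+\}$")


def split_appinit(value: str) -> List[str]:
    """AppInit_DLLs is a comma- or space-separated list of DLL names."""
    return [d.strip() for d in re.split(r"[,\s]+", value) if d.strip()]


def clean_appinit(value: str, known_good=frozenset(KNOWN_GOOD_APPINIT)) -> str:
    """Return the value to write back: only the DLLs we can vouch for."""
    return ",".join(d for d in split_appinit(value) if d.lower() in known_good)


def looks_random(path: str) -> bool:
    """True if the file name is pseudo-random AND lives in a drop location."""
    p = path.strip('"')
    base = ntpath.basename(p)  # ntpath handles backslashes on any host OS
    return bool(RANDOM_NAME.match(base)) and any(d in p.lower() for d in SUSPECT_DIRS)


def triage(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every HijackThis line worth a closer look."""
    findings = []
    for line in lines:
        reasons: List[str] = []
        m = HJT_O20.match(line)
        if m:
            unknown = [d for d in split_appinit(m.group("value"))
                       if d.lower() not in KNOWN_GOOD_APPINIT]
            if unknown:
                reasons.append("AppInit_DLLs loads unrecognised DLL(s): " + ", ".join(unknown))
        m = HJT_O4.match(line)
        if m:
            if "policies\\explorer\\run" in m.group("key").lower():
                reasons.append("autorun via Policies\\Explorer\\Run (rarely used by legitimate software)")
            if looks_random(m.group("path")):
                reasons.append("pseudo-random executable name in a drop location")
        m = HJT_O2 .match(line)
        if m:
            if GUID_ONLY.match(m.group("name")):
                reasons.append("BHO has no readable name, only a GUID")
            if looks_random(m.group("path")):
                reasons.append("BHO DLL has a pseudo-random name in a drop location")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_HJT_LINES):
        print(line)
        for r in reasons:
            print("   ->", r)
    # The value the CFScript Registry:: section above ends up setting.
    print("AppInit_DLLs after cleanup:", clean_appinit("jdkigf.dll,avgrsstx.dll"))
```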
alexchris
2008-10-21, 20:22
(What a ride.) At last, when I run the Spybot scan, it does not detect any infection. For completeness here are the following scan logs
Malwarebytes' Anti-Malware 1.29
Database version: 1302
Windows 5.1.2600 Service Pack 2
10/22/2008 12:09:34 AM
mbam-log-2008-10-22 (00-09-34).txt
Scan type: Full Scan (C:\|)
Objects scanned: 67431
Time elapsed: 26 minute(s), 44 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 15
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 10
Files Infected: 28
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SystemErrorFixer (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SystemErrorFixerDownloader (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\SystemErrorFixer (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Purchased Products (Rogue.Multiple) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\Common Files\SystemErrorFixer (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Program Files\SystemErrorFixer (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Program Files\SystemErrorFixer\Res (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Program Files\WAV (Rogue.WindowsAntivirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\968070 (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SalesMon (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SalesMon\Data (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\SystemErrorFixer (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\All Users\Application Data\lsfwhkfe\jkfklwdm.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\NetBattle\virtual.drv (Adware.Winad) -> Quarantined and deleted successfully.
C:\Program Files\SystemErrorFixer\atl71.dll (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Program Files\SystemErrorFixer\License.rtf (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Program Files\SystemErrorFixer\mfc71.dll (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Program Files\SystemErrorFixer\msvcp71.dll (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Program Files\SystemErrorFixer\msvcr71.dll (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Program Files\SystemErrorFixer\Readme.rtf (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Program Files\SystemErrorFixer\rm.url (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Program Files\SystemErrorFixer\sr.log (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Program Files\SystemErrorFixer\swupd.log (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Program Files\SystemErrorFixer\sysrep.exe.Log (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Program Files\SystemErrorFixer\SysRep.exe.xml (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Program Files\SystemErrorFixer\SysRep.url (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Program Files\SystemErrorFixer\unins000.dat (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Program Files\SystemErrorFixer\unins000.exe (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Program Files\SystemErrorFixer\urls.ini (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Program Files\SystemErrorFixer\Res\Main.ico (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Program Files\SystemErrorFixer\Res\RecycleBin.ico (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Program Files\SystemErrorFixer\Res\support.ico (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\ac (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\ActivationDomain (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\em (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\oid (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\save2.db (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\user (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\SystemErrorFixer\Contact Customer Service.lnk (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\SystemErrorFixer\SystemErrorFixer.lnk (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
ComboFix 08-10-19.04 - Administrator 2008-10-21 16:28:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.78 [GMT 8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator\My Documents\My Documents.url
C:\Documents and Settings\Administrator\My Documents\My Music\My Music.url
C:\Documents and Settings\Administrator\My Documents\My Pictures\My Pictures.url
C:\Documents and Settings\Administrator\My Documents\My Videos\My Video.url
C:\WINDOWS\BM236c1fab.txt
C:\WINDOWS\BM236c1fab.xml
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\ajnvgnsl.ini
C:\WINDOWS\system32\ayhkfbdn.ini
C:\WINDOWS\system32\bembhhcm.ini
C:\WINDOWS\system32\casino1.ico
C:\WINDOWS\system32\casino2.ico
C:\WINDOWS\system32\casino3.ico
C:\WINDOWS\system32\dytwqcvd.ini
C:\WINDOWS\system32\ecedkfgq.ini
C:\WINDOWS\system32\gvyaokrp.ini
C:\WINDOWS\system32\ifvbvejl.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nesjulcg.ini
C:\WINDOWS\system32\nioggmkd.ini
C:\WINDOWS\system32\nxavguud.ini
C:\WINDOWS\system32\qmvyaxpo.ini
C:\WINDOWS\system32\spkvgyxx.ini
C:\WINDOWS\system32\TDSSerrors.log
C:\WINDOWS\system32\tdsspopup1.url
C:\WINDOWS\system32\tdsspopup2.url
C:\WINDOWS\system32\tdsspopup3.url
C:\WINDOWS\system32\tdssservers.dat
C:\WINDOWS\system32\winsrc.dll.tmp
C:\WINDOWS\system32\YFOoqtwa.ini
C:\WINDOWS\system32\YFOoqtwa.ini2
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_TDSSSERV
-------\Service_MyWebSearchService
-------\Service_TDSSserv
((((((((((((((((((((((((( Files Created from 2008-09-21 to 2008-10-21 )))))))))))))))))))))))))))))))
.
2008-10-21 15:24 . 2008-10-21 15:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-21 08:30 . 2008-10-21 09:08 <DIR> d--h----- C:\$AVG8.VAULT$
2008-10-21 08:25 . 2008-10-21 08:25 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-10-21 08:25 . 2008-10-21 08:25 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-10-21 08:25 . 2008-10-21 08:25 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-10-21 08:24 . 2008-10-21 08:27 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-10-21 08:24 . 2008-10-21 08:24 <DIR> d-------- C:\Program Files\AVG
2008-10-21 08:24 . 2008-10-21 08:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-10-20 13:19 . 2008-10-20 13:19 77,824 --a------ C:\WINDOWS\system32\yfgtmpil.exe
2008-10-20 12:29 . 2008-10-20 12:29 <DIR> d-------- C:\Program Files\Lavasoft
2008-10-20 12:29 . 2008-10-20 12:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-20 12:27 . 2008-10-20 12:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-20 11:06 . 2008-10-20 11:06 77,824 --a------ C:\WINDOWS\system32\nsbypedo.exe
2008-10-20 09:18 . 2008-10-20 09:18 81,920 --a------ C:\WINDOWS\system32\titafgzu.exe
2008-10-20 08:55 . 2008-10-20 09:10 1,494 --a------ C:\WINDOWS\system32\tmp.reg
2008-10-20 08:34 . 2008-10-20 08:34 81,920 --a------ C:\WINDOWS\system32\glubmzob.exe
2008-10-19 23:01 . 2008-10-19 23:01 77,824 --a------ C:\WINDOWS\system32\tatwvink.exe
2008-10-19 21:46 . 2008-10-19 21:43 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-10-19 21:42 . 2008-10-20 14:15 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-10-19 19:11 . 2008-10-19 19:11 91 --a------ C:\WINDOWS\wininit.ini
2008-10-19 12:38 . 2008-10-19 12:38 <DIR> d-------- C:\CurUserIETempDir
2008-10-18 17:19 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-10-18 17:19 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-10-18 17:19 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-10-18 17:19 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-10-17 13:41 . 2008-10-17 13:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\lsfwhkfe
2008-10-11 19:18 . 2008-10-11 19:18 0 --a------ C:\WINDOWS\system32\nioggmkd.tmp
2008-10-10 11:51 . 2008-10-10 11:51 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SystemErrorFixer
2008-10-10 11:46 . 2008-10-19 16:53 <DIR> d-------- C:\Program Files\Common Files\SystemErrorFixer
2008-10-10 11:46 . 2008-10-10 11:46 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-10-10 11:46 . 2004-10-07 14:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-10-10 11:46 . 2004-10-07 14:39 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-10-10 11:46 . 2004-10-07 14:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-10-10 11:45 . 2008-10-10 11:51 <DIR> d-------- C:\Program Files\SystemErrorFixer
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-19 14:56 --------- d-----w C:\Program Files\WAV
2008-10-19 09:58 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-19 09:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-18 09:32 --------- d-----w C:\Program Files\Google
2008-10-18 09:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-13 03:20 --------- d-----w C:\Program Files\NetBattle
2008-09-08 07:32 --------- d-----w C:\Program Files\Yahoo! Games
2008-09-08 07:30 --------- d-----w C:\Program Files\FlashGet
2008-09-06 15:59 --------- d-----w C:\Program Files\NOS
2008-09-06 15:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
2008-09-06 15:40 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-09-06 15:39 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-05 14:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\DNA
2008-09-05 01:22 --------- d-----w C:\Program Files\DNA
2008-07-20 10:01 0 ----a-w C:\Documents and Settings\Administrator\jagex_runescape_preferences.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-10-21 1177368]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"HNZtE9bHWk"="C:\Documents and Settings\All Users\Application Data\lsfwhkfe\jkfklwdm.exe" [2008-10-17 57344]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=jdkigf.dll,avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= C:\Program Files\WIZET\MapleStory\l3codeca.acm
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DSLMON.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DSLMON.lnk
backup=C:\WINDOWS\pss\DSLMON.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX5500 Series]
--a------ 2007-03-01 14:01 180736 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATICAP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-07-01 11:58 118784 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-07-01 12:02 155648 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgGenUtil]
--a------ 2008-10-20 08:34 81920 C:\WINDOWS\system32\glubmzob.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\procact]
--a------ 2008-10-20 09:18 81920 C:\WINDOWS\system32\titafgzu.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-06 13:15 98304 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srvdb]
--a------ 2008-10-19 23:01 77824 C:\WINDOWS\system32\tatwvink.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StrMon]
--a------ 2008-10-20 11:06 77824 C:\WINDOWS\system32\nsbypedo.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebMsg]
--a------ 2008-10-20 13:19 77824 C:\WINDOWS\system32\yfgtmpil.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\WIZET\\MapleStory\\Patcher.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"=
"C:\\Program Files\\softnyx\\Rakion\\Bin\\rakion.bin"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-10-21 96520]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-10-21 902424]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-21 282904]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-10-21 75272]
S3 dump_wmimmc;dump_wmimmc;C:\Program Files\WIZET\MapleStory\GameGuard\dump_wmimmc.sys [ ]
.
- - - - ORPHANS REMOVED - - - -
BHO-{dc1c6b72-00e5-4100-9f45-32ec8a53739f} - C:\WINDOWS\system32\jdkigf.dll
HKLM-Run-BMN - C:\Program Files\Common Files\SystemErrorFixer\strpmon.exe dm=http://systemerrorfixer.com ad=http://systemerrorfixer.com
MSConfigStartUp-65398707435508597256336380907838 - C:\Program Files\Antivirus 2009\av2009.exe
MSConfigStartUp-Antivirus - C:\Program Files\WAV\wav.exe
MSConfigStartUp-aspch - C:\Program Files\aspch\ASpCh.exe
MSConfigStartUp-cwriter - C:\Program Files\SystemErrorFixer\ucookw.exe
MSConfigStartUp-ieupdate - C:\WINDOWS\system32\ieupdates.exe
MSConfigStartUp-My Web Search Bar - C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL
MSConfigStartUp-MyWebSearch Plugin - C:\PROGRA~1\MYWEBS~1\bar\2.bin\M3PLUGIN.DLL
MSConfigStartUp-ShSmart - C:\WINDOWS\system32\shkzoxcd.exe
MSConfigStartUp-Somefox - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\a.exe
MSConfigStartUp-swg - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-SystemErrorFixer - C:\Program Files\SystemErrorFixer\SysRep.exe
MSConfigStartUp-wblogon - C:\WINDOWS\system32\ubpr01.exe
.
------- Supplementary Scan -------
.
O8 -: &Search - ?p=ZKxdm014YYSG
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-21 16:34:17
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\TEMP\50262499-1c62-4fbc-8ad1-956daa1524f5.tmp 0 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-10-21 16:41:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-21 08:40:49
Pre-Run: 30,803,865,600 bytes free
Post-Run: 30,757,134,336 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
214 --- E O F --- 2008-09-10 12:02:07
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:17:02 AM, on 10/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O8 - Extra context menu item: &Search - ?p=ZKxdm014YYSG
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
--
End of file - 4860 bytes
Guess all the logs should look ok.... at least I hope. Btw I don't know what this is, quote: 'C:\CurUserIETempDir <<< do you have any idea what this is?'
Got no idea how it landed in the pc.
Many thanks for your patience and help.
pskelley
2008-10-21, 21:11
C:\CurUserIETempDir <<< since you do not know this item, delete it.
We are using some powerful tools here and it is very important that you pay attention and follow directions carefully.
This is the same post twice.
1) Post #4
ComboFix 08-10-19.04 - Administrator 2008-10-21 16:28:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.78 [GMT 8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
2) Post #6
ComboFix 08-10-19.04 - Administrator 2008-10-21 16:28:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.78 [GMT 8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
My instructions were:
please read and follow the directions carefully and in the numbered order.
The MBAM scan found and removed Rogue.SystemErrorFixer, which would likely not have been there, since it was part of the removal in CFScript.
Folder::
C:\Documents and Settings\All Users\Application Data\lsfwhkfe
C:\Documents and Settings\All Users\Application Data\SystemErrorFixer
C:\Program Files\Common Files\SystemErrorFixer
C:\Program Files\SystemErrorFixer
C:\Program Files\WAV
What I would like you to do is read the directions I posted in my last instructions, then follow them. When they have been completed, post the report from combofix which will be CFScript.exe.
alexchris
2008-10-22, 15:40
Very sorry for the error. Just re-ran Combofix.exe and the log is as attached.
(FYI when we run Spybot now, there is no infection; specifically there is no Virtumonde.) Thanks very much for your help and patience
ComboFix 08-10-21.03 - Administrator 2008-10-22 20:27:11.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.64 [GMT 8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-09-22 to 2008-10-22 )))))))))))))))))))))))))))))))
.
2008-10-21 23:38 . 2008-10-21 23:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-21 23:38 . 2008-10-21 23:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-21 23:38 . 2008-10-21 23:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-10-21 23:38 . 2008-10-16 20:25 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-21 23:38 . 2008-10-16 20:25 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-21 15:24 . 2008-10-21 15:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-21 08:30 . 2008-10-21 09:08 <DIR> d--h----- C:\$AVG8.VAULT$
2008-10-21 08:25 . 2008-10-22 20:16 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-10-21 08:25 . 2008-10-22 20:16 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-10-21 08:25 . 2008-10-22 20:16 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-10-21 08:24 . 2008-10-22 20:17 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-10-21 08:24 . 2008-10-21 08:24 <DIR> d-------- C:\Program Files\AVG
2008-10-21 08:24 . 2008-10-21 08:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-10-20 13:19 . 2008-10-20 13:19 77,824 --a------ C:\WINDOWS\system32\yfgtmpil.exe
2008-10-20 12:29 . 2008-10-20 12:29 <DIR> d-------- C:\Program Files\Lavasoft
2008-10-20 12:29 . 2008-10-20 12:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-20 12:27 . 2008-10-20 12:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-20 11:06 . 2008-10-20 11:06 77,824 --a------ C:\WINDOWS\system32\nsbypedo.exe
2008-10-20 09:18 . 2008-10-20 09:18 81,920 --a------ C:\WINDOWS\system32\titafgzu.exe
2008-10-20 08:55 . 2008-10-20 09:10 1,494 --a------ C:\WINDOWS\system32\tmp.reg
2008-10-20 08:34 . 2008-10-20 08:34 81,920 --a------ C:\WINDOWS\system32\glubmzob.exe
2008-10-19 23:01 . 2008-10-19 23:01 77,824 --a------ C:\WINDOWS\system32\tatwvink.exe
2008-10-19 21:42 . 2008-10-21 23:08 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-10-19 19:11 . 2008-10-19 19:11 91 --a------ C:\WINDOWS\wininit.ini
2008-10-19 12:38 . 2008-10-19 12:38 <DIR> d-------- C:\CurUserIETempDir
2008-10-18 17:19 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-10-18 17:19 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-10-18 17:19 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-10-18 17:19 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-10-17 13:41 . 2008-10-22 00:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\lsfwhkfe
2008-10-11 19:18 . 2008-10-11 19:18 0 --a------ C:\WINDOWS\system32\nioggmkd.tmp
2008-10-10 11:46 . 2004-10-07 14:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-10-10 11:46 . 2004-10-07 14:39 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-10-10 11:46 . 2004-10-07 14:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-21 15:17 --------- d-----w C:\Program Files\Java
2008-10-19 09:58 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-19 09:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-18 09:32 --------- d-----w C:\Program Files\Google
2008-10-18 09:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-13 03:20 --------- d-----w C:\Program Files\NetBattle
2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-08 07:32 --------- d-----w C:\Program Files\Yahoo! Games
2008-09-08 07:30 --------- d-----w C:\Program Files\FlashGet
2008-09-06 15:59 --------- d-----w C:\Program Files\NOS
2008-09-06 15:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
2008-09-06 15:40 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-09-06 15:39 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-05 14:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\DNA
2008-09-05 01:22 --------- d-----w C:\Program Files\DNA
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-20 05:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:00 2,180,352 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:22 2,057,728 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-07-20 10:01 0 ----a-w C:\Documents and Settings\Administrator\jagex_runescape_preferences.dat
.
((((((((((((((((((((((((((((( snapshot@2008-10-21_16.38.40.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-02-28 09:08:48 2,136,064 ------w C:\WINDOWS\Driver Cache\i386\ntkrnlmp.exe
+ 2008-08-14 09:58:27 2,136,064 ------w C:\WINDOWS\Driver Cache\i386\ntkrnlmp.exe
- 2007-02-28 08:38:55 2,057,600 ------w C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
+ 2008-08-14 09:22:13 2,057,728 ------w C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
- 2007-02-28 08:38:57 2,015,744 ------w C:\WINDOWS\Driver Cache\i386\ntkrpamp.exe
+ 2008-08-14 09:22:14 2,015,744 ------w C:\WINDOWS\Driver Cache\i386\ntkrpamp.exe
- 2007-02-28 09:10:57 2,180,352 ------w C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
+ 2008-08-14 10:00:45 2,180,352 ------w C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
- 2008-09-10 12:00:01 167,936 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2008-10-21 09:04:35 167,936 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
- 2008-09-10 12:00:01 2,560 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2008-10-21 09:04:35 2,560 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2008-09-10 12:00:01 81,920 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
+ 2008-10-21 09:04:35 81,920 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
- 2008-09-10 12:00:00 34,304 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2008-10-21 09:04:35 34,304 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2008-09-10 12:00:01 8,192 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2008-10-21 09:04:35 8,192 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2008-09-10 12:00:01 3,584 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2008-10-21 09:04:35 3,584 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2008-09-10 12:00:01 114,688 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2008-10-21 09:04:35 114,688 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2008-09-10 12:00:01 16,384 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2008-10-21 09:04:35 16,384 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2008-09-10 12:00:01 30,720 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2008-10-21 09:04:35 30,720 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2008-09-10 12:00:01 22,528 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2008-10-21 09:04:35 22,528 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2008-09-10 12:00:00 45,056 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2008-10-21 09:04:35 45,056 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2008-09-10 12:00:00 90,112 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2008-10-21 09:04:35 90,112 ----a-r C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
- 2008-06-23 15:38:28 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll
+ 2008-08-20 05:38:45 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll
- 2008-06-23 15:38:29 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
+ 2008-08-20 05:38:39 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
- 2008-06-23 15:38:30 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
+ 2008-08-20 05:38:40 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
- 2008-06-20 10:44:38 138,368 -c--a-w C:\WINDOWS\system32\dllcache\afd.sys
+ 2008-08-14 09:51:43 138,368 -c--a-w C:\WINDOWS\system32\dllcache\afd.sys
- 2008-06-23 15:38:28 1,023,488 -c--a-w C:\WINDOWS\system32\dllcache\browseui.dll
+ 2008-08-20 05:38:45 1,023,488 -c--a-w C:\WINDOWS\system32\dllcache\browseui.dll
- 2008-06-23 15:38:29 151,040 -c--a-w C:\WINDOWS\system32\dllcache\cdfview.dll
+ 2008-08-20 05:38:39 151,040 -c--a-w C:\WINDOWS\system32\dllcache\cdfview.dll
- 2008-06-23 15:38:30 1,054,208 -c--a-w C:\WINDOWS\system32\dllcache\danim.dll
+ 2008-08-20 05:38:40 1,054,208 -c--a-w C:\WINDOWS\system32\dllcache\danim.dll
- 2008-06-23 15:38:30 357,888 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-08-20 05:38:40 357,888 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2008-06-23 15:38:30 205,312 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-08-20 05:38:40 205,312 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2008-06-23 15:38:30 55,808 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-08-20 05:38:40 55,808 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2008-06-23 09:49:29 18,432 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
+ 2008-08-19 09:30:39 18,432 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
- 2008-06-23 15:38:31 251,392 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2008-08-20 05:38:41 251,392 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
- 2008-06-23 15:38:31 96,256 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2008-08-20 05:38:41 96,256 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
- 2008-06-23 15:38:31 16,384 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-08-20 05:38:44 16,384 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2008-06-23 15:38:33 3,059,712 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-08-20 05:38:47 3,060,224 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2008-06-23 15:38:33 449,024 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-08-20 05:38:43 449,024 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2008-06-23 15:38:33 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-08-20 05:38:41 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2008-06-23 15:38:33 532,480 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-08-20 05:38:41 532,480 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-02-28 09:08:48 2,136,064 -c----w C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
+ 2008-08-14 09:58:27 2,136,064 -c----w C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
- 2007-02-28 08:38:55 2,057,600 -c----w C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
+ 2008-08-14 09:22:13 2,057,728 -c----w C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
- 2007-02-28 08:38:57 2,015,744 -c----w C:\WINDOWS\system32\dllcache\ntkrpamp.exe
+ 2008-08-14 09:22:14 2,015,744 -c----w C:\WINDOWS\system32\dllcache\ntkrpamp.exe
- 2007-02-28 09:10:57 2,180,352 -c----w C:\WINDOWS\system32\dllcache\ntoskrnl.exe
+ 2008-08-14 10:00:45 2,180,352 -c----w C:\WINDOWS\system32\dllcache\ntoskrnl.exe
- 2008-06-23 15:38:33 39,424 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-08-20 05:38:41 39,424 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2008-06-23 15:38:34 1,494,528 -c--a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
+ 2008-08-20 05:38:42 1,494,528 -c--a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
- 2008-06-23 15:38:34 474,112 -c--a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
+ 2008-08-20 05:38:44 474,112 -c--a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
- 2006-08-14 10:34:41 332,928 -c--a-w C:\WINDOWS\system32\dllcache\srv.sys
+ 2008-08-28 10:04:17 333,056 -c--a-w C:\WINDOWS\system32\dllcache\srv.sys
- 2008-06-23 15:38:34 615,936 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-08-20 05:38:45 615,936 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2008-03-19 09:47:00 1,845,248 -c--a-w C:\WINDOWS\system32\dllcache\win32k.sys
+ 2008-09-15 11:57:41 1,846,016 -c--a-w C:\WINDOWS\system32\dllcache\win32k.sys
- 2008-06-23 15:38:34 659,456 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-08-20 05:38:43 659,456 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2008-06-20 10:44:38 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
+ 2008-08-14 09:51:43 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
- 2008-10-21 00:25:00 26,184 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2008-10-22 12:16:21 26,824 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
- 2008-06-23 15:38:30 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-08-20 05:38:40 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2008-06-23 15:38:30 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-08-20 05:38:40 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2008-06-23 15:38:30 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2008-08-20 05:38:40 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2008-04-09 12:58:09 114,968 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-10-21 09:06:28 114,968 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2008-06-23 15:38:31 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2008-08-20 05:38:41 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2008-06-23 15:38:31 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2008-08-20 05:38:41 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
- 2007-09-24 14:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-09 17:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-09-24 14:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-09 17:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-09-24 15:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-09 18:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2008-06-23 15:38:31 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-08-20 05:38:44 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2008-08-26 20:28:12 16,208,504 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-10-07 19:19:40 16,721,856 ----a-w C:\WINDOWS\system32\MRT.exe
- 2008-06-23 15:38:33 3,059,712 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-08-20 05:38:47 3,060,224 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2008-06-23 15:38:33 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-08-20 05:38:43 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2008-06-23 15:38:33 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-08-20 05:38:41 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
- 2008-06-23 15:38:33 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-08-20 05:38:41 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
- 2008-06-23 15:38:33 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-08-20 05:38:41 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2008-06-23 15:38:34 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
+ 2008-08-20 05:38:42 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
- 2008-06-23 15:38:34 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
+ 2008-08-20 05:38:44 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
- 2007-11-30 12:39:22 17,272 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\system32\spmsg.dll
- 2008-06-23 15:38:34 615,936 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-08-20 05:38:45 615,936 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2008-07-03 09:14:02 351,744 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2008-08-19 09:20:32 351,744 ----a-w C:\WINDOWS\system32\xpsp3res.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-10-22 1234712]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=jdkigf.dll,avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= C:\Program Files\WIZET\MapleStory\l3codeca.acm
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DSLMON.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DSLMON.lnk
backup=C:\WINDOWS\pss\DSLMON.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX5500 Series]
--a------ 2007-03-01 14:01 180736 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATICAP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-07-01 11:58 118784 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-07-01 12:02 155648 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgGenUtil]
--a------ 2008-10-20 08:34 81920 C:\WINDOWS\system32\glubmzob.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\procact]
--a------ 2008-10-20 09:18 81920 C:\WINDOWS\system32\titafgzu.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-06 13:15 98304 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srvdb]
--a------ 2008-10-19 23:01 77824 C:\WINDOWS\system32\tatwvink.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StrMon]
--a------ 2008-10-20 11:06 77824 C:\WINDOWS\system32\nsbypedo.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebMsg]
--a------ 2008-10-20 13:19 77824 C:\WINDOWS\system32\yfgtmpil.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\WIZET\\MapleStory\\Patcher.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"=
"C:\\Program Files\\softnyx\\Rakion\\Bin\\rakion.bin"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-10-22 97928]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-10-22 875288]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-22 231704]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-10-22 76040]
S3 dump_wmimmc;dump_wmimmc;C:\Program Files\WIZET\MapleStory\GameGuard\dump_wmimmc.sys [ ]
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-SunJavaUpdateSched - C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
.
------- Supplementary Scan -------
.
O8 -: &Search - ?p=ZKxdm014YYSG
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-22 20:30:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-10-22 20:33:32
ComboFix-quarantined-files.txt 2008-10-22 12:33:20
ComboFix2.txt 2008-10-21 08:41:09
pskelley
2008-10-22, 16:24
Alex, listen up... these are the directions you must follow; please concentrate on these instructions and no others.
1) Open notepad and copy/paste the text in the codebox below into it:
File::
C:\WINDOWS\system32\yfgtmpil.exe
C:\WINDOWS\system32\nsbypedo.exe
C:\WINDOWS\system32\titafgzu.exe
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\glubmzob.exe
C:\WINDOWS\system32\tatwvink.exe
C:\WINDOWS\system32\nioggmkd.tmp
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
"AppInit_DLLs"="avgrsstx.dll"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"HNZtE9bHWk"=-
Folder::
C:\Documents and Settings\All Users\Application Data\lsfwhkfe
C:\Documents and Settings\All Users\Application Data\SystemErrorFixer
C:\Program Files\Common Files\SystemErrorFixer
C:\Program Files\SystemErrorFixer
C:\Program Files\WAV
2) Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
3) Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply, together with a new HijackThis log.
You can see this happen in this thread:
http://forums.spybot.info/showthread.php?t=34008&page=2
Posts 14 and 15
When these instructions are executed correctly, the report will look like this:
Running from: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
Post that report
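The script above acts on two signals from the ComboFix log: an AppInit_DLLs value that had a second, unknown DLL (jdkigf.dll, the same file behind the random-named BHO in the first HijackThis log) chained in front of AVG's avgrsstx.dll, and five msconfig startupreg entries pointing at eight-letter random-named executables in system32, all dated within days of the scan. As an added example for this thread (not ComboFix's own code and not the helper's), the following Python pulls those two signals out of a "Reg Loading Points" excerpt, drafts a CFScript in the same File::/Registry:: layout, and then checks a post-run excerpt for anything that is still loading. The two log excerpts are constructed from lines in the thread (trimmed, not verbatim); the scan date, the seven-day freshness window, the known-good AppInit allow-list and the assumption that a bare name in AppInit_DLLs resolves to system32 are all assumptions of the example.

```python
"""Triage a ComboFix "Reg Loading Points" excerpt for Virtumonde-style
autostarts and draft a CFScript in the File::/Registry:: layout used above.
Added example for this thread, not ComboFix's own code."""
import re
from datetime import date

# Constructed "before" excerpt, modelled on the log posted above (trimmed).
BEFORE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=jdkigf.dll,avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-07-01 11:58 118784 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-07-01 12:02 155648 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgGenUtil]
--a------ 2008-10-20 08:34 81920 C:\WINDOWS\system32\glubmzob.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srvdb]
--a------ 2008-10-19 23:01 77824 C:\WINDOWS\system32\tatwvink.exe
"""
# Constructed "after" excerpt in the shape of the post-CFScript log.
AFTER_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-07-01 11:58 118784 C:\WINDOWS\system32\hkcmd.exe
"""

SCAN_DATE = date(2008, 10, 22)          # date of the ComboFix run in the thread
KNOWN_GOOD_APPINIT = {"avgrsstx.dll"}   # assumption: AVG 8 resident-shield DLL
FRESH_DAYS = 7                          # assumption: droppers land days before the scan
WINDOWS_KEY = r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]"

KEY_RE = re.compile(r"^\[(.+)\]$")
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(.*)$')
FILE_RE = re.compile(r"^[-a-z]{9}\s+(\d{4})-(\d{2})-(\d{2}) \d{2}:\d{2}\s+\d+\s+(.+)$")
RANDOM_EXE_RE = re.compile(r"\\system32\\[a-z]{8}\.exe$", re.IGNORECASE)


def parse_loading_points(text):
    """Return (appinit_dlls, [(file_date, path), ...]) from the excerpt."""
    appinit, entries, in_key = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if KEY_RE.match(line):
            in_key = True
            continue
        m = APPINIT_RE.match(line)
        if m:
            appinit = [d.strip() for d in m.group(1).split(",") if d.strip()]
            continue
        m = FILE_RE.match(line)
        if m and in_key:
            y, mo, d, path = m.groups()
            entries.append((date(int(y), int(mo), int(d)), path))
    return appinit, entries


def triage(text, scan_date=SCAN_DATE, known_good=KNOWN_GOOD_APPINIT):
    """Flag AppInit DLLs outside the allow-list, and system32 executables that
    are BOTH eight random letters AND fresh (igfxtray.exe is also eight
    letters, but dates from 2004 and is left alone)."""
    appinit, entries = parse_loading_points(text)
    rogue_dlls = [d for d in appinit if d.lower() not in known_good]
    keep_dlls = [d for d in appinit if d.lower() in known_good]
    rogue_files = sorted(path for fdate, path in entries
                         if 0 <= (scan_date - fdate).days <= FRESH_DAYS
                         and RANDOM_EXE_RE.search(path))
    return {"rogue_dlls": rogue_dlls, "keep_dlls": keep_dlls,
            "rogue_files": rogue_files}


def render_cfscript(findings):
    """Draft a CFScript: delete the AppInit value, then re-create it with only
    the allow-listed DLLs, as the helper's script above does."""
    lines = ["File::"] + findings["rogue_files"]
    # Assumption: a bare name in AppInit_DLLs resolves to system32.
    lines += [r"C:\WINDOWS\system32\%s" % d for d in findings["rogue_dlls"]]
    if findings["rogue_dlls"]:
        lines += ["Registry::", WINDOWS_KEY, '"AppInit_DLLs"=-']
        if findings["keep_dlls"]:
            lines.append('"AppInit_DLLs"="%s"' % ",".join(findings["keep_dlls"]))
    return "\n".join(lines) + "\n"


def leftovers(after_text, findings, known_good=KNOWN_GOOD_APPINIT):
    """Check the post-run log: return anything flagged that is still loading."""
    appinit, entries = parse_loading_points(after_text)
    still = [d for d in appinit if d.lower() not in known_good]
    paths = {p for _, p in entries}
    still += [p for p in findings["rogue_files"] if p in paths]
    return still


if __name__ == "__main__":
    found = triage(BEFORE_LOG)
    print(render_cfscript(found))
    print("leftovers after run:", leftovers(AFTER_LOG, found))
```

Two points worth keeping in mind when reading the helper's script. First, the Registry:: section deletes AppInit_DLLs and immediately re-creates it with only avgrsstx.dll rather than clearing the value, because the value was shared with AVG's resident shield and wiping it outright would unhook AVG as well; the example reproduces that delete-then-rewrite. Second, a heuristic like this only drafts the script: a person still reads every File:: line before it is run, and the proof that it worked is the post-run log, which in this thread shows "AppInit_DLLs"=avgrsstx.dll and lists the five startupreg entries under ORPHANS REMOVED. The catchme result ("hidden files: 0") says nothing about those entries; it only reports that nothing was being hidden from the scanner.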
alexchris
2008-10-22, 17:27
OK, very sorry. What I have just done: copied and pasted the code into Notepad, saved it as CFScript on the desktop, and dragged it into ComboFix. The log follows, together with a new HJ log. Hope I have done the right thing this time round, thanks.
ComboFix 08-10-21.04 - Administrator 2008-10-22 22:15:00.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.58 [GMT 8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\WINDOWS\system32\glubmzob.exe
C:\WINDOWS\system32\nioggmkd.tmp
C:\WINDOWS\system32\nsbypedo.exe
C:\WINDOWS\system32\tatwvink.exe
C:\WINDOWS\system32\titafgzu.exe
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\yfgtmpil.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\lsfwhkfe
C:\WINDOWS\system32\glubmzob.exe
C:\WINDOWS\system32\nioggmkd.tmp
C:\WINDOWS\system32\nsbypedo.exe
C:\WINDOWS\system32\tatwvink.exe
C:\WINDOWS\system32\titafgzu.exe
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\yfgtmpil.exe
.
((((((((((((((((((((((((( Files Created from 2008-09-22 to 2008-10-22 )))))))))))))))))))))))))))))))
.
2008-10-21 23:38 . 2008-10-21 23:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-21 23:38 . 2008-10-21 23:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-21 23:38 . 2008-10-21 23:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-10-21 23:38 . 2008-10-16 20:25 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-21 23:38 . 2008-10-16 20:25 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-21 15:24 . 2008-10-21 15:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-21 08:30 . 2008-10-21 09:08 <DIR> d--h----- C:\$AVG8.VAULT$
2008-10-21 08:25 . 2008-10-22 20:16 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-10-21 08:25 . 2008-10-22 20:16 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-10-21 08:25 . 2008-10-22 20:16 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-10-21 08:24 . 2008-10-22 20:17 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-10-21 08:24 . 2008-10-21 08:24 <DIR> d-------- C:\Program Files\AVG
2008-10-21 08:24 . 2008-10-21 08:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-10-20 12:29 . 2008-10-20 12:29 <DIR> d-------- C:\Program Files\Lavasoft
2008-10-20 12:29 . 2008-10-20 12:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-20 12:27 . 2008-10-20 12:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-19 21:42 . 2008-10-21 23:08 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-10-19 19:11 . 2008-10-19 19:11 91 --a------ C:\WINDOWS\wininit.ini
2008-10-19 12:38 . 2008-10-19 12:38 <DIR> d-------- C:\CurUserIETempDir
2008-10-18 17:19 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-10-18 17:19 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-10-18 17:19 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-10-18 17:19 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-10-10 11:46 . 2004-10-07 14:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-10-10 11:46 . 2004-10-07 14:39 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-10-10 11:46 . 2004-10-07 14:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-21 15:17 --------- d-----w C:\Program Files\Java
2008-10-19 09:58 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-19 09:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-18 09:32 --------- d-----w C:\Program Files\Google
2008-10-18 09:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-13 03:20 --------- d-----w C:\Program Files\NetBattle
2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-08 07:32 --------- d-----w C:\Program Files\Yahoo! Games
2008-09-08 07:30 --------- d-----w C:\Program Files\FlashGet
2008-09-06 15:59 --------- d-----w C:\Program Files\NOS
2008-09-06 15:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
2008-09-06 15:40 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-09-06 15:39 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-05 14:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\DNA
2008-09-05 01:22 --------- d-----w C:\Program Files\DNA
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-20 05:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:00 2,180,352 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:22 2,057,728 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-07-20 10:01 0 ----a-w C:\Documents and Settings\Administrator\jagex_runescape_preferences.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-10-22 1234712]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= C:\Program Files\WIZET\MapleStory\l3codeca.acm
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DSLMON.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DSLMON.lnk
backup=C:\WINDOWS\pss\DSLMON.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX5500 Series]
--a------ 2007-03-01 14:01 180736 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATICAP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-07-01 11:58 118784 C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-07-01 12:02 155648 C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-06 13:15 98304 C:\Program Files\QuickTime\qttask.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\WIZET\\MapleStory\\Patcher.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"=
"C:\\Program Files\\softnyx\\Rakion\\Bin\\rakion.bin"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-10-22 97928]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-10-22 875288]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-22 231704]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-10-22 76040]
S3 dump_wmimmc;dump_wmimmc;C:\Program Files\WIZET\MapleStory\GameGuard\dump_wmimmc.sys [ ]
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-MsgGenUtil - C:\WINDOWS\system32\glubmzob.exe
MSConfigStartUp-procact - C:\WINDOWS\system32\titafgzu.exe
MSConfigStartUp-srvdb - C:\WINDOWS\system32\tatwvink.exe
MSConfigStartUp-StrMon - C:\WINDOWS\system32\nsbypedo.exe
MSConfigStartUp-WebMsg - C:\WINDOWS\system32\yfgtmpil.exe
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-22 22:17:39
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-10-22 22:20:18
ComboFix-quarantined-files.txt 2008-10-22 14:20:13
ComboFix2.txt 2008-10-22 12:33:36
ComboFix3.txt 2008-10-21 08:41:09
Pre-Run: 30,262,390,784 bytes free
Post-Run: 30,254,530,560 bytes free
147 --- E O F --- 2008-10-21 09:04:41
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:50 PM, on 10/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O8 - Extra context menu item: &Search - ?p=ZKxdm014YYSG
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
--
End of file - 4775 bytes
pskelley
2008-10-22, 17:44
If the computer is now running like it should, proceed like this.
Remove combofix from the computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U; it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Clean the System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Update MBAM and scan to be sure we missed none of the junk; there is no need to post a clean scan result.
Update AVG and scan the system, to be sure it is running right and scanning clean. If all is well at that point, let me know and I will close the topic.
Here is a bit of information for you:
FAQ: http://www.avg.com/faq
AVG Free Forum
http://freeforum.avg.com/
If you are interested:
http://russelltexas.com/tutorials/avg8install.htm
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
http://users.telenet.be/bluepatchy/miekiemoes/Links.html