-
This is the new HijackThis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:48:03, on 11.6.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispat...=%s&tbid=60343
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ba/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60343
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_cu...spx?TbId=60343
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60343
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_cu...spx?TbId=60343
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://watson.microsoft.com/dw/dcp.a...&BRAND=WINDOWS
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: I&zvoz u Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Preuzmi odabrano Free Download Manager-om - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Preuzmi sa Free Download Managerom - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Preuzmi sve sa Free Download Manager-om - file://C:\Program Files\Free Download Manager\dlall.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Istraživanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7AF16863-5FF5-4227-9826-9F34B36E60B6}: NameServer = 85.255.114.51 85.255.112.158
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
--
End of file - 6989 bytes
-
OK. We will get another download to use. I would suggest reading the guide on another computer that isn't infected, if that's possible.
The tool is called ComboFix. Read the guide, download ComboFix to your desktop, disable any antivirus and anti-malware that might be running, double-click the ComboFix icon on your desktop and follow the prompts. Post the ComboFix log.
The guide:
http://www.bleepingcomputer.com/comb...o-use-combofix
The download links are in the guide.
If you can't download it then we will try something else. Are you able to use another computer for downloading?
-
ComboFix log
ComboFix 09-06-11.06 - Administrator 12.06.2009 18:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.385.1033.18.1023.715 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090611-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2009-05-12 to 2009-06-12 )))))))))))))))))))))))))))))))
.
2009-06-11 21:29 . 2009-06-11 21:29 1915520 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-06-09 23:01 . 2009-06-09 23:00 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-09 23:00 . 2009-06-09 23:00 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-07 07:56 . 2009-06-07 07:56 -------- d-----w- c:\program files\Trend Micro
2009-06-04 19:33 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-06-04 19:33 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-06-04 19:33 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-06-04 19:33 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-06-04 19:33 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-06-04 19:33 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-06-04 19:33 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-06-04 19:33 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-06-04 19:33 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-06-04 19:32 . 2009-06-04 19:32 -------- d-----w- c:\program files\Alwil Software
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 16:13 . 2008-02-16 21:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Free Download Manager
2009-06-12 16:04 . 2008-04-12 15:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Spyware Terminator
2009-06-09 23:02 . 2007-10-25 20:22 -------- d-----w- c:\program files\Java
2009-06-08 16:49 . 2009-05-08 22:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-04 20:39 . 2008-12-29 17:51 -------- d-----w- c:\program files\WinClamAVShield
2009-05-28 18:47 . 2008-07-11 16:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-05-28 18:19 . 2009-05-12 19:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-05-26 11:20 . 2009-05-08 22:17 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 11:19 . 2009-05-08 22:17 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-20 22:16 . 2008-01-07 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-05-20 22:12 . 2008-04-12 15:04 -------- d-----w- c:\program files\Spyware Terminator
2009-05-13 19:58 . 2008-02-16 21:01 -------- d-----w- c:\program files\Free Download Manager
2009-05-08 22:17 . 2009-05-08 22:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-08 22:17 . 2009-05-08 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-06 21:45 . 2006-10-20 17:08 44112 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-06 20:26 . 2006-10-20 16:53 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-03 00:33 . 2008-01-01 14:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-02 19:52 . 2009-05-02 19:52 -------- d-----w- c:\program files\MSSOAP
2009-04-18 12:47 . 2006-10-20 17:11 -------- d-----w- c:\program files\Valve
.
------- Sigcheck -------
[7] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2002-08-29 01:58 332928 244A2F9816BC9B593957281EF577D976 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2004-08-03 21:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB917953$\tcpip.sys
[7] 2004-08-03 21:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\system32\dllcache\tcpip.sys
[-] 2006-04-20 11:51 359808 B4E29943B4B04BD5E7381546848E6669 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-08-25 28672]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 344064]
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2009-05-08 1783808]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-08-25 28672]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoFileUrl"= 0 (0x0)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Free Download Manager\\fdmwi.exe"=
"c:\\Program Files\\Free Download Manager\\fdm.exe"=
"c:\\Program Files\\Valve\\hl.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 0 (0x0)
"AllowInboundTimestampRequest"= 0 (0x0)
"AllowInboundMaskRequest"= 0 (0x0)
"AllowInboundRouterRequest"= 0 (0x0)
"AllowOutboundDestinationUnreachable"= 0 (0x0)
"AllowOutboundSourceQuench"= 0 (0x0)
"AllowOutboundParameterProblem"= 0 (0x0)
"AllowOutboundTimeExceeded"= 0 (0x0)
"AllowRedirect"= 0 (0x0)
"AllowOutboundPacketTooBig"= 0 (0x0)
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4.6.2009 21:33 114768]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [12.4.2008 17:05 141312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4.6.2009 21:33 20560]
R3 PAC207;i-Look 111;c:\windows\system32\drivers\PFC027.SYS [29.6.2007 16:32 611584]
S2 Akamai;Akamai;c:\windows\System32\svchost.exe -k Akamai [23.8.2001 14:00 14336]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\Windows Live\Messenger\usnsvc.exe [18.10.2007 11:31 98328]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ba/
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: I&zvoz u Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Preuzmi odabrano Free Download Manager-om - file://c:\program files\Free Download Manager\dlselected.htm
IE: Preuzmi sa Free Download Managerom - file://c:\program files\Free Download Manager\dllink.htm
IE: Preuzmi sve sa Free Download Manager-om - file://c:\program files\Free Download Manager\dlall.htm
Trusted Zone: google.ba\www
Trusted Zone: live.com \www
Trusted Zone: safer-networking.org\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-12 18:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1078081533-1801674531-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,08,25,11,cc,ca,bd,4b,97,42,24,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,08,25,11,cc,ca,bd,4b,97,42,24,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,08,25,11,cc,ca,bd,4b,97,42,24,\
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(568)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-06-12 18:21
ComboFix-quarantined-files.txt 2009-06-12 16:21
Pre-Run: 27.582.144.512 bytes free
Post-Run: 27.570.438.144 bytes free
157 --- E O F --- 2007-12-21 18:34
-
Please note that ComboFix did not install WRC.
I did not get any message about installing the Windows Recovery Console (what is that anyway?). I tried to install it from the Microsoft web page, but the page is blank.
Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:
ComboFix Recovery Console
At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console. Once it has finished installing, you will be presented with the screen shown below.
ComboFix Recovery Console Finished
You should now press the Yes button to continue. If at any time during the Recovery Console installation you receive a message stating that it failed to install, please allow ComboFix to continue with the scan of your computer. When it is done, and a log has been created, you can then perform the manual install of the Recovery Console using the steps found in the Manually installing the Windows Recovery Console section.
ComboFix will now disconnect your computer from the Internet
-
Hi,
The Windows Recovery Console is a command-line shell for doing certain tasks without booting fully into the Windows environment.
Did you try installing it by clicking Yes to have ComboFix download and install it for you? You did not get a message from ComboFix saying that it wasn't installed?
As for the malware on your machine, we are not making much progress. Your web browsing is being redirected; that's why you can't get to certain web pages. Malwarebytes, in my past experience, is capable of removing this trojan. I don't know why it's not removing yours. ComboFix also did not remove any malware, and I don't recognize any malware in the log.
It's best to remove malware as soon as possible; an infection that drags on for whatever reason is not good. Malware on a machine will "fetch" more malware. I would use the machine as little as possible, and when it is not in use unplug your modem and/or router so there is no network connectivity.
Run ComboFix again and see if you get the message about installing the Recovery Console.
We will also get another download to use. It's called SDFix, and it only runs in Safe Mode. Link and directions for SDFix:
Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/R...ools/SDFix.exe
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following:
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
* Finally paste the contents of the Report.txt in your reply.
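The redirect symptom described above shows up in a HijackThis log as O17 NameServer entries and R0/R1 search settings that differ from what the owner configured. The following triage script is an added example, not part of this thread or of any tool named in it; the `TRUSTED_RESOLVERS` and `TRUSTED_SEARCH_HOSTS` allowlists are assumptions an analyst fills in per machine, and the sample lines are copied from the HijackThis log posted earlier in the thread.

```python
"""Triage HijackThis-style log lines for DNS and IE search redirection.

Added example: not part of the thread or of HijackThis. The allowlists are
assumptions; an analyst sets them to what the machine's owner actually
configured before running the script over a pasted log.
"""
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlparse

# Resolvers the owner configured (the OpenDNS pair that appears in the
# thread's own O17 lines). Any other resolver bound to an interface is reported.
TRUSTED_RESOLVERS = {"208.67.220.220", "208.67.222.222"}
# Hosts the owner expects IE start/search settings to point at (assumption).
TRUSTED_SEARCH_HOSTS = {"www.google.ba"}

# O17 - <registry key>: NameServer = <ip>[ ,<ip>...]
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
# R0/R1 - <registry key>,<value name> = <url>
R_RE = re.compile(r"^R[01] - (?P<key>[^=]+?) = (?P<value>\S+)$")

# Constructed sample: lines copied from the HijackThis log posted in the thread.
SAMPLE_LINES = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispat...=%s&tbid=60343",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ba/",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60343",
    r"R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://watson.microsoft.com/dw/dcp.a...&BRAND=WINDOWS",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{7AF16863-5FF5-4227-9826-9F34B36E60B6}: NameServer = 85.255.114.51 85.255.112.158",
    r"O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222",
]


def parse_nameservers(field: str) -> List[str]:
    """HijackThis separates resolvers with spaces or commas; keep only valid IPs."""
    servers: List[str] = []
    for token in re.split(r"[ ,]+", field.strip()):
        try:
            servers.append(str(ipaddress.ip_address(token)))
        except ValueError:
            continue  # tolerate stray tokens rather than abort the whole triage
    return servers


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per line that deviates from the allowlists.

    untrusted_dns: an interface-specific key (or the global Tcpip Parameters
    key) names a resolver outside TRUSTED_RESOLVERS. A per-interface entry
    that disagrees with the global one is the classic shape of a DNS hijack.
    untrusted_search: an IE Main/Search value points off the expected hosts.
    Findings are for analyst review; the script does not decide maliciousness.
    """
    findings: List[Dict[str, object]] = []
    for raw in lines:
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            untrusted = [ip for ip in parse_nameservers(m["servers"])
                         if ip not in TRUSTED_RESOLVERS]
            if untrusted:
                findings.append({"type": "untrusted_dns", "key": m["key"],
                                 "servers": untrusted})
            continue
        m = R_RE.match(line)
        if m and (r"Internet Explorer\Main" in m["key"]
                  or r"Internet Explorer\Search" in m["key"]):
            host = urlparse(m["value"]).hostname or ""
            if host and host not in TRUSTED_SEARCH_HOSTS:
                findings.append({"type": "untrusted_search", "key": m["key"],
                                 "host": host})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

On the sample above the script reports the two Crawler search URLs and the single interface-bound pair 85.255.114.51 / 85.255.112.158, while the OpenDNS entries pass.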
-
ComboFix did not ask me "yes" or "no" to install WRC.
I did not get the pop-up window (ComboFix example attached in my previous message) with the question to install WRC....
Below is the SDFix report:
SDFix: Version 1.240
Run by Administrator on sub 13.06.2009 at 17:00
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
No Trojan Files Found
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-13 17:12:55
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ekqwsf]
"DisplayName"="Task Installer"
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"%SystemRoot%\system32\svchost.exe -k netsvcs"
"ObjectName"="LocalSystem"
"Description"="Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start."
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ekqwsf\Parameters]
"ServiceDll"=str(2):"C:\WINDOWS\system32\itxlf.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ekqwsf]
"DisplayName"="Task Installer"
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"%SystemRoot%\system32\svchost.exe -k netsvcs"
"ObjectName"="LocalSystem"
"Description"="Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start."
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ekqwsf\Parameters]
"ServiceDll"=str(2):"C:\WINDOWS\system32\itxlf.dll"
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System]
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe"="C:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe:*:Disabled:Ad-Aware SE Personal"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Disabled:DNA"
"C:\\Program Files\\Free Download Manager\\fdmwi.exe"="C:\\Program Files\\Free Download Manager\\fdmwi.exe:*:Disabled:FDM remote control server"
"C:\\Program Files\\Free Download Manager\\fdm.exe"="C:\\Program Files\\Free Download Manager\\fdm.exe:*:Disabled:Free Download Manager"
"C:\\Program Files\\Valve\\hl.exe"="C:\\Program Files\\Valve\\hl.exe:*:Disabled:Half-Life Launcher"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Disabled:iTunes"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Disabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"="C:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe:*:Disabled:Nero Home"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
Remaining Files :
Files with Hidden Attributes :
Mon 16 Apr 2007 89,280 A.SHR --- "C:\WINDOWS\system32\itxlf.dll"
Finished!
-
Hi,
See if you can locate this .dll in the system32 directory. If so, you can upload it to a web site:
itxlf.dll
located here:
C:\WINDOWS\system32 (C:\WINDOWS\system32\itxlf.dll)
You can go to this website, browse for the file on your computer and click the Send button to upload it. After the scan is done you can copy/paste the URL (http://....) in your reply.
Upload the file here:
http://www.virustotal.com/
We will also get another download to use:
Please download RootRepeal:
http://rootrepeal.googlepages.com/RootRepeal.zip
Extract the file to your desktop.
Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window
Next, Click on the Scan button
In the Select Scan Window check everything:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan
May take some time to complete.
When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit
Post the report in your reply
-
Shelf life
Virustotal.com is a blank page.
This file itxlf.dll is 7 years old, I don't think that is a problem...
RootRepeal has some problems; it cannot scan files and hidden services...
-
It's OK, it was just the RootRepeal Settings - Options - Disk Access Level; I set it to High.
It was on Special, which is why it couldn't scan files and hidden services.
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Time: 2009/06/15 20:42
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP2
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA91D000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7D7C000 Size: 8192 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9CE1000 Size: 49152 File Visible: No Signed: -
Status: -
SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1d606
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1d05a
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1cd3c
#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1e652
#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1ce46
#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1cf30
#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaab2014c
#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1d8cc
#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1d362
#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaab2064e
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaab2008c
#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaab200f0
#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaab2076e
#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaab2072e
#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1cbba
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1d814
#: 274 Function Name: NtWriteFile
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1d494
Hidden Services
-------------------
Service Name: ekqwsf
Image Path: %SystemRoot%\system32\svchost.exe -k netsvcs
==EOF==
-
The file itxlf.dll is a system file; it can't be copied even in Safe Mode.
The file itxlf.dll is active/running even if the network connection is broken or in Safe Mode. This is an important system file, so I can't copy it to the desktop or upload it here....