Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Another infected computer! Please assist

Post by makem » November 13th, 2007, 8:57 am

Hi, I turned on another computer today (I already have a thread here for another machine) and found Spybot and NOD32 throwing up lots of problems. I denied access to all changes and now the 'thing' keeps trying to spread, making the machine unusable. This is what is shown:

PSW.x-Virtrojan
Trojan-Spy.win52@mx
Win32/Adware.SecToolbar
Networm-i.Virus@fp
Numerous WinLogon random named files which Resident denies access to.

I keep getting a yellow triangle warning in the sys tray - click here to download software to remove etc. which I have not done.

Also get popups in sys tray:
sys performance down by 47%
Internet decreased by 39%

Also a notice from Internet Explorer saying it is infected and would I like to download software etc. which I do not do.

Internet Explorer opens and says I do not have antivirus software - suggests downloading:
BestSellerAntivirus, StorageProtector and OnlineHelpmate via 'download' buttons. I have not done this.

The overall impression is that I am being asked to download software by the 'thing' that is causing the infection. Can someone assist please.
makem
Regular Member
 
Posts: 45
Joined: November 10th, 2007, 3:31 pm

Re: Another infected computer! Please assist

Post by Scotty » November 13th, 2007, 9:03 am

Hi! Welcome to the MWR forums.
My name is Scotty. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research.

Please be patient, as my posts to you have to be checked before I reply, so they may take longer.


Click here to download HJTsetup.exe

  • Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
  • Click Save to save the log file and then the log will open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: Another infected computer! Please assist

Post by makem » November 13th, 2007, 9:15 am

Log as requested:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:13:04, on 13/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\SYSTEM32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
F:\WINDOWS\system32\texlyrwg.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\Program Files\Eset\nod32krn.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\SYSTEM32\winlogon.exe
F:\WINDOWS\SYSTEM32\logonui.exe
F:\WINDOWS\SYSTEM32\rdpclip.exe
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Eset\nod32kui.exe
F:\WINDOWS\system32\ctfmon.exe
F:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - F:\WINDOWS\system32\slczgvbi.dll
O4 - HKLM\..\Run: [Cmaudio] -RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] -F:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] -F:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [SoundMan] -SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] -"F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] -"F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [nod32kui] "F:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DiskeeperSystray] "F:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ICQ Lite] -"F:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [6cdc9ce0] rundll32.exe "F:\WINDOWS\system32\yujugjhw.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] -"F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MailWasher] F:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
O4 - HKCU\..\Run: [Steam] "F:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - F:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - F:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - F:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0175246499
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0177533779
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - AppInit_DLLs: F:\WINDOWS\system32\__c0034006.dat
O23 - Service: Adobe LM Service - Unknown owner - -"F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: DomainService - - F:\WINDOWS\system32\texlyrwg.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - F:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - -F:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - -"F:\Program Files\MSN Messenger\usnsvc.exe" (file missing)

--
End of file - 6463 bytes
makem
Regular Member
 
Posts: 45
Joined: November 10th, 2007, 3:31 pm

Re: Another infected computer! Please assist

Post by Scotty » November 13th, 2007, 9:24 am

Hi

Rename HijackThis
There is a possibility that an infection is hiding part of the HijackThis log because the scanner is called hijackthis.exe.
Please rename hijackthis.exe to iseeu.exe by right-clicking on the Desktop icon and selecting Rename.

Now scan again and post a new log, please.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: Another infected computer! Please assist

Post by makem » November 13th, 2007, 9:37 am

I renamed the exe file in the install folder rather than the shortcut on the desktop. I hope this was correct.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:35:24, on 13/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\SYSTEM32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
F:\WINDOWS\system32\texlyrwg.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\Program Files\Eset\nod32krn.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\SYSTEM32\winlogon.exe
F:\WINDOWS\SYSTEM32\logonui.exe
F:\WINDOWS\SYSTEM32\rdpclip.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Eset\nod32kui.exe
F:\WINDOWS\system32\ctfmon.exe
F:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\WINDOWS\SYSTEM32\logon.scr
F:\Program Files\Trend Micro\HijackThis\iseeu.exe
F:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E19385E-C7EE-43E5-B10E-29450DADEEA7} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - F:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - F:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {512FFA74-9917-40DD-BC10-3653FA9B52F7} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - F:\WINDOWS\system32\goadgviy.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - F:\WINDOWS\system32\slczgvbi.dll
O2 - BHO: (no name) - {E99A764D-A1D1-414F-9D6C-0FE40231C90A} - F:\WINDOWS\system32\ddcyv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - F:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - F:\WINDOWS\system32\slczgvbi.dll
O4 - HKLM\..\Run: [Cmaudio] -RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] -F:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] -F:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [SoundMan] -SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] -"F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] -"F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [nod32kui] "F:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DiskeeperSystray] "F:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ICQ Lite] -"F:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [6cdc9ce0] rundll32.exe "F:\WINDOWS\system32\yujugjhw.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] -"F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MailWasher] F:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
O4 - HKCU\..\Run: [Steam] "F:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - F:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - F:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - F:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0175246499
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0177533779
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - AppInit_DLLs: F:\WINDOWS\system32\__c0034006.dat
O20 - Winlogon Notify: slczgvbi - F:\WINDOWS\SYSTEM32\slczgvbi.dll
O23 - Service: Adobe LM Service - Unknown owner - -"F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: DomainService - Unknown owner - F:\WINDOWS\system32\texlyrwg.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - F:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - -F:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - -"F:\Program Files\MSN Messenger\usnsvc.exe" (file missing)

--
End of file - 7591 bytes
makem
Regular Member
 
Posts: 45
Joined: November 10th, 2007, 3:31 pm
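Scotty's point above is that a scanner named hijackthis.exe can be fed a partial view; the second log (run as iseeu.exe) shows O2 BHO and O20 Winlogon Notify entries that the first scan never listed. The script below is an added example, not code from the thread or from HijackThis: it keys each entry on its section and module path (so the DomainService line, whose wording changed between scans, is not reported as new), lists what appeared only after the rename, and applies a few heuristics a helper uses when reading such logs. The sample logs are constructed excerpts of the two logs posted in this thread, and the triage rules are assumptions, not HijackThis's own.

```python
"""Diff two HijackThis logs and triage the entries that appeared only in the second."""
import re

# Constructed excerpts of the two logs posted in the thread: first scan run as
# hijackthis.exe, second scan run as iseeu.exe. Paths are as posted.
LOG_BEFORE = r"""
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - F:\WINDOWS\system32\slczgvbi.dll
O4 - HKLM\..\Run: [nod32kui] "F:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [6cdc9ce0] rundll32.exe "F:\WINDOWS\system32\yujugjhw.dll",b
O20 - AppInit_DLLs: F:\WINDOWS\system32\__c0034006.dat
O23 - Service: DomainService - - F:\WINDOWS\system32\texlyrwg.exe
"""

LOG_AFTER = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - F:\WINDOWS\system32\goadgviy.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - F:\WINDOWS\system32\slczgvbi.dll
O2 - BHO: (no name) - {E99A764D-A1D1-414F-9D6C-0FE40231C90A} - F:\WINDOWS\system32\ddcyv.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - F:\WINDOWS\system32\slczgvbi.dll
O4 - HKLM\..\Run: [nod32kui] "F:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [6cdc9ce0] rundll32.exe "F:\WINDOWS\system32\yujugjhw.dll",b
O20 - AppInit_DLLs: F:\WINDOWS\system32\__c0034006.dat
O20 - Winlogon Notify: slczgvbi - F:\WINDOWS\SYSTEM32\slczgvbi.dll
O23 - Service: DomainService - Unknown owner - F:\WINDOWS\system32\texlyrwg.exe
"""

# A Windows path ending in a loadable module; the last one on a line is the module
# the entry actually loads (e.g. the DLL handed to rundll32.exe, not rundll32 itself).
PATH_RE = re.compile(r'\b[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|dat|sys|cpl)\b', re.IGNORECASE)


def module_path(line):
    """Return the last module path on a log line, or '' if it has none."""
    paths = PATH_RE.findall(line)
    return paths[-1] if paths else ""


def parse_entries(log_text):
    """Map (section, lowercased module path) -> full line for each R/O entry."""
    entries = {}
    for line in log_text.splitlines():
        m = re.match(r"^(O\d+|R\d+) - ", line)
        if not m:
            continue  # headers, process list, blank lines
        path = module_path(line)
        # Keying on the path (not the whole line) keeps a reworded entry, such as
        # the DomainService line, from showing up as a new load point.
        entries[(m.group(1), path.lower() if path else line.lower())] = line
    return entries


def new_entries(before, after):
    """Lines present in the second log but not in the first."""
    seen = parse_entries(before)
    return [line for key, line in parse_entries(after).items() if key not in seen]


def triage(line):
    """Heuristic reasons (assumed, not HijackThis's) a helper would look twice at an entry."""
    section = line.split(" - ", 1)[0]
    path = module_path(line)
    name = path.rsplit("\\", 1)[-1]
    reasons = []
    if section == "O20":
        reasons.append("O20 load point (AppInit_DLLs / Winlogon Notify)")
    if "(no name)" in line:
        reasons.append("no display name")
    # Short all-lowercase DLL names in system32 (slczgvbi, goadgviy, ddcyv) are a
    # common sign of generated filenames; legitimate files can match too, so this
    # is a prompt to check, not a verdict.
    if "\\system32\\" in path.lower() and re.fullmatch(r"[a-z]{5,8}\.dll", name):
        reasons.append("random-looking DLL name in system32")
    if section == "O23" and ("Unknown owner" in line or " - - " in line):
        reasons.append("service without a vendor")
    return reasons


def report(before, after):
    """Each entry that appeared only after the rename, paired with its triage reasons."""
    return [(line, triage(line)) for line in new_entries(before, after)]


if __name__ == "__main__":
    for line, reasons in report(LOG_BEFORE, LOG_AFTER):
        print(line)
        for r in reasons:
            print("    ->", r)
```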

Re: Another infected computer! Please assist

Post by makem » November 13th, 2007, 10:17 am

NOD32 now says:
f:\windows\system32\texlyrwg.exe - Win32/Adware.Ezula application
f:\windows\system32\slczgvbi.dll - Win32/Adware.SecToolbar application
F:\WINDOWS\SYSTEM32\slczgvbi.dll - Win32/Adware.SecToolbar application
F:\WINDOWS\system32\texlyrwg.exe - Win32/Adware.Ezula application

It offers to deal with these and has deleted 2, but needs a reboot to deal with the others.
makem
Regular Member
 
Posts: 45
Joined: November 10th, 2007, 3:31 pm

Re: Another infected computer! Please assist

Post by Scotty » November 13th, 2007, 11:18 am

Hi

Don't do anything until I get back to you.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: Another infected computer! Please assist

Post by makem » November 13th, 2007, 11:23 am

Sorry, but NOD32 is scanning and deleting files - it does produce a log, though.
makem
Regular Member
 
Posts: 45
Joined: November 10th, 2007, 3:31 pm

Re: Another infected computer! Please assist

Post by Scotty » November 15th, 2007, 1:33 pm

Hi

Disable Teatimer
First:

  • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
  • Choose Exit Spybot S&D Resident

Second:

  • Open Spybot S&D
  • Click Mode, check Advanced Mode
  • Go To Left Panel, Click Tools, then also in left panel, click Resident
  • If your firewall raises a question, say OK
  • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.


Download and Save ComboFix

  • Download this file from below:

    Here
  • Save it to your Desktop.
  • Disconnect from the Internet, then disable your anti-virus and any real-time anti-spyware monitors that are running.
  • Then double click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.

Note 1: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Note 2: Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: Another infected computer! Please assist

Post by makem » November 15th, 2007, 7:47 pm

After ComboFix rebooted the machine and was preparing the log report, the following Windows error message came up:

sed.cfexe has encountered a problem and needs to close. We are sorry etc........
There was a debug button and a close button. I clicked the close button and ComboFix continued and prepared the log.

I tell you this because I have not seen that error when using ComboFix previously.

ComboFix 07-11-08.3 - makem 2007-11-15 23:30:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.674 [GMT 0:00]
Running from: F:\Documents and Settings\makem.HAL\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\WINDOWS\system32\Cache
F:\WINDOWS\system32\ddcyv.dll
F:\WINDOWS\system32\goadgviy.dll
F:\WINDOWS\system32\slczgvbi.dllbox
F:\WINDOWS\system32\vycdd.bak1
F:\WINDOWS\system32\vycdd.bak2
F:\WINDOWS\system32\vycdd.ini
F:\WINDOWS\system32\vycdd.ini2
F:\WINDOWS\system32\vycdd.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_SVCHOST
-------\nm


((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 )))))))))))))))))))))))))))))))
.

2007-11-15 23:29 51,200 --a------ F:\WINDOWS\NirCmd.exe
2007-11-15 15:07 85,056 --a------ F:\WINDOWS\system32\quygnenq.dll
2007-11-15 14:52 10,816 --a------ F:\WINDOWS\system32\qbkhisue.dll
2007-11-13 13:10 <DIR> d-------- F:\Program Files\Trend Micro
2007-11-13 12:26 88,128 --a------ F:\WINDOWS\system32\kieqmjqa.dll
2007-11-13 12:25 10,816 --a------ F:\WINDOWS\system32\aockpxva.dll
2007-11-13 12:22 10,816 --a------ F:\WINDOWS\system32\qfqquhsw.dll
2007-10-30 09:17 589 --a------ F:\WINDOWS\system32\etkmtkbl.dll
2007-10-26 15:41 10,816 --a------ F:\WINDOWS\system32\xpgvbhly.dll
2007-10-16 11:02 1,422 --a------ F:\Documents and Settings\makem.HAL\clean.reg
2007-10-16 10:54 <DIR> d-------- F:\WINDOWS\ERUNT
2007-10-16 10:24 <DIR> d-------- F:\Documents and Settings\makem.HAL\Application Data\Leadertech
2007-10-16 10:23 <DIR> d-------- F:\Program Files\Diskeeper Corporation
2007-10-15 23:51 6 --a------ F:\WINDOWS\system32\kmdsregl.exe
2007-10-15 23:42 <DIR> d-------- F:\Program Files\Dealio
2007-10-15 23:42 <DIR> d-------- F:\Program Files\Common Files\SWF Studio
2007-10-15 23:41 <DIR> d-------- F:\WINDOWS\Web Download
2007-10-15 23:33 512,096 --a------ F:\WINDOWS\system32\drivers\amon.sys
2007-10-15 23:33 298,104 --a------ F:\WINDOWS\system32\imon.dll
2007-10-15 23:33 15,424 --a------ F:\WINDOWS\system32\drivers\nod32drv.sys
2007-10-15 22:57 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Avg7
2007-10-15 21:34 584,192 -----c--- F:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-15 23:37 --------- d-----w F:\Documents and Settings\makem.HAL\Application Data\MailWasherPro
2007-11-15 14:52 --------- d-----w F:\Program Files\Steam
2007-10-23 13:32 --------- d-----w F:\Program Files\FlashFXP.v3.3.5.1110.BETA5
2007-10-16 11:24 --------- d-----w F:\Program Files\FlashGet
2007-10-16 10:24 --------- d-----w F:\Program Files\Executive Software
2007-10-16 10:19 --------- d-----w F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-15 22:55 --------- d-----w F:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-05 20:45 --------- d-----w F:\Program Files\Microsoft Works
2007-10-04 22:10 --------- d-----w F:\Program Files\tz_mIRC
2007-10-04 22:10 --------- d-----w F:\Program Files\geordies_mIRC
2007-10-04 21:36 --------- d-----w F:\Program Files\GuildFTPd
2007-09-29 20:43 --------- d-----w F:\Program Files\Common Files\L&H
2007-09-27 09:07 --------- d-----w F:\Program Files\DigiGuide TV Guide
2007-09-27 09:00 --------- d-----w F:\Program Files\zone_mIRC
2007-09-25 21:19 --------- d-----w F:\Documents and Settings\makem.HAL\Application Data\Lavasoft
2007-09-24 16:53 --------- d-----w F:\Documents and Settings\makem.HAL\Application Data\FlashFXP
2007-09-23 10:53 --------- d-----w F:\Program Files\tbsg_mIRC
2007-09-23 10:51 --------- d-----w F:\Documents and Settings\makem.HAL\Application Data\mIRC
2007-09-23 10:49 --------- d-----w F:\Program Files\new_zone_mIRC
2007-09-21 18:01 --------- d-----w F:\Documents and Settings\makem.HAL\Application Data\ACD Systems
2007-09-21 14:07 --------- d-----w F:\Documents and Settings\makem.HAL\Application Data\.BitTornado
2007-09-16 15:27 --------- d-----w F:\Program Files\MailWasher Pro
2007-09-16 15:25 --------- d-----w F:\Documents and Settings\makem\Application Data\MailWasherPro
2006-03-11 17:55 457 ----a-w F:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E19385E-C7EE-43E5-B10E-29450DADEEA7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{512FFA74-9917-40DD-BC10-3653FA9B52F7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="-cmicnfg.cpl" []
"NeroFilterCheck"="-F:\WINDOWS\System32\NeroCheck.exe" []
"IMEKRMIG6.1"="-F:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" []
"SoundMan"="-SOUNDMAN.EXE" []
"QuickTime Task"="-F:\Program Files\QuickTime\qttask.exe" []
"!AVG Anti-Spyware"="-F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" []
"nod32kui"="F:\Program Files\Eset\nod32kui.exe" [2007-10-15 23:33]
"DiskeeperSystray"="F:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 16:38]
"ICQ Lite"="-F:\Program Files\ICQLite\ICQLite.exe" []
"6cdc9ce0"="F:\WINDOWS\system32\yujugjhw.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"msnmsgr"="-F:\Program Files\MSN Messenger\msnmsgr.exe" []
"MailWasher"="F:\PROGRA~1\MAILWA~1\MAILWA~1.EXE" [2003-11-10 13:25]

F:\Documents and Settings\makem\Start Menu\Programs\Startup\
DigiGuide.lnk - F:\Program Files\DigiGuide TV Guide\Client.exe [2005-10-30 22:55:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"Norun"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"DisableReistryTools"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\slczgvbi]
slczgvbi.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 F:\WINDOWS\system32\ddcyv.dll
"Notification Packages"= scecli scecli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Acronis Scheduler2 Service"="F:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
"SunJavaUpdateSched"=F:\Program Files\Java\jre1.5.0_05\bin\jusched.exe

R2 AsProbe;AsProbe;\??\F:\WINDOWS\System32\drivers\AsProbe.sys
R2 UxTuneUp;TuneUp Design Expansion;F:\WINDOWS\System32\svchost.exe -k netsvcs
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;F:\WINDOWS\system32\DRIVERS\AN983.sys
R3 HCW848NT;Hauppauge Win/TV;F:\WINDOWS\system32\DRIVERS\hcw848nt.sys
S3 AvFlt;Antivirus Filter Driver;F:\WINDOWS\system32\drivers\av5flt.sys
S3 HWACCESS;HWACCESS;\??\F:\WINDOWS\system32\HWACCESS.SYS
S3 LMImirr;LMImirr;F:\WINDOWS\system32\DRIVERS\LMImirr.sys
S3 mirrorv3;mirrorv3;F:\WINDOWS\system32\DRIVERS\rminiv3.sys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2007-10-26 16:15:00 F:\WINDOWS\Tasks\1-Click Maintenance.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 23:37:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MailWasher = F:\PROGRA~1\MAILWA~1\MAILWA~1.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-15 23:41:27 - machine was rebooted
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:47:16, on 15/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\Program Files\Eset\nod32krn.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\logonui.exe
F:\WINDOWS\system32\rdpclip.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Eset\nod32kui.exe
F:\WINDOWS\system32\ctfmon.exe
F:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
F:\WINDOWS\system32\NOTEPAD.EXE
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Trend Micro\HijackThis\iseeu.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E19385E-C7EE-43E5-B10E-29450DADEEA7} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - F:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - F:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {512FFA74-9917-40DD-BC10-3653FA9B52F7} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - F:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [Cmaudio] -RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] -F:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] -F:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [SoundMan] -SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] -"F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] -"F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [nod32kui] "F:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DiskeeperSystray] "F:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ICQ Lite] -"F:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [6cdc9ce0] rundll32.exe "F:\WINDOWS\system32\yujugjhw.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] -"F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MailWasher] F:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - F:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - F:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - F:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0175246499
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0177533779
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: slczgvbi - slczgvbi.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - -"F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - F:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - -F:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - -"F:\Program Files\MSN Messenger\usnsvc.exe" (file missing)

--
End of file - 6816 bytes

Re: Another infected computer! Please assist

Post by Scotty » November 16th, 2007, 7:48 pm

Hi

Open Notepad - it must be Notepad, not WordPad.
Copy the text in the code box below by highlighting all of it with your mouse and pressing Ctrl+C.

Code:
File::
F:\WINDOWS\system32\quygnenq.dll
F:\WINDOWS\system32\qbkhisue.dll
F:\WINDOWS\system32\kieqmjqa.dll
F:\WINDOWS\system32\aockpxva.dll
F:\WINDOWS\system32\qfqquhsw.dll
F:\WINDOWS\system32\etkmtkbl.dll
F:\WINDOWS\system32\xpgvbhly.dll
F:\WINDOWS\system32\kmdsregl.exe
F:\WINDOWS\system32\ddcyv.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E19385E-C7EE-43E5-B10E-29450DADEEA7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{512FFA74-9917-40DD-BC10-3653FA9B52F7}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"6cdc9ce0"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"DisableReistryTools"=dword:00000000
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\slczgvbi] 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00 

Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log with a new HijackThis log.
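
The Registry:: section of a CFScript is written in regedit's .reg syntax: a key in square brackets with a leading minus, [-KEY], deletes the whole key; "name"=- under a key deletes that value; dword: and hex(7): set a REG_DWORD and a REG_MULTI_SZ. So the script above deletes the two orphan BHO CLSIDs, removes the 6cdc9ce0 Run value, sets DisableReistryTools (spelled that way in the script and in the ComboFix log that follows) to 0, deletes the slczgvbi Winlogon Notify key, and rewrites LSA Authentication Packages to the bytes 6d 73 76 31 5f 30 00 00, which is the string msv1_0 followed by the two terminating nulls of a REG_MULTI_SZ, i.e. the Windows default. Any extra DLL named in that value is loaded into lsass.exe at boot, so confirming it holds only msv1_0 afterwards is worth the check. The parser below is an added example, not ComboFix code and not part of the thread; it lists the actions the posted section asks for and decodes the multi-string. The ~ in the BHO key paths is kept exactly as written.

```python
"""Decode the Registry:: section of the CFScript posted above.

Added example: not ComboFix code and not part of the thread. The section
uses regedit .reg syntax; this lists the requested actions and decodes
the hex(7) (REG_MULTI_SZ) data so the intended end state can be checked.
"""
import re

# Copied from Scotty's CFScript above; the ~ in the BHO paths is kept as written.
CFSCRIPT_REGISTRY = r'''
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E19385E-C7EE-43E5-B10E-29450DADEEA7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{512FFA74-9917-40DD-BC10-3653FA9B52F7}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"6cdc9ce0"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"DisableReistryTools"=dword:00000000
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\slczgvbi]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
'''

VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')

def decode_multi_sz(hex_data):
    """hex(7) byte list -> list of strings.

    The posted script uses one byte per character (REGEDIT4 style), as the
    eight bytes for "msv1_0" plus two terminating nulls show; a Unicode
    .reg file would carry UTF-16LE instead.
    """
    raw = bytes(int(b, 16) for b in hex_data.split(",") if b.strip())
    return [part.decode("latin-1") for part in raw.split(b"\x00") if part]

def parse_reg_script(text):
    """Return (action, key, value_name, data) tuples in script order."""
    actions, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[-") and line.endswith("]"):
            actions.append(("delete_key", line[2:-1], None, None))   # [-KEY] deletes the key
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                                         # [KEY] selects a key
        else:
            m = VALUE_LINE.match(line)
            if not m or key is None:
                raise ValueError("unparsed line: " + line)
            name, data = m.groups()
            if data == "-":
                actions.append(("delete_value", key, name, None))    # "name"=- deletes the value
            elif data.startswith("dword:"):
                actions.append(("set_dword", key, name, int(data[len("dword:"):], 16)))
            elif data.startswith("hex(7):"):
                actions.append(("set_multi_sz", key, name, decode_multi_sz(data[len("hex(7):"):])))
            else:
                actions.append(("set_other", key, name, data))
    return actions

def lsa_auth_packages_ok(actions):
    """True if the script sets LSA Authentication Packages back to msv1_0 alone."""
    for action, key, name, data in actions:
        if action == "set_multi_sz" and key.lower().endswith("control\\lsa") \
                and name == "Authentication Packages":
            return data == ["msv1_0"]
    return False

if __name__ == "__main__":
    acts = parse_reg_script(CFSCRIPT_REGISTRY)
    for a in acts:
        print(a)
    print("LSA Authentication Packages back to default:", lsa_auth_packages_ok(acts))
```

The same decoder is useful after the fact: export the Lsa key with regedit and feed the exported hex(7) line through decode_multi_sz to see whether anything besides msv1_0 is still listed.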

Re: Another infected computer! Please assist

Post by makem » November 16th, 2007, 9:39 pm

Hi, your instructions said: Rename the file "CFScript.txt" (including the quotes), but of course you cannot use quotes in a file name.

ComboFix 07-11-08.3 - makem 2007-11-17 1:30:52.2 - NTFSx86
Running from: F:\Documents and Settings\makem.HAL\Desktop\ComboFix.exe
Command switches used :: F:\Documents and Settings\makem.HAL\Desktop\CFScript.txt
* Created a new restore point

FILE
F:\WINDOWS\system32\aockpxva.dll
F:\WINDOWS\system32\ddcyv.dll
F:\WINDOWS\system32\etkmtkbl.dll
F:\WINDOWS\system32\kieqmjqa.dll
F:\WINDOWS\system32\kmdsregl.exe
F:\WINDOWS\system32\qbkhisue.dll
F:\WINDOWS\system32\qfqquhsw.dll
F:\WINDOWS\system32\quygnenq.dll
F:\WINDOWS\system32\xpgvbhly.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\WINDOWS\system32\etkmtkbl.dll
F:\WINDOWS\system32\kieqmjqa.dll
F:\WINDOWS\system32\kmdsregl.exe
F:\WINDOWS\system32\quygnenq.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))
.

2007-11-15 23:29 51,200 --a------ F:\WINDOWS\NirCmd.exe
2007-11-13 13:10 <DIR> d-------- F:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-17 01:35 --------- d-----w F:\Documents and Settings\makem.HAL\Application Data\MailWasherPro
2007-11-15 14:52 --------- d-----w F:\Program Files\Steam
2007-10-23 13:32 --------- d-----w F:\Program Files\FlashFXP.v3.3.5.1110.BETA5
2007-10-16 11:24 --------- d-----w F:\Program Files\FlashGet
2007-10-16 11:02 1,422 ----a-w F:\Documents and Settings\makem.HAL\clean.reg
2007-10-16 10:24 --------- d-----w F:\Program Files\Executive Software
2007-10-16 10:24 --------- d-----w F:\Program Files\Diskeeper Corporation
2007-10-16 10:24 --------- d-----w F:\Documents and Settings\makem.HAL\Application Data\Leadertech
2007-10-16 10:19 --------- d-----w F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-15 23:45 --------- d-----w F:\Program Files\Dealio
2007-10-15 23:42 --------- d-----w F:\Program Files\Common Files\SWF Studio
2007-10-15 23:33 512,096 ----a-w F:\WINDOWS\system32\drivers\amon.sys
2007-10-15 23:33 15,424 ----a-w F:\WINDOWS\system32\drivers\nod32drv.sys
2007-10-15 22:57 --------- d-----w F:\Documents and Settings\All Users\Application Data\Avg7
2007-10-15 22:55 --------- d-----w F:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-05 20:45 --------- d-----w F:\Program Files\Microsoft Works
2007-10-04 22:10 --------- d-----w F:\Program Files\tz_mIRC
2007-10-04 22:10 --------- d-----w F:\Program Files\geordies_mIRC
2007-10-04 21:36 --------- d-----w F:\Program Files\GuildFTPd
2007-09-29 20:43 --------- d-----w F:\Program Files\Common Files\L&H
2007-09-27 09:07 --------- d-----w F:\Program Files\DigiGuide TV Guide
2007-09-27 09:00 --------- d-----w F:\Program Files\zone_mIRC
2007-09-25 21:19 --------- d-----w F:\Documents and Settings\makem.HAL\Application Data\Lavasoft
2007-09-24 16:53 --------- d-----w F:\Documents and Settings\makem.HAL\Application Data\FlashFXP
2007-09-23 10:53 --------- d-----w F:\Program Files\tbsg_mIRC
2007-09-23 10:51 --------- d-----w F:\Documents and Settings\makem.HAL\Application Data\mIRC
2007-09-23 10:49 --------- d-----w F:\Program Files\new_zone_mIRC
2007-09-21 18:01 --------- d-----w F:\Documents and Settings\makem.HAL\Application Data\ACD Systems
2007-09-21 14:07 --------- d-----w F:\Documents and Settings\makem.HAL\Application Data\.BitTornado
2006-03-11 17:55 457 ----a-w F:\Program Files\INSTALL.LOG
2001-11-23 12:08 712,704 ----a-w F:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

((((((((((((((((((((((((((((( snapshot@2007-11-15_23.38.16.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-16 02:03:17 593,920 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2007-11-17 01:29:26 593,920 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2007-10-16 02:03:17 12,288 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2007-11-17 01:29:26 12,288 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2007-10-16 02:03:17 86,016 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2007-11-17 01:29:26 86,016 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2007-10-16 02:03:17 135,168 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2007-11-17 01:29:25 135,168 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2007-10-16 02:03:17 11,264 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2007-11-17 01:29:26 11,264 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2007-10-16 02:03:17 27,136 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2007-11-17 01:29:26 27,136 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2007-10-16 02:03:17 4,096 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2007-11-17 01:29:26 4,096 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2007-10-16 02:03:18 794,624 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2007-11-17 01:29:27 794,624 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2007-10-16 02:03:17 249,856 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2007-11-17 01:29:26 249,856 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2007-10-16 02:03:17 61,440 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2007-11-17 01:29:25 61,440 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2007-10-16 02:03:18 23,040 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2007-11-17 01:29:27 23,040 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2007-10-16 02:03:17 286,720 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2007-11-17 01:29:25 286,720 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2007-10-16 02:03:16 409,600 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2007-11-17 01:29:25 409,600 ----a-r F:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2006-12-19 21:52:18 8,453,632 -c----w F:\WINDOWS\system32\dllcache\shell32.dll
+ 2007-10-26 03:34:01 8,460,288 -c--a-w F:\WINDOWS\system32\dllcache\shell32.dll
- 2007-09-27 21:19:40 18,089,592 ----a-w F:\WINDOWS\system32\MRT.exe
+ 2007-11-02 07:12:57 18,238,072 ----a-w F:\WINDOWS\system32\MRT.exe
- 2006-12-19 21:52:18 8,453,632 ----a-w F:\WINDOWS\system32\shell32.dll
+ 2007-10-26 03:34:01 8,460,288 ----a-w F:\WINDOWS\system32\shell32.dll
- 2005-10-12 23:12:25 14,048 ----a-w F:\WINDOWS\system32\spmsg.dll
+ 2007-03-06 01:22:33 14,048 ------w F:\WINDOWS\system32\spmsg.dll
- 2007-08-21 10:13:33 350,720 ----a-w F:\WINDOWS\system32\xpsp3res.dll
+ 2007-10-29 10:04:03 350,720 ----a-w F:\WINDOWS\system32\xpsp3res.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="-cmicnfg.cpl" []
"NeroFilterCheck"="-F:\WINDOWS\System32\NeroCheck.exe" []
"IMEKRMIG6.1"="-F:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" []
"SoundMan"="-SOUNDMAN.EXE" []
"QuickTime Task"="-F:\Program Files\QuickTime\qttask.exe" []
"!AVG Anti-Spyware"="-F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" []
"nod32kui"="F:\Program Files\Eset\nod32kui.exe" [2007-10-15 23:33]
"DiskeeperSystray"="F:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 16:38]
"ICQ Lite"="-F:\Program Files\ICQLite\ICQLite.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"msnmsgr"="-F:\Program Files\MSN Messenger\msnmsgr.exe" []
"MailWasher"="F:\PROGRA~1\MAILWA~1\MAILWA~1.EXE" [2003-11-10 13:25]

F:\Documents and Settings\makem\Start Menu\Programs\Startup\
DigiGuide.lnk - F:\Program Files\DigiGuide TV Guide\Client.exe [2005-10-30 22:55:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"Norun"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"DisableReistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli scecli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Acronis Scheduler2 Service"="F:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
"SunJavaUpdateSched"=F:\Program Files\Java\jre1.5.0_05\bin\jusched.exe

R2 AsProbe;AsProbe;\??\F:\WINDOWS\System32\drivers\AsProbe.sys
R2 UxTuneUp;TuneUp Design Expansion;F:\WINDOWS\System32\svchost.exe -k netsvcs
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;F:\WINDOWS\system32\DRIVERS\AN983.sys
R3 HCW848NT;Hauppauge Win/TV;F:\WINDOWS\system32\DRIVERS\hcw848nt.sys
S3 AvFlt;Antivirus Filter Driver;F:\WINDOWS\system32\drivers\av5flt.sys
S3 HWACCESS;HWACCESS;\??\F:\WINDOWS\system32\HWACCESS.SYS
S3 LMImirr;LMImirr;F:\WINDOWS\system32\DRIVERS\LMImirr.sys
S3 mirrorv3;mirrorv3;F:\WINDOWS\system32\DRIVERS\rminiv3.sys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2007-10-26 16:15:00 F:\WINDOWS\Tasks\1-Click Maintenance.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-17 01:35:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MailWasher = F:\PROGRA~1\MAILWA~1\MAILWA~1.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-17 1:36:10 - machine was rebooted
F:\ComboFix2.txt ... 2007-11-15 23:41
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:38:57, on 17/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\Program Files\Eset\nod32krn.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\logonui.exe
F:\WINDOWS\system32\rdpclip.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Eset\nod32kui.exe
F:\WINDOWS\system32\ctfmon.exe
F:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
F:\WINDOWS\system32\notepad.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Trend Micro\HijackThis\iseeu.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - F:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - F:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - F:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [Cmaudio] -RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] -F:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] -F:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [SoundMan] -SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] -"F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] -"F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [nod32kui] "F:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DiskeeperSystray] "F:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ICQ Lite] -"F:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] -"F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MailWasher] F:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - F:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - F:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - F:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0175246499
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0177533779
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O23 - Service: Adobe LM Service - Unknown owner - -"F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - F:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - -F:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - -"F:\Program Files\MSN Messenger\usnsvc.exe" (file missing)

--
End of file - 6525 bytes

Re: Another infected computer! Please assist

Post by Scotty » November 17th, 2007, 8:35 am

Hi

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present):

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit HijackThis.

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:

      + Extended (if available, otherwise Standard)
    • Scan Options:

      + Scan Archives
      + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post with a new HijackThis log.

With the exception of Internet Explorer, which is needed for the Kaspersky Scan, keep ALL programs closed until the scan is complete.
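
The scanner's text report is one object per line and, because the online scanner only reports and does not clean, every line ends in "skipped". Three kinds of line are noise when deciding what still needs attention: "Object is locked" lines (registry hives, index.dat files and other files in use), archive summary lines such as "RAR: infected - 2", and detections inside a quarantine folder, which another tool has already isolated. not-a-virus: entries (here the mIRC clients and adware) are riskware rather than trojans. What is left is the short list of live detections. The helper below is an added example, not Kaspersky code and not part of the thread; its sample lines are copied from the report makem posts in reply, and the quarantine folders it recognises (ComboFix's qoobox\Quarantine and NOD32's ESET\infected) are my assumption for this machine.

```python
"""Sort a Kaspersky Online Scanner text report into what still needs action.

Added example, not part of the thread and not Kaspersky code. The sample
lines are copied from the report makem posts further down; the quarantine
folders (ComboFix's qoobox and NOD32's ESET\infected) are my assumption.
"""
import re

# Constructed from lines in the report below; one object per line, all "skipped".
SAMPLE_REPORT = r"""
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\Downloads\DCC\Sysreset\Ci2e\mIRC.rar/mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
D:\Downloads\DCC\Sysreset\Ci2e\mIRC.rar RAR: infected - 2 skipped
F:\Program Files\Common Files\Microsoft Shared\MSInfo\WinKernelUpd.exe Infected: Trojan.Win32.Obfuscated.hf skipped
F:\Program Files\ESET\infected\YP10HUAA.NQF Infected: Trojan-Downloader.Win32.ConHook.hl skipped
F:\qoobox\Quarantine\F\WINDOWS\system32\quygnenq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
F:\WINDOWS\system32\config\SAM Object is locked skipped
"""

# Folders where another tool has already isolated the file (assumed for this machine).
QUARANTINE_DIRS = ("\\qoobox\\quarantine\\", "\\eset\\infected\\")

INFECTED = re.compile(r"^(.*) Infected: (\S+) skipped$")
CONTAINER = re.compile(r"^(.*) (\S+): infected - (\d+) skipped$")

def classify_line(line):
    """Return (category, path, detection) for one report line."""
    line = line.strip()
    if line.endswith("Object is locked skipped"):
        return ("locked", line[: -len(" Object is locked skipped")], None)
    m = INFECTED.match(line)
    if m:
        path, det = m.groups()
        if any(q in path.lower() for q in QUARANTINE_DIRS):
            return ("quarantined", path, det)   # already isolated by ComboFix or NOD32
        if det.startswith("not-a-virus:"):
            return ("riskware", path, det)      # adware / IRC client, not a trojan
        return ("live", path, det)              # active detection that still needs removal
    m = CONTAINER.match(line)
    if m:
        return ("container", m.group(1), None)  # archive summary; members are listed separately
    return ("other", line, None)

def triage_report(text):
    """Group report lines by category -> list of (path, detection)."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        cat, path, det = classify_line(line)
        groups.setdefault(cat, []).append((path, det))
    return groups

def needs_action(text):
    """Paths with a live (non-riskware, non-quarantined) detection."""
    return [path for path, _ in triage_report(text).get("live", [])]

if __name__ == "__main__":
    for cat, items in triage_report(SAMPLE_REPORT).items():
        print(cat, len(items))
    for path in needs_action(SAMPLE_REPORT):
        print("still live:", path)
```

On the sample the only live detection is WinKernelUpd.exe under Common Files\Microsoft Shared\MSInfo; the Virtumonde hit is ComboFix's own quarantine copy and the ConHook hit is already in NOD32's quarantine, so neither is still running.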

Re: Another infected computer! Please assist

Post by makem » November 17th, 2007, 8:57 pm

Hi,

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, November 18, 2007 12:55:48 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/11/2007
Kaspersky Anti-Virus database records: 461012
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
J:\
K:\

Scan Statistics:
Total number of scanned objects: 114537
Number of viruses found: 12
Number of infected objects: 35
Number of suspicious objects: 0
Duration of the scan process: 02:12:34

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\Downloads\DCC\Sysreset\Ci2e\mIRC\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
D:\Downloads\DCC\Sysreset\Ci2e\mIRC\mirc616.exe mIRC: infected - 1 skipped
D:\Downloads\DCC\Sysreset\Ci2e\mIRC.rar/mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
D:\Downloads\DCC\Sysreset\Ci2e\mIRC.rar/mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
D:\Downloads\DCC\Sysreset\Ci2e\mIRC.rar RAR: infected - 2 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
F:\Documents and Settings\makem.HAL\Application Data\Mozilla\Firefox\Profiles\hmdx9pjg.default\cert8.db Object is locked skipped
F:\Documents and Settings\makem.HAL\Application Data\Mozilla\Firefox\Profiles\hmdx9pjg.default\history.dat Object is locked skipped
F:\Documents and Settings\makem.HAL\Application Data\Mozilla\Firefox\Profiles\hmdx9pjg.default\key3.db Object is locked skipped
F:\Documents and Settings\makem.HAL\Application Data\Mozilla\Firefox\Profiles\hmdx9pjg.default\parent.lock Object is locked skipped
F:\Documents and Settings\makem.HAL\Application Data\Mozilla\Firefox\Profiles\hmdx9pjg.default\search.sqlite Object is locked skipped
F:\Documents and Settings\makem.HAL\Application Data\Mozilla\Firefox\Profiles\hmdx9pjg.default\urlclassifier2.sqlite Object is locked skipped
F:\Documents and Settings\makem.HAL\Cookies\index.dat Object is locked skipped
F:\Documents and Settings\makem.HAL\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\makem.HAL\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\makem.HAL\Local Settings\Application Data\Mozilla\Firefox\Profiles\hmdx9pjg.default\Cache\_CACHE_001_ Object is locked skipped
F:\Documents and Settings\makem.HAL\Local Settings\Application Data\Mozilla\Firefox\Profiles\hmdx9pjg.default\Cache\_CACHE_002_ Object is locked skipped
F:\Documents and Settings\makem.HAL\Local Settings\Application Data\Mozilla\Firefox\Profiles\hmdx9pjg.default\Cache\_CACHE_003_ Object is locked skipped
F:\Documents and Settings\makem.HAL\Local Settings\Application Data\Mozilla\Firefox\Profiles\hmdx9pjg.default\Cache\_CACHE_MAP_ Object is locked skipped
F:\Documents and Settings\makem.HAL\Local Settings\History\History.IE5\index.dat Object is locked skipped
F:\Documents and Settings\makem.HAL\Local Settings\History\History.IE5\MSHist012007111720071118\index.dat Object is locked skipped
F:\Documents and Settings\makem.HAL\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\Documents and Settings\makem.HAL\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\makem.HAL\NTUSER.DAT.LOG Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
F:\Program Files\Common Files\Microsoft Shared\MSInfo\WinKernelUpd.exe Infected: Trojan.Win32.Obfuscated.hf skipped
F:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
F:\Program Files\ESET\cache\FND0.NFI Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
F:\Program Files\ESET\infected\E1LPHVCA.NQF Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
F:\Program Files\ESET\infected\HNKNMXCA.NQF Infected: Trojan.Win32.Obfuscated.kp skipped
F:\Program Files\ESET\infected\OII0WSCA.NQF Infected: Trojan.Win32.Agent.bck skipped
F:\Program Files\ESET\infected\Q5VFK5DA.NQF Infected: Trojan.Win32.Agent.bck skipped
F:\Program Files\ESET\infected\XKJ43FAA.NQF Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
F:\Program Files\ESET\infected\YP10HUAA.NQF Infected: Trojan-Downloader.Win32.ConHook.hl skipped
F:\Program Files\ESET\logs\virlog.dat Object is locked skipped
F:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
F:\Program Files\geordies_mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
F:\Program Files\new_zone_mIRC\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped
F:\Program Files\new_zone_mIRC\mIRC\mirc.exe.bak Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped
F:\Program Files\tbsg_mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
F:\Program Files\tz_mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
F:\Program Files\zone_mIRC\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped
F:\Program Files\zone_mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
F:\qoobox\Quarantine\F\WINDOWS\system32\quygnenq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\WINDOWS\CSC\00000001 Object is locked skipped
F:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
F:\WINDOWS\SchedLgU.Txt Object is locked skipped
F:\WINDOWS\SoftwareDistribution\EventCache\{5EC78E37-07A7-4B05-95AE-BF94092F158E}.bin Object is locked skipped
F:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
F:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\default Object is locked skipped
F:\WINDOWS\system32\config\default.LOG Object is locked skipped
F:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
F:\WINDOWS\system32\config\OSession.evt Object is locked skipped
F:\WINDOWS\system32\config\SAM Object is locked skipped
F:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
F:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\SECURITY Object is locked skipped
F:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
F:\WINDOWS\system32\config\software Object is locked skipped
F:\WINDOWS\system32\config\software.LOG Object is locked skipped
F:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\system Object is locked skipped
F:\WINDOWS\system32\config\system.LOG Object is locked skipped
F:\WINDOWS\system32\h323log.txt Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
F:\WINDOWS\Temp\Perflib_Perfdata_450.dat Object is locked skipped
F:\WINDOWS\WindowsUpdate.log Object is locked skipped
G:\My Documents\warez info\tbsg setup\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
G:\My Documents\warez info\tbsg setup\mirc616.exe mIRC: infected - 1 skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\Archive\Communicate\IRC\3rdWave IRC Script\3rdWave[1.71-6.12].rar/3rdWave[1.71-6.12]/mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 skipped
H:\Archive\Communicate\IRC\3rdWave IRC Script\3rdWave[1.71-6.12].rar RAR: infected - 1 skipped
H:\Archive\Communicate\IRC\Keymakers\MIRC.v6.1.Incl.Keymaker.READ.NFO.REPACK-ACME.zip/MIRC.v6.1.Incl.Keymaker.READ.NFO.REPACK-ACME/ac-mrc61.zip/mirc61.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.61 skipped
H:\Archive\Communicate\IRC\Keymakers\MIRC.v6.1.Incl.Keymaker.READ.NFO.REPACK-ACME.zip/MIRC.v6.1.Incl.Keymaker.READ.NFO.REPACK-ACME/ac-mrc61.zip/mirc61.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.61 skipped
H:\Archive\Communicate\IRC\Keymakers\MIRC.v6.1.Incl.Keymaker.READ.NFO.REPACK-ACME.zip/MIRC.v6.1.Incl.Keymaker.READ.NFO.REPACK-ACME/ac-mrc61.zip Infected: not-a-virus:Client-IRC.Win32.mIRC.61 skipped
H:\Archive\Communicate\IRC\Keymakers\MIRC.v6.1.Incl.Keymaker.READ.NFO.REPACK-ACME.zip ZIP: infected - 3 skipped
H:\Archive\Communicate\IRC\mIRC\mIRC6.16 with ssl dlls\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
H:\Archive\Communicate\IRC\mIRC\mIRC6.16 with ssl dlls\mirc616.exe mIRC: infected - 1 skipped
H:\Archive\Communicate\IRC\mIRC\tbsg\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
H:\Archive\Communicate\IRC\mIRC\tbsg\mirc616.exe mIRC: infected - 1 skipped
H:\Archive\Communicate\IRC\TriviBot\trivbot2001v2_4.zip/trivbot2001v2/MIRC32.EXE Infected: not-a-virus:Client-IRC.Win32.mIRC.561 skipped
H:\Archive\Communicate\IRC\TriviBot\trivbot2001v2_4.zip ZIP: infected - 1 skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:56:34, on 18/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\Program Files\Eset\nod32krn.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\logonui.exe
F:\WINDOWS\system32\rdpclip.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Eset\nod32kui.exe
F:\WINDOWS\system32\ctfmon.exe
F:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\WINDOWS\system32\logon.scr
F:\Program Files\MSN Messenger\msnmsgr.exe
F:\Program Files\Trend Micro\HijackThis\iseeu.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - F:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - F:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - F:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [Cmaudio] -RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] -F:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] -F:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [SoundMan] -SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] -"F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] -"F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [nod32kui] "F:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DiskeeperSystray] "F:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ICQ Lite] -"F:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] -"F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MailWasher] F:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - F:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - F:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - F:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0175246499
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0177533779
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O23 - Service: Adobe LM Service - Unknown owner - -"F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - F:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - -F:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - -"F:\Program Files\MSN Messenger\usnsvc.exe" (file missing)

--
End of file - 6709 bytes
makem
Regular Member
 
Posts: 45
Joined: November 10th, 2007, 3:31 pm

Re: Another infected computer! Please assist

Unread postby Scotty » November 18th, 2007, 9:31 am

Hello makem

Open up the Eset Nod32 security centre. In the left pane, select Tools then Quarantine and delete all the files in there.


Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

File::
F:\Program Files\Common Files\Microsoft Shared\MSInfo\WinKernelUpd.exe

Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (excluding the quotes)
Save the file to your Desktop

Image


Referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log with a new HijackThis log.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland