requesting help

Unread postby hosein » April 27th, 2008, 3:02 pm

Hi everybody, my computer has viruses and I've got this log after HijackThis. So would you please help me to solve this problem? Yours, hosein

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:02 PM, on 4/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Downloaded Program Files\SVCHOST.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\DOCUME~1\baba\LOCALS~1\Temp\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\baba\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis1.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.goolge.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\Downloaded Program Files\SVCHOST.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SoundMax] C:\Documents and Settings\baba\userinit.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA219] command /c del "C:\Documents and Settings\baba\Local Settings\Temp\svchost.exe_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC997] cmd /c del "C:\Documents and Settings\baba\Local Settings\Temp\svchost.exe_tobedeleted_old"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [SpybotDeletingB4527] command /c del "C:\Documents and Settings\baba\Local Settings\Temp\svchost.exe_tobedeleted_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6759] cmd /c del "C:\Documents and Settings\baba\Local Settings\Temp\svchost.exe_tobedeleted_old"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Office Update.lnk = C:\WINDOWS\Web\OfficeUpdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBFA27EC-83A0-452D-B81A-D66F4A201B98}: NameServer = 192.168.254.44 212.19.192.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BHCP Service (BHsrv) - Unknown owner - C:\WINDOWS\system32\Bhsrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 5065 bytes
hosein
Active Member
 
Posts: 13
Joined: April 27th, 2008, 10:00 am
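As an added example for this thread (it is not part of the original post and not HijackThis code), the Python script below shows how a defender would triage a log of the kind posted above: it flags running processes and autostart entries whose executable sits somewhere legitimate software rarely lives. The sample log lines are constructed from entries in the first post; the binary/location table and the helper names (`check_path`, `entry_paths`, `triage`) are the example's own.

```python
"""Triage a HijackThis log for executables in locations that deserve a second look.

Constructed example; the log excerpt below is modelled on the first log in the thread."""
import re
from dataclasses import dataclass

# Binaries Windows XP ships in a fixed place. A file with the same name anywhere
# else is a masquerade candidate (the thread's log has svchost.exe in Temp and in
# Downloaded Program Files, and userinit.exe in the user's profile root).
EXPECTED_DIR = {
    "smss.exe": "system32", "csrss.exe": "system32", "winlogon.exe": "system32",
    "services.exe": "system32", "lsass.exe": "system32", "svchost.exe": "system32",
    "userinit.exe": "system32", "explorer.exe": "windows",
}
SUSPECT_DIRS = ("\\temp\\", "\\locals~1\\", "\\downloaded program files\\")
PROFILE_ROOT = re.compile(r"^[a-z]:\\documents and settings\\[^\\]+\\[^\\]+\.exe$")
# Either a quoted path, or an unquoted path that ends at the first ".exe".
PATH_RE = re.compile(r'"([^"]+)"|(\S.*?\.exe)', re.IGNORECASE)

# Constructed sample in the shape of a HijackThis log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Downloaded Program Files\SVCHOST.exe
C:\DOCUME~1\baba\LOCALS~1\Temp\svchost.exe

F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\Downloaded Program Files\SVCHOST.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [SoundMax] C:\Documents and Settings\baba\userinit.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: BHCP Service (BHsrv) - Unknown owner - C:\WINDOWS\system32\Bhsrv.exe
"""


@dataclass
class Finding:
    line: str
    reasons: tuple


def check_path(path: str) -> list:
    """Return the reasons a single executable path deserves a closer look."""
    p = path.strip().lower()
    name = p.rsplit("\\", 1)[-1]
    reasons = []
    if name in EXPECTED_DIR:
        sub = "windows\\system32\\" if EXPECTED_DIR[name] == "system32" else "windows\\"
        if not re.match(r"^[a-z]:\\" + re.escape(sub) + r"[^\\]+$", p):
            reasons.append(f"{name} outside its normal directory")
    if any(d in p for d in SUSPECT_DIRS):
        reasons.append("executable in a temp/download location")
    if PROFILE_ROOT.match(p):
        reasons.append("executable directly in a user profile root")
    return reasons


def entry_paths(line: str) -> list:
    """Pull the executable path(s) out of an F2 / O4 / O23 log line."""
    if line.startswith("F2") and "UserInit=" in line:
        chain = line.split("UserInit=", 1)[1].split(",")
        return [c.strip() for c in chain[1:]]  # anything chained after userinit.exe
    if line.startswith("O4"):
        if "] " in line:                     # O4 - ...\Run: [Name] path args
            rest = line.split("] ", 1)[1]
        elif " = " in line:                  # O4 - Startup: X.lnk = path
            rest = line.split(" = ", 1)[1]
        else:
            return []
    elif line.startswith("O23"):             # O23 - Service: name - owner - path
        rest = line.rsplit(" - ", 1)[-1]
    else:
        return []
    m = PATH_RE.match(rest)
    return [m.group(1) or m.group(2)] if m else []


def triage(log_text: str) -> list:
    """Walk the log once: processes are checked by path, entries by type and path."""
    findings = []
    in_procs = False
    for line in log_text.splitlines():
        if line.strip() == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line.strip():             # blank line ends the process list
                in_procs = False
                continue
            reasons = check_path(line)
            if reasons:
                findings.append(Finding(line, tuple(reasons)))
            continue
        reasons = []
        if line.startswith("F2") and "UserInit=" in line and entry_paths(line):
            reasons.append("UserInit chain extended beyond userinit.exe")
        if line.startswith("O23") and "Unknown owner" in line:
            reasons.append("service with no identified publisher")
        for path in entry_paths(line):
            reasons.extend(check_path(path))
        if reasons:
            findings.append(Finding(line, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.line}\n    -> {'; '.join(f.reasons)}")
```

Run against the constructed sample, the script flags the same entries a human helper would pick out of the posted log: both svchost.exe copies outside system32, the F2 UserInit value chained to one of them, userinit.exe sitting in the profile root, and a service with no identified publisher, while leaving the Real and Messenger entries alone. The heuristics are deliberately location-based rather than name-based, since the malware here reuses legitimate file names.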

Re: requesting help

Unread postby Bio-Hazard » April 27th, 2008, 4:58 pm

Welcome to the MWR forums. My name is Bio-Hazard. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research. Please be patient and I'd be grateful if you would note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know or understand something please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • It is important that you reply to this thread. Do not start a new topic.

Note: I am still in training here at Malware Removal, however I will be working under the direct supervision of one of our Malware Experts. Any recommendations will first be approved before being given to you. Because of this, there may be a short delay in getting our responses to you, however be assured that we will be working diligently on your problem.
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: requesting help

Unread postby Bio-Hazard » April 27th, 2008, 6:05 pm

Running HijackThis from temporary zip file

You are running HijackThis from a temporary zip file. In order for us to make some changes, you need to have HijackThis in its own folder. Discard the zipped HijackThis file and download a new HijackThis installer.

  • Click here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Doubleclick on the HijackThis Installer icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.

DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even require



Uninstall list

Make an uninstall list using HijackThis. To access the Uninstall Manager you would do the following:

  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.


Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: requesting help

Unread postby hosein » April 28th, 2008, 12:42 pm

Hi, thanks for the kind response to my request. However, due to this error message: "c:\documents and settings\baba\desktop\HJTInstall.exe is not a valid Win32 application." I couldn't install HJTInstall on my computer. Would you please help me to solve this problem as well? Yours, hosein.
hosein
Active Member
 
Posts: 13
Joined: April 27th, 2008, 10:00 am

Re: requesting help

Unread postby Bio-Hazard » April 29th, 2008, 4:00 pm

Running HijackThis from temporary zip file

You are running HijackThis from a temporary zip file. In order for us to make some changes, you need to have HijackThis in its own folder. Discard the zipped HijackThis file and download a new HijackThis.

  • Click here to download HijackThis
  • Click the Save button, click My Computer button on the left
  • Double click C Drive, double click Program Files
  • Click the Create a new folder button (3rd from the left of the 4 buttons next to the Save in dialog box)
  • Name the folder hosein and double click to open it
  • When the new folder opens click Save button bottom right
  • Right click on HiJackThis.exe - click Rename
  • Type into the name box: goodscanner.exe
  • Press Enter
  • Double click on goodscanner.exe to open it
  • Select Do a system scan and save a logfile

DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even require



Uninstall list

Make an uninstall list using HijackThis. To access the Uninstall Manager you would do the following:

  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.


Download and Run ComboFix

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

Note: Do not mouse-click ComboFix's window while it's running; that may cause it to stall.


Next Reply

Please reply with:
  • ComboFix log (found at C:\Combofix.txt)
  • New HijackThis log
  • HijackThis Uninstall list
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: requesting help

Unread postby hosein » April 30th, 2008, 2:28 pm

Hi, thanks for helping me. You will find enclosed all you asked for. Yours, hosein.
Logfile of HijackThis v1.99.1
Scan saved at 12:48:19 PM, on 4/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Downloaded Program Files\SVCHOST.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\DOCUME~1\baba\LOCALS~1\Temp\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\JetAudio\JetAudio.exe
C:\DOCUME~1\baba\LOCALS~1\Temp\Temporary Directory 1 for hijackthis1991.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.goolge.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\Downloaded Program Files\SVCHOST.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SoundMax] C:\Documents and Settings\baba\userinit.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Office Update.lnk = C:\WINDOWS\Web\OfficeUpdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBFA27EC-83A0-452D-B81A-D66F4A201B98}: NameServer = 192.168.254.44 212.19.192.1
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BHCP Service (BHsrv) - Unknown owner - C:\WINDOWS\system32\Bhsrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

-----------------------------------------------------------
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Stock Photos 1.0
HijackThis 1.99.1
jetAudio Basic
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.5
Nokia Connectivity Cable Driver
Nokia PC Suite
PC Connectivity Solution
RealOne Player
SaebSoft dictionary1 (version 1.16)
Windows Driver Package - Nokia (WUDFRd) WPD (11/03/2006 6.82.26.2)
Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1)

--------------------------------------------------------------

pushd "C:\327882R2FWJFW\"

=============================================

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\baba\Application Data
cfldr=327882R2FWJFW
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HAPPY-1C705D744
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\baba
kmd=CF2671.exe
LOGONSERVER=\\HAPPY-1C705D744
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\327882R2FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\PC Connectivity Solution;C:\Program Files\Common Files\Adobe\AGL
PATHEXT=.cfexe;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$
SESSIONNAME=Console
sfxname=C:\Documents and Settings\baba\Desktop\Combo-Fix.exe
system=C:\WINDOWS\system32
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\baba\LOCALS~1\Temp
TMP=C:\DOCUME~1\baba\LOCALS~1\Temp
USERDOMAIN=HAPPY-1C705D744
USERNAME=baba
USERPROFILE=C:\Documents and Settings\baba
windir=C:\WINDOWS

=============================================


if not defined sfxname goto END

Nircmd win close ititle "ComboFix"

If [] == [] Set "SfxCmd="

if /I "C:\327882R2FWJFW" NEQ "C:\327882R2FWJFW" goto Abort

if exist "C:\DOCUME~1\baba\LOCALS~1\Temp\327882R2FWJFW327882R2FWJFW.log" del "C:\DOCUME~1\baba\LOCALS~1\Temp\327882R2FWJFW327882R2FWJFW.log"
SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 (C)

Volume: C:\ does not support Access Control Lists


copy /y "C:\WINDOWS\system32\cmd.exe" "C:\WINDOWS\system32\CF2671.exe"
1 file(s) copied.

if not exist "C:\WINDOWS\system32\CF2671.exe" catchme -l nul -c "C:\WINDOWS\system32\cmd.exe" "C:\WINDOWS\system32\CF2671.exe"

For /F "tokens=*" %g in ("C:\Documents and Settings\baba\Desktop\Combo-Fix.exe") do @(
set "FileName=%~ng"
set "FilePath=%~dpg"
)

Set FileName 2>nul | GREP -Gisqx "FileName=[-[:alnum:]@.]*" || (
nircmd infobox "You cannot rename ComboFix as Combo-Fix~n~nPlease use another name, preferbaly made up of alphanumeric characters" ""
goto END
)

DIR /AD/B C:\* | FindStr.exe -IVX ComboFix 1>dirname00

FindStr.exe -LIXC:"Combo-Fix" dirname00 1>nul && call :NameChk

FindStr.exe -LIXC:"Combo-Fix" dirname03 1>nul 2>&1 && goto AbortB

if exist "\Combo-Fix\*.cfexe" goto :eof

if exist "\Combo-Fix\Combo-Fix.sys" goto :eof

if exist "\Combo-Fix\Creg.dat" goto :eof

VFind -tf "\Combo-Fix\*" | FindStr.exe . || goto :eof
\Combo-Fix\nircmd.com

del /Q dirname0? 2>nul

nircmd infobox "You cannot rename ComboFix as Combo-Fix~n~nPlease use another name, preferbaly made up of alphanumeric characters" ""

goto END

CD ..

if defined cfldr rd /s/q "327882R2FWJFW"
hosein
Active Member
 
Posts: 13
Joined: April 27th, 2008, 10:00 am

Re: requesting help

Unread postby Bio-Hazard » April 30th, 2008, 7:19 pm

Post Combofix log
Click Start > Run > type notepad C:\combofix.txt > OK

When Notepad opens, click Edit > Select all then Edit > Copy

Reply to this post and press Ctrl+V to paste the log in your reply.

Note: Please let me know if you get an error, and what is says, after typing the command in the Run box.
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: requesting help

Unread postby hosein » May 3rd, 2008, 10:19 am

Hi. Thanks for your post of 1st May. Unfortunately I couldn't do as you said, because there came an error which says: "You cannot rename combofix as combo-fix. Please use another name, preferably made up of alphanumeric characters", and due to this, Run could not find combofix.txt and asked me if it is allowed to make the requested file for me! Yours, hosein
hosein
Active Member
 
Posts: 13
Joined: April 27th, 2008, 10:00 am

Re: requesting help

Unread postby Bio-Hazard » May 3rd, 2008, 12:35 pm

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3



Rename it to: h1o2s3e4i5n
--------------------------------------------------------------------

  • Double click on h1o2s3e4i5n.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

Note: Do not mouse-click ComboFix's window while it's running; that may cause it to stall.
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: requesting help

Unread postby hosein » May 5th, 2008, 10:26 am

Hi, thanks for helping me. You will find enclosed all you asked for. Yours, hosein
ComboFix 08-05-01.3 - baba 2008-05-05 18:45:35.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.546 [GMT 3.5:30]
Running from: C:\Documents and Settings\baba\Desktop\h1o2s3e4i5n.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-05 to 2008-05-05 )))))))))))))))))))))))))))))))
.

2008-05-04 13:59 . 2008-05-04 13:59 <DIR> d-------- C:\Documents and Settings\hadi\Application Data\PC Suite
2008-05-04 13:59 . 2008-05-04 13:59 <DIR> d-------- C:\Documents and Settings\hadi
2008-05-04 13:59 . 2007-09-20 11:41 135,168 --a------ C:\Documents and Settings\hadi\userinit.exe
2008-05-04 13:59 . 2008-05-05 18:45 1,024 --ah----- C:\Documents and Settings\hadi\ntuser.dat.LOG
2008-04-30 20:42 . 2008-04-30 20:42 <DIR> d--hs---- C:\FOUND.001
2008-04-30 20:27 . 2008-04-30 20:27 <DIR> d-------- C:\Combo-Fix
2008-04-30 12:42 . 2008-04-30 12:43 <DIR> d-------- C:\Program Files\hosien
2008-04-28 13:43 . 2008-04-28 13:43 1,315 --a------ C:\WINDOWS\system32\Setup.lnk
2008-04-27 22:06 . 2008-04-27 22:06 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-26 13:49 . 2008-05-03 12:41 437 --a------ C:\WINDOWS\wininit.ini
2008-04-26 08:27 . 2008-04-26 08:27 <DIR> d-------- C:\Program Files\XPCode
2008-04-26 08:19 . 2008-04-26 08:19 <DIR> d--hs---- C:\FOUND.000
2008-04-26 08:16 . 2007-09-20 11:41 135,168 --a------ C:\Documents and Settings\baba\userinit.exe
2008-04-26 08:16 . 2007-09-20 11:41 135,168 -r-h----- C:\autoply.exe
2008-04-25 09:49 . 2008-04-25 09:49 <DIR> d-------- C:\Documents and Settings\baba\Application Data\Nokia Multimedia Player
2008-04-25 08:37 . 2008-04-25 08:37 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-25 08:37 . 2006-09-16 03:02 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-25 08:35 . 2008-04-25 08:35 <DIR> d-------- C:\Documents and Settings\baba\Application Data\Nokia
2008-04-25 08:35 . 2008-04-25 08:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\WINDOWS\system32\DRVSTORE
2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\Program Files\Nokia
2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\Program Files\DIFX
2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\Documents and Settings\baba\Application Data\PC Suite
2008-04-25 08:34 . 2006-10-10 08:54 138,240 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-04-25 08:34 . 2006-10-10 08:54 50,688 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-04-25 08:34 . 2006-10-10 08:54 30,720 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-04-25 08:34 . 2006-10-10 08:54 12,800 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-04-25 08:34 . 2006-10-10 08:54 12,800 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-04-25 08:34 . 2006-10-10 08:54 9,216 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-04-25 08:34 . 2006-10-10 08:54 4,608 --a------ C:\WINDOWS\system32\nmwcdlog.dll
2008-04-25 08:33 . 2008-04-25 08:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-04-22 09:44 . 2008-04-22 09:44 0 ---h----- C:\sv
2008-04-22 08:21 . 2008-04-22 08:21 276,320 --a------ C:\Documents and Settings\baba\Application Data\GDIPFONTCACHEV1.DAT
2008-04-21 22:58 . 2008-04-21 22:58 2 -rahs---- C:\WINDOWS\winstart.bat
2008-04-21 22:42 . 2001-08-23 16:30 19,456 --a------ C:\WINDOWS\system32\dllcache\agt040d.dll
2008-04-21 22:42 . 2001-08-23 16:30 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0401.dll
2008-04-21 21:55 . 2007-08-30 01:51 281,088 --------- C:\WINDOWS\system32\Bhsrv.exe
2008-04-21 21:54 . 2004-08-03 23:08 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-21 19:14 . 2008-04-21 19:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-21 19:12 . 2008-04-21 20:09 286,720 --------- C:\WINDOWS\Setup1.exe
2008-04-21 19:12 . 2008-04-21 20:09 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-04-21 19:11 . 2008-04-21 19:11 <DIR> d-------- C:\Program Files\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 14:53 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-21 14:53 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-04-21 14:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-04-21 14:49 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-21 14:37 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-21 14:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-21 14:28 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-21 14:28 --------- d-----w C:\Program Files\JetAudio
2008-04-21 14:27 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-21 14:26 --------- d-----w C:\Program Files\Common Files\L&H
2008-04-21 14:20 --------- d-----w C:\Documents and Settings\baba\Application Data\COWON
2008-04-21 14:19 --------- d-----w C:\Program Files\Real
2008-04-21 14:19 --------- d-----w C:\Program Files\Common Files\xing shared
2008-04-21 14:19 --------- d-----w C:\Program Files\Common Files\Real
2007-10-01 23:40 217,088 --sh--w C:\Documents and Settings\hadi\Label14sv.exe
2007-10-01 23:40 217,088 --sh--w C:\Documents and Settings\baba\Label14sv.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-04-15 23:25 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe" [2008-04-21 17:49 146432]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 13:27 222208]
"SoundMax"="C:\Documents and Settings\baba\userinit.exe" [2007-09-20 11:41 135168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15 1634304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []

C:\Documents and Settings\baba\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Office Update.lnk - C:\WINDOWS\Web\OfficeUpdate.exe [2008-04-26 08:16:52 135168]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.jxvd"= JetMPVx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

S2 BHsrv;BHCP Service;C:\WINDOWS\system32\Bhsrv.exe [2007-08-30 01:51]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30cd1506-0fd0-11dd-b79a-d463b9a7e6e7}]
\Shell\AutoPlay\Command - J:\autoply.exe OPEN
\Shell\AutoRun\command - J:\autoply.exe OPEN
\Shell\explore\Command - J:\autoply.exe EXPLORE
\Shell\open\Command - J:\autoply.exe OPEN

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bb39af9c-1340-11dd-b7a7-bc89f214ae89}]
\Shell\Auto\command - J:\Bhsrv.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Bhsrv.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-05 15:02:08 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\Web\OfficeUpdate.exe
"2008-05-05 15:02:08 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\Web\OfficeUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-05 18:46:21
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

C:\WINDOWS\SYSTEM32\CALC.EXE [1428] 0x82E182F8
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE [1436] 0x82E12DA0
scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-05 18:46:39
ComboFix-quarantined-files.txt 2008-05-05 15:16:38

Pre-Run: 13,891,764,224 bytes free
Post-Run: 14,029,406,208 bytes free

136
------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 6:53:32 PM, on 5/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\JetAudio\JetAudio.exe
C:\DOCUME~1\baba\LOCALS~1\Temp\Temporary Directory 1 for hijackthis1991.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SoundMax] C:\Documents and Settings\baba\userinit.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Office Update.lnk = C:\WINDOWS\Web\OfficeUpdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBFA27EC-83A0-452D-B81A-D66F4A201B98}: NameServer = 192.168.254.44 212.19.192.1
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BHCP Service (BHsrv) - Unknown owner - C:\WINDOWS\system32\Bhsrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
hosein
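The HijackThis and ComboFix output above carries the four kinds of entry that the fix in this thread goes after: MountPoints2 shell verbs that launch an executable from J:, a Run key that starts a file named userinit.exe from a user profile instead of system32, a service whose binary has no vendor ("Unknown owner"), and At*.job tasks created with the at.exe scheduler. The Python below is an added example, not code from the thread, from ComboFix or from HijackThis: it runs those checks over constructed sample lines in the same shape as the logs. The rule set (the list of system binary names, the "Unknown owner" test, and treating any At*.job target outside the Windows directories as suspect) is my own triage heuristic, not something the tools do themselves.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample, not a captured log: a few lines in ComboFix /
# HijackThis shape modelled on the entries posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30cd1506-0fd0-11dd-b79a-d463b9a7e6e7}]
\Shell\AutoRun\command - J:\autoply.exe OPEN
\Shell\open\Command - J:\autoply.exe OPEN
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bb39af9c-1340-11dd-b7a7-bc89f214ae89}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Bhsrv.exe
Contents of the 'Scheduled Tasks' folder
"2008-05-05 15:02:08 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\Web\OfficeUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [SoundMax] C:\Documents and Settings\baba\userinit.exe
O23 - Service: BHCP Service (BHsrv) - Unknown owner - C:\WINDOWS\system32\Bhsrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
"""

# Windows binaries malware likes to be named after; on XP they live only here.
SYSTEM_BINARIES = {"userinit.exe", "svchost.exe", "explorer.exe", "lsass.exe",
                   "winlogon.exe", "services.exe", "csrss.exe", "smss.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}

MOUNTPOINT_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.+)$", re.I)
O4_RE = re.compile(r"^O4 - \w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
TASK_RE = re.compile(r'^"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (?P<job>.+\\At\d+\.job)"$')


@dataclass
class Finding:
    kind: str      # mountpoints2 | run-key | service | at-job
    line: str      # the log line (or "job -> target") that triggered it
    reason: str


def first_path(cmd):
    """Return the executable at the start of a command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|com|scr|pif|bat|cmd))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def triage(log_text):
    """Scan log lines and return the entries a helper would want to look at."""
    findings = []
    in_mountpoints = False
    pending_job = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_mountpoints = "mountpoints2" in line.lower()
            continue
        m = MOUNTPOINT_RE.match(line)
        if m and in_mountpoints:
            cmd = m.group("cmd")
            if "shellexec_rundll" in cmd.lower():
                reason = "rundll32 ShellExec_RunDLL runs a file relative to the volume root"
            else:
                reason = f"AutoRun verb {m.group('verb')} cached from a volume runs {first_path(cmd)}"
            findings.append(Finding("mountpoints2", line, reason))
            continue
        m = O4_RE.match(line)
        if m:
            exe = first_path(m.group("cmd"))
            base = ntpath.basename(exe).lower()
            if base in SYSTEM_BINARIES and ntpath.dirname(exe).lower() not in SYSTEM_DIRS:
                findings.append(Finding("run-key", line,
                                        f"{base} outside %windir%: system-binary name masquerade"))
            continue
        m = O23_RE.match(line)
        if m:
            if m.group("owner").lower() == "unknown owner":
                findings.append(Finding("service", line,
                                        "service binary has no company name in its version info"))
            continue
        m = TASK_RE.match(line)
        if m:
            pending_job = m.group("job")
            continue
        if pending_job and line.startswith("- "):
            target = line[2:].strip()
            if ntpath.dirname(target).lower() not in SYSTEM_DIRS:
                findings.append(Finding("at-job", f"{ntpath.basename(pending_job)} -> {target}",
                                        "at.exe job runs a binary outside the system directories"))
            pending_job = None
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

Run it on a saved log with `triage(open("hijackthis.log").read())`; everything it returns still needs a human look (legitimate software can trip the at-job rule), which is the same reason Bio-Hazard tells the poster not to let HijackThis fix things on its own.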

Re: requesting help

Unread postby Bio-Hazard » May 6th, 2008, 1:49 pm

Flash Disinfector

  • Please download Flash_Disinfector and save it to your desktop.
  • Double click to run it.
  • You will be prompted to plug in your flash drive. Plug it in.
  • Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  • When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  • Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.



Run CFScript

Open Notepad and copy/paste the text in the box into the window:

Code:
http://www.malwareremoval.com/forum/viewtopic.php?p=295584#p295584
Collect::
C:\WINDOWS\system32\Bhsrv.exe
C:\Documents and Settings\baba\userinit.exe
File::
C:\Documents and Settings\hadi\userinit.exe
C:\autoply.exe
C:\sv
C:\WINDOWS\winstart.bat
C:\Documents and Settings\baba\Label14sv.exe
C:\Documents and Settings\hadi\Label14sv.exe
C:\WINDOWS\Web\OfficeUpdate.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Update.lnk
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At2.job
Folder::
C:\Program Files\XPCode
Suspect::
C:\WINDOWS\Setup1.exe
Driver::
BHsrv
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMax"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30cd1506-0fd0-11dd-b79a-d463b9a7e6e7}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bb39af9c-1340-11dd-b7a7-bc89f214ae89}]


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt onto h1o2s3e4i5n.exe. This will let ComboFix run again. Restart if you have to. Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.




Download HijackThis

Let's try again to install HijackThis.

  • Click here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Doubleclick on the HijackThis Installer icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.

DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.




Logs/Information to Post in Reply

Please post the following logs/Information in your reply

  • ComboFix Log
  • A fresh HijackThis Log ( after all the above has been done)
  • How are things running now ?
Bio-Hazard

Re: requesting help

Unread postby Bio-Hazard » May 9th, 2008, 11:17 am

Hello!


It has been a few days since my last post.
  • Do you still need help with this?
  • Do you need more time?
  • Are you having problems following my instructions?

Note: If after 48 hrs you have not replied to this thread, it will have to be CLOSED!


Bio-Hazard

Re: requesting help

Unread postby hosein » May 11th, 2008, 5:50 am

Hi, thanks for your kind response to my request. Because of my exams I couldn't reply to you sooner.
1. However, due to this error message: "c:\documents and settings\baba\desktop\HJTInstall.exe is not a valid Win32 application", I couldn't install HJTInstall on my computer.
2. When ComboFix ran I could see "Folder Options" (in Control Panel), but after I restarted my computer "Folder Options" disappeared. Also I can see "autorun.inf" on all my drives, such as C:, D:, E:, F:, G:.
Yours, hosein
-------------------------------------------------------------
ComboFix 08-05-01.3 - baba 2008-05-07 18:21:40.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.548 [GMT 3.5:30]
Running from: C:\Documents and Settings\baba\Desktop\h1o2s3e4i5n.exe
Command switches used :: C:\Documents and Settings\baba\Desktop\cfscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\autoply.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Update.lnk
C:\Documents and Settings\baba\Label14sv.exe
C:\Documents and Settings\hadi\Label14sv.exe
C:\Documents and Settings\hadi\userinit.exe
C:\sv
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Web\OfficeUpdate.exe
C:\WINDOWS\winstart.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autoply.exe
C:\Autorun.inf
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Update.lnk
C:\Documents and Settings\baba\Label14sv.exe
C:\Documents and Settings\baba\userinit.exe
C:\Documents and Settings\hadi\Label14sv.exe
C:\Documents and Settings\hadi\userinit.exe
C:\Program Files\XPCode
C:\Program Files\XPCode\Games.lnk
C:\Program Files\XPCode\SexGame.exe
C:\Program Files\XPCode\SexGameList.pif
C:\Program Files\XPCode\SexScreenSaver.scr
C:\sv
C:\WINDOWS\system32\Bhsrv.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Web\OfficeUpdate.exe
C:\WINDOWS\winstart.bat
D:\Autorun.inf
E:\Autorun.inf
F:\Autorun.inf
G:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BHSRV
-------\Service_BHsrv


((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
.

2008-05-06 14:53 . 2008-05-06 14:53 17 --a------ C:\WINDOWS\cdplayer.ini
2008-05-05 18:52 . 2008-05-05 18:52 <DIR> d-------- C:\Program Files\hosein2
2008-05-04 13:59 . 2008-05-04 13:59 <DIR> d-------- C:\Documents and Settings\hadi\Application Data\PC Suite
2008-05-04 13:59 . 2008-05-04 13:59 <DIR> d-------- C:\Documents and Settings\hadi
2008-05-04 13:59 . 2008-05-07 18:23 1,024 --ah----- C:\Documents and Settings\hadi\ntuser.dat.LOG
2008-04-30 20:42 . 2008-04-30 20:42 <DIR> d--hs---- C:\FOUND.001
2008-04-30 20:27 . 2008-04-30 20:27 <DIR> d-------- C:\Combo-Fix
2008-04-30 12:42 . 2008-04-30 12:43 <DIR> d-------- C:\Program Files\hosien
2008-04-28 13:43 . 2008-04-28 13:43 1,315 --a------ C:\WINDOWS\system32\Setup.lnk
2008-04-27 22:06 . 2008-04-27 22:06 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-26 13:49 . 2008-05-03 12:41 437 --a------ C:\WINDOWS\wininit.ini
2008-04-26 08:19 . 2008-04-26 08:19 <DIR> d--hs---- C:\FOUND.000
2008-04-25 09:49 . 2008-04-25 09:49 <DIR> d-------- C:\Documents and Settings\baba\Application Data\Nokia Multimedia Player
2008-04-25 08:37 . 2008-04-25 08:37 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-25 08:37 . 2006-09-16 03:02 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-25 08:35 . 2008-04-25 08:35 <DIR> d-------- C:\Documents and Settings\baba\Application Data\Nokia
2008-04-25 08:35 . 2008-04-25 08:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\WINDOWS\system32\DRVSTORE
2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\Program Files\Nokia
2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\Program Files\DIFX
2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\Documents and Settings\baba\Application Data\PC Suite
2008-04-25 08:34 . 2006-10-10 08:54 138,240 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-04-25 08:34 . 2006-10-10 08:54 50,688 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-04-25 08:34 . 2006-10-10 08:54 30,720 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-04-25 08:34 . 2006-10-10 08:54 12,800 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-04-25 08:34 . 2006-10-10 08:54 12,800 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-04-25 08:34 . 2006-10-10 08:54 9,216 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-04-25 08:34 . 2006-10-10 08:54 4,608 --a------ C:\WINDOWS\system32\nmwcdlog.dll
2008-04-25 08:33 . 2008-04-25 08:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-04-22 08:21 . 2008-04-22 08:21 276,320 --a------ C:\Documents and Settings\baba\Application Data\GDIPFONTCACHEV1.DAT
2008-04-21 22:42 . 2001-08-23 16:30 19,456 --a------ C:\WINDOWS\system32\dllcache\agt040d.dll
2008-04-21 22:42 . 2001-08-23 16:30 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0401.dll
2008-04-21 21:54 . 2004-08-03 23:08 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-21 19:14 . 2008-04-21 19:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-21 19:12 . 2008-04-21 20:09 286,720 --------- C:\WINDOWS\Setup1.exe
2008-04-21 19:12 . 2008-04-21 20:09 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-04-21 19:11 . 2008-04-21 19:11 <DIR> d-------- C:\Program Files\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 14:53 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-21 14:53 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-04-21 14:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-04-21 14:49 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-21 14:37 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-21 14:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-21 14:28 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-21 14:28 --------- d-----w C:\Program Files\JetAudio
2008-04-21 14:27 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-21 14:26 --------- d-----w C:\Program Files\Common Files\L&H
2008-04-21 14:20 --------- d-----w C:\Documents and Settings\baba\Application Data\COWON
2008-04-21 14:19 --------- d-----w C:\Program Files\Real
2008-04-21 14:19 --------- d-----w C:\Program Files\Common Files\xing shared
2008-04-21 14:19 --------- d-----w C:\Program Files\Common Files\Real
.

((((((((((((((((((((((((((((( snapshot@2008-05-05_18.46.30.73 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-05 15:01:56 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-07 14:53:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-20 16:32:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-04-15 23:25 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe" [2008-04-21 17:49 146432]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 13:27 222208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15 1634304]

C:\Documents and Settings\baba\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.jxvd"= JetMPVx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7f87582-18ea-11dd-b7ca-b8319c767389}]
\Shell\Auto\command - J:\Bhsrv.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Bhsrv.exe

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 18:23:42
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM32\WSCNTFY.EXE
C:\PROGRAM FILES\PC CONNECTIVITY SOLUTION\SERVICELAYER.EXE
.
**************************************************************************
.
Completion time: 2008-05-07 18:24:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-07 14:54:12
ComboFix3.txt 2008-05-05 15:16:42
ComboFix2.txt 2008-05-05 18:28:12

Pre-Run: 13,962,182,656 bytes free
Post-Run: 13,974,700,032 bytes free

167
hosein

Re: requesting help

Unread postby Bio-Hazard » May 18th, 2008, 9:39 am

Hello!

Sorry for the delay. I have just moved house.

The autorun.inf files are protecting your drives. So there is no need to delete them.

We need to uninstall Spybot for now. It is interfering with our fix.

Remove programs

  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):

    Spybot S&D

NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.


Upload a File to Jotti

  • Please visit http://virusscan.jotti.org/
  • Click on Browse... and navigate to the following file: C:\WINDOWS\Setup1.exe
  • Click Open and submit the file.
  • Please let me know the results.


Delete ComboFix
Next we need to delete the older version of Combofix. You can just delete h1o2s3e4i5n.exe from your desktop. Right-click on the file name and select Delete.

Download ComboFix
SAVE a fresh copy of ComboFix from >Bleeping Computer< or >Geeks To Go< to your Desktop
For information regarding this download, please visit >this webpage< at Bleeping Computer.

IMPORTANT: combofix.exe MUST be on your Desktop for us to proceed.




You have an infection on your J: drive. Could you please insert the USB stick, or whatever the device is, into the computer now.



Run CFScript

Open Notepad and copy/paste the text in the box into the window:

Code:
http://www.malwareremoval.com/forum/viewtopic.php?p=295584#p295584
Collect::
J:\Bhsrv.exe
Suspect::
C:\WINDOWS\Setup1.exe
Driver::
BHsrv
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7f87582-18ea-11dd-b7ca-b8319c767389}]


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt onto ComboFix.exe. This will let ComboFix run again. Restart if you have to. Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Flash Disinfector

  • Please download Flash_Disinfector and save it to your desktop.
  • Double click to run it.
  • You will be prompted to plug in your flash drive. Plug it in.
  • Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  • When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  • Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.

Note: Flash_Disinfector will create a hidden folder named autorun.inf on each partition and on every USB drive that was plugged in when you ran it. Don't delete this folder; it will help protect your drives from future infection.


Logs/Information to Post in Reply

Please post the following logs/Information in your reply

  • Combofix Log
  • A fresh HijackThis Log ( after all the above has been done)
  • How are things running now ?
Bio-Hazard
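Bio-Hazard's note above describes the defence Flash_Disinfector relies on: a folder named autorun.inf occupies the name at the volume root, so a worm that tries to write its own autorun.inf file there fails. The Python below is an added example, not part of the thread and not Flash_Disinfector's code. It shows the other half of the mechanism as well: how the keys in a worm's [autorun] section become the Shell\<verb>\command values that the ComboFix logs in this thread show cached under MountPoints2 (open= becomes AutoRun\command with the path rooted at the drive letter, shellexecute= becomes the RunDLL32 ShellExec_RunDLL form), and a check for whether a volume root carries the directory guard, a real autorun.inf, or neither. The sample autorun.inf texts are constructed to reproduce the verbs seen in the logs, and the rule that shellexecute= overrides open= when both appear is my assumption.

```python
import os
import tempfile

# How Windows stores a "shellexecute=" verb under MountPoints2, as seen in the
# ComboFix logs in this thread; the path is the XP default.
RUNDLL_PREFIX = r"C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL "

# Constructed samples, modelled on the verbs seen in the thread's logs.
SAMPLE_INF_OPEN = r"""[autorun]
open=autoply.exe OPEN
shell\open\command=autoply.exe OPEN
shell\explore\command=autoply.exe EXPLORE
shell\autoplay\command=autoply.exe OPEN
shell=open
icon=autoply.exe
"""
SAMPLE_INF_RUNDLL = r"""[autorun]
shellexecute=Bhsrv.exe
shell\auto\command=Bhsrv.exe
shell=auto
"""


def parse_autorun_inf(text):
    """Key/value pairs of the [autorun] section, keys lower-cased.

    Hand-rolled instead of configparser: worm-written autorun.inf files often
    carry junk lines that a strict INI parser rejects.
    """
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def rooted(cmd, drive):
    """Resolve a relative command against the volume root, as Explorer does."""
    exe, _, args = cmd.partition(" ")
    if exe[1:2] != ":":
        exe = drive + "\\" + exe.lstrip("\\")
    return (exe + " " + args).strip()


def predict_mountpoints(inf_text, drive="J:"):
    """Predict the Shell\\<verb>\\command values Windows caches under
    MountPoints2 for a volume carrying this autorun.inf."""
    entries = parse_autorun_inf(inf_text)
    verbs = {}
    if "open" in entries:
        verbs["AutoRun"] = rooted(entries["open"], drive)
    if "shellexecute" in entries:
        # Assumption: shellexecute takes precedence when both keys are present.
        verbs["AutoRun"] = RUNDLL_PREFIX + entries["shellexecute"]
    for key, value in entries.items():
        parts = key.split("\\")
        if len(parts) == 3 and parts[0] == "shell" and parts[2] == "command":
            verbs[parts[1]] = rooted(value, drive)
    return {"default_verb": entries.get("shell"), "verbs": verbs}


def guard_status(volume_root):
    """'guarded' if autorun.inf is a directory (Flash_Disinfector's trick),
    'file' if a real autorun.inf exists, 'absent' otherwise. Matched
    case-insensitively because FAT and NTFS are."""
    for name in os.listdir(volume_root):
        if name.lower() == "autorun.inf":
            return "guarded" if os.path.isdir(os.path.join(volume_root, name)) else "file"
    return "absent"


def demo_guard():
    """Exercise guard_status on three throwaway 'volumes' in a temp directory."""
    base = tempfile.mkdtemp()
    empty, guarded, infected = (os.path.join(base, n) for n in ("e", "g", "i"))
    for d in (empty, guarded, infected):
        os.mkdir(d)
    os.mkdir(os.path.join(guarded, "autorun.inf"))
    with open(os.path.join(infected, "Autorun.inf"), "w") as fh:
        fh.write(SAMPLE_INF_OPEN)
    return guard_status(empty), guard_status(guarded), guard_status(infected)


if __name__ == "__main__":
    for inf in (SAMPLE_INF_OPEN, SAMPLE_INF_RUNDLL):
        print(predict_mountpoints(inf))
    print(demo_guard())
```

On a real machine, point `guard_status` at a drive root such as `"J:\\"` after Flash_Disinfector has run; a result of "file" means the volume still carries a worm's autorun.inf, and feeding that file to `predict_mountpoints` tells you which MountPoints2 verbs to expect in the next ComboFix log. The guard only stops the file from being created; it does nothing about MountPoints2 entries already cached for that volume, which is why the CFScripts in this thread delete those keys separately.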

Re: requesting help

Unread postby hosein » May 20th, 2008, 2:54 pm

Hi, thanks for your help. During these two weeks I tried the ewido & McAfee freeware editions and they picked up "new folder", and "Folder Options" has also come back. Is it right to uninstall these two as well? Yours, hosein.


Scanner results (http://virusscan.jotti.org)
Scan taken on 20 May 2008 18:16:01 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


------------------------------------------------------------------

ComboFix 08-05-19.4 - baba 2008-05-20 22:03:57.5 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.459 [GMT 3.5:30]
Running from: C:\Documents and Settings\baba\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\baba\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))
.

2008-05-18 14:15 . 2008-05-18 14:16 <DIR> d-------- C:\Program Files\Wondershare
2008-05-15 15:46 . 2008-05-15 15:46 <DIR> d--hs---- C:\Documents and Settings\baba\Phone Browser
2008-05-14 16:53 . 2008-05-14 16:53 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-05-14 16:53 . 2008-05-14 16:53 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-05-14 16:53 . 2008-05-14 16:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-14 16:53 . 2006-12-19 15:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-05-14 16:53 . 2007-02-22 20:50 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-05-14 16:53 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-05-14 16:53 . 2006-11-30 08:50 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-05-14 16:53 . 2006-11-30 08:50 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-05-14 16:53 . 2006-11-30 08:50 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-05-14 16:53 . 2006-12-19 15:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-05-13 19:43 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-13 19:43 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-05-13 19:43 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-13 19:43 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-05-13 19:43 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-05-13 19:43 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-05-13 19:34 . 2008-05-13 19:34 <DIR> d-------- C:\Documents and Settings\baba\Application Data\Lavasoft
2008-05-08 16:22 . 2008-05-08 16:22 <DIR> d--hs---- C:\FOUND.002
2008-05-06 14:53 . 2008-05-06 14:53 17 --a------ C:\WINDOWS\cdplayer.ini
2008-05-04 13:59 . 2008-05-04 13:59 <DIR> d-------- C:\Documents and Settings\hadi\Application Data\PC Suite
2008-05-04 13:59 . 2008-05-04 13:59 <DIR> d-------- C:\Documents and Settings\hadi
2008-05-04 13:59 . 2008-05-20 21:56 1,024 --ah----- C:\Documents and Settings\hadi\ntuser.dat.LOG
2008-04-30 20:42 . 2008-04-30 20:42 <DIR> d--hs---- C:\FOUND.001
2008-04-30 20:27 . 2008-04-30 20:27 <DIR> d-------- C:\Program Files\Combo-Fix
2008-04-28 13:43 . 2008-04-28 13:43 1,315 --a------ C:\WINDOWS\system32\Setup.lnk
2008-04-27 22:06 . 2008-04-27 22:06 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-26 13:49 . 2008-05-13 19:26 537 --a------ C:\WINDOWS\wininit.ini
2008-04-26 08:19 . 2008-04-26 08:19 <DIR> d--hs---- C:\FOUND.000
2008-04-25 09:49 . 2008-04-25 09:49 <DIR> d-------- C:\Documents and Settings\baba\Application Data\Nokia Multimedia Player
2008-04-25 08:37 . 2008-04-25 08:37 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-25 08:37 . 2006-09-16 03:02 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-25 08:35 . 2008-04-25 08:35 <DIR> d-------- C:\Documents and Settings\baba\Application Data\Nokia
2008-04-25 08:35 . 2008-04-25 08:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\WINDOWS\system32\DRVSTORE
2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\Program Files\Nokia
2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\Program Files\DIFX
2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\Documents and Settings\baba\Application Data\PC Suite
2008-04-25 08:34 . 2006-10-10 08:54 138,240 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-04-25 08:34 . 2006-10-10 08:54 50,688 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-04-25 08:34 . 2006-10-10 08:54 30,720 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-04-25 08:34 . 2006-10-10 08:54 12,800 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-04-25 08:34 . 2006-10-10 08:54 12,800 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-04-25 08:34 . 2006-10-10 08:54 9,216 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-04-25 08:34 . 2006-10-10 08:54 4,608 --a------ C:\WINDOWS\system32\nmwcdlog.dll
2008-04-25 08:33 . 2008-04-25 08:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-04-22 08:21 . 2008-04-22 08:21 276,320 --a------ C:\Documents and Settings\baba\Application Data\GDIPFONTCACHEV1.DAT
2008-04-21 22:42 . 2001-08-23 16:30 19,456 --a------ C:\WINDOWS\system32\dllcache\agt040d.dll
2008-04-21 22:42 . 2001-08-23 16:30 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0401.dll
2008-04-21 21:54 . 2004-08-03 23:08 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-21 19:14 . 2008-04-21 19:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-21 19:12 . 2008-04-21 20:09 286,720 --------- C:\WINDOWS\Setup1.exe
2008-04-21 19:12 . 2008-04-21 20:09 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-04-21 19:11 . 2008-04-21 19:11 <DIR> d-------- C:\Program Files\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 14:53 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-21 14:53 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-04-21 14:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-04-21 14:49 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-21 14:37 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-21 14:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-21 14:28 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-21 14:28 --------- d-----w C:\Program Files\JetAudio
2008-04-21 14:27 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-21 14:26 --------- d-----w C:\Program Files\Common Files\L&H
2008-04-21 14:20 --------- d-----w C:\Documents and Settings\baba\Application Data\COWON
2008-04-21 14:19 --------- d-----w C:\Program Files\Real
2008-04-21 14:19 --------- d-----w C:\Program Files\Common Files\Real
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-04-15 23:25 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe" [2008-04-21 17:49 146432]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 13:27 222208]
"ShStatEXE"="D:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50 112216]
"McAfeeUpdaterUI"="D:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 11:27 136768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15 1634304]

C:\Documents and Settings\baba\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.jxvd"= JetMPVx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"D:\\program files\\McAfee\\Common Framework\\FrameworkService.exe"=

R1 ewido security suite driver;ewido security suite driver;d:\Program Files\ewido anti-malware\guard.sys [2005-12-30 14:42]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-20 17:00:02 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\Web\OfficeUpdate.exe
"2008-05-20 08:00:02 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\Web\OfficeUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 22:05:52
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-20 22:06:47
ComboFix-quarantined-files.txt 2008-05-20 18:36:42
ComboFix4.txt 2008-05-05 15:16:42
ComboFix3.txt 2008-05-05 18:28:12
ComboFix2.txt 2008-05-20 18:30:12

Pre-Run: 13,595,230,208 bytes free
Post-Run: 13,587,103,744 bytes free

142
------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:29 PM, on 5/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
d:\Program Files\ewido anti-malware\ewidoctrl.exe
d:\Program Files\ewido anti-malware\ewidoguard.exe
D:\Program Files\McAfee\Common Framework\FrameworkService.exe
D:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
D:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
D:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - D:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Office Update.lnk = C:\WINDOWS\Web\OfficeUpdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBFA27EC-83A0-452D-B81A-D66F4A201B98}: NameServer = 213.217.60.170 213.217.60.202
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - D:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - D:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - D:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 5181 bytes
hosein
Active Member
 
Posts: 13
Joined: April 27th, 2008, 10:00 am