Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

requesting help

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: requesting help

Unread postby Bio-Hazard » May 25th, 2008, 4:04 pm

Hello!

Please follow my instructions and do not install any programs, because that will affect the fixes that i will give you. Also do not run programs unless i instruct you to do so.

Thank you.


You need to uninstall Ewido because it is outdated program. Here is how to do it:

Remove programs

  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):

    Ewido

NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.



RECOVERY CONSOLE

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System


Image


Download the file & save it as it's originally named, next to ComboFix.exe.



Image


Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'No' to exit ComboFix .

    Image




Run CFScript

Open Notepad and copy/paste the text in the box into the window:

Code: Select all
File::
C:\WINDOWS\ST6UNST.EXE
C:\WINDOWS\Setup1.exe
C:\WINDOWS\Web\OfficeUpdate.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At2.job


Save it to your desktop as CFScript.txt

Refering to the picture above drag CFScript.txt into ComboFix.exe Image This will let ComboFix runagain. Restart if you have to. Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Remove HijackThis entries

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O4 - Global Startup: Office Update.lnk = C:\WINDOWS\Web\OfficeUpdate.exe
  • Close all open windows and browsers/email etc...
  • Click on the Fix Checked button
  • When completed close the application.



Kaspersky Online Scan

With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence accepted, reset to 100%.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database:
    + Extended (If available otherwise Standard)
    o Scan Options:
    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run.
  • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button (see red arrow below)

    Image
  • In the Save as... prompt, select Desktop
  • In the File name box, name the file KasScan-ddmmyy (or similar)
  • In the Save as type prompt, select Text file (see below)

    Image
  • Copy and paste the report in your next post.

Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and to speed up scan time.Please don't go surfing while your resident protection is disabled!Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


REBOOT AFTER ALL THESE HAVE BEEN DONE


Logs/Information to Post in Reply

Please post the following logs/Information in your reply

  • Combofix Log
  • Kaspersky Log
  • A fresh HijackThis Log ( after all the above has been done)
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK
Advertisement
Register to Remove

Re: requesting help

Unread postby Bio-Hazard » May 28th, 2008, 2:10 am

Hello!


It has been few days since my last post.
  • Do you still need help with this?
  • Do you need more time?
  • Are you having problems following my instructions?

Note: If after 48hrs you have not replied to this thread then it will have to be CLOSED!


Bio-Hazard
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: requesting help

Unread postby hosein » May 28th, 2008, 12:43 pm

Hi sorry for delay. As u guided I loaded the kaspersky but at the end there is no save report as button. And so it could not delete the bad ware which it founded for me. anyway I post the rest for u. urs hosein
ComboFix 08-05-19.4 - baba 2008-05-27 10:29:28.6 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.465 [GMT 3.5:30]
Running from: C:\Documents and Settings\baba\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\baba\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\WINDOWS\Setup1.exe
C:\WINDOWS\ST6UNST.EXE
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Web\OfficeUpdate.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Setup1.exe
C:\WINDOWS\ST6UNST.EXE
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At2.job

.
((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-27 09:11 . 2008-05-27 09:11 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-05-20 22:15 . 2008-05-20 22:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-18 14:15 . 2008-05-18 14:16 <DIR> d-------- C:\Program Files\Wondershare
2008-05-15 15:46 . 2008-05-15 15:46 <DIR> d--hs---- C:\Documents and Settings\baba\Phone Browser
2008-05-14 16:53 . 2008-05-14 16:53 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-05-14 16:53 . 2008-05-14 16:53 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-05-14 16:53 . 2008-05-14 16:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-14 16:53 . 2006-12-19 15:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-05-14 16:53 . 2007-02-22 20:50 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-05-14 16:53 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-05-14 16:53 . 2006-11-30 08:50 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-05-14 16:53 . 2006-11-30 08:50 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-05-14 16:53 . 2006-11-30 08:50 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-05-14 16:53 . 2006-12-19 15:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-05-13 19:43 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-13 19:43 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-05-13 19:43 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-13 19:43 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-05-13 19:43 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-05-13 19:43 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-05-13 19:34 . 2008-05-13 19:34 <DIR> d-------- C:\Documents and Settings\baba\Application Data\Lavasoft
2008-05-08 16:22 . 2008-05-08 16:22 <DIR> d--hs---- C:\FOUND.002
2008-05-06 14:53 . 2008-05-06 14:53 17 --a------ C:\WINDOWS\cdplayer.ini
2008-05-04 13:59 . 2008-05-04 13:59 <DIR> d-------- C:\Documents and Settings\hadi\Application Data\PC Suite
2008-05-04 13:59 . 2008-05-04 13:59 <DIR> d-------- C:\Documents and Settings\hadi
2008-05-04 13:59 . 2008-05-27 08:58 1,024 --ah----- C:\Documents and Settings\hadi\ntuser.dat.LOG
2008-04-30 20:42 . 2008-04-30 20:42 <DIR> d--hs---- C:\FOUND.001
2008-04-30 20:27 . 2008-04-30 20:27 <DIR> d-------- C:\Program Files\Combo-Fix
2008-04-28 13:43 . 2008-04-28 13:43 1,315 --a------ C:\WINDOWS\system32\Setup.lnk
2008-04-27 22:06 . 2008-04-27 22:06 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 06:19 --------- d-----w C:\Documents and Settings\baba\Application Data\Nokia Multimedia Player
2008-04-25 05:05 --------- d-----w C:\Documents and Settings\baba\Application Data\Nokia
2008-04-25 05:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-04-25 05:04 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-04-25 05:04 --------- d-----w C:\Program Files\Nokia
2008-04-25 05:04 --------- d-----w C:\Program Files\DIFX
2008-04-25 05:04 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-04-25 05:04 --------- d-----w C:\Program Files\Common Files\Nokia
2008-04-25 05:04 --------- d-----w C:\Documents and Settings\baba\Application Data\PC Suite
2008-04-25 05:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-04-22 04:51 276,320 ----a-w C:\Documents and Settings\baba\Application Data\GDIPFONTCACHEV1.DAT
2008-04-21 15:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-21 15:41 --------- d-----w C:\Program Files\Yahoo!
2008-04-21 14:53 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-21 14:53 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-04-21 14:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-04-21 14:49 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-21 14:37 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-21 14:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-21 14:28 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-21 14:28 --------- d-----w C:\Program Files\JetAudio
2008-04-21 14:27 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-21 14:26 --------- d-----w C:\Program Files\Common Files\L&H
2008-04-21 14:20 --------- d-----w C:\Documents and Settings\baba\Application Data\COWON
2008-04-21 14:19 --------- d-----w C:\Program Files\Real
2008-04-21 14:19 --------- d-----w C:\Program Files\Common Files\Real
.

((((((((((((((((((((((((((((( snapshot_2008-05-20_21.59.27.75 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-20 18:08:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-27 05:28:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-04-15 23:25 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe" [2008-04-21 17:49 146432]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 13:27 222208]
"ShStatEXE"="D:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50 112216]
"McAfeeUpdaterUI"="D:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 11:27 136768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15 1634304]

C:\Documents and Settings\baba\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.jxvd"= JetMPVx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"D:\\program files\\McAfee\\Common Framework\\FrameworkService.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8f3c410-21ce-11dd-b7fa-9a48bb3eb089}]
\Shell\AutoRun\command - 4sv.exe
\Shell\explore\Command - 4sv.exe
\Shell\open\Command - 4sv.exe

*Newly Created Service* - NTMSSVC
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 10:30:50
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-27 10:31:18
ComboFix-quarantined-files.txt 2008-05-27 07:01:16
ComboFix5.txt 2008-05-05 15:16:42
ComboFix4.txt 2008-05-05 18:28:12
ComboFix3.txt 2008-05-20 18:30:12
ComboFix2.txt 2008-05-20 18:36:50

Pre-Run: 13,431,111,680 bytes free
Post-Run: 13,507,870,720 bytes free

142
-------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:55:30 PM, on 5/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\McAfee\Common Framework\FrameworkService.exe
D:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
D:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - D:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - D:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - D:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - D:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 4815 bytes
hosein
Active Member
 
Posts: 13
Joined: April 27th, 2008, 10:00 am

Re: requesting help

Unread postby Bio-Hazard » May 30th, 2008, 3:26 am

You are getting infected from your flash drive/memory stick. Plug in the flash drive/memory stick NOW.

Run CFScript

Open Notepad and copy/paste the text in the box into the window:

Code: Select all
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8f3c410-21ce-11dd-b7fa-9a48bb3eb089}]


Save it to your desktop as CFScript.txt

Refering to the picture above drag CFScript.txt into ComboFix.exe Image This will let ComboFix runagain. Restart if you have to. Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall



KEEP YOUR FLASH DRIVE/MEMORY STICK PLUGGED IN



Flash Disinfector

  • Please download Flash_Disinfector and save it to your desktop.
  • Double click to run it.
  • You will be prompted to plug in your flash drive. Plug it in.
  • Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  • When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  • Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.[/quote]



Delete files and folders

  • Using Start > Search > All Files and Folders
  • Click Advanced Options and make sure the following are ticked Search system folders, Search hidden files and folders, Search subfolders
  • Enter 4sv.exe in the 'All or part of file name' box
  • Select My computer in the 'Look in' dropdown box
  • Click Search Now
  • Right-click on file that was found and select Delete
  • Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.



As u guided I loaded the kaspersky but at the end there is no save report as button. And so it could not delete the bad ware which it founded for me. anyway I post the rest for u


Okay, Kaspersky doesnt clean any infections it founds it only tell where the infected files are. Lets try another scanner.


Panda Online Scan

Please go >here< to run Panda's ActiveScan
  • Once you are on the Panda site, click the Scan your PC now button
  • A new window will open...click the Scan Now button
  • Allow the ActiveX control to be installed. It will start downloading the files it requires for the scan. Note: This may take a couple of minutes
  • Run the ActiveX control, if requested. The screen will then show the scanning progress - the scan will take a while to finish. Please be patient.
  • When the scan has finished, click on Export To
  • Save the file as Activescan.txt to your Desktop
  • Close the Activescan window then go to your Desktop
  • Double-click on Activescan.txt and it will open in Notepad
  • In Notepad, click Edit > Select all, then Edit > Copy
  • Reply to this thread and click Ctrl+V to paste the log in your reply




Logs/Information to Post in Reply

Please post the following logs/Information in your reply

  • Combofix Log
  • Panda Log
  • A fresh HijackThis Log ( after all the above has been done)
  • How are things running now ?
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: requesting help

Unread postby hosein » May 31st, 2008, 2:27 am

hi,as you said i used my flash an put it in usb drive Unfortunately after run Flash Disinfector noticed that my flash went blank.
Last edited by hosein on May 31st, 2008, 10:21 am, edited 1 time in total.
hosein
Active Member
 
Posts: 13
Joined: April 27th, 2008, 10:00 am

Re: requesting help

Unread postby hosein » May 31st, 2008, 4:23 am

hi my flash is now ok,i repaired it.
hosein
Active Member
 
Posts: 13
Joined: April 27th, 2008, 10:00 am

Re: requesting help

Unread postby hosein » May 31st, 2008, 10:24 am

hi tnx for helping me .about 4sv.exe I searched it the same as you said ,but there was no sign of it. Urs hosein

ComboFix 08-05-29.1 - baba 2008-05-31 9:26:30.7 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.470 [GMT 3.5:30]
Running from: C:\Documents and Settings\baba\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\baba\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-31 )))))))))))))))))))))))))))))))
.

2008-05-30 23:01 . 2008-05-30 23:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-30 23:00 . 2008-05-30 23:00 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\{A9609760-A609-46DE-893D-55E123A7086F}
2008-05-30 22:16 . 2008-05-30 22:16 <DIR> d-------- C:\Program Files\MIKSOFT
2008-05-30 10:32 . 2005-07-03 21:05 <DIR> d-------- C:\Program Files\Lib
2008-05-30 10:32 . 2005-07-03 21:05 <DIR> d-------- C:\Program Files\DSFilter
2008-05-30 10:32 . 2005-07-03 21:05 <DIR> d-------- C:\Program Files\AudioPlugins
2008-05-27 19:39 . 2008-05-27 19:39 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-27 19:39 . 2008-05-27 19:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-27 09:11 . 2008-05-27 09:11 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-05-23 16:42 . 2008-05-23 16:42 323,584 --a------ C:\WINDOWS\system32\AudioGenie2.dll
2008-05-20 22:15 . 2008-05-20 22:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-18 14:15 . 2008-05-18 14:16 <DIR> d-------- C:\Program Files\Wondershare
2008-05-17 18:33 . 2008-05-17 18:33 450,560 --a------ C:\WINDOWS\system32\Asoedmms.ocx
2008-05-17 18:32 . 2008-05-17 18:32 1,122,304 --a------ C:\WINDOWS\system32\AdjMmsEng.dll
2008-05-15 15:46 . 2008-05-15 15:46 <DIR> d--hs---- C:\Documents and Settings\baba\Phone Browser
2008-05-14 16:53 . 2008-05-14 16:53 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-05-14 16:53 . 2008-05-14 16:53 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-05-14 16:53 . 2008-05-14 16:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-14 16:53 . 2006-12-19 15:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-05-14 16:53 . 2007-02-22 20:50 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-05-14 16:53 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-05-14 16:53 . 2006-11-30 08:50 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-05-14 16:53 . 2006-11-30 08:50 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-05-14 16:53 . 2006-11-30 08:50 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-05-14 16:53 . 2006-12-19 15:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-05-13 19:43 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-13 19:43 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-05-13 19:43 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-13 19:43 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-05-13 19:43 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-05-13 19:43 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-05-13 19:34 . 2008-05-13 19:34 <DIR> d-------- C:\Documents and Settings\baba\Application Data\Lavasoft
2008-05-12 23:10 . 2008-05-12 23:10 544,768 --a------ C:\WINDOWS\system32\AudioConverter.dll
2008-05-08 16:22 . 2008-05-08 16:22 <DIR> d--hs---- C:\FOUND.002
2008-05-06 14:53 . 2008-05-06 14:53 17 --a------ C:\WINDOWS\cdplayer.ini
2008-05-04 13:59 . 2008-05-04 13:59 <DIR> d-------- C:\Documents and Settings\hadi\Application Data\PC Suite
2008-05-04 13:59 . 2008-05-04 13:59 <DIR> d-------- C:\Documents and Settings\hadi
2008-04-30 20:42 . 2008-04-30 20:42 <DIR> d--hs---- C:\FOUND.001
2008-04-30 20:27 . 2008-04-30 20:27 <DIR> d-------- C:\Program Files\Combo-Fix
2008-04-28 13:43 . 2008-04-28 13:43 1,315 --a------ C:\WINDOWS\system32\Setup.lnk
2008-04-27 22:06 . 2008-04-27 22:06 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-26 13:49 . 2008-05-13 19:26 537 --a------ C:\WINDOWS\wininit.ini
2008-04-26 08:19 . 2008-04-26 08:19 <DIR> d--hs---- C:\FOUND.000
2008-04-25 09:49 . 2008-04-25 09:49 <DIR> d-------- C:\Documents and Settings\baba\Application Data\Nokia Multimedia Player
2008-04-25 08:37 . 2008-04-25 08:37 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-25 08:37 . 2006-09-16 03:02 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-25 08:35 . 2008-04-25 08:35 <DIR> d-------- C:\Documents and Settings\baba\Application Data\Nokia
2008-04-25 08:35 . 2008-04-25 08:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\WINDOWS\system32\DRVSTORE
2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\Program Files\Nokia
2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\Program Files\DIFX
2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\Documents and Settings\baba\Application Data\PC Suite
2008-04-25 08:34 . 2006-10-10 08:54 138,240 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-04-25 08:34 . 2006-10-10 08:54 50,688 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-04-25 08:34 . 2006-10-10 08:54 30,720 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-04-25 08:34 . 2006-10-10 08:54 12,800 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-04-25 08:34 . 2006-10-10 08:54 12,800 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-04-25 08:34 . 2006-10-10 08:54 9,216 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-04-25 08:34 . 2006-10-10 08:54 4,608 --a------ C:\WINDOWS\system32\nmwcdlog.dll
2008-04-25 08:33 . 2008-04-25 08:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-04-22 08:21 . 2008-04-22 08:21 276,320 --a------ C:\Documents and Settings\baba\Application Data\GDIPFONTCACHEV1.DAT
2008-04-21 22:42 . 2001-08-23 16:30 19,456 --a------ C:\WINDOWS\system32\dllcache\agt040d.dll
2008-04-21 22:42 . 2001-08-23 16:30 19,456 --a------ C:\WINDOWS\system32\dllcache\agt0401.dll
2008-04-21 21:54 . 2004-08-03 23:08 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-21 19:14 . 2008-04-21 19:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-21 19:11 . 2008-04-21 19:11 <DIR> d-------- C:\Program Files\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 14:53 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-21 14:53 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-04-21 14:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-04-21 14:49 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-21 14:37 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-21 14:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-21 14:28 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-21 14:28 --------- d-----w C:\Program Files\JetAudio
2008-04-21 14:27 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-21 14:26 --------- d-----w C:\Program Files\Common Files\L&H
2008-04-21 14:20 --------- d-----w C:\Documents and Settings\baba\Application Data\COWON
2008-04-21 14:19 --------- d-----w C:\Program Files\Real
2008-04-21 14:19 --------- d-----w C:\Program Files\Common Files\Real
.

((((((((((((((((((((((((((((( snapshot_2008-05-20_21.59.27.75 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-20 18:08:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-31 05:12:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-02-10 04:26:20 86,016 ----a-w C:\WINDOWS\system32\ExControl.dll
+ 2005-05-17 20:37:10 76,800 ----a-w C:\WINDOWS\system32\Faac.exe
+ 2005-02-05 22:18:08 32,768 ----a-w C:\WINDOWS\system32\IsDRM.dll
+ 2005-05-24 08:57:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 12:17:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 12:19:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2005-11-05 23:34:50 145,408 ----a-w C:\WINDOWS\system32\Lame.exe
+ 2002-07-19 16:48:22 157,696 ----a-w C:\WINDOWS\system32\OggEnc.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-04-15 23:25 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe" [2008-04-21 17:49 146432]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 13:27 222208]
"ShStatEXE"="D:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50 112216]
"McAfeeUpdaterUI"="D:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 11:27 136768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15 1634304]

C:\Documents and Settings\baba\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.jxvd"= JetMPVx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"D:\\program files\\McAfee\\Common Framework\\FrameworkService.exe"=


.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 09:27:52
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-31 9:28:25
ComboFix-quarantined-files.txt 2008-05-31 05:58:22
ComboFix5.txt 2008-05-05 18:28:12
ComboFix4.txt 2008-05-20 18:30:12
ComboFix3.txt 2008-05-20 18:36:50
ComboFix2.txt 2008-05-27 07:01:20

Pre-Run: 13,200,687,104 bytes free
Post-Run: 13,279,723,520 bytes free

158
-----------------------------------------------------------------------------
;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-05-31 15:38:21
PROTECTIONS: 1
MALWARE: 24
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
McAfee VirusScan Enterprise 8.5.0.781 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\BABA\Cookies\baba@casalemedia[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\BABA\Cookies\baba@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\BABA\Cookies\baba@atdmt[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\BABA\Cookies\baba@fastclick[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\BABA\Cookies\baba@tribalfusion[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\BABA\Cookies\baba@mediaplex[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\BABA\Cookies\baba@com[1].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\BABA\Cookies\baba@xiti[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\BABA\Cookies\baba@statcounter[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\BABA\Cookies\baba@ad.yieldmanager[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\BABA\Cookies\baba@apmebf[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\BABA\Cookies\baba@serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\BABA\Cookies\baba@bs.serving-sys[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\BABA\Cookies\baba@advertising[1].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\BABA\Cookies\baba@ads.pointroll[1].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\BABA\Cookies\baba@overture[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\BABA\Cookies\baba@questionmarket[1].txt
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\BABA\Cookies\baba@bluestreak[1].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\BABA\Cookies\baba@adrevolver[2].txt
00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\BABA\Cookies\baba@bravenet[1].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\BABA\Cookies\baba@ads.addynamix[1].txt
00366244 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\BABA\Desktop\Flash_Disinfector.exe[nircmd.exe]
00366244 Application/NirCmd.A HackTools No 0 Yes No C:\Documents and Settings\BABA\Local Settings\Temp\NIRCMD.EXE
00366244 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\BABA\Local Settings\Temporary Internet Files\Content.IE5\79YQR6Z5\Flash_Disinfector[1].exe[nircmd.exe]
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\Documents and Settings\BABA\Desktop\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\Documents and Settings\BABA\Desktop\MALWARE\Combo-Fix.exe[327882R2FWJFW\NirCmdC.cfexe]
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\System Volume Information\_restore{25FAE106-D99B-43B7-A815-A59CFCACEF60}\RP11\A0001588.EXE[327882R2FWJFW\NirCmdC.cfexe]
02901106 W32/Autorun.PO.worm Virus/Worm No 0 Yes No C:\Documents and Settings\BABA\Label1autorun.inf
02901106 W32/Autorun.PO.worm Virus/Worm No 0 Yes No C:\Documents and Settings\HADI\Label1autorun.inf
;===================================================================================================================================================================================
SUSPECTS
Sent Location V
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description V
;===================================================================================================================================================================================
184380 MEDIUM MS08-002 V
184379 MEDIUM MS08-001 V
182048 HIGH MS07-069 V
182046 HIGH MS07-067 V
182043 HIGH MS07-064 V
179553 HIGH MS07-061 V
176382 HIGH MS07-057 V
176383 HIGH MS07-058 V
170911 HIGH MS07-050 V
170907 HIGH MS07-046 V
170906 HIGH MS07-045 V
170904 HIGH MS07-043 V
164915 HIGH MS07-035 V
164913 HIGH MS07-033 V
164911 HIGH MS07-031 V
160623 HIGH MS07-027 V
150243 HIGH MS07-008 V
126093 HIGH MS06-051 V
126087 HIGH MS06-046 V
120825 MEDIUM MS06-032 V
120823 MEDIUM MS06-030 V
108743 MEDIUM MS06-007 V
93394 HIGH MS05-050 V
93454 MEDIUM MS05-049 V
;===================================================================================================================================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:41:07 PM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\McAfee\Common Framework\FrameworkService.exe
D:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
D:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
D:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\JetAudio\JetAudio.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.modares.ac.ir:80
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - D:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - D:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - D:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - D:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 5124 bytes
hosein
Active Member
 
Posts: 13
Joined: April 27th, 2008, 10:00 am

Re: requesting help

Unread postby Bio-Hazard » June 1st, 2008, 3:27 pm

Hello!

Do you know anything about this entry?

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.modares.ac.ir:80




Run CFScript

Open Notepad and copy/paste the text in the box into the window:

Code: Select all
File::
C:\Documents and Settings\BABA\Label1autorun.inf
C:\Documents and Settings\HADI\Label1autorun.inf
DirLook::
C:\Documents and Settings\All Users\Application Data\{A9609760-A609-46DE-893D-55E123A7086F}



Save it to your desktop as CFScript.txt

Refering to the picture above drag CFScript.txt into ComboFix.exe Image This will let ComboFix runagain. Restart if you have to. Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Remove HijackThis entries

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')


  • Close all open windows and browsers/email etc...
  • Click on the Fix Checked button
  • When completed close the application.




CCleaner

Download CCleaner Slim from >here< and save it to your Desktop. When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.

Complete the installation then
  • Make sure that ALL browser windows are closed
  • Double-click the CCleaner shortcut on the desktop to start the program.
  • Click on the Options block on the left, then choose Cookies.
    • Under Cookies to Delete, highlight any cookies you would like to retain permanently
    • Click the right arrow > to move them to the Cookies to Keep window.
  • Go into Options > Advanced deselect/uncheck 'Only delete files in Windows Temp folders older than 48 hours'
  • Click Run Cleaner to run the program.
  • Caution: It is not recommended that you use the 'Registry' feature unless you are very familiar with the registry.
  • After CCleaner has completed its process, click Exit.


Malwarebytes' Anti-Malware

  • Please download Malwarebytes' Anti-Malware and save it to a convenient location.
  • Double click on mbam-setup.exe to install it.
  • Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
      Update Malwarebytes' Anti-Malware
      Launch Malwarebytes' Anti-Malware
  • Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
  • Select the Scanner tab. Click on Perform full scan, then click on Scan.
  • Leave the default options as it is and click on Start Scan.
  • When done, you will be prompted. Click OK, then click on Show Results.
  • Checked (ticked) all items and click on Remove Selected.
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.




Logs/Information to Post in Reply

Please post the following logs/Information in your reply

  • Combofix Log
  • Malwarebytes' Anti-Malware
  • A fresh HijackThis Log ( after all the above has been done)
  • How is your computer running now?
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: requesting help

Unread postby hosein » June 3rd, 2008, 12:15 pm

hi modares.ac.ir is my domain.

ComboFix 08-05-29.1 - baba 2008-06-03 17:56:36.8 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.457 [GMT 3.5:30]
Running from: C:\Documents and Settings\baba\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\baba\Desktop\cfscript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\Documents and Settings\BABA\Label1autorun.inf
C:\Documents and Settings\HADI\Label1autorun.inf
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\BABA\Label1autorun.inf
C:\Documents and Settings\HADI\Label1autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-03 to 2008-06-03 )))))))))))))))))))))))))))))))
.

2008-06-01 16:16 . 2008-06-03 15:14 231 --a------ C:\WINDOWS\RtlRack.ini
2008-05-31 09:58 . 2008-05-31 09:58 <DIR> d-------- C:\Program Files\Panda Security
2008-05-30 23:01 . 2008-05-30 23:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-30 23:00 . 2008-05-30 23:00 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\{A9609760-A609-46DE-893D-55E123A7086F}
2008-05-30 22:16 . 2008-05-30 22:16 <DIR> d-------- C:\Program Files\MIKSOFT
2008-05-30 10:32 . 2005-07-03 21:05 <DIR> d-------- C:\Program Files\Lib
2008-05-30 10:32 . 2005-07-03 21:05 <DIR> d-------- C:\Program Files\DSFilter
2008-05-30 10:32 . 2005-07-03 21:05 <DIR> d-------- C:\Program Files\AudioPlugins
2008-05-27 09:11 . 2008-05-27 09:11 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-05-23 16:42 . 2008-05-23 16:42 323,584 --a------ C:\WINDOWS\system32\AudioGenie2.dll
2008-05-20 22:15 . 2008-05-20 22:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-18 14:15 . 2008-05-18 14:16 <DIR> d-------- C:\Program Files\Wondershare
2008-05-17 18:33 . 2008-05-17 18:33 450,560 --a------ C:\WINDOWS\system32\Asoedmms.ocx
2008-05-17 18:32 . 2008-05-17 18:32 1,122,304 --a------ C:\WINDOWS\system32\AdjMmsEng.dll
2008-05-15 15:46 . 2008-05-15 15:46 <DIR> d--hs---- C:\Documents and Settings\baba\Phone Browser
2008-05-14 16:53 . 2008-05-14 16:53 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-05-14 16:53 . 2008-05-14 16:53 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-05-14 16:53 . 2008-05-14 16:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-14 16:53 . 2006-12-19 15:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-05-14 16:53 . 2007-02-22 20:50 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-05-14 16:53 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-05-14 16:53 . 2006-11-30 08:50 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-05-14 16:53 . 2006-11-30 08:50 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-05-14 16:53 . 2006-11-30 08:50 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-05-14 16:53 . 2006-12-19 15:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-05-13 19:43 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-13 19:43 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-05-13 19:43 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-13 19:43 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-05-13 19:43 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-05-13 19:43 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-05-13 19:34 . 2008-05-13 19:34 <DIR> d-------- C:\Documents and Settings\baba\Application Data\Lavasoft
2008-05-12 23:10 . 2008-05-12 23:10 544,768 --a------ C:\WINDOWS\system32\AudioConverter.dll
2008-05-08 16:22 . 2008-05-08 16:22 <DIR> d--hs---- C:\FOUND.002
2008-05-06 14:53 . 2008-05-06 14:53 17 --a------ C:\WINDOWS\cdplayer.ini
2008-05-04 13:59 . 2008-05-04 13:59 <DIR> d-------- C:\Documents and Settings\hadi\Application Data\PC Suite
2008-05-04 13:59 . 2008-05-04 13:59 <DIR> d-------- C:\Documents and Settings\hadi

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-30 16:57 --------- d-----w C:\Program Files\Combo-Fix
2008-04-25 06:19 --------- d-----w C:\Documents and Settings\baba\Application Data\Nokia Multimedia Player
2008-04-25 05:05 --------- d-----w C:\Documents and Settings\baba\Application Data\Nokia
2008-04-25 05:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-04-25 05:04 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-04-25 05:04 --------- d-----w C:\Program Files\Nokia
2008-04-25 05:04 --------- d-----w C:\Program Files\DIFX
2008-04-25 05:04 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-04-25 05:04 --------- d-----w C:\Program Files\Common Files\Nokia
2008-04-25 05:04 --------- d-----w C:\Documents and Settings\baba\Application Data\PC Suite
2008-04-25 05:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-04-22 04:51 276,320 ----a-w C:\Documents and Settings\baba\Application Data\GDIPFONTCACHEV1.DAT
2008-04-21 15:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-21 15:41 --------- d-----w C:\Program Files\Yahoo!
2008-04-21 14:53 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-21 14:53 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-04-21 14:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-04-21 14:49 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-21 14:37 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-21 14:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-21 14:28 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-21 14:28 --------- d-----w C:\Program Files\JetAudio
2008-04-21 14:27 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-21 14:26 --------- d-----w C:\Program Files\Common Files\L&H
2008-04-21 14:20 --------- d-----w C:\Documents and Settings\baba\Application Data\COWON
2008-04-21 14:19 --------- d-----w C:\Program Files\Real
2008-04-21 14:19 --------- d-----w C:\Program Files\Common Files\Real
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\All Users\Application Data\{A9609760-A609-46DE-893D-55E123A7086F} ----

2008-06-02 17:57 96 --a------ C:\Documents and Settings\All Users\Application Data\{A9609760-A609-46DE-893D-55E123A7086F}\instance.dat
2008-06-02 17:57 4496 --a------ C:\Documents and Settings\All Users\Application Data\{A9609760-A609-46DE-893D-55E123A7086F}\setup_ac.par
2008-06-02 17:57 225 --a------ C:\Documents and Settings\All Users\Application Data\{A9609760-A609-46DE-893D-55E123A7086F}\setup_ac.dat
2008-06-02 17:57 0 --a------ C:\Documents and Settings\All Users\Application Data\{A9609760-A609-46DE-893D-55E123A7086F}\{A0F43BC6-E685-49CB-BF91-851F62628343}
2008-05-30 23:00 0 --a------ C:\Documents and Settings\All Users\Application Data\{A9609760-A609-46DE-893D-55E123A7086F}\offline\{A9609760-A609-46DE-893D-55E123A7086F}
2008-05-26 01:23 579156 --a------ C:\Documents and Settings\All Users\Application Data\{A9609760-A609-46DE-893D-55E123A7086F}\mia.lib
2008-05-26 01:23 3443059 --a------ C:\Documents and Settings\All Users\Application Data\{A9609760-A609-46DE-893D-55E123A7086F}\setup_ac.res
2008-05-26 01:23 271360 --a------ C:\Documents and Settings\All Users\Application Data\{A9609760-A609-46DE-893D-55E123A7086F}\setup_ac.msi
2008-05-26 01:23 2331320 --a------ C:\Documents and Settings\All Users\Application Data\{A9609760-A609-46DE-893D-55E123A7086F}\setup_ac.exe
2008-05-26 01:22 872448 --a------ C:\Documents and Settings\All Users\Application Data\{A9609760-A609-46DE-893D-55E123A7086F}\offline\C0FE1718\F2AF3283\AudioCommander.exe
2008-05-23 16:42 323584 --a------ C:\Documents and Settings\All Users\Application Data\{A9609760-A609-46DE-893D-55E123A7086F}\offline\1B709323\AF8C2D79\AudioGenie2.dll
2008-05-17 18:33 450560 --a------ C:\Documents and Settings\All Users\Application Data\{A9609760-A609-46DE-893D-55E123A7086F}\offline\71C45995\32F7A4D1\Asoedmms.ocx
2008-05-17 18:32 1122304 --a------ C:\Documents and Settings\All Users\Application Data\{A9609760-A609-46DE-893D-55E123A7086F}\offline\C283212E\32F7A4D1\AdjMmsEng.dll
2008-05-12 23:10 544768 --a------ C:\Documents and Settings\All Users\Application Data\{A9609760-A609-46DE-893D-55E123A7086F}\offline\A08C3EFF\4779A637\AudioConverter.dll
2008-05-12 21:47 89246 --a------ C:\Documents and Settings\All Users\Application Data\{A9609760-A609-46DE-893D-55E123A7086F}\offline\E858102C\F2AF3283\AudioCommander.chm
2005-11-06 03:04 145408 --a------ C:\Documents and Settings\All Users\Application Data\{A9609760-A609-46DE-893D-55E123A7086F}\offline\46DCAF14\431AE4FA\Lame.exe
2005-06-10 22:01 643 --a------ C:\Documents and Settings\All Users\Application Data\{A9609760-A609-46DE-893D-55E123A7086F}\offline\D45CC34F\AF8C2D79\AudioGenie2.exe.manifest
2005-05-18 00:07 76800 --a------ C:\Documents and Settings\All Users\Application Data\{A9609760-A609-46DE-893D-55E123A7086F}\offline\1F3C49AE\8FD17A8B\Faac.exe
2005-02-10 07:56 86016 --a------ C:\Documents and Settings\All Users\Application Data\{A9609760-A609-46DE-893D-55E123A7086F}\offline\A6B62C87\F62D5284\ExControl.dll
2005-02-10 07:56 86016 --a------ C:\Documents and Settings\All Users\Application Data\{A9609760-A609-46DE-893D-55E123A7086F}\offline\6E5E09DF\F62D5284\ExControl.dll
2005-02-06 01:48 32768 --a------ C:\Documents and Settings\All Users\Application Data\{A9609760-A609-46DE-893D-55E123A7086F}\offline\ACF70AF1\387EEA1E\IsDRM.dll
2005-02-06 01:48 32768 --a------ C:\Documents and Settings\All Users\Application Data\{A9609760-A609-46DE-893D-55E123A7086F}\offline\23A27872\387EEA1E\IsDRM.dll
2004-03-09 08:30 152848 --a------ C:\Documents and Settings\All Users\Application Data\{A9609760-A609-46DE-893D-55E123A7086F}\offline\6A023CFF\431AE4FA\COMDLG32.OCX
2003-05-14 03:50 24576 --a------ C:\Documents and Settings\All Users\Application Data\{A9609760-A609-46DE-893D-55E123A7086F}\offline\1EB8D3D\5D8C36FC\AffCreatorDLL.dll
2002-07-19 20:18 157696 --a------ C:\Documents and Settings\All Users\Application Data\{A9609760-A609-46DE-893D-55E123A7086F}\offline\63E85F6B\431AE4FA\OggEnc.exe
2001-12-07 17:15 448192 --a------ C:\Documents and Settings\All Users\Application Data\{A9609760-A609-46DE-893D-55E123A7086F}\offline\9CE35685\1D139F4\Tab32x30.ocx


((((((((((((((((((((((((((((( snapshot_2008-05-20_21.59.27.75 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-20 18:08:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-03 09:05:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 09:26:08 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
+ 2007-07-18 11:19:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
+ 2005-02-10 04:26:20 86,016 ----a-w C:\WINDOWS\system32\ExControl.dll
+ 2005-05-17 20:37:10 76,800 ----a-w C:\WINDOWS\system32\Faac.exe
+ 2005-02-05 22:18:08 32,768 ----a-w C:\WINDOWS\system32\IsDRM.dll
+ 2005-11-05 23:34:50 145,408 ----a-w C:\WINDOWS\system32\Lame.exe
+ 2002-07-19 16:48:22 157,696 ----a-w C:\WINDOWS\system32\OggEnc.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-04-15 23:25 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe" [2008-04-21 17:49 146432]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 13:27 222208]
"ShStatEXE"="D:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50 112216]
"McAfeeUpdaterUI"="D:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 11:27 136768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15 1634304]

C:\Documents and Settings\baba\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.jxvd"= JetMPVx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"D:\\program files\\McAfee\\Common Framework\\FrameworkService.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8f3c410-21ce-11dd-b7fa-9a48bb3eb089}]
\Shell\AutoRun\command - 4sv.exe
\Shell\explore\Command - 4sv.exe
\Shell\open\Command - 4sv.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-03 17:57:57
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-03 17:58:28
ComboFix-quarantined-files.txt 2008-06-03 14:28:26
ComboFix5.txt 2008-05-20 18:30:12
ComboFix4.txt 2008-05-20 18:36:50
ComboFix3.txt 2008-05-27 07:01:20
ComboFix2.txt 2008-05-31 05:58:28

Pre-Run: 11,389,599,744 bytes free
Post-Run: 11,466,014,720 bytes free

180
------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.14
Database version: 817

8:37:45 PM 6/3/2008
mbam-log-6-3-2008 (20-37-45).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 96788
Time elapsed: 34 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
-------------------------------------------------------------------Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:08:57 PM, on 6/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\McAfee\Common Framework\FrameworkService.exe
D:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
D:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
D:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\JetAudio\JetAudio.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.modares.ac.ir:80
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - D:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - D:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - D:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - D:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 5010 bytes
hosein
Active Member
 
Posts: 13
Joined: April 27th, 2008, 10:00 am

Re: requesting help

Unread postby Bio-Hazard » June 6th, 2008, 2:14 am

Hello!

How is your computer running now?



You are getting infected from your flash drive/memory stick. Plug in the flash drive/memory stick NOW.

Run CFScript

Open Notepad and copy/paste the text in the box into the window:

Code: Select all
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8f3c410-21ce-11dd-b7fa-9a48bb3eb089}]


Save it to your desktop as CFScript.txt

Refering to the picture above drag CFScript.txt into ComboFix.exe Image This will let ComboFix runagain. Restart if you have to. Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall


KEEP YOUR FLASH DRIVE/MEMORY STICK PLUGGED IN


Delete files and folders

  • Using Start > Search > All Files and Folders
  • Click Advanced Options and make sure the following are ticked Search system folders, Search hidden files and folders, Search subfolders
  • Enter 4sv.exe in the 'All or part of file name' box
  • Select My computer in the 'Look in' dropdown box
  • Click Search Now
  • Right-click on file that was found and select Delete
  • Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.



Logs/Information to Post in Reply

Please post the following logs/Information in your reply

  • Combofix Log
  • A fresh HijackThis Log ( after all the above has been done)
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: requesting help

Unread postby hosein » June 7th, 2008, 11:35 am

Hi tnx for helping me .my computer is running well now.
About 4sv.exe I searched it the same as you said, but there was no sign of it. urs Hosein

ComboFix 08-05-29.1 - baba 2008-06-07 17:43:53.9 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.442 [GMT 3.5:30]
Running from: C:\Documents and Settings\baba\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\baba\Desktop\cfscript.txt
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-05-07 to 2008-06-07 )))))))))))))))))))))))))))))))
.

2008-06-06 16:33 . 2008-06-07 17:11 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-06-06 16:28 . 2008-06-06 16:28 <DIR> d-------- C:\Documents and Settings\baba\Application Data\Ahead
2008-06-06 16:25 . 2008-06-06 16:25 <DIR> d-------- C:\Program Files\Nero
2008-06-06 16:25 . 2008-06-06 16:25 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-06-06 16:25 . 2008-06-06 16:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-06-03 19:30 . 2008-06-03 19:30 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-03 19:30 . 2008-06-03 19:30 <DIR> d-------- C:\Documents and Settings\baba\Application Data\Malwarebytes
2008-06-03 19:30 . 2008-06-03 19:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-03 19:30 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-03 19:30 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-03 18:25 . 2008-06-03 18:25 <DIR> d-------- C:\Program Files\CCleaner
2008-06-01 16:16 . 2008-06-03 15:14 231 --a------ C:\WINDOWS\RtlRack.ini
2008-05-31 09:58 . 2008-05-31 09:58 <DIR> d-------- C:\Program Files\Panda Security
2008-05-30 23:01 . 2008-05-30 23:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-30 23:00 . 2008-05-30 23:00 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\{A9609760-A609-46DE-893D-55E123A7086F}
2008-05-30 22:16 . 2008-05-30 22:16 <DIR> d-------- C:\Program Files\MIKSOFT
2008-05-30 10:32 . 2005-07-03 21:05 <DIR> d-------- C:\Program Files\Lib
2008-05-30 10:32 . 2005-07-03 21:05 <DIR> d-------- C:\Program Files\DSFilter
2008-05-30 10:32 . 2005-07-03 21:05 <DIR> d-------- C:\Program Files\AudioPlugins
2008-05-27 09:11 . 2008-05-27 09:11 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-05-23 16:42 . 2008-05-23 16:42 323,584 --a------ C:\WINDOWS\system32\AudioGenie2.dll
2008-05-20 22:15 . 2008-05-20 22:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-18 14:15 . 2008-05-18 14:16 <DIR> d-------- C:\Program Files\Wondershare
2008-05-17 18:33 . 2008-05-17 18:33 450,560 --a------ C:\WINDOWS\system32\Asoedmms.ocx
2008-05-17 18:32 . 2008-05-17 18:32 1,122,304 --a------ C:\WINDOWS\system32\AdjMmsEng.dll
2008-05-15 15:46 . 2008-05-15 15:46 <DIR> d--hs---- C:\Documents and Settings\baba\Phone Browser
2008-05-14 16:53 . 2008-05-14 16:53 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-05-14 16:53 . 2008-05-14 16:53 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-05-14 16:53 . 2008-05-14 16:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-14 16:53 . 2006-12-19 15:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-05-14 16:53 . 2007-02-22 20:50 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-05-14 16:53 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-05-14 16:53 . 2006-11-30 08:50 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-05-14 16:53 . 2006-11-30 08:50 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-05-14 16:53 . 2006-11-30 08:50 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-05-14 16:53 . 2006-12-19 15:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-05-13 19:43 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-13 19:43 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-05-13 19:43 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-13 19:43 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-05-13 19:43 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-05-13 19:43 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-05-13 19:34 . 2008-05-13 19:34 <DIR> d-------- C:\Documents and Settings\baba\Application Data\Lavasoft
2008-05-12 23:10 . 2008-05-12 23:10 544,768 --a------ C:\WINDOWS\system32\AudioConverter.dll
2008-05-08 16:22 . 2008-05-08 16:22 <DIR> d--hs---- C:\FOUND.002

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 10:29 --------- d-----w C:\Documents and Settings\hadi\Application Data\PC Suite
2008-04-30 16:57 --------- d-----w C:\Program Files\Combo-Fix
2008-04-25 06:19 --------- d-----w C:\Documents and Settings\baba\Application Data\Nokia Multimedia Player
2008-04-25 05:05 --------- d-----w C:\Documents and Settings\baba\Application Data\Nokia
2008-04-25 05:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-04-25 05:04 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-04-25 05:04 --------- d-----w C:\Program Files\Nokia
2008-04-25 05:04 --------- d-----w C:\Program Files\DIFX
2008-04-25 05:04 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-04-25 05:04 --------- d-----w C:\Program Files\Common Files\Nokia
2008-04-25 05:04 --------- d-----w C:\Documents and Settings\baba\Application Data\PC Suite
2008-04-25 05:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-04-22 04:51 276,320 ----a-w C:\Documents and Settings\baba\Application Data\GDIPFONTCACHEV1.DAT
2008-04-21 15:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-21 15:41 --------- d-----w C:\Program Files\Yahoo!
2008-04-21 14:53 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-21 14:53 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-04-21 14:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-04-21 14:49 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-21 14:37 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-21 14:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-21 14:28 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-21 14:28 --------- d-----w C:\Program Files\JetAudio
2008-04-21 14:27 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-21 14:26 --------- d-----w C:\Program Files\Common Files\L&H
2008-04-21 14:20 --------- d-----w C:\Documents and Settings\baba\Application Data\COWON
2008-04-21 14:19 --------- d-----w C:\Program Files\Real
2008-04-21 14:19 --------- d-----w C:\Program Files\Common Files\Real
.

((((((((((((((((((((((((((((( snapshot_2008-05-20_21.59.27.75 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-20 18:08:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-07 07:26:18 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 09:26:08 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
+ 2007-07-18 11:19:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
+ 2008-06-06 12:57:34 25,214 ----a-r C:\WINDOWS\Installer\{2E1A6A90-62A6-4862-9962-81DBFD001033}\ARPPRODUCTICON.exe
+ 2005-02-10 04:26:20 86,016 ----a-w C:\WINDOWS\system32\ExControl.dll
+ 2005-05-17 20:37:10 76,800 ----a-w C:\WINDOWS\system32\Faac.exe
+ 2004-07-26 13:46:10 1,568,768 ----a-w C:\WINDOWS\system32\imagX7.dll
+ 2004-07-26 13:46:10 476,320 ----a-w C:\WINDOWS\system32\imagXpr7.dll
+ 2004-07-26 13:46:10 262,144 ----a-w C:\WINDOWS\system32\imagXR7.dll
+ 2004-07-26 13:46:10 471,040 ----a-w C:\WINDOWS\system32\imagXRA7.dll
+ 2005-02-05 22:18:08 32,768 ----a-w C:\WINDOWS\system32\IsDRM.dll
+ 2005-11-05 23:34:50 145,408 ----a-w C:\WINDOWS\system32\Lame.exe
+ 2007-04-24 10:53:08 95,864 ----a-w C:\WINDOWS\system32\NeroCo.dll
+ 2002-07-19 16:48:22 157,696 ----a-w C:\WINDOWS\system32\OggEnc.exe
+ 2004-07-09 06:13:56 364,544 ----a-w C:\WINDOWS\system32\TwnLib4.dll
+ 2007-04-24 10:57:22 972,336 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
+ 2007-04-11 08:57:46 972,336 ----a-w C:\WINDOWS\UNNeroShowTime.exe
+ 2007-04-24 11:16:40 972,336 ----a-w C:\WINDOWS\UNNeroVision.exe
+ 2008-06-06 13:00:28 1,233,920 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d\msxml4.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-04-15 23:25 1694208]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-04-24 14:25 149040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe" [2008-04-21 17:49 146432]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 13:27 222208]
"ShStatEXE"="D:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50 112216]
"McAfeeUpdaterUI"="D:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 11:27 136768]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-15 21:02 153136]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2007-04-16 01:52 169984]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15 1634304]

C:\Documents and Settings\baba\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.jxvd"= JetMPVx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"WmiApSrv"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"D:\\program files\\McAfee\\Common Framework\\FrameworkService.exe"=


.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-07 17:45:17
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-07 17:45:49
ComboFix-quarantined-files.txt 2008-06-07 14:15:46
ComboFix5.txt 2008-05-20 18:36:50
ComboFix4.txt 2008-05-27 07:01:20
ComboFix3.txt 2008-05-31 05:58:28
ComboFix2.txt 2008-06-03 14:28:30

Pre-Run: 10,568,171,520 bytes free
Post-Run: 10,654,515,200 bytes free

163
-----------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:50:26 PM, on 6/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\McAfee\Common Framework\FrameworkService.exe
D:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
D:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
D:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
D:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.modares.ac.ir:80
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - D:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - D:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - D:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - D:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 5335 bytes
hosein
Active Member
 
Posts: 13
Joined: April 27th, 2008, 10:00 am

Re: requesting help

Unread postby Bio-Hazard » June 8th, 2008, 9:31 am

Your log now appears to be clean. Congratulations!

You can get rid of the tools we used:
  • Flash Disinfector (You can delete the exe file from your desktop)
  • CCleaner (I would recommed to keep this program)
  • Malwarebytes' Anti-Malware (I would recommed to keep this program)

This is how you can uninstall it/them:

  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):

    Malwarebytes' Anti-Malware
    CCleaner

NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.


Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints. You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.

    Delete ComboFix and Clean Up
    Click Start > Run > type combofix /u > OK (Note the space between combofix and /u)
    Image
    Please advise if this step is missed for any reason as it performs some important actions.

    Protection Programs
    Don't forget to re-enable any protection programs we disabled during your fix.

    General Security and Computer Health
    Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.

    • Clear Infected System Restore Points
      • Turn System Restore off
      • On the Desktop, right click on the My Computer icon.
      • Click Properties.
      • Click the System Restore tab.
      • Check Turn off System Restore.
      • Click Apply, and then click OK.
        Restart your computer
      • Turn System Restore on
      • On the Desktop, right click on the My Computer icon.
      • Click Properties.
      • Click the System Restore tab.
      • Uncheck *Turn off System Restore*.
      • Click Apply, and then click OK.
      Note: only do this once,and not on a regular basis

    • Set correct settings for files
      • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
      • Under Hidden files and folders if necessary select Do not show hidden files and folders.
      • If unchecked please check Hide protected operating system files (Recommended)
      • If necessary check Display content of system folders
      • If necessary Uncheck Hide file extensions for known file types.
      • Click OK

    • Make sure that you keep your antivirus updated
      New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
      Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
    • Install and use a firewall with outbound protection
      The Windows firewall only monitors incoming traffic, NOT outgoing. Using a software firewall in its default configuration to replace the Windows firewall greatly reduces the risk of your computer being hacked. Make sure your firewall is always enabled while your computer is connected to the internet.
      Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
    • Security Updates for Windows, Internet Explorer & Microsoft Office
      Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
      Note: The update process uses ActiveX, so you will need to use internet explorer for it and allow the ActiveX control to install.
    • Update Non-Microsoft Programs
      Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.
    • Make Internet Explorer More Secure
      You are using Internet Explorer v. 7. Therefore please read and follow the recommendations at this SITE


    Recommended Programs

    I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

    • WinPatrol
      As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
    • SpywareBlaster
      SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE. You can download SpywareBlaster from HERE.
    • Hosts File
      For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.
    • Use an alternative Internet Browser
      Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
      Firefox
      Opera


Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!

Bio-Hazard
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: requesting help

Unread postby Vino Rosso » June 11th, 2008, 6:17 am

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link: >Donations For Malware Removal<

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 58 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware