Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Possible malware infection

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Possible malware infection

Unread postby billetpete » April 16th, 2008, 10:04 pm

I too think that my pc has been hit by some sort of malware as I am having problems with extra windows opening when I start IE so I'm hoping that you guys can take a look at my HijackThis log file and advise me what to do next!! Also,you probably need to know that this pc has multiple user accounts.Thanks


Logfile of HijackThis v1.99.1
Scan saved at 10:01:23 PM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\virus protection\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Virus protection\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\program files\virus protection\eTrust EZ Antivirus\CAVRID.exe
C:\program files\virus protection\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ctfmon.exe
D:\PROGRA~1\ROADRU~1\PHOTOS~1\data\Xtras\mssysmgr.exe
D:\Program Files\Proxomitron\Proxomitron.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\virus protection\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\My Documents\Downloads\hijackthis1991.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:2020
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3E9144D1-A39B-46D2-BF31-E6E7A992F59F} - C:\WINDOWS\system32\rqRIcywT.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {C3E15DFE-D990-4C3F-9BE2-4CF4E3E007CE} - C:\WINDOWS\system32\ddcAtTLc.dll (file missing)
O4 - HKLM\..\Run: [QOELOADER] "c:\Program Files\Virus protection\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "c:\program files\virus protection\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "c:\program files\virus protection\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [RegisterDropHandler] D:\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [InstantAccess] D:\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [b475a848] rundll32.exe "C:\WINDOWS\system32\lwnbbtny.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [hwazcokx] C:\WINDOWS\system32\tkhchkjs.exe
O4 - HKCU\..\Run: [Road Runner PhotoShow Media Manager] D:\PROGRA~1\ROADRU~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [kzdrlgwc] C:\WINDOWS\system32\alabofwr.exe
O4 - Startup: Proxomitron.lnk = D:\Program Files\Proxomitron\Proxomitron.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.cmt.com
O15 - Trusted Zone: http://pages.ebay.com
O15 - Trusted Zone: http://*.vintagesleds.com
O15 - Trusted Zone: http://www.youtube.com
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.co.uk/save/makeover.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v47/sh ... Loader.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testge ... nstall.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pe ... stscan.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 0844104875
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005 ... scan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/Pe ... lAsst2.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: dsktbwfe - {9EB36178-7649-4F29-B8AD-A4E983832E93} - C:\WINDOWS\dsktbwfe.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - c:\program files\virus protection\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - c:\program files\virus protection\eTrust EZ Antivirus\VetMsg.exe
billetpete
Active Member
 
Posts: 11
Joined: April 15th, 2008, 7:29 am
Advertisement
Register to Remove

Re: Possible malware infection

Unread postby Shaba » April 19th, 2008, 6:02 am

Hi billetpete

Yes you are right.

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Possible malware infection

Unread postby billetpete » April 19th, 2008, 7:12 am

As per your instructions,here's the files !!!!

Logfile of HijackThis v1.99.1
Scan saved at 7:07:53 AM, on 4/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\virus protection\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\virus protection\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Virus protection\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\program files\virus protection\eTrust EZ Antivirus\CAVRID.exe
C:\program files\virus protection\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ctfmon.exe
D:\PROGRA~1\ROADRU~1\PHOTOS~1\data\Xtras\mssysmgr.exe
D:\Program Files\Proxomitron\Proxomitron.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
D:\My Documents\Downloads\hijackthis1991.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:2020
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {52369F6D-A36C-446C-98B4-3242EE59ED64} - C:\WINDOWS\system32\rqRIcywT.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [QOELOADER] "c:\Program Files\Virus protection\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "c:\program files\virus protection\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "c:\program files\virus protection\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [RegisterDropHandler] D:\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [InstantAccess] D:\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [hwazcokx] C:\WINDOWS\system32\tkhchkjs.exe
O4 - HKCU\..\Run: [Road Runner PhotoShow Media Manager] D:\PROGRA~1\ROADRU~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [kzdrlgwc] C:\WINDOWS\system32\alabofwr.exe
O4 - Startup: Proxomitron.lnk = D:\Program Files\Proxomitron\Proxomitron.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.cmt.com
O15 - Trusted Zone: http://pages.ebay.com
O15 - Trusted Zone: http://*.vintagesleds.com
O15 - Trusted Zone: http://www.youtube.com
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.co.uk/save/makeover.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v47/sh ... Loader.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testge ... nstall.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pe ... stscan.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 0844104875
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005 ... scan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/Pe ... lAsst2.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - c:\program files\virus protection\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - c:\program files\virus protection\eTrust EZ Antivirus\VetMsg.exe

ComboFix 08-04-18.3 - Dad 2008-04-19 6:37:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.86 [GMT -4:00]
Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Dad\Desktopblackbird.jpg
C:\Documents and Settings\Dad\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\Dad\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\Dad\Desktopfilemanagerclient.exe
C:\Documents and Settings\Dad\Desktopfkwp1.5.exe
C:\Documents and Settings\Dad\Desktopfkwp2.0.exe
C:\Documents and Settings\Dad\Desktopfwebd.exe
C:\Documents and Settings\Dad\DesktopFWebdEditor.exe
C:\Documents and Settings\Dad\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\Dad\Desktopvirii
C:\Program Files\PC-Cleaner
C:\WINDOWS\a.bat
C:\WINDOWS\base64.tmp
C:\WINDOWS\bdn.com
C:\WINDOWS\cookies.ini
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\mssecu.exe
C:\WINDOWS\rs.txt
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\gwdkuhst.dll
C:\WINDOWS\system32\ljxqqwkk.ini
C:\WINDOWS\system32\nchgmfrs.ini
C:\WINDOWS\system32\nnbefqwh.ini
C:\WINDOWS\system32\pdcrxqmx.ini
C:\WINDOWS\system32\tshukdwg.ini
C:\WINDOWS\system32\TwycIRqr.ini
C:\WINDOWS\system32\TwycIRqr.ini2
C:\WINDOWS\system32\ylfnplfi.ini
C:\WINDOWS\system32\yntbbnwl.ini
C:\WINDOWS\system32akttzn.exe
C:\WINDOWS\system32anticipator.dll
C:\WINDOWS\system32awtoolb.dll
C:\WINDOWS\system32bdn.com
C:\WINDOWS\system32bsva-egihsg52.exe
C:\WINDOWS\system32dpcproxy.exe
C:\WINDOWS\system32emesx.dll
C:\WINDOWS\system32h@tkeysh@@k.dll
C:\WINDOWS\system32hoproxy.dll
C:\WINDOWS\system32hxiwlgpm.dat
C:\WINDOWS\system32hxiwlgpm.exe
C:\WINDOWS\system32medup012.dll
C:\WINDOWS\system32medup020.dll
C:\WINDOWS\system32msgp.exe
C:\WINDOWS\system32msnbho.dll
C:\WINDOWS\system32mssecu.exe
C:\WINDOWS\system32msvchost.exe
C:\WINDOWS\system32mtr2.exe
C:\WINDOWS\system32mwin32.exe
C:\WINDOWS\system32netode.exe
C:\WINDOWS\system32newsd32.exe
C:\WINDOWS\system32ps1.exe
C:\WINDOWS\system32psof1.exe
C:\WINDOWS\system32psoft1.exe
C:\WINDOWS\system32regc64.dll
C:\WINDOWS\system32regm64.dll
C:\WINDOWS\system32Rundl1.exe
C:\WINDOWS\system32smp
C:\WINDOWS\system32smp\msrc.exe
C:\WINDOWS\system32sncntr.exe
C:\WINDOWS\system32ssurf022.dll
C:\WINDOWS\system32ssvchost.com
C:\WINDOWS\system32ssvchost.exe
C:\WINDOWS\system32sysreq.exe
C:\WINDOWS\system32taack.dat
C:\WINDOWS\system32taack.exe
C:\WINDOWS\system32temp#01.exe
C:\WINDOWS\system32thun.dll
C:\WINDOWS\system32thun32.dll
C:\WINDOWS\system32VBIEWER.OCX
C:\WINDOWS\system32vbsys2.dll
C:\WINDOWS\system32vcatchpi.dll
C:\WINDOWS\system32winlogonpc.exe
C:\WINDOWS\system32winsystem.exe
C:\WINDOWS\system32WINWGPX.EXE
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\winsystem.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.

2008-04-16 16:43 . 2008-04-16 16:50 250 --a------ C:\WINDOWS\gmer.ini
2008-04-16 15:55 . 2008-04-16 16:08 2,534 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-16 05:38 . 2008-04-18 18:05 <DIR> d-------- C:\qrnt
2008-04-15 15:35 . 2008-04-16 17:17 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-04-14 21:18 . 2008-04-14 21:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-14 20:33 . 2008-04-14 20:34 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\PC-Cleaner
2008-04-14 19:48 . 2008-04-14 19:48 25,992 --a------ C:\WINDOWS\system32\pgdfgsvc.exe
2008-04-12 18:19 . 2008-04-12 18:19 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\TmpRecentIcons
2008-04-12 16:15 . 2008-04-16 17:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\dcpmjgvw
2008-04-09 22:56 . 2008-04-09 23:03 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-04-04 21:02 . 2008-04-04 21:02 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-04 21:01 . 2008-04-04 21:01 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-04 21:01 . 2008-04-04 21:01 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-27 18:06 . 2008-03-27 18:06 743,621 --a------ C:\WINDOWS\system32\RPUpdates.zip
2008-03-27 17:12 . 2008-03-27 18:06 45 --a------ C:\WINDOWS\system32\RPVersion.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 01:16 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-05 15:54 --------- d-----w C:\Program Files\Yahoo!
2008-04-05 15:52 --------- d-----w C:\Documents and Settings\Dad\Application Data\Road Runner
2008-04-05 13:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-29 10:56 --------- d-----w C:\Program Files\Safer Networking
2008-03-29 10:54 --------- d-----w C:\Program Files\Yahoo! Games
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-16 15:46 --------- d-----w C:\Documents and Settings\Dad\Application Data\Apple Computer
2008-03-06 00:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-01 22:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-02-11 13:39 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
2008-02-11 13:39 237,568 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
2008-02-08 17:53 110,592 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
2008-02-05 12:48 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
2006-04-03 23:25 83 -c--a-w C:\Documents and Settings\Dad\Application Data\hexplorer.dat
2006-04-03 23:25 4 -c--a-w C:\Documents and Settings\Dad\Application Data\mclip.dat
2006-03-06 23:52 1,118,240 -c-ha-r C:\Documents and Settings\Dad\USER.DAT
2001-08-22 17:15 245,760 -c--a-w C:\WINDOWS\inf\i386\viceo.dll
2001-08-22 17:13 61,440 -c--a-w C:\WINDOWS\inf\i386\gl.dll
2001-08-22 17:13 32,768 -c--a-w C:\WINDOWS\inf\i386\Pmicro.dll
2001-08-03 22:29 13,824 -c--a-w C:\WINDOWS\inf\i386\Usbscan.sys
2001-04-19 13:00 15,716 ----a-w C:\WINDOWS\inf\i386\Pmxscan.sys
2006-11-01 23:58 848 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{52369F6D-A36C-446C-98B4-3242EE59ED64}]
C:\WINDOWS\system32\rqRIcywT.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"hwazcokx"="C:\WINDOWS\system32\tkhchkjs.exe" [ ]
"Road Runner PhotoShow Media Manager"="D:\PROGRA~1\ROADRU~1\PHOTOS~1\data\Xtras\mssysmgr.exe" [2007-06-22 17:08 357616]
"kzdrlgwc"="C:\WINDOWS\system32\alabofwr.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QOELOADER"="c:\Program Files\Virus protection\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe" [2006-03-06 20:32 6656]
"CAVRID"="c:\program files\virus protection\eTrust EZ Antivirus\CAVRID.exe" [2006-03-06 20:32 185456]
"CaAvTray"="c:\program files\virus protection\eTrust EZ Antivirus\CAVTray.exe" [2006-03-06 20:32 230512]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2004-01-30 08:44 1921024]
"RegisterDropHandler"="D:\TEXTBR~1.0\Bin\REGIST~1.EXE" [ ]
"InstantAccess"="D:\TEXTBR~1.0\Bin\INSTAN~1.exe" [ ]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 02:05 122939]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]

C:\Documents and Settings\Dad\Start Menu\Programs\Startup\
Proxomitron.lnk - D:\Program Files\Proxomitron\Proxomitron.exe [2006-03-16 19:47:28 295424]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"PmFVy0JL28"= C:\Documents and Settings\All Users\Application Data\dcpmjgvw\lshkpaho.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Outlook Express\\msimn.exe"=
"C:\\Program Files\\Virus protection\\eTrust EZ Antivirus\\autodown.exe"=
"C:\\Program Files\\ABBYY FineReader 5.0 Sprint\\Sprint.exe"=
"C:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"\\\\Hallway\\c\\Program Files\\AIM95\\aim.exe"=

R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-04 01:29]
S3 ati2mpaa;ati2mpaa;C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys [2001-08-17 16:48]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a72736fd-dd97-11dc-a68a-00042324241e}]
\Shell\AutoRun\command - F:\Autorun.exe /run
\Shell\Shell00\Command - F:\Autorun.exe /run
\Shell\Shell01\Command - F:\Autorun.exe /action
\Shell\Shell02\Command - F:\Autorun.exe /uninstall

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 06:59:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Virus protection\eTrust EZ Antivirus\iSafe.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Virus protection\eTrust EZ Antivirus\VetMsg.exe
.
**************************************************************************
.
Completion time: 2008-04-19 7:04:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-19 11:04:05

Pre-Run: 1,941,868,544 bytes free
Post-Run: 3,072,061,440 bytes free

214 --- E O F --- 2008-04-13 17:59:05
billetpete
Active Member
 
Posts: 11
Joined: April 15th, 2008, 7:29 am

Re: Possible malware infection

Unread postby Shaba » April 19th, 2008, 7:30 am

Hi

Your HijackThis is outdated.

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Possible malware infection

Unread postby billetpete » April 19th, 2008, 7:37 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:36:01 AM, on 4/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\virus protection\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\virus protection\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Virus protection\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\program files\virus protection\eTrust EZ Antivirus\CAVRID.exe
C:\program files\virus protection\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ctfmon.exe
D:\PROGRA~1\ROADRU~1\PHOTOS~1\data\Xtras\mssysmgr.exe
D:\Program Files\Proxomitron\Proxomitron.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Dad\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:2020
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {52369F6D-A36C-446C-98B4-3242EE59ED64} - C:\WINDOWS\system32\rqRIcywT.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [QOELOADER] "c:\Program Files\Virus protection\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "c:\program files\virus protection\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "c:\program files\virus protection\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [RegisterDropHandler] D:\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [InstantAccess] D:\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [hwazcokx] C:\WINDOWS\system32\tkhchkjs.exe
O4 - HKCU\..\Run: [Road Runner PhotoShow Media Manager] D:\PROGRA~1\ROADRU~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [kzdrlgwc] C:\WINDOWS\system32\alabofwr.exe
O4 - HKLM\..\Policies\Explorer\Run: [PmFVy0JL28] C:\Documents and Settings\All Users\Application Data\dcpmjgvw\lshkpaho.exe
O4 - Startup: Proxomitron.lnk = D:\Program Files\Proxomitron\Proxomitron.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://www.cmt.com
O15 - Trusted Zone: http://pages.ebay.com
O15 - Trusted Zone: http://*.vintagesleds.com
O15 - Trusted Zone: http://www.youtube.com
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.co.uk/save/makeover.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v47/sh ... Loader.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testge ... nstall.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pe ... stscan.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 0844104875
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005 ... scan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/Pe ... lAsst2.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - c:\program files\virus protection\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - c:\program files\virus protection\eTrust EZ Antivirus\VetMsg.exe

--
End of file - 6102 bytes
billetpete
Active Member
 
Posts: 11
Joined: April 15th, 2008, 7:29 am

Re: Possible malware infection

Unread postby Shaba » April 19th, 2008, 7:49 am

Hi

Do you recognize this folder?

C:\qrnt
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Possible malware infection

Unread postby billetpete » April 19th, 2008, 7:55 am

No I don't,why do you ask? Is it maybe a quarratine folder?
billetpete
Active Member
 
Posts: 11
Joined: April 15th, 2008, 7:29 am

Re: Possible malware infection

Unread postby Shaba » April 19th, 2008, 8:01 am

Hi

I asked because it looks like a quarantine folder to me but I'm not sure. Let's find out what it is:

Open notepad and copy/paste the text in the codebox below into it:

Code: Select all
File::
C:\WINDOWS\system32\pgdfgsvc.exe

Folder::
C:\Documents and Settings\Dad\Application Data\PC-Cleaner
C:\Documents and Settings\All Users\Application Data\dcpmjgvw

DirLook:
C:\qrnt

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{52369F6D-A36C-446C-98B4-3242EE59ED64}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hwazcokx"=-
"kzdrlgwc"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"PmFVy0JL28"=-


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Possible malware infection

Unread postby billetpete » April 19th, 2008, 8:28 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:23:16 AM, on 4/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\virus protection\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\virus protection\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Virus protection\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\program files\virus protection\eTrust EZ Antivirus\CAVRID.exe
C:\program files\virus protection\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ctfmon.exe
D:\PROGRA~1\ROADRU~1\PHOTOS~1\data\Xtras\mssysmgr.exe
D:\Program Files\Proxomitron\Proxomitron.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dad\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:2020
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {52369F6D-A36C-446C-98B4-3242EE59ED64} - C:\WINDOWS\system32\rqRIcywT.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [QOELOADER] "c:\Program Files\Virus protection\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "c:\program files\virus protection\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "c:\program files\virus protection\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [RegisterDropHandler] D:\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [InstantAccess] D:\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [hwazcokx] C:\WINDOWS\system32\tkhchkjs.exe
O4 - HKCU\..\Run: [Road Runner PhotoShow Media Manager] D:\PROGRA~1\ROADRU~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [kzdrlgwc] C:\WINDOWS\system32\alabofwr.exe
O4 - HKLM\..\Policies\Explorer\Run: [PmFVy0JL28] C:\Documents and Settings\All Users\Application Data\dcpmjgvw\lshkpaho.exe
O4 - Startup: Proxomitron.lnk = D:\Program Files\Proxomitron\Proxomitron.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://www.cmt.com
O15 - Trusted Zone: http://pages.ebay.com
O15 - Trusted Zone: http://*.vintagesleds.com
O15 - Trusted Zone: http://www.youtube.com
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.co.uk/save/makeover.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v47/sh ... Loader.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testge ... nstall.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pe ... stscan.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 0844104875
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005 ... scan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/Pe ... lAsst2.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - c:\program files\virus protection\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - c:\program files\virus protection\eTrust EZ Antivirus\VetMsg.exe

--
End of file - 6151 bytes


ComboFix 08-04-18.3 - Dad 2008-04-19 8:08:00.2 - NTFSx86
Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.

2008-04-16 16:43 . 2008-04-16 16:50 250 --a------ C:\WINDOWS\gmer.ini
2008-04-16 15:55 . 2008-04-16 16:08 2,534 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-16 05:38 . 2008-04-18 18:05 <DIR> d-------- C:\qrnt
2008-04-15 15:35 . 2008-04-16 17:17 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-04-14 21:18 . 2008-04-14 21:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-14 20:33 . 2008-04-14 20:34 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\PC-Cleaner
2008-04-14 19:48 . 2008-04-14 19:48 25,992 --a------ C:\WINDOWS\system32\pgdfgsvc.exe
2008-04-12 18:19 . 2008-04-12 18:19 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\TmpRecentIcons
2008-04-12 16:15 . 2008-04-16 17:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\dcpmjgvw
2008-04-09 22:56 . 2008-04-09 23:03 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-04-04 21:02 . 2008-04-04 21:02 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-04 21:01 . 2008-04-04 21:01 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-04 21:01 . 2008-04-04 21:01 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-27 18:06 . 2008-03-27 18:06 743,621 --a------ C:\WINDOWS\system32\RPUpdates.zip
2008-03-27 17:12 . 2008-03-27 18:06 45 --a------ C:\WINDOWS\system32\RPVersion.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 01:16 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-05 15:54 --------- d-----w C:\Program Files\Yahoo!
2008-04-05 15:52 --------- d-----w C:\Documents and Settings\Dad\Application Data\Road Runner
2008-04-05 13:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-29 10:56 --------- d-----w C:\Program Files\Safer Networking
2008-03-29 10:54 --------- d-----w C:\Program Files\Yahoo! Games
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-16 15:46 --------- d-----w C:\Documents and Settings\Dad\Application Data\Apple Computer
2008-03-06 00:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-01 22:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-02-11 13:39 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
2008-02-11 13:39 237,568 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
2008-02-08 17:53 110,592 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
2008-02-05 12:48 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
2006-04-03 23:25 83 -c--a-w C:\Documents and Settings\Dad\Application Data\hexplorer.dat
2006-04-03 23:25 4 -c--a-w C:\Documents and Settings\Dad\Application Data\mclip.dat
2006-03-06 23:52 1,118,240 -c-ha-r C:\Documents and Settings\Dad\USER.DAT
2001-08-22 17:15 245,760 -c--a-w C:\WINDOWS\inf\i386\viceo.dll
2001-08-22 17:13 61,440 -c--a-w C:\WINDOWS\inf\i386\gl.dll
2001-08-22 17:13 32,768 -c--a-w C:\WINDOWS\inf\i386\Pmicro.dll
2001-08-03 22:29 13,824 -c--a-w C:\WINDOWS\inf\i386\Usbscan.sys
2001-04-19 13:00 15,716 ----a-w C:\WINDOWS\inf\i386\Pmxscan.sys
2006-11-01 23:58 848 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{52369F6D-A36C-446C-98B4-3242EE59ED64}]
C:\WINDOWS\system32\rqRIcywT.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"hwazcokx"="C:\WINDOWS\system32\tkhchkjs.exe" [ ]
"Road Runner PhotoShow Media Manager"="D:\PROGRA~1\ROADRU~1\PHOTOS~1\data\Xtras\mssysmgr.exe" [2007-06-22 17:08 357616]
"kzdrlgwc"="C:\WINDOWS\system32\alabofwr.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QOELOADER"="c:\Program Files\Virus protection\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe" [2006-03-06 20:32 6656]
"CAVRID"="c:\program files\virus protection\eTrust EZ Antivirus\CAVRID.exe" [2006-03-06 20:32 185456]
"CaAvTray"="c:\program files\virus protection\eTrust EZ Antivirus\CAVTray.exe" [2006-03-06 20:32 230512]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2004-01-30 08:44 1921024]
"RegisterDropHandler"="D:\TEXTBR~1.0\Bin\REGIST~1.EXE" [ ]
"InstantAccess"="D:\TEXTBR~1.0\Bin\INSTAN~1.exe" [ ]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 02:05 122939]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]

C:\Documents and Settings\Dad\Start Menu\Programs\Startup\
Proxomitron.lnk - D:\Program Files\Proxomitron\Proxomitron.exe [2006-03-16 19:47:28 295424]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"PmFVy0JL28"= C:\Documents and Settings\All Users\Application Data\dcpmjgvw\lshkpaho.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Outlook Express\\msimn.exe"=
"C:\\Program Files\\Virus protection\\eTrust EZ Antivirus\\autodown.exe"=
"C:\\Program Files\\ABBYY FineReader 5.0 Sprint\\Sprint.exe"=
"C:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"\\\\Hallway\\c\\Program Files\\AIM95\\aim.exe"=

R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-04 01:29]
S3 ati2mpaa;ati2mpaa;C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys [2001-08-17 16:48]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a72736fd-dd97-11dc-a68a-00042324241e}]
\Shell\AutoRun\command - F:\Autorun.exe /run
\Shell\Shell00\Command - F:\Autorun.exe /run
\Shell\Shell01\Command - F:\Autorun.exe /action
\Shell\Shell02\Command - F:\Autorun.exe /uninstall

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 08:15:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-19 8:19:23
ComboFix-quarantined-files.txt 2008-04-19 12:18:38
ComboFix2.txt 2008-04-19 11:05:01

Pre-Run: 3,084,165,120 bytes free
Post-Run: 3,068,186,624 bytes free

115 --- E O F --- 2008-04-13 17:59:05
billetpete
Active Member
 
Posts: 11
Joined: April 15th, 2008, 7:29 am

Re: Possible malware infection

Unread postby Shaba » April 19th, 2008, 8:35 am

Hi

Unfortunately it didn't went right.

You are supposed to create file named CFScript which contains everything in code box and drag & drop it into ComboFix.exe.
So don't just doubleclick Combofix to run it.

Please try again :)
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Possible malware infection

Unread postby billetpete » April 19th, 2008, 8:59 am

Am I supposed to save it as CFScript.txt to my desktop and then drag and drop it into combofix? When I do that ,it does not start the combofix.exe.
billetpete
Active Member
 
Posts: 11
Joined: April 15th, 2008, 7:29 am

Re: Possible malware infection

Unread postby Shaba » April 19th, 2008, 9:05 am

Hi

Yes.

If it doesn't work, do this:

Go to start - run

Type this and click ok:

ComboFix "C:\Documents and Settings\Dad\Desktop\CFScript.txt"

And let me know if it works noe :)
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Possible malware infection

Unread postby billetpete » April 19th, 2008, 9:23 am

ComboFix 08-04-18.3 - Dad 2008-04-19 9:10:13.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.78 [GMT -4:00]
Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dad\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\pgdfgsvc.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\dcpmjgvw
C:\Documents and Settings\Dad\Application Data\PC-Cleaner
C:\Documents and Settings\Dad\Application Data\PC-Cleaner\log.dat
C:\Documents and Settings\Dad\Application Data\PC-Cleaner\settings.dat
C:\WINDOWS\system32\pgdfgsvc.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.

2008-04-16 16:43 . 2008-04-16 16:50 250 --a------ C:\WINDOWS\gmer.ini
2008-04-16 15:55 . 2008-04-16 16:08 2,534 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-16 05:38 . 2008-04-18 18:05 <DIR> d-------- C:\qrnt
2008-04-15 15:35 . 2008-04-16 17:17 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-04-14 21:18 . 2008-04-14 21:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-12 18:19 . 2008-04-12 18:19 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\TmpRecentIcons
2008-04-09 22:56 . 2008-04-09 23:03 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-04-04 21:02 . 2008-04-04 21:02 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-04 21:01 . 2008-04-04 21:01 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-04 21:01 . 2008-04-04 21:01 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-27 18:06 . 2008-03-27 18:06 743,621 --a------ C:\WINDOWS\system32\RPUpdates.zip
2008-03-27 17:12 . 2008-03-27 18:06 45 --a------ C:\WINDOWS\system32\RPVersion.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 01:16 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-05 15:54 --------- d-----w C:\Program Files\Yahoo!
2008-04-05 15:52 --------- d-----w C:\Documents and Settings\Dad\Application Data\Road Runner
2008-04-05 13:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-29 10:56 --------- d-----w C:\Program Files\Safer Networking
2008-03-29 10:54 --------- d-----w C:\Program Files\Yahoo! Games
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-16 15:46 --------- d-----w C:\Documents and Settings\Dad\Application Data\Apple Computer
2008-03-06 00:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-01 22:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-02-11 13:39 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
2008-02-11 13:39 237,568 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
2008-02-08 17:53 110,592 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
2008-02-05 12:48 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
2006-04-03 23:25 83 -c--a-w C:\Documents and Settings\Dad\Application Data\hexplorer.dat
2006-04-03 23:25 4 -c--a-w C:\Documents and Settings\Dad\Application Data\mclip.dat
2006-03-06 23:52 1,118,240 -c-ha-r C:\Documents and Settings\Dad\USER.DAT
2001-08-22 17:15 245,760 -c--a-w C:\WINDOWS\inf\i386\viceo.dll
2001-08-22 17:13 61,440 -c--a-w C:\WINDOWS\inf\i386\gl.dll
2001-08-22 17:13 32,768 -c--a-w C:\WINDOWS\inf\i386\Pmicro.dll
2001-08-03 22:29 13,824 -c--a-w C:\WINDOWS\inf\i386\Usbscan.sys
2001-04-19 13:00 15,716 ----a-w C:\WINDOWS\inf\i386\Pmxscan.sys
2006-11-01 23:58 848 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\qrnt ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"Road Runner PhotoShow Media Manager"="D:\PROGRA~1\ROADRU~1\PHOTOS~1\data\Xtras\mssysmgr.exe" [2007-06-22 17:08 357616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QOELOADER"="c:\Program Files\Virus protection\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe" [2006-03-06 20:32 6656]
"CAVRID"="c:\program files\virus protection\eTrust EZ Antivirus\CAVRID.exe" [2006-03-06 20:32 185456]
"CaAvTray"="c:\program files\virus protection\eTrust EZ Antivirus\CAVTray.exe" [2006-03-06 20:32 230512]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2004-01-30 08:44 1921024]
"RegisterDropHandler"="D:\TEXTBR~1.0\Bin\REGIST~1.EXE" [ ]
"InstantAccess"="D:\TEXTBR~1.0\Bin\INSTAN~1.exe" [ ]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 02:05 122939]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]

C:\Documents and Settings\Dad\Start Menu\Programs\Startup\
Proxomitron.lnk - D:\Program Files\Proxomitron\Proxomitron.exe [2006-03-16 19:47:28 295424]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Outlook Express\\msimn.exe"=
"C:\\Program Files\\Virus protection\\eTrust EZ Antivirus\\autodown.exe"=
"C:\\Program Files\\ABBYY FineReader 5.0 Sprint\\Sprint.exe"=
"C:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"\\\\Hallway\\c\\Program Files\\AIM95\\aim.exe"=

R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-04 01:29]
S3 ati2mpaa;ati2mpaa;C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys [2001-08-17 16:48]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a72736fd-dd97-11dc-a68a-00042324241e}]
\Shell\AutoRun\command - F:\Autorun.exe /run
\Shell\Shell00\Command - F:\Autorun.exe /run
\Shell\Shell01\Command - F:\Autorun.exe /action
\Shell\Shell02\Command - F:\Autorun.exe /uninstall

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 09:17:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-19 9:20:34
ComboFix-quarantined-files.txt 2008-04-19 13:20:10
ComboFix2.txt 2008-04-19 12:19:26
ComboFix3.txt 2008-04-19 11:05:01

Pre-Run: 3,050,590,208 bytes free
Post-Run: 3,034,980,352 bytes free

123 --- E O F --- 2008-04-13 17:59:05
billetpete
Active Member
 
Posts: 11
Joined: April 15th, 2008, 7:29 am

Re: Possible malware infection

Unread postby billetpete » April 19th, 2008, 11:02 am

Okay,Shaba,what's next?
billetpete
Active Member
 
Posts: 11
Joined: April 15th, 2008, 7:29 am

Re: Possible malware infection

Unread postby Shaba » April 19th, 2008, 11:34 am

Hi

Please post back also a fresh HijackThis log :)
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 484 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware