Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Another infected computer! Please assist

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Another infected computer! Please assist

Unread postby makem » November 18th, 2007, 10:00 am

Hi,

ComboFix 07-11-08.3 - makem 2007-11-18 13:54:48.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.636 [GMT 0:00]
Running from: F:\Documents and Settings\makem.HAL\Desktop\ComboFix.exe
Command switches used :: F:\Documents and Settings\makem.HAL\Desktop\CFScript.txt
* Created a new restore point

FILE
F:\Program Files\Common Files\Microsoft Shared\MSInfo\WinKernelUpd.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\Program Files\Common Files\Microsoft Shared\MSInfo\WinKernelUpd.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-18 to 2007-11-18 )))))))))))))))))))))))))))))))
.

2007-11-17 01:45 <DIR> d-------- F:\WINDOWS\system32\Kaspersky Lab
2007-11-17 01:45 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-17 01:43 <DIR> d---s---- F:\Documents and Settings\makem.HAL\UserData
2007-11-15 23:29 51,200 --a------ F:\WINDOWS\NirCmd.exe
2007-11-13 13:10 <DIR> d-------- F:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-18 13:48 --------- d-----w F:\Documents and Settings\makem.HAL\Application Data\MailWasherPro
2007-11-15 14:52 --------- d-----w F:\Program Files\Steam
2007-10-23 13:32 --------- d-----w F:\Program Files\FlashFXP.v3.3.5.1110.BETA5
2007-10-16 11:24 --------- d-----w F:\Program Files\FlashGet
2007-10-16 11:02 1,422 ----a-w F:\Documents and Settings\makem.HAL\clean.reg
2007-10-16 10:24 --------- d-----w F:\Program Files\Executive Software
2007-10-16 10:24 --------- d-----w F:\Program Files\Diskeeper Corporation
2007-10-16 10:24 --------- d-----w F:\Documents and Settings\makem.HAL\Application Data\Leadertech
2007-10-16 10:19 --------- d-----w F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-15 23:45 --------- d-----w F:\Program Files\Dealio
2007-10-15 23:42 --------- d-----w F:\Program Files\Common Files\SWF Studio
2007-10-15 23:33 512,096 ----a-w F:\WINDOWS\system32\drivers\amon.sys
2007-10-15 23:33 298,104 ----a-w F:\WINDOWS\system32\imon.dll
2007-10-15 23:33 15,424 ----a-w F:\WINDOWS\system32\drivers\nod32drv.sys
2007-10-15 22:57 --------- d-----w F:\Documents and Settings\All Users\Application Data\Avg7
2007-10-15 22:55 --------- d-----w F:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-05 20:45 --------- d-----w F:\Program Files\Microsoft Works
2007-10-04 22:10 --------- d-----w F:\Program Files\tz_mIRC
2007-10-04 22:10 --------- d-----w F:\Program Files\geordies_mIRC
2007-10-04 21:36 --------- d-----w F:\Program Files\GuildFTPd
2007-09-29 20:43 --------- d-----w F:\Program Files\Common Files\L&H
2007-09-27 09:07 --------- d-----w F:\Program Files\DigiGuide TV Guide
2007-09-27 09:00 --------- d-----w F:\Program Files\zone_mIRC
2007-09-25 21:19 --------- d-----w F:\Documents and Settings\makem.HAL\Application Data\Lavasoft
2007-09-24 16:53 --------- d-----w F:\Documents and Settings\makem.HAL\Application Data\FlashFXP
2007-09-23 10:53 --------- d-----w F:\Program Files\tbsg_mIRC
2007-09-23 10:51 --------- d-----w F:\Documents and Settings\makem.HAL\Application Data\mIRC
2007-09-23 10:49 --------- d-----w F:\Program Files\new_zone_mIRC
2007-09-21 18:01 --------- d-----w F:\Documents and Settings\makem.HAL\Application Data\ACD Systems
2007-09-21 14:07 --------- d-----w F:\Documents and Settings\makem.HAL\Application Data\.BitTornado
2007-08-21 06:15 683,520 ----a-w F:\WINDOWS\system32\inetcomm.dll
2006-03-11 17:55 457 ----a-w F:\Program Files\INSTALL.LOG
2001-11-23 12:08 712,704 ----a-w F:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

((((((((((((((((((((((((((((( snapshot_2007-11-17_ 1.35.52.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 12:27:16 213,048 ----a-w F:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 15:47:20 94,208 ----a-w F:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 15:49:54 950,272 ----a-w F:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="-cmicnfg.cpl" []
"NeroFilterCheck"="-F:\WINDOWS\System32\NeroCheck.exe" []
"IMEKRMIG6.1"="-F:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" []
"SoundMan"="-SOUNDMAN.EXE" []
"QuickTime Task"="-F:\Program Files\QuickTime\qttask.exe" []
"!AVG Anti-Spyware"="-F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" []
"nod32kui"="F:\Program Files\Eset\nod32kui.exe" [2007-10-15 23:33]
"DiskeeperSystray"="F:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 16:38]
"ICQ Lite"="-F:\Program Files\ICQLite\ICQLite.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"msnmsgr"="-F:\Program Files\MSN Messenger\msnmsgr.exe" []
"MailWasher"="F:\PROGRA~1\MAILWA~1\MAILWA~1.EXE" [2003-11-10 13:25]

F:\Documents and Settings\makem\Start Menu\Programs\Startup\
DigiGuide.lnk - F:\Program Files\DigiGuide TV Guide\Client.exe [2005-10-30 22:55:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"Norun"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"DisableReistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli scecli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Acronis Scheduler2 Service"="F:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
"SunJavaUpdateSched"=F:\Program Files\Java\jre1.5.0_05\bin\jusched.exe

R2 AsProbe;AsProbe;\??\F:\WINDOWS\System32\drivers\AsProbe.sys
R2 UxTuneUp;TuneUp Design Expansion;F:\WINDOWS\System32\svchost.exe -k netsvcs
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;F:\WINDOWS\system32\DRIVERS\AN983.sys
R3 HCW848NT;Hauppauge Win/TV;F:\WINDOWS\system32\DRIVERS\hcw848nt.sys
S3 AvFlt;Antivirus Filter Driver;F:\WINDOWS\system32\drivers\av5flt.sys
S3 HWACCESS;HWACCESS;\??\F:\WINDOWS\system32\HWACCESS.SYS
S3 LMImirr;LMImirr;F:\WINDOWS\system32\DRIVERS\LMImirr.sys
S3 mirrorv3;mirrorv3;F:\WINDOWS\system32\DRIVERS\rminiv3.sys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2007-10-26 16:15:00 F:\WINDOWS\Tasks\1-Click Maintenance.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-18 13:56:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MailWasher = F:\PROGRA~1\MAILWA~1\MAILWA~1.EXE?

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-18 13:57:30
F:\ComboFix2.txt ... 2007-11-17 01:36
F:\ComboFix3.txt ... 2007-11-15 23:41
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:00:18, on 18/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\Program Files\Eset\nod32krn.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\Eset\nod32.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\logonui.exe
F:\WINDOWS\system32\rdpclip.exe
F:\Program Files\Eset\nod32kui.exe
F:\WINDOWS\system32\ctfmon.exe
F:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
F:\WINDOWS\explorer.exe
F:\WINDOWS\system32\notepad.exe
F:\WINDOWS\system32\logon.scr
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Trend Micro\HijackThis\iseeu.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - F:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - F:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - F:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [Cmaudio] -RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] -F:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] -F:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [SoundMan] -SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] -"F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] -"F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [nod32kui] "F:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DiskeeperSystray] "F:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ICQ Lite] -"F:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] -"F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MailWasher] F:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - F:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - F:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - F:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0175246499
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0177533779
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O23 - Service: Adobe LM Service - Unknown owner - -"F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - F:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - -F:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - -"F:\Program Files\MSN Messenger\usnsvc.exe" (file missing)

--
End of file - 6682 bytes
makem
Regular Member
 
Posts: 45
Joined: November 10th, 2007, 3:31 pm
Advertisement
Register to Remove

Re: Another infected computer! Please assist

Unread postby Scotty » November 18th, 2007, 11:31 am

Hello

Congrats, you appear to be clean. :)

If you do not wish to keep Kaspersky Online Scanner as an on-demand virus scanner, it can be removed through Add/Remove Programs.


Time for some housekeeping

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.

    Image
  • When shown the disclaimer, Select "2"


Here are some free programs I recommend, although you will not need them all or perhaps have them already.

Spybot Search and Destroy
Download it from here . Just choose a mirror and off you go.
Find here the tutorial on how to use Spybot properly here

Install Spyware Guard
Download it from here
Find here the tutorial on how to use Spyware Guard here

Install SpyWare Blaster
Download it from here
Find here the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here


Make sure your Windows is ALWAYS up to date!

An unpatched Windows is vulnerable and even with the "best" Antivirus and Firewall installed, malware will find its way through.
So visit http://windowsupdate.microsoft.com/ to download and install the latest updates.


Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"


Follow this list and your potential for being infected again will reduce dramatically.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.
User avatar
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: Another infected computer! Please assist

Unread postby makem » November 18th, 2007, 12:31 pm

I will carry out your suggestions. Thank you for your professional asistance. I do not have any further questions.
makem
Regular Member
 
Posts: 45
Joined: November 10th, 2007, 3:31 pm

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 292 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware