My Log for my infected computer

Post by jdenelle » February 1st, 2008, 6:58 pm

Below is the log from ComboFix. I'd appreciate some help with getting rid of the 'Malaware' and 'Storage Protecor' icons, and the extremely irritating fake warning messages. I've run Ad-Aware and Spybot to no avail. Thanks.


ComboFix 08-02.01.6 - Administrator 2008-02-01 15:59:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.86 [GMT -6:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\jkkjghg.dll
C:\WINDOWS\system32\pmkhe.dll
C:\WINDOWS\system32\zvfnjbfc.dll
C:\Documents and Settings\Administrator\Application Data\install.dat
C:\Documents and Settings\Administrator\Start Menu\Programs\MalwareAlarm
C:\Documents and Settings\Administrator\Start Menu\Programs\MalwareAlarm\MalwareAlarm.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\MalwareAlarm\Uninstall.lnk
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\ehkmp.ini
C:\WINDOWS\system32\ehkmp.ini2
C:\WINDOWS\system32\jkkjghg.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\otdzmhkz.dllbox
C:\WINDOWS\system32\pmkhe.dll
C:\WINDOWS\system32\rbxdmdle.dll
C:\WINDOWS\system32\rvpmobwv.dll
C:\WINDOWS\system32\vwbompvr.ini
C:\WINDOWS\system32\wxavfupj.ini
C:\WINDOWS\system32\xeczobrk.dllbox
C:\WINDOWS\system32\ynklqyyh.dll
C:\WINDOWS\system32\zvfnjbfc.dll
C:\WINDOWS\system32\zvfnjbfc.dllbox
C:\windows\xpupdate.exe

----- BITS: Possible infected sites -----

hxxp://javadl.sun.com
hxxp://ssbuetymom01
.
((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.

2008-02-01 15:42 . 2002-08-29 01:05
2008-02-01 15:42 . 2004-03-29 17:19
2008-02-01 15:25 . 2008-02-01 15:26
2008-01-31 10:32 . 2008-01-31 10:32
2008-01-31 10:32 . 2008-01-31 10:33
2008-01-31 10:30 . 2008-01-31 10:30

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
1/14/2008 15:25
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS="C:\Program Files\Messenger\msmsgs.exe" [ ]
ctfmon.exe="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 04:41 13312]
swg="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-30 17:47 68856]
ISUSPM="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 04:40 218032]
MalwareAlarm="C:\Program Files\MalwareAlarm\MalwareAlarm.exe" [2008-02-01 15:25 439808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ShStatEXE="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2003-09-29 07:10 81990]
McAfeeUpdaterUI="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [ ]
nwiz="nwiz.exe" [2003-07-28 15:19 323584 C:\WINDOWS\system32\nwiz.exe]
RoxioEngineUtility="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [ ]
RoxioDragToDisc="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [ ]
RoxioAudioCentral="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [ ]
SunJavaUpdateSched="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]
Printkey2000.lnk - C:\Program Files\PrintKey2000\Printkey2000.exe [2004-05-07 09:45:32 869376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
AppInit_DLLs=

S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe [2001-08-23 06:00]

.
Contents of the 'Scheduled Tasks' folder
2008-02-01 06:00:00 C:\WINDOWS\Tasks\At1.job
2008-02-01 15:00:00 C:\WINDOWS\Tasks\At10.job
2008-02-01 16:00:00 C:\WINDOWS\Tasks\At11.job
2008-02-01 17:00:00 C:\WINDOWS\Tasks\At12.job
2008-02-01 18:00:00 C:\WINDOWS\Tasks\At13.job
2008-02-01 19:00:00 C:\WINDOWS\Tasks\At14.job
2008-02-01 20:00:00 C:\WINDOWS\Tasks\At15.job
2008-02-01 21:00:00 C:\WINDOWS\Tasks\At16.job
2008-02-01 22:00:01 C:\WINDOWS\Tasks\At17.job
2008-01-31 23:00:05 C:\WINDOWS\Tasks\At18.job
2008-02-01 00:00:00 C:\WINDOWS\Tasks\At19.job
2008-02-01 07:00:00 C:\WINDOWS\Tasks\At2.job
2008-02-01 01:00:00 C:\WINDOWS\Tasks\At20.job
2008-02-01 02:00:00 C:\WINDOWS\Tasks\At21.job
2008-02-01 03:00:00 C:\WINDOWS\Tasks\At22.job
2008-02-01 04:00:00 C:\WINDOWS\Tasks\At23.job
2008-02-01 05:00:00 C:\WINDOWS\Tasks\At24.job
2008-02-01 08:00:00 C:\WINDOWS\Tasks\At3.job
2008-02-01 09:00:00 C:\WINDOWS\Tasks\At4.job
2008-02-01 10:00:00 C:\WINDOWS\Tasks\At5.job
2008-02-01 11:00:00 C:\WINDOWS\Tasks\At6.job
2008-02-01 12:00:00 C:\WINDOWS\Tasks\At7.job
2008-02-01 13:00:00 C:\WINDOWS\Tasks\At8.job
2008-02-01 14:00:00 C:\WINDOWS\Tasks\At9.job
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 16:09:19
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
.
**************************************************************************
.
Completion time: 2008-02-01 16:11:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-01 22:11:36
jdenelle
Active Member
 
Posts: 11
Joined: February 1st, 2008, 6:13 pm

Re: My Log for my infected computer

Post by Katana » February 9th, 2008, 9:07 am

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

I apologize for the delay in responding, but as you can probably see the forums are quite busy
and sometimes a post manages to slip by us.
Unfortunately there are far more people needing help than there are helpers.

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Unless I am informed in advance, failure to post replies within 5 days will result in this thread being closed.



Click here to download HJTinstall.exe
  • Save HJTinstall.exe to your desktop.
  • Double click on the HJTinstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\Hijack This.
  • Click I accept
  • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
  • Click Save to save the log file and then the log will open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


Installed Programs
Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: My Log for my infected computer

Post by jdenelle » February 11th, 2008, 10:24 am

I'll do these steps this week and post results. thanks
jdenelle
Active Member
 
Posts: 11
Joined: February 1st, 2008, 6:13 pm

Re: My Log for my infected computer

Post by jdenelle » February 15th, 2008, 6:20 pm

Here's my Hijack file and below it are the installed programs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:57 PM, on 2/15/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.tagged.com/online/online2/ ... der_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = la.gr.repsolypf.com
O17 - HKLM\Software\..\Telephony: DomainName = la.gr.repsolypf.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = la.gr.repsolypf.com
O20 - AppInit_DLLs:
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 6453 bytes


Ad-Aware 2007
Adobe Acrobat 6.0 Professional
Adobe Flash Player ActiveX
Advanced Networking Pack for Windows XP
BNASTF
Dell Printer Software Uninstall
Easy CD & DVD Creator 6
Google Earth
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Intel(R) PRO Network Adapters and Drivers
J2SE Runtime Environment 5.0 Update 11
Java 2 Runtime Environment, SE v1.4.2_13
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6 Update 1
Macromedia Shockwave Player
McAfee VirusScan Enterprise
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft Office Professional Edition 2003
Microsoft Windows Journal Viewer
MSN Music Assistant
NVIDIA Windows 2000/XP Display Drivers
Pdf995
PdfEdit995
PrintKey2000
Spybot - Search & Destroy 1.4
TaxCut Basic 2006
VideoEgg Publisher
Wal-Mart Music Downloads Store
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Hotfix [See KB837272 for more information]
Windows Media Player Hotfix [See Q828026 for more information]
Windows XP Hotfix - KB820291
Windows XP Hotfix - KB821253
Windows XP Hotfix - KB822603
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB826942
Windows XP Hotfix - KB828028
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833407
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB833998
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873376
Windows XP Hotfix (SP2) Q322011
Windows XP Hotfix (SP2) Q327979
Windows XP Hotfix (SP2) Q814995
Windows XP Hotfix (SP2) Q819696
jdenelle
Active Member
 
Posts: 11
Joined: February 1st, 2008, 6:13 pm

Re: My Log for my infected computer

Post by Katana » February 15th, 2008, 6:41 pm

Fix With HJT
Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines IF still present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.tagged.com/online/online2/ ... der_v6.cab

O20 - AppInit_DLLs:

- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u4
http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The Java Runtime Environment (JRE) 6 update 4 allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check for any item with Java Runtime Environment (JRE or J2SE) in the name.
    J2SE Runtime Environment 5.0 Update 11
    Java 2 Runtime Environment, SE v1.4.2_13
    Java(TM) 6 Update 3
    Java(TM) SE Runtime Environment 6 Update 1
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.

Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.




Download and Run ComboFix (by sUBs)
Please delete the copy of ComboFix that you have, and use the instructions below to download and run the latest version.
Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofi ... e-combofix




Kaspersky Online Scanner
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
Go Here http://www.kaspersky.com/kos/eng/partne ... bscan.html

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


Please post the Kaspersky log along with the ComboFix log in your reply.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
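The O16 lines Katana picks out above are "Downloaded Program Files": ActiveX controls that Internet Explorer fetched from the URL on the line, so the question for each one is whether that download source is trusted. The Python script below, added here as an example and not a HijackThis feature or MalwareRemoval.com code, parses O16 lines from a constructed excerpt of the log posted above, returns the ones whose host is outside a trusted list in the exact form a helper would ask the user to tick, and separately lists the O17 domain entries, which on a domain-joined machine are expected and should not be fixed blindly. The trusted-host list is an assumption made for the example.

```python
"""Review O16 (Downloaded Program Files) and O17 (DNS domain) lines in a
HijackThis log. Added example; the sample lines are constructed from the log
posted above and TRUSTED_DPF_HOSTS is an assumed allowlist."""
import re
from urllib.parse import urlsplit

SAMPLE_HJT = r"""
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = la.gr.repsolypf.com
O17 - HKLM\Software\..\Telephony: DomainName = la.gr.repsolypf.com
O20 - AppInit_DLLs:
"""

# Assumption for the example: hosts (and their subdomains) the analyst accepts as CAB sources.
TRUSTED_DPF_HOSTS = {"java.sun.com", "download.divx.com", "www.musicnotes.com"}

# "O16 - DPF: {CLSID} (optional friendly name) - URL"
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]{36}\})(?: \((.*?)\))? - (\S+)$")
O17_RE = re.compile(r"^O17 - .*:\s*Domain(?:Name)? = (\S+)$")


def parse_o16(line):
    """Return {'clsid', 'name', 'url', 'host'} for an O16 line, else None."""
    m = O16_RE.match(line.strip())
    if not m:
        return None
    clsid, name, url = m.groups()
    return {"clsid": clsid, "name": name, "url": url, "host": urlsplit(url).hostname}


def host_is_trusted(host, trusted):
    """Exact match or subdomain of a trusted host; 'divx.com.evil.example' does not pass."""
    if not host:
        return False
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in trusted)


def review_o16(log_text, trusted=TRUSTED_DPF_HOSTS):
    """O16 lines whose download host is outside the trusted list, verbatim,
    so they can be pasted into a 'put a check next to the following lines' reply."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o16(line)
        if entry and not host_is_trusted(entry["host"], trusted):
            flagged.append(line.strip())
    return flagged


def o17_domains(log_text):
    """DNS domains HijackThis reports as O17, de-duplicated, for the analyst to
    confirm with the user (expected on a corporate domain member)."""
    found = set()
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            found.add(m.group(1))
    return sorted(found)


if __name__ == "__main__":
    print("Tick these O16 lines:")
    for line in review_o16(SAMPLE_HJT):
        print(" ", line)
    print("O17 domains to confirm:", o17_domains(SAMPLE_HJT))
```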

Re: My Log for my infected computer

Post by jdenelle » February 17th, 2008, 9:53 am

I did what you requested and my ComboFix and Kaspersky logs are below. I did get an error message when installing Java: "system no supported by an operating system", but I clicked 'continue' anyway.

New Combofix log:

ComboFix 08-02-17.2 - Administrator 2008-02-16 18:01:50.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.128 [GMT -6:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-01-17 to 2008-02-17 )))))))))))))))))))))))))))))))
.

2008-02-16 17:44 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-16 17:41 . 2008-02-16 17:44 <DIR> d-------- C:\Program Files\Java
2008-02-16 17:40 . 2008-02-16 17:40 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-15 16:16 . 2008-02-15 16:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-06 16:47 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-02-06 16:47 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-02-06 16:47 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-02-06 16:47 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-01-31 10:32 . 2008-01-31 10:32 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-31 10:32 . 2008-01-31 10:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-31 10:30 . 2008-01-31 10:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
1/23/2008 19:55 --------- d-----w C:\Program Files\Spybot - Search & Destroy
12/14/2007 17:32 12,632 C:\WINDOWS\system32\lsdelete.exe
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
-c--a-w 69,632 2003-02-27 10:31:24 C:\Program Files\Common Files\Roxio Shared\System\bak\EngUtil.exe

-c--a-w 1,498,032 2003-04-15 01:05:20 C:\Program Files\Messenger\bak\msmsgs.exe

-c--a-w 135,224 2004-06-15 08:12:00 C:\Program Files\Network Associates\Common Framework\bak\UpdaterUI.exe

-c--a-w 253,952 2003-02-26 21:50:08 C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\bak\RxMon.exe

-c--a-w 757,760 2003-02-27 09:36:06 C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\bak\DrgToDsc.exe

-c--a-w 13,312 2002-08-29 10:41:22 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 13,312 2002-08-29 10:41:22 C:\WINDOWS\system32\ctfmon.exe

-c--a-w 155,648 2001-07-09 16:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS="C:\Program Files\Messenger\msmsgs.exe" [ ]
ctfmon.exe="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 04:41 13312]
swg="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-30 17:47 68856]
ISUSPM="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 04:40 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ShStatEXE="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2003-09-29 07:10 81990]
McAfeeUpdaterUI="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [ ]
nwiz="nwiz.exe" [2003-07-28 15:19 323584 C:\WINDOWS\system32\nwiz.exe]
RoxioEngineUtility="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [ ]
RoxioDragToDisc="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [ ]
RoxioAudioCentral="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [ ]
SunJavaUpdateSched="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]
Printkey2000.lnk - C:\Program Files\PrintKey2000\Printkey2000.exe [2004-05-07 09:45:32 869376]

S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe [2001-08-23 06:00]

.
Contents of the 'Scheduled Tasks' folder
2008-02-16 06:00:00 C:\WINDOWS\Tasks\At1.job
2008-02-16 15:00:00 C:\WINDOWS\Tasks\At10.job
2008-02-16 16:00:00 C:\WINDOWS\Tasks\At11.job
2008-02-16 17:00:00 C:\WINDOWS\Tasks\At12.job
2008-02-16 18:00:00 C:\WINDOWS\Tasks\At13.job
2008-02-16 19:00:00 C:\WINDOWS\Tasks\At14.job
2008-02-16 20:00:00 C:\WINDOWS\Tasks\At15.job
2008-02-16 21:00:00 C:\WINDOWS\Tasks\At16.job
2008-02-16 22:00:00 C:\WINDOWS\Tasks\At17.job
2008-02-16 23:00:00 C:\WINDOWS\Tasks\At18.job
2008-02-17 00:00:00 C:\WINDOWS\Tasks\At19.job
2008-02-16 07:00:00 C:\WINDOWS\Tasks\At2.job
2008-02-16 01:00:00 C:\WINDOWS\Tasks\At20.job
2008-02-16 02:00:00 C:\WINDOWS\Tasks\At21.job
2008-02-16 03:00:00 C:\WINDOWS\Tasks\At22.job
2008-02-16 04:00:00 C:\WINDOWS\Tasks\At23.job
2008-02-16 05:00:00 C:\WINDOWS\Tasks\At24.job
2008-02-16 08:00:00 C:\WINDOWS\Tasks\At3.job
2008-02-16 09:00:00 C:\WINDOWS\Tasks\At4.job
2008-02-16 10:00:00 C:\WINDOWS\Tasks\At5.job
2008-02-16 11:00:00 C:\WINDOWS\Tasks\At6.job
2008-02-16 12:00:00 C:\WINDOWS\Tasks\At7.job
2008-02-16 13:00:00 C:\WINDOWS\Tasks\At8.job
2008-02-16 14:00:00 C:\WINDOWS\Tasks\At9.job
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-16 18:04:36
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-16 18:05:41
ComboFix-quarantined-files.txt 2008-02-17 00:05:37
ComboFix2.txt 2008-02-02 21:23:29
ComboFix3.txt 2008-02-01 22:11:51


Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, February 17, 2008 7:49:40 AM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 17/02/2008
Kaspersky Anti-Virus database records: 569957
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
H:\

Scan Statistics:
Total number of scanned objects: 46194
Number of viruses found: 9
Number of infected objects: 18
Number of suspicious objects: 0
Duration of the scan process: 02:23:33

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008021620080217\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_S309042.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_S309042.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\hbinst\Hbinst.exe Infected: not-a-virus:AdWare.Win32.Hotbar.e skipped
C:\Program Files\Network Associates\VirusScan\VSHLog.txt Object is locked skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080216-170731-736.dll Infected: not-a-virus:Downloader.Win32.PopCap.a skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rvpmobwv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ynklqyyh.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP315\A0081157.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP315\A0081159.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP315\A0081159.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP318\A0082221.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP318\A0082222.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP318\A0082223.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP318\A0082223.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP318\A0082223.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP318\A0082223.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP319\A0082258.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP319\A0082258.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP325\A0083465.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP325\A0083466.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP325\A0083583.exe Infected: not-a-virus:FraudTool.Win32.DrAntispy.ag skipped
C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP346\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hh.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\osk.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\sysmain.sdb Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\zipfldr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\dhcpcsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\ndis.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\ndisuio.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\netshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcdlg.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcsapi.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828028$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB833407$\bssym7.ttf Object is locked skipped
C:\WINDOWS\$NtUninstallKB833998$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB833998$\sxs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\xpsp2res.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\expsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexch40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjint40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjter40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msltus40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrd2x40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrd3x40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mswdat10.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mswstr10.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\vbajet32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB839645$\fldrclnr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB839645$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB839645$\sxs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB839645$\xpsp2res.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
jdenelle
Active Member
Posts: 11
Joined: February 1st, 2008, 6:13 pm

Re: My Log for my infected computer

Unread post by Katana » February 17th, 2008, 12:45 pm

OK, it looks like there are remains of several infections there so this may take a few goes.

Fix AWF
Click here to download FindAWF.exe and save it to your desktop.
Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\Program Files\Common Files\Roxio Shared\System\bak\EngUtil.exe
C:\Program Files\Messenger\bak\msmsgs.exe
C:\Program Files\Network Associates\Common Framework\bak\UpdaterUI.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\bak\RxMon.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\bak\DrgToDsc.exe
C:\WINDOWS\system32\bak\NeroCheck.exe

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Press 2 then Enter
  • Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for bak folders.
  • It may take a few minutes to complete, so please be patient.
  • When it is complete, it will open a text file in Notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.


NoLop
Please Download NoLop to your desktop from one of the links below...
Link 1
Link 2
Link 3
  • First close any other programs you have running as this will require a reboot
  • Double click NoLop.exe to run it
  • Now click the button labelled "Search and Destroy"
    <<your computer will now be scanned for infected files>>
  • When scanning is finished you will be prompted to reboot only if infected, Click OK
  • Now click the "REBOOT" Button.
  • A message should pop up from NoLop. If not, double click the program again and it will finish. Please post the contents of C:\NoLop.log along with a fresh HijackThis log.
--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.--
Katana
MRU Teacher Emeritus
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: My Log for my infected computer

Unread post by jdenelle » February 17th, 2008, 4:11 pm

New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:09:39 PM, on 2/17/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = la.gr.repsolypf.com
O17 - HKLM\Software\..\Telephony: DomainName = la.gr.repsolypf.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = la.gr.repsolypf.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 5980 bytes

NoLop Log:
NoLop! Log by Skate_Punk_21

Please Note: any existing old logs will have now been renamed to NoLop!OLD.log

Fix running from: C:\Documents and Settings\Administrator\Desktop
[2/17/2008]
[2:06:02 PM]

---Infection Files Found/Removed---
NO INFECTION FILES FOUND - Cleaning Aborted.

---Listing AppData sub directories---

C:\Documents and Settings\Administrator\Application Data\Adobe
C:\Documents and Settings\Administrator\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Administrator\Application Data\Fileopen
C:\Documents and Settings\Administrator\Application Data\Google
C:\Documents and Settings\Administrator\Application Data\Icaclient
C:\Documents and Settings\Administrator\Application Data\Identities
C:\Documents and Settings\Administrator\Application Data\Installshield
C:\Documents and Settings\Administrator\Application Data\Macromedia
C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\Administrator\Application Data\Msn6
C:\Documents and Settings\Administrator\Application Data\Roxio
C:\Documents and Settings\Administrator\Application Data\Sun
C:\Documents and Settings\Administrator\Application Data\Videoegg
C:\Documents and Settings\Administrator\Application Data\Wal-mart Digital Photo Viewer
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Google
C:\Documents and Settings\All Users\Application Data\Installshield
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
C:\Documents and Settings\All Users\Application Data\Lavasoft
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Network Associates
C:\Documents and Settings\All Users\Application Data\Pdf995
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Videoegg
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft

AWF log

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Sun 02/17/2008
The current time is: 13:59:21.45


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

04/14/2003 07:05 PM 1,498,032 msmsgs.exe
1 File(s) 1,498,032 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/29/2002 04:41 AM 13,312 ctfmon.exe
07/09/2001 10:50 AM 155,648 NeroCheck.exe
2 File(s) 168,960 bytes

Directory of C:\PROGRA~1\NETWOR~1\COMMON~1\BAK

06/15/2004 02:12 AM 135,224 UpdaterUI.exe
1 File(s) 135,224 bytes

Directory of C:\PROGRA~1\NETWOR~1\VIRUSS~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\ROXIOS~1\SYSTEM\BAK

02/27/2003 04:31 AM 69,632 EngUtil.exe
1 File(s) 69,632 bytes

Directory of C:\PROGRA~1\ROXIO\EASYCD~1\AUDIOC~1\BAK

02/26/2003 03:50 PM 253,952 RxMon.exe
1 File(s) 253,952 bytes

Directory of C:\PROGRA~1\ROXIO\EASYCD~1\DRAGTO~1\BAK

02/27/2003 03:36 AM 757,760 DrgToDsc.exe
1 File(s) 757,760 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

1498032 Apr 14 2003 "C:\Program Files\Messenger\bak\msmsgs.exe"
1077277 Aug 2 2001 "D:\Program Files\Messenger\msmsgs.exe"
13312 Aug 29 2002 "C:\WINDOWS\system32\ctfmon.exe"
13312 Aug 29 2002 "C:\WINDOWS\system32\bak\ctfmon.exe"
13312 Aug 23 2001 "D:\WINDOWS\system32\ctfmon.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
135224 Jun 15 2004 "C:\Program Files\Network Associates\Common Framework\bak\UpdaterUI.exe"
69632 Feb 27 2003 "C:\Program Files\Common Files\Roxio Shared\System\bak\EngUtil.exe"
253952 Feb 26 2003 "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\bak\RxMon.exe"
757760 Feb 27 2003 "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\bak\DrgToDsc.exe"


end of report
jdenelle
Active Member
Posts: 11
Joined: February 1st, 2008, 6:13 pm
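As an added example (not from the thread or from the FindAWF tool): a small Python parser for the "Duplicate files of bak directory contents" section of the FindAWF report above. It pairs every file found in a bak folder with the path it was moved from and builds the list of bak copies whose original is no longer present, which is the same list the helper pasted in the previous reply (ctfmon.exe is left out because a same-size copy already sits at its original path). It also flags the case, not present in this report, where a file of a different size sits at the original path. The function names are mine; the sample lines are copied from the report.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Sample input (constructed): the "Duplicate files of bak directory contents"
# section of the FindAWF report posted above, copied line for line.
AWF_DUPLICATES = r"""
1498032 Apr 14 2003 "C:\Program Files\Messenger\bak\msmsgs.exe"
1077277 Aug 2 2001 "D:\Program Files\Messenger\msmsgs.exe"
13312 Aug 29 2002 "C:\WINDOWS\system32\ctfmon.exe"
13312 Aug 29 2002 "C:\WINDOWS\system32\bak\ctfmon.exe"
13312 Aug 23 2001 "D:\WINDOWS\system32\ctfmon.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
135224 Jun 15 2004 "C:\Program Files\Network Associates\Common Framework\bak\UpdaterUI.exe"
69632 Feb 27 2003 "C:\Program Files\Common Files\Roxio Shared\System\bak\EngUtil.exe"
253952 Feb 26 2003 "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\bak\RxMon.exe"
757760 Feb 27 2003 "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\bak\DrgToDsc.exe"
"""

# One report line looks like: <size> <Mon> <day> <year> "<path>"
LINE_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z]{3})\s+(\d{1,2})\s+(\d{4})\s+"(.+)"\s*$')


@dataclass(frozen=True)
class Entry:
    size: int
    date: str
    path: str


def parse_duplicates(text: str) -> List[Entry]:
    """Parse the duplicate-file lines; headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            size, mon, day, year, path = m.groups()
            entries.append(Entry(int(size), f"{mon} {day} {year}", path))
    return entries


def original_path(bak_path: str) -> Optional[str]:
    """Strip the trailing 'bak' folder: <dir>\\bak\\x.exe -> <dir>\\x.exe, else None."""
    p = PureWindowsPath(bak_path)
    if p.parent.name.lower() != "bak":
        return None
    return str(p.parent.parent / p.name)


def classify(entries: List[Entry]) -> Dict[str, Tuple[str, Entry, Optional[Entry]]]:
    """Map each bak copy to (verdict, bak entry, entry found at the original path).

    restore  - nothing is listed at the original path on that drive: the bak
               copy is the only legitimate file left, so it must be moved back
    in-place - a file of identical size already sits at the original path
    replaced - a file sits at the original path but differs in size (review it)
    """
    by_path = {e.path.lower(): e for e in entries}
    verdicts = {}
    for e in entries:
        orig = original_path(e.path)
        if orig is None:
            continue  # not a bak copy (e.g. the D: drive listings)
        live = by_path.get(orig.lower())
        if live is None:
            verdict = "restore"
        elif live.size == e.size:
            verdict = "in-place"
        else:
            verdict = "replaced"
        verdicts[e.path] = (verdict, e, live)
    return verdicts


def restore_list(text: str) -> List[str]:
    """The bak paths to paste into FindAWF.txt for option 2, sorted."""
    return sorted(path for path, (v, _, _) in classify(parse_duplicates(text)).items()
                  if v == "restore")


if __name__ == "__main__":
    for path, (verdict, bak, live) in classify(parse_duplicates(AWF_DUPLICATES)).items():
        live_desc = f"live copy {live.size} bytes" if live else "original missing"
        print(f"{verdict:9} {path}  (bak {bak.size} bytes, {live_desc})")
    print("\nRestore list:")
    print("\n".join(restore_list(AWF_DUPLICATES)))
```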

Re: My Log for my infected computer

Unread post by Katana » February 17th, 2008, 5:17 pm

Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\WINDOWS\Tasks\At1.job
    C:\WINDOWS\Tasks\At10.job
    C:\WINDOWS\Tasks\At11.job
    C:\WINDOWS\Tasks\At12.job
    C:\WINDOWS\Tasks\At13.job
    C:\WINDOWS\Tasks\At14.job
    C:\WINDOWS\Tasks\At15.job
    C:\WINDOWS\Tasks\At16.job
    C:\WINDOWS\Tasks\At17.job
    C:\WINDOWS\Tasks\At18.job
    C:\WINDOWS\Tasks\At19.job
    C:\WINDOWS\Tasks\At2.job
    C:\WINDOWS\Tasks\At20.job
    C:\WINDOWS\Tasks\At21.job
    C:\WINDOWS\Tasks\At22.job
    C:\WINDOWS\Tasks\At23.job
    C:\WINDOWS\Tasks\At24.job
    C:\WINDOWS\Tasks\At3.job
    C:\WINDOWS\Tasks\At4.job
    C:\WINDOWS\Tasks\At5.job
    C:\WINDOWS\Tasks\At6.job
    C:\WINDOWS\Tasks\At7.job
    C:\WINDOWS\Tasks\At8.job
    C:\WINDOWS\Tasks\At9.job
    Folder::
    C:\Program Files\Common Files\Roxio Shared\System\bak
    C:\Program Files\Messenger\bak
    C:\Program Files\Network Associates\Common Framework\bak
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\bak
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\bak
    C:\WINDOWS\system32\bak
    C:\Program Files\hbinst
    

  • Save this as CFScript.txt and place it on your desktop.


    Image


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

TotalScan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
Please go to this site: TotalScan
  • Under Scan Now click the Full Scan button
  • Follow the prompts to install the Active X if necessary
  • Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
  • When the scan is finished, a report will be generated
  • Next to Scan Details click the small Save button and save the report to your desktop.
  • Please post the report in your reply.
Katana
MRU Teacher Emeritus
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: My Log for my infected computer

Unread post by jdenelle » February 17th, 2008, 9:52 pm

CFScript log
ComboFix 08-02-17.2 - Administrator 2008-02-17 17:08:01.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.125 [GMT -6:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\Roxio Shared\System\bak
C:\Program Files\Common Files\Roxio Shared\System\bak\EngUtil.exe
C:\Program Files\hbinst
C:\Program Files\hbinst\Hbinst.exe
C:\Program Files\Messenger\bak
C:\Program Files\Messenger\bak\msmsgs.exe
C:\Program Files\Network Associates\Common Framework\bak
C:\Program Files\Network Associates\Common Framework\bak\UpdaterUI.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\bak
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\bak\RxMon.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\bak
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\bak\DrgToDsc.exe
C:\WINDOWS\system32\bak
C:\WINDOWS\system32\bak\ctfmon.exe
C:\WINDOWS\system32\bak\NeroCheck.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-17 to 2008-02-17 )))))))))))))))))))))))))))))))
.

2008-02-17 14:03 . 2008-02-17 14:06 212 --a------ C:\delete.bat
2008-02-16 18:14 . 2008-02-16 18:14 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-16 18:14 . 2008-02-16 18:14 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-16 18:14 . 2008-02-16 18:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-16 17:44 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-16 17:41 . 2008-02-16 17:44 <DIR> d-------- C:\Program Files\Java
2008-02-16 17:40 . 2008-02-16 17:40 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-15 16:16 . 2008-02-15 16:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-06 16:47 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-02-06 16:47 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-02-06 16:47 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-02-06 16:47 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-01-31 10:32 . 2008-01-31 10:32 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-31 10:32 . 2008-01-31 10:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-31 10:30 . 2008-01-31 10:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-23 19:55 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 04:41 13312]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-30 17:47 68856]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 04:40 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2003-09-29 07:10 81990]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [ ]
"nwiz"="nwiz.exe" [2003-07-28 15:19 323584 C:\WINDOWS\system32\nwiz.exe]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [ ]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [ ]
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]
Printkey2000.lnk - C:\Program Files\PrintKey2000\Printkey2000.exe [2004-05-07 09:45:32 869376]

S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe [2001-08-23 06:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-17 06:00:01 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\System32\715RAsy4.exe
"2008-02-17 15:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\System32\715RAsy4.exe
"2008-02-17 16:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\System32\715RAsy4.exe
"2008-02-17 17:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\System32\715RAsy4.exe
"2008-02-17 18:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\System32\715RAsy4.exe
"2008-02-17 19:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\System32\715RAsy4.exe
"2008-02-17 20:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\System32\715RAsy4.exe
"2008-02-17 21:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\System32\715RAsy4.exe
"2008-02-17 22:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\System32\715RAsy4.exe
"2008-02-17 23:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\System32\715RAsy4.exe
"2008-02-17 00:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\System32\715RAsy4.exe
"2008-02-17 07:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\System32\715RAsy4.exe
"2008-02-17 01:00:01 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\System32\715RAsy4.exe
"2008-02-17 02:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\System32\715RAsy4.exe
"2008-02-17 03:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\System32\715RAsy4.exe
"2008-02-17 04:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\System32\715RAsy4.exe
"2008-02-17 05:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\System32\715RAsy4.exe
"2008-02-17 08:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\System32\715RAsy4.exe
"2008-02-17 09:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\System32\715RAsy4.exe
"2008-02-17 10:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\System32\715RAsy4.exe
"2008-02-17 11:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\System32\715RAsy4.exe
"2008-02-17 12:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\System32\715RAsy4.exe
"2008-02-17 13:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\System32\715RAsy4.exe
"2008-02-17 14:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\System32\715RAsy4.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 17:09:33
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-17 17:10:17
ComboFix-quarantined-files.txt 2008-02-17 23:10:08
ComboFix2.txt 2008-02-17 00:05:42
ComboFix3.txt 2008-02-02 21:23:29
ComboFix4.txt 2008-02-01 22:11:51

TotalScan log
;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-02-17 19:54:59
PROTECTIONS: 1
MALWARE: 22
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
McAfee VirusScan Enterprise 7.1.0.187 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00027660 adware/savenow Adware No 0 Yes No c:\windows\downloaded program files\wuinst.inf
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\RECYCLER\S-1-5-21-430456631-1236736482-5522801-64994\Dc2\Cookies\ho00016@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[3].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@advertising[2].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@zedo[2].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@go[1].txt
00219235 Adware/CommAd Adware No 0 Yes No C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP318\A0082222.dll
00219238 Adware/CommAd Adware No 0 Yes No C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP318\A0082221.exe
00242884 Adware/SearchAid Adware No 0 Yes No C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP315\A0081157.exe
00250251 Adware/ISearch Adware No 0 No No C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP318\A0082223.exe[MTE3MTk6ODoxNg.exe]
00251146 Adware/SearchAid Adware No 0 Yes No C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP315\A0081156.vbs
00262492 Adware/CommAd Adware No 0 Yes No C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP318\A0082220.vbs
00332832 Adware/DollarRevenue Adware No 1 Yes No C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP317\A0082180.dll
00332832 Adware/DollarRevenue Adware No 1 Yes No C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP316\A0081188.dll
00332832 Adware/DollarRevenue Adware No 1 Yes No C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP315\A0081155.dll
00392623 Adware/ActiveSearch Adware No 0 No No C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP318\A0082223.exe[²ÜÇ\Services.dll]
00463502 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP318\A0082223.exe
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP345\A0085418.exe[327882R2FWJFW\nircmd.com]
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Administrator\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Administrator\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.com]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP347\A0085584.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP323\A0083416.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP324\A0083458.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP346\A0085550.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP325\A0083562.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP346\A0085488.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP329\A0083697.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP329\A0083722.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\WINDOWS\Nircmd.exe
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP345\A0085418.exe[327882R2FWJFW\nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP345\A0085422.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP346\A0085445.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP346\A0085463.exe
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP346\A0085467.exe[327882R2FWJFW\nircmd.com]
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP346\A0085467.exe[327882R2FWJFW\nircmd.cfexe]
02688464 Adware/DnsInsider Adware No 0 Yes No C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP319\A0082258.exe
02688464 Adware/DnsInsider Adware No 0 Yes No C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP315\A0081159.exe
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP325\A0083487.sys
02887789 Adware/MalwareAlarm Adware No 1 Yes No C:\System Volume Information\_restore{A05F8E01-DAA5-4453-BC47-08008E5AD678}\RP325\A0083583.exe
;===================================================================================================================================================================================
SUSPECTS
Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
jdenelle
Active Member
 
Posts: 11
Joined: February 1st, 2008, 6:13 pm
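Two things in the ComboFix log above are worth checking mechanically rather than by eye. First, several HKLM Run entries (McAfeeUpdaterUI, RoxioEngineUtility, RoxioDragToDisc, RoxioAudioCentral) carry an empty bracket field, [ ], where ComboFix normally prints the file's date and size: the registry still points at the program but the file was not on disk at scan time. Second, all 24 At*.job scheduled tasks run the same executable, C:\WINDOWS\System32\715RAsy4.exe, one task per hour of the day, which is a persistence mechanism that survives cleaning the Run keys. The Python below is an added example, not part of this thread or of ComboFix. It parses a constructed excerpt in the same format as the log above (a handful of its lines, plus one non-At task that is not in the original, for contrast) and reports both findings.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the ComboFix log posted above (a subset of
# its lines, plus one non-At task that is not in the original, for contrast).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2003-09-29 07:10 81990]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [ ]
"nwiz"="nwiz.exe" [2003-07-28 15:19 323584 C:\WINDOWS\system32\nwiz.exe]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

Contents of the 'Scheduled Tasks' folder
"2008-02-17 06:00:01 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\System32\715RAsy4.exe
"2008-02-17 15:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\System32\715RAsy4.exe
"2008-02-17 16:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\System32\715RAsy4.exe
"2008-02-17 07:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\System32\715RAsy4.exe
"2008-02-20 03:00:00 C:\WINDOWS\Tasks\ExampleUpdater.job"
- C:\Program Files\Example\Updater.exe
"""

# "name"="path" [date time size]   (the bracket is empty when the file is missing)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<stat>[^\]]*)\]\s*$')
# "YYYY-MM-DD HH:MM:SS C:\WINDOWS\Tasks\Name.job"  followed by  "- <target>"
TASK_RE = re.compile(r'^"(?P<when>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<job>[^"]+\.job)"$')
TARGET_RE = re.compile(r'^- (?P<target>\S.*)$')


def parse_run_entries(text):
    """Return (name, path, stat_field) for every Run-key value line in the log."""
    out = []
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            out.append((m["name"], m["path"], m["stat"].strip()))
    return out


def missing_run_targets(text):
    """Run entries whose bracketed date/size field is empty: the registry still
    points at the file but ComboFix did not find it on disk."""
    return [(name, path) for name, path, stat in parse_run_entries(text) if stat == ""]


def parse_tasks(text):
    """Return (job_name, scheduled_time, target) for each task in the
    'Scheduled Tasks' section, pairing each .job line with the '- target' line after it."""
    tasks, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = TASK_RE.match(line)
        if m:
            pending = (m["job"].rsplit("\\", 1)[-1], m["when"])
            continue
        m = TARGET_RE.match(line)
        if m and pending:
            tasks.append((pending[0], pending[1], m["target"]))
            pending = None
    return tasks


def at_job_persistence(text, min_jobs=3):
    """Group At*.job tasks by the executable they run and report any target that is
    scheduled by at least min_jobs of them, with the hours of day covered.
    Many At jobs pointing at one binary is the hourly-persistence pattern above."""
    by_target = defaultdict(list)
    for job, when, target in parse_tasks(text):
        if re.fullmatch(r"At\d+\.job", job, re.IGNORECASE):
            by_target[target].append((job, when[11:13]))  # HH from "YYYY-MM-DD HH:MM:SS"
    report = {}
    for target, jobs in by_target.items():
        if len(jobs) >= min_jobs:
            report[target] = {
                "jobs": sorted(j for j, _ in jobs),
                "hours": sorted({h for _, h in jobs}),
            }
    return report


if __name__ == "__main__":
    for name, path in missing_run_targets(SAMPLE_LOG):
        print(f"autostart with missing file: {name} -> {path}")
    for target, info in at_job_persistence(SAMPLE_LOG).items():
        print(f"{len(info['jobs'])} At jobs run {target} at hours {', '.join(info['hours'])}")
```

Run against the full log above rather than the excerpt, the At-job report lists all 24 jobs and every hour from 00 to 23 for 715RAsy4.exe, which is why the batch file later in the thread deletes C:\WINDOWS\Tasks\At*.job as a set rather than one task at a time.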

Re: My Log for my infected computer

Unread postby Katana » February 19th, 2008, 6:13 am

Create A Batch File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text into Notepad.
Save it as "All Files" and name it fix.bat. Please save it on your desktop.

@echo off
REM Put back the program files that ComboFix set aside under C:\Qoobox\Quarantine\c.
REM The quarantine mirrors the C: tree; each file is kept as path\bak\name.ext.vir.
REM Uses vfind and nircmd, which ComboFix installs alongside itself.
if exist log.txt del log.txt
set origin=C:\Qoobox\Quarantine\c
pushd %origin%
REM For each folder: recreate it if missing, kill any running copy of the file,
REM then move every bak\*.exe.vir back. The ~n modifier drops the .vir extension.
For %%g in (
"Program Files\Common Files\Roxio Shared\System"
"Program Files\Messenger"
"Program Files\Network Associates\Common Framework"
"Program Files\Roxio\Easy CD Creator 6\AudioCentral"
"Program Files\Roxio\Easy CD Creator 6\DragToDisc"
"WINDOWS\system32"
) do (
if not exist \%%g md \%%g
for /f "tokens=*" %%h in ('vfind -tf "%%~g\bak\*.exe.vir"') do (
nircmd killprocess "C:\%%~g\%%~nh"
move /y "%%~h" "\%%~g\%%~nh"
if not exist "%%~h" echo."%origin%\%%~h" moved successfully>>"%~dp0log.txt"
)
)
popd
start notepad log.txt
REM Remove the SaveNow leftover flagged by TotalScan and the hourly At*.job tasks that ran 715RAsy4.exe.
del /q "c:\windows\downloaded program files\wuinst.inf"
del /q "C:\WINDOWS\Tasks\At*.job"
del /q fix.bat
exit


Double click on fix.bat

Notepad will open; please copy/paste the contents here.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
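The batch file above depends on ComboFix's quarantine layout: a file taken from C:\dir\name.exe is kept as C:\Qoobox\Quarantine\c\dir\bak\name.exe.vir, so restoring means dropping the quarantine root, the bak folder and the .vir extension (the %%~nh modifier does the last step). Restoring from quarantine indiscriminately would also bring back whatever ComboFix removed, which is why the script is limited to the folders whose Run entries showed an empty [ ]. The Python below is an added example, not part of this thread or of ComboFix. It works out the same path mapping as a dry run and only plans a move when the destination is on an explicit allowlist. The first two quarantine paths and the allowlist are taken from the log lines in this thread; the other two quarantine paths are constructed, one of them a made-up quarantined copy of 715RAsy4.exe that must stay where it is.

```python
from pathlib import PureWindowsPath

# ComboFix keeps its quarantine as a mirror of the C: tree under this root.
QUARANTINE_ROOT = PureWindowsPath(r"C:\Qoobox\Quarantine\c")


def restore_target(quarantined):
    r"""Map C:\Qoobox\Quarantine\c\<dir>\bak\<name>.vir back to C:\<dir>\<name>.
    Raises ValueError for anything that is not a bak copy under the quarantine root."""
    q = PureWindowsPath(quarantined)
    try:
        rel = q.relative_to(QUARANTINE_ROOT)
    except ValueError:
        raise ValueError(f"not under quarantine root: {quarantined}") from None
    if q.suffix.lower() != ".vir" or rel.parent.name.lower() != "bak":
        raise ValueError(f"not a bak copy: {quarantined}")
    original_dir = rel.parent.parent                       # strip the trailing 'bak' folder
    return PureWindowsPath("C:\\") / original_dir / q.stem  # .stem drops only the '.vir'


def plan_restores(quarantined_files, allowed_destinations):
    """Dry run of the batch file's move step. Returns (moves, skipped): a quarantined
    copy is moved only if its restore target is on the allowlist (compared
    case-insensitively, as Windows paths are); everything else stays in quarantine."""
    allowed = {str(PureWindowsPath(p)).lower() for p in allowed_destinations}
    moves, skipped = [], []
    for src in quarantined_files:
        try:
            dst = restore_target(src)
        except ValueError as exc:
            skipped.append((src, str(exc)))
            continue
        if str(dst).lower() in allowed:
            moves.append((src, str(dst)))
        else:
            skipped.append((src, "not on allowlist"))
    return moves, skipped


# Constructed sample. The first two paths appear in the fix.bat output in this
# thread; the last two are made up: a bak copy of the At-job binary (must not be
# restored) and a .vir file without a bak folder (a plain deletion, not a set-aside).
QUARANTINED = [
    r"C:\Qoobox\Quarantine\c\Program Files\Common Files\Roxio Shared\System\bak\EngUtil.exe.vir",
    r"C:\Qoobox\Quarantine\c\WINDOWS\system32\bak\ctfmon.exe.vir",
    r"C:\Qoobox\Quarantine\c\WINDOWS\System32\bak\715RAsy4.exe.vir",
    r"C:\Qoobox\Quarantine\c\WINDOWS\system32\example.dll.vir",
]

# Allowlist: the destinations the batch file above is meant to put back,
# written with the casing the Run keys use to show the case-insensitive match.
ALLOWED = [
    r"C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe",
    r"C:\WINDOWS\System32\ctfmon.exe",
]


if __name__ == "__main__":
    moves, skipped = plan_restores(QUARANTINED, ALLOWED)
    for src, dst in moves:
        print(f"move  {src}\n  ->  {dst}")
    for src, why in skipped:
        print(f"keep  {src}  ({why})")
```

The allowlist is the check the batch file achieves implicitly by naming only six folders; writing it out as a list of full file paths makes the intent reviewable before anything is moved, which matters when the same quarantine tree also holds the files ComboFix removed on purpose.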

Re: My Log for my infected computer

Unread postby jdenelle » February 19th, 2008, 9:37 pm

Fix.bat files:

"C:\Qoobox\Quarantine\c\Program Files\Common Files\Roxio Shared\System\bak\EngUtil.exe.vir" moved successfully
"C:\Qoobox\Quarantine\c\Program Files\Messenger\bak\msmsgs.exe.vir" moved successfully
"C:\Qoobox\Quarantine\c\Program Files\Network Associates\Common Framework\bak\UpdaterUI.exe.vir" moved successfully
"C:\Qoobox\Quarantine\c\Program Files\Roxio\Easy CD Creator 6\AudioCentral\bak\RxMon.exe.vir" moved successfully
"C:\Qoobox\Quarantine\c\Program Files\Roxio\Easy CD Creator 6\DragToDisc\bak\DrgToDsc.exe.vir" moved successfully
"C:\Qoobox\Quarantine\c\WINDOWS\system32\bak\ctfmon.exe.vir" moved successfully
"C:\Qoobox\Quarantine\c\WINDOWS\system32\bak\NeroCheck.exe.vir" moved successfully

Re: My Log for my infected computer

Unread postby Katana » February 20th, 2008, 6:33 am

That looks great :)

Please can you run ComboFix one last time, and post the log along with a final HJT log

How are things running now?

Re: My Log for my infected computer

Unread postby jdenelle » February 20th, 2008, 10:24 am

Computer's better...no more popups and fake warning messages. I'm at work now, so I'll do the Combo and HJT logs when I get home. Thanks for your help. :)

Re: My Log for my infected computer

Unread postby jdenelle » February 21st, 2008, 8:35 pm

Question: When I ran TotalScan, why didn't I select to 'disinfect files'?

Combolog
ComboFix 08-02-17.2 - Administrator 2008-02-21 18:20:20.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.97 [GMT -6:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-01-22 to 2008-02-22 )))))))))))))))))))))))))))))))
.

2008-02-17 17:16 . 2008-02-17 17:17 <DIR> d-------- C:\Program Files\Panda Security
2008-02-17 14:03 . 2008-02-17 14:06 212 --a------ C:\delete.bat
2008-02-16 18:14 . 2008-02-16 18:14 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-16 18:14 . 2008-02-16 18:14 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-16 18:14 . 2008-02-16 18:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-16 17:44 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-16 17:41 . 2008-02-16 17:44 <DIR> d-------- C:\Program Files\Java
2008-02-16 17:40 . 2008-02-16 17:40 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-15 16:16 . 2008-02-15 16:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-06 16:47 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-02-06 16:47 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-02-06 16:47 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-02-06 16:47 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-01-31 10:32 . 2008-01-31 10:32 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-31 10:32 . 2008-01-31 10:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-31 10:30 . 2008-01-31 10:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-23 19:55 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 04:41 13312]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-30 17:47 68856]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 04:40 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2003-09-29 07:10 81990]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-06-15 02:12 135224]
"nwiz"="nwiz.exe" [2003-07-28 15:19 323584 C:\WINDOWS\system32\nwiz.exe]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-02-27 04:31 69632]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-02-27 03:36 757760]
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-02-26 15:50 253952]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]
Printkey2000.lnk - C:\Program Files\PrintKey2000\Printkey2000.exe [2004-05-07 09:45:32 869376]

S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe [2001-08-23 06:00]

*Newly Created Service* - RKPAVPROC
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-21 18:22:31
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-21 18:23:21
ComboFix-quarantined-files.txt 2008-02-22 00:23:08
ComboFix2.txt 2008-02-17 23:10:19
ComboFix3.txt 2008-02-17 00:05:42
ComboFix4.txt 2008-02-02 21:23:29
ComboFix5.txt 2008-02-01 22:11:51


HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:27:57 PM, on 2/21/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/cabs/ascstubie.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = la.gr.repsolypf.com
O17 - HKLM\Software\..\Telephony: DomainName = la.gr.repsolypf.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = la.gr.repsolypf.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 6311 bytes