Can Not Remove Virtumonde


Re: Can Not Remove Virtumonde

Post by dan12 » March 30th, 2008, 6:54 am

I need to do a bit more research on those files :)
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Can Not Remove Virtumonde

Post by dan12 » March 30th, 2008, 8:37 pm

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\Documents and Settings\Derek\Desktop\Derek's Stuff\New Downloaded\setup.exe
C:\Documents and Settings\Derek\Local Settings\Temp\Av-test.txt
C:\Documents and Settings\Derek\Local Settings\Temp\RCX4.tmp
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\HijackThis\backups\backup-20071225-202636-925-source.html


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Post the combo log.

=======================================

Does your version of Spyware Doctor come with a/v and firewall? If not, use the links provided to get one of each.

You only need one anti-virus and one firewall running together.


You aren't running Anti Virus Software

Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer, Web server, or network.
Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software from one of these excellent vendors NOW:

1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition
-Anti-virus program for Windows.
-The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition
-Free edition of the AVG anti-virus program for Windows.



There is no sign of a Third Party Firewall installed on your system.
As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

There are several possible reasons for the Firewall not showing.
  1. You are using Windows Firewall. This is not recommended as it will only stop incoming material. It permits all outgoing traffic.
  2. You are using a hardware firewall. It should be complemented with a Third Party Software Firewall
  3. You have a firewall, but you disabled it. Please re-enable it.
  4. You don't have a firewall at all.

If you don't have a third party firewall, please get ONE firewall and install it. Restart the computer for changes to take effect.

Online Armor
Comodo Personal Firewall

Please post back a new HijackThis log after installing the firewall.

Thanks dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Can Not Remove Virtumonde

Post by dab6181 » March 31st, 2008, 10:22 pm

Thanks again, I can say that my system is performing much faster than before.

Here are the logs:

ComboFix 08-03-27.2 - Derek 2008-03-31 21:06:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1627 [GMT -6:00]
Running from: C:\Documents and Settings\Derek\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Derek\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Derek\Desktop\Derek's Stuff\New Downloaded\setup.exe
C:\Documents and Settings\Derek\Local Settings\Temp\Av-test.txt
C:\Documents and Settings\Derek\Local Settings\Temp\RCX4.tmp
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\HijackThis\backups\backup-20071225-202636-925-source.html
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Derek\Desktop\Derek's Stuff\New Downloaded\setup.exe
C:\Documents and Settings\Derek\Local Settings\Temp\Av-test.txt
C:\Documents and Settings\Derek\Local Settings\Temp\RCX4.tmp
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\HijackThis\backups\backup-20071225-202636-925-source.html
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\asxdaqrb.ini
C:\WINDOWS\system32\btsebbsb.ini
C:\WINDOWS\system32\byysmdyc.ini
C:\WINDOWS\system32\ceayejlx.dll
C:\WINDOWS\system32\gdfuhmju.exe
C:\WINDOWS\system32\gebyv.dll
C:\WINDOWS\system32\gebyv.exe
C:\WINDOWS\system32\grojhueo.ini
C:\WINDOWS\system32\ikhcore.cfg
C:\WINDOWS\system32\iswujybt.ini
C:\WINDOWS\system32\mbjpbytn.ini
C:\WINDOWS\system32\mkgcdmog.ini
C:\WINDOWS\system32\ogqyfako.dll
C:\WINDOWS\system32\okafyqgo.ini
C:\WINDOWS\system32\oyilybew.ini
C:\WINDOWS\system32\ppnst.dll
C:\WINDOWS\system32\qwphsrnx.ini
C:\WINDOWS\system32\RCX10.tmp
C:\WINDOWS\system32\RCX11.tmp
C:\WINDOWS\system32\RCX1E.tmp
C:\WINDOWS\system32\RCXA.tmp
C:\WINDOWS\system32\RCXF.tmp
C:\WINDOWS\system32\tehqgyey.ini
C:\WINDOWS\system32\tmjgkjce.ini
C:\WINDOWS\system32\ujdanjwu.ini
C:\WINDOWS\system32\urpejwlu.ini
C:\WINDOWS\system32\vnjewtkx.ini
C:\WINDOWS\system32\vswifcts.ini
C:\WINDOWS\system32\vybeg.ini
C:\WINDOWS\system32\vybeg.ini2
C:\WINDOWS\system32\wrvoqifa.ini
C:\WINDOWS\system32\ymuhuxvq.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_npf
-------\Service_npf


((((((((((((((((((((((((( Files Created from 2008-03-01 to 2008-04-01 )))))))))))))))))))))))))))))))
.

2008-03-29 17:47 . 2008-03-29 17:47 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-29 17:47 . 2008-03-29 17:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-29 13:42 . 2008-03-29 13:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-29 13:42 . 2008-03-29 13:42 <DIR> d-------- C:\Documents and Settings\Derek\Application Data\Malwarebytes
2008-03-29 13:42 . 2008-03-29 13:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-28 23:15 . 2008-03-29 13:21 0 --ah----- C:\BIT6.tmp
2008-03-27 18:40 . 2008-03-29 13:31 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-03-27 18:40 . 2008-03-27 18:40 <DIR> d-------- C:\Documents and Settings\Derek\Application Data\PC Tools
2008-03-27 18:40 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-03-27 18:40 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-03-27 18:40 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-03-27 18:40 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-03-27 16:48 . 2008-03-27 16:48 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-27 16:46 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-03-27 16:46 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-03-27 16:46 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-27 16:46 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-27 16:46 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-03-25 16:25 . 2008-03-25 16:25 <DIR> d-------- C:\Logs
2008-03-23 17:59 . 2008-03-23 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-20 19:46 . 2008-03-27 07:15 920 --a------ C:\WINDOWS\wininit.ini
2008-03-20 19:30 . 2008-03-29 13:29 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-20 19:30 . 2008-03-27 17:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-15 13:35 . 2008-03-28 23:02 0 --ah----- C:\BIT126.tmp
2008-03-12 12:33 . 2008-03-12 12:33 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-01 03:06 --------- d-----w C:\Program Files\iTunes
2008-03-29 19:40 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-29 19:40 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-29 19:29 --------- d-----w C:\Program Files\Lexmark 4300 Series
2008-03-29 19:29 --------- d-----w C:\Program Files\Curse
2008-03-28 02:44 158,208 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig.exe
2008-03-27 06:34 --------- d-----w C:\Program Files\Winamp
2008-03-25 21:56 --------- d-----w C:\Program Files\World of Warcraft
2008-03-21 00:47 --------- d-----w C:\Documents and Settings\Derek\Application Data\LimeWire
2008-02-25 03:37 --------- d-----w C:\Documents and Settings\Derek\Application Data\GetRightToGo
2008-02-25 03:17 --------- d-----w C:\Documents and Settings\Derek\Application Data\Turbine
2008-02-25 02:51 --------- d-----w C:\Program Files\Turbine
2008-02-13 04:24 --------- d-----w C:\Documents and Settings\Derek\Application Data\IGN_DLM
2008-02-08 17:47 --------- d-----w C:\Program Files\Google
2008-02-02 04:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-02 04:52 --------- d-----w C:\Program Files\Sony
2007-12-18 17:08 4,346,084 ----a-w C:\Documents and Settings\Derek\WoW-2.3.0.7561-to-0.3.2.7627-enUS-patch.exe
2007-08-30 01:06 17,528 ----a-w C:\Documents and Settings\Derek\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-03-29_13.37.34.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 18:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 21:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 21:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Derek^Start Menu^Programs^Startup^Spruce - Auto Update.lnk]
path=C:\Documents and Settings\Derek\Start Menu\Programs\Startup\Spruce - Auto Update.lnk
backup=C:\WINDOWS\pss\Spruce - Auto Update.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Derek^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Derek\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 02:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-03-13 09:51 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-06-27 18:03 152872 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bssa]
C:\WINDOWS\system32\ECURIT~1\notepad.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2007-12-25 20:04 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CurseClient]
--a------ 2008-03-25 18:02 477696 C:\Program Files\Curse\CurseClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
--a------ 2008-03-13 09:51 1103480 C:\Program Files\FilePlanet\Download Manager\dlm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
--a------ 2008-03-28 23:44 1103240 C:\Program Files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-14 23:43 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2008-03-20 21:08 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSnD]
--a------ 2008-03-27 17:44 5146448 C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 02:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-01-15 16:54 37376 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=

[HKLM\~\Services\\mlnet.exe"=]


.
Contents of the 'Scheduled Tasks' folder
"2008-03-29 02:58:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 21:09:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-03-31 21:12:04 - machine was rebooted [Derek]
ComboFix-quarantined-files.txt 2008-04-01 03:12:02
ComboFix2.txt 2008-03-29 05:12:10
ComboFix3.txt 2007-12-26 02:49:34
Pre-Run: 63,648,145,408 bytes free
Post-Run: 63,633,424,384 bytes free

And:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:20:40 PM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\Removal.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 6657940390
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 2671 bytes
dab6181
Active Member
 
Posts: 10
Joined: March 27th, 2008, 9:41 pm
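The HijackThis log above is the kind of artifact the helper reads by hand, line by line. As an added example, not part of the original thread and not HijackThis's own code, here is a small Python parser that turns the R1/O4/O9/O16/O23 lines quoted above into structured records and lists the services that HijackThis attributed to an unknown owner. The sample log is a copied subset of the log posted above; the record field names and function names are this example's own.

```python
"""Parse HijackThis v2 log lines into records (added example, not HJT's own code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: lines copied from the HijackThis v2.0.2 log posted above,
# plus the trailer HJT prints, so the parser can show that it skips non-entry lines.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
--
End of file - 2671 bytes
"""


@dataclass
class Entry:
    kind: str                    # HJT section code: R1, O4, O16, O23, ...
    name: str                    # value name, service name or control description
    target: str                  # file path or URL the entry points at
    fields: Dict[str, str] = field(default_factory=dict)  # other captured groups
    raw: str = ""


# Every HJT entry starts with "<code> - "; the rest is section specific.
_KIND = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<rest>.*)$")

# Section-specific layouts for the codes that appear in the log above.
_PATTERNS = {
    "R1": re.compile(r"^(?P<key>[^,]+),(?P<name>.+?) = (?P<target>.*)$"),
    "O4": re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<target>.*)$"),
    "O9": re.compile(r"^(?P<what>.+?): (?P<name>.+?) - (?P<clsid>\{[^}]+\}) - (?P<target>.*)$"),
    "O16": re.compile(r"^DPF: (?P<clsid>\{[^}]+\}) \((?P<name>[^)]*)\) - (?P<target>.*)$"),
    "O23": re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<target>.*)$"),
}


def parse_line(line: str) -> Optional[Entry]:
    """Turn one HJT log line into an Entry; None for headers, blanks and trailers."""
    line = line.strip()
    m = _KIND.match(line)
    if not m:
        return None
    kind, rest = m.group("kind"), m.group("rest")
    pat = _PATTERNS.get(kind)
    sub = pat.match(rest) if pat else None
    if not sub:
        # A section code without a dedicated pattern: keep it, unparsed.
        return Entry(kind=kind, name="", target=rest, raw=line)
    groups = sub.groupdict()
    return Entry(
        kind=kind,
        name=groups.pop("name"),
        target=groups.pop("target").strip('"'),  # O4 targets are often quoted
        fields=groups,
        raw=line,
    )


def parse_log(text: str) -> List[Entry]:
    """Parse a whole log; lines that are not HJT entries are dropped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def services_with_unknown_owner(entries: List[Entry]) -> List[str]:
    """O23 services whose binary HJT could not attribute to a vendor.
    'Unknown owner' is not evidence of anything by itself; it is a prompt to
    look the path up, which is exactly how a helper triages these logs."""
    return [e.name for e in entries
            if e.kind == "O23" and e.fields.get("owner") == "Unknown owner"]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in parsed:
        print(f"{e.kind:4} {e.name!r:48} -> {e.target}")
    print("services with unknown owner:", services_with_unknown_owner(parsed))
```

The parser keeps the captured groups it does not promote (registry key, CLSID, owner) in `fields`, so a triage script can still group O16 controls by CLSID or O4 entries by hive without a second parse.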

Re: Can Not Remove Virtumonde

Post by dan12 » April 1st, 2008, 1:03 am

Hi, pleased it's running ok.
Have you removed spyware doctor?
I see you have yourself a firewall however you still don't have an antivirus program running.
Please choose one from the links I gave you.


We need to reveal system folders
  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the Tools menu and click Folder Options
  • After the new window appears select the View tab.
  • Place a checkmark in the checkbox labeled Display the contents of system folders
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types
  • Remove the checkmark from the checkbox labeled Hide protected operating system files
  • Press the Apply and then the OK button and shut down My Computer
  • Now your computer is configured to show all hidden files.
  • For you and the tools to be able to see appropriate files we need to Show Hidden Files


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code:
FileLook::
C:\BIT126.tmp
C:\BIT6.tmp

Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Please include in your next post:
  • Combofix log txt

Thanks dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Can Not Remove Virtumonde

Post by dan12 » April 1st, 2008, 4:09 pm

How we doing?
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Can Not Remove Virtumonde

Post by dab6181 » April 1st, 2008, 5:58 pm

Everything seems to be working fine.

Does spyware doctor count as an antivirus? I just have it totally disabled during this whole process so it doesn't turn back on during bootup and screw up the combo fix.

Here are my new logs:

ComboFix 08-03-27.2 - Derek 2008-04-01 16:50:13.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1665 [GMT -6:00]
Running from: C:\Documents and Settings\Derek\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Derek\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-03-01 to 2008-04-01 )))))))))))))))))))))))))))))))
.

2008-03-31 21:12 . 2008-03-31 21:12 <DIR> d-------- C:\Program Files\Tall Emu
2008-03-31 21:12 . 2008-04-01 16:53 <DIR> d-------- C:\Documents and Settings\Derek\Application Data\OnlineArmor
2008-03-31 21:12 . 2008-03-31 21:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OnlineArmor
2008-03-31 21:12 . 2008-03-23 10:21 80,072 --a------ C:\WINDOWS\system32\drivers\OADriver.sys
2008-03-31 21:12 . 2008-03-23 10:21 32,456 --a------ C:\WINDOWS\system32\drivers\OAmon.sys
2008-03-31 21:12 . 2008-03-23 10:21 28,872 --a------ C:\WINDOWS\system32\drivers\oanet.sys
2008-03-29 13:42 . 2008-03-29 13:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-29 13:42 . 2008-03-29 13:42 <DIR> d-------- C:\Documents and Settings\Derek\Application Data\Malwarebytes
2008-03-29 13:42 . 2008-03-29 13:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-28 23:15 . 2008-03-29 13:21 0 --ah----- C:\BIT6.tmp
2008-03-27 18:40 . 2008-03-29 13:31 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-03-27 18:40 . 2008-03-27 18:40 <DIR> d-------- C:\Documents and Settings\Derek\Application Data\PC Tools
2008-03-27 18:40 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-03-27 18:40 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-03-27 18:40 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-03-27 18:40 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-03-27 16:48 . 2008-03-27 16:48 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-27 16:46 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-03-27 16:46 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-03-27 16:46 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-27 16:46 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-27 16:46 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-03-25 16:25 . 2008-03-25 16:25 <DIR> d-------- C:\Logs
2008-03-23 17:59 . 2008-03-23 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-20 19:46 . 2008-03-27 07:15 920 --a------ C:\WINDOWS\wininit.ini
2008-03-20 19:30 . 2008-03-29 13:29 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-20 19:30 . 2008-03-27 17:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-15 13:35 . 2008-03-28 23:02 0 --ah----- C:\BIT126.tmp
2008-03-12 12:33 . 2008-03-12 12:33 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-01 03:06 --------- d-----w C:\Program Files\iTunes
2008-03-29 19:40 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-29 19:40 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-29 19:29 --------- d-----w C:\Program Files\Lexmark 4300 Series
2008-03-29 19:29 --------- d-----w C:\Program Files\Curse
2008-03-28 02:44 158,208 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig.exe
2008-03-27 06:34 --------- d-----w C:\Program Files\Winamp
2008-03-25 21:56 --------- d-----w C:\Program Files\World of Warcraft
2008-03-21 00:47 --------- d-----w C:\Documents and Settings\Derek\Application Data\LimeWire
2008-02-25 03:37 --------- d-----w C:\Documents and Settings\Derek\Application Data\GetRightToGo
2008-02-25 03:17 --------- d-----w C:\Documents and Settings\Derek\Application Data\Turbine
2008-02-25 02:51 --------- d-----w C:\Program Files\Turbine
2008-02-13 04:24 --------- d-----w C:\Documents and Settings\Derek\Application Data\IGN_DLM
2008-02-08 17:47 --------- d-----w C:\Program Files\Google
2008-02-02 04:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-02 04:52 --------- d-----w C:\Program Files\Sony
2007-12-18 17:08 4,346,084 ----a-w C:\Documents and Settings\Derek\WoW-2.3.0.7561-to-0.3.2.7627-enUS-patch.exe
2007-08-30 01:06 17,528 ----a-w C:\Documents and Settings\Derek\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OnlineArmor GUI"="C:\Program Files\Tall Emu\Online Armor\oaui.exe" [2008-03-23 10:21 5519424]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll [2008-03-23 10:21 671432]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Derek^Start Menu^Programs^Startup^Spruce - Auto Update.lnk]
path=C:\Documents and Settings\Derek\Start Menu\Programs\Startup\Spruce - Auto Update.lnk
backup=C:\WINDOWS\pss\Spruce - Auto Update.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Derek^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Derek\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 02:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-03-13 09:51 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-06-27 18:03 152872 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bssa]
C:\WINDOWS\system32\ECURIT~1\notepad.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2007-12-25 20:04 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CurseClient]
--a------ 2008-03-25 18:02 477696 C:\Program Files\Curse\CurseClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
--a------ 2008-03-13 09:51 1103480 C:\Program Files\FilePlanet\Download Manager\dlm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
--a------ 2008-03-28 23:44 1103240 C:\Program Files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-14 23:43 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2008-03-20 21:08 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSnD]
--a------ 2008-03-27 17:44 5146448 C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 02:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-01-15 16:54 37376 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=

[HKLM\~\Services\\mlnet.exe"=]

R1 OADevice;OADriver;C:\WINDOWS\system32\drivers\OADriver.sys [2008-03-23 10:21]
R1 OAmon;OAmon;C:\WINDOWS\system32\drivers\OAmon.sys [2008-03-23 10:21]
R1 OAnet;OAnet;C:\WINDOWS\system32\drivers\OAnet.sys [2008-03-23 10:21]
R2 SvcOnlineArmor;Online Armor;"C:\Program Files\Tall Emu\Online Armor\oasrv.exe" [2008-03-23 10:21]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-29 02:58:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-01 16:53:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc22.tmp"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-04-01 16:56:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-01 22:55:57
ComboFix2.txt 2008-04-01 03:12:05
ComboFix3.txt 2008-03-29 05:12:10
ComboFix4.txt 2007-12-26 02:49:34
Pre-Run: 63,639,015,424 bytes free
Post-Run: 63,628,554,240 bytes free
dab6181
Active Member
 
Posts: 10
Joined: March 27th, 2008, 9:41 pm
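The "Reg Loading Points" section of the ComboFix log above is REGEDIT4-style text, and two of its keys carry the facts the helper keeps coming back to: the Security Center notification flags and the Windows Firewall standard-profile value. As an added example, not part of the thread and not ComboFix's own tooling, here is a Python parser for that section plus a summary of those values. The sample section is copied from the log above; the function names are this example's own. A 1 in `AntiVirusDisableNotify` or `UpdatesDisableNotify` means Security Center alerts for that component are suppressed, so the user would not have been warned about the missing anti-virus the helper points out; `EnableFirewall` 0 means the Windows Firewall standard profile is off, which is consistent with Online Armor having taken over, but is something to confirm rather than assume.

```python
"""Parse a ComboFix 'Reg Loading Points' section (added example, not ComboFix's code)."""
import re
from typing import Dict, Optional, Union

RegValue = Union[int, str, None]

# Constructed sample: keys copied from the second ComboFix log posted above.
SAMPLE_SECTION = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OnlineArmor GUI"="C:\Program Files\Tall Emu\Online Armor\oaui.exe" [2008-03-23 10:21 5519424]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"""

_KEY = re.compile(r"^\[(?P<key>.+)\]$")
# "name"=value ; the name may contain escaped backslashes (REGEDIT4 style).
_VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=\s*(?P<val>.*)$')
# ComboFix prints some numbers as "0 (0x0)" rather than dword:00000000.
_INT_WITH_HEX = re.compile(r"^(?P<dec>-?\d+) \(0x[0-9A-Fa-f]+\)$")


def decode_value(val: str) -> RegValue:
    """Interpret the right-hand side of a "name"=value line."""
    val = val.strip()
    if val == "":
        return None                         # "name"=   (no value shown)
    if val.lower().startswith("dword:"):
        return int(val[6:], 16)             # dword:00000001 -> 1
    m = _INT_WITH_HEX.match(val)
    if m:
        return int(m.group("dec"))          # 0 (0x0) -> 0
    if val.startswith('"'):
        end = val.find('"', 1)              # quoted string; drop trailing [date size]
        return val[1:end] if end > 0 else val
    return val                              # anything else: keep the raw text


def parse_reg_section(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Map each [key] (lower-cased) to its {name: value} entries."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        km = _KEY.match(line)
        if km:
            current = km.group("key").lower()
            keys.setdefault(current, {})
            continue
        vm = _VALUE.match(line)
        if vm and current is not None:
            name = vm.group("name").replace("\\\\", "\\")   # un-escape REGEDIT4 backslashes
            keys[current][name] = decode_value(vm.group("val"))
    return keys


def find_key(reg: Dict[str, Dict[str, RegValue]], suffix: str) -> Dict[str, RegValue]:
    """ComboFix abbreviates hives (HKLM\\~\\...), so match keys by their tail."""
    suffix = suffix.lower()
    for k, values in reg.items():
        if k.endswith(suffix):
            return values
    return {}


def security_posture(reg: Dict[str, Dict[str, RegValue]]) -> Dict[str, bool]:
    """Summarise the Security Center and firewall-policy values the log listed."""
    sc = find_key(reg, r"\security center")
    fw = find_key(reg, r"\firewallpolicy\standardprofile")
    return {
        "av_alerts_suppressed": sc.get("AntiVirusDisableNotify") == 1,
        "update_alerts_suppressed": sc.get("UpdatesDisableNotify") == 1,
        "windows_firewall_on": fw.get("EnableFirewall", 1) != 0,
    }


if __name__ == "__main__":
    reg = parse_reg_section(SAMPLE_SECTION)
    for key, values in reg.items():
        print(key, values)
    print(security_posture(reg))
```

Run over the full section of a log, `parse_reg_section` also yields the `Run` and `AuthorizedApplications\List` entries, so the same structure can feed a per-key diff between the two ComboFix runs posted in this thread.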

Re: Can Not Remove Virtumonde

Post by dan12 » April 1st, 2008, 6:17 pm

It's a good idea to have it disabled whilst the scans are running :)
I'm not sure if your version comes bundled with a security suite, is it the free version?
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Can Not Remove Virtumonde

Post by dab6181 » April 1st, 2008, 7:54 pm

Nada, I actually have the paid version thinking it would solve this Virtumonde problem.
dab6181
Active Member
 
Posts: 10
Joined: March 27th, 2008, 9:41 pm

Re: Can Not Remove Virtumonde

Post by dan12 » April 2nd, 2008, 5:16 pm

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\BIT126.tmp
C:\BIT6.tmp

Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Post me a combo log and a fresh HJT log.
dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Can Not Remove Virtumonde

Post by dan12 » April 6th, 2008, 2:10 pm

how we doing?
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Can Not Remove Virtumonde

Post by Gary R » April 12th, 2008, 3:48 am

Due to lack of response this topic is now closed.

If you still need help open a new thread in the Malware Removal forum and wait for a new helper.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal

Gary R
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire