Nasty Infection

Post by gman33 » May 24th, 2008, 3:39 am

I have just been infected with a virus that has disabled access to my task manager, control panel, my computer, regedit, and the run window. Also there are constant antivirus program popups, my clock has been changed and my windows validation icon is back in my systray. I've already run a full virus scan with AntiVir in safe mode with no detections, however it is periodically blocking a Vundo attack. I've also run VundoFix and nothing was detected.

Below is my log file. Any help will be much appreciated.

Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:03: VIRUS ALERT!, on 5/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Glen\Desktop\HiJackThis.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm ... Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {613E416F-BCB6-43AD-B0FC-DF7B0D5A70BF} - C:\WINDOWS\system32\fcccbxvu.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: gktxaspm - {2890C98D-5959-4A94-A6C2-C59E85462152} - C:\WINDOWS\gktxaspm.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 2044452499
O16 - DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} (ActiveView Control) - http://unimart.dvrdns.org:3002/ActiveView.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 2046273627
O20 - Winlogon Notify: fcccbxvu - C:\WINDOWS\system32\fcccbxvu.dll
O21 - SSODL: pxgdslro - {DA10708E-BF18-4619-AC9A-8BB3925433EE} - C:\WINDOWS\pxgdslro.dll
O21 - SSODL: gnowmebk - {C12DF872-039F-42EF-832D-0F6D20C53AD9} - C:\WINDOWS\gnowmebk.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6932 bytes
gman33
Regular Member
 
Posts: 19
Joined: May 24th, 2008, 3:25 am
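As an added illustration (it is not part of this thread, nor code from HijackThis or the forum), the following Python script parses lines in the HijackThis format shown in the log above and applies two defender-side checks that a helper otherwise does by eye: a DLL referenced from more than one load point (BHO, toolbar, Winlogon Notify, SSODL), and a DLL sitting directly in C:\WINDOWS or system32 whose entry carries no descriptive name or only its own file stem. Both rules are heuristics assumed here, not anything HijackThis itself reports; the sample lines are copied from the log above, and a hit means "look closer", not "malicious".

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {613E416F-BCB6-43AD-B0FC-DF7B0D5A70BF} - C:\WINDOWS\system32\fcccbxvu.dll
O3 - Toolbar: gktxaspm - {2890C98D-5959-4A94-A6C2-C59E85462152} - C:\WINDOWS\gktxaspm.dll
O20 - Winlogon Notify: fcccbxvu - C:\WINDOWS\system32\fcccbxvu.dll
O21 - SSODL: pxgdslro - {DA10708E-BF18-4619-AC9A-8BB3925433EE} - C:\WINDOWS\pxgdslro.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# "O2 - BHO: name - {CLSID} - path": the section code and the kind are split off,
# the remainder is " - "-separated with the file path last.
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")

# HijackThis sections that load a DLL into Explorer, IE or winlogon.
DLL_SECTIONS = {"O2", "O3", "O20", "O21"}
WINDOWS_DIRS = (r"c:\windows", r"c:\windows\system32")


def parse_hjt(text):
    """Return one dict per recognisable HijackThis line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        parts = [p.strip() for p in m.group("rest").split(" - ")]
        entries.append({"code": m.group("code"), "kind": m.group("kind"),
                        "name": parts[0], "path": parts[-1]})
    return entries


def shared_dlls(entries):
    """DLLs referenced from more than one load point, with the sections involved."""
    seen = defaultdict(set)
    for e in entries:
        if e["code"] in DLL_SECTIONS and e["path"].lower().endswith(".dll"):
            seen[e["path"].lower()].add(e["code"])
    return {path: sorted(codes) for path, codes in seen.items() if len(codes) > 1}


def suspicious_entries(entries):
    r"""Heuristic (an assumption here, not a HijackThis rule): a DLL dropped directly
    into C:\WINDOWS or system32 whose entry has no descriptive name, or whose name is
    just the file's own stem, deserves a closer look. Returns sorted, de-duplicated paths."""
    flagged = set()
    for e in entries:
        if e["code"] not in DLL_SECTIONS:
            continue
        path = e["path"].lower()
        folder, _, filename = path.rpartition("\\")
        stem = filename.rsplit(".", 1)[0]
        if folder in WINDOWS_DIRS and e["name"].lower() in ("(no name)", stem):
            flagged.add(path)
    return sorted(flagged)


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    for path, codes in shared_dlls(found).items():
        print(f"{path} is loaded from {', '.join(codes)}")
    for path in suspicious_entries(found):
        print(f"check: {path}")
```

On the sample, fcccbxvu.dll is reported as loaded from both O2 and O20, which matches what the helper later targets in the CFScript; the Adobe and NVIDIA entries pass both checks because they carry a vendor name and live under Program Files or have a recognisable service name.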

Re: Nasty Infection

Post by dan12 » May 24th, 2008, 4:58 am

Welcome to the MalwareRemoval forums.

My name is Dan, and I will be helping you to remove any infection(s) that you may have.

Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.
If you can do these things, everything should go smoothly.
  • Please note you'll need to have Administrator privileges to perform the fixes. (XP accounts are Administrator by default)
  • Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.

Unless informed in advance, failure to post replies within 5 days will result in this thread being closed.


It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

I'm presently looking over your log and hope not to be too long.
Will be back with you as soon as I can.
Thanks dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Nasty Infection

Post by dan12 » May 24th, 2008, 5:03 am

HijackThis.exe needs a permanent folder of its own in order to create backups.
Create a folder on the desktop: right click on the desktop, select New Folder, and name it HJT. Now locate < path location >
and copy and paste it into the new folder (HJT) you created on the desktop.
Do this before you continue.

__________________

Disable Spybot Search & Destroy's SDHelper:
Open up Spybot Search & Destroy, go to Mode, and check Advanced Mode.
Go to the bottom left of the panel and click Tools, then click Resident.
Uncheck Resident SDHelper.
We will need to do this in reverse to enable it when the fix is done.

Disable Spybot's TeaTimer. This is a two step process.
First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident
Second:
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- If your firewall raises a question, say OK
- Uncheck the box labeled Resident Tea-Timer and OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.

Leave it disabled till I tell you it's ok to turn it back on.

______________________


We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Nasty Infection

Post by gman33 » May 25th, 2008, 10:24 am

Hi Dan,

Thanks for your help.

I've tried to follow your instructions as best I can. I do have multiple accounts on my machine. The infected account is "Glen", which has administrator rights. There is also an account "Dawn" with user-only rights and of course the "Administrator" account with administrator rights. While the infected account limits my access to many functions, I have logged on under the Administrator account and can access the registry and the command prompt etc., but I have only done that under safe mode so far, for fear of infecting that account as well.

I have followed your instructions using the infected account in normal mode. After ComboFix rebooted, my anti-virus reloaded at startup. Hopefully, that was ok. ComboFix continued to create its log file and I have included it below. However, now when I run HiJackThis, it runs ok, but when I 'create log' the log does not show up anywhere so I can't include it here.

Note: I noticed after ComboFix finished, I have regained access to the Task Manager from the taskbar, but everything else seems to be the same. I'm now getting popups in Firefox where previously it was constantly trying to open popups in IE.

ComboFix 08-05-24.1 - Glen 2008-05-25 9:26:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.202 [GMT -4:00]
Running from: C:\Documents and Settings\Glen\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Glen\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Glen\Desktop\Error Cleaner.url
C:\Documents and Settings\Glen\Desktop\Privacy Protector.url
C:\Documents and Settings\Glen\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Glen\Favorites\Error Cleaner.url
C:\Documents and Settings\Glen\Favorites\Privacy Protector.url
C:\Documents and Settings\Glen\Favorites\Spyware&Malware Protection.url
C:\WINDOWS\gnowmebk.dll
C:\WINDOWS\system32\ddcDssQK.dll
C:\WINDOWS\system32\KQssDcdd.ini
C:\WINDOWS\system32\KQssDcdd.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.

2008-05-24 06:52 . 2008-05-24 06:52 135 --a------ C:\WINDOWS\wininit.ini
2008-05-24 02:03 . 2008-05-24 02:03 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-24 02:03 . 2008-05-24 02:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-23 23:00 . 2008-05-23 23:00 <DIR> d-------- C:\VundoFix Backups
2008-05-23 21:10 . 2008-05-23 21:10 <DIR> d-------- C:\Documents and Settings\Glen\Application Data\TmpRecentIcons
2008-05-23 20:17 . 2008-05-23 20:17 <DIR> d-------- C:\Program Files\Antivirus 2008 PRO
2008-05-23 19:37 . 2008-05-23 19:37 29,312 --a------ C:\WINDOWS\system32\fcccbxvu.dll
2008-05-23 19:36 . 2008-05-23 14:50 94,208 --a------ C:\WINDOWS\eope.exe
2008-05-23 19:36 . 2008-05-23 14:51 81,920 --a------ C:\WINDOWS\mdtgkswr.exe
2008-05-23 09:00 . 2008-02-12 13:45 45,568 --a------ C:\WINDOWS\system32\lmdimon.dll
2008-05-22 22:04 . 2008-05-22 22:05 <DIR> d-------- C:\Program Files\VASST
2008-05-14 22:54 . 2008-05-14 23:03 13,030 --a------ C:\PDOXUSRS.NET
2008-05-14 22:53 . 2008-05-14 22:53 <DIR> d-------- C:\Program Files\Enable Computing
2008-05-14 22:53 . 2008-05-14 22:53 <DIR> d-------- C:\Program Files\Common Files\Borland Shared
2008-05-14 22:53 . 2008-05-14 22:53 <DIR> d-------- C:\Program Files\Borland
2008-05-14 22:47 . 2008-05-14 22:47 <DIR> d-------- C:\Documents and Settings\Glen\Application Data\Free-backup.info
2008-05-14 22:47 . 2001-01-05 04:42 351,232 --a------ C:\WINDOWS\system32\ibmgr.cpl
2008-05-14 22:47 . 2001-01-05 04:41 346,624 --a------ C:\WINDOWS\system32\gds32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 12:50 --------- d-----w C:\Documents and Settings\Glen\Application Data\OpenOffice.org2
2008-05-24 21:49 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-05-23 23:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
2008-05-23 23:21 --------- d-----w C:\Program Files\Sony
2008-05-23 23:19 --------- d-----w C:\Program Files\Sony Setup
2008-05-22 18:09 --------- d-----w C:\Documents and Settings\Glen\Application Data\gtk-2.0
2008-05-15 21:21 --------- d-----w C:\Documents and Settings\Glen\Application Data\AdobeUM
2008-04-22 01:54 --------- d-----w C:\Program Files\Rental Property Manager 2
2008-04-22 00:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-17 19:33 --------- d-----w C:\Program Files\Opera
2008-04-08 21:45 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-04-08 21:44 --------- d-----w C:\Program Files\OpenOffice.org 2.2
2008-03-25 01:07 --------- d-----w C:\Program Files\PyQt4
2008-03-25 01:06 --------- d-----w C:\Program Files\Python 2.5.2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{613E416F-BCB6-43AD-B0FC-DF7B0D5A70BF}]
2008-05-23 19:37 29312 --a------ C:\WINDOWS\system32\fcccbxvu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-18 19:55 262401]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"MplSetUp"="C:\Program Files\RMClient\MplSetUp.exe" [2000-11-04 21:09 40960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]

C:\Documents and Settings\Glen\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 21:57:56 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 00:37:56 217194]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 00:37:56 217194]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-11 19:47:47 110592]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"= 1 (0x1)
"NoStartMenuMorePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{613E416F-BCB6-43AD-B0FC-DF7B0D5A70BF}"= C:\WINDOWS\system32\fcccbxvu.dll [2008-05-23 19:37 29312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcccbxvu]
fcccbxvu.dll 2008-05-23 19:37 29312 C:\WINDOWS\system32\fcccbxvu.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\opnnkjkh

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\eMule\\emule.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:eMule TCP
"4672:UDP"= 4672:UDP:eMule UDP

R0 Pnp680r;Silicon Image SiI 0680 Medley Raid Controller;C:\WINDOWS\system32\DRIVERS\pnp680r.sys [2002-05-31 16:35]
R2 InterBaseGuardian;InterBase Guardian;C:\Program Files\Borland\InterBase\bin\ibguard.exe [2001-01-05 04:41]
R2 NvNdis;NVIDIA NDIS IO Control Driver;C:\WINDOWS\system32\Drivers\NvNdis.sys [2004-12-13 09:44]
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 06:29]
R3 InterBaseServer;InterBase Server;C:\Program Files\Borland\InterBase\bin\ibserver.exe [2001-01-05 04:40]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 09:35:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\fcccbxvu.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.bin
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-05-25 9:43:47 - machine was rebooted [Glen]
ComboFix-quarantined-files.txt 2008-05-25 13:43:29

Pre-Run: 72,387,411,968 bytes free
Post-Run: 73,158,545,408 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

147 --- E O F --- 2008-05-16 22:44:24
gman33
Regular Member
 
Posts: 19
Joined: May 24th, 2008, 3:25 am

Re: Nasty Infection

Post by dan12 » May 25th, 2008, 11:35 am

1. Close any open browsers.

2. Open notepad and copy/paste the text in the codebox below into it:

Code:
http://malwareremoval.com/forum/viewtopic.php?p=302269#p302269
Collect::
C:\WINDOWS\system32\opnnkjkh[4]
File::
C:\WINDOWS\system32\fcccbxvu.dll
C:\WINDOWS\eope.exe
C:\WINDOWS\mdtgkswr.exe
C:\WINDOWS\system32\fcccbxvu.dll
Folder::
C:\VundoFix Backups
C:\Documents and Settings\Glen\Application Data\TmpRecentIcons
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{613E416F-BCB6-43AD-B0FC-DF7B0D5A70BF}]
[-hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcccbxvu]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00  


   


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


In addition, it will prompt you to submit some files for analyzing.

Image

Click OK.

Copy and paste the file path into the text box next to the Browse button (boxed up in red).

Image

Click on Send File.

Do not mouse click on Combofix while it is running. That may cause it to stall.

___________________


: Malwarebytes' Anti-Malware :

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Ok, to get a HJT log, right click on the HJT icon and run as administrator.

post the combo log
malwarebytes log
HJT log
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire
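The "Authentication Packages"=hex(7):... line in the Registry:: block of the CFScript above, and the LSA line in the first ComboFix log (Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\opnnkjkh), are easier to check once the hex is decoded. As an added example that is not part of this thread and not code from ComboFix, this Python snippet decodes and encodes REGEDIT4-style hex(7) values (REG_MULTI_SZ: NUL-terminated strings plus one trailing NUL, single-byte ANSI in REGEDIT4 files and UTF-16LE in "Windows Registry Editor Version 5.00" files) and reports which entries of the reported value the script would drop. The regex, the function names and the sample strings are constructed here.

```python
import re

# Constructed samples: the Registry:: lines from the CFScript in this thread, and the
# value ComboFix reported for the same key (split into its two REG_MULTI_SZ entries).
CFSCRIPT_LSA = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
'''
COMBOFIX_REPORTED = ["msv1_0", r"C:\WINDOWS\system32\opnnkjkh"]

# "Name"=hex(7):aa,bb,... on one line (continuation lines ending in "\" are not handled here).
HEX7_RE = re.compile(
    r'^"(?P<name>[^"]+)"=hex\(7\):(?P<bytes>[0-9a-fA-F]{2}(?:,[0-9a-fA-F]{2})*)\s*$', re.M)


def decode_multi_sz(hex_bytes, encoding="latin-1"):
    """Decode a hex(7) byte list into the strings of a REG_MULTI_SZ value.

    Each string is NUL-terminated and the list ends with one more NUL. REGEDIT4 files
    (the format ComboFix prints) store the bytes as single-byte ANSI; files headed
    'Windows Registry Editor Version 5.00' use UTF-16LE, so pass encoding="utf-16-le".
    """
    raw = bytes(int(b, 16) for b in hex_bytes.split(","))
    return [s for s in raw.decode(encoding).split("\0") if s]


def encode_multi_sz(strings, encoding="latin-1"):
    """Inverse of decode_multi_sz: produce the comma-separated hex byte list."""
    raw = b"".join(s.encode(encoding) + b"\0" for s in strings) + b"\0"
    return ",".join(f"{b:02x}" for b in raw)


def parse_hex7_values(text):
    """All hex(7) values in a .reg/CFScript fragment, keyed by value name."""
    return {m.group("name"): decode_multi_sz(m.group("bytes")) for m in HEX7_RE.finditer(text)}


def removed_by_script(script_text, value_name, reported):
    """Entries present in the reported value that the script's value would drop."""
    wanted = parse_hex7_values(script_text)[value_name]
    return [entry for entry in reported if entry not in wanted]


if __name__ == "__main__":
    print(parse_hex7_values(CFSCRIPT_LSA))
    print("dropped:", removed_by_script(CFSCRIPT_LSA, "Authentication Packages", COMBOFIX_REPORTED))
    print(encode_multi_sz(["msv1_0"]))
```

Decoded, the script's value is just msv1_0, so it writes the single default package back and the extra opnnkjkh entry is the one that goes. Decoding a hex(7) line before dropping it on ComboFix is a cheap way to confirm that the value about to be written is the intended one, since LSA reads this key at logon.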

Re: Nasty Infection

Post by gman33 » May 25th, 2008, 12:53 pm

I created the file CFScript.txt from your instructions and saved it to my desktop where ComboFix is located. When I drag it on top of ComboFix, the ComboFix window opens and says it is preparing to run, then a message box pops up titled "CFScript Name Error" and it says, "Were you trying to run CFScript? The name, CFScript appears to be incorrectly spelt." There is only an "OK" button to click or an "X" to close the message box.

My computer is sitting in this state right now awaiting your response. I suspect this might be the virus trying to block what I am doing, so I don't want to click "Ok" until you tell me how to proceed. I am using a different computer to communicate with you right now.

Please advise how you would like me to continue.

Thanks,
Glen
gman33
Regular Member
 
Posts: 19
Joined: May 24th, 2008, 3:25 am

Re: Nasty Infection

Post by dan12 » May 25th, 2008, 1:01 pm

Ok, firstly, did you use "Notepad" as detailed? It has to be Notepad to work, not any other editor.

Did you save it as "CFScript.txt"? Check that word wrap is unchecked: open Notepad, click Format, and uncheck Word Wrap.

I'm here for a while so don't worry.
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Nasty Infection

Post by gman33 » May 25th, 2008, 1:20 pm

I did use Notepad and Word Wrap is unchecked. However, when I saved the file, I keyed in "CFScript" only, as it was defaulting to save as a .txt file. Maybe I should have actually keyed the .txt as well. When I look at the saved file from File, Properties, it shows the filename as only "CFScript" and not "CFScript.txt". Should I click the "Ok" button and maybe ComboFix will recognize the file as is, or should I "X" out and resave the file with the .txt extension?

Glen
gman33
Regular Member
 
Posts: 19
Joined: May 24th, 2008, 3:25 am

Re: Nasty Infection

Post by dan12 » May 25th, 2008, 1:23 pm

Just save it as "CFScript.txt", then drag and drop and press OK.
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Nasty Infection

Post by gman33 » May 25th, 2008, 1:59 pm

Okay, I re-ran ComboFix and it generated the log below. It never prompted me to submit any files for analyzing. Should I continue with the next two steps anyway?



ComboFix 08-05-24.1 - Glen 2008-05-25 13:39:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.229 [GMT -4:00]
Running from: C:\Documents and Settings\Glen\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Glen\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\eope.exe
C:\WINDOWS\mdtgkswr.exe
C:\WINDOWS\system32\fcccbxvu.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Glen\Application Data\TmpRecentIcons
C:\Documents and Settings\Glen\Application Data\TmpRecentIcons\antivirus-2008pro.lnk
C:\VundoFix Backups
C:\WINDOWS\eope.exe
C:\WINDOWS\mdtgkswr.exe
C:\WINDOWS\system32\fcccbxvu.dll
C:\WINDOWS\system32\hkjknnpo.ini
C:\WINDOWS\system32\hkjknnpo.ini2
C:\WINDOWS\system32\opnnkjkh.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.

2008-05-24 06:52 . 2008-05-24 06:52 135 --a------ C:\WINDOWS\wininit.ini
2008-05-24 02:03 . 2008-05-24 02:03 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-24 02:03 . 2008-05-24 02:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-23 20:17 . 2008-05-23 20:17 <DIR> d-------- C:\Program Files\Antivirus 2008 PRO
2008-05-23 09:00 . 2008-02-12 13:45 45,568 --a------ C:\WINDOWS\system32\lmdimon.dll
2008-05-22 22:04 . 2008-05-22 22:05 <DIR> d-------- C:\Program Files\VASST
2008-05-14 22:54 . 2008-05-14 23:03 13,030 --a------ C:\PDOXUSRS.NET
2008-05-14 22:53 . 2008-05-14 22:53 <DIR> d-------- C:\Program Files\Enable Computing
2008-05-14 22:53 . 2008-05-14 22:53 <DIR> d-------- C:\Program Files\Common Files\Borland Shared
2008-05-14 22:53 . 2008-05-14 22:53 <DIR> d-------- C:\Program Files\Borland
2008-05-14 22:47 . 2008-05-14 22:47 <DIR> d-------- C:\Documents and Settings\Glen\Application Data\Free-backup.info
2008-05-14 22:47 . 2001-01-05 04:42 351,232 --a------ C:\WINDOWS\system32\ibmgr.cpl
2008-05-14 22:47 . 2001-01-05 04:41 346,624 --a------ C:\WINDOWS\system32\gds32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 13:40 --------- d-----w C:\Documents and Settings\Glen\Application Data\OpenOffice.org2
2008-05-24 21:49 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-05-23 23:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
2008-05-23 23:21 --------- d-----w C:\Program Files\Sony
2008-05-23 23:19 --------- d-----w C:\Program Files\Sony Setup
2008-05-22 18:09 --------- d-----w C:\Documents and Settings\Glen\Application Data\gtk-2.0
2008-05-15 21:21 --------- d-----w C:\Documents and Settings\Glen\Application Data\AdobeUM
2008-04-22 01:54 --------- d-----w C:\Program Files\Rental Property Manager 2
2008-04-22 00:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-17 19:33 --------- d-----w C:\Program Files\Opera
2008-04-08 21:45 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-04-08 21:44 --------- d-----w C:\Program Files\OpenOffice.org 2.2
2008-03-25 01:07 --------- d-----w C:\Program Files\PyQt4
2008-03-25 01:06 --------- d-----w C:\Program Files\Python 2.5.2
.

((((((((((((((((((((((((((((( snapshot@2008-05-25_ 9.42.36.16 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-25 13:33:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-25 17:47:25 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-18 19:55 262401]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"MplSetUp"="C:\Program Files\RMClient\MplSetUp.exe" [2000-11-04 21:09 40960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]

C:\Documents and Settings\Glen\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 21:57:56 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 00:37:56 217194]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 00:37:56 217194]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-11 19:47:47 110592]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"= 1 (0x1)
"NoStartMenuMorePrograms"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\eMule\\emule.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:eMule TCP
"4672:UDP"= 4672:UDP:eMule UDP

R0 Pnp680r;Silicon Image SiI 0680 Medley Raid Controller;C:\WINDOWS\system32\DRIVERS\pnp680r.sys [2002-05-31 16:35]
R2 InterBaseGuardian;InterBase Guardian;C:\Program Files\Borland\InterBase\bin\ibguard.exe [2001-01-05 04:41]
R2 NvNdis;NVIDIA NDIS IO Control Driver;C:\WINDOWS\system32\Drivers\NvNdis.sys [2004-12-13 09:44]
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 06:29]
R3 InterBaseServer;InterBase Server;C:\Program Files\Borland\InterBase\bin\ibserver.exe [2001-01-05 04:40]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 13:49:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2008-05-25 13:55:47 - machine was rebooted [Glen]
ComboFix-quarantined-files.txt 2008-05-25 17:55:41
ComboFix2.txt 2008-05-25 13:43:50

Pre-Run: 73,235,619,840 bytes free
Post-Run: 73,224,523,776 bytes free

131 --- E O F --- 2008-05-16 22:44:24
gman33
Regular Member
 
Posts: 19
Joined: May 24th, 2008, 3:25 am

Re: Nasty Infection

Unread postby dan12 » May 25th, 2008, 2:08 pm

I will go through your log soon.
You say you're not able to submit the file? Or the box didn't show as I had given in my example!

You can run malwarebytes and post that log also.
dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Nasty Infection

Unread postby gman33 » May 25th, 2008, 2:28 pm

The box didn't show as in your example. ComboFix just ended and generated the report I included above. I've started the Malwarebytes scan, but it will likely take a good hour to complete. Once it's finished, I'll also try to create a new HJT log and repost the results.
gman33
Regular Member
 
Posts: 19
Joined: May 24th, 2008, 3:25 am

Re: Nasty Infection

Unread postby gman33 » May 25th, 2008, 3:59 pm

Okay, here are the logs from both Anti-Malware and HJT.


Malwarebytes' Anti-Malware 1.12
Database version: 786

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 136966
Time elapsed: 1 hour(s), 32 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\gktxaspm.bmbr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\gktxaspm.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Glen\Local Settings\Tempboome20.exe (Trojan.Agent) -> Quarantined and deleted successfully.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:59: VIRUS ALERT!, on 5/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Glen\Desktop\HJT\HiJackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 2044452499
O16 - DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} (ActiveView Control) - http://unimart.dvrdns.org:3002/ActiveView.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 2046273627
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5795 bytes
gman33
Regular Member
 
Posts: 19
Joined: May 24th, 2008, 3:25 am

Re: Nasty Infection

Unread postby dan12 » May 26th, 2008, 4:39 am

Hi, thanks for the returned logs.
Can you navigate to C:\Qoobox\Quarantine\Registry_backups and copy/paste the contents of the Registry_backups folder?
Thanks, dan
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Nasty Infection

Unread postby gman33 » May 26th, 2008, 9:51 am

The folder is there, but there is nothing in it.

It was difficult to even get there because just about everything on the right side of my "Start Menu" is gone, even the "Program Files" button is gone. The only way I was able to get to the C:/ directory was to open a Windows Explorer window by using a folder shortcut and then keying in the C:/ drive into the address bar. If I used the normal navigation buttons, it skips over the C:/ drive and goes to the "Desktop" folder. If I then click on "My Computer", everything is listed except the C:/ and D:/ drives.

Glen
gman33
Regular Member
 
Posts: 19
Joined: May 24th, 2008, 3:25 am