WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93125 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

[Resolved] Need to get rid of Virtumonde and Win32.TDSS.rtk.

Started by Neo , Mar 09 2009 04:15 PM

Page 4 of 10
2
3
4
5
6

This topic is locked

139 replies to this topic

#46 Neo

Silver Member

Guests
374 posts

Posted 15 March 2009 - 10:08 AM

Tomk, the DrWeb.csv file I save to my desktop will not let me open it . Windows does not identify the file type . Which program should I use to open it? newbe17

Best
Wishes,

Neo

Posted Image

Advertisements

Register to Remove

#47 Tomk

Beguilement Monitor

Global Moderator
20,451 posts

Posted 15 March 2009 - 10:58 AM

newbe17, Excel should open it. It also can be read with notepad. Please attach it for me to look over.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014

#48 Neo

Silver Member

Guests
374 posts

Posted 15 March 2009 - 11:27 AM

Tomk,
Just got back from a reboot to see ur message tellin me to use notepad, I already did,lol, figured it out on my own, aren't I brilliant? :popcorn:

KillWind.exe;C:\hp\bin;Tool.ProcessKill;Incurable.Moved.;
mbam.exe;C:\Program Files\Malwarebytes' Anti-Malware;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0000019.exe;C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP1;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0001606.exe;C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP5;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0001682.bat;C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP8;Probably BATCH.Virus;Incurable.Moved.;
firstopt.js;D:\I386\Apps\APP12271\firstboot;Probably SCRIPT.Virus;Incurable.Moved.;

By the way, the 2 files I uploaded last night... How did they turn out?

here's the hjt log u requested also

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:22:35 PM, on 3/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ALCXMNTR.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Documents and Settings\Compaq_Owner\Desktop\cureit.exe
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\RarSFX0\_start.exe
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\RarSFX0\cureit.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...arm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{0064A5F4-20F9-40DD-8516-C7C7B21E6882}: NameServer = 207.65.4.25 216.153.94.101
O17 - HKLM\System\CS1\Services\Tcpip\..\{0064A5F4-20F9-40DD-8516-C7C7B21E6882}: NameServer = 207.65.4.25 216.153.94.101
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4568 bytes

Best
Wishes,

Neo

Posted Image

#49 Neo

Silver Member

Guests
374 posts

Posted 15 March 2009 - 11:54 AM

Tomk, I know u haven't requested this but i thaught u might like to see it, it's a scan i ran with drcurit after the reboot: A0002085.exe;C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP13;Tool.ProcessKill;Incurable.Moved.; A0002086.exe;C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP13;Probably BACKDOOR.Trojan;Incurable.Moved.; I just ran combofix again and as soon as i finished the asked if I wanted to update to a newer version and I clicked yes so it's updating now. Do u want me to run it again when it's finished updating? newbe17

Best
Wishes,

Neo

Posted Image

#50 Tomk

Beguilement Monitor

Global Moderator
20,451 posts

Posted 15 March 2009 - 12:01 PM

newbe17, Don't worry about those entries. They are in an old restore point. Yes. Please update ane run ComboFix.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014

#51 Neo

Silver Member

Guests
374 posts

Posted 15 March 2009 - 12:54 PM

Tomk,
Here is the ComboFix log u requested:

ComboFix 09-03-14.01 - Compaq_Owner 2009-03-15 13:20:20.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.222.24 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\Unused Desktop Shortcuts\Worknow.com
AV: avast! antivirus 4.8.1229 [VPS 090314-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-02-15 to 2009-03-15 )))))))))))))))))))))))))))))))
.

2009-03-15 09:41 . 2009-03-15 09:41 <DIR> d-------- c:\documents and settings\Compaq_Owner\DoctorWeb
2009-03-14 23:54 . 2009-03-14 23:54 <DIR> d--h----- c:\windows\$hf_mig$
2009-03-14 22:32 . 2009-03-14 22:32 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-14 16:12 . 2009-03-14 16:12 <DIR> d--h----- c:\windows\PIF
2009-03-13 23:50 . 2009-03-14 11:56 <DIR> d-------- C:\Lop SD
2009-03-13 00:59 . 2009-03-13 01:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-13 00:59 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-13 00:59 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-12 22:34 . 2009-03-12 22:34 <DIR> d-------- c:\windows\Sun
2009-03-12 02:36 . 2009-03-12 02:37 <DIR> d-------- C:\Rooter$
2009-03-09 23:49 . 2009-03-09 23:49 61,440 --a------ c:\windows\system32\drivers\zkfus.sys
2009-03-09 17:12 . 2009-03-09 17:12 <DIR> d-------- c:\program files\Trend Micro
2009-03-05 19:00 . 2009-03-05 19:00 <DIR> d-------- c:\windows\Speeditup Free

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-15 03:32 --------- d-----w c:\program files\Java
2009-03-14 16:56 8,704 --sha-w c:\program files\Thumbs.db
2009-03-13 23:21 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-13 06:17 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-10 04:49 108 ----a-w c:\program files\lphinlz.txt
2009-03-09 21:31 4,622 ----a-w c:\program files\startuplist.txt
2009-03-09 19:25 6,211 ----a-w c:\program files\hijackthis.log
2009-03-05 23:41 --------- d-----w c:\program files\CCleaner
2009-01-29 10:10 --------- d-----w c:\program files\Spybot - Search & Destroy
2006-09-04 23:02 11,682,968 ----a-w c:\program files\setupeng.exe
2006-09-03 20:37 11,746,992 ----a-w c:\program files\antivir_workstation_win7u_en_h.exe
2006-08-25 17:23 56,742 ----a-w c:\program files\vdl.dat
2006-08-25 15:30 452,719 ----a-w c:\program files\sarman.pdf
2006-07-31 08:03 0 ----a-w c:\program files\xveiih.exe
2005-02-16 17:06 218,112 ----a-w c:\program files\HijackThis.exe
2007-04-16 15:52 162,155 --sha-r c:\windows\system32\jfxfwse.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-03-12_13.07.20.61 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-15 05:03:01 9,888 ----a-w c:\windows\SoftwareDistribution\EventCache\{D3FDF6C5-D6E0-412C-93D8-7C6CEFE1E2C6}.bin
- 2008-03-25 06:28:39 135,168 ----a-w c:\windows\system32\java.exe
+ 2009-03-15 03:32:19 144,792 ----a-w c:\windows\system32\java.exe
- 2008-03-25 06:28:43 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2009-03-15 03:32:19 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-03-25 07:37:01 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2009-03-15 03:32:19 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-03-13 17:11:19 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_420.dat
+ 2009-03-15 15:41:45 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6f0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-08-08 180269]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-14 148888]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4918:TCP"= 4918:TCP:qgjprs

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-06-13 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-06-13 20560]
S0 szkg5;szkg;c:\windows\system32\DRIVERS\szkg.sys --> c:\windows\system32\DRIVERS\szkg.sys [?]
S2 dbthee;Center Time;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
S3 PCD5SRVC;PCD5SRVC - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [2005-05-10 20224]
S3 swxkwfr;swxkwfr;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 wsozq;wsozq;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
dbthee

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
TCP: {0064A5F4-20F9-40DD-8516-C7C7B21E6882} = 207.65.4.25 216.153.94.101
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\evspears@hifo.net\
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?.intl=us&.src=ym
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-15 13:22:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCD5SRVC]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swxkwfr]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wsozq]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dbthee]
"ServiceDll"="c:\windows\system32\jfxfwse.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(364)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-03-15 13:25:16
ComboFix-quarantined-files.txt 2009-03-15 18:25:09
ComboFix2.txt 2009-03-12 18:08:46

Pre-Run: 65,778,622,464 bytes free
Post-Run: 65,765,474,304 bytes free

Current=1 Default=1 Failed=4 LastKnownGood=5 Sets=,1,2,4,5
124 --- E O F --- 2008-06-13 23:12:36

Tomk? what about the 2 files i uploaded last night?

newbe17

Best
Wishes,

Neo

Posted Image

#52 Tomk

Beguilement Monitor

Global Moderator
20,451 posts

Posted 15 March 2009 - 01:43 PM

newbe17,

The files were fine. No Virut. :woot:

COMBOFIX-Script

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

File::
c:\windows\system32\drivers\zkfus.sys
c:\program files\lphinlz.txt
c:\program files\startuplist.txt
c:\program files\hijackthis.log
c:\program files\xveiih.exe
c:\windows\system32\jfxfwse.dll
c:\windows\system32\01.tmp

NetSvc::
dbthee

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4918:TCP"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swxkwfr]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wsozq]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dbthee]

Driver::
swxkwfr
wsozq

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Then please see if you can get Kaspersky online to run.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014

#53 Neo

Silver Member

Guests
374 posts

Posted 15 March 2009 - 02:44 PM

Tomk,
Can u say no virut? :woot:

I knew u could

Here ya go, Pal..... hope this worked:

ComboFix 09-03-14.02 - Compaq_Owner 2009-03-15 15:29:27.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.222.71 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\Unused Desktop Shortcuts\Worknow.com
AV: avast! antivirus 4.8.1229 [VPS 090314-0] *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-02-15 to 2009-03-15 )))))))))))))))))))))))))))))))
.

2009-03-15 09:41 . 2009-03-15 09:41 <DIR> d-------- c:\documents and settings\Compaq_Owner\DoctorWeb
2009-03-14 23:54 . 2009-03-14 23:54 <DIR> d--h----- c:\windows\$hf_mig$
2009-03-14 22:32 . 2009-03-14 22:32 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-14 16:12 . 2009-03-14 16:12 <DIR> d--h----- c:\windows\PIF
2009-03-13 23:50 . 2009-03-14 11:56 <DIR> d-------- C:\Lop SD
2009-03-13 00:59 . 2009-03-13 01:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-13 00:59 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-13 00:59 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-12 22:34 . 2009-03-12 22:34 <DIR> d-------- c:\windows\Sun
2009-03-12 02:36 . 2009-03-12 02:37 <DIR> d-------- C:\Rooter$
2009-03-09 23:49 . 2009-03-09 23:49 61,440 --a------ c:\windows\system32\drivers\zkfus.sys
2009-03-09 17:12 . 2009-03-09 17:12 <DIR> d-------- c:\program files\Trend Micro
2009-03-05 19:00 . 2009-03-05 19:00 <DIR> d-------- c:\windows\Speeditup Free

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-15 03:32 --------- d-----w c:\program files\Java
2009-03-14 16:56 8,704 --sha-w c:\program files\Thumbs.db
2009-03-13 23:21 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-13 06:17 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-10 04:49 108 ----a-w c:\program files\lphinlz.txt
2009-03-09 21:31 4,622 ----a-w c:\program files\startuplist.txt
2009-03-09 19:25 6,211 ----a-w c:\program files\hijackthis.log
2009-03-05 23:41 --------- d-----w c:\program files\CCleaner
2009-01-29 10:10 --------- d-----w c:\program files\Spybot - Search & Destroy
2006-09-04 23:02 11,682,968 ----a-w c:\program files\setupeng.exe
2006-09-03 20:37 11,746,992 ----a-w c:\program files\antivir_workstation_win7u_en_h.exe
2006-08-25 17:23 56,742 ----a-w c:\program files\vdl.dat
2006-08-25 15:30 452,719 ----a-w c:\program files\sarman.pdf
2006-07-31 08:03 0 ----a-w c:\program files\xveiih.exe
2005-02-16 17:06 218,112 ----a-w c:\program files\HijackThis.exe
2007-04-16 15:52 162,155 --sha-r c:\windows\system32\jfxfwse.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-03-12_13.07.20.61 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-15 05:03:01 9,888 ----a-w c:\windows\SoftwareDistribution\EventCache\{D3FDF6C5-D6E0-412C-93D8-7C6CEFE1E2C6}.bin
- 2008-03-25 06:28:39 135,168 ----a-w c:\windows\system32\java.exe
+ 2009-03-15 03:32:19 144,792 ----a-w c:\windows\system32\java.exe
- 2008-03-25 06:28:43 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2009-03-15 03:32:19 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-03-25 07:37:01 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2009-03-15 03:32:19 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-03-13 17:11:19 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_420.dat
+ 2009-03-15 15:41:45 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6f0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-08-08 180269]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-14 148888]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4918:TCP"= 4918:TCP:qgjprs

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-06-13 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-06-13 20560]
S0 szkg5;szkg;c:\windows\system32\DRIVERS\szkg.sys --> c:\windows\system32\DRIVERS\szkg.sys [?]
S2 dbthee;Center Time;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
S3 PCD5SRVC;PCD5SRVC - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [2005-05-10 20224]
S3 swxkwfr;swxkwfr;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 wsozq;wsozq;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
dbthee

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
TCP: {0064A5F4-20F9-40DD-8516-C7C7B21E6882} = 207.65.4.25 216.153.94.101
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\evspears@hifo.net\
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?.intl=us&.src=ym
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-15 15:31:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCD5SRVC]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swxkwfr]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wsozq]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dbthee]
"ServiceDll"="c:\windows\system32\jfxfwse.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(364)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-03-15 15:34:22
ComboFix-quarantined-files.txt 2009-03-15 20:34:16
ComboFix2.txt 2009-03-15 18:25:19
ComboFix3.txt 2009-03-12 18:08:46

Pre-Run: 65,751,351,296 bytes free
Post-Run: 65,736,560,640 bytes free

Current=1 Default=1 Failed=4 LastKnownGood=5 Sets=,1,2,4,5
124 --- E O F --- 2008-06-13 23:12:36

newbe17 :yeah:

Best
Wishes,

Neo

Posted Image

#54 Tomk

Beguilement Monitor

Global Moderator
20,451 posts

Posted 15 March 2009 - 03:00 PM

newbe17,

Nope. Didn't work. Combofix must be on your desktop. Then you must drag the script per the picture.

c:\documents and settings\Compaq_Owner\Desktop\Unused Desktop Shortcuts\Worknow.com

is in a folder on your desktop.

c:\documents and settings\Compaq_Owner\Desktop\Worknow.com

this was on your desktop.

You need to delete the your copy, and redownload to your desktop.

Then please try the script again per the earlier instructions.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014

#55 Neo

Silver Member

Guests
374 posts

Posted 15 March 2009 - 03:30 PM

Tomk, ok, but i'm downloading Kaspersky from tucows right now and it should b a while, is that ok? (I couldnt get to the site u gave me, dern thing still only goes where it wants to :pullhair:

) And what if I just put it back on my desktop (where i origionally downloaded it to, and give it back its origional name, would that work? newbe17 :popcorn:

Best
Wishes,

Neo

Posted Image

Advertisements

Register to Remove

#56 Tomk

Beguilement Monitor

Global Moderator
20,451 posts

Posted 15 March 2009 - 03:38 PM

newbe17,

You can give it a try. If it doesn't work, you will have to redownload. It isn't available on Tucows. Combofix download link:

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Don't mess with Kaspersky until after we get the script to run. Kaspersky will take a couple hours to run and will be mostly worhthless until after you run the CFScript. However, it is an online scanner. It isn't available for download. You must go to the site given.

Please go to Kaspersky website and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
  Archives
  Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014

#57 Neo

Silver Member

Guests
374 posts

Posted 15 March 2009 - 04:38 PM

Tomk,
Hope this worked....Oh, and before the reboot I still couldnt get to the Kaspersky link you provided. I will try again after I send you this. (fingers crossed)

ComboFix 09-03-14.02 - Compaq_Owner 2009-03-15 17:03:58.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.222.27 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1229 [VPS 090314-0] *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\program files\hijackthis.log
c:\program files\lphinlz.txt
c:\program files\startuplist.txt
c:\program files\xveiih.exe
c:\windows\system32\01.tmp
c:\windows\system32\drivers\zkfus.sys
c:\windows\system32\jfxfwse.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\hijackthis.log
c:\program files\lphinlz.txt
c:\program files\startuplist.txt
c:\program files\xveiih.exe
c:\windows\system32\drivers\zkfus.sys
c:\windows\system32\jfxfwse.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_dbthee
-------\Service_dbthee

((((((((((((((((((((((((( Files Created from 2009-02-15 to 2009-03-15 )))))))))))))))))))))))))))))))
.

2009-03-15 17:02 . 2009-03-15 17:02 <DIR> d-------- C:\32788R22FWJFW
2009-03-15 16:10 . 2009-03-15 16:10 <DIR> d-------- C:\KAV
2009-03-15 09:41 . 2009-03-15 09:41 <DIR> d-------- c:\documents and settings\Compaq_Owner\DoctorWeb
2009-03-14 23:54 . 2009-03-14 23:54 <DIR> d--h----- c:\windows\$hf_mig$
2009-03-14 22:32 . 2009-03-14 22:32 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-14 16:12 . 2009-03-14 16:12 <DIR> d--h----- c:\windows\PIF
2009-03-13 23:50 . 2009-03-14 11:56 <DIR> d-------- C:\Lop SD
2009-03-13 18:21 . 2009-03-14 05:46 <DIR> d-------- c:\program files\Full Tilt Poker.Net
2009-03-13 00:59 . 2009-03-13 01:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-13 00:59 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-13 00:59 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-12 22:34 . 2009-03-12 22:34 <DIR> d-------- c:\windows\Sun
2009-03-12 02:36 . 2009-03-12 02:37 <DIR> d-------- C:\Rooter$
2009-03-09 17:12 . 2009-03-09 17:12 <DIR> d-------- c:\program files\Trend Micro
2009-03-05 19:00 . 2009-03-05 19:00 <DIR> d-------- c:\windows\Speeditup Free

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-15 03:32 --------- d-----w c:\program files\Java
2009-03-14 16:56 8,704 --sha-w c:\program files\Thumbs.db
2009-03-13 23:21 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-13 06:17 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-05 23:41 --------- d-----w c:\program files\CCleaner
2009-01-29 10:10 --------- d-----w c:\program files\Spybot - Search & Destroy
2006-09-04 23:02 11,682,968 ----a-w c:\program files\setupeng.exe
2006-09-03 20:37 11,746,992 ----a-w c:\program files\antivir_workstation_win7u_en_h.exe
2006-08-25 17:23 56,742 ----a-w c:\program files\vdl.dat
2006-08-25 15:30 452,719 ----a-w c:\program files\sarman.pdf
2005-02-16 17:06 218,112 ----a-w c:\program files\HijackThis.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-03-12_13.07.20.61 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-03-15 05:03:01 9,888 ----a-w c:\windows\SoftwareDistribution\EventCache\{D3FDF6C5-D6E0-412C-93D8-7C6CEFE1E2C6}.bin
- 2008-03-25 06:28:39 135,168 ----a-w c:\windows\system32\java.exe
+ 2009-03-15 03:32:19 144,792 ----a-w c:\windows\system32\java.exe
- 2008-03-25 06:28:43 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2009-03-15 03:32:19 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-03-25 07:37:01 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2009-03-15 03:32:19 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-03-15 22:08:17 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_450.dat
+ 2009-03-15 22:08:44 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-08-08 180269]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-14 148888]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-06-13 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-06-13 20560]
S0 szkg5;szkg;c:\windows\system32\DRIVERS\szkg.sys --> c:\windows\system32\DRIVERS\szkg.sys [?]
S2 dbthee;Center Time;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
S3 PCD5SRVC;PCD5SRVC - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [2005-05-10 20224]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - DBTHEE
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\evspears@hifo.net\
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?.intl=us&.src=ym
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-15 17:09:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCD5SRVC]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dbthee]
"ServiceDll"="c:\windows\system32\jfxfwse.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(368)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-15 17:15:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-15 22:15:41
ComboFix2.txt 2009-03-15 20:34:25
ComboFix3.txt 2009-03-15 18:25:19
ComboFix4.txt 2009-03-12 18:08:46

Pre-Run: 65,710,821,376 bytes free
Post-Run: 65,627,537,408 bytes free

Current=1 Default=1 Failed=4 LastKnownGood=5 Sets=,1,2,4,5
147 --- E O F --- 2008-06-13 23:12:36

newbe17

Best
Wishes,

Neo

Posted Image

#58 Neo

Silver Member

Guests
374 posts

Posted 15 March 2009 - 04:46 PM

Tomk, GOOD NEWS!!! It went to the Kaspersky link!!! :woot:

I'm there right now doing as u asked.... I'll get right back withya :woot:

Newbe17

Best
Wishes,

Neo

Posted Image

#59 Neo

Silver Member

Guests
374 posts

Posted 15 March 2009 - 05:04 PM

Tomk, When I clicked to accept the terms and conditions , it attempted to re-connect me to the site and it couldn't :pullhair:

But as you said b4, we don't need to worry bout it just now

Newbe17

Best
Wishes,

Neo

Posted Image

#60 Neo

Silver Member

Guests
374 posts

Posted 15 March 2009 - 05:10 PM

Tomk. oh, and windows still doesn't load properly at startup.... It's still giving me choices of how to start up windows. newbe17

Best
Wishes,

Neo

Posted Image

Body Background

skin color theme