WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93112 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Slow startup, Popups

Started by silat , Jan 25 2008 03:14 PM

This topic is locked

15 replies to this topic

#1 silat

Authentic Member

Authentic Member
48 posts

Posted 25 January 2008 - 03:14 PM

Hello. Thanks for the time you will be giving me:)

Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:33 PM, on 1/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Lilly\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2C7E72F6-E589-4933-AD77-B05AC574FF09} - (no file)
O2 - BHO: (no name) - {416AAA67-6DAE-6B75-ADBD-60A39CFCADC0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A051B1FF-8D7E-418B-AABE-4FF82F4280A2} - C:\WINDOWS\system32\iifcaxu.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: (no name) - {d5e7334c-ab4d-4155-bcf0-b3886aefdf60} - (no file)
O2 - BHO: (no name) - {DD814F94-90C3-49DE-9EAD-D2955AE31E62} - (no file)
O2 - BHO: (no name) - {F6BF07FA-0CC2-4E37-A268-87C7B1EFE434} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...x86/c...nt/wuwe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...x86/c...nt/muwe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.co...aploader_v7.cab
O20 - Winlogon Notify: iifcaxu - C:\WINDOWS\SYSTEM32\iifcaxu.dll
O20 - Winlogon Notify: jkkll - C:\WINDOWS\
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TGlsbHk\command.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows NT\proprygefsiz.html

--
End of file - 5474 bytes

KAPERSKY Scan:
99% - Scan My Computer
----------------------
Scanned: 301794
Detected: 15
Untreated: 15
Start time: 1/25/2008 12:04:28 AM
Duration: 01:36:09
Finish time: 1/25/2008 1:40:37 AM
Signatures published: 1/24/2008 8:34:48 PM

Detected
--------
Status Object
------ ------
detected: adware not-a-virus:AdWare.Win32.Virtumonde.dxb File: C:\WINDOWS\system32\iifcaxu.dll
detected: adware not-a-virus:AdWare.Win32.Virtumonde.dxb File: C:\Documents and Settings\Lilly\Desktop\chucks\backups\backup-20080123-194618-476.dll
detected: Trojan program Trojan-Downloader.Win32.VB.cge File: C:\Documents and Settings\Lilly\Local Settings\Temp\snapsnet.exe//data0006
detected: Trojan program Trojan-Downloader.Win32.Adload.pr File: C:\Documents and Settings\Lilly\Local Settings\Temp\TMP130.tmp
detected: Trojan program Trojan-Downloader.Win32.Agent.hql File: C:\Documents and Settings\Lilly\Local Settings\Temp\TMP15A.tmp//PE_Patch.Upolyx//PE_Patch.UPX//UPX
detected: Trojan program Trojan.Win32.Scapur.k File: C:\Documents and Settings\Lilly\Local Settings\Temp\yazzsnet.exe//data0003//PE_Patch.PECompact//PecBundle//PECompact
detected: adware not-a-virus:AdWare.Win32.PurityScan.gs File: C:\Documents and Settings\Lilly\My Documents\?dobe\??rvices.exe//PE_Patch.PECompact//PecBundle//PECompact
detected: Trojan program Trojan-Downloader.Win32.Adload.pr File: C:\Program Files\Dot1XCfg\Dot1XCfg .exe
detected: Trojan program Trojan-Clicker.HTML.IFrame.dn File: C:\Program Files\Windows NT\proprygefsiz.html
detected: Trojan program Trojan-Downloader.Win32.Agent.hvj File: C:\WINDOWS\b122.exe
detected: Trojan program Trojan-Downloader.Win32.Agent.hql File: C:\WINDOWS\mrofinu1000106.exe//PE_Patch.Upolyx//PE_Patch.UPX//UPX
detected: Trojan program Trojan-Downloader.Win32.Agent.hql File: C:\WINDOWS\mrofinu572.exe.tmp//PE_Patch.Upolyx//PE_Patch.UPX//UPX
detected: adware not-a-virus:AdWare.Win32.Virtumonde.dxb File: C:\WINDOWS\system32\khfcbbx.dll
detected: Trojan program Trojan-Downloader.Win32.VB.cge File: C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
detected: adware not-a-virus:AdWare.Win32.TTC.a File: C:\WINDOWS\system32\winzs6\renamd83122.exe//data0002

Events
------
Time Name Status Reason
---- ---- ------ ------

Statistics
----------
Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted
------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------

Settings
--------
Parameter Value
--------- -----
Security Level Recommended
Action Prompt for action when the scan is complete
Run mode Manually
File types Scan all files
Scan only new and changed files No
Scan archives All
Scan embedded OLE objects All
Skip if object is larger than No
Skip if scan takes longer than No
Parse email formats No
Scan password-protected archives No
Enable iChecker technology Yes
Enable iSwift technology Yes
Record information about dangerous objects to program statistics Yes

Thanks for your efforts

Lew/+Silat
Oregon

Advertisements

Register to Remove

#2 Trevuren

Teacher Emeritus

Authentic Member
8,632 posts

Interests:Woodworking

Posted 25 January 2008 - 03:58 PM

Hi Silat,

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  
  -----------------------------------------------------------
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Microsoft MVP Consumer Security 2008 - 2009

Proud graduate of TC/WTT Classroom

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Posted Image

#3 Trevuren

Teacher Emeritus

Authentic Member
8,632 posts

Interests:Woodworking

Posted 25 January 2008 - 07:07 PM

I just noticed that you are a trainee here so I have moved your topic here. Trevuren

Microsoft MVP Consumer Security 2008 - 2009

Proud graduate of TC/WTT Classroom

#4 silat

Authentic Member

Authentic Member
48 posts

Posted 31 January 2008 - 12:07 AM

Here we go

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:00 PM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Lilly\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1187929089781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1187929074625
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.co...aploader_v7.cab
O20 - Winlogon Notify: jkkll - C:\WINDOWS\
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows NT\proprygefsiz.html

--
End of file - 4713 bytes

--------------------------------------------------------------------------------

ComboFix 08-01-31.3 - Lilly 2008-01-30 23:32:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.76 [GMT -5:00]
Running from: C:\Documents and Settings\Lilly\Desktop\lou\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\gebya.dll
C:\WINDOWS\system32\iifcaxu.dll
C:\Documents and Settings\Guest\Application Data\HbTools_Icons
C:\Documents and Settings\Guest\Application Data\HbTools_Icons\Software_Online_8.ico
C:\Documents and Settings\Guest\Application Data\HbTools_Icons\stl123456789.ico
C:\Documents and Settings\Guest\Application Data\HbTools_Icons\wallpapere1.ico
C:\Documents and Settings\Guest\Desktop\Free PC Wallpapers.lnk
C:\Documents and Settings\Lilly\My Documents\DOBE~1
C:\Program Files\outerinfo
C:\Program Files\Temporary
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\system32\appatc~1
C:\WINDOWS\system32\appatc~1\A?pPatch\
C:\WINDOWS\system32\aybeg.ini
C:\WINDOWS\system32\aybeg.ini2
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
C:\WINDOWS\system32\edtoovhm.exe
C:\WINDOWS\system32\gebya.dll
C:\WINDOWS\system32\haagjrbu.dll
C:\WINDOWS\system32\hhhkj.ini
C:\WINDOWS\system32\hhhkj.ini2
C:\WINDOWS\system32\iifcaxu.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\TGlsbHk\
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
.

2008-01-30 23:42 . 2008-01-30 23:42 <DIR> d-------- C:\Temp\tn3
2008-01-28 21:06 . 2008-01-28 21:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-28 21:06 . 2008-01-28 21:06 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-25 02:02 . 2008-01-25 02:15 <DIR> d-------- C:\Program Files\cc cleaner
2008-01-24 23:53 . 2008-01-30 23:40 4,754,208 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-24 23:53 . 2008-01-30 23:40 64,748 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-24 23:53 . 2008-01-30 23:40 47,648 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-24 23:53 . 2008-01-30 23:40 5,540 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-24 23:48 . 2008-01-24 23:48 <DIR> d-------- C:\KAV
2008-01-24 23:20 . 2008-01-24 23:22 <DIR> d-------- C:\hijackthis
2008-01-23 03:24 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-23 03:24 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-23 03:23 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-23 03:23 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-23 03:23 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-23 03:23 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-23 03:22 . 2008-01-23 03:22 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-23 03:22 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-23 03:22 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-22 23:01 . 2008-01-24 22:09 1,267 --a------ C:\WINDOWS\wininit.ini
2008-01-22 20:58 . 2008-01-22 23:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-22 20:21 . 2008-01-23 20:07 114,688 --a------ C:\WINDOWS\system32\igfxpers .exe
2008-01-22 20:21 . 2008-01-23 20:07 94,208 --a------ C:\WINDOWS\system32\igfxtray .exe
2008-01-22 20:21 . 2008-01-23 20:07 77,824 --a------ C:\WINDOWS\system32\hkcmd .exe
2008-01-22 20:02 . 2008-01-22 21:30 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-22 19:37 . 2008-01-25 12:05 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-22 19:30 . 2008-01-25 12:12 <DIR> d-------- C:\WINDOWS\system32\winzs6
2008-01-22 19:30 . 2008-01-23 04:02 <DIR> d-------- C:\WINDOWS\system32\nui4
2008-01-22 19:30 . 2008-01-25 12:12 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-01-22 19:30 . 2008-01-22 19:30 <DIR> d-------- C:\WINDOWS\system32\extz1
2008-01-22 19:30 . 2008-01-22 20:19 <DIR> d-------- C:\WINDOWS\system32\comm7
2008-01-22 19:30 . 2008-01-22 19:30 <DIR> d-------- C:\Temp\gTiis19
2008-01-22 19:30 . 2008-01-22 19:30 <DIR> d-------- C:\Temp\cXzz9
2008-01-22 19:30 . 2008-01-30 23:42 <DIR> d-------- C:\Temp
2008-01-22 19:30 . 2008-01-22 19:30 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-22 19:30 . 2008-01-22 19:30 86,016 --a------ C:\WINDOWS\system32\drivers\sdbuss.sys
2008-01-06 17:23 . 2006-10-09 23:29 95,232 -ra------ C:\WINDOWS\system32\HPcam_03.dll
2008-01-06 17:23 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-01-06 17:23 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-01-06 17:14 . 2008-01-06 17:15 <DIR> d-------- C:\Program Files\Common Files\HP
2008-01-06 17:14 . 2008-01-06 17:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-01-06 17:14 . 2008-01-06 17:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-01-06 17:13 . 2008-01-06 17:13 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-06 17:12 . 2008-01-06 17:14 <DIR> d-------- C:\Program Files\HP
2008-01-06 17:12 . 2008-01-06 17:21 130,896 --a------ C:\WINDOWS\hpiins06.dat
2008-01-06 17:12 . 2007-04-18 23:13 0 --------- C:\WINDOWS\hpimdl06.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 01:59 --------- d-----w C:\Program Files\QuickTime
2008-01-04 03:03 --------- d-----w C:\Program Files\Macromedia
2008-01-04 03:02 --------- d-----w C:\Program Files\Common Files\Macromedia Shared
2008-01-04 02:49 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-01-04 02:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-11 05:57 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
2007-06-12 04:40 32 -c--a-r C:\Documents and Settings\All Users\hash.dat
2006-11-26 05:32 104 --sh--r C:\WINDOWS\system32\2048C3C6A8.sys
2006-11-26 05:32 5,852 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2006-03-30 16:58 307,193 -csha-w C:\WINDOWS\system32\llkkj.bak1
2006-04-05 23:25 372,949 -csha-w C:\WINDOWS\system32\llkkj.bak2
.

<pre>
----a-w			79,224 2008-01-24 01:07:57  C:\Program Files\Alwil Software\Avast4\ashDisp .exe
----a-w		 1,404,928 2008-01-24 01:07:55  C:\Program Files\Analog Devices\Core\smax4pnp .exe
----a-w			50,736 2008-01-23 09:04:31  C:\Program Files\Common Files\AOL\1141593141\ee\AOLSoftware .exe
----a-w			81,920 2008-01-23 09:04:27  C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w		   389,632 2008-01-23 09:04:38  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w		   221,184 2008-01-23 09:04:27  C:\Program Files\Intel\Modem Event Monitor\IntelMEM .exe
----a-w			32,881 2008-01-24 00:22:18  C:\Program Files\Java\j2re1.4.2_03\bin\jusched .exe
----a-w		 1,121,792 2008-01-23 09:04:39  C:\Program Files\McAfee\SpamKiller\MSKDetct .exe
----a-w		 1,694,208 2008-01-23 09:04:48  C:\Program Files\Messenger\msmsgs .exe
----a-w			 8,192 2008-01-23 09:04:32  C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mimboot .exe
----a-w		 1,460,560 2008-01-24 01:08:10  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w			15,360 2008-01-23 02:30:29  C:\WINDOWS\system32\ctfmon .exe
----a-w			77,824 2008-01-24 01:07:54  C:\WINDOWS\system32\hkcmd .exe
----a-w		   114,688 2008-01-24 01:07:58  C:\WINDOWS\system32\igfxpers .exe
----a-w			94,208 2008-01-24 01:07:53  C:\WINDOWS\system32\igfxtray .exe
----a-w			36,864 2008-01-24 01:07:50  C:\WINDOWS\system32\spool\drivers\w32x86\2\printray .exe
</pre>

Lew/+Silat
Oregon

#5 Trevuren

Teacher Emeritus

Authentic Member
8,632 posts

Interests:Woodworking

Posted 05 February 2008 - 10:39 AM

A. First of all, I am sorry that I totally forgot about your log and your problem. No excuse. Next, you have fallen victim to the trojan file infector. This infection renames executable files that run at startup and replaces them with infected copies. We will try to reverse the process. Be advised that there is a possibility that you may have to reinstall certain programs where a legitimate replacement file can not be found.

B. 1. Please open Notepad

Click Start , then Run
Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\igfxpers .exe
C:\WINDOWS\system32\igfxtray .exe
C:\WINDOWS\system32\hkcmd .exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\drivers\sdbuss.sys
C:\WINDOWS\system32\2048C3C6A8.sys
C:\WINDOWS\system32\llkkj.bak1
C:\WINDOWS\system32\llkkj.bak2

Folder::
C:\Temp
C:\WINDOWS\system32\winzs6
C:\WINDOWS\system32\nui4
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\extz1
C:\WINDOWS\system32\comm7

RenV::
----a-w			79,224 2008-01-24 01:07:57  C:\Program Files\Alwil Software\Avast4\ashDisp .exe
----a-w		 1,404,928 2008-01-24 01:07:55  C:\Program Files\Analog Devices\Core\smax4pnp .exe
----a-w			50,736 2008-01-23 09:04:31  C:\Program Files\Common Files\AOL\1141593141\ee\AOLSoftware .exe
----a-w			81,920 2008-01-23 09:04:27  C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w		   389,632 2008-01-23 09:04:38  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w		   221,184 2008-01-23 09:04:27  C:\Program Files\Intel\Modem Event Monitor\IntelMEM .exe
----a-w			32,881 2008-01-24 00:22:18  C:\Program Files\Java\j2re1.4.2_03\bin\jusched .exe
----a-w		 1,121,792 2008-01-23 09:04:39  C:\Program Files\McAfee\SpamKiller\MSKDetct .exe
----a-w		 1,694,208 2008-01-23 09:04:48  C:\Program Files\Messenger\msmsgs .exe
----a-w			 8,192 2008-01-23 09:04:32  C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mimboot .exe
----a-w		 1,460,560 2008-01-24 01:08:10  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w			15,360 2008-01-23 02:30:29  C:\WINDOWS\system32\ctfmon .exe
----a-w			77,824 2008-01-24 01:07:54  C:\WINDOWS\system32\hkcmd .exe
----a-w		   114,688 2008-01-24 01:07:58  C:\WINDOWS\system32\igfxpers .exe
----a-w			94,208 2008-01-24 01:07:53  C:\WINDOWS\system32\igfxtray .exe
----a-w			36,864 2008-01-24 01:07:50  C:\WINDOWS\system32\spool\drivers\w32x86\2\printray .exe

Driver::
sdbuss


Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkll]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMX]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sen]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Txalap]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Now drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. All your monitoring programs (Antivirus/Antispyware, Guards and Shields) will be stopped.

Posted Image

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

6. ComboFix will automatically REBOOT your machine when the KillAll:: switch is used..

7. Post the following logs/Reports:

ComboFix.txt
Fresh HijackThis log run after all the other tools have performed their cleanup.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

C. I need you to run the following scan: Eset Online Scanner

Place a check mark in the box YES, I accept the Terms Of Use
Click the Start button.
Now click the Install button.
Click Start. The scanner engine will initialize and update.
Do Not place a check mark in the box beside Remove found threats.
Click the Scan button. The scan will now run, please be patient.
When the scan finishes click the Details tab.
Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.

Microsoft MVP Consumer Security 2008 - 2009

Proud graduate of TC/WTT Classroom

#6 silat

Authentic Member

Authentic Member
48 posts

Posted 06 February 2008 - 10:52 PM

Hello:)
Ive been trying to get Eset to run but it gives me an error downloading its signatures. Ive gone to the neighbors to run it and get the same error on their computer. Its been 24 hours . Ill try again tomorrow..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:29:09 PM, on 2/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
===========================================================================
ComboFix 08-01-31.3 - Lilly 2008-02-06 22:53:43.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.103 [GMT -5:00]
Running from: C:\Documents and Settings\Lilly\Desktop\lou\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lilly\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\2048C3C6A8.sys
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\sdbuss.sys
C:\WINDOWS\system32\hkcmd .exe
C:\WINDOWS\system32\igfxpers .exe
C:\WINDOWS\system32\igfxtray .exe
C:\WINDOWS\system32\llkkj.bak1
C:\WINDOWS\system32\llkkj.bak2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\sdbuss.sys
C:\Temp
C:\Temp\gTiis19\lTig.log
C:\temp\tn3
C:\WINDOWS\system32\2048C3C6A8.sys
C:\WINDOWS\system32\comm7
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\sdbuss.sys
C:\WINDOWS\system32\extz1
C:\WINDOWS\system32\extz1\lovstadcom2.exe
C:\WINDOWS\system32\hkcmd .exe
C:\WINDOWS\system32\igfxpers .exe
C:\WINDOWS\system32\igfxtray .exe
C:\WINDOWS\system32\llkkj.bak1
C:\WINDOWS\system32\llkkj.bak2
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\nui4
C:\WINDOWS\system32\winzs6

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SDBUSS
-------\sdbuss

((((((((((((((((((((((((( Files Created from 2008-01-07 to 2008-02-07 )))))))))))))))))))))))))))))))
.

2008-02-06 21:29 . 2008-02-06 21:29 <DIR> d-------- C:\Documents and Settings\Lilly\Application Data\HP
2008-01-25 02:02 . 2008-01-25 02:15 <DIR> d-------- C:\Program Files\cc cleaner
2008-01-24 23:53 . 2008-01-30 23:40 4,754,208 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-24 23:53 . 2008-01-30 23:40 64,748 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-24 23:53 . 2008-01-30 23:40 47,648 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-24 23:53 . 2008-01-30 23:40 5,540 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-24 23:48 . 2008-01-24 23:48 <DIR> d-------- C:\KAV
2008-01-24 23:20 . 2008-01-30 23:49 <DIR> d-------- C:\hijackthis
2008-01-23 03:24 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-23 03:24 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-23 03:23 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-23 03:23 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-23 03:23 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-23 03:23 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-23 03:22 . 2008-01-23 03:22 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-23 03:22 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-23 03:22 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-22 23:01 . 2008-01-24 22:09 1,267 --a------ C:\WINDOWS\wininit.ini
2008-01-22 20:58 . 2008-01-22 23:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-22 19:37 . 2008-01-25 12:05 <DIR> d-------- C:\Program Files\Dot1XCfg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 01:59 --------- d-----w C:\Program Files\QuickTime
2008-01-06 22:15 --------- d-----w C:\Program Files\Common Files\HP
2008-01-06 22:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-01-06 22:14 --------- d-----w C:\Program Files\HP
2008-01-06 22:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-01-04 03:03 --------- d-----w C:\Program Files\Macromedia
2008-01-04 03:02 --------- d-----w C:\Program Files\Common Files\Macromedia Shared
2008-01-04 02:49 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-01-04 02:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-12 04:40 32 -c--a-r C:\Documents and Settings\All Users\hash.dat
2006-11-26 05:32 5,852 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

<pre>
----a-w			79,224 2008-01-24 01:07:57  C:\Program Files\Alwil Software\Avast4\ashDisp .exe
----a-w		 1,404,928 2008-01-24 01:07:55  C:\Program Files\Analog Devices\Core\smax4pnp .exe
----a-w			50,736 2008-01-23 09:04:31  C:\Program Files\Common Files\AOL\1141593141\ee\AOLSoftware .exe
----a-w			81,920 2008-01-23 09:04:27  C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w		   389,632 2008-01-23 09:04:38  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w		   221,184 2008-01-23 09:04:27  C:\Program Files\Intel\Modem Event Monitor\IntelMEM .exe
----a-w			32,881 2008-01-24 00:22:18  C:\Program Files\Java\j2re1.4.2_03\bin\jusched .exe
----a-w		 1,121,792 2008-01-23 09:04:39  C:\Program Files\McAfee\SpamKiller\MSKDetct .exe
----a-w		 1,694,208 2008-01-23 09:04:48  C:\Program Files\Messenger\msmsgs .exe
----a-w			 8,192 2008-01-23 09:04:32  C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mimboot .exe
----a-w		 1,460,560 2008-01-24 01:08:10  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w			36,864 2008-01-24 01:07:50  C:\WINDOWS\system32\spool\drivers\w32x86\2\printray .exe
</pre>

Lew/+Silat
Oregon

#7 Trevuren

Teacher Emeritus

Authentic Member
8,632 posts

Interests:Woodworking

Posted 07 February 2008 - 12:10 PM

Your system is infected with a Vundo trojan File infector. This infection renames executable files that run at startup and replaces them with infected copies. We will try to reverse the process. Be advised that there is a possibility that you may have to reinstall certain programs where a legitimate replacement file can not be found.

A. Click Start >> Control Panel. Double click on Display (or Display Properties) and click on the Desktop tab. Click on Customize Desktop and click the Web tab.
For every item in the Web Pages box (except the "My Current Homepage" entry), uncheck it, and delete it.
Also, have a look at the Lock Desktop Items checkbox and make sure it is -unchecked-.
Click OK and OK again until you have exited the display properties

B. 1. Please open Notepad

Click Start , then Run
Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\WINDOWS\system32\igfxpers .exe
C:\WINDOWS\system32\igfxtray .exe
C:\WINDOWS\system32\hkcmd .exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\sdbuss.sys
C:\Documents and Settings\All Users\hash.dat
C:\WINDOWS\system32\2048C3C6A8.sys
C:\WINDOWS\system32\llkkj.bak1
C:\WINDOWS\system32\llkkj.bak2

Folder::
C:\TempC:\WINDOWS\system32\winzs6
C:\WINDOWS\system32\nui4
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\extz1
C:\WINDOWS\system32\comm7

RenV::
----a-w			79,224 2008-01-24 01:07:57  C:\Program Files\Alwil Software\Avast4\ashDisp .exe
----a-w		 1,404,928 2008-01-24 01:07:55  C:\Program Files\Analog Devices\Core\smax4pnp .exe
----a-w			50,736 2008-01-23 09:04:31  C:\Program Files\Common Files\AOL\1141593141\ee\AOLSoftware .exe
----a-w			81,920 2008-01-23 09:04:27  C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w		   389,632 2008-01-23 09:04:38  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w		   221,184 2008-01-23 09:04:27  C:\Program Files\Intel\Modem Event Monitor\IntelMEM .exe
----a-w			32,881 2008-01-24 00:22:18  C:\Program Files\Java\j2re1.4.2_03\bin\jusched .exe
----a-w		 1,121,792 2008-01-23 09:04:39  C:\Program Files\McAfee\SpamKiller\MSKDetct .exe
----a-w		 1,694,208 2008-01-23 09:04:48  C:\Program Files\Messenger\msmsgs .exe
----a-w			 8,192 2008-01-23 09:04:32  C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mimboot .exe
----a-w		 1,460,560 2008-01-24 01:08:10  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w			15,360 2008-01-23 02:30:29  C:\WINDOWS\system32\ctfmon .exe
----a-w			77,824 2008-01-24 01:07:54  C:\WINDOWS\system32\hkcmd .exe
----a-w		   114,688 2008-01-24 01:07:58  C:\WINDOWS\system32\igfxpers .exe
----a-w			94,208 2008-01-24 01:07:53  C:\WINDOWS\system32\igfxtray .exe
----a-w			36,864 2008-01-24 01:07:50  C:\WINDOWS\system32\spool\drivers\w32x86\2\printray .exe

Driver::
sdbuss

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkll]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMX]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sen]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Txalap]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]

ComboFix.txt
Fresh HijackThis log run after all the other tools have performed their cleanup.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

C. Using Internet Explorer, please do a Kaspersky Online Scan

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure as follows:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will provide a report if your system is infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop and post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Microsoft MVP Consumer Security 2008 - 2009

Proud graduate of TC/WTT Classroom

#8 silat

Authentic Member

Authentic Member
48 posts

Posted 10 February 2008 - 04:28 PM

Here you go:)

Thanks

ComboFix 08-01-31.3 - Lilly 2008-02-10 15:09:08.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.101 [GMT -5:00]
Running from: C:\Documents and Settings\Lilly\Desktop\lou\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lilly\Desktop\lou\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Documents and Settings\All Users\hash.dat
C:\WINDOWS\system32\2048C3C6A8.sys
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\sdbuss.sys
C:\WINDOWS\system32\hkcmd .exe
C:\WINDOWS\system32\igfxpers .exe
C:\WINDOWS\system32\igfxtray .exe
C:\WINDOWS\system32\llkkj.bak1
C:\WINDOWS\system32\llkkj.bak2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\hash.dat

.
((((((((((((((((((((((((( Files Created from 2008-01-10 to 2008-02-10 )))))))))))))))))))))))))))))))
.

2008-02-06 23:15 . 2008-02-06 23:15 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-02-06 21:29 . 2008-02-06 21:29 <DIR> d-------- C:\Documents and Settings\Lilly\Application Data\HP
2008-01-25 02:02 . 2008-01-25 02:15 <DIR> d-------- C:\Program Files\cc cleaner
2008-01-24 23:53 . 2008-01-30 23:40 4,754,208 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-24 23:53 . 2008-01-30 23:40 64,748 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-24 23:53 . 2008-01-30 23:40 47,648 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-24 23:53 . 2008-01-30 23:40 5,540 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-24 23:48 . 2008-01-24 23:48 <DIR> d-------- C:\KAV
2008-01-24 23:20 . 2008-02-06 23:29 <DIR> d-------- C:\hijackthis
2008-01-23 03:24 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-23 03:24 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-23 03:23 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-23 03:23 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-23 03:23 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-23 03:23 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-23 03:22 . 2008-01-23 03:22 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-23 03:22 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-23 03:22 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-22 23:01 . 2008-01-24 22:09 1,267 --a------ C:\WINDOWS\wininit.ini
2008-01-22 20:58 . 2008-01-22 23:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-22 19:37 . 2008-01-25 12:05 <DIR> d-------- C:\Program Files\Dot1XCfg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 06:15 --------- d-----w C:\Program Files\Google
2008-01-24 01:59 --------- d-----w C:\Program Files\QuickTime
2008-01-06 22:15 --------- d-----w C:\Program Files\Common Files\HP
2008-01-06 22:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-01-06 22:14 --------- d-----w C:\Program Files\HP
2008-01-06 22:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-01-04 03:03 --------- d-----w C:\Program Files\Macromedia
2008-01-04 03:02 --------- d-----w C:\Program Files\Common Files\Macromedia Shared
2008-01-04 02:49 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-01-04 02:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2006-11-26 05:32 5,852 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

<pre>
----a-w			79,224 2008-01-24 01:07:57  C:\Program Files\Alwil Software\Avast4\ashDisp .exe
----a-w		 1,404,928 2008-01-24 01:07:55  C:\Program Files\Analog Devices\Core\smax4pnp .exe
----a-w			50,736 2008-01-23 09:04:31  C:\Program Files\Common Files\AOL\1141593141\ee\AOLSoftware .exe
----a-w			81,920 2008-01-23 09:04:27  C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w		   389,632 2008-01-23 09:04:38  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w		   221,184 2008-01-23 09:04:27  C:\Program Files\Intel\Modem Event Monitor\IntelMEM .exe
----a-w			32,881 2008-01-24 00:22:18  C:\Program Files\Java\j2re1.4.2_03\bin\jusched .exe
----a-w		 1,121,792 2008-01-23 09:04:39  C:\Program Files\McAfee\SpamKiller\MSKDetct .exe
----a-w		 1,694,208 2008-01-23 09:04:48  C:\Program Files\Messenger\msmsgs .exe
----a-w			 8,192 2008-01-23 09:04:32  C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mimboot .exe
----a-w		 1,460,560 2008-01-24 01:08:10  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w			36,864 2008-01-24 01:07:50  C:\WINDOWS\system32\spool\drivers\w32x86\2\printray .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-02-07 01:15 171448]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2005-05-15 03:04 332800 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
-----c--- 2005-02-23 17:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2006-09-18 12:46 110592 C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a--c--- 2006-02-20 10:37 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{62f2912a-edee-11db-be28-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-10 15:15:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-02-10 15:26:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-10 20:25:59
ComboFix2.txt 2008-02-07 04:10:07
ComboFix3.txt 2008-01-31 04:46:56
.
2008-01-09 08:03:24 --- E O F ---
===============================================================
Sunday, February 10, 2008 5:02:07 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/02/2008
Kaspersky Anti-Virus database records: 556132

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 93584
Number of viruses found 5
Number of infected objects 11
Number of suspicious objects 0
Duration of the scan process 01:01:20

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\InboxLOG.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\OutboxLOG.txt Object is locked skipped

C:\Documents and Settings\Lilly\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Lilly\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped

C:\Documents and Settings\Lilly\Local Settings\Application Data\AOL OCP\AIM\Storage\data\yourlovedujour\localStorage\common.cls Object is locked skipped

C:\Documents and Settings\Lilly\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Lilly\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Lilly\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Lilly\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Lilly\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Lilly\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\edtoovhm.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwe skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\haagjrbu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\catchme2008-01-30_234204.98.zip/gebya.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.etj skipped

C:\QooBox\Quarantine\catchme2008-01-30_234204.98.zip/iifcaxu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dxb skipped

C:\QooBox\Quarantine\catchme2008-01-30_234204.98.zip ZIP: infected - 2 skipped

C:\QooBox\Quarantine\catchme2008-02-06_230542.48.zip/sdbuss.sys Infected: Rootkit.Win32.Agent.to skipped

C:\QooBox\Quarantine\catchme2008-02-06_230542.48.zip ZIP: infected - 1 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP13\change.log Object is locked skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000008.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000009.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000018.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.etj skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000019.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dxb skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{60A035BD-A544-48CE-B353-707D44BDFD41}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\TEMP\Perflib_Perfdata_680.dat Object is locked skipped

C:\WINDOWS\TEMP\T30DebugLogFile.txt Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
================================================================================
===============

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:05:38 PM, on 2/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1187929089781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1187929074625
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.co...aploader_v7.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5564 bytes

Lew/+Silat
Oregon

#9 Trevuren

Teacher Emeritus

Authentic Member
8,632 posts

Interests:Woodworking

Posted 10 February 2008 - 07:34 PM

A. We will start by making all files visible:

To enable the viewing of Hidden files follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Put a checkmark in the checkbox labeled Display the contents of system folders.
6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
9. Press the Apply button and then the OK button and shutdown My Computer.
10. Now your computer is configured to show all hidden files.

Now, There is a file in your log of which I am unsure. For that reason, I need you to submit it to Jotti's for analysis.

1. Click HERE to get to Jotti's site.

2. At the top of the Jotti window, use the Browse button to locate the following file on your system:

C:\WINDOWS\system32\hpdevmgmt.dll

3. Once you have located the file, click SUBMIT and the content of the file will be uploaded by the site and analysed.

4. Please provide me with the results of the analysis.

5. Now do the same with these two other files:

C:\WINDOWS\system32\hpqcxs08.dll

C:\WINDOWS\system32\hpqddsvc.dll

B. Please RUN HijackThis

Click the SCAN button to produce a log.
Place a check mark beside each one of the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.co...aploader_v7.cab
Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

C. Please DELETE your current copy of ComboFix from your desktop along with the following folder: C:\ComboFix.

Please download ComboFix by sUBs from HERE or HERE directly to your Desktop.

D. 1. Please open Notepad

Click Start , then Run
Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

RenV::
----a-w			79,224 2008-01-24 01:07:57  C:\Program Files\Alwil Software\Avast4\ashDisp .exe
----a-w		 1,404,928 2008-01-24 01:07:55  C:\Program Files\Analog Devices\Core\smax4pnp .exe
----a-w			50,736 2008-01-23 09:04:31  C:\Program Files\Common Files\AOL\1141593141\ee\AOLSoftware .exe
----a-w			81,920 2008-01-23 09:04:27  C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w		   389,632 2008-01-23 09:04:38  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w		   221,184 2008-01-23 09:04:27  C:\Program Files\Intel\Modem Event Monitor\IntelMEM .exe
----a-w			32,881 2008-01-24 00:22:18  C:\Program Files\Java\j2re1.4.2_03\bin\jusched .exe
----a-w		 1,121,792 2008-01-23 09:04:39  C:\Program Files\McAfee\SpamKiller\MSKDetct .exe
----a-w		 1,694,208 2008-01-23 09:04:48  C:\Program Files\Messenger\msmsgs .exe
----a-w			 8,192 2008-01-23 09:04:32  C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mimboot .exe
----a-w		 1,460,560 2008-01-24 01:08:10  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w			36,864 2008-01-24 01:07:50  C:\WINDOWS\system32\spool\drivers\w32x86\2\printray .ex

KillAll::

ComboFix.txt
Fresh HijackThis log run after all the other tools have performed their cleanup.

Microsoft MVP Consumer Security 2008 - 2009

Proud graduate of TC/WTT Classroom

#10 silat

Authentic Member

Authentic Member
48 posts

Posted 12 February 2008 - 09:02 PM

These 3 items were not found on the machine with all sys and hidden files exposed. :pullhair:

C:\WINDOWS\system32\hpdevmgmt.dll

C:\WINDOWS\system32\hpqcxs08.dll

C:\WINDOWS\system32\hpqddsvc.dll

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:49 PM, on 2/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\spider.exe
C:\WINDOWS\system32\notepad.exe
C:\hijackthis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1187929089781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1187929074625
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5411 bytes

--------------------------------------------------------------------------------

ComboFix 08-02-13.2 - Lilly 2008-02-12 21:42:08.4 - NTFSx86

Running from: C:\Documents and Settings\Lilly\Desktop\lou\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lilly\Desktop\lou\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-13 to 2008-02-13 )))))))))))))))))))))))))))))))
.

2008-02-12 18:35 . 2008-02-12 18:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-12 18:35 . 2008-02-12 18:35 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-12 14:31 . 2008-02-12 14:31 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-02-10 15:43 . 2008-02-10 15:43 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-10 15:43 . 2008-02-10 15:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-06 23:15 . 2008-02-06 23:15 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-02-06 21:29 . 2008-02-06 21:29 <DIR> d-------- C:\Documents and Settings\Lilly\Application Data\HP
2008-01-25 02:02 . 2008-01-25 02:15 <DIR> d-------- C:\Program Files\cc cleaner
2008-01-24 23:53 . 2008-02-10 17:10 4,761,376 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-24 23:53 . 2008-02-10 17:10 64,844 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-24 23:53 . 2008-02-10 17:10 48,160 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-24 23:53 . 2008-02-10 17:10 5,588 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-24 23:48 . 2008-01-24 23:48 <DIR> d-------- C:\KAV
2008-01-24 23:20 . 2008-02-12 21:36 <DIR> d-------- C:\hijackthis
2008-01-23 03:24 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-23 03:24 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-23 03:23 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-23 03:23 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-23 03:23 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-23 03:23 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-23 03:22 . 2008-01-23 03:22 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-23 03:22 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-23 03:22 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-22 23:01 . 2008-01-24 22:09 1,267 --a------ C:\WINDOWS\wininit.ini
2008-01-22 20:58 . 2008-01-23 20:29 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-22 20:58 . 2008-01-22 23:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-22 19:37 . 2008-01-25 12:05 <DIR> d-------- C:\Program Files\Dot1XCfg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 06:15 --------- d-----w C:\Program Files\Google
2008-01-24 01:59 --------- d-----w C:\Program Files\QuickTime
2008-01-06 22:15 --------- d-----w C:\Program Files\Common Files\HP
2008-01-06 22:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-01-06 22:14 --------- d-----w C:\Program Files\HP
2008-01-06 22:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-01-04 03:03 --------- d-----w C:\Program Files\Macromedia
2008-01-04 03:02 --------- d-----w C:\Program Files\Common Files\Macromedia Shared
2008-01-04 02:49 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-01-04 02:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2006-11-26 05:32 5,852 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

<pre>
----a-w			79,224 2008-01-24 01:07:57  C:\Program Files\Alwil Software\Avast4\ashDisp .exe
----a-w		 1,404,928 2008-01-24 01:07:55  C:\Program Files\Analog Devices\Core\smax4pnp .exe
----a-w			50,736 2008-01-23 09:04:31  C:\Program Files\Common Files\AOL\1141593141\ee\AOLSoftware .exe
----a-w			81,920 2008-01-23 09:04:27  C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w		   389,632 2008-01-23 09:04:38  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w		   221,184 2008-01-23 09:04:27  C:\Program Files\Intel\Modem Event Monitor\IntelMEM .exe
----a-w			32,881 2008-01-24 00:22:18  C:\Program Files\Java\j2re1.4.2_03\bin\jusched .exe
----a-w		 1,121,792 2008-01-23 09:04:39  C:\Program Files\McAfee\SpamKiller\MSKDetct .exe
----a-w		 1,694,208 2008-01-23 09:04:48  C:\Program Files\Messenger\msmsgs .exe
----a-w			 8,192 2008-01-23 09:04:32  C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mimboot .exe
----a-w		 1,460,560 2008-01-24 01:08:10  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w			36,864 2008-01-24 01:07:50  C:\WINDOWS\system32\spool\drivers\w32x86\2\printray .exe
</pre>

Lew/+Silat
Oregon

Advertisements

Register to Remove

#11 Trevuren

Teacher Emeritus

Authentic Member
8,632 posts

Interests:Woodworking

Posted 12 February 2008 - 09:28 PM

Please run Kaspersky, yes again.

Using Internet Explorer, please do a Kaspersky Online Scan

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure as follows:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will provide a report if your system is infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop and post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Microsoft MVP Consumer Security 2008 - 2009

Proud graduate of TC/WTT Classroom

#12 silat

Authentic Member

Authentic Member
48 posts

Posted 14 February 2008 - 05:30 PM

KASPERSKY ONLINE SCANNER REPORT Thursday, February 14, 2008 3:42:02 PM Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.98.0 Kaspersky Anti-Virus database last update: 14/02/2008 Kaspersky Anti-Virus database records: 566941 Scan Settings Scan using the following antivirus database extended Scan Archives true Scan Mail Bases true Scan Target My Computer C:\ D:\ Scan Statistics Total number of scanned objects 94121 Number of viruses found 5 Number of infected objects 11 Number of suspicious objects 0 Duration of the scan process 01:06:18 Infected Object Name Virus Name Last Action C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\Apps.Lst Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\Diction.lst Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\main.idx Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\sap.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\spool.lst Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\STYLE.LST Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\sysnews.lst Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\Toolbar.lst Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\organize\CACHE\corbell300 Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\organize\corbell311 Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\organize\corbell311.abi Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\organize\corbell311.aby Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\ShopAssist\DataStore\global\clientcache.adb Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\ShopAssist\DataStore\users\Corbell311.adb Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\storage\cache.db Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\storage\server.lock Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\storage\stderr.txt Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\storage\stdout.txt Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped C:\Documents and Settings\Lilly\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Lilly\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Lilly\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Lilly\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Lilly\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Lilly\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Lilly\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped C:\QooBox\Quarantine\C\WINDOWS\system32\edtoovhm.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwe skipped C:\QooBox\Quarantine\C\WINDOWS\system32\haagjrbu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped C:\QooBox\Quarantine\catchme2008-01-30_234204.98.zip/gebya.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.etj skipped C:\QooBox\Quarantine\catchme2008-01-30_234204.98.zip/iifcaxu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dxb skipped C:\QooBox\Quarantine\catchme2008-01-30_234204.98.zip ZIP: infected - 2 skipped C:\QooBox\Quarantine\catchme2008-02-06_230542.48.zip/sdbuss.sys Infected: Rootkit.Win32.Agent.to skipped C:\QooBox\Quarantine\catchme2008-02-06_230542.48.zip ZIP: infected - 1 skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP18\change.log Object is locked skipped C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000008.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000009.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000018.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.etj skipped C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000019.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dxb skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\EventCache\{AD32E901-AB00-48D7-AADF-82BBED8C1DD7}.bin Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\DEFAULT Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SYSTEM Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\TEMP\Perflib_Perfdata_668.dat Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped Scan process completed.

Lew/+Silat
Oregon

#13 Trevuren

Teacher Emeritus

Authentic Member
8,632 posts

Interests:Woodworking

Posted 14 February 2008 - 06:00 PM

All infected items are now in quarantine and will be removed during our final cleanup procedures.

If you have no more malware-related problems that you are aware of, just give me the OK and we can start these final but essential cleanup procedures and recommendations.

Trevuren

Microsoft MVP Consumer Security 2008 - 2009

Proud graduate of TC/WTT Classroom

#14 silat

Authentic Member

Authentic Member
48 posts

Posted 15 February 2008 - 01:56 AM

My friend is excited to be on the way to recovery.. I so appreciate you taking care of me. Im ready for the final:)

Lew/+Silat
Oregon

#15 Trevuren

Teacher Emeritus

Authentic Member
8,632 posts

Interests:Woodworking

Posted 15 February 2008 - 11:53 AM

Congratulations, your logs look CLEAN

There are a few things you must do once you system is completely clean:

Time for some housekeeping

Click START then RUN
Now type Combofix /u in the runbox and click OK

The above procedure will:

Delete the following:
- ComboFix and its associated files and folders.
- VundoFix backups, if present
- The C:\Deckard folder, if present
- The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

Here are some tips to reduce the potential for spyware infection in the future:

1. Make your Internet Explorer More Secure

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab.
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
- Change the Download signed ActiveX controls to Prompt.
- Change the Download unsigned ActiveX controls to Disable.
- Change the Initialise and script ActiveX controls not marked as safe to Disable.
- Change the Installation of desktop items to Prompt.
- Change the Launching programs and files in an IFRAME to Prompt.
- Change the Navigate sub-frames across different domains to Prompt.
- When all these settings have been made, click on the OK button.
- If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

2. Use and Update an Anti-Virus Software - I can not overemphasize the need for you to use and update your Anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

3. FIREWALL
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here

Do not install more than one firewall program because they will conflict with each other

4. Make sure you keep your Windows OS current by visiting Windows update regularly to download and install any critical updates and service packs. Without these you are leaving the back door open.

5. Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

6. Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.

7. Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real time spyware and hijacker protection on your computer alongside your virus protection. You should scan your computer with the program on a regular basis just as you would with your anti-virus software. A tutorial on installing and using this product can be found here:
Instructions for - Spybot S & D and Ad-aware

8. Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place?

Microsoft MVP Consumer Security 2008 - 2009

Proud graduate of TC/WTT Classroom

Body Background

skin color theme

Slow startup, Popups

#1 silat

Advertisements

Register to Remove

#2 Trevuren

#3 Trevuren

#4 silat

#5 Trevuren

#6 silat

#7 Trevuren

#8 silat

#9 Trevuren

#10 silat

Advertisements

Register to Remove

#11 Trevuren

#12 silat

#13 Trevuren

#14 silat

#15 Trevuren

Related Topics

1 user(s) are reading this topic

About What the Tech

Follow Us

Body Background

skin color theme

Slow startup, Popups

#1 silat

Advertisements Register to Remove

#2 Trevuren

#3 Trevuren

#4 silat

#5 Trevuren

#6 silat

#7 Trevuren

#8 silat

#9 Trevuren

#10 silat

Advertisements Register to Remove

#11 Trevuren

#12 silat

#13 Trevuren

#14 silat

#15 Trevuren

Related Topics

1 user(s) are reading this topic

About What the Tech

Follow Us

Sign In

Advertisements

Register to Remove

Advertisements

Register to Remove