
[Resolved] Pop Ups and Google Search Issues (Please help)


  • This topic is locked
16 replies to this topic

#1 breakbeatz (New Member, 9 posts)

Posted 02 April 2008 - 07:10 PM

I am starting to get a pop up and whenever I do a search the first site listed is always: www.bediddle.com
Scan saved at 8:59:08 PM, on 4/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\jownw64n.exe
C:\Program Files\nvcoi\nvcoi.exe
C:\Program Files\JavaCore\JavaCore.exe
C:\Documents and Settings\Owner.ALEJANDR-E22612\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\Owner.ALEJANDR-E22612\Application Data\Microsoft\Windows\rayiou.exe
C:\Program Files\Corel\Graphics9\Register\Remind32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\kcntpkdn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner.ALEJANDR-E22612\Local Settings\Temporary Internet Files\Content.IE5\0MV5JU9P\HiJackThis_v2[1].exe
C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [{C1-1A-AA-A1-DW}] C:\WINDOWS\system32\jownw64n.exe DWram
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\system32\kcntpkdn.exe DWram
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Owner.ALEJANDR-E22612\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Owner.ALEJANDR-E22612\Application Data\Microsoft\Windows\rayiou.exe
O4 - S-1-5-18 Startup: Corel Registration.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Deewoo.lnk = C:\WINDOWS\system32\kcntpkdn.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: DW_Start.lnk = C:\WINDOWS\system32\jownw64n.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Corel Registration.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe (User 'Default user')
O4 - .DEFAULT Startup: Deewoo.lnk = C:\WINDOWS\system32\kcntpkdn.exe (User 'Default user')
O4 - .DEFAULT Startup: DW_Start.lnk = C:\WINDOWS\system32\jownw64n.exe (User 'Default user')
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\kcntpkdn.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jownw64n.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4414 bytes

Thanks in advance for any help!

Edited by Scotty, 03 April 2008 - 03:54 AM.
Bad link removed



#2 Scotty (Always Happy, Authentic Member, 3,634 posts)

Posted 03 April 2008 - 03:58 AM

Hi! Welcome to the forums.
My name is Scotty. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research.
Please be patient.

You are running HijackThis out of a temp folder. Most tools we use empty those folders, so HijackThis will be deleted along with any backups. Please follow these instructions to install HijackThis into its own folder.

Install HijackThis

  • Download HJTInstall.exe to your Desktop.
  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.
Don't use the Analyse This button, its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.



Please make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in a reply.
You too could train to help others- Join the Classroom


#3 breakbeatz (New Member, 9 posts)

Posted 03 April 2008 - 07:15 AM

Here ya go. Thanks again for any help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:11 AM, on 4/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\jownw64n.exe
C:\Program Files\nvcoi\nvcoi.exe
C:\Program Files\JavaCore\JavaCore.exe
C:\Documents and Settings\Owner.ALEJANDR-E22612\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\Owner.ALEJANDR-E22612\Application Data\Microsoft\Windows\rayiou.exe
C:\Program Files\Corel\Graphics9\Register\Remind32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\kcntpkdn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [{C1-1A-AA-A1-DW}] C:\WINDOWS\system32\jownw64n.exe DWram
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\system32\kcntpkdn.exe DWram
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Owner.ALEJANDR-E22612\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Owner.ALEJANDR-E22612\Application Data\Microsoft\Windows\rayiou.exe
O4 - S-1-5-18 Startup: Corel Registration.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Deewoo.lnk = C:\WINDOWS\system32\kcntpkdn.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: DW_Start.lnk = C:\WINDOWS\system32\jownw64n.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Corel Registration.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe (User 'Default user')
O4 - .DEFAULT Startup: Deewoo.lnk = C:\WINDOWS\system32\kcntpkdn.exe (User 'Default user')
O4 - .DEFAULT Startup: DW_Start.lnk = C:\WINDOWS\system32\jownw64n.exe (User 'Default user')
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\kcntpkdn.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jownw64n.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4046 bytes

Ad-Aware 2007
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Amazon MP3 Downloader 1.0.3
Apple Mobile Device Support
Apple Software Update
Audacity 1.3.4 (Unicode)
BugOff 1.10
Conexant D850 56K V.9x DFVc Modem
Corel Applications
dBpoweramp FLAC Codec
dBpowerAMP Music Converter
Dell Laser Printer 1100 Software Uninstall
Dell Resource CD
FlashFXP v3.0 (Build 1022)
GoldWave v5.06
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Photosmart Essential 2.5
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 3
Kaspersky Online Scanner
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Modem Helper
Nero Suite
QuickTime
QuickTime Alternative 2.3.0
RealPlayer
Rhapsody Player Engine
Safari
Security Update for Excel 2007 (KB946974)
Security Update for Office 2007 (KB947801)
Security Update for Outlook 2007 (KB946983)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
SoulSeek Client 157 test 12c
SoundMAX
SureThing CD Labeler 4 SE
Update for Outlook 2007 Junk Email Filter (kb947945)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
WAV Joiner Trial
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver

#4 Scotty (Always Happy, Authentic Member, 3,634 posts)

Posted 03 April 2008 - 09:27 AM

Hi

If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

There is a tutorial on the basic use of Combofix here:
http://www.bleepingc...to-use-combofix


Please download Combofix from Bleeping Computer.

If you can't download it from there, please try these 2 alternative sites:

Forospyware
Geeks to Go

  • Save it to your Desktop.
  • Disconnect from the Internet, then disable your anti-virus and any real-time anti-spyware monitors that are running.
  • Click Start>Run copy/paste or type "%userprofile%\desktop\combofix.exe" /killall into the Run box and click OK.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



In your next reply post:
ComboFix.txt
New HijackThis log taken after the above scan has run

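The following is an added example written for this page; it is not code from HijackThis, ComboFix, or either poster. It is a small Python triage helper for the O4 (autostart) lines that Scotty asks for in post #2 and again, as a fresh log, after the ComboFix run in post #4. It parses each O4 entry into location, value name, executable and user, flags the patterns a helper looks at first (random-looking executable names, binaries running from the user profile, Startup shortcuts that point into system32), and diffs a pre- and post-cleanup log so that surviving or re-created autostarts stand out. The allowlist, the flagging rules and their thresholds are assumptions, not anything HijackThis does; the sample lines are copied from the logs posted in posts #3 and #5 of this thread.

```python
"""Triage helper for the O4 (autostart) lines of a HijackThis log.

Added example for this thread; not HijackThis code and not posted by anyone
in the thread. The flagging rules are assumed heuristics that point a
reviewer at entries worth researching; they are not verdicts.
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "where name exe user raw")

# Assumed allowlist of Windows binaries whose short names would otherwise
# trip the random-name heuristic. A real list is much longer.
KNOWN_GOOD = {"ctfmon", "explorer", "svchost", "spoolsv", "wuauclt"}

# First drive-letter path ending in an executable extension in a command.
EXE_RE = re.compile(r'^"?(?P<exe>[a-z]:\\.+?\.(?:exe|dll|vbs|bat|cmd|scr))\b', re.I)
VOWELS = set("aeiou")


def normalise(path):
    # HijackThis prints registry values verbatim, so doubled backslashes
    # (the JavaCore entry) and mixed case both occur; fold them.
    return re.sub(r"\\+", r"\\", path).lower()


def parse_o4(line):
    """Parse one O4 line into an Entry; return None for any other line."""
    line = line.strip()
    if not line.startswith("O4 - "):
        return None
    where, sep, rest = line[5:].partition(": ")
    if not sep:
        return None
    user = None
    tag = re.search(r" \(User '([^']*)'\)$", rest)
    if tag:
        user, rest = tag.group(1), rest[: tag.start()]
    if rest.startswith("["):
        # Run-key value: "[value name] command". rpartition copes with value
        # names that contain "]" themselves, such as g]eeV\mWhjlnspB.
        name, _, cmd = rest[1:].rpartition("] ")
    else:
        # Startup-folder shortcut: "Something.lnk = target".
        name, _, cmd = rest.partition(" = ")
    hit = EXE_RE.match(cmd)
    exe = normalise(hit.group("exe")) if hit else cmd.lower()
    if user is None:
        user = "current user" if where in ("HKCU\\..\\Run", "Startup") else "all users"
    return Entry(where, name, exe, user, line)


def looks_random(stem):
    """Crude heuristic: short lowercase-alphanumeric stems with almost no
    vowels (kcntpkdn) or almost only vowels (rayiou) are rarely product names."""
    if stem in KNOWN_GOOD or not re.fullmatch(r"[a-z0-9]{5,9}", stem):
        return False
    letters = [c for c in stem if c.isalpha()]
    ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    return ratio <= 0.2 or ratio >= 0.6


def flags_for(entry):
    """Return the reasons an autostart entry deserves a closer look."""
    reasons = []
    stem = entry.exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if looks_random(stem):
        reasons.append("random-looking executable name")
    if "\\documents and settings\\" in entry.exe:
        reasons.append("runs from a user-writable profile path")
    if entry.where.endswith("Startup") and "\\windows\\system32\\" in entry.exe:
        reasons.append("Startup shortcut points into system32")
    return reasons


def triage(lines):
    """Map each flagged O4 line to its reasons; unflagged lines are omitted."""
    flagged = {}
    for entry in filter(None, map(parse_o4, lines)):
        reasons = flags_for(entry)
        if reasons:
            flagged[entry.raw] = reasons
    return flagged


def autostart_diff(before, after):
    """Compare logs taken before and after a cleanup: which (location, user,
    exe) triples survived, which are new, which are gone. A binary swapped
    at the same location (jownw64n -> rwwnw64d here) shows up as new."""
    def keys(lines):
        return {(e.where, e.user, e.exe) for e in map(parse_o4, lines) if e}
    b, a = keys(before), keys(after)
    return {"survived": sorted(a & b), "new": sorted(a - b), "gone": sorted(b - a)}


# O4 lines copied from the HijackThis logs in this thread (post #3 before
# ComboFix, post #5 after); trimmed to the entries that matter for the demo.
BEFORE = r"""
O4 - HKLM\..\Run: [{C1-1A-AA-A1-DW}] C:\WINDOWS\system32\jownw64n.exe DWram
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\system32\kcntpkdn.exe DWram
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Owner.ALEJANDR-E22612\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Owner.ALEJANDR-E22612\Application Data\Microsoft\Windows\rayiou.exe
O4 - S-1-5-18 Startup: Corel Registration.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Deewoo.lnk = C:\WINDOWS\system32\kcntpkdn.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: DW_Start.lnk = C:\WINDOWS\system32\jownw64n.exe (User 'SYSTEM')
""".strip().splitlines()

AFTER = r"""
O4 - HKLM\..\Run: [{C1-1A-AA-A1-DW}] c:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\system32\kcntpkdn.exe DWram
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Corel Registration.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Deewoo.lnk = C:\WINDOWS\system32\kcntpkdn.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe (User 'SYSTEM')
""".strip().splitlines()

if __name__ == "__main__":
    for raw, why in triage(BEFORE).items():
        print(raw, "->", "; ".join(why))
    for kind, items in autostart_diff(BEFORE, AFTER).items():
        print(kind, items)
```

Run against the two logs, the diff shows kcntpkdn.exe surviving in both the HKLM Run key and the SYSTEM Startup folder, while jownw64n.exe is gone and rwwnw64d.exe appears in exactly the places jownw64n.exe occupied: the same {C1-1A-AA-A1-DW} value and the same DW_Start.lnk. That is why a helper asks for a fresh HijackThis log after every tool run instead of trusting the tool's own deletion list. The rules are deliberately loose: JavaCore.exe, which ComboFix later removed, trips none of them, so an unflagged entry is not a clean one.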

#5 breakbeatz (New Member, 9 posts)

Posted 03 April 2008 - 10:04 AM

ComboFix 08-04-02.1 - Owner 2008-04-03 11:49:56.1 - NTFSx86
Running from: C:\Documents and Settings\Owner.ALEJANDR-E22612\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
TimedOut: progfile.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService.NT AUTHORITY.000\Application Data\NetMon
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Application Data\NetMon\log.txt
C:\Documents and Settings\LocalService.NT AUTHORITY.002\Application Data\NetMon
C:\Documents and Settings\LocalService.NT AUTHORITY.002\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService.NT AUTHORITY.002\Application Data\NetMon\log.txt
C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\NetMon
C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\NetMon\log.txt
C:\Documents and Settings\Owner.ALEJANDR-E22612\Application Data\WinTouch
C:\Documents and Settings\Owner.ALEJANDR-E22612\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\Owner.ALEJANDR-E22612\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\Owner.ALEJANDR-E22612\Application Data\WinTouch\WTUninstaller.exe
C:\Documents and Settings\Owner.ALEJANDR-E22612\Local Settings\Temporary Internet Files\CPV.stt
C:\Documents and Settings\Owner.ALEJANDR-E22612\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Owner.ALEJANDR-E22612\Start Menu\Programs\Startup\DW_Start.lnk
C:\Program Files\Common Files\{5C4C1~1
C:\Program Files\Helper
C:\Program Files\Helper\Helper9.dll
C:\Program Files\inetget2
C:\Program Files\JavaCore
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\JavaCore\UnInstall.exe
C:\Program Files\lsass.exe
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\outlook
C:\Program Files\outlook\p.zip
C:\Program Files\Temporary
C:\Program Files\Temporary\InsiDERInst.exe
C:\Program Files\winupdate
C:\Program Files\winupdate\winupdate.exe
C:\Program Files\wmplayer
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\gbRve12
C:\Temp\gbRve12\csLioes.log
C:\WINDOWS\b138.exe
C:\WINDOWS\b152.exe
C:\WINDOWS\b153.exe
C:\WINDOWS\mrofinu.exe
C:\WINDOWS\mrofinu.exe.tmp
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\MODEMCSAA.sys
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\uninstall_nmon.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_MODEMCSAA
-------\Service_MODEMCSAA


((((((((((((((((((((((((( Files Created from 2008-03-03 to 2008-04-03 )))))))))))))))))))))))))))))))
.

2008-04-03 11:56 . 2008-04-03 11:56 32 --a------ C:\WINDOWS\system32\msnav32.ax
2008-04-02 16:29 . 2008-04-02 16:29 <DIR> d-------- C:\Documents and Settings\Owner.ALEJANDR-E22612\Application Data\Corel
2008-04-02 10:31 . 2008-04-02 10:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-02 08:40 . 2008-04-02 08:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-02 08:40 . 2008-04-02 08:42 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-04-02 08:21 . 2008-04-02 08:21 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-02 08:21 . 2008-04-02 08:21 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-04-02 08:16 . 2008-04-02 08:16 <DIR> d-------- C:\Program Files\InterMute
2008-04-02 08:15 . 2008-04-02 08:15 <DIR> d-------- C:\Program Files\nvcoi
2008-04-02 08:10 . 2008-04-02 08:10 <DIR> d-------- C:\Program Files\CPV
2008-04-01 22:55 . 2008-04-01 22:55 9,662 --a------ C:\WINDOWS\system32\vaio3-011.ico
2008-04-01 07:54 . 2008-04-01 07:54 57,357 --a------ C:\WINDOWS\system32\jownw64n.exe
2008-04-01 07:21 . 2008-04-01 07:21 <DIR> d-------- C:\WINDOWS\system32\xTmp
2008-04-01 07:21 . 2008-04-01 07:21 <DIR> d-------- C:\WINDOWS\system32\winz1
2008-04-01 07:21 . 2008-04-01 07:21 <DIR> d-------- C:\WINDOWS\system32\IDME
2008-04-01 07:21 . 2008-04-01 07:21 <DIR> d-------- C:\WINDOWS\system32\aqVreo04
2008-04-01 07:21 . 2008-04-01 07:21 204,870 --a------ C:\WINDOWS\system32\kcntpkdn.exe
2008-04-01 07:21 . 2008-04-01 07:21 57,350 --a------ C:\WINDOWS\system32\rwwnw64d.exe
2008-04-01 07:21 . 2008-04-01 20:56 934 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-03-27 22:48 . 2008-04-01 07:35 <DIR> d-------- C:\Documents and Settings\Owner.ALEJANDR-E22612\Application Data\iPhoneRingToneMaker
2008-03-23 18:58 . 1999-02-17 12:49 1,039,360 -ra------ C:\WINDOWS\system32\MSJET35.DLL
2008-03-23 18:58 . 1999-02-17 12:49 368,912 -ra------ C:\WINDOWS\system32\VBAR332.DLL
2008-03-23 18:57 . 1998-09-25 12:18 607,744 --------- C:\WINDOWS\system32\Decslib.dll
2008-03-23 18:55 . 1998-11-03 11:10 112,688 --------- C:\WINDOWS\system32\shw32.dll
2008-03-23 18:55 . 1996-12-10 13:21 39,095 --------- C:\WINDOWS\iccsigs.dat
2008-03-23 18:55 . 1999-03-08 07:53 28,252 --------- C:\WINDOWS\corelpf.lrs
2008-03-23 18:54 . 1997-07-30 12:59 909,312 --------- C:\WINDOWS\system32\qd3d.dll
2008-03-23 18:54 . 1997-07-30 15:21 553,984 --------- C:\WINDOWS\system32\rave.dll
2008-03-23 18:54 . 1999-07-21 20:14 245,760 --------- C:\WINDOWS\system32\Sccomp91.dll
2008-03-23 18:54 . 1999-07-21 20:14 225,280 --------- C:\WINDOWS\system32\Scint91.dll
2008-03-23 18:54 . 1997-07-30 15:43 211,456 --------- C:\WINDOWS\system32\qd3d_ir2.q3x
2008-03-23 18:54 . 1998-12-10 08:42 168,448 --------- C:\WINDOWS\system32\Awrtl30.dll
2008-03-23 18:54 . 1999-07-21 20:15 110,592 --------- C:\WINDOWS\system32\Sccres91.dll
2008-03-23 18:54 . 1999-03-21 09:49 100,864 --------- C:\WINDOWS\system32\awpe.dll
2008-03-23 18:54 . 1997-07-30 15:58 70,656 --------- C:\WINDOWS\system32\3dviewer.dll
2008-03-23 18:32 . 2008-03-23 18:33 <DIR> d-------- C:\Program Files\Safari
2008-03-22 18:34 . 2008-03-22 18:34 51 --a------ C:\WINDOWS\mix-fx.ini
2008-03-22 16:53 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-22 16:53 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-22 16:53 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-21 20:06 . 2008-03-21 20:06 1,099,839 --a------ C:\WINDOWS\system32\TmpA5341453
2008-03-20 19:54 . 2008-03-20 19:54 <DIR> d-------- C:\Program Files\MSBuild
2008-03-20 19:43 . 2008-03-23 13:03 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2008-03-15 08:45 . 2008-03-15 08:45 40,960 --a------ C:\WINDOWS\system32\aqVreo04\aqVreo041066.exe
2008-03-12 22:48 . 2005-09-25 20:11 2,494,464 --a------ C:\WINDOWS\system32\advrcntr2.dll
2008-03-12 08:03 . 2008-03-12 08:03 <DIR> d-------- C:\f730c731ea6d390d87c7b3baabf2b3d7
2008-03-09 17:29 . 2008-03-09 17:28 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp FLAC Codec.bmp
2008-03-09 17:29 . 2008-03-09 17:29 2,987 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2008-03-09 10:55 . 2008-03-09 10:55 <DIR> d-------- C:\Documents and Settings\Owner.ALEJANDR-E22612\Application Data\Amazon
2008-03-09 10:53 . 2008-03-09 10:53 <DIR> d-------- C:\Program Files\Amazon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-02 21:51 --------- d-----w C:\Program Files\FlashFXP
2008-04-02 12:40 --------- d-----w C:\Program Files\Lavasoft
2008-03-31 04:39 --------- d-----w C:\Program Files\Soulseek-Test
2008-03-23 23:22 --------- d-----w C:\Program Files\Corel
2008-03-23 22:33 --------- d-----w C:\Documents and Settings\Owner.ALEJANDR-E22612\Application Data\Apple Computer
2008-03-20 23:55 --------- d-----w C:\Program Files\Microsoft Works
2008-03-20 23:54 --------- d-----w C:\Documents and Settings\Owner.ALEJANDR-E22612\Application Data\Ableton
2008-03-01 22:19 --------- d-----w C:\Documents and Settings\Owner.ALEJANDR-E22612\Application Data\Audacity
2008-03-01 18:59 --------- d-----w C:\Program Files\Audacity 1.3 Beta (Unicode)
2008-02-24 03:00 --------- d-----w C:\Program Files\iTunes
2008-02-24 03:00 --------- d-----w C:\Program Files\iPod
2008-02-24 03:00 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-02-24 02:59 --------- d-----w C:\Program Files\QuickTime Alternative
2008-02-24 02:58 --------- d-----w C:\Program Files\Common Files\Apple
2008-02-24 02:58 --------- d-----w C:\Program Files\Apple Software Update
2008-02-24 02:58 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2008-02-20 01:59 --------- d-----w C:\Program Files\GoldWave
2008-02-20 00:53 --------- d-----w C:\Program Files\mp3DirectCut
2008-02-18 16:16 30,464 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-02-13 01:54 --------- d-----w C:\Program Files\coolpro
2008-02-06 19:14 --------- d-----w C:\Program Files\Windows Media Connect 2
2003-08-27 19:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.

------- Sigcheck -------

2007-06-13 06:23 1040384 731c62f0c09ee496ce5de5172443b5db C:\WINDOWS\explorer.exe
2007-06-13 07:26 1040384 4a03b83455863c0af46c3bf5e41dc91e C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 08:00 1039360 6c1c4260383f99fea4733e2f777623fc C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 06:23 1040384 731c62f0c09ee496ce5de5172443b5db C:\WINDOWS\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 22528]
"nvcoi"="C:\Program Files\nvcoi\nvcoi.exe" [2008-04-02 08:15 132916]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{C1-1A-AA-A1-DW}"="c:\windows\system32\rwwnw64d.exe" [2008-04-01 07:21 57350]
"g]eeV\mWhjlnspB"="C:\WINDOWS\system32\kcntpkdn.exe" [2008-04-01 07:21 204870]

C:\Documents and Settings\Owner.ALEJANDR-E22612\Start Menu\Programs\Startup\
Corel Registration.lnk - C:\Program Files\Corel\Graphics9\Register\Remind32.exe [2007-08-17 21:10:20 74752]
Deewoo.lnk - C:\WINDOWS\system32\kcntpkdn.exe [2008-04-01 07:21:46 204870]
DW_Start.lnk - C:\WINDOWS\system32\rwwnw64d.exe [2008-04-01 07:21:41 57350]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Soulseek-Test\\slsk.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-03-30 00:29:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-03 11:56:38
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\zxdnt3d.cfg 21 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"g]eeV\\mWhjlnspB"="C:\\WINDOWS\\system32\\kcntpkdn.exe DWram"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Completion time: 2008-04-03 12:01:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-03 16:00:57
Pre-Run: 33,783,390,208 bytes free
Post-Run: 33,963,495,424 bytes free
.
2008-03-23 17:03:22 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03, on 2008-04-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\kcntpkdn.exe
C:\Program Files\nvcoi\nvcoi.exe
C:\Program Files\Corel\Graphics9\Register\Remind32.exe
c:\windows\system32\rwwnw64d.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O4 - HKLM\..\Run: [{C1-1A-AA-A1-DW}] c:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\system32\kcntpkdn.exe DWram
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
O4 - S-1-5-18 Startup: Corel Registration.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Deewoo.lnk = C:\WINDOWS\system32\kcntpkdn.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Corel Registration.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe (User 'Default user')
O4 - .DEFAULT Startup: Deewoo.lnk = C:\WINDOWS\system32\kcntpkdn.exe (User 'Default user')
O4 - .DEFAULT Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe (User 'Default user')
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\kcntpkdn.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 3825 bytes

#6 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 03 April 2008 - 10:16 AM

Hi

Ugh, that's a messy one. :smack:


We now suggest that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System, which in your case is SP2

XP Media Centre is based upon XP Professional

Posted Image


Download the file & save it as it's originally named, next to ComboFix.exe.

Posted Image

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

#7 breakbeatz

breakbeatz

    New Member

  • New Member
  • Pip
  • 9 posts

Posted 03 April 2008 - 10:57 AM

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

#8 breakbeatz

breakbeatz

    New Member

  • New Member
  • Pip
  • 9 posts

Posted 03 April 2008 - 08:01 PM

Ok Scotty, Now what do I do? Thanks again

#9 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 04 April 2008 - 04:08 AM

Hi

Remember to disconnect from the Internet before carrying out the next instruction, and to save the following script before you do.


Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

KillAll::
 
File::
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\jownw64n.exe
C:\WINDOWS\system32\kcntpkdn.exe
C:\WINDOWS\system32\rwwnw64d.exe
C:\Documents and Settings\Owner.ALEJANDR-E22612\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Owner.ALEJANDR-E22612\Start Menu\Programs\Startup\DW_Start.lnk
C:\WINDOWS\system32\zxdnt3d.cfg 

Folder::
C:\Program Files\nvcoi
C:\Program Files\CPV
C:\WINDOWS\system32\aqVreo04
C:\WINDOWS\system32\IDME

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nvcoi"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{C1-1A-AA-A1-DW}"=-
"g]eeV\mWhjlnspB"=-

DirLook::
C:\WINDOWS\system32\xTmp
C:\WINDOWS\system32\winz1

Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Posted Image


Referring to the picture above, drag CFScript into ComboFix.exe

In your next reply post:
ComboFix.txt
New HijackThis log taken after the above scan has run


#10 breakbeatz

breakbeatz

    New Member

  • New Member
  • Pip
  • 9 posts

Posted 04 April 2008 - 06:20 AM

Ok Scotty,


ComboFix 08-04-02.1 - Owner 2008-04-04 8:06:51.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.251 [GMT -4:00]
Running from: C:\Documents and Settings\Owner.ALEJANDR-E22612\Desktop\1\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.ALEJANDR-E22612\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Owner.ALEJANDR-E22612\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Owner.ALEJANDR-E22612\Start Menu\Programs\Startup\DW_Start.lnk
C:\WINDOWS\system32\jownw64n.exe
C:\WINDOWS\system32\kcntpkdn.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\zxdnt3d.cfg
.
TimedOut: progfile.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService.NT AUTHORITY.002\Application Data\NetMon
C:\Documents and Settings\LocalService.NT AUTHORITY.002\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService.NT AUTHORITY.002\Application Data\NetMon\log.txt
C:\Documents and Settings\Owner.ALEJANDR-E22612\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Owner.ALEJANDR-E22612\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Owner.ALEJANDR-E22612\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\Owner.ALEJANDR-E22612\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Owner.ALEJANDR-E22612\Start Menu\Programs\Startup\DW_Start.lnk
C:\Program Files\Common Files\wqrk
C:\Program Files\Common Files\wqrk\wqrka.exe
C:\Program Files\Common Files\wqrk\wqrka.lck
C:\Program Files\Common Files\wqrk\wqrkd\class-barrel
C:\Program Files\Common Files\wqrk\wqrkd\vocabulary
C:\Program Files\Common Files\wqrk\wqrkd\wqrkc.dll
C:\Program Files\Common Files\wqrk\wqrkl.exe
C:\Program Files\Common Files\wqrk\wqrkl.lck
C:\Program Files\Common Files\wqrk\wqrkm.exe
C:\Program Files\Common Files\wqrk\wqrkm.lck
C:\Program Files\Common Files\wqrk\wqrkp.exe
C:\Program Files\Common Files\wqrk\wqrkp.lck
C:\Program Files\Common Files\Yazzle1560OinAdmin.exe
C:\Program Files\Common Files\Yazzle1560OinUninstaller.exe
C:\Program Files\CPV
C:\Program Files\CPV\CPV7.dll
C:\Program Files\inetget2
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\nvcoi
C:\Program Files\nvcoi\mst.stt
C:\Program Files\nvcoi\nvcoi.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\WINDOWS\b103.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\b116.exe
C:\WINDOWS\icroso~1.net
C:\WINDOWS\icroso~1.net\?icrosoft.NET\
C:\WINDOWS\icroso~1.net\wowexec.exe
C:\WINDOWS\mrofinu1001186.exe
C:\WINDOWS\QWxlamFuZHJvIFphbW9yYQ\
C:\WINDOWS\QWxlamFuZHJvIFphbW9yYQ\\asappsrv.dll
C:\WINDOWS\QWxlamFuZHJvIFphbW9yYQ\\command.exe
C:\WINDOWS\QWxlamFuZHJvIFphbW9yYQ\\kqU5uAIRtJLSKID1vq6Vsk.vbs
C:\WINDOWS\QWxlamFuZHJvIFphbW9yYQ\command.exe
C:\WINDOWS\system32\aqVreo04
C:\WINDOWS\system32\aqVreo04\aqVreo041066.exe
C:\WINDOWS\system32\asembl~1
C:\WINDOWS\system32\asembl~1\??xplore.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\bjo.dll
C:\WINDOWS\system32\IDME
C:\WINDOWS\system32\IDME\dimnet201.exe
C:\WINDOWS\system32\IDME\TGbn1dll.exe
C:\WINDOWS\system32\jownw64n.exe
C:\WINDOWS\system32\kcntpkdn.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\wqrk
C:\WINDOWS\wqrk\wqrk.dat
C:\WINDOWS\wqrk\wu

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Service_cmdService
-------\Service_Network Monitor


((((((((((((((((((((((((( Files Created from 2008-03-04 to 2008-04-04 )))))))))))))))))))))))))))))))
.

2008-04-04 05:40 . 2008-04-04 05:40 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-04-03 19:57 . 2008-04-03 19:57 9,662 --a------ C:\WINDOWS\system32\iphone-6y.ico
2008-04-02 16:29 . 2008-04-02 16:29 <DIR> d-------- C:\Documents and Settings\Owner.ALEJANDR-E22612\Application Data\Corel
2008-04-02 10:31 . 2008-04-02 10:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-02 08:40 . 2008-04-02 08:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-02 08:40 . 2008-04-02 08:42 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-04-02 08:21 . 2008-04-02 08:21 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-02 08:21 . 2008-04-02 08:21 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-04-02 08:16 . 2008-04-02 08:16 <DIR> d-------- C:\Program Files\InterMute
2008-04-01 22:55 . 2008-04-01 22:55 9,662 --a------ C:\WINDOWS\system32\vaio3-011.ico
2008-04-01 07:21 . 2008-04-01 07:21 <DIR> d-------- C:\WINDOWS\system32\xTmp
2008-04-01 07:21 . 2008-04-01 07:21 <DIR> d-------- C:\WINDOWS\system32\winz1
2008-04-01 07:21 . 2008-04-03 13:57 935 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-03-27 22:48 . 2008-04-01 07:35 <DIR> d-------- C:\Documents and Settings\Owner.ALEJANDR-E22612\Application Data\iPhoneRingToneMaker
2008-03-23 18:58 . 1999-02-17 12:49 1,039,360 -ra------ C:\WINDOWS\system32\MSJET35.DLL
2008-03-23 18:58 . 1999-02-17 12:49 368,912 -ra------ C:\WINDOWS\system32\VBAR332.DLL
2008-03-23 18:57 . 1998-09-25 12:18 607,744 --------- C:\WINDOWS\system32\Decslib.dll
2008-03-23 18:55 . 1998-11-03 11:10 112,688 --------- C:\WINDOWS\system32\shw32.dll
2008-03-23 18:55 . 1996-12-10 13:21 39,095 --------- C:\WINDOWS\iccsigs.dat
2008-03-23 18:55 . 1999-03-08 07:53 28,252 --------- C:\WINDOWS\corelpf.lrs
2008-03-23 18:54 . 1997-07-30 12:59 909,312 --------- C:\WINDOWS\system32\qd3d.dll
2008-03-23 18:54 . 1997-07-30 15:21 553,984 --------- C:\WINDOWS\system32\rave.dll
2008-03-23 18:54 . 1999-07-21 20:14 245,760 --------- C:\WINDOWS\system32\Sccomp91.dll
2008-03-23 18:54 . 1999-07-21 20:14 225,280 --------- C:\WINDOWS\system32\Scint91.dll
2008-03-23 18:54 . 1997-07-30 15:43 211,456 --------- C:\WINDOWS\system32\qd3d_ir2.q3x
2008-03-23 18:54 . 1998-12-10 08:42 168,448 --------- C:\WINDOWS\system32\Awrtl30.dll
2008-03-23 18:54 . 1999-07-21 20:15 110,592 --------- C:\WINDOWS\system32\Sccres91.dll
2008-03-23 18:54 . 1999-03-21 09:49 100,864 --------- C:\WINDOWS\system32\awpe.dll
2008-03-23 18:54 . 1997-07-30 15:58 70,656 --------- C:\WINDOWS\system32\3dviewer.dll
2008-03-23 18:32 . 2008-03-23 18:33 <DIR> d-------- C:\Program Files\Safari
2008-03-22 18:34 . 2008-03-22 18:34 51 --a------ C:\WINDOWS\mix-fx.ini
2008-03-22 16:53 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-22 16:53 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-22 16:53 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-21 20:06 . 2008-03-21 20:06 1,099,839 --a------ C:\WINDOWS\system32\TmpA5341453
2008-03-20 19:54 . 2008-03-20 19:54 <DIR> d-------- C:\Program Files\MSBuild
2008-03-20 19:43 . 2008-03-23 13:03 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2008-03-12 22:48 . 2005-09-25 20:11 2,494,464 --a------ C:\WINDOWS\system32\advrcntr2.dll
2008-03-12 08:03 . 2008-03-12 08:03 <DIR> d-------- C:\f730c731ea6d390d87c7b3baabf2b3d7
2008-03-09 17:29 . 2008-03-09 17:28 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp FLAC Codec.bmp
2008-03-09 17:29 . 2008-03-09 17:29 2,987 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2008-03-09 10:55 . 2008-03-09 10:55 <DIR> d-------- C:\Documents and Settings\Owner.ALEJANDR-E22612\Application Data\Amazon
2008-03-09 10:53 . 2008-03-09 10:53 <DIR> d-------- C:\Program Files\Amazon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-04 11:12 --------- d-----w C:\Program Files\Winamp
2008-04-04 11:12 --------- d-----w C:\Program Files\WAV Joiner Trial
2008-04-04 11:12 --------- d-----w C:\Program Files\WAV Joiner
2008-04-04 11:12 --------- d-----w C:\Program Files\QuickTime Alternative
2008-04-04 11:11 --------- d-----w C:\Program Files\mp3DirectCut
2008-04-04 11:11 --------- d-----w C:\Program Files\mp3 direct cut
2008-04-04 11:11 --------- d-----w C:\Program Files\Modem Helper
2008-04-04 11:11 --------- d-----w C:\Program Files\Microsoft Plus! Photo Story 2 LE
2008-04-04 11:09 --------- d-----w C:\Program Files\GoldWave
2008-04-02 21:51 --------- d-----w C:\Program Files\FlashFXP
2008-04-02 12:40 --------- d-----w C:\Program Files\Lavasoft
2008-03-31 04:39 --------- d-----w C:\Program Files\Soulseek-Test
2008-03-23 23:22 --------- d-----w C:\Program Files\Corel
2008-03-23 22:33 --------- d-----w C:\Documents and Settings\Owner.ALEJANDR-E22612\Application Data\Apple Computer
2008-03-20 23:55 --------- d-----w C:\Program Files\Microsoft Works
2008-03-20 23:54 --------- d-----w C:\Documents and Settings\Owner.ALEJANDR-E22612\Application Data\Ableton
2008-03-01 22:19 --------- d-----w C:\Documents and Settings\Owner.ALEJANDR-E22612\Application Data\Audacity
2008-03-01 18:59 --------- d-----w C:\Program Files\Audacity 1.3 Beta (Unicode)
2008-02-24 03:00 --------- d-----w C:\Program Files\iTunes
2008-02-24 03:00 --------- d-----w C:\Program Files\iPod
2008-02-24 03:00 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-02-24 02:58 --------- d-----w C:\Program Files\Common Files\Apple
2008-02-24 02:58 --------- d-----w C:\Program Files\Apple Software Update
2008-02-24 02:58 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2008-02-18 16:16 30,464 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-02-13 01:54 --------- d-----w C:\Program Files\coolpro
2008-02-06 19:14 --------- d-----w C:\Program Files\Windows Media Connect 2
2003-08-27 19:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\system32\winz1 ----

2008-02-14 10:42 57344 --a------ C:\WINDOWS\system32\winz1\begmgr11.exe

---- Directory of C:\WINDOWS\system32\xTmp ----

2007-08-14 17:22 35857 --a------ C:\WINDOWS\system32\xTmp\v55api.exe


------- Sigcheck -------

2007-06-13 06:23 1040384 731c62f0c09ee496ce5de5172443b5db C:\WINDOWS\explorer.exe
2007-06-13 07:26 1040384 4a03b83455863c0af46c3bf5e41dc91e C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 08:00 1039360 6c1c4260383f99fea4733e2f777623fc C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 06:23 1040384 731c62f0c09ee496ce5de5172443b5db C:\WINDOWS\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((( snapshot@2008-04-03_12.00.37.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 12:00:00 174,080 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2000-08-31 12:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2008-04-03 15:56:15 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-04 12:12:22 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-03 15:56:15 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-04 12:12:22 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-03 15:56:15 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-04 12:12:22 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 22528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"g]eeV\mWhjlnspB"="C:\WINDOWS\system32\kcntpkdn.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Rrea"="C:\WINDOWS\ICROSO~1.NET\wowexec.exe" [ ]
"Tudd"="C:\WINDOWS\system32\a?sembly\??xplore.exe" [ ]
"wqrk"="C:\PROGRA~1\COMMON~1\wqrk\wqrkm.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Soulseek-Test\\slsk.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-03-30 00:29:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-04 08:12:45
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"g]eeV\\mWhjlnspB"="C:\\WINDOWS\\system32\\kcntpkdn.exe DWram"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Corel\Graphics9\Register\Remind32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-04-04 8:17:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-04 12:17:26
ComboFix2.txt 2008-04-03 16:01:01
Pre-Run: 33,445,462,016 bytes free
Post-Run: 33,414,873,088 bytes free
.
2008-03-23 17:03:22 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:18, on 2008-04-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Corel\Graphics9\Register\Remind32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\system32\kcntpkdn.exe DWram
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Rrea] "C:\WINDOWS\ICROSO~1.NET\wowexec.exe" -vt yazb (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Tudd] C:\WINDOWS\system32\a?sembly\??xplore.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [wqrk] C:\PROGRA~1\COMMON~1\wqrk\wqrkm.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Rrea] "C:\WINDOWS\ICROSO~1.NET\wowexec.exe" -vt yazb (User 'Default user')
O4 - S-1-5-18 Startup: Corel Registration.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Corel Registration.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe (User 'Default user')
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 3499 bytes
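A way to check what the CFScript actually changed, as an added example that is not part of this thread and not code from HijackThis or ComboFix: the script below parses the O4 (autostart) lines of the two HijackThis logs posted above, the one taken before the first CFScript run and the one taken after it, and reports which entries were removed, which persisted and which are newly visible, with a few triage hints attached. The sample lines are copied from the two logs in the thread; the allowlist (`WINDIR_ALLOWLIST`) and the three heuristics in `suspicion_reasons` are assumptions made for illustration, not rules from any tool.

```python
"""Compare the O4 (autostart) entries of two HijackThis logs.

Added example for this thread; it is not part of HijackThis or ComboFix.
The sample lines are copied from the two HijackThis logs posted above
(before and after the first CFScript run), trimmed to their O4 sections.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: O4 lines from the 2008-04-03 log (before the CFScript).
HJT_BEFORE = r"""
O4 - HKLM\..\Run: [{C1-1A-AA-A1-DW}] c:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\system32\kcntpkdn.exe DWram
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
O4 - S-1-5-18 Startup: Corel Registration.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Deewoo.lnk = C:\WINDOWS\system32\kcntpkdn.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe (User 'SYSTEM')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\kcntpkdn.exe
"""

# Constructed sample: O4 lines from the 2008-04-04 log (after the CFScript).
HJT_AFTER = r"""
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\system32\kcntpkdn.exe DWram
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Rrea] "C:\WINDOWS\ICROSO~1.NET\wowexec.exe" -vt yazb (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Tudd] C:\WINDOWS\system32\a?sembly\??xplore.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [wqrk] C:\PROGRA~1\COMMON~1\wqrk\wqrkm.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Corel Registration.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe (User 'SYSTEM')
"""

# Registry Run values: "O4 - <hive>\..\Run: [<value name>] <command>".  The value
# name is matched greedily so a name that itself contains "]" (see g]eeV above)
# still splits at the last "] " before the command.
RUN_RE = re.compile(r"^O4 - (?P<loc>.+?): \[(?P<name>.+)\] (?P<cmd>.+)$")
# Startup-folder shortcuts: "O4 - <scope> Startup: <file>.lnk = <target>".
STARTUP_RE = re.compile(r"^O4 - (?P<loc>.+?): (?P<name>[^=]+?) = (?P<cmd>.+)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")
# Illustrative allowlist (an assumption for this example): executables under
# the Windows directory that are expected to autostart on this machine.
WINDIR_ALLOWLIST = {"ctfmon.exe"}


@dataclass(frozen=True, order=True)
class AutostartEntry:
    location: str   # hive/scope as HijackThis prints it, e.g. "HKLM\..\Run"
    name: str       # registry value name or .lnk file name
    target: str     # executable path, lower-cased, quotes and arguments removed


def extract_target(cmd: str) -> str:
    """Reduce a command line to the executable it launches."""
    cmd = USER_SUFFIX_RE.sub("", cmd).strip()
    if cmd.startswith('"'):                       # quoted path, arguments follow the quote
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd.strip('"')).lower()
    # Unquoted path (may contain spaces): take up to the first executable suffix.
    m = re.match(r"(.+?\.(?:exe|dll|scr|com|bat|vbs|pif))(?:\s|$)", cmd, re.IGNORECASE)
    return (m.group(1) if m else cmd.split()[0]).lower()


def parse_o4(log: str) -> set[AutostartEntry]:
    """Collect every O4 line of a HijackThis log as a normalised entry."""
    entries = set()
    for line in log.splitlines():
        line = line.strip()
        if not line.startswith("O4 - "):
            continue
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            entries.add(AutostartEntry(m["loc"], m["name"], extract_target(m["cmd"])))
    return entries


def suspicion_reasons(entry: AutostartEntry) -> list[str]:
    """Cheap triage hints (assumed heuristics); anything flagged still needs a human look."""
    reasons = []
    if "?" in entry.target:
        # HijackThis prints "?" for characters it cannot render; a path such as
        # a?sembly\??xplore.exe is mimicking a legitimate-looking name.
        reasons.append("non-printable characters in path")
    if re.search(r"[^\w .{}\-]", entry.name):
        reasons.append("unusual characters in value name")
    basename = entry.target.rsplit("\\", 1)[-1]
    if entry.target.startswith("c:\\windows\\") and basename not in WINDIR_ALLOWLIST:
        reasons.append("unknown executable under the Windows directory")
    return reasons


def compare_logs(before: str, after: str) -> dict[str, list[AutostartEntry]]:
    """Classify autostart entries as removed, persisting or newly visible."""
    b, a = parse_o4(before), parse_o4(after)
    return {"removed": sorted(b - a), "persisting": sorted(a & b), "new": sorted(a - b)}


if __name__ == "__main__":
    report = compare_logs(HJT_BEFORE, HJT_AFTER)
    for status, entries in report.items():
        print(f"== {status} ({len(entries)}) ==")
        for e in entries:
            flags = suspicion_reasons(e)
            print(f"  {e.location} [{e.name}] -> {e.target}" + (f"   ! {'; '.join(flags)}" if flags else ""))
```

Run as-is, the report shows five entries gone (the rwwnw64d/nvcoi values and the Deewoo/DW_Start shortcuts), the `g]eeV\mWhjlnspB` value still present in HKLM, and three entries under HKUS\S-1-5-18 (Rrea, Tudd, wqrk) that were not visible in the first log; those are exactly the values the next CFScript in the thread removes. Comparing before/after this way is cheaper and more reliable than eyeballing two logs of several hundred lines.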



#11 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 04 April 2008 - 06:28 AM

Hi

Remember to disconnect from the Internet before carrying out the next instruction, and to save the following script before you do.


Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

KillAll::
 
Folder::
C:\WINDOWS\system32\winz1
C:\WINDOWS\system32\xTmp

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"g]eeV\mWhjlnspB"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Rrea"=-
"Tudd"=-
"wqrk"=-

Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Posted Image


Referring to the picture above, drag CFScript into ComboFix.exe


Let's run an F-Secure online scan; it will scan for Viruses, Spyware and RootKits:
  • Click HERE
  • Scroll to the bottom of the page and click the Start Scanning button. A window will pop up.
  • Allow the Active X control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
    Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post

Note: This scan will only work with Internet Explorer.
You must be logged on with administrator rights to run this scan.
The scan may take a few hours.


In your next reply post:
ComboFix.txt
F-Secure scan
New HijackThis log taken after the above scan has run


#12 breakbeatz

breakbeatz

    New Member

  • New Member
  • Pip
  • 9 posts

Posted 04 April 2008 - 07:42 AM

Hey Scotty,
I can't get the F-Secure to work. It says downloaded database corrupt?

Here are the other two logs.

ComboFix 08-04-02.1 - Owner 2008-04-04 8:48:24.3 - NTFSx86
Running from: C:\Documents and Settings\Owner.ALEJANDR-E22612\Desktop\1\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.ALEJANDR-E22612\Desktop\CFScript.txt
* Created a new restore point
.
TimedOut: progfile.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\winz1
C:\WINDOWS\system32\winz1\begmgr11.exe
C:\WINDOWS\system32\xTmp
C:\WINDOWS\system32\xTmp\v55api.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-04 to 2008-04-04 )))))))))))))))))))))))))))))))
.

2008-04-04 05:40 . 2008-04-04 05:40 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-04-03 19:57 . 2008-04-03 19:57 9,662 --a------ C:\WINDOWS\system32\iphone-6y.ico
2008-04-02 16:29 . 2008-04-02 16:29 <DIR> d-------- C:\Documents and Settings\Owner.ALEJANDR-E22612\Application Data\Corel
2008-04-02 10:31 . 2008-04-02 10:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-02 08:40 . 2008-04-02 08:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-02 08:40 . 2008-04-02 08:42 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-04-02 08:21 . 2008-04-02 08:21 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-02 08:21 . 2008-04-02 08:21 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-04-02 08:16 . 2008-04-02 08:16 <DIR> d-------- C:\Program Files\InterMute
2008-04-01 22:55 . 2008-04-01 22:55 9,662 --a------ C:\WINDOWS\system32\vaio3-011.ico
2008-04-01 07:21 . 2008-04-03 13:57 935 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-03-27 22:48 . 2008-04-01 07:35 <DIR> d-------- C:\Documents and Settings\Owner.ALEJANDR-E22612\Application Data\iPhoneRingToneMaker
2008-03-23 18:58 . 1999-02-17 12:49 1,039,360 -ra------ C:\WINDOWS\system32\MSJET35.DLL
2008-03-23 18:58 . 1999-02-17 12:49 368,912 -ra------ C:\WINDOWS\system32\VBAR332.DLL
2008-03-23 18:57 . 1998-09-25 12:18 607,744 --------- C:\WINDOWS\system32\Decslib.dll
2008-03-23 18:55 . 1998-11-03 11:10 112,688 --------- C:\WINDOWS\system32\shw32.dll
2008-03-23 18:55 . 1996-12-10 13:21 39,095 --------- C:\WINDOWS\iccsigs.dat
2008-03-23 18:55 . 1999-03-08 07:53 28,252 --------- C:\WINDOWS\corelpf.lrs
2008-03-23 18:54 . 1997-07-30 12:59 909,312 --------- C:\WINDOWS\system32\qd3d.dll
2008-03-23 18:54 . 1997-07-30 15:21 553,984 --------- C:\WINDOWS\system32\rave.dll
2008-03-23 18:54 . 1999-07-21 20:14 245,760 --------- C:\WINDOWS\system32\Sccomp91.dll
2008-03-23 18:54 . 1999-07-21 20:14 225,280 --------- C:\WINDOWS\system32\Scint91.dll
2008-03-23 18:54 . 1997-07-30 15:43 211,456 --------- C:\WINDOWS\system32\qd3d_ir2.q3x
2008-03-23 18:54 . 1998-12-10 08:42 168,448 --------- C:\WINDOWS\system32\Awrtl30.dll
2008-03-23 18:54 . 1999-07-21 20:15 110,592 --------- C:\WINDOWS\system32\Sccres91.dll
2008-03-23 18:54 . 1999-03-21 09:49 100,864 --------- C:\WINDOWS\system32\awpe.dll
2008-03-23 18:54 . 1997-07-30 15:58 70,656 --------- C:\WINDOWS\system32\3dviewer.dll
2008-03-23 18:32 . 2008-03-23 18:33 <DIR> d-------- C:\Program Files\Safari
2008-03-22 18:34 . 2008-03-22 18:34 51 --a------ C:\WINDOWS\mix-fx.ini
2008-03-22 16:53 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-22 16:53 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-22 16:53 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-21 20:06 . 2008-03-21 20:06 1,099,839 --a------ C:\WINDOWS\system32\TmpA5341453
2008-03-20 19:54 . 2008-03-20 19:54 <DIR> d-------- C:\Program Files\MSBuild
2008-03-20 19:43 . 2008-03-23 13:03 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2008-03-12 22:48 . 2005-09-25 20:11 2,494,464 --a------ C:\WINDOWS\system32\advrcntr2.dll
2008-03-12 08:03 . 2008-03-12 08:03 <DIR> d-------- C:\f730c731ea6d390d87c7b3baabf2b3d7
2008-03-09 17:29 . 2008-03-09 17:28 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp FLAC Codec.bmp
2008-03-09 17:29 . 2008-03-09 17:29 2,987 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2008-03-09 10:55 . 2008-03-09 10:55 <DIR> d-------- C:\Documents and Settings\Owner.ALEJANDR-E22612\Application Data\Amazon
2008-03-09 10:53 . 2008-03-09 10:53 <DIR> d-------- C:\Program Files\Amazon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-04 11:12 --------- d-----w C:\Program Files\Winamp
2008-04-04 11:12 --------- d-----w C:\Program Files\WAV Joiner Trial
2008-04-04 11:12 --------- d-----w C:\Program Files\WAV Joiner
2008-04-04 11:12 --------- d-----w C:\Program Files\QuickTime Alternative
2008-04-04 11:11 --------- d-----w C:\Program Files\mp3DirectCut
2008-04-04 11:11 --------- d-----w C:\Program Files\mp3 direct cut
2008-04-04 11:11 --------- d-----w C:\Program Files\Modem Helper
2008-04-04 11:11 --------- d-----w C:\Program Files\Microsoft Plus! Photo Story 2 LE
2008-04-04 11:09 --------- d-----w C:\Program Files\GoldWave
2008-04-02 21:51 --------- d-----w C:\Program Files\FlashFXP
2008-04-02 12:40 --------- d-----w C:\Program Files\Lavasoft
2008-03-31 04:39 --------- d-----w C:\Program Files\Soulseek-Test
2008-03-23 23:22 --------- d-----w C:\Program Files\Corel
2008-03-23 22:33 --------- d-----w C:\Documents and Settings\Owner.ALEJANDR-E22612\Application Data\Apple Computer
2008-03-20 23:55 --------- d-----w C:\Program Files\Microsoft Works
2008-03-20 23:54 --------- d-----w C:\Documents and Settings\Owner.ALEJANDR-E22612\Application Data\Ableton
2008-03-01 22:19 --------- d-----w C:\Documents and Settings\Owner.ALEJANDR-E22612\Application Data\Audacity
2008-03-01 18:59 --------- d-----w C:\Program Files\Audacity 1.3 Beta (Unicode)
2008-02-24 03:00 --------- d-----w C:\Program Files\iTunes
2008-02-24 03:00 --------- d-----w C:\Program Files\iPod
2008-02-24 03:00 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-02-24 02:58 --------- d-----w C:\Program Files\Common Files\Apple
2008-02-24 02:58 --------- d-----w C:\Program Files\Apple Software Update
2008-02-24 02:58 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2008-02-18 16:16 30,464 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-02-13 01:54 --------- d-----w C:\Program Files\coolpro
2008-02-06 19:14 --------- d-----w C:\Program Files\Windows Media Connect 2
2003-08-27 19:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.

------- Sigcheck -------

2007-06-13 06:23 1040384 731c62f0c09ee496ce5de5172443b5db C:\WINDOWS\explorer.exe
2007-06-13 07:26 1040384 4a03b83455863c0af46c3bf5e41dc91e C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 08:00 1039360 6c1c4260383f99fea4733e2f777623fc C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 06:23 1040384 731c62f0c09ee496ce5de5172443b5db C:\WINDOWS\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((( snapshot@2008-04-03_12.00.37.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 12:00:00 174,080 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2000-08-31 12:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2008-04-03 15:56:15 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-04 12:52:03 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-03 15:56:15 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-04 12:52:03 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-03 15:56:15 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-04 12:52:03 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 22528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"g]eeV\mWhjlnspB"="C:\WINDOWS\system32\kcntpkdn.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Soulseek-Test\\slsk.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-03-30 00:29:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-04 08:52:24
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"g]eeV\\mWhjlnspB"="C:\\WINDOWS\\system32\\kcntpkdn.exe DWram"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Corel\Graphics9\Register\Remind32.exe
.
**************************************************************************
.
Completion time: 2008-04-04 8:57:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-04 12:57:32
ComboFix2.txt 2008-04-04 12:17:30
ComboFix3.txt 2008-04-03 16:01:01
Pre-Run: 33,446,887,424 bytes free
Post-Run: 33,391,460,352 bytes free
.
2008-03-23 17:03:22 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:42, on 2008-04-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Corel\Graphics9\Register\Remind32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\system32\kcntpkdn.exe DWram
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Corel Registration.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Corel Registration.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe (User 'Default user')
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 3178 bytes

#13 Scotty

Scotty

    Always Happy

  • Authentic Member
  • 3,634 posts

Posted 04 April 2008 - 07:56 AM

No worries.

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present):

O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\system32\kcntpkdn.exe DWram


WITH ALL OTHER WINDOWS CLOSED, click on Fix Checked, exit HijackThis and reboot.


BLACKLIGHT
  • Please download F-Secure Blacklight (fsbl.exe) from here
  • Save into C:\ with a name of fsbl.exe
  • Go to Start > Run
  • Copy and paste the contents of the below codebox into the run box
    C:\fsbl.exe /expert
  • Click OK
  • This will launch BlackLight
  • Select I accept the agreement
  • Click Next
  • Click Scan
  • Wait for the scan to finish
  • Click on Next>
  • Click Exit
  • A logfile will have been created in the C:\ drive
  • It will be named fsbl-xxxxxxxxxxxxxx.log where xxxxxxxxxxxxxx is the date and time of the scan
  • Use notepad to open that log
  • Post the contents of that log as a reply to this topic.



Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here with the Blacklight report and a new HijackThis log.

You too could train to help others- Join the Classroom

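An added example (mine, not code from this thread, from HijackThis or from ComboFix): a small Python triage script that parses the O4 autostart lines from the logs above and scores them with the checks a helper makes by eye when deciding which entry to fix. The sample lines are the O4 entries posted in this thread; the heuristics, the thresholds and every function name are my assumptions, and a flag means "review this", not a verdict.

```python
"""Triage HijackThis O4 (autostart) lines for entries worth a second look.

Added example for this thread; not part of HijackThis, ComboFix or the
forum's tooling. Heuristics, thresholds and names are assumptions that
mirror what a helper checks by eye: value names made of junk characters,
executables with unpronounceable names, and a bare launch argument.
"""
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample: the O4 lines from the HijackThis logs posted above.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\system32\kcntpkdn.exe DWram",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r'O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot',
    r"O4 - S-1-5-18 Startup: Corel Registration.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe (User 'SYSTEM')",
]

RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>.*?)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<scope>.*?)Startup: (?P<name>.*?) = (?P<cmd>.*)$")
USER_NOTE_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")   # trailing "(User 'SYSTEM')" annotation
EXE_RE = re.compile(r"(?i)^(.*?\.(?:exe|com|scr|bat|cmd|vbs|dll))(?:\s+(.*))?$")
NAME_ALLOWED_RE = re.compile(r"^[A-Za-z0-9 ._()\-]+$")  # what a sane Run value name looks like

VOWELS = set("aeiouy")
CONSONANT_RUN_LIMIT = 5   # assumption: 5+ consonants in a row reads as random


@dataclass
class Autostart:
    location: str
    name: str
    path: str
    args: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Assumption: two independent oddities are enough to ask for review.
        return len(self.reasons) >= 2


def split_command(cmd: str):
    """Split a raw launch string into (executable path, arguments).

    HijackThis prints the registry value verbatim, so the path may be quoted
    or unquoted; an unquoted path is cut after the first executable-looking
    extension so that a path under 'Program Files' keeps its spaces.
    """
    cmd = USER_NOTE_RE.sub("", cmd.strip())
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    m = EXE_RE.match(cmd)
    if m:
        return m.group(1), (m.group(2) or "").strip()
    return cmd, ""


def longest_consonant_run(text: str) -> int:
    """Length of the longest run of consonant letters; digits and symbols break a run."""
    run = best = 0
    for ch in text.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def parse_o4(line: str):
    """Turn one O4 line into an Autostart record, or None if it is not one we handle."""
    m = RUN_RE.match(line)
    if m:
        location = f"{m['hive']}\\Run"
    else:
        m = STARTUP_RE.match(line)
        if not m:
            return None
        location = f"{m['scope'].strip() or 'user'} Startup"
    path, args = split_command(m["cmd"])
    return Autostart(location, m["name"], path, args)


def assess(entry: Autostart) -> Autostart:
    """Attach human-readable reasons for suspicion to an entry."""
    if not NAME_ALLOWED_RE.match(entry.name):
        entry.reasons.append("value name contains characters no installer would use")
    if longest_consonant_run(entry.name) >= CONSONANT_RUN_LIMIT:
        entry.reasons.append("value name looks randomly generated")
    stem = ntpath.splitext(ntpath.basename(entry.path))[0]
    if longest_consonant_run(stem) >= CONSONANT_RUN_LIMIT:
        entry.reasons.append("executable name looks randomly generated")
    if entry.args and not entry.args.startswith(("-", "/")):
        entry.reasons.append("bare launch argument that is not a switch")
    return entry


def triage(lines):
    """Parse and assess every O4 line; unrecognised lines are skipped."""
    return [assess(e) for e in map(parse_o4, lines) if e is not None]


def flagged_paths(lines):
    """Executable paths of the entries that warrant review."""
    return [e.path for e in triage(lines) if e.suspicious]


if __name__ == "__main__":
    for e in triage(SAMPLE_O4_LINES):
        verdict = "REVIEW" if e.suspicious else "ok"
        print(f"{verdict:6} {e.location:18} {e.name!r} -> {e.path} {e.args}")
        for r in e.reasons:
            print(f"         - {r}")
```

Run as a script it prints one line per entry with its reasons; the kcntpkdn.exe entry is the only one that collects more than one reason, which is the entry Scotty asked to have fixed above. The consonant-run test deliberately sits above what ctfmon.exe produces, so legitimate but terse Windows names stay quiet; on a real log the output is a shortlist for a human, not an automatic fix list.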

#14 breakbeatz

breakbeatz

    New Member

  • New Member
  • 9 posts

Posted 05 April 2008 - 06:03 AM

Malwarebytes' Anti-Malware 1.10
Database version: 592

Scan type: Full Scan (A:\|C:\|)
Objects scanned: 959256
Time elapsed: 2 hour(s), 12 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 34

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\testcpv6.bho (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{50ccd00a-66b6-4d95-aaef-8ee959498f92} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\CPV (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BO1jiZmwnF2zhi (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\nvcoi (Trojan.Stars) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\xInsiDERexe (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\stfngdvw.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinTouch (Adware.WinPop) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner.ALEJANDR-743359\Local Settings\Temp\gos19E.tmp (Dialer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.ALEJANDR-743359\Local Settings\Temp\win188.exe (Adware.Clickspring) -> Quarantined and deleted successfully.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080402-103858-592.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\Common Files\wqrk\wqrkd\class-barrel.vir (Malware.Trace) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\Common Files\wqrk\wqrkd\vocabulary.vir (Malware.Trace) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\Common Files\wqrk\wqrkd\wqrkc.dll.vir (Adware.TargetServer) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\CPV\CPV7.dll.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\Outerinfo\FF\components\FF.dll.vir (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\uninstall_nmon.vbs.vir (Malware.Trace) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\QWxlamFuZHJvIFphbW9yYQ\asappsrv.dll.vir (AdWare.CommAd) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\atmtd.dll.vir (Adware.TargetSaver) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\atmtd.dll._.vir (Adware.TargetSaver) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\bjo.dll.vir (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\tsuninst.exe.vir (Spyware.TargetSaver) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0C99DB9E-6A91-4101-BA89-EB337421E305}\RP277\A0041578.exe (Virus.Virut) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0C99DB9E-6A91-4101-BA89-EB337421E305}\RP279\A0043059.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E7D4531E-3F7A-4E7C-9DA9-14D413209EEF}\RP100\A0023794.exe (Adware.Clickspring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E7D4531E-3F7A-4E7C-9DA9-14D413209EEF}\RP100\A0023801.exe (Trojan.Proxy) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E7D4531E-3F7A-4E7C-9DA9-14D413209EEF}\RP100\A0023804.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E7D4531E-3F7A-4E7C-9DA9-14D413209EEF}\RP100\A0023843.exe (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E7D4531E-3F7A-4E7C-9DA9-14D413209EEF}\RP103\A0027255.vbs (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E7D4531E-3F7A-4E7C-9DA9-14D413209EEF}\RP105\A0027765.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E7D4531E-3F7A-4E7C-9DA9-14D413209EEF}\RP105\A0027768.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E7D4531E-3F7A-4E7C-9DA9-14D413209EEF}\RP105\A0027774.exe (Spyware.TargetSaver) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E7D4531E-3F7A-4E7C-9DA9-14D413209EEF}\RP105\A0027781.dll (Adware.TargetSaver) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E7D4531E-3F7A-4E7C-9DA9-14D413209EEF}\RP105\A0027782.vbs (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E7D4531E-3F7A-4E7C-9DA9-14D413209EEF}\RP105\A0027785.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E7D4531E-3F7A-4E7C-9DA9-14D413209EEF}\RP105\A0027787.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E7D4531E-3F7A-4E7C-9DA9-14D413209EEF}\RP105\A0027799.dll (Adware.TargetServer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E7D4531E-3F7A-4E7C-9DA9-14D413209EEF}\RP105\A0027800.dll (AdWare.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E7D4531E-3F7A-4E7C-9DA9-14D413209EEF}\RP106\A0028218.exe (Adware.Clickspring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E7D4531E-3F7A-4E7C-9DA9-14D413209EEF}\RP99\A0022522.dll (Adware.TargetSaver) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E7D4531E-3F7A-4E7C-9DA9-14D413209EEF}\RP99\A0022533.dll (AdWare.CommAd) -> Quarantined and deleted successfully.

04/04/08 22:58:05 [Info]: BlackLight Engine 1.0.70 initialized
04/04/08 22:58:05 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/04/08 22:58:05 [Note]: 7019 4
04/04/08 22:58:05 [Note]: 7005 0
04/04/08 22:58:10 [Note]: 7006 0
04/04/08 22:58:10 [Note]: 7022 0
04/04/08 22:58:10 [Note]: 7011 1768
04/04/08 22:58:10 [Note]: 7035 0
04/04/08 22:58:10 [Note]: 7026 0
04/04/08 22:58:11 [Note]: 7026 0
04/04/08 22:58:14 [Note]: FSRAW library version 1.7.1024
04/04/08 23:07:18 [Note]: 7007 0

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:02:59 AM, on 2008-04-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Corel\Graphics9\Register\Remind32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Corel Registration.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Corel Registration.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe (User 'Default user')
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 3268 bytes

#15 Scotty

Scotty

    Always Happy

  • Authentic Member
  • 3,634 posts

Posted 05 April 2008 - 06:22 AM

Hi

Congratulations, you appear to be malware free. :woot:

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the run box and click OK. Note the space between the x and the /u; it needs to be there.

You can delete fsbl.exe from your Desktop.


Delete the older versions of Java and download the newest.
Please follow these steps to remove older version Java components.
  • Close any programmes you may have running, ESPECIALLY your web browser
  • Click Start > Control Panel.
  • Click Add/Remove Programs.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove all versions of Java.
  • Reboot your computer once all Java components are removed.
Then download the latest version of Java Runtime Environment (JRE) (4th one down the list), which is JRE6u5, and click Yes at the page warning. Under "Platform" select Windows, then check the box to accept the Licence Agreement. Click Yes at the second page warning before downloading the Offline file.


Malwarebytes Anti-Malware is a good program to keep. If you wish to keep it, use it to do a quick scan once a week and keep it updated.
Remember, only the paid-for version offers real-time protection.

Here is another free program I recommend.

Install WinPatrol
Download it from here
You can find information about how WinPatrol works here


Make sure your Windows is ALWAYS up to date!

An unpatched Windows is vulnerable and even with the "best" Antivirus and Firewall installed, malware will find its way through.
So visit http://windowsupdate.microsoft.com/ to download and install the latest updates.


Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"

Here is some great information from experts in this field that will help you stay clean and safe online.
http://forum.malware...wtopic.php?t=14

Follow this list and your potential for being infected again will reduce dramatically.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.