Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91736 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Massive infection - trojan remains


  • Please log in to reply
15 replies to this topic

#1 LostinOntario

LostinOntario

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 22 May 2008 - 02:02 PM

Hi all...
Yesterday while browsing for torrent files I inadvertently clicked on a bad link. Too late, I realized my mistake, a small dos command program ran, then disappeared and not long after all hell broke loose :pullhair: I am running BitDefender v. 10, and it caught a couple of intrusions, but did nothing to save my machine.

Various "windows security" popup windows appeared proclaiming I had been infected by something called NetBooster and I should download a program (for money of course) to rid myself of the infection. My computer became completely disabled by repeated popups, error messages etc. and would barely operate. Task Manager and most Windows control was removed from me (Administrator/sole user). I found a procedure to remove Netbooster on the Microsoft site, but of course that is not what I was really infected with and the solution did not work.

After hours of aggravation to no avail, I contacted Microsoft Support, and for the last 12 hours and overnight, have been troubleshooting with India to remove the problem(s). We've run many cleaners (but was not given such specific instructions as I've read her - "pretty much download this and run it..."), and countless scans including CC Cleaner, ComboFix (had BitDefender running at startup when I did this one and it may have interfered), Dial a Fix, Super Anti Spyware, Smitfraud Fix, Malware Bytes Anti-Malware and I am sure there were more (seems like hundreds!) Most of the worst of the infections are gone, but something still remains - at the very least, a Trojan File called Vundo keeps reappearing in my registry and small inconsistencies in Windows remain. None of the cleaners are working 100%

Please Help! I want my system back!

Logfile of HijackThis v1.99.1
Scan saved at 14:35:07, on 5/22/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [5444ad63] rundll32.exe "C:\WINDOWS\system32\afphovqk.dll",b
O4 - Startup: CPU Meter.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.h...nosticsxp2k.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase9563.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1209246550921
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ubiquiti Networks SRC Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Edited by LostinOntario, 22 May 2008 - 07:44 PM.

    Advertisements

Register to Remove


#2 shelf life

shelf life

    SuperMember

  • Visiting Fellow
  • PipPipPipPipPip
  • 3,191 posts

Posted 23 May 2008 - 06:01 PM

hi LostinOntario,

we will get and use two downloads. the first one needs to run in safe mode:

SDFIX:
Download SDFix and save it to your Desktop.

http://downloads.and...Tools/SDFix.exe

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.

* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
* Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
--------------------------------------------------
next download and use combofix:

Download combofix from one of these links and save it to Desktop:

http://subs.geekstogo.com/ComboFix.exe
http://download.blee...Bs/ComboFix.exe

Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.


post the sdfix log and the combofix log please.
How Can I Reduce My Risk?

#3 LostinOntario

LostinOntario

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 23 May 2008 - 08:14 PM

Hi shelf life,
Thank you!!! Ok, first, I have done step one with SDFix/HijackThis...reports below...Question: why does this part "Files with Hidden Attributes :" show only some of my files and what does this mean?

off for step two.
____________________________________________

SDFix: Version 1.185
Run by Administrator on 05/23/08 at 20:52

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-23 21:01:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Tue 8 Jan 2008 40,960 A..H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL3506.tmp"
Sat 19 Jan 2008 44,544 A..H. --- "C:\Documents and Settings\Administrator\My Documents\Ambassador\~WRL0344.tmp"
Sat 19 Jan 2008 46,080 A..H. --- "C:\Documents and Settings\Administrator\My Documents\Ambassador\~WRL2865.tmp"
Sat 19 Jan 2008 48,640 A..H. --- "C:\Documents and Settings\Administrator\My Documents\Ambassador\~WRL3724.tmp"
Sat 26 Apr 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 9 Aug 2007 32,256 A..H. --- "C:\Documents and Settings\Administrator\My Documents\Companies\Gillam Air\Training\~WRL0154.tmp"
Fri 17 Aug 2007 25,088 A..H. --- "C:\Documents and Settings\Administrator\My Documents\Companies\Gillam Air\Training\~WRL0406.tmp"
Fri 17 Aug 2007 26,112 A..H. --- "C:\Documents and Settings\Administrator\My Documents\Companies\Gillam Air\Training\~WRL1877.tmp"
Wed 15 Aug 2007 23,552 A..H. --- "C:\Documents and Settings\Administrator\My Documents\Companies\Gillam Air\Training\~WRL1996.tmp"
Wed 15 Aug 2007 23,040 A..H. --- "C:\Documents and Settings\Administrator\My Documents\Companies\Gillam Air\Training\~WRL2340.tmp"
Fri 5 Oct 2007 27,136 A..H. --- "C:\Documents and Settings\Administrator\My Documents\Companies\Gillam Air\Training\~WRL2473.tmp"
Fri 5 Oct 2007 29,184 A..H. --- "C:\Documents and Settings\Administrator\My Documents\Companies\Gillam Air\Training\~WRL2577.tmp"
Thu 9 Aug 2007 28,160 A..H. --- "C:\Documents and Settings\Administrator\My Documents\Companies\Gillam Air\Training\~WRL3297.tmp"
Thu 21 Jun 2007 2,091,008 A..H. --- "C:\Documents and Settings\Administrator\My Documents\DaxAir Inc\Operations\OperationsManual\~WRL0595.tmp"
Tue 19 Jun 2007 20,480 A..H. --- "C:\Documents and Settings\Administrator\My Documents\DaxAir Inc\Operations\OperationsManual\~WRL0702.tmp"
Mon 18 Jun 2007 19,456 A..H. --- "C:\Documents and Settings\Administrator\My Documents\DaxAir Inc\Operations\OperationsManual\~WRL1020.tmp"
Tue 19 Jun 2007 20,992 A..H. --- "C:\Documents and Settings\Administrator\My Documents\DaxAir Inc\Operations\OperationsManual\~WRL2972.tmp"
Thu 21 Jun 2007 21,504 A..H. --- "C:\Documents and Settings\Administrator\My Documents\DaxAir Inc\Operations\OperationsManual\~WRL3164.tmp"

Finished!

________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 21:06:07, on 5/23/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [5444ad63] rundll32.exe "C:\WINDOWS\system32\afphovqk.dll",b
O4 - Startup: CPU Meter.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.h...nosticsxp2k.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1209246550921
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ubiquiti Networks SRC Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

#4 LostinOntario

LostinOntario

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 23 May 2008 - 08:31 PM

Hi shelf life,
Back again with round two:

ComboFix 08-05-21.3 - Administrator 2008-05-23 21:19:48.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1570 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\afphovqk.dll
C:\WINDOWS\system32\kqvohpfa.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\njiehbpu.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.

2008-05-23 20:47 . 2008-05-23 20:47 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-23 20:43 . 2008-05-23 21:04 <DIR> d-------- C:\SDFix
2008-05-22 09:05 . 1601-01-01 00:00 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-22 09:05 . 1601-01-01 00:00 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-22 09:05 . 1601-01-01 00:00 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-22 09:05 . 1601-01-01 00:00 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-22 09:05 . 1601-01-01 00:00 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-22 08:16 . 2008-05-22 10:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Thinstall
2008-05-21 23:10 . 2008-05-22 15:45 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-05-21 23:04 . 2008-05-22 09:07 2,352 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-21 22:13 . 2008-05-21 22:13 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-05-21 21:23 . 2008-05-21 21:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-21 12:56 . 2008-05-21 12:56 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-21 12:10 . 2008-05-21 12:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TmpRecentIcons
2008-05-21 10:51 . 2008-05-20 18:47 159,744 --a------ C:\WINDOWS\efvr.exe
2008-05-15 12:58 . 2008-05-15 12:58 <DIR> d-------- C:\Program Files\DVD-RAM
2008-05-15 12:58 . 2004-08-28 00:37 155,648 --a------ C:\WINDOWS\system32\RAMASST.exe
2008-05-15 12:58 . 2005-04-22 04:36 135,168 --a------ C:\WINDOWS\system32\DVDMenu.dll
2008-05-15 12:58 . 2004-08-28 00:33 110,592 --a------ C:\WINDOWS\system32\DVDRAMSV.exe
2008-05-15 12:58 . 2005-06-02 03:33 102,384 --a------ C:\WINDOWS\system32\drivers\meiudf.sys
2008-05-15 12:48 . 2008-05-15 12:48 <DIR> d-------- C:\Program Files\GCC4243N_fw
2008-05-14 17:30 . 2008-05-14 17:30 <DIR> d-------- C:\WINDOWS\BBSTORE
2008-05-14 17:29 . 1998-06-03 09:08 2,124,288 --a------ C:\WINDOWS\system32\QuickTimeMusicalInstruments.qtx
2008-05-14 17:29 . 1998-03-20 13:39 969,216 --a------ C:\WINDOWS\system32\qd3d.dll
2008-05-14 17:29 . 1998-06-03 09:08 747,008 --a------ C:\WINDOWS\system32\Indeo4.qtx
2008-05-14 17:29 . 1998-03-20 13:41 596,992 --a------ C:\WINDOWS\system32\rave.dll
2008-05-14 17:29 . 1998-06-03 09:08 370,176 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-05-14 17:29 . 1998-03-20 13:40 253,952 --a------ C:\WINDOWS\system32\QD3D_IR2.q3x
2008-05-14 17:29 . 1998-06-03 09:08 202,240 --a------ C:\WINDOWS\system32\QuickTime.cpl
2008-05-14 17:29 . 1998-03-20 13:38 126,976 --a------ C:\WINDOWS\system32\3DViewer.dll
2008-05-14 17:29 . 1998-03-20 13:40 44,032 --a------ C:\WINDOWS\system32\QD3DCustomElements.q3x
2008-05-14 17:29 . 2008-05-14 17:29 212 --a------ C:\WINDOWS\system32\QuickTime.qtp
2008-05-14 17:28 . 1998-06-03 09:08 6,047,744 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-05-14 17:27 . 1998-03-20 13:01 299,008 --a------ C:\WINDOWS\uninst.exe
2008-05-14 17:24 . 2008-05-14 17:24 0 --a------ C:\WINDOWS\SETUP32.INI
2008-05-10 07:39 . 2008-05-10 07:39 <DIR> d-------- C:\Documents and Settings\Administrator\TmpInstall
2008-05-09 19:49 . 2008-05-09 19:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-05-09 19:19 . 2008-05-09 19:48 <DIR> d-------- C:\Program Files\Yahoo!
2008-05-02 21:44 . 2006-12-22 09:21 360,533 --a------ C:\WINDOWS\system32\acs.exe
2008-05-02 21:40 . 2008-05-02 21:40 <DIR> d-------- C:\Program Files\Ubiquiti Networks SRC
2008-05-02 21:39 . 2007-03-13 09:32 511,584 --a------ C:\WINDOWS\system32\netsr.sys
2008-05-02 21:39 . 2007-03-13 09:32 511,584 --a------ C:\WINDOWS\system32\net9xsr.sys
2008-05-02 21:39 . 2007-03-13 09:32 511,584 --a------ C:\WINDOWS\system32\drivers\netsr.sys
2008-05-02 21:39 . 2007-03-13 09:32 511,552 --a------ C:\WINDOWS\system32\netsr4.sys
2008-05-02 21:39 . 2007-03-13 09:33 511,552 --a------ C:\WINDOWS\system32\net9xsr4.sys
2008-05-02 21:39 . 2007-03-13 09:31 510,016 --a------ C:\WINDOWS\system32\netsr9.sys
2008-05-02 21:39 . 2007-03-13 09:33 510,016 --a------ C:\WINDOWS\system32\net9xsr9.sys
2008-05-02 21:39 . 2007-03-13 17:25 45,797 --a------ C:\WINDOWS\system32\netsrc.inf
2008-05-02 21:12 . 2008-05-02 21:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-05-01 14:05 . 2008-05-16 12:55 229 --a------ C:\WINDOWS\r0viewinfo.ini
2008-05-01 13:47 . 2008-05-01 13:47 0 --a------ C:\WINDOWS\system32\R0P
2008-05-01 13:42 . 2008-05-01 13:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\RingCentral
2008-05-01 13:35 . 2008-05-01 13:35 214 --a------ C:\WINDOWS\HP_48BitScanUpdatePatch.ini
2008-05-01 08:29 . 2008-05-14 23:09 <DIR> d-------- C:\Jag Season 10
2008-04-28 21:41 . 2008-05-02 07:11 <DIR> d-------- C:\JAG Season 7
2008-04-28 20:54 . 2008-04-28 20:54 <DIR> d-------- C:\Program Files\123di_40
2008-04-28 20:09 . 2008-04-28 20:09 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-28 20:09 . 2008-04-28 20:09 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-28 12:50 . 2008-04-28 12:50 <DIR> d-------- C:\Program Files\Common Files\HP
2008-04-28 12:49 . 2008-04-28 12:49 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-04-28 12:49 . 2008-04-28 12:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-04-28 12:48 . 2004-05-11 10:53 626,960 -ra------ C:\WINDOWS\system32\hpvaut32.dll
2008-04-28 12:48 . 2004-05-11 10:53 487,424 -ra------ C:\WINDOWS\system32\hpvcp70.dll
2008-04-28 12:48 . 2004-05-11 10:53 344,064 -ra------ C:\WINDOWS\system32\hpvcr70.dll
2008-04-28 12:48 . 2004-05-11 10:53 82,432 -ra------ C:\WINDOWS\system32\MSXML4r.dll
2008-04-28 12:48 . 2004-05-11 10:53 44,544 -ra------ C:\WINDOWS\system32\MSXML4a.dll
2008-04-28 12:47 . 2008-04-28 12:47 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-04-28 12:44 . 2008-04-28 12:52 104,156 --a------ C:\WINDOWS\hpoins04.dat
2008-04-28 12:44 . 2004-06-22 08:04 17,176 --------- C:\WINDOWS\hpomdl04.dat
2008-04-28 12:15 . 2008-05-01 13:35 <DIR> d-------- C:\temp\FixEngine
2008-04-28 11:43 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-04-28 11:43 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-04-28 11:43 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-28 11:43 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-04-28 11:43 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-04-28 11:43 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-04-28 11:29 . 2008-04-28 12:51 <DIR> d-------- C:\Program Files\HP
2008-04-28 11:29 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-04-28 11:29 . 2004-03-18 16:53 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-04-28 11:29 . 2004-03-18 16:56 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-04-28 11:29 . 2004-03-18 16:39 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-04-28 11:29 . 2004-03-18 16:55 65,536 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-04-28 11:29 . 2004-03-18 16:38 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-04-28 11:29 . 2004-03-18 16:39 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-04-28 10:08 . 2008-04-28 10:10 <DIR> d-------- C:\temp\HP_WebRelease
2008-04-28 10:08 . 2008-05-02 21:40 <DIR> d-------- C:\temp
2008-04-27 14:07 . 2008-04-27 14:07 <DIR> d-------- C:\JAG Season 9
2008-04-27 13:50 . 2008-04-27 14:00 <DIR> d-------- C:\local_sites
2008-04-27 13:32 . 2008-04-27 13:46 <DIR> d-------- C:\sites
2008-04-26 23:18 . 2008-04-26 23:18 <DIR> d-------- C:\Program Files\RingCentral
2008-04-26 23:17 . 2008-04-26 23:17 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-26 23:02 . 2008-04-26 23:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-04-26 23:02 . 2008-05-17 21:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Azureus
2008-04-26 22:55 . 2008-05-22 09:11 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-04-26 22:55 . 2008-05-22 09:11 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-04-26 22:53 . 2008-04-26 22:53 <DIR> d-------- C:\Program Files\Azureus
2008-04-26 21:54 . 2008-04-26 21:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\vlc
2008-04-26 21:51 . 2008-04-26 21:51 <DIR> d-------- C:\Program Files\VideoLAN
2008-04-26 20:20 . 2008-04-26 23:11 422 --a------ C:\WINDOWS\system32\mapisvc.inf
2008-04-26 20:19 . 2008-04-26 20:19 <DIR> d-------- C:\Program Files\Microsoft Small Business
2008-04-26 20:15 . 2008-04-27 17:17 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2008-04-26 20:12 . 2008-04-26 20:14 <DIR> d-------- C:\Office 2007 Professional Free trial
2008-04-26 18:41 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-26 18:41 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-26 18:00 . 2008-05-11 13:15 <DIR> d-------- C:\Program Files\Aspell
2008-04-26 17:52 . 2008-04-26 17:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Bitdefender
2008-04-26 17:25 . 2008-05-23 21:20 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-04-26 17:20 . 2008-04-26 17:20 <DIR> d-------- C:\Program Files\Softwin
2008-04-26 17:20 . 2008-04-26 17:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-04-26 17:19 . 2008-04-26 17:20 <DIR> d-------- C:\Program Files\Common Files\Softwin
2008-04-26 16:30 . 2008-04-26 16:30 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-04-26 16:18 . 2008-04-26 21:52 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-04-26 16:17 . 2008-05-22 12:08 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-26 16:17 . 2008-04-26 21:53 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-26 16:10 . 2008-04-26 16:10 <DIR> d-------- C:\Program Files\MSBuild
2008-04-26 16:07 . 2008-04-26 16:33 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-04-26 16:06 . 2008-04-26 16:06 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-04-26 16:05 . 2008-04-26 16:05 <DIR> d-------- C:\0bb02b09561cca42b791a23e
2008-04-26 16:05 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-04-26 15:53 . 2008-04-26 15:53 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-04-26 15:43 . 2008-05-15 18:20 <DIR> d-------- C:\Program Files\QuickTime
2008-04-26 13:45 . 2008-04-26 13:45 44 --a------ C:\WINDOWS\SMWizard.INI
2008-04-26 13:21 . 2008-05-22 12:08 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-26 13:16 . 2008-04-26 13:16 <DIR> d-------- C:\Program Files\Belarc
2008-04-26 13:16 . 2008-02-27 13:49 3,840 --a------ C:\WINDOWS\system32\drivers\BANTExt.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-26 02:49 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-22_ 9.56.55.90 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-22 14:54:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-24 02:00:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-23 08:54:18 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-05-24 01:48:09 2,400,256 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-05-24 01:48:09 352,256 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-05-23 08:54:18 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-05-24 01:47:44 2,400,256 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-05-24 01:47:44 352,256 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-05-22 14:21:39 90,076 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-24 02:05:29 90,076 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-22 14:21:39 491,804 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-24 02:05:29 491,804 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 07:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00 455168]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 09:12 88209 C:\WINDOWS\AGRSMMSG.exe]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 07:00 15360]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
CPU Meter.lnk - C:\WINDOWS\system32\taskmgr.exe [2004-08-04 07:00:00 135680]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2008-05-15 12:58:47 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codec"= l3codecp.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=C:\WINDOWS\pss\DVD Check.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 19:54 623992 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2004-05-12 15:18 241664 c:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-02-12 13:38 49152 c:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
--a------ 2004-12-08 17:23 790528 C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 09:11 1388544 C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
--a------ 2004-12-08 18:44 184320 C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"63414:TCP"= 63414:TCP:Azureus Port

R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;"C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [2008-01-11 17:50]
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2006-12-22 09:21]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ []
S3 SRC;Ubiquiti Wireless SRC/XR2 Network Adapter Service;C:\WINDOWS\system32\DRIVERS\netsr.sys [2007-03-13 09:32]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-23 21:22:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-23 21:24:09
ComboFix-quarantined-files.txt 2008-05-24 02:24:01
ComboFix2.txt 2008-05-22 14:58:08

Pre-Run: 101,103,923,200 bytes free
Post-Run: 101,092,245,504 bytes free

239 --- E O F --- 2008-05-16 16:56:21

_________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 21:25:42, on 5/23/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - Startup: CPU Meter.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.h...nosticsxp2k.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1209246550921
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ubiquiti Networks SRC Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

#5 shelf life

shelf life

    SuperMember

  • Visiting Fellow
  • PipPipPipPipPip
  • 3,191 posts

Posted 24 May 2008 - 01:39 PM

hi LostinOntario,

ok thanks for the info. not much there as far as malware goes. combofix removed some files. hows it looking now on your end?


Question: why does this part "Files with Hidden Attributes :" show only some of my files and what does this mean

it just means those file dont show or they hide from a directory listing
How Can I Reduce My Risk?

#6 LostinOntario

LostinOntario

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 24 May 2008 - 01:57 PM

Hi shelf life, The files that combofix removed: C:\WINDOWS\system32\afphovqk.dll C:\WINDOWS\system32\kqvohpfa.ini C:\WINDOWS\system32\mcrh.tmp C:\WINDOWS\system32\njiehbpu.dll had been removed several times before by the various cleaners (including combofix), but kept reappearing at some point following a re-boot. I re-booted after step two of your suggestions, and did a search on those four files and so far they were only found re-named as .vir files in quarantine. There was another Vundo file that kept reappearing in the registry (before I came to you guys for help) - I will run Superantispyware again to see if it picks it up and report back shortly. Thanks! Regards, LostinOntario

#7 LostinOntario

LostinOntario

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 24 May 2008 - 02:20 PM

Hi shelf life - back again! I don't know if this is a result of the chaos that had previously invaded my computer, or if there is still a problem. I just tried to download/install SUPERAntiSpyware on my computer (had it on here a few days ago no problem) but I got the following error message: Error 1303: Installation has insufficient privileges to access this directory C:\Program Files\SUPERAntiSpyware The installation cannot continue. Log on as administrator or contact your system administrator. I am the administrator!!! and only "user" for the computer. Since the infection, I have received a few different messages about insufficient privileges when going about my business and I don't know where to look to fix them. There should be no restrictions to my own access! I don't particularly need that program, but it kept finding the same Trojan file re-inserted in my registry after re-booting, even after the program removed it. Just wanted to see if it is gone... Ideas? Am I still infected or do my settings (or my own privileges!) just need to be re-set somewhere? Thanks! LostinOntario :scratch:

Edited by LostinOntario, 24 May 2008 - 02:21 PM.


#8 shelf life

shelf life

    SuperMember

  • Visiting Fellow
  • PipPipPipPipPip
  • 3,191 posts

Posted 24 May 2008 - 04:57 PM

hi

[I have received a few different messages about insufficient privileges when going about my business

could be malware damage or corrupt damaged user account? dont know which one. there is a new anti-malware app, you might give it a try:
http://www.malwarebytes.org/
How Can I Reduce My Risk?

#9 LostinOntario

LostinOntario

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 24 May 2008 - 05:16 PM

Hi shelf life, I checked out that link - I don't suppose there is a free one you could recommend (really broke!!!)? Is this to fix my permissions problem or to see if I still have any bad guys still in my machine? I'll read up on settings for the administrator account in my XP book, but like I said, I am the only user. If the administrator account is corrupt, is there a fix for that? Cheers, LiO

Edited by LostinOntario, 24 May 2008 - 05:18 PM.


#10 shelf life

shelf life

    SuperMember

  • Visiting Fellow
  • PipPipPipPipPip
  • 3,191 posts

Posted 24 May 2008 - 08:24 PM

hi LostinOntario

I don't suppose there is a free one


Its the real time protection component that costs money. the on demand scanner is free to update and use.

its a replacement for superantispyware and also another check for "bad guy" it wont fix the other problem.


If the administrator account is corrupt, is there a fix for that?
yes you can create a new account, but not sure if thats it. you only get the message when you ty to install software?
How Can I Reduce My Risk?

    Advertisements

Register to Remove


#11 LostinOntario

LostinOntario

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 24 May 2008 - 09:53 PM

Hi shelf life, Thank you for your patience! When I finally found the free part you were talking about, I felt a bit the fool - Malwarebytes' Anti-Malware is the last program that I had tried before coming to these forums (there were so many programs run!). I successfully installed the program, and ran a full scan. I was hoping to tell you I was all clean, but it did find three bad files. I have copied the logfile below. Regarding the other matter, I was denied "permission" on two occasions in the past 4 days - installing cleaner programs (SuperAntiSpyware - second time only, and one other one - can't remember). Other random errors were re accessing files/programs or making changes to settings on my computer. Should I maybe reserve judgement until the machine has been pronounced clean and I work through the various Windows settings to verify them? So much has happened in the past few days and so far none of the errors show any consistency or trends - they appear to be minor Windows inconsistencies and annoyances that weren't there before. _____________________________ Malwarebytes' Anti-Malware 1.12 Database version: 785 Scan type: Full Scan (C:\|) Objects scanned: 168631 Time elapsed: 50 minute(s), 16 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 3 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)

#12 shelf life

shelf life

    SuperMember

  • Visiting Fellow
  • PipPipPipPipPip
  • 3,191 posts

Posted 25 May 2008 - 06:16 AM

hi LostinOntario,

HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.

you did this after the scan?
When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.

i will post back about the other problem when iam in windows.
How Can I Reduce My Risk?

#13 LostinOntario

LostinOntario

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 25 May 2008 - 07:05 AM

Hi shelf life, Yes, I did this after the scan, all three were checked and I clicked "remove". Which is why I con't inderstand why it says "no action taken". I did open those keys in the registry to see if those files, were still there, but they are not. I've since re-booted and done another full scan and no items were found - good news I think! Other than the minor glitches/annoyances above, my machine seems to be behaving normally - thankfully!! :notworthy: I really appreciate your help! LiO

Edited by LostinOntario, 25 May 2008 - 08:24 AM.


#14 shelf life

shelf life

    SuperMember

  • Visiting Fellow
  • PipPipPipPipPip
  • 3,191 posts

Posted 26 May 2008 - 09:36 AM

hi,

good. your welcome.

until the machine has been pronounced clean


looks like we can say that now.
you can remove combofix like this:
start>run and type in combofix /u click ok
note: there is a space after the x and before the /

FYI: there is a new version of hjt.

check your java version:
Vulnerabilities/exploits in versions of Sun Java may be responsible for some malware installs via your browser.

It is important to keep Sun Java up to date and also to remove older versions which may have vulnerabilites/exploits that can be taken advantage of to possibly introduce malware via your browser.

* 1. Uninstall old versions of Sun Java via Add/Remove Programs.
* 2. Click the Remove or Change/Remove button
* 3. Reboot your PC if prompted.

to check if you have the latest version of Java and to download the latest version:

http://www.java.com/...d/installed.jsp

see if the other problems have cleared up.
How Can I Reduce My Risk?

#15 LostinOntario

LostinOntario

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 26 May 2008 - 10:24 AM

Hi shelf life, First of all, thank you for all your help. While on the surface my machine appeared to be clean, unfortunately Windows was still slow, behaving erratically and infected or corrupted beyond obvious repair, including the Administrator account. No attempted fixes seemed to work and new HijackThis reports continued to report odd entries. In the end I had to reinstall my OS and start over. In retrospect, maybe I should have done this sooner as I realize now that it would have been difficult for you to step in once all the ad hoc removals were done by the Microsoft people. If this happens again (I hope not!!!!), I will certainly know now to come here first before attempting any removals in order to maintain a logical process. Thank you again! Cheers, LostinOntario

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users