Help - Search - Members - Calendar
Full Version: Confirmation Of Removal Of Check_lsa7
BleepingComputer.com > Security > Am I infected? What do I do?
   
Alvord12
Nov 27 2007, 11:13 AM
My Computer was infected with check_LSA7,
By reading the solutions from the forum I downloaded ComboFix and now the file has been deleted,
Just to make sure my PC is now completely clean I have posted the log of ComboFix

ComboFix 07-11-19.4 - NAIR 2007-11-27 20:59:12.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.813 [GMT 5.5:30]
Running from: C:\Documents and Settings\NAIR\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\gebya.dll
C:\WINDOWS\system32\gjkkj.bak1
C:\WINDOWS\system32\gjkkj.ini
C:\WINDOWS\system32\gjkkj.ini2
C:\WINDOWS\system32\gjkkj.tmp
C:\WINDOWS\system32\jkkjg.dll
C:\WINDOWS\system32\tgtoxhns.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-27 to 2007-11-27 )))))))))))))))))))))))))))))))
.

2007-11-27 16:25 <DIR> d-------- C:\Quarantine
2007-11-26 21:03 <DIR> d-------- C:\Program Files\VID_0E8F&PID_1009
2007-11-20 23:16 <DIR> d-------- C:\Program Files\RocketDock
2007-11-19 23:19 5,368 --a------ C:\WINDOWS\BricoPackFoldersDelete.cmd
2007-11-18 22:42 <DIR> d-------- C:\WINDOWS\system32\Futuremark
2007-11-18 16:33 25,037 --a------ C:\WINDOWS\system32\Nucleus.dll
2007-11-18 09:12 <DIR> d-------- C:\Documents and Settings\NAIR\Application Data\Auslogics
2007-11-18 09:11 <DIR> d-------- C:\Program Files\AusLogics System Information
2007-11-18 08:38 <DIR> d-------- C:\Program Files\AusLogics Disk Defrag
2007-11-17 20:45 4,096 --a------ C:\WINDOWS\d3dx.dat
2007-11-15 20:54 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2007-11-15 20:53 <DIR> d-------- C:\Documents and Settings\NAIR\Application Data\SystemRequirementsLab
2007-11-13 20:34 <DIR> d-------- C:\Documents and Settings\NAIR\Application Data\.BitZip
2007-11-11 19:47 <DIR> d-------- C:\Fraps
2007-11-10 21:00 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2007-11-10 21:00 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2007-11-10 16:19 223,128 --a------ C:\WINDOWS\system32\drivers\vaxscsi.sys
2007-11-10 08:03 <DIR> d-------- C:\NVIDIA
2007-11-08 12:55 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Allume Systems
2007-11-08 12:55 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Allume Systems
2007-11-08 12:55 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Allume Systems
2007-11-08 12:39 <DIR> d-------- C:\Documents and Settings\NAIR\Application Data\Aladdin Systems
2007-11-08 12:38 <DIR> d-------- C:\Documents and Settings\NAIR\Application Data\Allume Systems
2007-11-08 12:37 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-11-05 10:32 286,720 --a------ C:\WINDOWS\iun503.exe
2007-11-04 22:51 <DIR> d-------- C:\Documents and Settings\NAIR\Application Data\Apple Computer
2007-11-04 11:14 <DIR> d-------- C:\Program Files\QuickTime
2007-10-31 20:59 <DIR> d-------- C:\Program Files\HKTW
2007-10-31 20:59 504,020 --a------ C:\WINDOWS\system32\CN_Ben10.scr
2007-10-29 23:00 <DIR> d-------- C:\Documents and Settings\NAIR\Application Data\Media Player Classic
2007-10-27 23:11 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-10-27 23:10 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2007-10-27 23:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-26 02:10 38,400 ----a-w C:\WINDOWS\system32\hggecaa.dll
2007-11-19 17:51 71,474 ----a-w C:\WINDOWS\BricoPackUninst.cmd
2007-11-16 08:49 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-11-13 15:24 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-11-13 15:04 --------- d-----w C:\Documents and Settings\NAIR\Application Data\.BitZip
2007-10-22 15:41 --------- d-----w C:\Documents and Settings\NAIR\Application Data\ViStart
2007-10-21 22:07 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-21 01:57 --------- d-----w C:\Documents and Settings\NAIR\Application Data\MP3Rocket
2007-10-20 16:14 --------- d-----w C:\Program Files\Common Files\Apple
2007-10-20 15:24 --------- d-----w C:\Program Files\Java
2007-10-20 15:24 --------- d-----w C:\Program Files\Common Files\Java
2007-10-19 15:41 --------- d-----w C:\Program Files\Comodo
2007-10-18 14:25 --------- d-----w C:\Program Files\Common Files\Network Associates
2007-10-18 01:54 --------- d-----w C:\Documents and Settings\NAIR\Application Data\Comodo
2007-10-18 01:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comodo
2007-10-17 15:52 --------- d-----w C:\Program Files\Web Publish
2007-10-17 15:35 79,664 ----a-w C:\WINDOWS\system32\jehsjdsb.dll
2007-10-17 00:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2007-10-14 12:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-10-14 11:55 --------- d-----w C:\Program Files\Yahoo!
2007-10-12 09:44 3,734,536 ----a-w C:\WINDOWS\system32\d3dx9_36.dll
2007-10-12 02:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-06 11:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\POPWWPROFILES
2007-10-04 11:44 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-10-04 11:44 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-10-04 11:44 8,491,008 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-10-04 11:44 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-10-04 11:44 6,854,464 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-10-04 11:44 6,854,464 ----a-w C:\WINDOWS\system32\dllcache\nv4_mini.sys
2007-10-04 11:44 6,750,208 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-10-04 11:44 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-10-04 11:44 5,783,424 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-10-04 11:44 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-10-04 11:44 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-10-04 11:44 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-10-04 11:44 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-10-04 11:44 364,544 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-10-04 11:44 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-10-04 11:44 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-10-04 11:44 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-10-04 11:44 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-10-04 11:44 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-10-04 11:44 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-10-04 11:44 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-10-04 11:44 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-10-04 11:44 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-10-04 11:44 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-10-04 11:44 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-10-04 11:44 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-10-04 11:44 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-10-04 11:44 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
2007-10-04 11:44 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-10-04 11:44 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-10-04 11:44 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-10-02 04:26 444,776 ----a-w C:\WINDOWS\system32\d3dx10_36.dll
2007-09-30 14:59 8,464 ----a-w C:\WINDOWS\system32\sporder.dll
2007-09-29 17:09 --------- d-----w C:\Program Files\Ares
2007-09-28 16:13 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-09-27 14:07 --------- d-----w C:\Documents and Settings\NAIR\Application Data\SafeIT Security
2007-09-11 23:14 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-05-13 04:22 20,336 ----a-w C:\Documents and Settings\NAIR\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17B88DF7-95AB-44DA-8ECD-5FF0B6CAEC67}]
2007-11-26 07:40 38400 --a------ C:\WINDOWS\system32\hggecaa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9284461-90A2-43A3-BE7F-534E6BE14555}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 19:26]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 13:58]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2003-09-29 07:10]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-04-07 03:12]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-10-23 20:04]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 19:26 C:\WINDOWS\system32\rundll32.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-03 19:26 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\NAIR\Start Menu\Programs\Startup\
RocketDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-19 03:35:02]
TransBar.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe [2005-06-02 01:11:18]
UberIcon.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-05-21 13:13:08]
Y'z Shadow.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe [2006-05-21 13:13:14]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{17B88DF7-95AB-44DA-8ECD-5FF0B6CAEC67}"= C:\WINDOWS\system32\hggecaa.dll [2007-11-26 07:40 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggecaa]
hggecaa.dll 2007-11-26 07:40 38400 C:\WINDOWS\system32\hggecaa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvuurs]
tuvuurs.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^NAIR^Start Menu^Programs^Startup^Adobe Gamma.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^NAIR^Start Menu^Programs^Startup^RocketDock.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^NAIR^Start Menu^Programs^Startup^Webshots.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^NAIR^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntiSpyware]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
C:\Program Files\Ares\Ares.exe -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2005-10-28 16:25 94208 --a------ C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BOC-425]
2007-08-08 19:49 338432 --a------ C:\PROGRA~1\Comodo\CBOClean\BOC425.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-03 19:26 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
2007-05-04 08:17 863744 --a------ C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLD.EXE]
C:\Program Files\Download Direct\DLD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Uploader Oe Integration]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
?

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe /StartedFromRunKey

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSFG.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE_Plugin_Startup]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTAVApp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
?

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]
rundll32.exe C:\WINDOWS\system32\kjkfwgne.dll,sitypnow

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE /STANDALONE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2007-08-31 16:46 1460560 --a------ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 01:11 132496 --a------ C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe C:\WINDOWS\system32\flkmuycf.dll,forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Update Scheduler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViOrb]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vista Sidebar]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViStart]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VisualTooltip]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2007-05-15 03:52 35328 --a------ C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XdriveTray]
xdrive.exe /trayicon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XdriveTrayIcon]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcusrmgr"=2 (0x2)
"mctskshd.exe"=2 (0x2)
"McSysmon"=2 (0x2)
"McRedirector"=2 (0x2)
"McNASvc"=2 (0x2)
"mcmispupdmgr"=2 (0x2)
"McLogManagerService"=2 (0x2)
"McAfee HackerWatch Service"=2 (0x2)
"Emproxy"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"MDM"=2 (0x2)
"IDriverT"=3 (0x3)
"SpamCatcherUniversal"=2 (0x2)
"ServiceLayer"=3 (0x3)

R3 crtaud;Conexant Riptide WDM Audio Driver;C:\WINDOWS\system32\drivers\crtaud.sys
R3 rpfun;Conexant Riptide Dummy Driver;C:\WINDOWS\system32\drivers\rpfun.sys
R3 rthwcls;Conexant Riptide Bus / Firmware Downloader;C:\WINDOWS\system32\drivers\rthwcls.sys
S3 BOCDRIVE;BOClean Kernel Monitor.;\??\C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys
S3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\system32\DRIVERS\loop.sys
S3 mxfsgMon;mxfsgMon;\??\C:\PROGRA~1\ALLUME~1\INTERN~1.0\FILESY~1\mxfsgMon.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0abfe226-9415-11dc-91b7-806d6172696f}]
\Shell\AutoRun\command - G:\autorun.exe

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-27 21:05:00
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-27 21:06:19 - machine was rebooted
.
--- E O F ---

After this for added security I ran VundoFix which showed that there were no infections. Here is the log


VundoFix V6.6.2

Checking Java version...

Scan started at 9:07:56 PM 11/27/2007

Listing files found while scanning....

No infected files were found.

Then I ran SDFix, whose logs are as follows

SDFix: Version 1.115

Run by NAIR on Tue 11/27/2007 at 09:19 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Service asc3550v - Deleted after Reboot

Normal Mode:
Checking Files:

No Trojan Files Found





Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-27 21:25:51
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

Tue 23 Oct 2007 211 A..H. --- "C:\boot.ini.comodofirewall"
Tue 11 Jul 1995 1,024 A..H. --- "C:\WINDOWS\system32\msfxmod.dll"
Thu 24 May 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 17 Nov 2005 521,128 A..H. --- "C:\Program Files\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe"
Thu 18 Oct 2007 5,319,000 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8aba0967f899f346d112e436c1f1b5c7\BITE3.tmp"
Fri 28 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7df990f29ea1581f1010ec45815309f4\BITB.tmp"
Fri 28 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c97d43fbb6bae8868beda9ebacec893a\BITC.tmp"
Fri 28 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f139320bcb75ba26729612b59ef01051\BIT13.tmp"
Fri 28 Sep 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!

Can somebody please tell me if my PC is now clean questionmark.gif
quietman7
Nov 27 2007, 11:06 PM
You should not be following specific instructions provided to someone else especially in the HijackThis forum. Those instructions were most likely given under the guidance of a trained staff expert to help fix that particular member's problems, NOT YOURS. Before taking any action, the helper must investigate the nature of the malware issues and then formulate a fix for the victim. Although your problem may be similar, the solution is not always the same.

You should not be using Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please follow the the instructions for using Vundofix in BC's self-help tutorial: "How To Remove Vundo/Winfixer Infection".

Then download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under "General and Startup", make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Click Close to exit the program.
Alvord12
Dec 2 2007, 04:18 AM
I used Dr.Web to find the virus file and it managed to delete it. Everything seems to work fine now.
I've posted my HijackThis logs after the Vundo Was deleted.
quietman7
Dec 2 2007, 10:45 AM
Your hijackthis log is posted here. I removed your duplicate post of that log in this thread as we do not allow posting of logs in this forum.

After posting a log you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic until you are cleared by the HJT Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Thanks for your cooperation and good luck with your log.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2008 Invision Power Services, Inc.