BleepingComputer.com: Privacy Protector, Error Cleaner, Spyware&malware Protection - Just Finished Using Sdfix.exe - Someone Let Me Know If I'm Alright?

Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

Privacy Protector, Error Cleaner, Spyware&malware Protection - Just Finished Using Sdfix.exe - Someone Let Me Know If I'm Alright? Someone let me know if I'm alright now..

#1 User is offline   Dingerz 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 11
  • Joined: 18-January 05

Posted 15 July 2008 - 05:48 AM

Alright, I posted earlier but now I found the real problem. I had malware installed on my computer and it was the Privacy Protector, Error Cleaner, Spyware&malware Protection problem.

I just ran SD fix.exe and it found a lot but now that my computer is up, I am still getting the attack messages.

I followed the instructions here:
http://www.bleepingcomputer.com/forums/topic105116.html

These are the results of my fix:


SDFix: Version 1.205
Run by Administrator on Tue 07/15/2008 at 06:26 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Restoring Windows ProductId To Remove Fake Virus Alert

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\user\Desktop\Error Cleaner.url - Deleted
C:\Documents and Settings\user\Favorites\Error Cleaner.url - Deleted
C:\Documents and Settings\user\Desktop\Privacy Protector.url - Deleted
C:\Documents and Settings\user\Favorites\Privacy Protector.url - Deleted
C:\Documents and Settings\user\Desktop\Spyware&Malware Protection.url - Deleted
C:\Documents and Settings\user\Favorites\Spyware&Malware Protection.url - Deleted
C:\WINDOWS\system32\s.bat - Deleted
C:\WINDOWS\EPEB.EXE - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-15 06:39:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Direct Connect\\Direct Connect.exe"="C:\\Program Files\\Direct Connect\\Direct Connect.exe:*:Enabled:File Sharing over TCP/IP"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\Program Files\\TorrentStorm\\Downloader\\Tor032\\tor032.exe"="C:\\Program Files\\TorrentStorm\\Downloader\\Tor032\\tor032.exe:*:Enabled:tor032"
"C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp"="C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp:*:Enabled:KazaaLite"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Disabled:LEXPPS.EXE"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Disabled:RealPlayer"
"C:\\Program Files\\AIM95\\aim.exe"="C:\\Program Files\\AIM95\\aim.exe:*:Disabled:AOL Instant Messenger"
"C:\\Program Files\\DC++\\DCPlusPlus.exe"="C:\\Program Files\\DC++\\DCPlusPlus.exe:*:Enabled:DC++"
"C:\\Documents and Settings\\user\\Desktop\\DCPlusPlus.exe"="C:\\Documents and Settings\\user\\Desktop\\DCPlusPlus.exe:*:Enabled:DC++"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\BitLord\\BitLord.exe"="C:\\Program Files\\BitLord\\BitLord.exe:*:Enabled:BitLord"
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"="C:\\Program Files\\QuickTime\\QuickTimePlayer.exe:*:Enabled:QuickTime Player"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\WINDOWS\\system32\\mphmjuvf.exe"="C:\\WINDOWS\\system32\\mph"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 12 Dec 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 13 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT3.tmp"
Wed 11 Aug 2004 39,424 ...H. --- "C:\Documents and Settings\user\Application Data\Microsoft\Word\~WRL1042.tmp"
Mon 12 Dec 2005 4,348 A..H. --- "C:\Documents and Settings\user\My Documents\My Music\iTunes\iTunes Music\License Backup\drmv1key.bak"
Mon 12 Dec 2005 20 A..H. --- "C:\Documents and Settings\user\My Documents\My Music\iTunes\iTunes Music\License Backup\drmv1lic.bak"
Mon 12 Dec 2005 400 A.SH. --- "C:\Documents and Settings\user\My Documents\My Music\iTunes\iTunes Music\License Backup\drmv2key.bak"

Finished!


Tara

#2 User is offline   Dingerz 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 11
  • Joined: 18-January 05

Posted 15 July 2008 - 06:03 AM

My ComboFix log:

ComboFix 08-07-13.11 - user 2008-07-15 6:56:27.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.616 [GMT -4:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\user\Application Data\inst.exe
C:\Documents and Settings\user\Desktop\Error Cleaner.url
C:\Documents and Settings\user\Desktop\Privacy Protector.url
C:\Documents and Settings\user\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\user\Favorites\Error Cleaner.url
C:\Documents and Settings\user\Favorites\Privacy Protector.url
C:\Documents and Settings\user\Favorites\Spyware&Malware Protection.url
C:\WINDOWS\system32\mcrh.tmp

.
((((((((((((((((((((((((( Files Created from 2008-06-15 to 2008-07-15 )))))))))))))))))))))))))))))))
.

2008-07-15 06:19 . 2008-07-15 06:20 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-15 06:18 . 2004-04-08 01:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-07-15 06:18 . 2008-07-15 06:18 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-15 06:10 . 2008-07-15 06:42 <DIR> d-------- C:\SDFix
2008-07-15 05:17 . 2008-07-15 05:17 <DIR> d-------- C:\Deckard
2008-07-15 03:36 . 2008-07-15 03:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-15 00:41 . 2008-07-15 05:52 <DIR> d-------- C:\Program Files\Exterminate It!
2008-07-15 00:32 . 2008-07-14 18:43 516,096 --a------ C:\WINDOWS\kgxmotaptvw.dll
2008-07-15 00:32 . 2008-07-14 18:43 356,352 --a------ C:\WINDOWS\evgratsm.dll
2008-07-15 00:32 . 2008-07-14 18:43 311,296 --a------ C:\WINDOWS\kvxqmtre.dll
2008-07-15 00:32 . 2008-07-14 18:43 159,744 --a------ C:\WINDOWS\qndsfmao.dll
2008-07-02 13:00 . 2008-07-15 01:27 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-02 11:13 . 2008-07-15 05:58 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-02 11:13 . 2008-07-02 11:13 <DIR> d-------- C:\Documents and Settings\JaneGuy\Application Data\AVG7
2008-07-02 11:13 . 2008-07-02 11:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVG7
2008-07-02 11:13 . 2008-07-04 12:33 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-02 11:13 . 2008-07-04 12:34 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-02 11:13 . 2008-07-04 12:33 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-02 11:12 . 2008-07-15 04:44 <DIR> d-------- C:\Program Files\AVG
2008-07-02 11:12 . 2008-07-02 11:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-20 13:41 . 2008-06-20 13:41 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 06:44 . 2008-06-20 06:44 138,368 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-19 00:32 . 2008-06-19 00:32 <DIR> d-------- C:\Documents and Settings\user\Application Data\Ableton
2008-06-19 00:32 . 2008-06-19 00:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ableton
2008-06-19 00:31 . 2008-06-19 00:31 <DIR> d-------- C:\Program Files\Ableton
2008-06-19 00:31 . 2007-09-03 14:03 368,640 --a------ C:\WINDOWS\system32\ReWire.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-15 09:58 --------- d-----w C:\Program Files\BitLord
2008-07-15 08:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-15 06:56 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-15 06:56 --------- d-----w C:\Program Files\Trillian
2008-07-15 06:52 --------- d-----w C:\Program Files\SpywareBlaster
2008-07-15 06:42 --------- d-----w C:\Program Files\DC++
2008-07-11 02:42 --------- d-----w C:\Program Files\Lavasoft
2008-07-11 02:42 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-11 02:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-09 19:53 9,626 ----a-w C:\Documents and Settings\JaneGuy\Application Data\wklnhst.dat
2008-07-09 06:52 --------- d-----w C:\Program Files\Amazon
2008-07-02 17:00 --------- d-----w C:\Program Files\DIGStream
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 16:08 --------- d-----w C:\Documents and Settings\JaneGuy\Application Data\InterVideo
2008-06-07 15:42 52,228 ----a-w C:\Documents and Settings\user\Application Data\wklnhst.dat
2008-06-02 07:20 --------- d-----w C:\Documents and Settings\JaneGuy\Application Data\Search Settings
2008-06-02 06:22 --------- d-----w C:\Documents and Settings\user\Application Data\DivX
2008-06-02 03:32 --------- d-----w C:\Program Files\Dealio
2008-06-02 02:31 --------- d-----w C:\Documents and Settings\user\Application Data\Search Settings
2008-06-02 02:29 --------- d-----w C:\Program Files\Search Settings
2008-06-02 02:22 --------- d-----w C:\Program Files\The KMPlayer
2008-05-26 08:40 --------- d-----w C:\Documents and Settings\JaneGuy\Application Data\vlc
2008-05-24 02:48 --------- d-----w C:\Program Files\Google
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2007-07-30 05:54 3,836,577 ----a-w C:\Program Files\DCPlusPlus-0.698.exe
2007-07-08 22:54 47,360 ----a-w C:\Documents and Settings\user\Application Data\pcouffin.sys
2005-12-12 03:05 79,952 ----a-w C:\Documents and Settings\user\Application Data\GDIPFONTCACHEV1.DAT
2005-05-31 06:56 2,576,384 ----a-w C:\Program Files\Transcoder.exe
2004-10-11 23:23 150 ---ha-w C:\Documents and Settings\user\hpothb07.dat
2004-10-01 19:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2005-01-01 05:38 4,402 --sha-w C:\WINDOWS\dblat.dat
2005-01-08 06:37 4,402 --sha-w C:\WINDOWS\zxwrv.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05721FB0-2C8D-41A1-BEF7-0957168A3502}]
2008-07-14 18:43 516096 --a------ C:\WINDOWS\kgxmotaptvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{9A3D91FB-FCF6-46A4-A0C2-B4865D8D05DC}"= "C:\WINDOWS\qndsfmao.dll" [2008-07-14 18:43 159744]

[HKEY_CLASSES_ROOT\clsid\{9a3d91fb-fcf6-46a4-a0c2-b4865d8d05dc}]
[HKEY_CLASSES_ROOT\qndsfmao.1]
[HKEY_CLASSES_ROOT\TypeLib\{1CA3FDCA-2340-4DD0-80E3-68EC677CD140}]
[HKEY_CLASSES_ROOT\qndsfmao]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 12:00 200704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 01:31 208952]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 08:00 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 08:00 455168]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28 790528]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-03-11 11:24 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 11:11 114688]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-06-25 15:30 335872]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 07:32 50688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-07-12 05:58 1397760]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 11:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SearchSettings"="C:\Program Files\Search Settings\SearchSettings.exe" [2008-02-06 17:47 1036640]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-04 12:34 1232152]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2004-04-08 01:39:00 114688]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"evgratsm"= {1B25B29D-4C71-4306-8DDD-4DA6FA910B99} - C:\WINDOWS\evgratsm.dll [2008-07-14 18:43 356352]
"kvxqmtre"= {38D6D4BE-706C-493F-A42A-7CAD1794F3D4} - C:\WINDOWS\kvxqmtre.dll [2008-07-14 18:43 311296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.hfyu"= huffyuv.dll
"msacm.divxa32"= DivXa32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax DllCmd 4.0.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax DllCmd 4.0.lnk
backup=C:\WINDOWS\pss\eFax DllCmd 4.0.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax Tray Menu 4.0.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax Tray Menu 4.0.lnk
backup=C:\WINDOWS\pss\eFax Tray Menu 4.0.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Finding Notes Easy.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Finding Notes Easy.lnk
backup=C:\WINDOWS\pss\Finding Notes Easy.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 11:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGServices]
--a------ 2005-05-19 13:55 101888 C:\Program Files\ESPNRunTime\DIGServices.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar]
--------- 2004-04-21 10:26 86016 C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 11:56 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
--a------ 2006-05-25 21:24 1003520 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2004-11-02 20:24 32768 C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-04-17 10:42 69632 c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 16:17 159744 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"TapiSrv"=3 (0x3)
"iPod Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\TorrentStorm\\Downloader\\Tor032\\tor032.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\AIM95\\aim.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-04 12:33]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-04 12:33]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-04 12:33]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-04 12:34]
R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2005-05-04 08:58]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a699bfe6-2c23-11dc-9fc9-806d6172696f}]
\Shell\AutoRun\command - D:\AutoRun\Demo.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-07-02 00:37:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{0AEBF16C-963C-4CA2-8673-E4F0650D6DA9} - C:\WINDOWS\system32\pmkhg.dll
HKCU-Run-PowerBar - (no file)
MSConfigStartUp-DIGStream - C:\Program Files\DIGStream\digstream.exe
MSConfigStartUp-TkBellExe - C:\Program Files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-15 06:59:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PowerBar = ????????????l?@?l?@?D?????A~??????????????A~l?@?l?@????? ???????????W?D~??A~??????A~K?A~x???????[?A~???????? ??????????????|x???0?????????????st??A~????????????????`8??????R???????l?@?l?@?????Q?B~????t?@?????l?@?8?@?l?@?3??s????????????????????8?@?_??s8?@?8?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-15 7:02:11
ComboFix-quarantined-files.txt 2008-07-15 11:01:52

Pre-Run: 67,084,783,616 bytes free
Post-Run: 67,858,534,400 bytes free

217 --- E O F --- 2008-07-09 07:26:02


Tara

#3 User is offline   Dingerz 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 11
  • Joined: 18-January 05

Posted 15 July 2008 - 06:06 AM

I am STILL getting a popup saying my computer is compromised.
The three icons for the privacy cleaner, error cleaner and spyware and malware are still on my desktop. Should I just delete them?

My Hijack Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:05: VIRUS ALERT!, on 7/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
O2 - BHO: QXK Olive - {05721FB0-2C8D-41A1-BEF7-0957168A3502} - C:\WINDOWS\kgxmotaptvw.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O3 - Toolbar: qndsfmao - {9A3D91FB-FCF6-46A4-A0C2-B4865D8D05DC} - C:\WINDOWS\qndsfmao.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://www.viidoo.tv/TVUAx.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdq/downloads/sysinfo.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://www.cogeco.ca/en/ols21/fscax.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://www.walmartphotocentre.ca/activex/PCAXSetup.cab?
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex...tupv2.0.0.9.cab?
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex...upv2.0.0.10.cab?
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O21 - SSODL: evgratsm - {1B25B29D-4C71-4306-8DDD-4DA6FA910B99} - C:\WINDOWS\evgratsm.dll
O21 - SSODL: kvxqmtre - {38D6D4BE-706C-493F-A42A-7CAD1794F3D4} - C:\WINDOWS\kvxqmtre.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 9166 bytes

Tara

This post has been edited by Dingerz: 15 July 2008 - 06:14 AM

#4 User is offline   Dingerz 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 11
  • Joined: 18-January 05

Posted 15 July 2008 - 10:54 AM

Someone help?? It's so bad.. I ran all that and it all came back.

Tara :thumbsup:

#5 User is offline   Thunder 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 3,294
  • Joined: 12-December 05
  • Gender:Male
  • Location:Belgium

Posted 16 July 2008 - 03:58 AM

Hello Tara,

Please do not open more than one thread for the same problem.

Let's continue here :
http://www.bleepingcomputer.com/forums/topic157807.html

I'll close this topic.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users