Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde


  • Please log in to reply
29 replies to this topic

#1 nancys

nancys

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:39 PM

Posted 29 July 2007 - 06:39 PM

:thumbsup:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:05:57 PM, on 7/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\dllcache\mswan.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\FreeCall.com\FreeCall\FreeCall.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
c:\winbash.exe
C:\WINDOWS\system32\rundll32.exe
c:\winbash.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Install_Messenger.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\bootstrap.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{77E210F3-5100-4904-99D5-CE71EEE7B723}: NameServer = 192.168.103.1
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Microsoft Genuine Update Advantage - Unknown owner - C:\WINDOWS\system32\dllcache\mswan.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4327 bytes


help me plz, i cannot go to my msn adress , it makes me crazy

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 30 July 2007 - 11:01 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum nancys :thumbsup:
My name is Richie and i'll be helping you to fix your problems.

It appears you've no virus protection installed.
Download\install one of the following freeware options from the choice below.
Once installed update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Avira AntiVir Personal Edition Classic
http://www.free-av.com/

---------------------------------------------

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: fix.bat to your desktop.
Then double click on the fix.bat file on your desktopPosted Image
You'll see a black screen flash,thats normal.

@echo off
sc stop Microsoft Genuine Update Advantage
sc delete Microsoft Genuine Update Advantage

Restart your pc.

---------------------------------------------

Please download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.


---------------------------------------------

Now go to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat(which is still Hijackthis.exe),post that log into your next reply please.
Posted Image
Posted Image

#3 nancys

nancys
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:39 PM

Posted 01 August 2007 - 07:18 AM

hello richie

here is the log of hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:57:22 AM, on 8/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {72BE8679-EAED-470A-BA24-CA80CFA9B75F} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{77E210F3-5100-4904-99D5-CE71EEE7B723}: NameServer = 192.168.103.1
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 3834 bytes


thanx for ur help

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 01 August 2007 - 08:11 AM

Please download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Posted Image
Posted Image

#5 nancys

nancys
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:39 PM

Posted 01 August 2007 - 09:20 AM

here is my log of combofix:

ComboFix 07-07-30.2 - "Administrator" 2007-08-01 7:11:50.3 [GMT -7:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True


((((((((((((((((((((((((( Files Created from 2007-07-01 to 2007-08-01 )))))))))))))))))))))))))))))))


2007-08-01 06:00 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-01 06:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-01 02:17 4,096 --a------ C:\WINDOWS\system32\drivers\KProcCheck.sys
2007-07-31 14:17 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-30 06:33 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-30 06:28 12,413,440 --a------ C:\avgas-setup-7.5.1.43.exe
2007-07-30 05:25 23,649,352 --a------ C:\avg75free_476a1048.exe
2007-07-30 02:02 126,016 --a------ C:\WINDOWS\system32\xcogeyhc.dll
2007-07-29 17:33 <DIR> d-------- C:\WINDOWS\pss
2007-07-29 16:03 <DIR> d-------- C:\Program Files\MSN Messenger
2007-07-29 15:56 18,895,728 --a------ C:\Program Files\Install_Messenger.exe
2007-07-29 13:15 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-29 13:13 <DIR> d-------- C:\Program Files\CCleaner
2007-07-29 13:10 2,720,456 --a------ C:\Program Files\ccsetup141.exe
2007-07-29 11:37 6,466 --ahs---- C:\WINDOWS\system32\wycdd.bak1
2007-07-29 06:47 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\MSNInstaller
2007-07-29 04:16 <DIR> d--h----- C:\WINDOWS\PIF
2007-07-27 15:40 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-27 08:10 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Talkback
2007-07-27 06:13 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-07-27 04:35 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-07-27 04:34 <DIR> d-------- C:\Program Files\Real
2007-07-27 04:34 <DIR> d-------- C:\Program Files\Common Files\Real
2007-07-27 04:34 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Real
2007-07-27 02:11 <DIR> d-------- C:\Program Files\Google
2007-07-27 02:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-07-27 02:10 835,704 --a------ C:\Program Files\Google Updater.exe
2007-07-27 02:04 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\FreeCall
2007-07-12 04:53 <DIR> d-------- C:\Program Files\FreeCall.com


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-29 11:51 --------- d-------- C:\Program Files\Common Files\Network Associates
2007-03-29 02:48 32080 --a--c--- C:\DOCUME~1\ADMINI~1\APPLIC~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-07-30 05:27]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 02:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"=0 (0x0)
"NoFind"=0 (0x0)
"NoRun"=0 (0x0)
"NoDesktop"=0 (0x0)
"NoClose"=0 (0x0)
"StartMenuLogOff"=0 (0x0)
"HideClock"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

R2 SoundMAX Agent Service (default);SoundMAX Agent Service;C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
S3 CA561;ICatch (VI) PC Camera;C:\WINDOWS\system32\Drivers\SPCA561.SYS
S3 FETNDISB;D-Link DFE-530TX PCI Fast Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\dlkfet5b.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{913c0b5a-bfaf-11db-aa2c-00e04d0011ae}]
AutoRun\command- fooool.exe
explore\Command- fooool.exe
open\Command- fooool.exe


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-01 07:13:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-01 7:14:21
C:\ComboFix-quarantined-files.txt ... 2007-08-01 07:14
C:\ComboFix2.txt ... 2007-08-01 07:10
C:\ComboFix3.txt ... 2007-07-31 14:33

--- E O F ---

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 01 August 2007 - 09:47 AM

Copy and paste ALL the following blue text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
C:\WINDOWS\system32\xcogeyhc.dll
C:\WINDOWS\system32\wycdd.bak1

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{913c0b5a-bfaf-11db-aa2c-00e04d0011ae}]

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
Let me know how your pc is running now.
Posted Image
Posted Image

#7 nancys

nancys
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:39 PM

Posted 01 August 2007 - 11:21 AM

i did the steps of combofix,here is the new report:

ComboFix 07-07-30.2 - "Administrator" 2007-08-01 9:13:14.4 [GMT -7:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\wycdd.bak1
C:\WINDOWS\system32\xcogeyhc.dll


((((((((((((((((((((((((( Files Created from 2007-07-01 to 2007-08-01 )))))))))))))))))))))))))))))))


2007-08-01 06:00 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-01 06:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-01 02:17 4,096 --a------ C:\WINDOWS\system32\drivers\KProcCheck.sys
2007-07-31 14:17 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-30 06:33 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-30 06:28 12,413,440 --a------ C:\avgas-setup-7.5.1.43.exe
2007-07-30 05:25 23,649,352 --a------ C:\avg75free_476a1048.exe
2007-07-29 17:33 <DIR> d-------- C:\WINDOWS\pss
2007-07-29 16:03 <DIR> d-------- C:\Program Files\MSN Messenger
2007-07-29 15:56 18,895,728 --a------ C:\Program Files\Install_Messenger.exe
2007-07-29 13:15 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-29 13:13 <DIR> d-------- C:\Program Files\CCleaner
2007-07-29 13:10 2,720,456 --a------ C:\Program Files\ccsetup141.exe
2007-07-29 06:47 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\MSNInstaller
2007-07-29 04:16 <DIR> d--h----- C:\WINDOWS\PIF
2007-07-27 15:40 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-27 08:10 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Talkback
2007-07-27 06:13 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-07-27 04:35 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-07-27 04:34 <DIR> d-------- C:\Program Files\Real
2007-07-27 04:34 <DIR> d-------- C:\Program Files\Common Files\Real
2007-07-27 04:34 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Real
2007-07-27 02:11 <DIR> d-------- C:\Program Files\Google
2007-07-27 02:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-07-27 02:10 835,704 --a------ C:\Program Files\Google Updater.exe
2007-07-27 02:04 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\FreeCall
2007-07-12 04:53 <DIR> d-------- C:\Program Files\FreeCall.com


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-29 11:51 --------- d-------- C:\Program Files\Common Files\Network Associates
2007-03-29 02:48 32080 --a--c--- C:\DOCUME~1\ADMINI~1\APPLIC~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-07-30 05:27]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 02:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"=0 (0x0)
"NoFind"=0 (0x0)
"NoRun"=0 (0x0)
"NoDesktop"=0 (0x0)
"NoClose"=0 (0x0)
"StartMenuLogOff"=0 (0x0)
"HideClock"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

R2 SoundMAX Agent Service (default);SoundMAX Agent Service;C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
S3 CA561;ICatch (VI) PC Camera;C:\WINDOWS\system32\Drivers\SPCA561.SYS
S3 FETNDISB;D-Link DFE-530TX PCI Fast Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\dlkfet5b.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-01 09:15:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-01 9:16:08
C:\ComboFix-quarantined-files.txt ... 2007-08-01 09:15
C:\ComboFix2.txt ... 2007-08-01 07:14
C:\ComboFix3.txt ... 2007-07-31 14:33

--- E O F ---


AND HERE IS THE LASTEST LOG OF HIJACKTHIS:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:57 AM, on 8/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{77E210F3-5100-4904-99D5-CE71EEE7B723}: NameServer = 192.168.103.1
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 3878 bytes

#8 nancys

nancys
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:39 PM

Posted 01 August 2007 - 12:40 PM

KASPERSKY ONLINE SCANNER REPORT
Wednesday, August 01, 2007 10:35:56 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 1/08/2007
Kaspersky Anti-Virus database records: 347721


Scan Settings
Scan using the following antivirus database
standard
Scan Archives
true
Scan Mail Bases
true

Scan Target
My Computer
A:\
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects
35995
Number of viruses found
2
Number of infected objects
10
Number of suspicious objects
0
Duration of the scan process
00:41:08


Infected Object Name
Virus Name
Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat
Object is locked
skipped

C:\Documents and Settings\Administrator\Desktop\MSNFix\MSNFix\backup\winbash.exe
Infected: Trojan.Win32.Autoit.ar
skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Object is locked
skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Object is locked
skipped

C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Object is locked
skipped

C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012007080120070802\index.dat
Object is locked
skipped

C:\Documents and Settings\Administrator\Local Settings\Temp\~DFF498.tmp
Object is locked
skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Object is locked
skipped

C:\Documents and Settings\Administrator\My Documents\My Received Files\lcapi0.log
Object is locked
skipped

C:\Documents and Settings\Administrator\My Documents\My Received Files\MsnMsgr.txt
Object is locked
skipped

C:\Documents and Settings\Administrator\My Documents\My Received Files\Transport0.log
Object is locked
skipped

C:\Documents and Settings\Administrator\NTUSER.DAT
Object is locked
skipped

C:\Documents and Settings\Administrator\ntuser.dat.LOG
Object is locked
skipped

C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log
Object is locked
skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log
Object is locked
skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck
Object is locked
skipped

C:\Documents and Settings\LocalService\Cookies\index.dat
Object is locked
skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Object is locked
skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Object is locked
skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat
Object is locked
skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\5VMDEPPO\setup[1].exe
Infected: Trojan.Win32.Autoit.ar
skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\5VMDEPPO\setup[2].exe
Infected: Trojan.Win32.Autoit.ar
skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\5VMDEPPO\setup[3].exe
Infected: Trojan.Win32.Autoit.ar
skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Object is locked
skipped

C:\Documents and Settings\LocalService\NTUSER.DAT
Object is locked
skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG
Object is locked
skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Object is locked
skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Object is locked
skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT
Object is locked
skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG
Object is locked
skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\cvpeemdg.dll.vir
Infected: Trojan.Win32.BHO.bd
skipped

C:\System Volume Information\MountPointManagerRemoteDatabase
Object is locked
skipped

C:\System Volume Information\_restore{E16BD09B-209E-4D6C-93DF-6B3A2B158C10}\RP102\A0038537.exe
Infected: Trojan.Win32.Autoit.ar
skipped

C:\System Volume Information\_restore{E16BD09B-209E-4D6C-93DF-6B3A2B158C10}\RP103\A0039537.exe
Infected: Trojan.Win32.Autoit.ar
skipped

C:\System Volume Information\_restore{E16BD09B-209E-4D6C-93DF-6B3A2B158C10}\RP105\A0042569.exe
Infected: Trojan.Win32.Autoit.ar
skipped

C:\System Volume Information\_restore{E16BD09B-209E-4D6C-93DF-6B3A2B158C10}\RP107\A0042645.dll
Infected: Trojan.Win32.BHO.bd
skipped

C:\System Volume Information\_restore{E16BD09B-209E-4D6C-93DF-6B3A2B158C10}\RP108\change.log
Object is locked
skipped

C:\System Volume Information\_restore{E16BD09B-209E-4D6C-93DF-6B3A2B158C10}\RP99\A0038195.exe
Infected: Trojan.Win32.Autoit.ar
skipped

C:\WINDOWS\Debug\PASSWD.LOG
Object is locked
skipped

C:\WINDOWS\SchedLgU.Txt
Object is locked
skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log
Object is locked
skipped

C:\WINDOWS\Sti_Trace.log
Object is locked
skipped

C:\WINDOWS\system32\config\AppEvent.Evt
Object is locked
skipped

C:\WINDOWS\system32\config\default
Object is locked
skipped

C:\WINDOWS\system32\config\default.LOG
Object is locked
skipped

C:\WINDOWS\system32\config\SAM
Object is locked
skipped

C:\WINDOWS\system32\config\SAM.LOG
Object is locked
skipped

C:\WINDOWS\system32\config\SecEvent.Evt
Object is locked
skipped

C:\WINDOWS\system32\config\SECURITY
Object is locked
skipped

C:\WINDOWS\system32\config\SECURITY.LOG
Object is locked
skipped

C:\WINDOWS\system32\config\software
Object is locked
skipped

C:\WINDOWS\system32\config\software.LOG
Object is locked
skipped

C:\WINDOWS\system32\config\SysEvent.Evt
Object is locked
skipped

C:\WINDOWS\system32\config\system
Object is locked
skipped

C:\WINDOWS\system32\config\system.LOG
Object is locked
skipped

C:\WINDOWS\system32\h323log.txt
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP
Object is locked
skipped

C:\WINDOWS\wiadebug.log
Object is locked
skipped

C:\WINDOWS\wiaservc.log
Object is locked
skipped

C:\WINDOWS\WindowsUpdate.log
Object is locked
skipped

D:\System Volume Information\MountPointManagerRemoteDatabase
Object is locked
skipped

D:\System Volume Information\_restore{E16BD09B-209E-4D6C-93DF-6B3A2B158C10}\RP108\change.log
Object is locked
skipped

E:\System Volume Information\MountPointManagerRemoteDatabase
Object is locked
skipped

E:\System Volume Information\_restore{E16BD09B-209E-4D6C-93DF-6B3A2B158C10}\RP108\change.log
Object is locked
skipped

Scan process completed.

#9 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 01 August 2007 - 02:13 PM

Please don't run any more scans other than the ones i ask you to run,thanks.

Clear your 'System Restore' points by doing the following:
Right-click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Select 'Turn Off System Restore On All Drives'.
Select 'Apply'.
You will then get the following warning:
"You have chosen to turn off System Restore.
If you continue,all existing restore points will be deleted,and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?".
Then select 'Yes',your 'System Restore' directories will be purged.

Restart your pc.

Turn 'System Restore' back on:
Right click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Unselect 'Turn Off System Restore On All Drives'.
Select 'Apply',then click 'Ok'.

--------------------------------------------------------------

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE" using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

Also post a new Hijackthis log.
Let me know how your pc is running now.
Posted Image
Posted Image

#10 nancys

nancys
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:39 PM

Posted 01 August 2007 - 03:49 PM

finally here is the report of Dr.web

Fport.exe;C:\Documents and Settings\Administrator\Desktop\DiagHelp\DiagHelp;Program.FPort.20;Incurable.Moved.;
pslist.exe;C:\Documents and Settings\Administrator\Desktop\DiagHelp\DiagHelp;Program.PsList.126;Incurable.Moved.;
winbash.exe;C:\Documents and Settings\Administrator\Desktop\MSNFix\MSNFix\backup;Win32.HLLW.Crazy;Incurable.Moved.;
Process.exe;C:\Documents and Settings\Administrator\Desktop\MSNFix\MSNFix\incl;Tool.Prockill;Incurable.Moved.;
setup[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\5VMDEPPO;Win32.HLLW.Crazy;Incurable.Moved.;
setup[2].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\5VMDEPPO;Win32.HLLW.Crazy;Incurable.Moved.;
setup[3].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\5VMDEPPO;Win32.HLLW.Crazy;Incurable.Moved.;
cvpeemdg.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
hggdeec.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
pmnlk.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
tuvuuur.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
xcogeyhc.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
A0000005.exe;C:\System Volume Information\_restore{E16BD09B-209E-4D6C-93DF-6B3A2B158C10}\RP1;Win32.HLLW.Crazy;Incurable.Moved.;


and here is the log of hijackthis :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:48:42 PM, on 8/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{77E210F3-5100-4904-99D5-CE71EEE7B723}: NameServer = 192.168.103.1
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 3899 bytes


thanx for ur help

#11 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 01 August 2007 - 04:06 PM

Your log is clean :thumbsup:
If all's ok,please do the following.

Find and delete:
fix.bat
Combofix.exe

C:\QOOBOX

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

If you use Opera browser,do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

----------------------------------------------------

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window,click on the 'Create a Restore Point' button,then click 'Next'.
In the window that appears,enter a description\name for the Restore Point,then click on 'Create',wait,then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear,click on Ok.
The 'Disk Cleanup for [C:]' box will appear,click on the 'More Options' tab.
At the bottom in the 'System Restore' window,click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?',click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here,to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

Edited by RichieUK, 01 August 2007 - 04:07 PM.

Posted Image
Posted Image

#12 nancys

nancys
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:39 PM

Posted 01 August 2007 - 04:17 PM

is fix.bat = msnfix ? and is it safe to re connect on my msn
i deleted Combofix.exe and C:\QOOBOX
and i already have the ccleaner, does it do the same procedures then ATF Cleaner? or is it safer to re install the ATF Cleaner?

thanx again

#13 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 01 August 2007 - 04:34 PM

is fix.bat = msnfix ?

No,its nothing to do with msnfix,its a fix i posted earlier on in this topic.

and is it safe to re connect on my msn

Yes,you're perfectly safe to reconnect to msn.

i already have the ccleaner, does it do the same procedures then ATF Cleaner? or is it safer to re install the ATF Cleaner?

Hang on to CCleaner,remove ATF Cleaner if you like.
:thumbsup:
Posted Image
Posted Image

#14 nancys

nancys
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:39 PM

Posted 01 August 2007 - 04:55 PM

all the steps are done :flowers:
i just have one more question :
i have all these on my pc now: AVG antivirus, AVG antispyware, msnfix, DiagHelp , HijackThis, Ccleaner and Dr.web
what do i have to remove? and what is the best free antivirus ?

thanx again u r the best :thumbsup:

#15 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 01 August 2007 - 05:30 PM

i have all these on my pc now: AVG antivirus, AVG antispyware, msnfix, DiagHelp , HijackThis, Ccleaner and Dr.web
what do i have to remove?

Remove these:
msnfix
DiagHelp
HijackThis
Dr.web

what is the best free antivirus ?

In my opinion you already have the best,AVG7 Free Edition.
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users