
I Am The Infected


This topic is locked. 16 replies to this topic.

#1 benjira

Posted 03 January 2008 - 10:08 PM

Hello All

My first post to this site and hopefully I am in the right place. I picked up a friend's computer thinking I was the hot shot problem solver, and what do my wondering eyes do appear, a nasty little virus, not one from my ear. I have found more than 3 different viruses that I cannot clean. I have done many searches on the TROJ_DLOADER and cannot find anything about it.


TROJ_DLOADER.SYZ
TROJ_DLOADER.SXR
PE_TRATS.A
TROJ_VB.JAA
PE_TRATS.A-O


I have used the following to try and get rid of these buggers, in Safe Mode, not in Safe Mode, etc.
I do have HijackThis and can post a log file if need be. This is no fun, but I am not a quitter.

System Suite 8
Spybot Search and Destroy
Avast
Windows Malicious Software Removal Tool

If someone could kindly lead me in the right direction it would surely be much appreciated.



Thanks
Benjira

Edited by benjira, 03 January 2008 - 10:20 PM.



#2 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 03 January 2008 - 11:31 PM

Welcome to BC benjira

In order to properly identify this malware and assist you better, we need some specific information.

What program is alerting you to the infection?
Did your scan provide a specific file name associated with these malware threats and if so, where are they located (full file path) on your system? If your scan saved a log file, it should show exactly what and where the malware has been found, so post that instead.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 benjira (Topic Starter)

Posted 04 January 2008 - 12:36 AM

Thanks qman.
Right now I am in the process of running SUPERAntiSpyware after running the ATF program. So far I am up to 11 threats and 7 are of the Vundo variety. The others are Trojan.Downloader-Gen. So far this is working better than anything else I have tried; when I have finished I will post the results.


Thanks
Benjira

#4 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 04 January 2008 - 08:29 AM

Ok. Don't forget to answer my question above as to what program was providing the malware alerts, what specific file name was associated with them and where they are located (full file path).

#5 benjira (Topic Starter)

Posted 04 January 2008 - 10:13 AM

Here is the scan log from SUPERAntiSpyware. I am currently scanning with Dr.Web and will post the results when finished.




SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/04/2008 at 01:35 AM

Application Version : 3.9.1008

Core Rules Database Version : 3373
Trace Rules Database Version: 1368

Scan type : Complete Scan
Total Scan Time : 01:17:34

Memory items scanned : 185
Memory threats detected : 1
Registry items scanned : 3164
Registry threats detected : 8
File items scanned : 63970
File threats detected : 2

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\GEBYW.DLL
C:\WINDOWS\SYSTEM32\GEBYW.DLL
HKLM\Software\Classes\CLSID\{D3B71EF0-ACAC-4FB1-9D17-58D8C474C84B}
HKCR\CLSID\{D3B71EF0-ACAC-4FB1-9D17-58D8C474C84B}
HKCR\CLSID\{D3B71EF0-ACAC-4FB1-9D17-58D8C474C84B}\InprocServer32
HKCR\CLSID\{D3B71EF0-ACAC-4FB1-9D17-58D8C474C84B}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3B71EF0-ACAC-4FB1-9D17-58D8C474C84B}

Trojan.Downloader-Gen
[load] C:\WINDOWS\SYSTEM32\GEBYW.EXE
C:\WINDOWS\SYSTEM32\GEBYW.EXE
[load] C:\WINDOWS\SYSTEM32\GEBYW.EXE
[load] C:\WINDOWS\SYSTEM32\GEBYW.EXE

#6 benjira (Topic Starter)

Posted 04 January 2008 - 10:17 AM

Here are the scan logs from System Suite

On-Demand Virus Scanner Results:

Run: 1/3/2008 6:02:34 PM

Drives scanned:
C:\
Categories checked:
Boot Sectors
Executables
Macros

Results:

Found potential threat
In File: C:\Program Files\Avanquest\SystemSuite\MemCheck.exe
Name: PE_TRATS.A
Requested action: Move potential threat to folder C:\Documents and Settings\Administrator.BRUCEHOME\Application Data\Avanquest\SystemSuite\Quarantine
Results: Successfully carried out requested action.

Found potential threat
In File: C:\Program Files\Messenger\msmsgs.exe
Name: PE_TRATS.A
Requested action: Move potential threat to folder C:\Documents and Settings\Administrator.BRUCEHOME\Application Data\Avanquest\SystemSuite\Quarantine
Results: Successfully carried out requested action.

Found potential threat
In File: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
Name: PE_TRATS.A
Requested action: Move potential threat to folder C:\Documents and Settings\Administrator.BRUCEHOME\Application Data\Avanquest\SystemSuite\Quarantine
Results: Successfully carried out requested action.

Found potential threat
In File: C:\WINDOWS\system32\gebyw.exe
Name: PE_TRATS.A-O
Requested action: Move potential threat to folder C:\Documents and Settings\Administrator.BRUCEHOME\Application Data\Avanquest\SystemSuite\Quarantine
Results: Successfully carried out requested action.

Found potential threat
In File: C:\WINDOZE\system32\hkcmd.exe
Name: PE_TRATS.A
Requested action: Move potential threat to folder C:\Documents and Settings\Administrator.BRUCEHOME\Application Data\Avanquest\SystemSuite\Quarantine
Results: Successfully carried out requested action.

Found potential threat
In File: C:\WINDOZE\system32\igfxtray.exe
Name: PE_TRATS.A
Requested action: Move potential threat to folder C:\Documents and Settings\Administrator.BRUCEHOME\Application Data\Avanquest\SystemSuite\Quarantine
Results: Successfully carried out requested action.

Files not scanned:
C:\pagefile.sys
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll
C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll
C:\WINDOWS\$NtUninstallKB828741$\es.dll
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll
C:\WINDOZE\SoftwareDistribution\EventCache\AD674747-B713-477E-BFA8-4BD66114FFF0.bin

18573 Executables scanned
255 Macros scanned
10 Files inside archives scanned
21 Files that could not be scanned (files in use, encrypted archives, etc.)
18838 Total files scanned

Recommended action:

Some files could not be scanned. These files may be encrypted or in use by either Windows or another application.

The scanner cannot scan files that are locked by Windows, but most of these files are at a very low risk of infection. These include files with a .log extension (or no extension at all), virtual memory files (*.swp in Windows 95/98 or pagefile.sys in Windows NT/2000) and System Registry files (user.dat, system.dat, ntuser.dat).

If you would like to scan these files, close all open applications, decrypt any encrypted files, and try again. If you still cannot access the files, use the Virus Rescue Disk to scan them.

In some cases you may need to use the Virus Rescue Disk set. The disk set, including instructions, can be downloaded from http://www.v-com.com/virusinfo/rescue.html. Please use a machine that is not infected with a virus to create the disk set. Please note the Virus Rescue Disk set is only compatible with FAT file systems. Windows NT and operating systems that are installed on NTFS file system are incompatible.

You may wish to boot into Safe Mode and run Deep Scan.

#7 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 04 January 2008 - 10:26 AM

Please follow the instructions for using VundoFix in BC's self-help tutorial: "How To Remove Vundo/Winfixer Infection".

After running VundoFix, a text file named vundofix.txt will have automatically been saved to the root of the system drive, usually at C:\vundofix.txt. Please copy & paste the contents of that text file into your next reply.

#8 benjira (Topic Starter)

Posted 04 January 2008 - 11:24 AM

Here is the VundoFix log:
VundoFix V6.7.7

Checking Java version...

Scan started at 11:15:40 PM 1/3/2008

Listing files found while scanning....

C:\windows\system32\gebyw.dll
C:\windows\system32\wybeg.ini
C:\windows\system32\wybeg.ini2

Beginning removal...

Attempting to delete C:\windows\system32\gebyw.dll
C:\windows\system32\gebyw.dll Has been deleted!

Attempting to delete C:\windows\system32\wybeg.ini
C:\windows\system32\wybeg.ini Has been deleted!

Attempting to delete C:\windows\system32\wybeg.ini2
C:\windows\system32\wybeg.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.7

Checking Java version...

Scan started at 11:13:28 AM 1/4/2008

Listing files found while scanning....

#9 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 04 January 2008 - 11:31 AM

How is your computer running now? Any more signs of infection?

#10 benjira (Topic Starter)

Posted 04 January 2008 - 12:05 PM

Hey Quietman

Do you ever sleep?
I scanned with CureIt and the log file is too big to cut and paste. Here is the synopsis:

Objects scanned: 155134
Infected objects found: 22
Objects with modifications found: 0
Suspicious objects found: 3
Adware programs found: 0
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 3
Cured: 0
Deleted: 23
Renamed: 0
Moved: 0
Ignored: 0
Scan speed: 323 Kb/s
Scan time: 02:18:19

#11 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 04 January 2008 - 02:16 PM

Since you have so many infected files, let's check your system a little more.

Please download SDFix by AndyManchesta and save it to your desktop.
alternate download
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save a copy into the SDFix folder as Report.txt.
  • Copy and paste the contents of Report.txt in your next reply.
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe


#12 benjira (Topic Starter)

Posted 04 January 2008 - 06:56 PM

OK

Here is the log from SDFix. I am still getting a SystemSuite scanner alert saying that I am still infected with Troj_DLoader.SXR. I feel that it is running a little faster, but it still is not right. Thanks again for all of your help. You just can't get in a hurry with these beasts.




SDFix: Version 1.123

Run by Administrator on Fri 01/04/2008 at 05:12 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\TSQFY.EXE - Deleted
C:\Program Files\Setup.exe - Deleted



Folder C:\Program Files\Helper - Removed

Removing Temp Files...

ADS Check:

C:\WINDOZE
No streams found.

C:\WINDOZE\system32
No streams found.

C:\WINDOZE\system32\svchost.exe
No streams found.

C:\WINDOZE\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 17:50:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
%windir%\\system32\\sessmgr.exe="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP1\\Win32\\RpcDataSrv.exe="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP1\\Win32\\RpcDataSrv.exe:*:Enabled:SiSoftware Database Agent Service"
C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP1\\RpcSandraSrv.exe="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP1\\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Agent Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
%windir%\\system32\\sessmgr.exe="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Thu 3 Oct 2002 49,223 A..H. --- "C:\Program Files\America Online 8.0\aolphx.exe"
Thu 3 Oct 2002 36,939 A..H. --- "C:\Program Files\America Online 8.0\aoltray.exe"
Thu 3 Oct 2002 40,960 A..H. --- "C:\Program Files\America Online 8.0\RBM.exe"
Thu 3 Oct 2002 233,539 A..H. --- "C:\Program Files\America Online 8.0\waol.exe"
Tue 5 Mar 2002 106,564 A..H. --- "C:\Program Files\CompuServe 7.0\csphx.exe"
Tue 5 Mar 2002 32,840 A..H. --- "C:\Program Files\CompuServe 7.0\cstray.exe"
Mon 4 Mar 2002 40,960 A..H. --- "C:\Program Files\CompuServe 7.0\RBM.exe"
Tue 5 Mar 2002 180,288 A..H. --- "C:\Program Files\CompuServe 7.0\wcs2000.exe"
Thu 30 Dec 2004 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 3 Oct 2002 49,225 A..H. --- "C:\Program Files\America Online 8.0\COMIT\cswitch.exe"
Tue 5 Mar 2002 77,894 A..H. --- "C:\Program Files\CompuServe 7.0\COMIT\cswitch.exe"
Fri 15 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 16 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sun 7 Nov 2004 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Sun 7 Nov 2004 12,368 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Thu 3 Oct 2002 106,496 A..H. --- "C:\Program Files\Common Files\aolshare\shell\us\shellext.dll"
Wed 12 Dec 2001 102,400 A..H. --- "C:\Program Files\Common Files\csshare\shell\us\shellext.dll"
Thu 30 Dec 2004 4,348 A..H. --- "C:\Documents and Settings\Administrator.BRUCEHOME\Desktop\bruces stuff\K-Lite Music\License Backup\drmv1key.bak"
Fri 1 Dec 2006 20 A..H. --- "C:\Documents and Settings\Administrator.BRUCEHOME\Desktop\bruces stuff\K-Lite Music\License Backup\drmv1lic.bak"
Thu 30 Dec 2004 400 A.SH. --- "C:\Documents and Settings\Administrator.BRUCEHOME\Desktop\bruces stuff\K-Lite Music\License Backup\drmv2key.bak"
Thu 30 Dec 2004 4,348 A..H. --- "C:\Documents and Settings\Administrator.BRUCEHOME\Desktop\bruces stuff\My Music\License Backup\drmv1key.bak"
Tue 28 Jun 2005 20 A..H. --- "C:\Documents and Settings\Administrator.BRUCEHOME\Desktop\bruces stuff\My Music\License Backup\drmv1lic.bak"
Thu 30 Dec 2004 400 A.SH. --- "C:\Documents and Settings\Administrator.BRUCEHOME\Desktop\bruces stuff\My Music\License Backup\drmv2key.bak"

Finished!

#13 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 04 January 2008 - 07:18 PM

Did your scan provide a specific file name associated with this malware threat and if so, where is it located (full file path) at on your system? If your scan saved a log file, it should show exactly what and where the malware has been found so post that instead.

Edited by quietman7, 04 January 2008 - 07:20 PM.


#14 byteguy

Posted 04 January 2008 - 08:00 PM

I had a similar problem. Tried: scan with Trend Internet Security 2008, scan with Trend Housecall, scan with Panda PAVCL, scan with Ad-aware 7, then on to the help forums.

What finally fixed it was running Smitfraud, Superantispyware (www.superantispyware.com), Spywareterminator (www.spywareterminator.com). Also had to go to Windows directory and delete default.htm--which is the wallpaper that drives you nuts--telling you that you are at risk.

Had to do the above on a laptop.

Had another client with an identical problem on a desktop--much easier to fix. Just took his hard drive, put it as a second drive in my shop machine and ran a virus and spyware scan from the C drive. Cleared it right up. Worked so well because the system was not running files on that particular drive. This was not an option on the laptop.

Art
I have the power to channel my imagination into ever-soaring levels of suspicion and paranoia.

#15 benjira (Topic Starter)

Posted 04 January 2008 - 10:02 PM

Here are the ComboFix log files:


ComboFix 08-01-04.1 - Administrator 2008-01-04 21:06:42.1 - NTFSx86
Running from: C:\Documents and Settings\Administrator.BRUCEHOME\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.

2008-01-04 21:04 . 2000-08-31 08:00 51,200 --a------ C:\WINDOZE\NirCmd.exe
2008-01-04 17:10 . 2008-01-04 17:10 <DIR> d-------- C:\WINDOZE\ERUNT
2008-01-04 15:04 . 2008-01-04 18:07 1,043,860 ---hs---- C:\WINDOZE\system32\rexksnaq.ini
2008-01-04 12:34 . 2008-01-03 21:41 1,212,976 --a------ C:\SDFix.exe
2008-01-04 11:14 . 2008-01-04 11:14 <DIR> d-------- C:\Documents and Settings\Bruce\DoctorWeb
2008-01-04 08:34 . 2008-01-04 08:34 <DIR> d-------- C:\Documents and Settings\Administrator.BRUCEHOME\DoctorWeb
2008-01-04 08:29 . 2008-01-04 08:29 <DIR> d-------- C:\Program Files\CCleaner
2008-01-04 08:12 . 2008-01-04 08:16 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-01-04 01:58 . 2008-01-04 09:28 604 --a------ C:\WINDOZE\system32\tmp.reg
2008-01-04 01:56 . 2007-09-05 23:22 289,144 --a------ C:\WINDOZE\system32\VCCLSID.exe
2008-01-04 01:56 . 2006-04-27 16:49 288,417 --a------ C:\WINDOZE\system32\SrchSTS.exe
2008-01-04 01:56 . 2007-12-20 23:11 81,920 --a------ C:\WINDOZE\system32\IEDFix.exe
2008-01-04 01:56 . 2003-06-05 20:13 53,248 --a------ C:\WINDOZE\system32\Process.exe
2008-01-04 01:56 . 2004-07-31 17:50 51,200 --a------ C:\WINDOZE\system32\dumphive.exe
2008-01-04 01:56 . 2007-10-03 23:36 25,600 --a------ C:\WINDOZE\system32\WS2Fix.exe
2008-01-04 00:05 . 2008-01-04 00:05 <DIR> d-------- C:\Documents and Settings\All Users.WINDOZE\Application Data\SUPERAntiSpyware.com
2008-01-04 00:04 . 2008-01-04 01:48 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-04 00:04 . 2008-01-04 00:04 <DIR> d-------- C:\Documents and Settings\Administrator.BRUCEHOME\Application Data\SUPERAntiSpyware.com
2008-01-03 23:15 . 2008-01-04 11:01 <DIR> d-------- C:\VundoFix Backups
2008-01-03 20:39 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOZE\system32\dllcache\usbstor.sys
2008-01-03 19:18 . 2007-12-04 09:51 42,912 --a------ C:\WINDOZE\system32\drivers\aswTdi.sys
2008-01-03 19:18 . 2007-12-04 09:49 26,624 --a------ C:\WINDOZE\system32\drivers\aavmker4.sys
2008-01-03 19:18 . 2007-12-04 09:53 23,152 --a------ C:\WINDOZE\system32\drivers\aswRdr.sys
2008-01-03 19:17 . 2008-01-03 19:17 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-03 19:17 . 2003-03-18 16:20 1,060,864 --a------ C:\WINDOZE\system32\MFC71.dll
2008-01-03 19:17 . 2007-12-04 08:04 837,496 --a------ C:\WINDOZE\system32\aswBoot.exe
2008-01-03 19:17 . 2003-03-18 15:14 499,712 --a------ C:\WINDOZE\system32\MSVCP71.dll
2008-01-03 19:17 . 2004-01-09 04:13 380,928 --a------ C:\WINDOZE\system32\actskin4.ocx
2008-01-03 19:17 . 2003-02-20 22:42 348,160 --a------ C:\WINDOZE\system32\MSVCR71.dll
2008-01-03 19:17 . 2007-12-04 07:54 95,608 --a------ C:\WINDOZE\system32\AvastSS.scr
2008-01-03 19:17 . 2007-12-04 09:55 94,544 --a------ C:\WINDOZE\system32\drivers\aswmon2.sys
2008-01-03 19:17 . 2007-12-04 09:56 93,264 --a------ C:\WINDOZE\system32\drivers\aswmon.sys
2008-01-03 14:04 . 2008-01-03 14:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Avanquest
2008-01-03 09:35 . 2008-01-03 09:35 0 --a------ C:\WINDOZE\nsreg.dat
2008-01-03 03:09 . 2008-01-03 03:09 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Avanquest
2008-01-03 03:06 . 2008-01-03 03:06 <DIR> d-------- C:\Documents and Settings\All Users.WINDOZE\Application Data\BVRP Software
2008-01-03 03:05 . 2008-01-03 03:05 <DIR> dr-hs---- C:\_Backup.RC
2008-01-03 03:05 . 2008-01-03 03:05 <DIR> d--h----- C:\_Backup
2008-01-03 03:00 . 2008-01-03 03:00 <DIR> d-------- C:\Documents and Settings\Administrator.BRUCEHOME\Application Data\Avanquest
2008-01-03 02:59 . 2008-01-03 02:59 23,600 --a------ C:\WINDOZE\system32\drivers\TVICHW32.SYS
2008-01-03 02:56 . 2008-01-03 02:56 <DIR> d-------- C:\Program Files\Avanquest
2008-01-03 02:53 . 2008-01-03 23:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-03 02:37 . 2008-01-03 02:37 <DIR> d-------- C:\Program Files\Avance Sound Manager
2008-01-03 02:37 . 2002-06-29 18:05 654,508 --a------ C:\WINDOZE\system32\drivers\ALCXWDM.SYS
2008-01-03 02:37 . 2002-06-29 18:05 617,984 --a------ C:\WINDOZE\system32\ALSNDMGR.CPL
2008-01-03 02:37 . 2002-06-29 18:05 208,896 --------- C:\WINDOZE\alcupd.exe
2008-01-03 02:37 . 2002-06-29 18:05 141,016 --a------ C:\WINDOZE\system32\ALSNDMGR.WAV
2008-01-03 02:37 . 2002-06-29 18:05 135,168 --------- C:\WINDOZE\alcrmv.exe
2008-01-03 02:37 . 2002-06-29 18:05 46,592 --a------ C:\WINDOZE\SOUNDMAN.EXE
2008-01-03 02:37 . 2002-06-29 18:05 584 --------- C:\WINDOZE\system32\drivers\alcxinit.dat
2008-01-03 02:37 . 2002-06-29 18:05 164 --------- C:\WINDOZE\avrack.ini
2008-01-03 02:26 . 2008-01-03 02:26 559 --a------ C:\WINDOZE\PhotoImpression.ini
2008-01-03 02:25 . 2008-01-03 02:25 <DIR> d-------- C:\Documents and Settings\All Users.WINDOZE\Application Data\MSN6
2008-01-03 02:25 . 2008-01-03 02:25 <DIR> d-------- C:\Documents and Settings\Administrator.BRUCEHOME\Application Data\MSN6
2008-01-03 02:09 . 2008-01-03 02:09 <DIR> d-------- C:\Program Files\SiSoftware
2008-01-03 02:01 . 2005-06-21 16:43 163,840 --a------ C:\WINDOZE\system32\igfxres.dll
2008-01-03 02:00 . 2008-01-03 02:00 <DIR> d-------- C:\Documents and Settings\ADMINI~1~BRU\LOCALS~1
2008-01-03 01:07 . 2008-01-03 12:12 <DIR> d--h----- C:\WINDOZE\$hf_mig$
2008-01-03 01:07 . 2005-06-28 10:21 22,752 --a------ C:\WINDOZE\system32\spupdsvc.exe
2008-01-03 01:06 . 2008-01-03 01:06 13,646 --a------ C:\WINDOZE\system32\wpa.bak
2008-01-03 01:00 . 2008-01-03 01:10 <DIR> d-------- C:\Documents and Settings\All Users.WINDOZE\Application Data\Spybot - Search & Destroy
2007-12-29 11:39 . 2007-12-29 11:39 <DIR> d-------- C:\Temp\cEeer12

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
1/3/2008 18:50 --------- d-----w C:\Program Files\Norton AntiVirus
1/3/2008 18:49 --------- d-----w C:\Program Files\MSN Messenger
1/3/2008 18:47 --------- d-----w C:\Program Files\Common Files\Symantec Shared
1/3/2008 7:37 --------- d-----w C:\Program Files\AvRack
12/31/2007 17:17 --------- d-----w C:\Program Files\Lexmark X5100 Series
12/30/2007 23:04 --------- d-----w C:\Documents and Settings\Bruce\Application Data\Netscape
12/29/2007 18:01 --------- d-----w C:\Program Files\QuickTime
12/29/2007 18:01 --------- d-----w C:\Program Files\Microsoft Works
12/29/2007 17:08 --------- d-----w C:\Program Files\Plaxo
12/29/2007 16:41 --------- d-----w C:\Program Files\Picasa
12/29/2007 0:31 --------- d-----w C:\Documents and Settings\Bruce\Application Data\ZoomBrowser EX
12/15/2007 0:35 --------- d-----w C:\Program Files\BellSouth
12/9/2007 23:03 --------- d-----w C:\Documents and Settings\Bruce\Application Data\WeatherBug
12/6/2007 0:01 --------- d-----w C:\Program Files\Symantec
11/13/2007 10:25 20,480 ----a-w C:\WINDOZE\system32\drivers\secdrv.sys
10/29/2007 22:43 1,287,680 ----a-w C:\WINDOZE\system32\quartz.dll
10/27/2007 22:39 230,912 ----a-w C:\WINDOZE\system32\wmasf.dll
3/10/2007 21:51 9,436,018 ----a-w C:\Program Files\AutoGordianKnot.2.40.Setup.exe
2/19/2007 0:31 19,203,280 ----a-w C:\Program Files\nsb-install-8-1-2.exe
1/6/2007 14:30 4,766,808 ----a-w C:\Program Files\BellSouthMessengerSetup43.exe
11/30/2006 1:53 36,076,512 ----a-w C:\Program Files\NAV071400.exe
2/25/2006 22:55 3,910,704 ----a-w C:\Program Files\BellSouthMessengerSetup42.exe
12/15/2005 1:53 6,811,904 ----a-w C:\Program Files\psa2011se_us.exe
12/18/2004 0:16 1,951,432 ----a-w C:\Program Files\ppviewer.exe
11/20/2004 14:57 26,953,157 ----a-w C:\Program Files\NAV10ESD.exe
11/10/2004 0:56 487,544 ----a-w C:\Program Files\msgr6suite.exe
9/13/2003 2:45 603,943 ----a-w C:\Program Files\Pink Floyd.exe
9/13/2003 2:45 407,240 ----a-w C:\Program Files\Pink Floyd.scr
9/13/2003 2:45 40,960 ----a-w C:\Program Files\Pink Floyd.dll
9/13/2003 2:45 18,192 ----a-w C:\Program Files\Pink Floyd.dat
.
----a-w 445,952 2007-12-31 16:36:57 C:\Documents and Settings\Administrator.BRUCEHOME\Desktop\bruces stuff\Lexmark X5100 Series\lxbabmgr .exe
----a-w 79,224 2008-01-04 06:42:05 C:\Program Files\Alwil Software\Avast4\ashDisp .exe
----a-w 445,952 2007-12-31 16:36:57 C:\Program Files\Lexmark X5100 Series\lxbabmgr .exe
----a-w 1,694,208 2008-01-03 22:14:31 C:\Program Files\Messenger\msmsgs .exe
----a-w 15,360 2008-01-03 01:59:01 C:\WINDOWS\system32\ctfmon .exe



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22ee8a8a-49b8-4840-9ee0-81b3f6b47ec6}]
C:\WINDOZE\system32\uflxsuds.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS="C:\Program Files\Messenger\msmsgs.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
IgfxTray="C:\WINDOZE\system32\igfxtray.exe" [ ]
HotKeysCmds="C:\WINDOZE\system32\hkcmd.exe" [ ]
SoundMan="SOUNDMAN.EXE" [2002-06-29 18:05 46592 C:\WINDOZE\SOUNDMAN.EXE]
VirusScannerPro="C:\PROGRA~1\AVANQU~1\SYSTEM~1\MemCheck.exe" [ ]
b06aa6a4="C:\WINDOZE\system32\qanskxer.dll" [ ]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R3 KFilter;KFilter;C:\PROGRA~1\AVANQU~1\SYSTEM~1\KFilter.sys [2007-09-05 10:54]
R3 MailScan;MailScan;C:\PROGRA~1\AVANQU~1\SYSTEM~1\MailScan.sys [2007-09-11 02:32]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 21:22:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-04 21:29:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-05 02:28:55
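A triage check suggested by the VundoFix log in post #8 and the ComboFix log above (an added example, not part of this thread and not code from VundoFix, SDFix or ComboFix): in both logs the Vundo DLL and its companion .ini have mirror-image base names (gebyw.dll / wybeg.ini, qanskxer.dll / rexksnaq.ini), and the Run value that loads the DLL has a bare hex name (b06aa6a4). The script below pulls file paths and Run entries out of log text and reports both patterns; the sample text is constructed from lines quoted in this thread, and reading an empty `[ ]` as "ComboFix found no file details" is an assumption.

```python
"""Flag reversed-name file pairs and hex-named Run values in posted scan logs."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the VundoFix and ComboFix logs in
# this thread (file names and the Run value appear there as shown here).
SAMPLE_LOG = r"""
Listing files found while scanning....

C:\windows\system32\gebyw.dll
C:\windows\system32\wybeg.ini
C:\windows\system32\wybeg.ini2

2008-01-04 15:04 . 2008-01-04 18:07 1,043,860 ---hs---- C:\WINDOZE\system32\rexksnaq.ini
2008-01-04 01:56 . 2003-06-05 20:13 53,248 --a------ C:\WINDOZE\system32\Process.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SoundMan="SOUNDMAN.EXE" [2002-06-29 18:05 46592 C:\WINDOZE\SOUNDMAN.EXE]
b06aa6a4="C:\WINDOZE\system32\qanskxer.dll" [ ]
"""

# A drive-letter path running up to whitespace, quotes or brackets. Paths
# containing spaces are cut at the first space; the last component is what
# matters here, and Vundo's random names never contain spaces.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"'\[\]<>]+")

# ComboFix "Reg Loading Points" line: Name="path" [file details or empty].
RUN_RE = re.compile(
    r'^(?P<name>[^=\s]+)="(?P<path>[^"]*)"\s*\[(?P<info>[^\]]*)\]\s*$', re.M
)


def extract_paths(text):
    """Every drive-letter path mentioned anywhere in the log text."""
    return PATH_RE.findall(text)


def stem_and_ext(path):
    """Lower-cased (stem, ext) of a path's final component."""
    name = path.rsplit("\\", 1)[-1]
    if "." in name:
        stem, ext = name.rsplit(".", 1)
        return stem.lower(), ext.lower()
    return name.lower(), ""


def find_mirror_pairs(text, min_len=4):
    """Return sorted (name_a, name_b) pairs whose stems are reverses of each other.

    Only purely alphabetic stems of at least min_len characters are considered,
    which skips system32, $hf_mig$ and similar names; palindromic stems are
    ignored because a name mirroring itself is not the pattern being hunted.
    """
    by_stem = defaultdict(set)
    for path in extract_paths(text):
        stem, ext = stem_and_ext(path)
        if len(stem) >= min_len and stem.isalpha():
            by_stem[stem].add(f"{stem}.{ext}" if ext else stem)
    pairs = set()
    for stem, names in by_stem.items():
        mirror = stem[::-1]
        # 'stem < mirror' reports each pair once rather than in both orders.
        if mirror in by_stem and mirror != stem and stem < mirror:
            for a in names:
                for b in by_stem[mirror]:
                    pairs.add((a, b))
    return sorted(pairs)


def find_hex_named_run_values(text):
    """Run-key values whose name is a bare 8-digit hex string (as b06aa6a4 above).

    Returns (value_name, path) tuples. Assumption: an empty '[ ]' after the
    path means ComboFix could not read details for the file; that detail is
    only reported, not required for a hit.
    """
    hits = []
    for match in RUN_RE.finditer(text):
        if re.fullmatch(r"[0-9a-f]{8}", match.group("name")):
            hits.append((match.group("name"), match.group("path")))
    return hits


if __name__ == "__main__":
    for a, b in find_mirror_pairs(SAMPLE_LOG):
        print(f"mirror-name pair: {a} <-> {b}")
    for name, path in find_hex_named_run_values(SAMPLE_LOG):
        print(f"hex-named Run value: {name} -> {path}")
```

On the sample it reports gebyw.dll paired with both wybeg.ini and wybeg.ini2, qanskxer.dll paired with rexksnaq.ini, and the b06aa6a4 Run value; paste a full posted log into SAMPLE_LOG to run the same check over it.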



