Smitfraud-c Keeps Reappearing. Can Not Destroy.


1 reply to this topic

#1 Iris_Tim

Posted 01 February 2008 - 11:01 PM

Hey Guys, I've been tearing my hair out trying to kill this little bugger. No luck, perhaps you can help. HJT and ComboFix logs to follow.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:18 PM, on 2/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6C09FF3E-FEA5-40A0-A683-1C7CB9FB1A9D} - C:\Program Files\Windows Media Player\mevog83122.dll (file missing)
O2 - BHO: (no name) - {E97F3FD1-A046-4148-83A7-EBD0A58575EC} - C:\Program Files\Windows Media Player\mevog4444.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon BJ Memory Card Manager (Bjmcmng) - CANON INC. - C:\Program Files\Canon\BJCard\Bjmcmng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 3384 bytes

----------------------------------------------------

ComboFix 08-02.01.6 - Nick 2008-02-01 19:50:42.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.56 [GMT -7:00]
Running from: C:\Documents and Settings\Nick\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Owner\My Documents\STEM~1
C:\Documents and Settings\Owner\My Documents\STEM~1\??stem\
C:\Documents and Settings\Owner\My Documents\STEM~1\cmd .exe
C:\Documents and Settings\Owner\My Documents\STEM~1\cmd.exe
C:\Program Files\Common Files\crosof~1.net
C:\Program Files\Common Files\crosof~1.net\??rvices.exe
C:\Program Files\outerinfo
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\system32\000080.exe
C:\WINDOWS\system32\awtsr.exe
C:\WINDOWS\system32\b3
C:\WINDOWS\system32\b3\timedrdll2.exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
C:\WINDOWS\system32\e9
C:\WINDOWS\system32\e9\farstadcom2.exe
C:\WINDOWS\system32\hgggeec.dll
C:\WINDOWS\system32\khfeffg.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\p2
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\RCX26.tmp
C:\WINDOWS\system32\RCX28.tmp
C:\WINDOWS\system32\RCX29.tmp
C:\WINDOWS\system32\RCX2A.tmp
C:\WINDOWS\system32\RCX35.tmp
C:\WINDOWS\system32\RCX36.tmp
C:\WINDOWS\system32\RCX3B.tmp
C:\WINDOWS\system32\RCX3E.tmp
C:\WINDOWS\system32\RCX45.tmp
C:\WINDOWS\system32\RCX46.tmp
C:\WINDOWS\system32\RCX47.tmp
C:\WINDOWS\system32\rstwa.ini
C:\WINDOWS\system32\rstwa.ini2
C:\WINDOWS\system32\t8
C:\WINDOWS\system32\t8\tycodllz83122.exe
C:\WINDOWS\system32\wnstssu.exe
C:\WINDOWS\system32\z4
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
hxxp://80.93.59.108
hxxp://au.download.windowsupdate.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_QQD.SYS
-------\qqd.sys


((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

2008-02-01 20:08 . 2008-02-01 20:08 <DIR> d-------- C:\Temp\tn3
2008-02-01 19:52 . 2008-02-01 19:52 91,648 --a------ C:\cp1467.nls
2008-02-01 11:44 . 2008-02-01 11:45 58,883 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-02-01 04:05 . 2008-02-01 04:05 24,064 --a------ C:\WINDOWS\system32\bww.dll
2008-02-01 03:24 . 2008-02-01 03:24 <DIR> d-------- C:\VundoFix Backups
2008-02-01 02:49 . 2008-02-01 19:43 <DIR> d-------- C:\Share
2008-02-01 02:27 . 2008-02-01 02:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-31 22:32 . 2008-02-01 03:15 <DIR> d-------- C:\Documents and Settings\Nick Cappellini\Application Data\AVG7
2008-01-29 10:51 . 2008-01-29 10:51 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-28 15:39 . 2008-01-31 21:08 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-01-28 15:39 . 2008-01-28 15:39 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-28 15:38 . 2008-01-28 15:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-28 15:09 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-01-28 15:09 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-01-28 15:08 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-28 15:08 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-01-13 13:12 . 2008-01-13 13:12 86,016 --a------ C:\WINDOWS\system32\drivers\msteee.sys
2008-01-13 13:11 . 2008-01-13 13:11 <DIR> d-------- C:\WINDOWS\system32\edcA01
2008-01-13 13:11 . 2008-01-13 13:12 <DIR> d-------- C:\Temp\Ryuan1
2008-01-13 12:49 . 2008-01-28 15:06 155,648 --a------ C:\WINDOWS\system32\igfxtray .exe
2008-01-13 12:49 . 2008-01-28 15:06 126,976 --a------ C:\WINDOWS\system32\hkcmd .exe
2008-01-13 12:49 . 2008-02-01 02:57 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-13 12:09 . 2008-01-16 16:46 380,928 --a------ C:\WINDOWS\mrofinu72.exe.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 10:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-29 16:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-29 16:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-29 16:44 --------- d-----w C:\Program Files\Canon
2008-01-29 16:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-29 16:29 --------- d-----w C:\Program Files\Yahoo!
2008-01-28 22:06 --------- d-----w C:\Program Files\QuickTime
2005-08-02 23:46 187,904 --sha-r C:\WINDOWS\TWljaGVsbGUgQ2FwcGVsbGluaQ\asappsrv.dll
2005-08-02 23:58 293,888 --sha-r C:\WINDOWS\TWljaGVsbGUgQ2FwcGVsbGluaQ\command.exe
2005-07-29 23:24 472 --sha-r C:\WINDOWS\TWljaGVsbGUgQ2FwcGVsbGluaQ\nq53u3pPv3o0kZITw3pPv35Ruk.vbs
.
<pre>
----a-w			46,080 2008-01-29 16:43:45  C:\COREL\Office7\Shared\QFinder7\QFSCHED .EXE
----a-w		   716,800 2008-01-28 22:07:00  C:\Program Files\Canon\BJCard\BJLaunch .exe
----a-w		   579,072 2008-02-01 09:57:44  C:\Program Files\Grisoft\AVG7\avgcc .exe
----a-w		   219,136 2008-02-01 10:08:18  C:\Program Files\Grisoft\AVG7\avgw .exe
----a-w		 1,694,208 2008-01-28 22:07:05  C:\Program Files\Messenger\msmsgs .exe
----a-w		   155,648 2008-01-28 22:06:44  C:\Program Files\QuickTime\qttask			.exe
----a-w		   522,752 2008-01-28 22:06:40  C:\Program Files\QuickTime\qttask		   .exe
----a-w		   522,752 2008-01-16 23:46:09  C:\Program Files\QuickTime\qttask		  .exe
----a-w		   522,752 2008-01-15 11:31:39  C:\Program Files\QuickTime\qttask		 .exe
----a-w		   522,752 2008-01-14 12:57:22  C:\Program Files\QuickTime\qttask		.exe
----a-w		   522,752 2008-01-14 12:08:39  C:\Program Files\QuickTime\qttask	   .exe
----a-w		   522,752 2008-01-14 10:57:29  C:\Program Files\QuickTime\qttask	  .exe
----a-w		   522,752 2008-01-14 01:26:14  C:\Program Files\QuickTime\qttask	 .exe
----a-w		   522,752 2008-01-14 01:24:18  C:\Program Files\QuickTime\qttask	.exe
----a-w		   522,752 2008-01-13 23:26:12  C:\Program Files\QuickTime\qttask   .exe
----a-w		   522,752 2008-01-13 23:11:52  C:\Program Files\QuickTime\qttask  .exe
----a-w		   522,752 2008-01-13 23:04:12  C:\Program Files\QuickTime\qttask .exe
----a-w		   500,736 2008-02-01 07:40:07  C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
----a-w			15,360 2008-02-01 09:57:46  C:\WINDOWS\system32\ctfmon .exe
----a-w		   126,976 2008-01-28 22:06:50  C:\WINDOWS\system32\hkcmd .exe
----a-w		   155,648 2008-01-28 22:06:47  C:\WINDOWS\system32\igfxtray .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C09FF3E-FEA5-40A0-A683-1C7CB9FB1A9D}]
C:\Program Files\Windows Media Player\mevog83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E97F3FD1-A046-4148-83A7-EBD0A58575EC}]
C:\Program Files\Windows Media Player\mevog4444.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-01 02:57 1116672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2003-06-18 17:17 54472]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-01 01:41 642560]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-07-31 18:31:54 106560]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="cssaj.exe"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Corel Desktop Application Director.LNK]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Corel Desktop Application Director.LNK
backup=C:\WINDOWS\pss\Corel Desktop Application Director.LNKStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PerfectPrint.LNK]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PerfectPrint.LNK
backup=C:\WINDOWS\pss\PerfectPrint.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ActionScr]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJLaunchEXE]
--a------ 2008-01-16 16:46 1072640 C:\Program Files\Canon\BJCard\BJLaunch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJPD HID Control]
C:\Program Files\Canon\BJPV\TVMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmz]
C:\Program Files\Common Files\??crosoft.NET\??rvices.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2008-01-28 15:06 467968 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2008-01-28 15:06 496640 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\awtsr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Maca]
C:\DOCUME~1\Owner\MYDOCU~1\STEM~1\cmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-01-28 15:06 2226688 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ParisM]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PasswdMon]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule11]
C:\Program Files\QdrModule\QdrModule11.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack11]
C:\Program Files\QdrPack\QdrPack11.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
c:\Corel\Office7\Shared\QFinder7\QFSCHED.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-28 15:06 155648 C:\Program Files\QuickTime\qttask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu72.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sbin]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysSupport]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\userinit]
C:\WINDOWS\system32\ntos.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.6\webbuying.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"svcWRSSSDK"=2 (0x2)
"cmdService"=2 (0x2)

R1 msteee;msteee;C:\WINDOWS\system32\drivers\msteee.sys [2008-01-13 13:12]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-02 03:10:01 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 20:09:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\WinZip\WZQKPICK.EXE
.
**************************************************************************
.
Completion time: 2008-02-01 20:11:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-02 03:11:14
.
2008-01-09 10:02:13 --- E O F ---




Thanks for any help you can provide.
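Three patterns in the logs above are worth flagging mechanically when triaging a HijackThis or ComboFix log like this one: a BHO that is still registered although its DLL is gone (`mevog83122.dll (file missing)`), executables whose name carries whitespace before the extension so they sit beside the genuine file (`qttask .exe`, `ctfmon .exe`), and paths containing characters outside the current code page that render as `??` and mimic system names (`??crosoft.NET\??rvices.exe`). The script below is an added example written for this thread, not something posted by Iris_Tim and not part of HijackThis or ComboFix. The sample lines are a reduced set modelled on the log above; the two O4 lines for `QuickTime Task` and `Cmz` are constructed from paths the ComboFix `msconfig\startupreg` section lists, so the checks have input. The function and pattern names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: HijackThis-style lines modelled on the posted log.
# The 'QuickTime Task' and 'Cmz' O4 lines are constructed here from paths the
# ComboFix log lists under msconfig\startupreg; they are not O4 entries in the post.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6C09FF3E-FEA5-40A0-A683-1C7CB9FB1A9D} - C:\Program Files\Windows Media Player\mevog83122.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKLM\..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask .exe
O4 - HKLM\..\Run: [Cmz] C:\Program Files\Common Files\??crosoft.NET\??rvices.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
"""

ENTRY_RE     = re.compile(r"^(?:O\d+ - |[A-Za-z]:\\)")              # HJT entry or bare path
FILE_MISSING = re.compile(r"\(file missing\)\s*$", re.IGNORECASE)    # HJT's own marker
PADDED_EXT   = re.compile(r"\S\s+\.(?:exe|dll|sys|scr)$", re.IGNORECASE)  # "qttask .exe"
LOOKALIKE    = re.compile(r"\?")                                      # "??crosoft.NET"
IMAGE_RE     = re.compile(r"^(.+?\.(?:exe|dll|sys|scr|lnk))(?:\s|$)", re.IGNORECASE)
USER_SUFFIX  = re.compile(r"\s*\(User '[^']*'\)\s*$")
DRIVE_RE     = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Finding:
    line: str
    path: str
    reasons: List[str] = field(default_factory=list)


def extract_path(line: str) -> Optional[str]:
    """Pull the image path out of one HijackThis line (heuristic for this example).

    O4 lines carry '[name] <image> [args] (User ...)'; other O-lines end with
    ' - <path>' or '...: <path>'. A bare path line is returned as-is.
    """
    if line.startswith("O4 "):
        _, sep, rest = line.partition("] ")
        if not sep:
            return None
        rest = USER_SUFFIX.sub("", rest).strip()
        m = IMAGE_RE.match(rest)
        # Entries with no extension (e.g. 'dumprep 0 -k') fall back to the first token.
        return m.group(1) if m else rest.split(" ")[0]
    last = line.split(" - ")[-1]
    last = FILE_MISSING.sub("", last).strip()
    if ": " in last and not DRIVE_RE.match(last):
        last = last.rsplit(": ", 1)[1].strip()
    return last or None


def triage(log_text: str) -> List[Finding]:
    """Return the entries that match one of the three patterns seen in the log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not ENTRY_RE.match(line):
            continue
        path = extract_path(line)
        if not path:
            continue
        reasons = []
        if FILE_MISSING.search(line):
            reasons.append("registered but file missing (stale BHO/loader registration)")
        if PADDED_EXT.search(path):
            reasons.append("whitespace before extension (sits beside the real file of that name)")
        if LOOKALIKE.search(path):
            reasons.append("unprintable characters in path (lookalike of a system name)")
        if reasons:
            findings.append(Finding(line=line, path=path, reasons=reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.path)
        for r in f.reasons:
            print("   -", r)
```

The flags are triage hints drawn from what the log text itself shows, not verdicts: a padded or lookalike name still has to be checked on disk (size, signature, creation time) before anything is removed, and a "file missing" BHO is a pointer to a loader that something else may be recreating, which is the symptom the thread title describes.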


#2 RichieUK
Malware Response Team

Posted 05 February 2008 - 07:39 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Iris_Tim.
My name is Richie and I'll be helping you to fix your problems.

First please delete the version of Combofix you're using now by doing the following:

Click on Start/Run, copy and paste ComboFix /u into the 'Open:' space, then press Ok.
This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, NOT for private use.
Using this tool incorrectly could render your system/pc inoperable.

Now download Combofix by sUBs and save to your desktop.
Alternative Combofix download link HERE.
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.

Edited by RichieUK, 05 February 2008 - 07:41 AM.
