Infected With A Virus


This topic is locked. 16 replies to this topic.

#1 debrahale (Members, 11 posts)

Posted 17 March 2008 - 02:26 PM

Hello,

I keep getting fake security pop-ups and need help in removing the virus. I do not know exactly what kind, but here is my HijackThis log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:35:14 PM, on 3/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\dlbucoms.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Administrator.STUDENT-C48B2E3\Local Settings\Temporary Internet Files\Content.IE5\XEIYTRQ7\stinger[1].exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: etlrlws - {25485FED-AF05-4B71-A543-BB24FCECA3DD} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [DLBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoftware.com/activescan (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O21 - SSODL: altvxvm - {3741DCF9-69C3-4DB8-A067-4D2AB5AB819D} - C:\WINDOWS\altvxvm.dll
O21 - SSODL: bokpkov - {A533A2B5-875D-4FBE-B2D8-FC77327D2E85} - C:\WINDOWS\bokpkov.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 5389 bytes


#2 miekiemoes, Malware Killer Dog (Malware Response Team, 19,420 posts, Belgium)

Posted 18 March 2008 - 08:03 AM

Hi,

I understand that you need help in order to get rid of the malware that is present on your system, but you need to help us first.
I notice that you never scanned with an antivirus before starting this thread, because you don't even have an antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free antivirus.

Perform a full scan with Avira and let it delete everything it finds.
Then reboot.
After the reboot, open Avira and select "Reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.
Then we'll start from there, because otherwise it really makes no sense for us to clean this up manually when no antivirus scanner is present; one should be able to deal with most of this and prevent further reinfection.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 debrahale, Topic Starter (Members, 11 posts)

Posted 24 March 2008 - 10:53 AM

Hello,

I have tried to install the Avira program you instructed me to, and the response I received was that I have an earlier version that needs to be uninstalled before it can set up. I looked in Control Panel under installed programs and Avira is not present. What shall I do now?

#4 miekiemoes, Malware Killer Dog (Malware Response Team, 19,420 posts, Belgium)

Posted 24 March 2008 - 10:54 AM

Hi,

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.


#5 debrahale, Topic Starter (Members, 11 posts)

Posted 24 March 2008 - 05:21 PM

Hello again,

I have managed to do exactly as you instructed and here are my results. Once again, thank you kindly for helping me in this matter.


2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Adobe Reader 8.1.2
avast! Antivirus
Compatibility Pack for the 2007 Office system
Conexant D850 56K V.9x DFVc Modem
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
HijackThis 2.0.2
Intel® Extreme Graphics Driver
Java™ 6 Update 5
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office Live Add-in beta
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
neroxml
Security Update for Excel 2007 (KB946974)
Security Update for Office 2007 (KB947801)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows XP (KB944533)
SoundMAX
Windows Communication Foundation
Windows Imaging Component
Windows Internet Explorer 7
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
WinRAR archiver

Edited by debrahale, 24 March 2008 - 05:22 PM.


#6 miekiemoes, Malware Killer Dog (Malware Response Team, 19,420 posts, Belgium)

Posted 24 March 2008 - 05:24 PM

Hi,

I see you have avast! Antivirus installed.
Anyway, can you post a new HijackThis log, because it's confusing now.
Then we'll deal with the rest.

#7 debrahale, Topic Starter (Members, 11 posts)

Posted 24 March 2008 - 11:33 PM

Hello,

Here is my new HijackThis log. I downloaded avast! when I could not do Avira. Sorry!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:44 AM, on 3/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dlbucoms.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\msconfig.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [DRam prosessor] msconfig.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunServices: [DRam prosessor] msconfig.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O21 - SSODL: altvxvm - {3741DCF9-69C3-4DB8-A067-4D2AB5AB819D} - C:\WINDOWS\altvxvm.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe

--
End of file - 3915 bytes
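A heuristic first pass over HijackThis lines like the ones in the two logs above, added here as an example; it is not code from the thread's participants, from BleepingComputer, or from the HijackThis tool. The flagging rules (a start or search page on a host outside a small trusted list, a Run/RunServices value that launches msconfig.exe or another system tool, an O21 SSODL DLL sitting directly in the Windows directory rather than under system32, an O24 Active Desktop component loaded from a local file, and "(no file)" orphans) and the trusted-host list are assumptions chosen to match what stands out in these logs; the sample lines are copied from the logs posted in this thread.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example for this thread; it is not code from the thread's participants,
BleepingComputer or the HijackThis tool.  The rules are reviewer heuristics
(assumptions), not HijackThis's own logic.
"""
import re
from urllib.parse import urlparse

# Assumption: hosts a stock Windows XP / IE7 install points its start and
# search pages at.  Any other host on an R0/R1 line gets flagged.
TRUSTED_PAGE_HOSTS = {"go.microsoft.com", "www.microsoft.com", "www.google.com"}

# Windows tools that no legitimate installer launches from a Run key under
# an unrelated name; malware copies itself under these names to blend in.
SYSTEM_TOOLS = {"msconfig.exe", "regedit.exe", "cmd.exe"}

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"= (?P<url>\S+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SSODL_RE = re.compile(r"^SSODL: (?P<name>\S+) - \{[^}]*\} - (?P<path>.*)$")
# A DLL sitting directly in the Windows directory (not system32 or a subfolder).
WINROOT_DLL_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.dll$", re.IGNORECASE)


def _exe_basename(cmd):
    """Return the lower-cased file name of the program an O4 command launches."""
    cmd = cmd.strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[-1].lower()


def _check_line(kind, body):
    """Apply the rule set to one parsed HJT line; return (severity, reason) or None."""
    if kind in ("R0", "R1"):
        m = URL_RE.search(body)
        host = urlparse(m.group("url")).hostname if m else None
        if host and host.lower() not in TRUSTED_PAGE_HOSTS:
            return "high", f"start/search page points at untrusted host {host}"
        return None
    if "(no file)" in body or "(file missing)" in body:
        return "low", "orphaned entry (target missing); harmless, but worth removing"
    if kind == "O4":
        m = RUN_RE.match(body)
        if m and _exe_basename(m.group("cmd")) in SYSTEM_TOOLS:
            return "high", f"[{m.group('name')}] launches {_exe_basename(m.group('cmd'))} at startup"
        if m and m.group("key") == "RunServices":
            return "medium", "RunServices is a Windows 9x-era key; review who added this entry"
        return None
    if kind == "O21":
        m = SSODL_RE.match(body)
        if m and WINROOT_DLL_RE.match(m.group("path").strip()):
            return "high", f"shell service object {m.group('name')} loads a DLL from the Windows root"
        return None
    if kind == "O24" and "file:///" in body.lower():
        return "high", "Active Desktop component loads local HTML (matches the fake security warning symptom)"
    return None


def triage(log_text):
    """Parse HJT lines and return the findings (dicts) in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        hit = _check_line(m.group("kind"), m.group("body"))
        if hit:
            findings.append({"severity": hit[0], "kind": m.group("kind"),
                             "reason": hit[1], "line": raw.strip()})
    return findings


# Sample input: lines copied from the two HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: etlrlws - {25485FED-AF05-4B71-A543-BB24FCECA3DD} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [DRam prosessor] msconfig.exe
O4 - HKLM\..\RunServices: [DRam prosessor] msconfig.exe
O21 - SSODL: altvxvm - {3741DCF9-69C3-4DB8-A067-4D2AB5AB819D} - C:\WINDOWS\altvxvm.dll
O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['kind']:4} {f['reason']}\n       {f['line']}")
```

Run as-is it prints six findings: the redirected start page, the "DRam prosessor" entries launching msconfig.exe from both Run and RunServices, the altvxvm.dll shell service object and the local-file desktop component come out as high, while the "(no file)" toolbar is only leftover clutter. The Java and Dell lines produce nothing, which is the point of the trusted-host and system32 checks: the rules are meant to cut a long log down to the handful of lines a responder should look at first, not to pronounce anything clean.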

#8 miekiemoes, Malware Killer Dog (Malware Response Team, 19,420 posts, Belgium)

Posted 25 March 2008 - 01:10 AM

Hi,

I see you are running TeaTimer.
I suggest you disable it, because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer <== click me for instructions.
After you have disabled TeaTimer, download ResetTeaTimer.bat to your desktop. (In case you use Firefox, right-click the link and choose "Save as".)
Double-click ResetTeaTimer.bat and let it run.
This will only take a few seconds.

Then:

* Download SDFix and save it to your Desktop.

* Double-click SDFix.exe and it will extract the files to %systemdrive%
(the drive that contains the Windows directory, typically C:\SDFix).

* Reboot into Safe Mode (without networking support!)
To get into Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that will appear and press Enter.
  • Open the extracted SDFix folder and double-click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
  • Press any key and it will restart the PC.
  • When the PC restarts, the fix tool will run again and complete the removal process, then display "Finished"; press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to the clipboard, ready for posting back on the forum).
  • Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.


#9 debrahale, Topic Starter (Members, 11 posts)

Posted 25 March 2008 - 09:33 PM

Hello,

Here are the files you wanted.

SDFix: Version 1.161

Run by Administrator on Tue 03/25/2008 at 10:34 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\ADMINI~1.STU\Desktop\SDFix\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting


Checking Files :

Trojan Files Found:

C:\DOCUME~1\ADMINI~1.STU\LOCALS~1\Temp\ac8zt2.dat - Deleted
C:\WINDOWS\altvxvm.dll - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-25 22:41:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\WINDOWS\\system32\\dlbucoms.exe"="C:\\WINDOWS\\system32\\dlbucoms.exe:*:Enabled:Dell_942 Server"
"C:\\WINDOWS\\system32\\msconfig.exe"="C:\\WINDOWS\\system32\\msconfig.exe:*:Enabled:msconfig"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\DOCUME~1\ADMINI~1.STU\Desktop\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 13 Jun 2007 1,328,655 ..SHR --- "C:\WINDOWS\system32\msconfig.exe"
Tue 29 Jan 2008 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 27 Jan 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 12 Mar 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Tue 18 Mar 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp"
Mon 24 Mar 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bc066f3f60df1b38218903dd0d40ce98\BIT5.tmp"
Mon 28 Jan 2008 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"

Finished!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:03 PM, on 3/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dlbucoms.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe

--
End of file - 3856 bytes

#10 miekiemoes, Malware Killer Dog (Malware Response Team, 19,420 posts, Belgium)

Posted 26 March 2008 - 03:22 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#11 debrahale, Topic Starter (Members, 11 posts)

Posted 26 March 2008 - 07:14 AM

Hello, I have done what you instructed. Here are my logs.


ComboFix 08-03-25.4 - Administrator 2008-03-26 8:21:56.20 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.81 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator.STUDENT-C48B2E3\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.

2008-03-25 22:31 . 2008-03-25 22:31 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-25 22:12 . 2008-03-25 06:29 <DIR> d-------- C:\SDFix
2008-03-25 21:57 . 2008-03-25 21:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-24 12:20 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-03-24 12:20 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-03-24 12:20 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-03-24 12:20 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-24 12:20 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-03-24 12:20 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-24 12:20 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-24 12:20 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-24 12:19 . 2008-03-24 12:19 <DIR> d-------- C:\Program Files\Alwil Software
2008-03-24 00:42 . 2008-03-24 00:50 <DIR> d-------- C:\Program Files\Trojan Remover
2008-03-24 00:42 . 2008-03-24 00:42 <DIR> d-------- C:\Documents and Settings\Administrator.STUDENT-C48B2E3\Application Data\Simply Super Software
2008-03-24 00:42 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-03-23 15:33 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-23 15:32 . 2008-03-23 15:32 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-23 13:45 . 2008-03-23 13:45 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-03-23 13:40 . 2008-03-23 13:40 <DIR> d-------- C:\Program Files\MSBuild
2008-03-23 13:38 . 2008-03-23 13:38 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-03-22 20:50 . 2008-03-22 20:57 105,467,633 --a------ C:\Program Files\jstudio_ent81-ml-windows.exe
2008-03-21 21:05 . 2008-03-21 21:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-21 19:55 . 2008-03-21 20:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-03-21 12:06 . 2008-03-21 12:06 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-20 16:36 . 2008-03-20 16:36 <DIR> d-------- C:\WINDOWS\system32\Resource
2008-03-20 16:36 . 2008-03-20 16:36 <DIR> d-------- C:\Program Files\Citrix
2008-03-18 01:57 . 2008-03-18 01:57 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-03-17 17:36 . 2008-03-17 17:36 <DIR> d-------- C:\Program Files\BitTorrent
2008-03-17 16:34 . 2008-03-17 16:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-17 09:41 . 2008-03-18 01:58 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-03-17 09:41 . 2008-03-18 01:58 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-03-16 20:21 . 2008-03-25 21:50 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-16 18:45 . 2008-03-16 18:45 <DIR> d-------- C:\9497df7b6cd493cf010497c14a
2008-03-16 15:52 . 2008-03-17 15:05 <DIR> d-------- C:\DVD
2008-03-16 13:46 . 2008-03-16 13:46 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-03-16 12:34 . 2008-03-16 12:34 <DIR> d-------- C:\spoolerlogs
2008-03-15 21:50 . 2008-03-15 22:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-15 21:44 . 2008-03-15 22:08 <DIR> d-------- C:\Documents and Settings\Administrator.STUDENT-C48B2E3\Application Data\Symantec
2008-03-15 20:41 . 2008-03-15 20:41 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-03-14 20:34 . 2008-03-14 20:34 <DIR> d-------- C:\Documents and Settings\Administrator.STUDENT-C48B2E3\Application Data\TuneUp Software
2008-03-14 20:33 . 2008-03-14 20:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-03-14 19:45 . 2008-03-14 19:45 <DIR> d-------- C:\Program Files\ASCII
2008-03-14 19:45 . 2000-05-16 10:40 83,968 --a------ C:\WINDOWS\UnGins.exe
2008-03-13 12:46 . 2008-03-13 12:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\The Filter
2008-03-13 01:21 . 2008-03-13 01:31 <DIR> d-------- C:\Documents and Settings\Administrator.STUDENT-C48B2E3\Application Data\DivX
2008-03-02 19:56 . 2008-03-10 18:27 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-02-28 23:23 . 2008-03-02 19:55 21,840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2008-02-28 23:23 . 2008-03-02 19:55 17,212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2008-02-28 23:23 . 2008-03-02 19:55 12,067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2008-02-28 20:18 . 2008-03-24 14:42 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-02-27 23:00 . 2000-04-21 04:52 844,048 --a------ C:\WINDOWS\system32\Msdxm6.ocx
2008-02-27 23:00 . 2002-12-12 01:14 602,624 --a------ C:\WINDOWS\system32\dx7vbC.dll
2008-02-27 23:00 . 2001-06-26 20:35 131,072 --a------ C:\WINDOWS\system32\ARButton.ocx
2008-02-27 23:00 . 1999-03-29 07:34 110,595 --a------ C:\WINDOWS\system32\Msscript1.ocx
2008-02-27 23:00 . 2002-01-17 05:22 102,400 --a------ C:\WINDOWS\system32\cpvButton.ocx
2008-02-27 23:00 . 2001-04-07 17:43 65,536 --a------ C:\WINDOWS\system32\FoxCBmp3.dl
2008-02-27 23:00 . 1998-06-14 03:53 44,544 --a------ C:\WINDOWS\system32\Gif89.dll
2008-02-27 22:43 . 2008-02-27 22:49 <DIR> d-------- C:\Program Files\Platform Studio
2008-02-27 21:58 . 2008-03-17 14:45 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-02-27 21:58 . 2008-03-17 14:45 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-02-27 21:58 . 2008-03-17 14:45 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-02-27 21:58 . 2008-03-17 14:45 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-02-27 21:58 . 2008-03-17 14:45 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-02-27 21:58 . 2008-03-17 14:45 749 -rah----- C:\WINDOWS\system32\cdplayer.exe.manifest
2008-02-27 16:16 . 2008-02-27 22:16 <DIR> d-------- C:\Documents and Settings\Administrator.STUDENT-C48B2E3\Application Data\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-26 02:15 --------- d-----w C:\Documents and Settings\Administrator.STUDENT-C48B2E3\Application Data\BitTorrent
2008-03-26 01:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-25 04:13 --------- d-----w C:\Program Files\DivX
2008-03-24 14:57 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-03-23 19:33 --------- d-----w C:\Program Files\Java
2008-03-22 15:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-22 00:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-18 23:14 --------- d-----w C:\Program Files\MSN Games
2008-03-18 23:13 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-18 06:27 --------- d-----w C:\Documents and Settings\Administrator.STUDENT-C48B2E3\Application Data\Yahoo!
2008-03-17 22:04 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-17 19:09 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-03-17 19:04 --------- d-----w C:\Program Files\Yahoo!
2008-03-17 13:33 --------- d-----w C:\Program Files\dl_Cats
2008-03-16 21:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-16 02:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-23 18:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-02-23 00:40 --------- d-----w C:\Program Files\Google
2008-02-23 00:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-21 14:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Go Go Gourmet
2008-02-21 04:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-21 03:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-02-21 03:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\SITEguard
2008-02-21 02:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Zylom
2008-02-21 02:10 --------- d-----w C:\Documents and Settings\Administrator.STUDENT-C48B2E3\Application Data\LimeWire
2008-02-21 02:05 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-02-21 02:05 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-02-21 02:05 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-02-21 02:05 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-02-21 02:04 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-02-21 02:04 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-02-21 02:04 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-02-21 02:04 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-02-21 02:04 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-02-21 02:04 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-02-21 02:04 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-02-21 02:04 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-02-21 02:04 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-02-21 02:04 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-02-21 02:04 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-02-21 02:04 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-02-21 02:03 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-02-21 02:03 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-02-21 00:24 --------- d-----w C:\Documents and Settings\Administrator.STUDENT-C48B2E3\Application Data\Smart PC Solutions
2008-02-20 23:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-02-20 23:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Meal Memo Free View
2008-02-20 20:47 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-20 18:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Drivers Headquarters
2008-02-20 03:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\AGS Demo Game
2008-02-20 03:32 --------- d-----w C:\Program Files\001
2008-02-19 23:15 --------- d-----w C:\Documents and Settings\Administrator.STUDENT-C48B2E3\Application Data\WinPatrol
2008-02-19 20:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\ConeXware
2008-02-18 07:06 --------- d-----w C:\Program Files\IrfanView
2008-02-17 02:42 38,797,312 ----a-w C:\Program Files\sol-10-u4-ga-x86-v1.exe
2008-02-17 02:23 351,606 ----a-w C:\Program Files\sdm-2_0-windows-i586.exe
2008-02-16 14:50 65,536 ----a-w C:\WINDOWS\IFinst27.exe
2008-02-16 07:24 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-02-16 07:24 249,856 ------w C:\WINDOWS\Setup1.exe
2008-02-16 02:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-02-16 02:15 --------- d-----w C:\Program Files\Conduit
2008-02-14 07:54 --------- d-----w C:\Documents and Settings\Administrator.STUDENT-C48B2E3\Application Data\ICAClient
2008-02-14 07:44 --------- d-----w C:\Documents and Settings\Administrator.STUDENT-C48B2E3\Application Data\GetRight
2008-02-14 07:38 --------- d-----w C:\Documents and Settings\Administrator.STUDENT-C48B2E3\Application Data\GetRightToGo
2008-02-10 21:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2008-02-10 03:08 --------- d-----w C:\Documents and Settings\Administrator.STUDENT-C48B2E3\Application Data\iWin
2008-02-09 04:05 --------- d-----w C:\Documents and Settings\Administrator.STUDENT-C48B2E3\Application Data\PlayFirst
2008-02-05 05:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-02-04 05:08 --------- d-----w C:\Documents and Settings\Administrator.STUDENT-C48B2E3\Application Data\EA
2008-02-03 19:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-02-03 19:03 --------- d-----w C:\Documents and Settings\Administrator.STUDENT-C48B2E3\Application Data\Sandlot Games
2008-02-01 03:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Flood Light Games
2008-02-01 03:10 --------- d-----w C:\Documents and Settings\Administrator.STUDENT-C48B2E3\Application Data\Flood Light Games
2008-01-28 20:33 --------- d--h--w C:\Documents and Settings\All Users\Application Data\GTek
2008-01-28 20:33 --------- d--h--w C:\Documents and Settings\Administrator.STUDENT-C48B2E3\Application Data\GTek
2008-01-26 04:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\FloodLightGames
2008-01-26 04:42 --------- d-----w C:\Documents and Settings\Administrator.STUDENT-C48B2E3\Application Data\FloodLightGames
2008-01-14 18:50 155,648 ----a-w C:\WINDOWS\system32\igfxtray .exe
2008-01-07 01:06 3,120 ----a-w C:\WINDOWS\system32\2d2ca2ce-704a-428c-8cbe-0736b29190aa.dll
2007-06-13 10:23 1,328,655 --sh--r C:\WINDOWS\system32\msconfig.exe
.
----a-w		   437,160 2008-01-14 23:59:08  C:\Program Files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
----a-w		 1,694,208 2008-01-14 18:50:48  C:\Program Files\Messenger\msmsgs .exe
----a-w			33,648 2008-01-14 15:40:38  C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
----a-w		   155,648 2008-01-14 18:50:41  C:\WINDOWS\system32\igfxtray .exe


((((((((((((((((((((((((((((( snapshot_2008-03-24_17.19.00.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-25 10:28:52 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-03-26 02:32:03 4,407,296 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-03-26 02:32:03 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-03-25 10:28:52 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-03-26 02:31:49 4,407,296 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-03-26 02:31:49 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2008-03-26 01:59:08 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2008-03-26 01:59:08 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2008-03-26 01:59:08 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2008-03-26 01:59:08 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
+ 2007-07-11 17:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 16:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 16:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
- 2008-03-24 18:45:34 274,168 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-03-26 02:40:14 274,168 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-12-14 15:32:52 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
- 2000-08-31 13:00:00 136,704 ----a-w C:\WINDOWS\system32\swsc.exe
+ 2000-08-31 12:00:00 136,704 ----a-w C:\WINDOWS\system32\swsc.exe
- 2000-08-31 13:00:00 212,480 ----a-w C:\WINDOWS\system32\swxcacls.exe
+ 2000-08-31 12:00:00 212,480 ----a-w C:\WINDOWS\system32\swxcacls.exe
- 2000-08-31 13:00:00 49,152 ----a-w C:\WINDOWS\system32\VFind.exe
+ 2000-08-31 12:00:00 49,152 ----a-w C:\WINDOWS\system32\VFind.exe
+ 2008-03-26 02:52:31 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_4a8.dat
+ 2008-03-26 02:40:36 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_50c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 09:59 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 09:59 126976]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"NoStartMenuPinnedList"= 0 (0x0)
"NoStartMenuMFUprogramsList"= 0 (0x0)
"NoUserNameInStartMenu"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinters"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\WINDOWS\\system32\\dlbucoms.exe"=
"C:\\WINDOWS\\system32\\msconfig.exe"=

S3 ProtoWall;ProtoWall Defender;C:\WINDOWS\system32\DRIVERS\ProtoWall.sys []
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 XDva076;XDva076;C:\WINDOWS\system32\XDva076.sys []

*Newly Created Service* - IDSVC
.
Contents of the 'Scheduled Tasks' folder
"2008-03-22 01:18:56 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-26 08:24:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-03-26 8:25:55
ComboFix-quarantined-files.txt 2008-03-26 12:25:38
ComboFix2.txt 2008-03-25 04:24:33
ComboFix3.txt 2008-03-25 03:56:53
ComboFix4.txt 2008-03-24 21:19:49
ComboFix5.txt 2008-03-24 14:35:51
.
2008-03-24 18:43:29 --- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:30:26 AM, on 3/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dlbucoms.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe

--
End of file - 4128 bytes

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:13 PM

Posted 26 March 2008 - 07:25 AM

Hi,

First of all... not sure where you have read the instructions to use Combofix, but the first step required before you run it is to install the Recovery Console.
Read here how to do this with Combofix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

The reason why Recovery Console is recommended is because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged. Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

Then, open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\WINDOWS\system32\2d2ca2ce-704a-428c-8cbe-0736b29190aa.dll
C:\WINDOWS\system32\msconfig.exe
RENV::
C:\Program Files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
C:\WINDOWS\system32\igfxtray .exe
Driver::
XDva076
SymIMMP
SymIM
ProtoWall
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:0000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\msconfig.exe"=-


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
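The CFScript above targets three things that are visible in the ComboFix output earlier in the thread: file names with a space before the extension (the `RENV::` entries such as `igfxtray .exe`), `msconfig.exe` carrying the system and hidden attribute bits (`--sh--r`), and `DisableMonitoring` set to 1 under the Security Center `Monitoring` keys, which suppresses the Security Center's antivirus and firewall warnings. The following Python script is an added example, written for this page and not part of the original post or of ComboFix, that reads listing and registry text in the layout ComboFix prints and flags exactly those three patterns so a helper can triage a log before writing a script. The sample lines are constructed for the example (modelled on this thread's log, with invented timestamps), and the attribute-letter and key-name conventions are assumptions drawn from the log format shown on the page.

```python
import re
from typing import Dict, List

# Constructed sample in the layout ComboFix uses for its file listings
# (attributes, size, date, time, path). Timestamps are invented; the paths
# mirror the kinds of entries the CFScript in this thread targeted.
SAMPLE_LISTING = r"""
----a-w   437,160 2008-01-14 23:59:08  C:\Program Files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
----a-w 1,694,208 2008-01-14 18:50:48  C:\Program Files\Messenger\msmsgs .exe
----a-w   155,648 2008-01-14 18:50:41  C:\WINDOWS\system32\igfxtray .exe
--sh--r 1,328,655 2007-06-13 10:23:00  C:\WINDOWS\system32\msconfig.exe
----a-w   126,976 2005-10-19 09:59:00  C:\WINDOWS\system32\hkcmd.exe
"""

# Constructed sample in REGEDIT4 layout, as the "Reg Loading Points" section prints it.
SAMPLE_REGISTRY = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)
"""

# One listing line: 7-character attribute field, size with thousands separators,
# date, time, then the path (which may itself contain spaces).
LISTING_RE = re.compile(
    r"^(?P<attrs>[-a-zA-Z]{7})\s+(?P<size>[\d,]+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<path>.+?)\s*$"
)
# A space immediately before the final extension: "igfxtray .exe" reads like
# igfxtray.exe at a glance but is a different file sitting beside the real one.
SPACE_BEFORE_EXT_RE = re.compile(r" \.[A-Za-z0-9]{1,4}$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.+?)\s*$')


def parse_listing(text: str) -> List[Dict[str, str]]:
    """Turn listing lines into dicts; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LISTING_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_space_before_extension(entries: List[Dict[str, str]]) -> List[str]:
    """Paths whose file name has a space right before the extension."""
    return [e["path"] for e in entries if SPACE_BEFORE_EXT_RE.search(e["path"])]


def find_hidden_system_executables(entries: List[Dict[str, str]]) -> List[str]:
    """Executables carrying both the system (s) and hidden (h) attribute letters."""
    return [
        e["path"] for e in entries
        if "s" in e["attrs"] and "h" in e["attrs"] and e["path"].lower().endswith(".exe")
    ]


def find_disabled_security_center_monitoring(reg_text: str) -> List[str]:
    """Security Center Monitoring keys whose DisableMonitoring value is dword 1."""
    hits, current_key = [], None
    for line in reg_text.splitlines():
        km = KEY_RE.match(line)
        if km:
            current_key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if vm and current_key and r"security center\monitoring" in current_key.lower():
            if vm.group("name") == "DisableMonitoring" and vm.group("data") == "dword:00000001":
                hits.append(current_key)
    return hits


def audit(listing: str, registry: str) -> Dict[str, List[str]]:
    """Run all three checks and return the findings grouped by category."""
    entries = parse_listing(listing)
    return {
        "space_before_extension": find_space_before_extension(entries),
        "hidden_system_executables": find_hidden_system_executables(entries),
        "security_center_monitoring_disabled": find_disabled_security_center_monitoring(registry),
    }


if __name__ == "__main__":
    for category, items in audit(SAMPLE_LISTING, SAMPLE_REGISTRY).items():
        print(category)
        for item in items:
            print("   ", item)
```

Run it on a saved ComboFix log by passing the listing and registry sections to `audit()`; anything it reports is a candidate for a manual look, not an automatic verdict, since legitimate software can also set hidden or system attributes.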

#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:13 PM

Posted 02 April 2008 - 12:25 PM

Still with us?

#14 debrahale

debrahale
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:13 PM

Posted 02 April 2008 - 01:09 PM

Yes, I have to wait until payday in order to do exactly what you instructed me to do. Please be patient, and thank you for your help thus far.

Thank You Kindly!

#15 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:13 PM

Posted 02 April 2008 - 01:44 PM

Ok, no problem. I read you later :thumbsup:
