Hijack This Thread - 2nd Attempt, Don't Know Virus Type


16 replies to this topic

#1 franchise95p

franchise95p

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:37 PM

Posted 22 March 2008 - 02:52 PM

Good afternoon!

Originally, I posted this:

Hello all. I wish I were making my first post here under better circumstances, but any help I can get would be appreciated.

I am currently using AVG Free, AVG Anti-Spyware, Adaware, Spybot S&D, Spyware Blaster, & SpywareGuard. I have something.

I had Nero on my computer, deleted it, realized I needed it to use DVD Shrink, tried scamming a free copy, and the keygen downloader I found screwed me up something royally. I have learned my lesson.

Here is what my vault currently looks like:

Posted Image


And here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:41 PM, on 3/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Documents and Settings\Administrator\Desktop\~SECURITY~\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Documents and Settings\Administrator\Desktop\~SECURITY~\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Documents and Settings\Administrator\Desktop\~SECURITY~\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [BM7fbba6e4] Rundll32.exe "C:\WINDOWS\system32\ogewbbhi.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1147982589956
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Documents and Settings\Administrator\Desktop\~SECURITY~\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe

--
End of file - 6514 bytes

Any help would be GREATLY appreciated.



Original thread


Since then, I have:

-Ran the cleanmgr option per the required thread.
-Scanned with Ad-Aware & Spybot
-Tried using Housecall, only to have it shut down Firefox all 4 times.
-Tried using Panda Anti-Virus, only to have it shut down IE twice.
-Tried using Bit Defender(using IE), only to have it display an error message about connecting.
-Updated & re-ran AVG Free Edition
-Ran Stinger

Log:

McAfee® Stinger Version 3.8.0 built on Sep 10 2007

Copyright © 2007 McAfee, Inc. All Rights Reserved.

Virus data file v1000 created on Sep 10 2007.

Ready to scan for 191 viruses, trojans and variants.



Scan initiated on Sat Mar 22 08:58:48 2008

Number of clean files: 231885


-Installed & ran Sygate Personal Firewall.
-Updated Windows
-Reran HiJack This

New Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:27 PM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Documents and Settings\Administrator\Desktop\~SECURITY~\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Documents and Settings\Administrator\Desktop\~SECURITY~\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Documents and Settings\Administrator\Desktop\~SECURITY~\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [BM7fbba6e4] Rundll32.exe "C:\WINDOWS\system32\xcfxyjnk.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147982589956
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Documents and Settings\Administrator\Desktop\~SECURITY~\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 5871 bytes

I am still getting Spyware Guard browser protection alerts about BHOs - C:\WINDOWS\system32\ddccy.dll as well as my computer closing programs, and the desktop being free of icons, as well as the toolbar. I am also getting new tabs opened in both IE & Firefox, taking me to random sites.

I have also downloaded & run a Virtumondo program, but that came back with 0 results.

Any help would be fantastic.

Thank you.



#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:08:37 PM

Posted 27 March 2008 - 07:34 AM

Hello and welcome to BleepingComputer. :thumbsup:

I apologize for the long delay. Forums are extremely busy.

Please disable SpywareGuard for it may prevent the fixes we are about to do.
Double-click the red SG icon in your system tray.
Click Options.
Under General, uncheck all 3 options, then click "Save Settings"
Close SpywareGuard.
We will re-enable it once your system is clean.

Then....

Please download Combofix to your desktop:
  • Double-click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Hi there, stranger!

#3 franchise95p

franchise95p
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:37 PM

Posted 27 March 2008 - 11:22 PM

ComboFix 08-03-26.3 - Administrator 2008-03-27 20:52:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.83 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
-- Script messages for sUBs --
MTEE /+ d-delA.dat


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM7fbba6e4.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ackbopiu.dll
C:\WINDOWS\system32\arvemgig.dll
C:\WINDOWS\system32\ddccy.dll
C:\WINDOWS\system32\edsyfsrn.dll
C:\WINDOWS\system32\ljvsamtr.dll
C:\WINDOWS\system32\ngvgodny.dll
C:\WINDOWS\system32\ulmcyong.dll
C:\WINDOWS\system32\yccdd.ini
C:\WINDOWS\system32\yccdd.ini2

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-28 )))))))))))))))))))))))))))))))
.

2008-03-22 11:46 . 2008-03-22 11:57 4,485,529,600 --a------ C:\GOODMORN.ISO
2008-03-22 11:12 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-03-22 11:12 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-03-22 11:12 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-03-22 11:12 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-03-22 11:12 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-03-22 11:12 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-03-22 11:12 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-03-22 11:11 . 2008-03-22 11:11 <DIR> d-------- C:\Program Files\Sygate
2008-03-21 20:47 . 2008-03-21 20:47 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-21 20:47 . 2008-03-21 20:47 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-20 20:11 . 2008-03-20 20:06 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-03-20 20:06 . 2008-03-21 06:38 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-03-16 18:53 . 2008-03-16 18:53 <DIR> d-------- C:\VundoFix Backups
2008-03-16 13:02 . 2008-03-16 13:28 4,681,592,832 --a------ C:\310_TO_YUMA.ISO
2008-03-15 10:57 . 2008-03-23 20:14 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-15 09:33 . 2008-03-15 09:33 63 --a------ C:\WINDOWS\system32\7c8887f6
2008-03-15 09:03 . 2008-03-15 09:03 680,960 --a------ C:\WINDOWS\is-K3SGR.exe
2008-03-15 09:03 . 2008-03-15 09:03 10,453 --a------ C:\WINDOWS\is-K3SGR.msg
2008-03-15 09:03 . 2008-03-15 09:03 343 --a------ C:\WINDOWS\is-K3SGR.lst
2008-03-15 00:10 . 2008-03-15 13:34 4,681,437,184 --a------ C:\ASDF.ISO
2008-03-09 13:58 . 2008-03-09 13:58 0 --a------ C:\WINDOWS\Irremote.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-26 10:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-24 03:14 --------- d-----w C:\Program Files\SpywareBlaster
2008-03-24 03:13 --------- d-----w C:\Program Files\SpywareGuard
2008-03-22 18:40 --------- d-----w C:\Program Files\Java
2008-03-22 15:55 --------- d-----w C:\Program Files\Trillian
2008-03-17 01:13 --------- d-----w C:\Program Files\Common Files\Nero
2008-03-17 01:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-03-16 20:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-15 07:18 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-03-07 13:04 --------- d-----w C:\Program Files\DVDFab HD Decrypter 4
2008-03-01 18:24 --------- d-----w C:\Program Files\LimeWire
2008-02-24 20:57 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Nero
2008-02-22 05:44 --------- d-----w C:\Program Files\CDBurnerXP
2008-02-22 04:05 --------- d-----w C:\Program Files\Reference Assemblies
2008-02-22 04:05 --------- d-----w C:\Program Files\MSBuild
2008-02-22 03:57 --------- d-----w C:\Program Files\MSXML 6.0
2008-02-22 03:19 --------- d-----w C:\Program Files\MSXML 4.0
2008-02-21 05:30 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-20 04:44 --------- d-----w C:\Program Files\Ahead
2008-02-19 05:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-18 03:20 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-17 19:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-17 19:27 --------- d-----w C:\Program Files\Lavasoft
2008-02-17 19:27 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-02-17 19:26 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-17 16:33 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-03 04:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\TVU Networks
2008-02-03 04:52 --------- d-----w C:\Documents and Settings\Administrator\Application Data\TVU Networks
2008-01-31 00:10 274,432 ----a-w C:\WINDOWS\system32\libcurl.dll
2007-02-24 18:35 87,608 ----a-w C:\Documents and Settings\Administrator\Application Data\ezpinst.exe
2007-02-24 18:35 47,360 ----a-w C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26DE2CAA-8FFC-4AA3-B1A5-1B80E5FE1339}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70AB0A8B-8A8A-496F-A339-4CD2F3352991}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4FFC19D-F950-445C-AD42-FF3FFD7278D3}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-10-02 13:37 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-10-02 13:19 118784]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-20 21:38 579072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-18 23:01 282624]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 04:01 32768]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"!AVG Anti-Spyware"="C:\Documents and Settings\Administrator\Desktop\~SECURITY~\AVG Anti-Spyware 7.5\avgas.exe" [2007-07-01 11:59 6731312]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 19:39 219136]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 01:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvwvuu]
tuvwvuu.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 21:01:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Documents and Settings\Administrator\Desktop\~SECURITY~\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
.
**************************************************************************
.
Completion time: 2008-03-27 21:07:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-28 04:06:56
Pre-Run: 22,447,345,664 bytes free
Post-Run: 24,864,616,448 bytes free
.
2008-03-12 03:55:31 --- E O F ---

#4 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:08:37 PM

Posted 28 March 2008 - 05:05 AM

Please post a fresh HijackThis log. :thumbsup:
Hi there, stranger!

#5 franchise95p

franchise95p
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:37 PM

Posted 28 March 2008 - 07:44 AM

Done & done:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:43:58 AM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Documents and Settings\Administrator\Desktop\~SECURITY~\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Documents and Settings\Administrator\Desktop\~SECURITY~\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Documents and Settings\Administrator\Desktop\~SECURITY~\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1147982589956
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O20 - Winlogon Notify: tuvwvuu - tuvwvuu.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Documents and Settings\Administrator\Desktop\~SECURITY~\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 6376 bytes

#6 Rawe

Posted 28 March 2008 - 07:57 AM

Hello.

Please disable SpywareGuard.
Double-click the red SG icon in your system tray.
Click Options.
Under General, uncheck all 3 options, then click "Save Settings"
Close SpywareGuard.
We will re-enable it once your system is clean.

---

After done, please rerun a scan with HijackThis and check the following object for removal:

O20 - Winlogon Notify: tuvwvuu - tuvwvuu.dll (file missing)


Now close ALL other open windows and hit FIX CHECKED. Exit HijackThis.

If you are prompted by TeaTimer when hitting fix checked, please allow the registry change.

---

Please do an online scan with Kaspersky WebScanner

Next, click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Standard
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now, under Select a target to scan, select My Computer
  • This program will start to scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post. :thumbsup:

Hi there, stranger!
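The O20 line the helper singled out is the kind of thing a reviewer wants to catch mechanically when reading these logs. The following is an added example, written for this page and not part of the original thread or of HijackThis: a small triage pass over HijackThis-style lines that flags Winlogon Notify packages whose DLL is reported "(file missing)", lists the host each O16 ActiveX download (DPF) entry pulls code from, and flags O23 services with no recorded publisher. The sample lines are copied from the log posted above; the function names and the choice of which entries to flag are mine.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log posted in this
# thread (the O20 line is the one the helper asked to have fixed).
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
O4 - Startup: SpywareGuard.lnk = C:\\Program Files\\SpywareGuard\\sgmain.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O20 - Winlogon Notify: tuvwvuu - tuvwvuu.dll (file missing)
O23 - Service: NMSAccessU - Unknown owner - C:\\Program Files\\CDBurnerXP\\NMSAccessU.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\\Program Files\\Sygate\\SPF\\smc.exe
"""

# HijackThis prefixes every registry/filesystem finding with "Onn - ".
LINE_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_line(line):
    """Return (section, body) for an 'Onn - body' line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(log_text):
    """Return a list of (section, reason, body) for lines that deserve a second look."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        section, body = parsed
        if section == "O16":
            # DPF entries record ActiveX code Internet Explorer downloaded from
            # the URL at the end of the line; the host is what to vet.
            url = body.rsplit(" - ", 1)[-1]
            host = urlparse(url).hostname or url
            findings.append((section, "ActiveX control downloaded from " + host, body))
        elif section == "O20" and "(file missing)" in body:
            # Winlogon Notify DLLs are loaded into winlogon.exe at logon. An entry
            # whose DLL is gone is either a leftover of a removed package or a
            # half-cleaned infection; in both cases the registry value should go.
            findings.append((section, "Winlogon Notify package with missing DLL", body))
        elif section == "O23" and "Unknown owner" in body:
            # A service binary with no publisher string is not proof of anything,
            # but it is worth confirming against the program it claims to belong to.
            findings.append((section, "service binary without a recorded publisher", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```

Run as-is it prints three findings for the sample; feed it a full log on stdin or from a file to get the same triage for a real system. The flags are prompts for review, not verdicts: the NMSAccessU service here belongs to CDBurnerXP, and only the O20 entry was actually removed in the thread.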

#7 franchise95p (Topic Starter)

Posted 28 March 2008 - 10:12 PM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, March 28, 2008 8:12:10 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/03/2008
Kaspersky Anti-Virus database records: 601649
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 36570
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:02:04

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\je1v1nvz.default\cert8.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\je1v1nvz.default\history.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\je1v1nvz.default\key3.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\je1v1nvz.default\parent.lock Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\je1v1nvz.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\je1v1nvz.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\je1v1nvz.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\je1v1nvz.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\je1v1nvz.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\je1v1nvz.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\je1v1nvz.default\XUL.mfl Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF8D89.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Sygate\SPF\debug.log Object is locked skipped
C:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped
C:\Program Files\Sygate\SPF\seclog.log Object is locked skipped
C:\Program Files\Sygate\SPF\syslog.log Object is locked skipped
C:\Program Files\Sygate\SPF\tralog.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{3B8E63F7-ECC4-4B14-A0E1-09CF15D920BC}\RP602\A0026306.dll Object is locked skipped
C:\System Volume Information\_restore{3B8E63F7-ECC4-4B14-A0E1-09CF15D920BC}\RP602\A0026310.dll Object is locked skipped
C:\System Volume Information\_restore{3B8E63F7-ECC4-4B14-A0E1-09CF15D920BC}\RP604\A0026331.dll Object is locked skipped
C:\System Volume Information\_restore{3B8E63F7-ECC4-4B14-A0E1-09CF15D920BC}\RP604\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#8 Rawe

Posted 29 March 2008 - 04:33 AM

Hello again. Kaspersky didn't come up with anything either.

Do you have any particular problems with the PC? Virus notifications, slowness, anything?

Do you recognize these files?

C:\WINDOWS\is-K3SGR.exe
C:\WINDOWS\is-K3SGR.msg
C:\WINDOWS\is-K3SGR.lst

Please surf to www.virustotal.com

Paste the following filepath to the blank field and hit Send File:

C:\WINDOWS\is-K3SGR.exe

Wait till scanners have finished, then copy & paste all the information you get. It might take a while. :thumbsup:

#9 franchise95p (Topic Starter)

Posted 29 March 2008 - 10:56 AM

Before I begin I really want to thank everyone for all the help I've received. It is most appreciated.

My computer was giving me AVG Trojan Detected! warnings multiple times per day as well as randomly opening tabs while I was browsing, directing me to sites that were various advertisements (Scratch and win, free savings/deals/vacations, etc.). Also both Mozilla & IE would crash all the time. Frequently when they did, my desktop would be blank and my toolbar would be gone. I'd have to open task manager, log off, and then log back on, to be able to access anything.

Since I've gone through the steps in this thread, my computer seems to be running at the speed it was before. I also haven't seen a trojan detection in a short while either.

I have the following files:

C:\WINDOWS
is-K3SGR with the setup icon next to it, file type - Application (665 KB)
is-K3SGR with the email message icon next to it, file type - Outlook Item (11 KB)
is-K3SGR.lst with some other icon next to it, file type - LST File (1 KB)

Here is what VirusTotal had to say:

Antivirus	  Version	  Last Update	  Result
AhnLab-V3	2008.3.29.0	2008.03.29	-
AntiVir	7.6.0.78	2008.03.28	-
Authentium	4.93.8	2008.03.29	-
Avast	4.7.1098.0	2008.03.29	-
AVG	7.5.0.516	2008.03.28	-
BitDefender	7.2	2008.03.29	-
CAT-QuickHeal	9.50	2008.03.28	-
ClamAV	0.92.1	2008.03.29	-
DrWeb	4.44.0.09170	2008.03.29	-
eSafe	7.0.15.0	2008.03.18	-
eTrust-Vet	31.3.5653	2008.03.29	-
Ewido	4.0	2008.03.29	-
F-Prot	4.4.2.54	2008.03.28	-
F-Secure	6.70.13260.0	2008.03.29	-
FileAdvisor	1	2008.03.29	-
Fortinet	3.14.0.0	2008.03.29	-
Ikarus	T3.1.1.20	2008.03.29	Trojan.Win32.Agent.dfl
Kaspersky	7.0.0.125	2008.03.29	-
McAfee	5262	2008.03.28	-
Microsoft	1.3301	2008.03.28	-
NOD32v2	2983	2008.03.29	-
Norman	5.80.02	2008.03.28	-
Panda	9.0.0.4	2008.03.29	-
Prevx1	V2	2008.03.29	Heuristic: Suspicious Hijacker
Rising	20.37.51.00	2008.03.29	-
Sophos	4.28.0	2008.03.29	-
Sunbelt	3.0.978.0	2008.03.18	-
Symantec	10	2008.03.29	-
TheHacker	6.2.92.258	2008.03.29	-
VBA32	3.12.6.3	2008.03.25	-
VirusBuster	4.3.26:9	2008.03.28	-
Webwasher-Gateway	6.6.2	2008.03.29	-
Additional information
File size: 680960 bytes
MD5: 428df97465967e0998cbfd34e1da5ee7
SHA1: c9b770cbea342a27034a86b0a3360ca7a8ea7bcd
PEiD: -
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=F61B8FB300550E74645B0A1B8473C000B6F9234F

ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently there is no solution that offers a 100% effectiveness rate for detecting viruses and malware.
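Two of the 32 engines flagged is-K3SGR.exe, one of them only heuristically, and VirusTotal's own disclaimer says why that is not a verdict. The following is an added example, not part of the thread and not VirusTotal's code: it parses a report in the tab-separated form posted above, separates named detections from heuristic ones, and adds the two cross-checks a practitioner does before acting on such a report: that the hashes and byte size VirusTotal reports belong to the file actually on disk, and that the byte size agrees with the "665 KB" Explorer showed (Explorer rounds up to whole KB, which is why 680960 bytes reads 665 KB, 10453 bytes reads 11 KB and 343 bytes reads 1 KB, matching all three files in the thread). The report text is abridged from the post; the confidence thresholds in `assess()` are my rule of thumb, not VirusTotal's.

```python
import hashlib
import re

# Constructed sample: an abridged copy of the VirusTotal table posted for
# C:\WINDOWS\is-K3SGR.exe (the columns are tab-separated, as on the site).
VT_REPORT = """\
Antivirus\t  Version\t  Last Update\t  Result
AhnLab-V3\t2008.3.29.0\t2008.03.29\t-
Ikarus\tT3.1.1.20\t2008.03.29\tTrojan.Win32.Agent.dfl
Kaspersky\t7.0.0.125\t2008.03.29\t-
Prevx1\tV2\t2008.03.29\tHeuristic: Suspicious Hijacker
Sophos\t4.28.0\t2008.03.29\t-
Additional information
File size: 680960 bytes
MD5: 428df97465967e0998cbfd34e1da5ee7
SHA1: c9b770cbea342a27034a86b0a3360ca7a8ea7bcd
PEiD: -
"""

HEURISTIC = re.compile(r"heuristic|suspicious|generic", re.I)


def parse_vt_report(text):
    """Return {'results': {engine: result-or-None}, 'size': int, 'md5': str, 'sha1': str}."""
    report = {"results": {}, "size": None, "md5": None, "sha1": None}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"File size:\s*(\d+)", line)
        if m:
            report["size"] = int(m.group(1))
            continue
        m = re.match(r"(MD5|SHA1):\s*([0-9a-fA-F]+)$", line)
        if m:
            report[m.group(1).lower()] = m.group(2).lower()
            continue
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) == 4 and fields[0] != "Antivirus":  # skip the header row
            engine, _version, _updated, result = fields
            report["results"][engine] = None if result == "-" else result
    return report


def detections(report):
    """Engines that returned anything other than '-'."""
    return [(engine, result) for engine, result in report["results"].items() if result]


def assess(report):
    """Rough confidence label; the thresholds are this example's, not VirusTotal's."""
    hits = detections(report)
    if not hits:
        return "none"
    if all(HEURISTIC.search(result) for _, result in hits):
        return "heuristic-only"
    if len(hits) <= 2:
        return "low-confidence"
    return "likely-malicious"


def digests(data):
    """MD5 and SHA-1 hex digests of the bytes, the two hashes VirusTotal prints."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def matches_report(report, data):
    """True only when the bytes in hand are the bytes VirusTotal actually scanned."""
    md5, sha1 = digests(data)
    return len(data) == report["size"] and md5 == report["md5"] and sha1 == report["sha1"]


def explorer_kb(size_bytes):
    """Size as Windows Explorer displays it: whole KB, rounded up."""
    return -(-size_bytes // 1024)


if __name__ == "__main__":
    rep = parse_vt_report(VT_REPORT)
    print(detections(rep), assess(rep), f"{explorer_kb(rep['size'])} KB")
```

To check a real file, read it with `open(path, "rb").read()` and pass the bytes to `matches_report()`; a mismatch means the report you are reading is for a different file than the one on disk, which is exactly the case the size check against Explorer's "665 KB" guards against cheaply.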


#10 Rawe

Posted 29 March 2008 - 11:06 AM

Glad to be of help. :blink:

Please surf to http://uploadmalware.com/

In the username field put: franchise95p
Topic where the file was requested: http://www.bleepingcomputer.com/forums/index.php?showtopic=137652

Files to submit: C:\WINDOWS\is-K3SGR.exe

Hit Send File. Thank you!

It is safe to say.. Delete this file:

C:\WINDOWS\is-K3SGR.exe

Empty your recycle bin.

Please surf back to virustotal.com and submit both of the following files (the first one, then when the scanners have finished - send the other one):

C:\WINDOWS\is-K3SGR.msg
C:\WINDOWS\is-K3SGR.lst


Post back with the results. :thumbsup:

#11 franchise95p (Topic Starter)

Posted 29 March 2008 - 11:34 AM

File sent.

File deleted. Bin emptied.

MSG:
Antivirus	  Version	  Last Update	  Result
AhnLab-V3	2008.3.29.0	2008.03.29	-
AntiVir	7.6.0.78	2008.03.28	-
Authentium	4.93.8	2008.03.29	-
Avast	4.7.1098.0	2008.03.29	-
AVG	7.5.0.516	2008.03.28	-
BitDefender	7.2	2008.03.29	-
CAT-QuickHeal	9.50	2008.03.28	-
ClamAV	0.92.1	2008.03.29	-
DrWeb	4.44.0.09170	2008.03.29	-
eSafe	7.0.15.0	2008.03.18	-
eTrust-Vet	31.3.5653	2008.03.29	-
Ewido	4.0	2008.03.29	-
F-Prot	4.4.2.54	2008.03.28	-
F-Secure	6.70.13260.0	2008.03.29	-
FileAdvisor	1	2008.03.29	-
Fortinet	3.14.0.0	2008.03.29	-
Ikarus	T3.1.1.20	2008.03.29	-
Kaspersky	7.0.0.125	2008.03.29	-
McAfee	5262	2008.03.28	-
Microsoft	1.3301	2008.03.28	-
NOD32v2	2983	2008.03.29	-
Norman	5.80.02	2008.03.28	-
Panda	9.0.0.4	2008.03.29	-
Prevx1	V2	2008.03.29	-
Rising	20.37.51.00	2008.03.29	-
Sophos	4.28.0	2008.03.29	-
Sunbelt	3.0.978.0	2008.03.18	-
Symantec	10	2008.03.29	-
TheHacker	6.2.92.258	2008.03.29	-
VBA32	3.12.6.3	2008.03.25	-
VirusBuster	4.3.26:9	2008.03.29	-
Webwasher-Gateway	6.6.2	2008.03.29	-
Additional information
File size: 10453 bytes
MD5: a4477f6686ff7b50d6574e2b62b9bfdf
SHA1: 493dc7dcc4bc9c3b4b8ab2ad0040bb98dbea6e5c
PEiD: -

LST:
Antivirus	  Version	  Last Update	  Result
AhnLab-V3	2008.3.29.0	2008.03.29	-
AntiVir	7.6.0.78	2008.03.28	-
Authentium	4.93.8	2008.03.29	-
Avast	4.7.1098.0	2008.03.29	-
AVG	7.5.0.516	2008.03.28	-
BitDefender	7.2	2008.03.29	-
CAT-QuickHeal	9.50	2008.03.28	-
ClamAV	0.92.1	2008.03.29	-
DrWeb	4.44.0.09170	2008.03.29	-
eSafe	7.0.15.0	2008.03.18	-
eTrust-Vet	31.3.5653	2008.03.29	-
Ewido	4.0	2008.03.29	-
F-Prot	4.4.2.54	2008.03.28	-
F-Secure	6.70.13260.0	2008.03.29	-
FileAdvisor	1	2008.03.29	-
Fortinet	3.14.0.0	2008.03.29	-
Ikarus	T3.1.1.20	2008.03.29	-
Kaspersky	7.0.0.125	2008.03.29	-
McAfee	5262	2008.03.28	-
Microsoft	1.3301	2008.03.28	-
NOD32v2	2983	2008.03.29	-
Norman	5.80.02	2008.03.28	-
Panda	9.0.0.4	2008.03.29	-
Prevx1	V2	2008.03.29	-
Rising	20.37.51.00	2008.03.29	-
Sophos	4.28.0	2008.03.29	-
Sunbelt	3.0.978.0	2008.03.18	-
Symantec	10	2008.03.29	-
TheHacker	6.2.92.258	2008.03.29	-
VBA32	3.12.6.3	2008.03.25	-
VirusBuster	4.3.26:9	2008.03.29	-
Webwasher-Gateway	6.6.2	2008.03.29	-
Additional information
File size: 343 bytes
MD5: 0f1335f19b286bec93ac43282e0140e8
SHA1: 0e9ec408916773a116ef9e9973f435c64443e547
PEiD: -


#12 Rawe

Posted 29 March 2008 - 11:55 AM

Go ahead and delete them as well, since they appear not to be required. In fact, there is no info on them available.

Ok.. So no more problems with popups or virus alerts or anything? :thumbsup:

#13 franchise95p (Topic Starter)

Posted 29 March 2008 - 01:06 PM

Nope. So far as I can tell, my computer seems cured. I just didn't know if maybe there was still something sneaky tucked in there.

I forgot, I was also getting a TON of SpywareGuard notices popping up on my screen about BHOs being changed as well. I've since disabled that program, so I'm hoping that when I get it up & running again, I'll have no problems.


EDIT: So, is it acceptable to delete the Stinger file I downloaded, all my HijackThis info, its backups, and ComboFix from my desktop?

Edited by franchise95p, 29 March 2008 - 01:07 PM.


#14 Rawe

Posted 29 March 2008 - 02:44 PM

Yes it is. :thumbsup:

Go to Start -> Run and type/paste in:

ComboFix /u

Hit enter or click OK. When shown the disclaimer, select 2

Please download OTCleanIt and save it to desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to reboot during the cleanup, select YES.
  • The tool will delete itself once it finishes; if not, delete it yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:

Prevention Programs:
  • Comodo BOClean <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  • SpywareBlaster <= SpywareBlaster will prevent spyware from being installed. Detailed installation guide provided.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known adsites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Other necessary Programs:
  • Antivirus Program <= An antivirus program is a must! Whether it is a free version like Avast! or Anti-Vir, or a shareware version like NOD32, this is a must have. (Note: only use one at a time.)
  • Firewall <= A firewall is definitely a must have. Two good free versions are Comodo and Online Armor. (Note: only use one at a time.)
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice:
So how did I get infected in the first place?

Setup guide for Comodo Firewall
Setup guide for Avast! 4 Free
Setup guide for AVG Free Antivirus
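The MVPS hosts file tip above works by pointing ad and tracking hostnames at 127.0.0.1, and that same mechanism is what makes the hosts file worth auditing: any entry that points a hostname somewhere other than the local machine is a redirect that a person should be able to explain. The following is an added example, not part of the thread and not the MVPS project's code: it parses a hosts file, counts the entries that merely sinkhole a name (loopback or 0.0.0.0 targets) and reports the rest, with the line number, so they can be justified or removed. The sample hosts content is constructed with example/test domain names; the `ipaddress` module's loopback/unspecified checks are what distinguishes blocking from redirecting.

```python
import ipaddress

# Constructed sample: three MVPS-style blocking entries plus one entry of the
# kind an audit should surface, a real-looking hostname pointed at a
# non-local address. All names are example/test domains, not from any list.
SAMPLE_HOSTS = """\
# Blocking list (constructed)
127.0.0.1       localhost
127.0.0.1       ads.example.com
127.0.0.1       banner.example.net   # trailing comment
0.0.0.0         tracker.example.org
10.0.0.5        update.example-vendor.test
"""


def parse_hosts(text):
    """Return [(line_number, ip_address, [hostnames])] for each effective line."""
    entries = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; the resolver ignores these too
        entries.append((number, ip, parts[1:]))
    return entries


def audit_hosts(text):
    """Split entries into sinkholes (loopback / 0.0.0.0 targets) and redirects.

    A blocking list and a hijacked hosts file use the same syntax; the target
    address is the only thing that tells them apart.
    """
    blocked, redirects = [], []
    for number, ip, names in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            blocked.extend(name for name in names if name != "localhost")
        else:
            redirects.append((number, str(ip), names))
    return {"blocked": blocked, "redirects": redirects}


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(result['blocked'])} names sinkholed")
    for number, ip, names in result["redirects"]:
        print(f"line {number}: {' '.join(names)} -> {ip}  (needs a reason)")
```

On a Windows XP machine the file to read is C:\WINDOWS\system32\drivers\etc\hosts; on the MVPS list every entry should land in `blocked`, and an empty `redirects` list is the expected state.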

#15 franchise95p (Topic Starter)

Posted 30 March 2008 - 12:56 AM

Thank you.

In the meantime, I just reran my AVG Anti-Spyware 7.5, and it came up with 3 tracking cookies & 1 Trojan.Agent located at C:\Program Files\Mozilla Firefox\readme.bat. The action recommended was to quarantine it, which I did. Should I be concerned about it or take any additional action?



