
Multiple, Major Problems


11 replies to this topic

#1 PrittStick


Posted 20 April 2008 - 12:41 PM

Hi, I've got some pretty major problems with my computer for some bloody reason again, my family destroy it. Think you could help please?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:39:39, on 20/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 2180 bytes


#2 bamajim


Posted 25 April 2008 - 08:15 PM

PrittStick

Please download Combofix and save to your desktop.
Note: It is important that it is saved directly to your desktop.
Close any open browsers.
Double-click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouse-click combofix's window whilst it's running.
That may cause the program to freeze/hang.

Microsoft MVP - Windows Security

#3 PrittStick


Posted 26 April 2008 - 04:39 AM

Thanks, here is the ComboFix log.



ComboFix 08-04-24.1 - ben 2008-04-26 9:54:30.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.219 [GMT 1:00]
Running from: C:\Documents and Settings\ben\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\ben\Desktop\Error Cleaner.url
C:\Documents and Settings\ben\Desktop\Privacy Protector.url
C:\Documents and Settings\ben\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\ben\Favorites\Error Cleaner.url
C:\Documents and Settings\ben\Favorites\Privacy Protector.url
C:\Documents and Settings\ben\Favorites\Spyware&Malware Protection.url
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
C:\WINDOWS\inf\ultra.inf
C:\WINDOWS\system32\ddcASjIa.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DOMAINSERVICE
-------\Service_DomainService


((((((((((((((((((((((((( Files Created from 2008-03-26 to 2008-04-26 )))))))))))))))))))))))))))))))
.

2008-04-26 09:47 . 2008-04-26 09:47 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-04-26 00:04 . 2008-04-26 00:32 <DIR> d-------- C:\Documents and Settings\ben\Application Data\Download Manager
2008-04-20 18:39 . 2008-04-20 18:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-19 16:57 . 2008-04-20 22:45 <DIR> d-------- C:\Documents and Settings\ben\Application Data\TmpRecentIcons
2008-04-19 13:26 . 2008-04-19 11:39 221,184 --a------ C:\WINDOWS\wdpoefan.dll
2008-04-19 13:26 . 2008-04-19 11:39 172,032 --a------ C:\WINDOWS\vadokmxt.dll
2008-04-19 13:26 . 2008-04-19 11:39 151,552 --a------ C:\WINDOWS\dpevflbg.dll
2008-04-19 13:26 . 2008-04-19 11:39 94,208 --a------ C:\WINDOWS\olgdqarf.exe
2008-04-15 22:54 . 2008-04-15 22:54 268 --ah----- C:\sqmdata07.sqm
2008-04-15 22:54 . 2008-04-15 22:54 244 --ah----- C:\sqmnoopt07.sqm
2008-04-02 19:49 . 2008-04-02 19:49 <DIR> d-------- C:\WINDOWS\system32\Epson
2008-04-02 09:40 . 2008-04-02 09:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2008-03-30 11:06 . 2008-03-30 11:10 <DIR> d-------- C:\Program Files\BitTorrent
2008-03-29 01:38 . 2008-03-29 01:38 <DIR> d-------- C:\Program Files\Real
2008-03-29 01:38 . 2008-03-29 01:38 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-03-29 01:38 . 2008-03-29 01:38 <DIR> d-------- C:\Program Files\Common Files\Real

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-26 09:12 141,998,112 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-26 09:08 2,638,880 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-04-26 09:07 249,440 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-04-26 09:07 1,904,852 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-26 08:47 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-04-25 23:47 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-20 17:13 --------- d-----w C:\Program Files\Windows Live
2008-04-20 17:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-18 05:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-12 12:08 --------- d-----w C:\Program Files\MSN Messenger
2008-04-12 12:08 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-04-09 23:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-31 14:32 --------- d-----w C:\Documents and Settings\ben\Application Data\BitTorrent
2007-05-01 07:37 168 --sh--r C:\WINDOWS\system32\18ACB7B6B2.sys
2007-05-01 07:37 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-04-14 15:11 766,167 --sha-w C:\WINDOWS\system32\srqss.bak1
.
<pre>
----a-w			67,488 2008-02-24 19:50:43  C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy .exe
----a-w			39,792 2008-01-07 17:23:01  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w		   249,896 2008-01-18 13:22:55  C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt .exe
----a-w		 1,106,944 2008-01-18 23:20:30  C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer .exe
----a-w		   868,352 2008-01-07 17:23:17  C:\Program Files\Creative\Sync Manager Unicode\CTSyncU .exe
----a-w		   132,496 2008-01-24 16:37:20  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w		 2,229,248 2008-01-17 15:19:58  C:\Program Files\Messenger\msmsgs .exe
----a-w		 5,674,352 2008-01-24 16:37:59  C:\Program Files\MSN Messenger\msnmsgr  .exe
----a-w		   167,936 2008-01-18 13:22:28  C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication .exe
----a-w		   847,872 2008-01-06 19:15:29  C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2 .exe
----a-w		   200,704 2008-01-16 07:37:21  C:\Program Files\PowerISO\PWRISOVM .EXE
----a-w		 1,318,912 2008-01-21 14:00:40  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w		   158,208 2008-01-24 12:47:26  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w			15,360 2008-01-24 12:47:26  C:\WINDOWS\system32\ctfmon .exe
----a-w		17,642,616 2008-01-09 15:26:32  C:\WINDOWS\system32\MRT .exe
----a-w			74,240 2008-01-13 15:43:06  C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S10IC1 .EXE
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 23:06 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-22 12:17 262401]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-29 01:38 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 02:17 443968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"wdpoefan"= {F645B00C-1DAA-4DDF-A42C-AB4F87E0B978} - C:\WINDOWS\wdpoefan.dll [2008-04-19 11:39 221184]
"vadokmxt"= {78F7EAEF-9356-4FA0-A713-245439326AB1} - C:\WINDOWS\vadokmxt.dll [2008-04-19 11:39 172032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcASjIa]
ddcASjIa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2007-09-08 00:01 43008 C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasySpywareCleaner]
C:\Program Files\EasySpywareCleaner\EasySpywareCleaner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\pmkhh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2006-11-24 02:06 487424 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
C:\WINDOWS\system32\spoolvs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2 Demo\\Bf2_w32ded.exe"=
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2 Demo\\BF2.exe"=
"C:\\Program Files\\SpacialAudio\\SAMBC\\SAMBC.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\MSN Messenger\\msnmsgr .exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3306:TCP"= 3306:TCP:TCP

R3 STAC97NA;SigmaTel 3D Environmental Audio;C:\WINDOWS\system32\drivers\stac97na.sys [2002-09-20 19:42]
R3 STAC97NH;STAC97NH;C:\WINDOWS\system32\drivers\stac97nh.sys [2002-09-20 19:43]
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);C:\WINDOWS\system32\drivers\ctlsb16.sys [2001-08-17 13:19]
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-02-19 14:50]
S3 papycpu;papycpu;C:\WINDOWS\system32\drivers\papycpu.sys [1998-09-14 12:57]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-19 17:18:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-26 10:10:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MySQL]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\wdpoefan.dll
-> C:\WINDOWS\vadokmxt.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\ati2evxx.exe
.
**************************************************************************
.
Completion time: 2008-04-26 10:32:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-26 09:31:05

Pre-Run: 20,099,170,304 bytes free
Post-Run: 20,032,561,152 bytes free

191 --- E O F --- 2008-04-09 23:55:14

#4 bamajim


Posted 26 April 2008 - 06:13 PM

PrittStick

1. Open NotePad (not wordpad). Copy and paste the following into Notepad (not the word Code)

File::
C:\WINDOWS\wdpoefan.dll
C:\WINDOWS\vadokmxt.dll
C:\WINDOWS\dpevflbg.dll
C:\WINDOWS\olgdqarf.exe
C:\WINDOWS\system32\srqss.bak1
C:\WINDOWS\wdpoefan.dll
C:\WINDOWS\vadokmxt.dll
C:\Program Files\EasySpywareCleaner\EasySpywareCleaner.exe
C:\WINDOWS\system32\pmkhh.exe
C:\WINDOWS\system32\spoolvs.exe

Folder::
C:\Program Files\EasySpywareCleaner

RENV::
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy .exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt .exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer .exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\MSN Messenger\msnmsgr  .exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication .exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2 .exe
C:\Program Files\PowerISO\PWRISOVM .EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\MRT .exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S10IC1 .EXE

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"wdpoefan"=-
"vadokmxt"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcASjIa]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasySpywareCleaner]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]

Save the file as CFScript (exactly as shown, no spaces) and save it to your Desktop.

Using the image as a reference, drag CFScript into ComboFix.exe.
You will be prompted to run Combofix again; do so,
following the same rules as indicated in my first post.
Then post the contents of the C:\ComboFix.txt log in your reply.

Microsoft MVP - Windows Security
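As an added example (not part of this thread, and not ComboFix's or bamajim's own code), the Python script below does by hand what the CFScript in the post above encodes. It reads ComboFix-style log lines and flags the two patterns that script targets: file names padded with a space before the extension, as in the log's `<pre>` block, and entries under the ShellServiceObjectDelayLoad key, which ComboFix lists only when they are not empty or legitimate defaults (the log says so itself). It then renders the findings in the same File::/RENV::/Registry:: layout for a helper to review. The sample log lines are constructed in the shape of the log posted in this thread; the meaning of the RENV:: directive is assumed from how post #4 uses it (the page does not document it), while `"name"=-` is standard REGEDIT4 syntax for deleting a value.

```python
import re

# Constructed sample, copied in shape from the ComboFix log posted in this thread:
# four lines from the "Find3M" <pre> block (three with a space wedged before the
# extension, one clean) and two registry keys from "Reg Loading Points".
SAMPLE_LOG = r"""
----a-w          67,488 2008-02-24 19:50:43  C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy .exe
----a-w       5,674,352 2008-01-24 16:37:59  C:\Program Files\MSN Messenger\msnmsgr  .exe
----a-w          15,360 2008-01-24 12:47:26  C:\WINDOWS\system32\ctfmon .exe
----a-w      17,642,616 2008-01-09 15:26:32  C:\WINDOWS\system32\MRT.exe
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"wdpoefan"= {F645B00C-1DAA-4DDF-A42C-AB4F87E0B978} - C:\WINDOWS\wdpoefan.dll [2008-04-19 11:39 221184]
"vadokmxt"= {78F7EAEF-9356-4FA0-A713-245439326AB1} - C:\WINDOWS\vadokmxt.dll [2008-04-19 11:39 172032]
"""

# One line of the <pre> file listing: attribute flags, size, timestamp, then the path.
FILE_LINE = re.compile(
    r"^(?P<attr>[-a-z]{7})\s+(?P<size>[\d,]+)\s+"
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<path>.+?)\s*$")
# Whitespace wedged between the file name and its extension ("ctfmon .exe").
SPACED_EXT = re.compile(r"\s+\.(?:exe|dll|com|scr)$", re.IGNORECASE)
# A ShellServiceObjectDelayLoad value as ComboFix prints it: "name"= {CLSID} - path [date size]
SSODL_VALUE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*\{[0-9A-Fa-f-]+\}\s*-\s*(?P<path>.+?)\s*\[')

SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"


def parse_log(text):
    """Return spaced-extension file paths and SSODL entries found in a ComboFix-style log."""
    spaced, ssodl = [], []
    in_ssodl = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            # A new registry key; remember whether it is the SSODL key.
            in_ssodl = line[1:-1].lower().endswith("shellserviceobjectdelayload")
            continue
        m = FILE_LINE.match(line)
        if m:
            if SPACED_EXT.search(m.group("path")):
                spaced.append(m.group("path"))
            continue
        m = SSODL_VALUE.match(line)
        if m and in_ssodl:
            # ComboFix hides empty and legitimate default entries, so every
            # entry it does print under this key deserves a look.
            ssodl.append((m.group("name"), m.group("path")))
    return {"spaced_ext": spaced, "ssodl": ssodl}


def build_cfscript(findings):
    """Render the findings in the CFScript layout post #4 uses.

    Assumption (not documented on this page): File:: deletes the listed files and
    RENV:: restores names padded with a space before the extension, as post #4's
    script and the follow-up log suggest. "name"=- is REGEDIT4 value deletion.
    """
    out = []
    if findings["ssodl"]:
        out.append("File::")
        out.extend(path for _, path in findings["ssodl"])
        out.append("")
    if findings["spaced_ext"]:
        out.append("RENV::")
        out.extend(findings["spaced_ext"])
        out.append("")
    if findings["ssodl"]:
        out.append("Registry::")
        out.append("[" + SSODL_KEY + "]")
        out.extend('"%s"=-' % name for name, _ in findings["ssodl"])
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for p in found["spaced_ext"]:
        print("padded file name:", p)
    for n, p in found["ssodl"]:
        print("SSODL entry:", n, "->", p)
    print(build_cfscript(found))
```

The script never touches the machine: it only turns log text into a draft script that a helper reads over before deciding whether to hand it to ComboFix. Pointing `parse_log` at a saved C:\ComboFix.txt is all that is needed to run it on a real log.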

#5 PrittStick


Posted 27 April 2008 - 01:25 PM

Hi bamajim.

When I turned my computer on about an hour ago the entire virus was back. I don't know how this happened but my siblings claimed they hadn't done anything dodgy... Anyway, I re-ran ComboFix first of all and saved the log. I then visited this website and found your reply, and then followed the instructions. The following is first of all the log from the repeat of the scan I did originally, and the second log is the one that is related to your last reply.

ComboFix 08-04-24.1 - ben 2008-04-27 18:29:45.2 - NTFSx86
Running from: C:\Documents and Settings\ben\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\ben\Desktop\Error Cleaner.url
C:\Documents and Settings\ben\Desktop\Privacy Protector.url
C:\Documents and Settings\ben\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\ben\Favorites\Error Cleaner.url
C:\Documents and Settings\ben\Favorites\Privacy Protector.url
C:\Documents and Settings\ben\Favorites\Spyware&Malware Protection.url

.
((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.

2008-04-26 09:47 . 2008-04-26 09:47 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-04-26 00:04 . 2008-04-26 00:32 <DIR> d-------- C:\Documents and Settings\ben\Application Data\Download Manager
2008-04-20 18:39 . 2008-04-20 18:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-19 16:57 . 2008-04-20 22:45 <DIR> d-------- C:\Documents and Settings\ben\Application Data\TmpRecentIcons
2008-04-19 13:26 . 2008-04-19 11:39 221,184 --a------ C:\WINDOWS\wdpoefan.dll
2008-04-19 13:26 . 2008-04-19 11:39 172,032 --a------ C:\WINDOWS\vadokmxt.dll
2008-04-19 13:26 . 2008-04-19 11:39 151,552 --a------ C:\WINDOWS\dpevflbg.dll
2008-04-19 13:26 . 2008-04-19 11:39 94,208 --a------ C:\WINDOWS\olgdqarf.exe
2008-04-15 22:54 . 2008-04-15 22:54 268 --ah----- C:\sqmdata07.sqm
2008-04-15 22:54 . 2008-04-15 22:54 244 --ah----- C:\sqmnoopt07.sqm
2008-04-02 19:49 . 2008-04-02 19:49 <DIR> d-------- C:\WINDOWS\system32\Epson
2008-04-02 09:40 . 2008-04-02 09:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2008-03-30 11:06 . 2008-03-30 11:10 <DIR> d-------- C:\Program Files\BitTorrent
2008-03-29 01:38 . 2008-03-29 01:38 <DIR> d-------- C:\Program Files\Real
2008-03-29 01:38 . 2008-03-29 01:38 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-03-29 01:38 . 2008-03-29 01:38 <DIR> d-------- C:\Program Files\Common Files\Real

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 17:40 142,761,504 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-27 17:39 2,678,560 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-04-27 00:38 252,824 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-04-27 00:38 1,912,316 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-26 08:47 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-04-25 23:47 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-20 17:13 --------- d-----w C:\Program Files\Windows Live
2008-04-20 17:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-18 05:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-12 12:08 --------- d-----w C:\Program Files\MSN Messenger
2008-04-12 12:08 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-04-09 23:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-31 14:32 --------- d-----w C:\Documents and Settings\ben\Application Data\BitTorrent
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-19 13:50 1,419,232 ----a-w C:\WINDOWS\system32\wdfcoinstaller01005.dll
2007-05-01 07:37 168 --sh--r C:\WINDOWS\system32\18ACB7B6B2.sys
2007-05-01 07:37 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-04-14 15:11 766,167 --sha-w C:\WINDOWS\system32\srqss.bak1
.
<pre>
----a-w			67,488 2008-02-24 19:50:43  C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy .exe
----a-w			39,792 2008-01-07 17:23:01  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w		   249,896 2008-01-18 13:22:55  C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt .exe
----a-w		 1,106,944 2008-01-18 23:20:30  C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer .exe
----a-w		   868,352 2008-01-07 17:23:17  C:\Program Files\Creative\Sync Manager Unicode\CTSyncU .exe
----a-w		   132,496 2008-01-24 16:37:20  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w		 2,229,248 2008-01-17 15:19:58  C:\Program Files\Messenger\msmsgs .exe
----a-w		 5,674,352 2008-01-24 16:37:59  C:\Program Files\MSN Messenger\msnmsgr  .exe
----a-w		   167,936 2008-01-18 13:22:28  C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication .exe
----a-w		   847,872 2008-01-06 19:15:29  C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2 .exe
----a-w		   200,704 2008-01-16 07:37:21  C:\Program Files\PowerISO\PWRISOVM .EXE
----a-w		 1,318,912 2008-01-21 14:00:40  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w		   158,208 2008-01-24 12:47:26  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w			15,360 2008-01-24 12:47:26  C:\WINDOWS\system32\ctfmon .exe
----a-w		17,642,616 2008-01-09 15:26:32  C:\WINDOWS\system32\MRT .exe
----a-w			74,240 2008-01-13 15:43:06  C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S10IC1 .EXE
</pre>


((((((((((((((((((((((((((((( snapshot@2008-04-26_10.30.27.78 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-26 09:08:41 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-27 13:52:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 23:06 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-22 12:17 262401]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-29 01:38 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 02:17 443968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"wdpoefan"= {F645B00C-1DAA-4DDF-A42C-AB4F87E0B978} - C:\WINDOWS\wdpoefan.dll [2008-04-19 11:39 221184]
"vadokmxt"= {78F7EAEF-9356-4FA0-A713-245439326AB1} - C:\WINDOWS\vadokmxt.dll [2008-04-19 11:39 172032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcASjIa]
ddcASjIa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2007-09-08 00:01 43008 C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasySpywareCleaner]
C:\Program Files\EasySpywareCleaner\EasySpywareCleaner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\pmkhh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2006-11-24 02:06 487424 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
C:\WINDOWS\system32\spoolvs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2 Demo\\Bf2_w32ded.exe"=
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2 Demo\\BF2.exe"=
"C:\\Program Files\\SpacialAudio\\SAMBC\\SAMBC.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\MSN Messenger\\msnmsgr .exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3306:TCP"= 3306:TCP:TCP

R3 STAC97NA;SigmaTel 3D Environmental Audio;C:\WINDOWS\system32\drivers\stac97na.sys [2002-09-20 19:42]
R3 STAC97NH;STAC97NH;C:\WINDOWS\system32\drivers\stac97nh.sys [2002-09-20 19:43]
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);C:\WINDOWS\system32\drivers\ctlsb16.sys [2001-08-17 13:19]
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-02-19 14:50]
S3 papycpu;papycpu;C:\WINDOWS\system32\drivers\papycpu.sys [1998-09-14 12:57]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-26 17:17:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 18:40:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MySQL]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
Completion time: 2008-04-27 18:43:57
ComboFix-quarantined-files.txt 2008-04-27 17:42:52
ComboFix2.txt 2008-04-26 09:32:48

Pre-Run: 19,380,215,808 bytes free
Post-Run: 19,394,326,528 bytes free

174 --- E O F --- 2008-04-09 23:55:14





ComboFix 08-04-24.1 - ben 2008-04-27 18:50:32.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.247 [GMT 1:00]
Running from: C:\Documents and Settings\ben\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ben\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\EasySpywareCleaner\EasySpywareCleaner.exe
C:\WINDOWS\dpevflbg.dll
C:\WINDOWS\olgdqarf.exe
C:\WINDOWS\system32\pmkhh.exe
C:\WINDOWS\system32\spoolvs.exe
C:\WINDOWS\system32\srqss.bak1
C:\WINDOWS\vadokmxt.dll
C:\WINDOWS\wdpoefan.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\dpevflbg.dll
C:\WINDOWS\olgdqarf.exe
C:\WINDOWS\system32\srqss.bak1
C:\WINDOWS\vadokmxt.dll
C:\WINDOWS\wdpoefan.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.

2008-04-26 09:47 . 2008-04-26 09:47 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-04-26 00:04 . 2008-04-26 00:32 <DIR> d-------- C:\Documents and Settings\ben\Application Data\Download Manager
2008-04-20 18:39 . 2008-04-20 18:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-19 16:57 . 2008-04-20 22:45 <DIR> d-------- C:\Documents and Settings\ben\Application Data\TmpRecentIcons
2008-04-15 22:54 . 2008-04-15 22:54 268 --ah----- C:\sqmdata07.sqm
2008-04-15 22:54 . 2008-04-15 22:54 244 --ah----- C:\sqmnoopt07.sqm
2008-04-02 19:49 . 2008-04-02 19:49 <DIR> d-------- C:\WINDOWS\system32\Epson
2008-04-02 09:40 . 2008-04-02 09:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2008-03-30 11:06 . 2008-03-30 11:10 <DIR> d-------- C:\Program Files\BitTorrent
2008-03-29 01:38 . 2008-03-29 01:38 <DIR> d-------- C:\Program Files\Real
2008-03-29 01:38 . 2008-03-29 01:38 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-03-29 01:38 . 2008-03-29 01:38 <DIR> d-------- C:\Program Files\Common Files\Real

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 17:56 2,680,608 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-04-27 17:56 142,786,592 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-27 17:50 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-04-27 17:50 --------- d-----w C:\Program Files\PowerISO
2008-04-27 17:50 --------- d-----w C:\Program Files\MSN Messenger
2008-04-27 00:38 252,824 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-04-27 00:38 1,912,316 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-26 08:47 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-04-25 23:47 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-20 17:13 --------- d-----w C:\Program Files\Windows Live
2008-04-20 17:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-18 05:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-12 12:08 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-04-09 23:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-31 14:32 --------- d-----w C:\Documents and Settings\ben\Application Data\BitTorrent
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-19 13:50 1,419,232 ----a-w C:\WINDOWS\system32\wdfcoinstaller01005.dll
2007-05-01 07:37 168 --sh--r C:\WINDOWS\system32\18ACB7B6B2.sys
2007-05-01 07:37 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-04-26_10.30.27.78 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-26 09:08:41 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-27 13:52:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2004-08-04 12:00:00 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe
+ 2008-01-24 12:47:26 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig.exe
- 2004-08-04 12:00:00 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
+ 2008-01-24 12:47:26 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
- 2004-08-04 12:00:00 15,360 -c--a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
+ 2008-01-24 12:47:26 15,360 -c--a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
- 2004-08-04 12:00:00 158,208 -c--a-w C:\WINDOWS\system32\dllcache\msconfig.exe
+ 2008-01-24 12:47:26 158,208 -c--a-w C:\WINDOWS\system32\dllcache\msconfig.exe
- 2008-04-06 05:56:20 19,836,024 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-01-09 15:26:32 17,642,616 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-01-13 15:43:06 74,240 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S10IC1.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-24 13:47 15360]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 23:06 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-18 14:22 249896]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-29 01:38 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 02:17 443968]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-07 18:23 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2007-09-08 00:01 43008 C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2008-01-18 14:22 167936 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2008-01-06 20:15 847872 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2006-11-24 02:06 487424 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2 Demo\\Bf2_w32ded.exe"=
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2 Demo\\BF2.exe"=
"C:\\Program Files\\SpacialAudio\\SAMBC\\SAMBC.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3306:TCP"= 3306:TCP:TCP

R3 STAC97NA;SigmaTel 3D Environmental Audio;C:\WINDOWS\system32\drivers\stac97na.sys [2002-09-20 19:42]
R3 STAC97NH;STAC97NH;C:\WINDOWS\system32\drivers\stac97nh.sys [2002-09-20 19:43]
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);C:\WINDOWS\system32\drivers\ctlsb16.sys [2001-08-17 13:19]
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-02-19 14:50]
S3 papycpu;papycpu;C:\WINDOWS\system32\drivers\papycpu.sys [1998-09-14 12:57]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-26 17:17:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 18:57:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MySQL]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
Completion time: 2008-04-27 19:03:30
ComboFix-quarantined-files.txt 2008-04-27 18:01:52
ComboFix2.txt 2008-04-27 17:43:59
ComboFix3.txt 2008-04-26 09:32:48

Pre-Run: 19,377,389,568 bytes free
Post-Run: 19,363,835,904 bytes free

164 --- E O F --- 2008-04-09 23:55:14

#6 bamajim

Posted 27 April 2008 - 01:50 PM

PrittStick

Your siblings probably didn't do anything wrong. Just running ComboFix did not resolve the issue entirely, hence my second post.

However, this is an excellent place to get infected: BitTorrent.

Run an online virus scan called Kaspersky from HERE.
1. Click on "Kaspersky Online Scanner".
2. A new smaller window will pop up. Press "Accept" after reading the contents.
3. Now Kaspersky will update the anti-virus database. Let it run.
4. Click on "Next" -> "Scan Settings", and make sure the database is set to "extended". Check both the scan options. Then click OK.
5. Then click on "My Computer", and the scan will start.
6. When the scan is complete, select "Save error report as".
Then in the file name just type in kaspersky.
Under "save as type" select text .txt.
Save it to your Desktop.
Copy and post the results of the Kaspersky Online scan.
Microsoft MVP - Windows Security

#7 PrittStick (Topic Starter)

Posted 28 April 2008 - 02:59 PM

Here's the log :thumbsup:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, April 28, 2008 8:53:26 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/04/2008
Kaspersky Anti-Virus database records: 727826
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 134964
Number of viruses found: 15
Number of infected objects: 30
Number of suspicious objects: 0
Duration of the scan process: 14:02:56

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Nero\Nero8\Nero BackItUp\Cache\NeroBackItUpScheduler3.log Object is locked skipped
C:\Documents and Settings\ben\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\ben\Desktop\james\hot chip.zip/Setup.exe Infected: not-a-virus:AdWare.Win32.Agent.zk skipped
C:\Documents and Settings\ben\Desktop\james\hot chip.zip ZIP: infected - 1 skipped
C:\Documents and Settings\ben\Desktop\james\saves the day-driving cars.wm Infected: Trojan-Downloader.WMA.Wimad.m skipped
C:\Documents and Settings\ben\Desktop\james\starsailers.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
C:\Documents and Settings\ben\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\ben\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\ben\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\ben\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\ben\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ben\Local Settings\Temporary Internet Files\Content.IE5\BFS7V6TC\1320322[1].mp3 Object is locked skipped
C:\Documents and Settings\ben\Local Settings\Temporary Internet Files\Content.IE5\BFS7V6TC\143194[1].mp3 Object is locked skipped
C:\Documents and Settings\ben\Local Settings\Temporary Internet Files\Content.IE5\BFS7V6TC\153521[1].mp3 Object is locked skipped
C:\Documents and Settings\ben\Local Settings\Temporary Internet Files\Content.IE5\BFS7V6TC\1969174[1].mp3 Object is locked skipped
C:\Documents and Settings\ben\Local Settings\Temporary Internet Files\Content.IE5\BFS7V6TC\2011173[1].mp3 Object is locked skipped
C:\Documents and Settings\ben\Local Settings\Temporary Internet Files\Content.IE5\BFS7V6TC\254564[1].mp3 Object is locked skipped
C:\Documents and Settings\ben\Local Settings\Temporary Internet Files\Content.IE5\BFS7V6TC\55446[1].mp3 Object is locked skipped
C:\Documents and Settings\ben\Local Settings\Temporary Internet Files\Content.IE5\BFS7V6TC\get_video[1] Object is locked skipped
C:\Documents and Settings\ben\Local Settings\Temporary Internet Files\Content.IE5\BFS7V6TC\get_video[2] Object is locked skipped
C:\Documents and Settings\ben\Local Settings\Temporary Internet Files\Content.IE5\IG53AAYP\get_video[2] Object is locked skipped
C:\Documents and Settings\ben\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ben\Local Settings\Temporary Internet Files\Content.IE5\OFR2K93G\get_video[2] Object is locked skipped
C:\Documents and Settings\ben\Local Settings\Temporary Internet Files\Content.IE5\WXENN0HP\75281[1].mp3 Object is locked skipped
C:\Documents and Settings\ben\Local Settings\Temporary Internet Files\Content.IE5\WXENN0HP\get_video[4] Object is locked skipped
C:\Documents and Settings\ben\Local Settings\Temporary Internet Files\Content.IE5\YXPFUKGO\gary%20jules-11-mad_world[1].mp3 Object is locked skipped
C:\Documents and Settings\ben\Local Settings\Temporary Internet Files\Content.IE5\YXPFUKGO\std_576ccadac913360c9c5b711429e5cd63[1].mp3 Object is locked skipped
C:\Documents and Settings\ben\My Documents\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\ben\ntuser.dat Object is locked skipped
C:\Documents and Settings\ben\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Nero\Nero8\Nero BackItUp\BIU1.txt Object is locked skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080424-192928-359.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080424-192928-422.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qfr skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080424-192928-918.dll Infected: Trojan.Win32.Vapsup.efq skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080424-192948-163.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qfr skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080424-193109-155.dll Infected: Trojan.Win32.Vapsup.efq skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080424-194008-189.dll Infected: not-a-virus:Downloader.Win32.SpyGame skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080424-194008-949.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qfr skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080426-000832-528.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qfr skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\QooBox\Quarantine\C\WINDOWS\dpevflbg.dll.vir Infected: Trojan.Win32.Vapsup.efn skipped
C:\QooBox\Quarantine\C\WINDOWS\olgdqarf.exe.vir Infected: Trojan.Win32.Vapsup.edd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ddcASjIa.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.qfr skipped
C:\QooBox\Quarantine\C\WINDOWS\vadokmxt.dll.vir Infected: Trojan.Win32.Vapsup.efo skipped
C:\QooBox\Quarantine\C\WINDOWS\wdpoefan.dll.vir Infected: Trojan.Win32.Vapsup.efr skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{0BEACA1E-0E72-447E-BC66-29153F3F1838}\RP15\A0012602.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{0BEACA1E-0E72-447E-BC66-29153F3F1838}\RP43\A0038618.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{0BEACA1E-0E72-447E-BC66-29153F3F1838}\RP61\A0042717.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.e skipped
C:\System Volume Information\_restore{0BEACA1E-0E72-447E-BC66-29153F3F1838}\RP85\A0056595.dll Infected: Trojan.Win32.Vapsup.efq skipped
C:\System Volume Information\_restore{0BEACA1E-0E72-447E-BC66-29153F3F1838}\RP87\A0058590.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{0BEACA1E-0E72-447E-BC66-29153F3F1838}\RP87\A0058592.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qfr skipped
C:\System Volume Information\_restore{0BEACA1E-0E72-447E-BC66-29153F3F1838}\RP89\A0059754.dll Infected: Trojan.Win32.Vapsup.efn skipped
C:\System Volume Information\_restore{0BEACA1E-0E72-447E-BC66-29153F3F1838}\RP89\A0059755.exe Infected: Trojan.Win32.Vapsup.edd skipped
C:\System Volume Information\_restore{0BEACA1E-0E72-447E-BC66-29153F3F1838}\RP89\A0059756.dll Infected: Trojan.Win32.Vapsup.efo skipped
C:\System Volume Information\_restore{0BEACA1E-0E72-447E-BC66-29153F3F1838}\RP89\A0059757.dll Infected: Trojan.Win32.Vapsup.efr skipped
C:\System Volume Information\_restore{0BEACA1E-0E72-447E-BC66-29153F3F1838}\RP89\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{D6851CDE-4787-4543-9F88-87A71C36D0EB}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\xcpelhbm.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#8 bamajim

Posted 28 April 2008 - 04:07 PM

PrittStick

Just a few to clean up.

1. We need to make sure we can see hidden files and folders.

To enable the viewing of hidden and system files, follow these steps:
Right click on Start and select Explore.
Select the Tools menu and click Folder Options.
After the new window appears, select the View tab.
Put a checkmark in the checkbox labeled Display the contents of system folders.
Under the Hidden files and folders section, select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Click Yes to confirm.
Press the Apply button and then the OK button.

Next, using Windows Explorer (right click on "Start", select "Explore", and you will see the "tree" of file folders in the left side of the window; click on the "+" next to any folder name to expand its contents):

Locate and delete the following files:
C:\Documents and Settings\ben\Desktop\james\hot chip.zip
C:\Documents and Settings\ben\Desktop\james\saves the day-driving cars.wm
C:\Documents and Settings\ben\Desktop\james\starsailers.mp3
C:\WINDOWS\system32\xcpelhbm.exe

Locate and delete the following folder:
C:\Program Files\Trend Micro\HijackThis\backups

Locate and empty the following folder (but do not delete the folder itself):
C:\QooBox\Quarantine

Close Windows Explorer -> Reboot your PC -> Rerun HijackThis and post a fresh HijackThis log.

And in your reply, tell me how your PC is running now.
Microsoft MVP - Windows Security
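The cleanup plan above follows directly from reading the Kaspersky report: only detections outside the HijackThis backups folder, ComboFix's QooBox quarantine and the System Restore snapshots are live files, and the many "Object is locked skipped" lines are in-use system files (registry hives, event logs, index.dat), not findings. The script below is an added example, not part of this thread and not code from Kaspersky, ComboFix or HijackThis, that automates that triage. It parses the report's line format, resolves archive members such as hot chip.zip/Setup.exe back to the file on disk, and emits the same plan bamajim gives: files to delete, the backups folder to delete, the quarantine folder to empty, plus the restore points that only the System Restore purge he asks for in post #10 will clear. The sample lines are copied from the report posted above; the folder prefixes, function names and classification rules are this example's own assumptions.

```python
"""Triage a Kaspersky Online Scanner report into a cleanup plan.

Added example, not part of the thread. The sample report lines below are
copied from the log posted above; HJT_BACKUPS, CF_QUARANTINE, the regexes and
the function names are this example's own assumptions.
"""
import re

# Constructed sample: lines copied from the Kaspersky report in the thread.
SAMPLE_REPORT = """\
C:\\Documents and Settings\\ben\\Cookies\\index.dat Object is locked skipped
C:\\Documents and Settings\\ben\\Desktop\\james\\hot chip.zip/Setup.exe Infected: not-a-virus:AdWare.Win32.Agent.zk skipped
C:\\Documents and Settings\\ben\\Desktop\\james\\hot chip.zip ZIP: infected - 1 skipped
C:\\Documents and Settings\\ben\\Desktop\\james\\starsailers.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
C:\\Program Files\\Trend Micro\\HijackThis\\backups\\backup-20080424-192928-918.dll Infected: Trojan.Win32.Vapsup.efq skipped
C:\\QooBox\\Quarantine\\C\\WINDOWS\\olgdqarf.exe.vir Infected: Trojan.Win32.Vapsup.edd skipped
C:\\System Volume Information\\_restore{0BEACA1E-0E72-447E-BC66-29153F3F1838}\\RP89\\A0059755.exe Infected: Trojan.Win32.Vapsup.edd skipped
C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped
C:\\WINDOWS\\system32\\xcpelhbm.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
"""

# One report line is "<path> <verdict> skipped". Paths contain spaces, so the
# non-greedy path group is only allowed to stop where a known verdict starts.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<name>\S+)"
    r"|Object is locked"
    r"|(?P<archive>[A-Z0-9]+): infected - \d+)"
    r" skipped$"
)

# Locations that hold copies kept by cleanup tools or by System Restore, not
# live malware. Assumed defaults for this machine; compared case-insensitively.
HJT_BACKUPS = r"C:\Program Files\Trend Micro\HijackThis\backups"
CF_QUARANTINE = r"C:\QooBox\Quarantine"
RESTORE_RE = re.compile(
    r"^C:\\System Volume Information\\_restore\{[^}]+\}\\(RP\d+)\\", re.I)


def parse_report(text):
    """Yield (path, verdict) pairs; verdict is None for locked-and-skipped entries."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, statistics and blank lines
        if m.group("name"):
            verdict = m.group("name")
        elif m.group("archive"):
            verdict = "archive:" + m.group("archive")
        else:
            verdict = None
        yield m.group("path"), verdict


def on_disk_path(path):
    """Map an archive member ('x.zip/Setup.exe') to the file that contains it.
    Windows paths use backslashes, so a forward slash only appears as the
    member separator the scanner inserts."""
    return path.split("/", 1)[0]


def _under(path, folder):
    return path.lower().startswith(folder.lower() + "\\")


def triage(text):
    """Build the cleanup plan. Locked entries are counted, never acted on:
    deleting a registry hive because the scanner could not open it would
    break the machine, and it is not a detection."""
    plan = {"delete_files": set(), "delete_folders": set(),
            "empty_folders": set(), "restore_points": set()}
    locked = 0
    for path, verdict in parse_report(text):
        if verdict is None:
            locked += 1
            continue
        path = on_disk_path(path)
        rp = RESTORE_RE.match(path)
        if _under(path, HJT_BACKUPS):
            plan["delete_folders"].add(HJT_BACKUPS)
        elif _under(path, CF_QUARANTINE):
            plan["empty_folders"].add(CF_QUARANTINE)
        elif rp:
            plan["restore_points"].add(rp.group(1))
        else:
            plan["delete_files"].add(path)
    result = {k: sorted(v) for k, v in plan.items()}
    result["locked_skipped"] = locked
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(key, value)
```

Run as-is it prints the plan for the embedded sample; to use it on a real run, pass the contents of the saved kaspersky.txt to triage(). The archive summary line ("hot chip.zip ZIP: infected - 1") and the member line ("hot chip.zip/Setup.exe") both resolve to the same file, so the zip is listed once, which is exactly how post #8 lists it.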

#9 PrittStick (Topic Starter)

Posted 28 April 2008 - 07:17 PM

Hi bamajim, thanks for helping, my computer is much better now. Overall I don't have any major issues now, but I do feel that my computer can get very slow, which only seems to have happened over the past week or so.

Here is my HijackThis log. Thanks again :thumbsup:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:14:49, on 29/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1165078554578
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppD...ap/DigWXMSN.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - http://gameadvisor.futuremark.com/global/msc311.cab
O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} (NTR ActiveX 1.1.8) - http://eu.ntrsupport.com/inquiero/mod/setu...tivex118_24.cab
O16 - DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} (InfosFinder2.InfosFinder) - http://support.packardbell.com/files/activ...nfosFinder2.CAB
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 6957 bytes

#10 bamajim

Posted 29 April 2008 - 07:14 AM

PrittStick

You may now remove/delete/uninstall the tools we used to clean your PC.

Now that your log is clean, there are some final notes:

Disable and enable System Restore: let's create a clean System Restore point. The instructions are here.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u5.
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation, with or without Multi-language, and save it to your desktop.
Close any programs you may have running, especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u5-windows-i586-p.exe to install the newest version.

Update your anti-virus software.

Use and maintain a firewall. There is a list HERE, all of which are free.

Visit Microsoft's Windows Update site frequently for critical updates.

Back up your important documents and files on a regular basis, to a disc or a USB key, not your hard drive.

You may want to read this article: "So how did I get infected in the first place?" by Tony Klein.

surf safe
Microsoft MVP - Windows Security
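The Java step above asks the user to uninstall every older JRE and then post a fresh log. The script below is an added example, not part of the original thread or of HijackThis: it parses HijackThis-style entries, pulls every JRE version out of the file paths, flags any below the recommended 6u5 (versioned 1.6.0_05 on disk), and lists O23 services with no publisher for manual review. The sample lines are constructed from the entry formats seen in the logs above; the jre1.5.0_11 line is invented to show a leftover older install.

```python
import re

# Constructed sample lines in HijackThis v2.0.2 format, modelled on the entries
# in the logs above. The jre1.5.0_11 line is invented to show a leftover
# older Java install; this is not a real log.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [OldJava] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# JRE 6 update 5 appears as 1.6.0_05 in its install path.
MIN_JRE = (1, 6, 0, 5)

ENTRY_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+) - (.*)$")
JRE_RE = re.compile(r"jre(\d+)\.(\d+)\.(\d+)_(\d+)", re.IGNORECASE)
SERVICE_RE = re.compile(r"^Service: (.+?) - (.+?) - (.+)$")

def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def java_versions(entries):
    """Collect every JRE version referenced by a file path anywhere in the log."""
    found = set()
    for _, body in entries:
        for m in JRE_RE.finditer(body):
            found.add(tuple(int(x) for x in m.groups()))
    return found

def outdated_java(entries, minimum=MIN_JRE):
    """Versions older than the recommended one: these should have been uninstalled."""
    return sorted(v for v in java_versions(entries) if v < minimum)

def unknown_owner_services(entries):
    """O23 services with no publisher, the ones a reviewer looks up by hand."""
    flagged = []
    for section, body in entries:
        m = SERVICE_RE.match(body) if section == "O23" else None
        if m and m.group(2).strip().lower() == "unknown owner":
            flagged.append((m.group(1), m.group(3)))
    return flagged
```

Run against the real follow-up log, an empty result from outdated_java confirms the uninstall step took; the version found (1.6.0_06 in the log above) is newer than the 6u5 the post recommended.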

#11 PrittStick

  • Topic Starter
  • Members
  • 97 posts
  • Location:Wolverhampton, England
  • Local time:10:33 PM

Posted 13 May 2008 - 10:04 AM

Hi, I just wanted to say that I have done all of the things you have recommended and if you feel the need to check anything, here is a new HijackThis log.

Thanks again :thumbsup:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:03:53, on 13/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1165078554578
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppD...ap/DigWXMSN.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - http://gameadvisor.futuremark.com/global/msc311.cab
O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} (NTR ActiveX 1.1.8) - http://eu.ntrsupport.com/inquiero/mod/setu...tivex118_24.cab
O16 - DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} (InfosFinder2.InfosFinder) - http://support.packardbell.com/files/activ...nfosFinder2.CAB
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 7784 bytes

#12 bamajim

  • Members
  • 894 posts
  • Local time:05:33 PM

Posted 13 May 2008 - 11:09 AM

PrittStick

You are most welcome.

Looks good :thumbsup:

surf safe
Microsoft MVP - Windows Security
