Please Help Me Newbie To This


  • This topic is locked
15 replies to this topic

#1 ~1234

~1234

  • Members
  • 18 posts
  • OFFLINE

Posted 06 May 2008 - 08:24 PM

About a week ago I downloaded a file from Limewire. I was so stupid to do that because it was supposed to be a game and it took about 5 seconds to download. To add to it, I opened the file and a window popped up with a black background. Ever since then I have been getting pop-ups. Some of them say "ads by gooochi", some are just ads, and some are searches for stuff. I went to do a system restore but there were not any previous dates so I couldn't. So I reinstalled Windows XP totally and deleted all my files and stuff. It is still there! I still get pop-ups. Also installed are these weird programs that I know I did not install. Someone, I would greatly appreciate your help :]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:44:59 PM, on 5/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgsvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\stsystra.exe
C:\Documents and Settings\Sydney\lsass.exe
C:\WINDOWS\system32\bkEur18\bkEur182328.exe
c:\windows\system32\rwwnw64d.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\TWl0Y2hlbGw\command.exe
C:\WINDOWS\system32\lcntmkdm.exe
C:\WINDOWS\17PHolmes1000106.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Sydney\lsass.exe
O4 - HKLM\..\Run: [{A9-99-96-65-DW}] c:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\lcntmkdm.exe DWram
O4 - HKLM\..\Run: [{13e36e24-89fe-bc54-3953-335389628b1b}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{6de8ba7c-ed02-9998-3d06-661f928084a6}.dll" DllInit
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\lcntmkdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWl0Y2hlbGw\command.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 4002 bytes
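A small triage script for the O4 (autorun) and O23 (service) line formats of the HijackThis log above, added here as an example; it is not part of HijackThis and not the poster's own output. The sample lines are copied from the log above plus one clean Intel service line for contrast, and the three checks (core Windows process names used as autorun entries, autoruns launched from a user profile root, services with an unknown owner) are this example's own heuristics, not HijackThis rules.

```python
"""Flag the first things a helper looks for in HijackThis O4/O23 lines.

Added example for this thread (not HijackThis code). The heuristics are
deliberately narrow: a core Windows process name such as lsass.exe never
belongs in a Run key, an executable sitting directly in a user profile
root is unusual, and a service with no identifiable owner deserves a look.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample in HijackThis 2.0.2 format: entries copied from the
# log posted above, plus one clean Intel service line for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Sydney\lsass.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWl0Y2hlbGw\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
"""

# Line shapes as HijackThis prints them.
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_STARTUP_RE = re.compile(r"^O4 - Startup: (?P<name>.+?) = (?P<cmd>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)
# A quoted path, or an unquoted path that runs up to the first ".exe".
EXE_RE = re.compile(r'"([^"]+)"|([^"\s][^"]*?\.exe)', re.IGNORECASE)

# Processes that are started by the OS itself, never from a Run key.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "spoolsv.exe"}


@dataclass
class Finding:
    line_no: int
    entry: str
    path: str
    reason: str


def exe_from_command(cmd: str):
    """Return the executable part of an autorun command line, or None."""
    m = EXE_RE.search(cmd)
    return (m.group(1) or m.group(2)) if m else None


def parent_parts(path: str):
    """Lower-cased directory components of a Windows path ('C:\\', 'windows', ...)."""
    return tuple(p.lower() for p in PureWindowsPath(path).parent.parts)


def check_autorun(line_no: int, entry: str, cmd: str):
    exe = exe_from_command(cmd)
    if exe is None:
        return []
    findings = []
    name = PureWindowsPath(exe).name.lower()
    parent = parent_parts(exe)
    if name in CORE_PROCESSES:
        in_sys32 = len(parent) == 3 and parent[1:] == ("windows", "system32")
        where = "in system32" if in_sys32 else f"outside system32 ({exe})"
        findings.append(Finding(line_no, entry, exe,
                                f"core Windows process name '{name}' used as an autorun entry, {where}"))
    # C:\Documents and Settings\<user>\something.exe: exactly three directory parts.
    if len(parent) == 3 and parent[1] == "documents and settings":
        findings.append(Finding(line_no, entry, exe, "executable launched from a user profile root"))
    return findings


def check_service(line_no: int, m: "re.Match"):
    if m["owner"].strip().lower() == "unknown owner":
        return [Finding(line_no, m["display"], m["path"], "service registered with no identifiable owner")]
    return []


def triage(log_text: str):
    """Parse O4/O23 lines and return the findings in log order."""
    findings = []
    for line_no, line in enumerate(log_text.strip().splitlines(), start=1):
        line = line.strip()
        if m := O4_RUN_RE.match(line):
            findings += check_autorun(line_no, f"{m['hive']} Run [{m['name']}]", m["cmd"])
        elif m := O4_STARTUP_RE.match(line):
            findings += check_autorun(line_no, f"Startup {m['name']}", m["cmd"])
        elif m := O23_RE.match(line):
            findings += check_service(line_no, m)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.entry} -> {f.path}: {f.reason}")
```

Run against the full log rather than the sample, the same rules also pick up the second posted log's `LSA Shellu` entry and both unknown-owner services; they deliberately say nothing about the random-name binaries, which need a file check rather than a line-format heuristic.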




#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 07 May 2008 - 01:24 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please go to this page and scroll down to step 6.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Follow the directions there to run DSS and then post those logs back here in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 ~1234

~1234
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE

Posted 07 May 2008 - 05:08 PM

Deckard's System Scanner v20071014.68
Run by Sydney on 2008-05-07 18:03:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
6: 2008-05-07 22:03:53 UTC - RP6 - Deckard's System Scanner Restore Point
5: 2008-05-07 02:51:12 UTC - RP5 - Software Distribution Service 3.0
4: 2008-05-06 22:30:48 UTC - RP4 - Last known good configuration
3: 2008-05-06 22:30:43 UTC - RP3 - Installed SigmaTel Audio
2: 2008-05-06 22:30:43 UTC - RP2 - Installed Windows XP KB835221WXP.


-- First Restore Point --
1: 2008-05-06 22:30:42 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as Sydney.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:04:09 PM, on 5/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\TWl0Y2hlbGw\command.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Documents and Settings\Sydney\lsass.exe
C:\WINDOWS\system32\lcntmkdm.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\mrofinu1000106.exe
C:\Program Files\winvi\wupda.exe
c:\windows\system32\jlwnw64j.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sydney\Desktop\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Sydney.exe

O2 - BHO: (no name) - {0D99C21B-CA48-4021-8948-7009DD5C3449} - C:\WINDOWS\system32\qOIyVNGY.dll
O2 - BHO: (no name) - {4F96CCB9-01EC-419E-AAEA-C2C913F2A236} - C:\WINDOWS\system32\khffgGYp.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Sydney\lsass.exe
O4 - HKLM\..\Run: [{A9-99-96-65-DW}] c:\windows\system32\jlwnw64j.exe DWram
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\lcntmkdm.exe DWram
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\lcntmkdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jlwnw64j.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: khffgGYp - C:\WINDOWS\SYSTEM32\khffgGYp.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWl0Y2hlbGw\command.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 3945 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 rdpcddd - c:\windows\system32\drivers\rdpcddd.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.6.0.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.6.0.0>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 cmdService (Command Service) - c:\windows\twl0y2hlbgw\command.exe
R2 Network Monitor - c:\program files\network monitor\netmon.exe service
R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>
R2 WLANKEEPER (Intel® PROSet/Wireless SSO Service) - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSO Service>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01C91028&REV_02\4&2FA23535&0&00F0
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01C91028&REV_02\4&2FA23535&0&00F0
Service:


-- Files created between 2008-04-07 and 2008-05-07 -----------------------------

2008-05-07 17:31:26 49163 --a------ C:\WINDOWS\system32\jlwnw64j.exe <Not Verified; ; Browser Driver>
2008-05-06 22:51:20 0 d-------- C:\WINDOWS\system32\PreInstall
2008-05-06 22:51:17 0 d--h----- C:\WINDOWS\$hf_mig$
2008-05-06 22:42:14 0 d---s---- C:\Documents and Settings\Sydney\UserData
2008-05-06 21:28:23 0 d-------- C:\Documents and Settings\Sydney\Application Data\Adobe
2008-05-06 18:45:59 0 d-------- C:\Documents and Settings\Sydney\Application Data\Macromedia
2008-05-06 18:43:57 0 d-------- C:\Program Files\Trend Micro
2008-05-06 18:32:58 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-06 18:32:52 0 d-------- C:\Documents and Settings\Sydney\Application Data\Mozilla
2008-05-06 18:30:32 7970 --ahs---- C:\WINDOWS\system32\YGNVyIOq.ini2
2008-05-06 18:30:27 281600 --a------ C:\WINDOWS\system32\qOIyVNGY.dll
2008-05-06 18:26:15 687592 --a------ C:\WINDOWS\system32\atmtd.dll
2008-05-06 18:26:13 862 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-05-06 18:26:13 37376 --a------ C:\WINDOWS\mrofinu1000106.exe
2008-05-06 18:26:07 37376 --a------ C:\WINDOWS\mrofinu1188.exe
2008-05-06 18:26:03 200768 --a------ C:\WINDOWS\system32\lcntmkdm.exe
2008-05-06 18:26:03 0 d-------- C:\Documents and Settings\LocalService\Application Data\NetMon
2008-05-06 18:26:01 1989 --a------ C:\WINDOWS\uninstall_nmon.vbs
2008-05-06 18:26:01 0 d-------- C:\Program Files\Network Monitor
2008-05-06 18:26:00 0 d--hs---- C:\WINDOWS\TWl0Y2hlbGw
2008-05-06 18:25:54 401964 --a------ C:\WINDOWS\system32\g90.exe
2008-05-06 18:25:50 49160 --a------ C:\WINDOWS\system32\rwwnw64d.exe <Not Verified; ; Browser Driver>
2008-05-06 18:25:47 0 d-------- C:\Program Files\winvi
2008-05-06 18:25:46 86144 --a------ C:\WINDOWS\system32\drivers\rdpcddd.sys
2008-05-06 18:25:43 0 d-------- C:\WINDOWS\system32\din3
2008-05-06 18:25:43 0 d-------- C:\WINDOWS\system32\cNF
2008-05-06 18:25:43 0 d-------- C:\WINDOWS\system32\cdTMP
2008-05-06 18:25:43 0 d-------- C:\WINDOWS\system32\12033
2008-05-06 18:25:31 0 d-------- C:\WINDOWS\system32\bkEur18
2008-05-06 18:25:31 0 d-------- C:\Temp
2008-05-06 18:25:21 44544 --a------ C:\WINDOWS\system32\khffgGYp.dll
2008-05-06 18:25:14 28160 --a------ C:\Documents and Settings\Sydney\services.exe
2008-05-06 18:24:50 85504 ---hs---- C:\Documents and Settings\Sydney\lsass.exe
2008-05-06 18:23:33 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-05-06 18:20:35 389120 --a------ C:\WINDOWS\system32\STLang.dll <Not Verified; SigmaTel, Inc.; C-Major Audio>
2008-05-06 18:20:35 393216 --a------ C:\WINDOWS\stsystra.exe <Not Verified; SigmaTel, Inc.; C-Major Audio>
2008-05-06 18:20:10 0 d-------- C:\Program Files\SigmaTel
2008-05-06 18:20:10 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-06 18:18:28 0 d-------- C:\Documents and Settings\Sydney\Application Data\Intel
2008-05-06 18:18:28 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Intel
2008-05-06 18:18:28 0 d-------- C:\Documents and Settings\LocalService\Application Data\Intel
2008-05-06 18:18:28 0 d-------- C:\Documents and Settings\Default User\Application Data\Intel
2008-05-06 18:18:22 21425 --a------ C:\WINDOWS\system32\drivers\AegisP.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.6.0.0>
2008-05-06 18:18:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Intel
2008-05-06 18:17:56 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-06 18:17:31 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-05-06 18:17:29 0 d-------- C:\Program Files\Intel
2008-05-06 18:12:02 0 d-------- C:\Documents and Settings\Sydney\Application Data\Identities
2008-05-06 18:11:52 0 d--h----- C:\Documents and Settings\Sydney\Templates
2008-05-06 18:11:52 0 dr------- C:\Documents and Settings\Sydney\Start Menu
2008-05-06 18:11:52 0 dr-h----- C:\Documents and Settings\Sydney\SendTo
2008-05-06 18:11:52 0 dr-h----- C:\Documents and Settings\Sydney\Recent
2008-05-06 18:11:52 0 d--h----- C:\Documents and Settings\Sydney\PrintHood
2008-05-06 18:11:52 786432 --ah----- C:\Documents and Settings\Sydney\NTUSER.DAT
2008-05-06 18:11:52 0 d--h----- C:\Documents and Settings\Sydney\NetHood
2008-05-06 18:11:52 0 dr------- C:\Documents and Settings\Sydney\My Documents
2008-05-06 18:11:52 0 d--h----- C:\Documents and Settings\Sydney\Local Settings
2008-05-06 18:11:52 0 dr------- C:\Documents and Settings\Sydney\Favorites
2008-05-06 18:11:52 0 d-------- C:\Documents and Settings\Sydney\Desktop
2008-05-06 18:11:52 0 d---s---- C:\Documents and Settings\Sydney\Cookies
2008-05-06 18:11:52 0 dr-h----- C:\Documents and Settings\Sydney\Application Data
2008-05-06 18:09:26 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-05-06 18:09:25 0 d-------- C:\WINDOWS\Prefetch
2008-05-06 18:09:21 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-05-06 18:09:20 225280 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-05-06 18:09:20 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-05-06 18:09:20 0 d---s---- C:\Documents and Settings\LocalService\Cookies
2008-05-06 18:09:20 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-05-06 18:09:20 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-05-06 18:08:09 225280 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-05-06 18:08:09 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-05-06 18:08:09 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
2008-05-06 18:08:09 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-05-06 18:08:09 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-05-06 18:04:48 0 d-------- C:\WINDOWS\system32\xircom
2008-05-06 18:04:48 0 d-------- C:\Program Files\microsoft frontpage
2008-05-06 18:04:44 225280 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-05-06 18:04:44 0 d-------- C:\DELL
2008-05-06 18:04:37 0 -rahs---- C:\MSDOS.SYS
2008-05-06 18:04:37 0 -rahs---- C:\IO.SYS
2008-05-06 18:04:37 0 --a------ C:\CONFIG.SYS
2008-05-06 18:04:37 0 --a------ C:\AUTOEXEC.BAT
2008-05-06 18:03:31 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-05-06 18:03:22 0 dr------- C:\WINDOWS\Offline Web Pages
2008-05-06 18:03:22 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-05-06 18:03:11 0 d--h----- C:\Program Files\WindowsUpdate
2008-05-06 18:02:51 0 d-------- C:\WINDOWS\system32\DirectX
2008-05-06 18:02:13 0 d---s---- C:\WINDOWS\Tasks
2008-05-06 18:02:12 0 d-------- C:\Program Files\Common Files\MSSoap
2008-05-06 18:02:08 0 d-------- C:\WINDOWS\srchasst
2008-05-06 18:02:06 0 d-------- C:\WINDOWS\system32\Macromed
2008-05-06 18:01:56 0 d-------- C:\Program Files\Movie Maker
2008-05-06 18:01:48 0 d-------- C:\WINDOWS\system32\Restore
2008-05-06 18:01:24 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-05-06 18:01:05 0 d-------- C:\WINDOWS\Registration
2008-05-06 18:00:37 0 d-------- C:\Program Files\Online Services
2008-05-06 18:00:32 0 d-------- C:\Program Files\Messenger
2008-05-06 18:00:28 0 d-------- C:\Program Files\MSN Gaming Zone
2008-05-06 17:59:44 0 d-------- C:\Program Files\Windows NT
2008-05-06 17:59:41 0 d-------- C:\WINDOWS\system32\MsDtc
2008-05-06 17:59:39 0 d-------- C:\WINDOWS\system32\Com
2008-05-06 13:55:29 0 d--hs---- C:\WINDOWS\Installer
2008-05-06 13:55:29 0 d-------- C:\Program Files\Common Files\ODBC
2008-05-06 13:55:25 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-05-06 13:55:24 0 dr------- C:\Program Files
2008-05-06 13:55:24 0 d-------- C:\Program Files\Common Files
2008-05-06 13:54:59 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-05-06 13:54:59 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-05-06 13:54:59 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-05-06 13:54:59 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-05-06 13:54:59 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-05-06 13:54:59 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-05-06 13:54:59 0 dr------- C:\Documents and Settings\All Users\Documents
2008-05-06 13:54:59 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-05-06 13:54:58 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-05-06 13:54:58 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-05-06 13:54:58 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-05-06 13:54:58 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-05-06 13:54:58 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-05-06 13:54:58 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-05-06 13:54:58 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-05-06 13:54:58 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-05-06 13:54:45 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-05-06 13:54:45 0 d-------- C:\WINDOWS\system32\CatRoot
2008-05-06 13:54:39 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-05-06 13:54:39 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-05-06 13:54:39 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-05-06 13:54:39 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-05-06 13:54:14 0 d--hs---- C:\System Volume Information
2008-05-06 13:54:14 0 d-------- C:\Documents and Settings
2008-05-06 13:40:41 0 d-------- C:\WINDOWS
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\WinSxS
2008-05-06 13:40:41 0 dr------- C:\WINDOWS\Web
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\twain_32
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system32
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system32\wins
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system32\wbem
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system32\usmt
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system32\spool
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system32\ShellExt
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system32\Setup
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system32\ras
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system32\oobe
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system32\npp
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system32\mui
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system32\inetsrv
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system32\IME
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system32\icsxml
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system32\ias
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system32\export
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system32\drivers
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-05-06 13:40:41 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system32\dhcp
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system32\config
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system32\3076
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system32\2052
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system32\1054
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system32\1042
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system32\1041
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system32\1037
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system32\1033
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system32\1031
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system32\1028
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system32\1025
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\system
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\security
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\Resources
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\repair
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\Provisioning
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\PeerNet
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\pchealth
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\mui
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\msapps
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\msagent
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\Media
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\java
2008-05-06 13:40:41 0 d--h----- C:\WINDOWS\inf
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\ime
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\Help
2008-05-06 13:40:41 0 dr--s---- C:\WINDOWS\Fonts
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\Driver Cache
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\dell
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\Debug
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\Cursors
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\Connection Wizard
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\Config
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\AppPatch
2008-05-06 13:40:41 0 d-------- C:\WINDOWS\addins


-- Find3M Report ---------------------------------------------------------------

2008-05-06 13:54:58 62 --ahs---- C:\Documents and Settings\Sydney\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D99C21B-CA48-4021-8948-7009DD5C3449}]
05/06/2008 06:30 PM 281600 --a------ C:\WINDOWS\system32\qOIyVNGY.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4F96CCB9-01EC-419E-AAEA-C2C913F2A236}]
05/06/2008 06:25 PM 44544 --a------ C:\WINDOWS\system32\khffgGYp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [02/21/2007 11:19 AM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [02/21/2007 11:17 AM]
"SigmatelSysTrayApp"="stsystra.exe" [09/09/2005 06:19 PM C:\WINDOWS\stsystra.exe]
"LSA Shellu"="C:\Documents and Settings\Sydney\lsass.exe" [05/03/2008 12:16 AM]
"{A9-99-96-65-DW}"="c:\windows\system32\jlwnw64j.exe" [05/07/2008 05:31 PM]
"ExploreUpdSched"="C:\WINDOWS\system32\lcntmkdm.exe" [05/06/2008 06:26 PM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [10/14/2005 03:49 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [10/14/2005 03:46 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [10/14/2005 03:50 PM]
"runner1"="C:\WINDOWS\mrofinu1000106.exe" [05/06/2008 06:26 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinUpdater"="C:\Program Files\winvi\update.exe" []
"WebSUpdater"="C:\Program Files\winvi\wupda.exe" [04/25/2008 03:57 AM]

C:\Documents and Settings\Sydney\Start Menu\Programs\Startup\
Deewoo.lnk - C:\WINDOWS\system32\lcntmkdm.exe [5/6/2008 6:26:03 PM]
DW_Start.lnk - C:\WINDOWS\system32\jlwnw64j.exe [5/7/2008 5:31:26 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceActiveDesktopOn"=0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4F96CCB9-01EC-419E-AAEA-C2C913F2A236}"= C:\WINDOWS\system32\khffgGYp.dll [05/06/2008 06:25 PM 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khffgGYp]
khffgGYp.dll 05/06/2008 06:25 PM 44544 C:\WINDOWS\system32\khffgGYp.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\qOIyVNGY


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b4b4a1b-1b95-11dd-a95c-806d6172696f}]
AutoRun\command- D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70887a3d-1bb9-11dd-a95d-c336e334025e}]
Auto\command- E:\Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe




-- End of Deckard's System Scanner: finished at 2008-05-07 18:05:18 ------------


And another Notepad window popped up, saying "extra":

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1.70GHz
Percentage of Memory in Use: 53%
Physical Memory (total/avail): 503.37 MiB / 235.34 MiB
Pagefile Memory (total/avail): 1228.81 MiB / 980.38 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1925.84 MiB

C: is Fixed (NTFS) - 37.25 GiB total, 35 GiB free.
D: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - ST9408114A - 37.26 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.25 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Sydney\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=B3DR00M
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Sydney
LOGONSERVER=\\B3DR00M
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Sydney\LOCALS~1\Temp
TMP=C:\DOCUME~1\Sydney\LOCALS~1\Temp
USERDOMAIN=B3DR00M
USERNAME=Sydney
USERPROFILE=C:\Documents and Settings\Sydney
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Sydney (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Command --> wscript "C:\WINDOWS\TWl0Y2hlbGw\nq5XsZ15v3T.vbs"
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel® Graphics Media Accelerator Driver for Mobile --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
mCore --> MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDriver --> MsiExec.exe /I{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mHlpDell --> MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mSCfg --> MsiExec.exe /I{829CD169-E692-48E8-9BDE-A3E8D8B65538}
mSSO --> MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
MSXML 6.0 Parser --> MsiExec.exe /I{AEB9948B-4FF2-47C9-990E-47014492A0FE}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mWMI --> MsiExec.exe /I{63DB9CCD-2B56-4217-9A3D-507AC78320CA}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
Network Monitor --> wscript "C:\WINDOWS\uninstall_nmon.vbs"
SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly


-- Application Event Log -------------------------------------------------------

Event Record #/Type68 / Warning
Event Submitted/Written: 05/06/2008 06:18:59 PM
Event ID/Source: 5603 / WinMgmt
Event Description:
A provider, CIMWiFiProvider, has been registered in the WMI namespace, root\CIMV2, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Event Record #/Type67 / Warning
Event Submitted/Written: 05/06/2008 06:18:59 PM
Event ID/Source: 5603 / WinMgmt
Event Description:
A provider, CIMWiFiProvider, has been registered in the WMI namespace, root\CIMV2, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Event Record #/Type66 / Warning
Event Submitted/Written: 05/06/2008 06:18:59 PM
Event ID/Source: 5603 / WinMgmt
Event Description:
A provider, CIMWiFiProvider, has been registered in the WMI namespace, root\CIMV2, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Event Record #/Type11 / Warning
Event Submitted/Written: 05/06/2008 06:00:52 PM
Event ID/Source: 63 / WinMgmt
Event Description:
A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type665 / Error
Event Submitted/Written: 05/06/2008 10:57:33 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126

Event Record #/Type662 / Error
Event Submitted/Written: 05/06/2008 10:57:33 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126

Event Record #/Type659 / Error
Event Submitted/Written: 05/06/2008 10:57:33 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126

Event Record #/Type656 / Error
Event Submitted/Written: 05/06/2008 10:57:33 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126

Event Record #/Type653 / Error
Event Submitted/Written: 05/06/2008 10:57:32 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126



-- End of Deckard's System Scanner: finished at 2008-05-07 18:05:18 ------------



#4 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 07 May 2008 - 05:15 PM

You've got a lot of nastiness there my friend.

Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 ~1234

  • Topic Starter
  • Members
  • 18 posts

Posted 07 May 2008 - 05:35 PM

ComboFix 08-05-01.3 - Sydney 2008-05-07 18:27:05.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.194 [GMT -4:00]
Running from: C:\Documents and Settings\Sydney\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\Sydney\lsass.exe
C:\Documents and Settings\Sydney\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Sydney\Start Menu\Programs\Startup\DW_Start.lnk
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\temp\tn3
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\rdpcddd.sys
C:\WINDOWS\system32\khffgGYp.dll
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qOIyVNGY.dll
C:\WINDOWS\system32\YGNVyIOq.ini
C:\WINDOWS\system32\YGNVyIOq.ini2
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\TWl0Y2hlbGw\
C:\WINDOWS\TWl0Y2hlbGw\\asappsrv.dll
C:\WINDOWS\TWl0Y2hlbGw\\command.exe
C:\WINDOWS\TWl0Y2hlbGw\\nq5XsZ15v3T.vbs
C:\WINDOWS\TWl0Y2hlbGw\command.exe
C:\WINDOWS\uninstall_nmon.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Legacy_RDPCDDD
-------\Service_cmdService
-------\Service_Network Monitor
-------\Service_rdpcddd


((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
.

2008-05-07 18:03 . 2008-05-07 18:03 <DIR> d-------- C:\Deckard
2008-05-07 17:31 . 2008-05-07 17:31 49,163 --a------ C:\WINDOWS\system32\jlwnw64j.exe
2008-05-06 22:51 . 2008-05-06 22:51 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-05-06 22:51 . 2005-02-24 23:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-05-06 22:42 . 2008-05-06 22:42 <DIR> d---s---- C:\Documents and Settings\Sydney\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-07 21:42 --------- d-----w C:\Program Files\winvi
2008-05-06 22:43 --------- d-----w C:\Program Files\Trend Micro
2008-05-06 22:26 401,964 ----a-w C:\WINDOWS\system32\g90.exe
2008-05-06 22:26 200,768 ----a-w C:\WINDOWS\system32\lcntmkdm.exe
2008-05-06 22:25 49,160 ----a-w C:\WINDOWS\system32\rwwnw64d.exe
2008-05-06 22:25 28,160 ----a-w C:\Documents and Settings\Sydney\services.exe
2008-05-06 22:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-06 22:20 --------- d-----w C:\Program Files\SigmaTel
2008-05-06 22:18 21,425 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-05-06 22:18 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Intel
2008-05-06 22:18 --------- d-----w C:\Documents and Settings\Sydney\Application Data\Intel
2008-05-06 22:18 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Intel
2008-05-06 22:18 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Intel
2008-05-06 22:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intel
2008-05-06 22:17 --------- d-----w C:\Program Files\Intel
2008-05-06 22:17 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-06 22:04 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinUpdater"="C:\Program Files\winvi\update.exe" [ ]
"WebSUpdater"="C:\Program Files\winvi\wupda.exe" [2008-04-25 03:57 198185]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 11:19 819200]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 11:17 970752]
"SigmatelSysTrayApp"="stsystra.exe" [2005-09-09 18:19 393216 C:\WINDOWS\stsystra.exe]
"{A9-99-96-65-DW}"="c:\windows\system32\rwwnw64d.exe" [2008-05-06 18:25 49160]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 15:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 15:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 15:50 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khffgGYp]
khffgGYp.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70887a3d-1bb9-11dd-a95d-c336e334025e}]
\Shell\Auto\command - E:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 18:32:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2008-05-07 18:33:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-07 22:33:25

Pre-Run: 37,534,117,888 bytes free
Post-Run: 37,504,622,592 bytes free

122 --- E O F --- 2008-05-07 02:51:25

#6 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 08 May 2008 - 09:36 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Folder::
C:\Program Files\winvi

File::
C:\WINDOWS\system32\jlwnw64j.exe
C:\WINDOWS\system32\g90.exe
C:\WINDOWS\system32\lcntmkdm.exe
C:\WINDOWS\system32\rwwnw64d.exe
C:\Documents and Settings\Sydney\services.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinUpdater"=-
"WebSUpdater"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{A9-99-96-65-DW}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khffgGYp]

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


===============



Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.



========================================================

#7 ~1234

  • Topic Starter
  • Members
  • 18 posts

Posted 08 May 2008 - 04:49 PM

ComboFix 08-05-01.3 - Sydney 2008-05-08 17:43:36.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.280 [GMT -4:00]
Running from: C:\Documents and Settings\Sydney\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sydney\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Sydney\services.exe
C:\WINDOWS\system32\g90.exe
C:\WINDOWS\system32\jlwnw64j.exe
C:\WINDOWS\system32\lcntmkdm.exe
C:\WINDOWS\system32\rwwnw64d.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Sydney\services.exe
C:\Program Files\winvi
C:\Program Files\winvi\dsktp\AC_RunActiveContent.js
C:\Program Files\winvi\dsktp\desktop.html
C:\Program Files\winvi\dsktp\internetDetection.swf
C:\Program Files\winvi\dsktp\settings.sol
C:\Program Files\winvi\version.ini
C:\Program Files\winvi\wupda.exe
C:\WINDOWS\system32\g90.exe
C:\WINDOWS\system32\jlwnw64j.exe
C:\WINDOWS\system32\lcntmkdm.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((( Files Created from 2008-04-08 to 2008-05-08 )))))))))))))))))))))))))))))))
.

2008-05-08 17:40 . 2008-05-08 17:40 200,773 --a------ C:\WINDOWS\system32\lcntmkdn.exe
2008-05-08 03:00 . 2008-05-08 03:00 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-05-08 02:43 . 2008-05-08 02:43 13,942 --a------ C:\WINDOWS\system32\iphone-011.ico
2008-05-07 23:38 . 2008-05-07 23:38 11 --a------ C:\WINDOWS\3DShadow.INI
2008-05-07 22:32 . 2008-05-07 22:32 9,662 --a------ C:\WINDOWS\system32\vaio3-011.ico
2008-05-07 22:23 . 2008-05-07 22:23 <DIR> d-------- C:\Documents and Settings\Sydney\Application Data\Jasc
2008-05-07 20:37 . 2008-05-08 17:43 <DIR> d-------- C:\Documents and Settings\Sydney\Application Data\LimeWire
2008-05-07 20:32 . 2008-05-07 20:32 200,769 --a------ C:\WINDOWS\system32\tcntaxdn.exe
2008-05-07 20:28 . 2008-05-07 20:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-05-07 20:27 . 2008-05-07 20:28 <DIR> d-------- C:\Program Files\Common Files\Jasc Software Inc
2008-05-07 20:27 . 2008-05-07 20:27 <DIR> d-------- C:\Documents and Settings\Sydney\Application Data\Jasc Software Inc
2008-05-07 20:26 . 2008-05-07 22:04 <DIR> d-------- C:\Program Files\Jasc Software Inc
2008-05-07 19:55 . 2008-05-07 19:55 <DIR> d-------- C:\Program Files\Java
2008-05-07 19:55 . 2008-05-07 19:55 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-07 19:55 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-07 19:50 . 2008-05-07 19:50 <DIR> d-------- C:\Program Files\CCleaner
2008-05-07 18:58 . 2008-05-07 19:02 <DIR> d-------- C:\Program Files\LimeWire
2008-05-07 18:03 . 2008-05-07 18:03 <DIR> d-------- C:\Deckard
2008-05-06 22:51 . 2008-05-06 22:51 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-05-06 22:51 . 2005-02-24 23:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-05-06 22:42 . 2008-05-06 22:42 <DIR> d---s---- C:\Documents and Settings\Sydney\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-08 00:27 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-06 22:43 --------- d-----w C:\Program Files\Trend Micro
2008-05-06 22:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-06 22:20 --------- d-----w C:\Program Files\SigmaTel
2008-05-06 22:18 21,425 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-05-06 22:18 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Intel
2008-05-06 22:18 --------- d-----w C:\Documents and Settings\Sydney\Application Data\Intel
2008-05-06 22:18 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Intel
2008-05-06 22:18 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Intel
2008-05-06 22:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intel
2008-05-06 22:17 --------- d-----w C:\Program Files\Intel
2008-05-06 22:04 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((( snapshot@2008-05-07_18.33.14.01 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-07 22:32:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-08 21:11:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2002-07-25 22:13:18 24,576 ----a-w C:\WINDOWS\Downloaded Program Files\dwusplay.dll
+ 2002-07-25 22:13:12 196,608 ----a-w C:\WINDOWS\Downloaded Program Files\dwusplay.exe
+ 2004-06-16 10:02:10 323,584 ----a-w C:\WINDOWS\Downloaded Program Files\isusweb.dll
+ 2008-05-08 02:04:15 10,134 ----a-r C:\WINDOWS\Installer\{7C4196CA-CA41-4F34-9C08-7724E7705D52}\ARPPRODUCTICON.exe
+ 2008-05-08 02:04:15 49,152 ----a-r C:\WINDOWS\Installer\{7C4196CA-CA41-4F34-9C08-7724E7705D52}\NewShortcut1_7C4196CACA414F349C087724E7705D52.exe
+ 2008-05-08 00:28:08 25,214 ----a-r C:\WINDOWS\Installer\{F843C6A3-224D-4615-94F8-3C461BD9AEA0}\ARPPRODUCTICON.exe
- 2008-05-06 22:08:01 90,296 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-05-08 21:11:50 138,848 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-03-25 05:28:39 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-03-25 05:28:43 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-25 06:37:01 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2006-01-21 20:01:22 25,088 ----a-w C:\WINDOWS\system32\Macromed\Flash\genuinst.exe
+ 2006-01-03 23:14:12 20,480 ----a-w C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe
- 2005-09-08 05:03:50 1,330,888 ----a-w C:\WINDOWS\system32\msxml6.dll
+ 2007-05-15 19:43:10 1,320,800 ----a-w C:\WINDOWS\system32\msxml6.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 11:19 819200]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 11:17 970752]
"SigmatelSysTrayApp"="stsystra.exe" [2005-09-09 18:19 393216 C:\WINDOWS\stsystra.exe]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 15:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 15:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 15:50 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70887a3d-1bb9-11dd-a95d-c336e334025e}]
\Shell\Auto\command - E:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-08 17:44:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-08 17:44:26
ComboFix-quarantined-files.txt 2008-05-08 21:44:25
ComboFix2.txt 2008-05-08 21:40:09
ComboFix3.txt 2008-05-07 22:33:31

Pre-Run: 36,594,417,664 bytes free
Post-Run: 36,590,854,144 bytes free

127 --- E O F --- 2008-05-08 07:00:48



#8 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 08 May 2008 - 04:59 PM

Please post the log from your Superantispyware scan once you've had a chance to run it.


========================================================

#9 ~1234

  • Topic Starter
  • Members
  • 18 posts

Posted 08 May 2008 - 04:59 PM

Also, I re-downloaded Limewire. Should I have not done that? Since I got the virus from a file from Limewire.

#10 ~1234

  • Topic Starter
  • Members
  • 18 posts

Posted 09 May 2008 - 02:42 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/08/2008 at 06:09 PM

Application Version : 4.0.1154

Core Rules Database Version : 3455
Trace Rules Database Version: 1447

Scan type : Complete Scan
Total Scan Time : 00:14:41

Memory items scanned : 362
Memory threats detected : 0
Registry items scanned : 3076
Registry threats detected : 0
File items scanned : 15909
File threats detected : 32

Trojan.Downloader-CommandDesktop
C:\DECKARD\SYSTEM SCANNER\BACKUP\DOCUME~1\SYDNEY\LOCALS~1\TEMP\CMDINST.EXE

Trojan.NetMon/DNSChange
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\NETWORK MONITOR\NETMON.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4663120D-D8EB-41A8-93B0-03FAB9DEDCEC}\RP7\A0000233.EXE

Trojan.Downloader-Gen/MROFIN
C:\QOOBOX\QUARANTINE\C\WINDOWS\MROFINU1000106.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\MROFINU1188.EXE.VIR

Trojan.Unclassified/BrowserDriver
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\JLWNW64J.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\RWWNW64D.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4663120D-D8EB-41A8-93B0-03FAB9DEDCEC}\RP12\A0000572.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4663120D-D8EB-41A8-93B0-03FAB9DEDCEC}\RP12\A0000574.EXE
C:\WINDOWS\SYSTEM32\CDTMP\CDREV132.EXE

Adware.DeeWoo/ThinkAdz
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\LCNTMKDM.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4663120D-D8EB-41A8-93B0-03FAB9DEDCEC}\RP12\A0000573.EXE
C:\WINDOWS\SYSTEM32\LCNTMKDN.EXE
C:\WINDOWS\SYSTEM32\TCNTAXDN.EXE

Adware.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\ZXDNT3D.CFG.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4663120D-D8EB-41A8-93B0-03FAB9DEDCEC}\RP11\A0000322.CFG
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4663120D-D8EB-41A8-93B0-03FAB9DEDCEC}\RP12\A0000569.CFG
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4663120D-D8EB-41A8-93B0-03FAB9DEDCEC}\RP4\A0000118.CFG

Adware.Adservs
C:\QOOBOX\QUARANTINE\C\WINDOWS\TWL0Y2HLBGW\ASAPPSRV.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4663120D-D8EB-41A8-93B0-03FAB9DEDCEC}\RP7\A0000246.DLL
C:\WINDOWS\SYSTEM32\12033\CVSERCHKA.EXE
C:\WINDOWS\Prefetch\CVSERCHKA.EXE-2567A04C.pf

Unclassified.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\TWL0Y2HLBGW\COMMAND.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4663120D-D8EB-41A8-93B0-03FAB9DEDCEC}\RP7\A0000245.EXE

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\TWL0Y2HLBGW\NQ5XSZ15V3T.VBS.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\UNINSTALL_NMON.VBS.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4663120D-D8EB-41A8-93B0-03FAB9DEDCEC}\RP7\A0000238.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4663120D-D8EB-41A8-93B0-03FAB9DEDCEC}\RP7\A0000247.VBS

Adware.AdRotate/System
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4663120D-D8EB-41A8-93B0-03FAB9DEDCEC}\RP11\A0000321.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4663120D-D8EB-41A8-93B0-03FAB9DEDCEC}\RP4\A0000117.DLL

Adware.Vundo-Variant/H
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4663120D-D8EB-41A8-93B0-03FAB9DEDCEC}\RP7\A0000244.DLL

Rootkit.TNCore-Installer
C:\WINDOWS\SYSTEM32\DIN3\IS-SETUP03X.EXE

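The scan log above lists every hit by family, but the helper's next CFScript targets only two of them: the copies still live in system32, not the ones already sitting in ComboFix's Qoobox quarantine, Deckard's backup folder or the System Restore points. Below is an added triage script for logs in this format (it is not from the thread, from SUPERAntiSpyware or from ComboFix): it groups hits by family and separates files still on the live system from quarantined and restore-point copies. The sample log is a constructed excerpt of the one posted above, and the quarantine-folder prefixes are this example's own assumptions.

```python
import re
from collections import OrderedDict

# Constructed sample input: an excerpt of the SUPERAntiSpyware log posted above.
SAMPLE_LOG = r"""
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/08/2008 at 06:09 PM

Scan type : Complete Scan
File threats detected : 32

Trojan.NetMon/DNSChange
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\NETWORK MONITOR\NETMON.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4663120D-D8EB-41A8-93B0-03FAB9DEDCEC}\RP7\A0000233.EXE

Adware.DeeWoo/ThinkAdz
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\LCNTMKDM.EXE.VIR
C:\WINDOWS\SYSTEM32\LCNTMKDN.EXE
C:\WINDOWS\SYSTEM32\TCNTAXDN.EXE

Rootkit.TNCore-Installer
C:\WINDOWS\SYSTEM32\DIN3\IS-SETUP03X.EXE
"""

# A detection line is an absolute Windows path: drive letter, colon, backslash.
_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Folders holding copies already removed from the live system. Assumption of
# this example: ComboFix quarantines under C:\Qoobox\Quarantine and Deckard's
# System Scanner keeps its backups under C:\Deckard\System Scanner\backup.
_QUARANTINE_PREFIXES = (
    "C:\\QOOBOX\\QUARANTINE\\",
    "C:\\DECKARD\\SYSTEM SCANNER\\BACKUP\\",
)
# System Restore keeps old copies of files under this folder.
_RESTORE_MARKER = "\\SYSTEM VOLUME INFORMATION\\_RESTORE"


def classify_path(path):
    """Return 'quarantined', 'restore_point' or 'live' for one detected file."""
    p = path.upper()
    if p.startswith(_QUARANTINE_PREFIXES):
        return "quarantined"
    if _RESTORE_MARKER in p:
        return "restore_point"
    return "live"


def parse_sas_log(text):
    """Group detected file paths under the family name that heads each block.

    Blocks are separated by blank lines. A block counts as a detection only
    when its first line is not a path and every following line is one, so
    the header blocks (URL, timestamp, counters) are skipped automatically.
    """
    detections = OrderedDict()
    block = []
    for raw in text.splitlines() + [""]:   # trailing "" flushes the last block
        line = raw.strip()
        if line:
            block.append(line)
            continue
        if (len(block) >= 2 and not _PATH_RE.match(block[0])
                and all(_PATH_RE.match(entry) for entry in block[1:])):
            detections.setdefault(block[0], []).extend(block[1:])
        block = []
    return detections


def live_files(detections):
    """Return (family, path) pairs for hits that still sit on the live system."""
    return [(family, p) for family, paths in detections.items()
            for p in paths if classify_path(p) == "live"]


def summarize(detections):
    """Count hits per location class across all families."""
    counts = {"quarantined": 0, "restore_point": 0, "live": 0}
    for paths in detections.values():
        for p in paths:
            counts[classify_path(p)] += 1
    return counts


if __name__ == "__main__":
    found = parse_sas_log(SAMPLE_LOG)
    print(summarize(found))
    for family, p in live_files(found):
        print(f"LIVE  {family:28s} {p}")
```

Run on the sample, the live list comes out as the two system32 executables the helper puts in the next CFScript plus the IS-SETUP03X.EXE installer, while the Qoobox and _RESTORE copies are reported separately; in practice the quarantine and restore-point copies get cleaned up by emptying the tool's quarantine and creating a fresh restore point rather than by another removal script.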


#11 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 09 May 2008 - 08:31 AM

Certainly it's your computer, but you should know that much of what you download using Limewire will carry some type of malware.


Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\system32\lcntmkdn.exe
C:\WINDOWS\system32\tcntaxdn.exe

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.


========================================================

#12 ~1234

  • Topic Starter
  • Members
  • 18 posts

Posted 09 May 2008 - 04:28 PM

Hijack This

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:26:21 PM, on 5/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 3456 bytes

---------------------------------------------------------------------------------------------------------------------------------------------------------------
Combo Fix

ComboFix 08-05-01.3 - Sydney 2008-05-09 17:24:36.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.278 [GMT -4:00]
Running from: C:\Documents and Settings\Sydney\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sydney\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\lcntmkdn.exe
C:\WINDOWS\system32\tcntaxdn.exe
.

((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-05-08 17:51 . 2008-05-09 03:39 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-08 17:51 . 2008-05-08 17:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-08 17:51 . 2008-05-08 17:51 <DIR> d-------- C:\Documents and Settings\Sydney\Application Data\SUPERAntiSpyware.com
2008-05-08 17:51 . 2008-05-08 17:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-08 03:00 . 2008-05-08 03:00 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-05-08 02:43 . 2008-05-08 02:43 13,942 --a------ C:\WINDOWS\system32\iphone-011.ico
2008-05-07 23:38 . 2008-05-07 23:38 11 --a------ C:\WINDOWS\3DShadow.INI
2008-05-07 22:32 . 2008-05-07 22:32 9,662 --a------ C:\WINDOWS\system32\vaio3-011.ico
2008-05-07 22:23 . 2008-05-07 22:23 <DIR> d-------- C:\Documents and Settings\Sydney\Application Data\Jasc
2008-05-07 20:37 . 2008-05-09 03:40 <DIR> d-------- C:\Documents and Settings\Sydney\Application Data\LimeWire
2008-05-07 20:28 . 2008-05-07 20:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-05-07 20:27 . 2008-05-07 20:28 <DIR> d-------- C:\Program Files\Common Files\Jasc Software Inc
2008-05-07 20:27 . 2008-05-07 20:27 <DIR> d-------- C:\Documents and Settings\Sydney\Application Data\Jasc Software Inc
2008-05-07 20:26 . 2008-05-07 22:04 <DIR> d-------- C:\Program Files\Jasc Software Inc
2008-05-07 19:55 . 2008-05-07 19:55 <DIR> d-------- C:\Program Files\Java
2008-05-07 19:55 . 2008-05-07 19:55 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-07 19:55 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-07 19:50 . 2008-05-07 19:50 <DIR> d-------- C:\Program Files\CCleaner
2008-05-07 18:58 . 2008-05-07 19:02 <DIR> d-------- C:\Program Files\LimeWire
2008-05-07 18:03 . 2008-05-07 18:03 <DIR> d-------- C:\Deckard
2008-05-06 22:51 . 2008-05-06 22:51 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-05-06 22:51 . 2005-02-24 23:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-05-06 22:42 . 2008-05-06 22:42 <DIR> d---s---- C:\Documents and Settings\Sydney\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-08 00:27 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-06 22:43 --------- d-----w C:\Program Files\Trend Micro
2008-05-06 22:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-06 22:20 --------- d-----w C:\Program Files\SigmaTel
2008-05-06 22:18 21,425 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-05-06 22:18 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Intel
2008-05-06 22:18 --------- d-----w C:\Documents and Settings\Sydney\Application Data\Intel
2008-05-06 22:18 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Intel
2008-05-06 22:18 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Intel
2008-05-06 22:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intel
2008-05-06 22:17 --------- d-----w C:\Program Files\Intel
2008-05-06 22:04 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((( snapshot@2008-05-07_18.33.14.01 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-07 22:32:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-09 21:18:15 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2002-07-25 22:13:18 24,576 ----a-w C:\WINDOWS\Downloaded Program Files\dwusplay.dll
+ 2002-07-25 22:13:12 196,608 ----a-w C:\WINDOWS\Downloaded Program Files\dwusplay.exe
+ 2004-06-16 10:02:10 323,584 ----a-w C:\WINDOWS\Downloaded Program Files\isusweb.dll
+ 2008-05-08 02:04:15 10,134 ----a-r C:\WINDOWS\Installer\{7C4196CA-CA41-4F34-9C08-7724E7705D52}\ARPPRODUCTICON.exe
+ 2008-05-08 02:04:15 49,152 ----a-r C:\WINDOWS\Installer\{7C4196CA-CA41-4F34-9C08-7724E7705D52}\NewShortcut1_7C4196CACA414F349C087724E7705D52.exe
+ 2008-05-08 21:51:32 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-05-08 21:51:32 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-05-08 00:28:08 25,214 ----a-r C:\WINDOWS\Installer\{F843C6A3-224D-4615-94F8-3C461BD9AEA0}\ARPPRODUCTICON.exe
- 2008-05-06 22:08:01 90,296 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-05-09 21:18:14 157,952 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-03-25 05:28:39 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-03-25 05:28:43 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-25 06:37:01 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2006-01-21 20:01:22 25,088 ----a-w C:\WINDOWS\system32\Macromed\Flash\genuinst.exe
+ 2006-01-03 23:14:12 20,480 ----a-w C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe
+ 2008-04-06 02:56:22 19,836,024 ----a-w C:\WINDOWS\system32\MRT.exe
- 2005-09-08 05:03:50 1,330,888 ----a-w C:\WINDOWS\system32\msxml6.dll
+ 2007-05-15 19:43:10 1,320,800 ----a-w C:\WINDOWS\system32\msxml6.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 11:19 819200]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 11:17 970752]
"SigmatelSysTrayApp"="stsystra.exe" [2005-09-09 18:19 393216 C:\WINDOWS\stsystra.exe]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 15:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 15:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 15:50 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70887a3d-1bb9-11dd-a95d-c336e334025e}]
\Shell\Auto\command - E:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

*Newly Created Service* - SASDIFSV
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 17:25:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-09 17:25:41
ComboFix-quarantined-files.txt 2008-05-09 21:25:35
ComboFix2.txt 2008-05-08 21:44:27
ComboFix3.txt 2008-05-08 21:40:09
ComboFix4.txt 2008-05-07 22:33:31

Pre-Run: 36,481,474,560 bytes free
Post-Run: 36,480,331,776 bytes free

119 --- E O F --- 2008-05-09 07:42:15



#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:15 PM

Posted 10 May 2008 - 07:04 AM

Looks pretty good to me.
How are things on your end? Any problems?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#14 ~1234

~1234
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:04:15 PM

Posted 10 May 2008 - 09:32 AM

Nope.
Thank you very much as soon as I make some money I will be sure to donate for your help.
Thanks again!

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:15 PM

Posted 11 May 2008 - 09:22 AM

Glad I could help out!

Just a few last things and you should be good to go! :)


First, your log shows that you don't have the recovery console installed.
Check this link for more info on the recovery console and how to get it installed.

How to install and use the Windows XP Recovery Console



===================



Next, let's remove Combofix now that we're done with it and clean up a few other things.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

  • When shown the disclaimer, Select "2"



==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and re-enable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup: :thumbsup:
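The six "Custom Level" changes in the post above are stored per user in the registry, so they can be audited (and, if wanted, applied) from a script rather than clicked through the dialog. The following is an added example, not code from the thread or from BleepingComputer. It assumes the settings live under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (the Internet zone) and uses the URL-action value names 1001, 1004, 1201, 1607, 1800 and 1804 and the 0 = Enable / 1 = Prompt / 3 = Disable encoding as documented by Microsoft for that key; none of those identifiers appear in the post, and the function name Get-ZoneSettingAudit is mine.

```powershell
# Added example (not from the thread): audit the Internet-zone settings listed
# in the post and optionally set them to the recommended values.
# Assumptions: per-user settings under HKCU\...\Zones\3; value names are the
# documented URL-action IDs for the Internet zone; stored DWORD meaning is
# 0 = Enable, 1 = Prompt, 3 = Disable. If Security_HKLM_only is set to 1 under
# Internet Settings, Internet Explorer reads the HKLM copy of the key instead.

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# The post's recommendations, keyed by action ID (documented value names, assumed here).
$Recommended = @(
    @{ Id = '1001'; Setting = 'Download signed ActiveX controls';                          Value = 1 },
    @{ Id = '1004'; Setting = 'Download unsigned ActiveX controls';                        Value = 3 },
    @{ Id = '1201'; Setting = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 },
    @{ Id = '1800'; Setting = 'Installation of desktop items';                             Value = 1 },
    @{ Id = '1804'; Setting = 'Launching programs and files in an IFRAME';                 Value = 1 },
    @{ Id = '1607'; Setting = 'Navigate sub-frames across different domains';              Value = 1 }
)

$Label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSettingAudit {
    param(
        [string]$Path = $ZonePath,
        [switch]$Fix    # write the recommended value where the current one is weaker or missing
    )
    $key = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($r in $Recommended) {
        $prop = $key.PSObject.Properties[$r.Id]
        # $null means the value is absent and IE falls back to its built-in default,
        # which we treat as non-compliant so the setting gets written explicitly.
        $current = if ($prop) { [int]$prop.Value } else { $null }
        # Higher stored values are more restrictive, so anything >= recommended is acceptable.
        $ok = ($null -ne $current) -and ($current -ge $r.Value)
        if (-not $ok -and $Fix) {
            Set-ItemProperty -Path $Path -Name $r.Id -Value $r.Value -Type DWord
            $current = $r.Value
            $ok = $true
        }
        $currentLabel = if ($null -eq $current) { '(not set)' }
                        elseif ($Label.ContainsKey($current)) { $Label[$current] }
                        else { "$current" }
        New-Object PSObject -Property @{
            Id          = $r.Id
            Setting     = $r.Setting
            Current     = $currentLabel
            Recommended = $Label[$r.Value]
            OK          = $ok
        }
    }
}

# Report only; add -Fix to apply the recommended values to the current user.
Get-ZoneSettingAudit | Select-Object Id, Setting, Current, Recommended, OK | Format-Table -AutoSize
```

Run it once without -Fix to see which of the six settings still sit at Enable or are unset, then with -Fix to apply the post's values; the changes take effect for new Internet Explorer windows of the current user only, and a machine that enforces zone settings through HKLM (Security_HKLM_only = 1) needs the same values written under HKLM instead.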


========================================================



