Otherinfo Spyware Removal Help


This topic is locked
32 replies to this topic

#1 TheoSqua

  • Members
  • 21 posts

Posted 17 May 2008 - 08:07 PM

Hi all,

A computer I use got a nasty bit of spyware on it. I believe it was called OuterInfo or something like that. I did a Google search on the program and found this site, and that someone recommended using ComboFix for removing the program. I downloaded ComboFix and ran it and it removed all of the spyware, but I'm still concerned that there's some program or function still being run on the computer.

When the spyware was installed on the comp it blocked access to CTRL + ALT + DELETE and the task manager. I was able to re-allow the task bar by going to start-->run-->gpedit.msc and re-disabling the remove task manager function thingie, but whenever I reboot the task manager is disabled again.

This computer is for a business and processes credit cards, so I'm being overly thorough in making sure that there's no sort of key logger on the computer.

So if anyone with the knowledge of this sort of thing would be willing to look at the HJT and ComboFix logs to see if all is good to go, I'd greatly appreciate it.


HJT logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:11:37 PM, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\StarMicronics\TSP100\Software\20061130\portemu.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.amarraspa.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061227
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1
O2 - BHO: (no name) - {1204C302-8CD1-4968-A193-1C27B90F15A6} - C:\WINDOWS\system32\tuvWQKeB.dll
O2 - BHO: {a8f5cc58-190c-8d0a-b0d4-22fc3e84a172} - {271a48e3-cf22-4d0b-a0d8-c09185cc5f8a} - C:\WINDOWS\system32\pwmforru.dll
O2 - BHO: (no name) - {342512DC-7D1D-4541-8483-057319362868} - C:\WINDOWS\system32\yayxyvvT.dll
O2 - BHO: (no name) - {6FD94244-B809-4584-99CD-720A2BBC5B5D} - C:\WINDOWS\system32\xxyayVOG.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: MySidesearch Search Assistant - {9506910A-0F94-4ea1-B567-7070428B8B2B} - C:\WINDOWS\system32\mysidesearch_sidebar.dll
O2 - BHO: (no name) - {A1DDA4AC-4F4B-49CA-B64F-FB6D8D05A75C} - C:\WINDOWS\system32\byXPIyvu.dll
O2 - BHO: (no name) - {AA986B73-9579-4FA9-A34E-AEC4232ECD6B} - C:\WINDOWS\system32\pmnljHaw.dll
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\khfFwWqp.dll
O2 - BHO: QXK Rhythm - {DF47FCFB-AA32-4ECC-9F32-C99E30385AF3} - C:\WINDOWS\fvowketqsoq.dll (file missing)
O2 - BHO: (no name) - {DFD83F9A-8843-46ED-925D-2668D9617576} - C:\WINDOWS\system32\cbXQiJdb.dll
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O3 - Toolbar: pvnsmfor - {C17C95A8-9A32-4250-8F46-D7DFBB4B4947} - C:\WINDOWS\pvnsmfor.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BM133de534] Rundll32.exe "C:\WINDOWS\system32\xxxqaguh.dll",s
O4 - HKLM\..\Run: [100ed6a8] rundll32.exe "C:\WINDOWS\system32\ksnsogqe.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: khfFwWqp - C:\WINDOWS\SYSTEM32\khfFwWqp.dll
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O21 - SSODL: rteKPyDJH - {100ED608-BAA4-7CA2-FA87-A290519D6DD6} - C:\WINDOWS\system32\wly.dll (file missing)
O21 - SSODL: mpfanvqg - {22F63B94-91BA-4B14-907D-2074E780F811} - C:\WINDOWS\mpfanvqg.dll (file missing)
O21 - SSODL: vbksrofa - {77F9252B-C23D-4816-8087-ADCC5854CA30} - C:\WINDOWS\vbksrofa.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Port Emulator (Star) (PortEmulator) - Star Micronics Co., Ltd. - C:\Program Files\StarMicronics\TSP100\Software\20061130\portemu.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
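A quick way to triage a log like the one above is to script the checks a reviewer does by eye: entries whose component is "(file missing)" (a registry load point left behind after the file was deleted), O6/O7 policy restrictions (the keys that keep Task Manager and regedit locked after every reboot), and load points whose filenames look machine-generated. The Python below is an added example, not part of the original thread and not HijackThis's own code; the sample lines are copied from the log above, and the "generated name" rule is a heuristic tuned to this log's eight-letter names (it will misfire on some legitimate names, so treat hits as candidates for review, not verdicts).

```python
import re
from dataclasses import dataclass
from typing import List

# Sample input: a subset of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1204C302-8CD1-4968-A193-1C27B90F15A6} - C:\WINDOWS\system32\tuvWQKeB.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: QXK Rhythm - {DF47FCFB-AA32-4ECC-9F32-C99E30385AF3} - C:\WINDOWS\fvowketqsoq.dll (file missing)
O3 - Toolbar: pvnsmfor - {C17C95A8-9A32-4250-8F46-D7DFBB4B4947} - C:\WINDOWS\pvnsmfor.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BM133de534] Rundll32.exe "C:\WINDOWS\system32\xxxqaguh.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: khfFwWqp - C:\WINDOWS\SYSTEM32\khfFwWqp.dll
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
"""

VOWELS = set("aeiou")
SECTION_RE = re.compile(r"^(R[0-3]|O\d+) - ")
# Last path component ending in .dll/.exe (backslash, quote and comma end a token).
FILE_RE = re.compile(r'([^\s"\\,\[\]]+\.(?:dll|exe))', re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O2", "O7"
    reason: str    # why the line was flagged
    line: str      # the original log line


def looks_generated(stem: str) -> bool:
    """Heuristic (assumption, tuned to this log): exactly 8 letters, no digits, and
    either a run of 4+ consonants (y counted as a consonant) or two adjacent
    capitals inside a name that also has lowercase letters."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    run = longest = 0
    for ch in stem.lower():
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    mixed = any(c.islower() for c in stem) and re.search(r"[A-Z]{2}", stem) is not None
    return longest >= 4 or mixed


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per (line, reason) pair for the suspicious entries."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        section = m.group(1)
        reasons = []
        if "(file missing)" in line:
            reasons.append("orphaned load point: registered component is no longer on disk")
        if section == "O7" or (section == "O6" and "Restrictions present" in line):
            reasons.append("policy restriction set (Task Manager / regedit / IE lockdown)")
        for name in FILE_RE.findall(line):
            if looks_generated(name.rsplit(".", 1)[0]):
                reasons.append(f"pseudo-random filename {name}")
        if section == "O2" and "(no name)" in line:
            reasons.append("unnamed BHO")
        findings.extend(Finding(section, r, line) for r in reasons)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason:<60} {f.line[:70]}")
```

On the sample above this flags the Vundo-style O2/O4/O20 DLLs, the O7 DisableRegedit policy and the four orphaned entries, while leaving Java's ssv.dll, NVIDIA's NvCpl.dll, ctfmon.exe and Broadcom's AsfIpMon.exe alone. The O7 hit is the one that explains the original symptom: a policy value that is re-applied at logon by something still running.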

#2 SifuMike (malware expert)


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 23 May 2008 - 01:55 PM

Hi TheoSqua,

and that someone recommended using ComboFix for removing the program. I downloaded ComboFix



That person gave you some very bad advice. :thumbsup:
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Did you install Recovery Console before running ComboFix? <== IMPORTANT





This computer is for a business and processes credit cards, so i'm being overly thorough in making sure that there's no sort of key logger on the computer.




You said this is a business computer... does your company have an IT department?

If so, this would be a job for them.

This computer is really infected, and this is what they are paid to do. We're volunteers that work for free here, on a donation only basis. Your company may have policies in place for this kind of thing, and I won't be responsible for possibly going against policy.

Please let me know what you're going to do.

Edited by SifuMike, 23 May 2008 - 01:56 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 TheoSqua (Topic Starter)

  • Members
  • 21 posts

Posted 24 May 2008 - 02:44 PM

I'm the closest thing to an IT department we have. :-P

I did not create a recovery point before using combofix.

Do you think it'd be best to just attempt a reformat?

It's a small family owned business, so there really isn't any sort of policy.

#4 SifuMike (malware expert)


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 24 May 2008 - 04:45 PM

Hi TheoSqua,


Do you think it'd be best to just attempt a reformat?


That depends on you and what is on the computer.
Since this is a business computer, and you want to be absolutely sure all malware is gone, then I recommend you reformat and reload your computer. It's a lot of work I know. :thumbsup:

If the data you have on this computer is only personal stuff then I will do my best to remove the malware.

If you decide to let me remove the malware, then install Recovery Console before proceeding.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System
If you have Windows Media Edition, then you will need to download the XP Pro setup package.


Download the file & save it as it's originally named, next to ComboFix.exe.


Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'Yes' to run the full ComboFix scan.


  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log for further review.

Edited by SifuMike, 24 May 2008 - 04:50 PM.


#5 TheoSqua (Topic Starter)

  • Members
  • 21 posts

Posted 26 May 2008 - 11:07 PM

Thanks for the help, greatly appreciated.

here's the combofix log:

ComboFix 08-05-26.2 - Admin 2008-05-26 22:52:25.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.675 [GMT -5:00]
Running from: F:\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\dbar
C:\Program Files\dbar\basis.xml
C:\Program Files\dbar\channel.tmpl
C:\Program Files\dbar\content.tmpl
C:\Program Files\dbar\dbaruninst.exe
C:\Program Files\dbar\deskbar.crc
C:\Program Files\dbar\deskbar.inf
C:\Program Files\dbar\edit_rss.tmpl
C:\Program Files\dbar\local.xml
C:\Program Files\dbar\nav1.bmp
C:\Program Files\dbar\nav2.bmp
C:\Program Files\dbar\new_alert.tmpl
C:\Program Files\dbar\version.ini
C:\Program Files\dbar\version.txt
C:\Program Files\winvi
C:\Program Files\winvi\dsktp\AC_RunActiveContent.js
C:\Program Files\winvi\dsktp\desktop.html
C:\Program Files\winvi\dsktp\internetDetection.swf
C:\Program Files\winvi\dsktp\settings.sol
C:\Program Files\winvi\icons\bufferthis.ico
C:\Program Files\winvi\icons\flashfunpages.ico
C:\Program Files\winvi\icons\funnies.ico
C:\Program Files\winvi\icons\funnyfunpages.ico
C:\Program Files\winvi\icons\goodcleanvideos.ico
C:\Program Files\winvi\icons\newfunpages.ico
C:\Program Files\winvi\icons\positivethoughts.ico
C:\Program Files\winvi\icons\removespyware.ico
C:\Program Files\winvi\icons\thissiterocks.ico
C:\Program Files\winvi\Uninst.exe
C:\Program Files\winvi\update.exe
C:\Program Files\winvi\version.ini
C:\Program Files\winvi\wupda.exe
C:\Temp\tmpvc14
C:\Temp\tmpvc14\dllvc.log
C:\WINDOWS\BM133de534.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aewchtor.exe
C:\WINDOWS\system32\arwowbvo.ini
C:\WINDOWS\system32\bfjodmja.exe
C:\WINDOWS\system32\bnlixoxs.exe
C:\WINDOWS\system32\byqndfcv.dll
C:\WINDOWS\system32\byXPIyvu.dll
C:\WINDOWS\system32\cbXQiJdb.dll
C:\WINDOWS\system32\cbXQklkh.dll
C:\WINDOWS\system32\ecjmovcy.dll
C:\WINDOWS\system32\eeyfjpnh.dll
C:\WINDOWS\system32\gbnwbjeb.dll
C:\WINDOWS\system32\ghsgeose.exe
C:\WINDOWS\system32\gjjlcpmx.dll
C:\WINDOWS\system32\glqlthdk.dll
C:\WINDOWS\system32\gludkchp.dll
C:\WINDOWS\system32\hibvdrim.ini
C:\WINDOWS\system32\hklkQXbc.ini
C:\WINDOWS\system32\hklkQXbc.ini2
C:\WINDOWS\system32\hojgvpqx.dll
C:\WINDOWS\system32\ihwssaqk.dll
C:\WINDOWS\system32\iigtxcdw.exe
C:\WINDOWS\system32\ilbrlrfp.ini
C:\WINDOWS\system32\jlmcnwpd.exe
C:\WINDOWS\system32\kajavcrq.dll
C:\WINDOWS\system32\khfFwWqp.dll
C:\WINDOWS\system32\lshtlonh.dll
C:\WINDOWS\system32\lyjbsiry.exe
C:\WINDOWS\system32\mrqnfolv.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\ovemxayw.exe
C:\WINDOWS\system32\owpvxpba.dll
C:\WINDOWS\system32\oxbhyvng.dll
C:\WINDOWS\system32\pjnjppvo.dll
C:\WINDOWS\system32\pMDsRLBr.dll
C:\WINDOWS\system32\pmnljHaw.dll
C:\WINDOWS\system32\pmrmkvby.ini
C:\WINDOWS\system32\pvgwaghr.dll
C:\WINDOWS\system32\pwmforru.dll
C:\WINDOWS\system32\qcyhdoxf.dll
C:\WINDOWS\system32\qjnqhvms.exe
C:\WINDOWS\system32\rBLRsDMp.ini
C:\WINDOWS\system32\rBLRsDMp.ini2
C:\WINDOWS\system32\rnhhykvh.exe
C:\WINDOWS\system32\rooorrnq.exe
C:\WINDOWS\system32\rpxbignu.dll
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\scfbhdgo.exe
C:\WINDOWS\system32\sibcpvre.exe
C:\WINDOWS\system32\sockins32.dll
C:\WINDOWS\system32\ssqPihGy.dll
C:\WINDOWS\system32\tequbsdu.exe
C:\WINDOWS\system32\toadaicx.ini
C:\WINDOWS\system32\trsrshhw.dll
C:\WINDOWS\system32\tuvWQKeB.dll
C:\WINDOWS\system32\uaoyrevs.dll
C:\WINDOWS\system32\ulqffpjr.exe
C:\WINDOWS\system32\uxacdpbo.dll
C:\WINDOWS\system32\vcjkysix.exe
C:\WINDOWS\system32\wevoeriq.dll
C:\WINDOWS\system32\wjdfsagl.dll
C:\WINDOWS\system32\wkveonfo.dll
C:\WINDOWS\system32\wodjmyiv.dll
C:\WINDOWS\system32\wvreowkp.dll
C:\WINDOWS\system32\xdrkcllq.ini
C:\WINDOWS\system32\xlckbmkw.exe
C:\WINDOWS\system32\xmpnlgpp.dll
C:\WINDOWS\system32\xplhcgxq.ini
C:\WINDOWS\system32\xxxqaguh.dll
C:\WINDOWS\system32\xxyayVOG.dll
C:\WINDOWS\system32\yayxyvvT.dll
C:\WINDOWS\system32\yfmblapl.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-26 22:40 . 2008-05-26 22:40 90,896 --a------ C:\WINDOWS\system32\oxmrlsxn.dll
2008-05-24 14:41 . 2008-05-24 14:41 100,624 --a------ C:\WINDOWS\system32\jhaufyhc.dll
2008-05-24 14:32 . 2008-05-24 14:32 90,960 --a------ C:\WINDOWS\system32\dxbjnjwn.dll
2008-05-23 14:32 . 2008-05-23 14:32 100,608 --a------ C:\WINDOWS\system32\tidnvxay.dll
2008-05-23 14:32 . 2008-05-23 14:32 91,008 --a------ C:\WINDOWS\system32\utkyqxay.dll
2008-05-22 14:35 . 2008-05-22 14:35 100,016 --a------ C:\WINDOWS\system32\rebfsjcc.dll
2008-05-17 19:29 . 2008-05-17 19:29 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-17 19:29 . 2008-05-17 19:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-17 16:57 . 2008-05-17 16:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-17 16:41 . 2008-05-17 16:41 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-14 03:36 . 2008-05-14 15:45 894 --ahs---- C:\WINDOWS\system32\fykmrisf.ini
2008-05-13 15:42 . 2008-05-26 22:56 0 --a------ C:\WINDOWS\system32\NvApps.xml
2008-05-13 15:33 . 2008-05-13 17:21 774 --ahs---- C:\WINDOWS\system32\snodhjej.ini
2008-05-11 17:59 . 2008-05-11 17:59 269,334 --a------ C:\WINDOWS\system32\hcfqhsnapcrah.bmp
2008-05-11 17:55 . 2008-05-11 17:55 5,120 --a------ C:\Documents and Settings\Administrator\ftp34.dll
2008-05-11 17:50 . 2008-05-11 17:50 269,334 --a------ C:\WINDOWS\system32\jmhsjitkbqdon.bmp
2008-05-11 17:46 . 2008-05-11 17:46 269,334 --a------ C:\WINDOWS\system32\rqpcbqd.bmp
2008-05-11 17:34 . 2008-05-11 17:34 269,334 --a------ C:\WINDOWS\system32\mlcnqdcfid.bmp
2008-05-11 17:34 . 2008-05-11 18:19 5,120 --a------ C:\Documents and Settings\LocalService\ftp34.dll
2008-05-11 17:28 . 2008-05-11 17:28 80,384 --a------ C:\ydrvr.exe
2008-05-11 17:28 . 2008-05-11 17:28 40,960 --a------ C:\difkghmd.exe
2008-05-11 17:26 . 2008-05-11 17:28 2 --a------ C:\269407751
2008-05-11 17:25 . 2008-05-11 17:25 269,334 --a------ C:\WINDOWS\system32\kfedofedkret.bmp
2008-05-11 17:25 . 2008-05-11 17:25 80,384 --a------ C:\rssnel.exe
2008-05-11 17:25 . 2008-05-11 18:20 5,120 --a------ C:\WINDOWS\system32\ftp34.dll
2008-05-11 17:25 . 2008-05-11 18:20 5,120 --a------ C:\Documents and Settings\Admin\ftp34.dll
2008-05-11 17:22 . 2008-05-11 17:22 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-11 17:22 . 2008-05-11 17:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-11 17:22 . 2008-05-11 17:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-11 17:09 . 2008-05-11 17:09 401,969 --a------ C:\WINDOWS\system32\g67.exe
2008-05-11 17:09 . 2008-05-11 17:09 63,902 --a------ C:\WINDOWS\system32\{80ade23d-3639-f568-d1b0-00e29aa0301c}.dll-uninst.exe
2008-05-11 17:09 . 2008-05-11 17:09 49,189 --a------ C:\WINDOWS\system32\jpwnw64m.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-16 23:17 --------- d-----w C:\Program Files\ICQ6
2008-05-11 22:17 --------- d-----w C:\Program Files\Java
2008-04-10 20:11 --------- d-----w C:\Documents and Settings\Admin\Application Data\Viewpoint
2003-02-21 10:42 348,160 ----a-w C:\Program Files\msvcr71.dll
2005-07-29 21:24 472 --sha-r C:\WINDOWS\QWRtaW4\kqlQuqb.vbs
.

------- Sigcheck -------

2004-08-04 06:00 506368 910f2b52c0c94b3ff211eb9893c96d42 C:\WINDOWS\system32\winlogon.exe

2004-08-04 06:00 1034752 d1d920b3db684304c731f718521df3fb C:\WINDOWS\explorer.exe

2004-08-04 06:00 110592 9996eede31da5c1239447fd55051d6dc C:\WINDOWS\system32\services.exe

2004-08-04 06:00 14848 80a76019a063c7874a8d101e9568b39a C:\WINDOWS\system32\lsass.exe
.
((((((((((((((((((((((((((((( snapshot@2008-05-17_18.59.47.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-17 23:56:12 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-27 03:55:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2000-08-31 13:00:00 73,728 ----a-w C:\WINDOWS\fdsv.exe
+ 2000-08-31 13:00:00 89,504 ----a-w C:\WINDOWS\fdsv.exe
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{80fa7700-a0f6-46f7-962c-bb95a572af2e}]
2008-05-24 14:41 100624 --a------ C:\WINDOWS\system32\jhaufyhc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9506910A-0F94-4ea1-B567-7070428B8B2B}]
2008-03-27 10:35 333824 --a------ C:\WINDOWS\system32\mysidesearch_sidebar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF47FCFB-AA32-4ECC-9F32-C99E30385AF3}]
C:\WINDOWS\fvowketqsoq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{C17C95A8-9A32-4250-8F46-D7DFBB4B4947}"= "C:\WINDOWS\pvnsmfor.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{c17c95a8-9a32-4250-8f46-d7dfbb4b4947}]
[HKEY_CLASSES_ROOT\pvnsmfor.1]
[HKEY_CLASSES_ROOT\TypeLib\{85116C11-B265-4635-8FD8-A500007A6915}]
[HKEY_CLASSES_ROOT\pvnsmfor]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-03 15:28 7630848]
"100ed6a8"="C:\WINDOWS\system32\qllckrdx.dll" [ ]
"BM133de534"="C:\WINDOWS\system32\oxmrlsxn.dll" [2008-05-26 22:40 90896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"rteKPyDJH"= {100ED608-BAA4-7CA2-FA87-A290519D6DD6} - C:\WINDOWS\system32\wly.dll [ ]
"mpfanvqg"= {22F63B94-91BA-4B14-907D-2074E780F811} - C:\WINDOWS\mpfanvqg.dll [ ]
"vbksrofa"= {77F9252B-C23D-4816-8087-ADCC5854CA30} - C:\WINDOWS\vbksrofa.dll [ ]

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^Deewoo.lnk]
path=C:\Documents and Settings\Admin\Start Menu\Programs\Startup\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Admin\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Admin\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
backup=C:\WINDOWS\pss\autorun.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 11:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 10:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
C:\Documents and Settings\Admin\cftmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthorizationAgent]
C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2006-08-28 22:57 395776 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a------ 2005-09-08 06:20 122940 C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriveSystem]
C:\WINDOWS\system32\maxpaynowti1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-06-23 17:31 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
--a------ 2008-05-11 17:00 200772 C:\WINDOWS\system32\kcntqkdm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-12-27 08:24 169984 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icasServ]
--a------ 2006-05-12 17:27 13824 C:\WINDOWS\system32\icasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 17:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 17:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mex]
C:\Documents and Settings\Admin\Application Data\?dobe\?hkdsk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]
C:\WINDOWS\system32\drivers\spools.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-10-03 15:28 7630848 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-03 15:28 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Printer]
C:\WINDOWS\system32\printer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule15]
C:\Program Files\QdrModule\QdrModule15.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack15]
C:\Program Files\QdrPack\QdrPack15.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runwinlogon]
C:\WINDOWS\winlogon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2006-08-30 02:32 282624 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
C:\WINDOWS\system32\spoolvs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemDrive]
C:\WINDOWS\system32\maxpaynow1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tair]
C:\WINDOWS\PPPATC~1\regedit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebSUpdater]
C:\Program Files\winvi\wupda.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinUpdater]
C:\Program Files\winvi\update.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{787430f4-3e62-39fc-512d-c6b613300f4a}]
C:\WINDOWS\system32\{80ade23d-3639-f568-d1b0-00e29aa0301c}.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{ED-D6-60-07-DW}]
--a------ 2008-05-11 17:09 49189 C:\windows\system32\jpwnw64m.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=

R2 ASFIPmon;Broadcom ASF IP Monitor;"C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe" -service []
R2 PortEmulator;Port Emulator (Star);C:\Program Files\StarMicronics\TSP100\Software\20061130\portemu.exe [2006-11-28 12:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{159719ee-2ba0-11dd-9579-001a70a6d6c5}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - GTNDIS5
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-26 22:56:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-05-26 22:57:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-27 03:57:11
ComboFix2.txt 2008-05-18 01:29:09
ComboFix3.txt 2008-05-18 00:00:09

Pre-Run: 151,479,799,808 bytes free
Post-Run: 151,443,738,624 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

Here's HiJackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:15 PM, on 5/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\StarMicronics\TSP100\Software\20061130\portemu.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.amarraspa.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061227
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {e2fa275a-59bb-c269-7f64-6f0a0077af08} - {80fa7700-a0f6-46f7-962c-bb95a572af2e} - C:\WINDOWS\system32\jhaufyhc.dll
O2 - BHO: MySidesearch Search Assistant - {9506910A-0F94-4ea1-B567-7070428B8B2B} - C:\WINDOWS\system32\mysidesearch_sidebar.dll
O2 - BHO: QXK Rhythm - {DF47FCFB-AA32-4ECC-9F32-C99E30385AF3} - C:\WINDOWS\fvowketqsoq.dll (file missing)
O3 - Toolbar: pvnsmfor - {C17C95A8-9A32-4250-8F46-D7DFBB4B4947} - C:\WINDOWS\pvnsmfor.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [100ed6a8] rundll32.exe "C:\WINDOWS\system32\qllckrdx.dll",b
O4 - HKLM\..\Run: [BM133de534] Rundll32.exe "C:\WINDOWS\system32\oxmrlsxn.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O21 - SSODL: rteKPyDJH - {100ED608-BAA4-7CA2-FA87-A290519D6DD6} - C:\WINDOWS\system32\wly.dll (file missing)
O21 - SSODL: mpfanvqg - {22F63B94-91BA-4B14-907D-2074E780F811} - C:\WINDOWS\mpfanvqg.dll (file missing)
O21 - SSODL: vbksrofa - {77F9252B-C23D-4816-8087-ADCC5854CA30} - C:\WINDOWS\vbksrofa.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Port Emulator (Star) (PortEmulator) - Star Micronics Co., Ltd. - C:\Program Files\StarMicronics\TSP100\Software\20061130\portemu.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 5229 bytes

#6 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 27 May 2008 - 12:36 AM

Hi TheoSqua,

You win the prize for the most infected computer of the month. :thumbsup:

You have some suspicious files we need to check.

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'


Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\WINDOWS\system32\kfedofedkret.bmp

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Perform the same for next files:

C:\WINDOWS\system32\hcfqhsnapcrah.bmp
C:\WINDOWS\system32\jmhsjitkbqdon.bmp
C:\WINDOWS\system32\rqpcbqd.bmp
C:\WINDOWS\system32\mlcnqdcfid.bmp
C:\WINDOWS\system32\g67.exe
C:\WINDOWS\system32\{80ade23d-3639-f568-d1b0-00e29aa0301c}.dll-uninst.exe
C:\WINDOWS\system32\jpwnw64m.exe
C:\Documents and Settings\LocalService\ftp34.dll
C:\269407751



Once scanned, copy and paste the results also in your next reply.

NOTE: I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to reply.
You can copy/paste the results of scan results here.

**************************

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum

-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe

Edited by SifuMike, 27 May 2008 - 01:00 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 TheoSqua
  • Topic Starter
  • Members
  • 21 posts

Posted 27 May 2008 - 07:19 PM

Hope this is what you're needing. I only pasted the scans from programs that detected something with the file.

C:\WINDOWS\system32\kfedofedkret.bmp
Ewido 4.0 2008.05.25 Downloader.FakeAlert.bu
NOD32v2 3128 2008.05.23 Win32/TrojanDownloader.FakeAlert.BU
Prevx1 V2 2008.05.25 Malicious Software

C:\WINDOWS\system32\hcfqhsnapcrah.bmp
Ewido 4.0 2008.05.25 Downloader.FakeAlert.bu
NOD32v2 3128 2008.05.23 Win32/TrojanDownloader.FakeAlert.BU
Prevx1 V2 2008.05.25 Malicious Software

C:\WINDOWS\system32\jmhsjitkbqdon.bmp
Ewido 4.0 2008.05.25 Downloader.FakeAlert.bu
NOD32v2 3128 2008.05.23 Win32/TrojanDownloader.FakeAlert.BU
Prevx1 V2 2008.05.25 Malicious Software

C:\WINDOWS\system32\rqpcbqd.bmp
Ewido 4.0 2008.05.25 Downloader.FakeAlert.bu
NOD32v2 3128 2008.05.23 Win32/TrojanDownloader.FakeAlert.BU
Prevx1 V2 2008.05.25 Malicious Software

C:\WINDOWS\system32\mlcnqdcfid.bmp
Ewido 4.0 2008.05.25 Downloader.FakeAlert.bu
NOD32v2 3128 2008.05.23 Win32/TrojanDownloader.FakeAlert.BU
Prevx1 V2 2008.05.25 Malicious Software

Note: All above files are the same file size.

C:\WINDOWS\system32\g67.exe
AntiVir 7.8.0.19 2008.05.27 DR/Gooochi
Avast 4.8.1195.0 2008.05.27 Win32:Rootkit-gen
BitDefender 7.2 2008.05.28 MemScan:Adware.Rotator.B
ClamAV 0.92.1 2008.05.27 Adware.Agent-2080
Fortinet 3.14.0.0 2008.05.27 Adware/Vapsup.0408
Kaspersky 7.0.0.125 2008.05.28 not-a-virus:AdWare.Win32.Agent.byy
Rising 20.46.12.00 2008.05.27 AdWare.Win32.Rotator.a
Sophos 4.29.0 2008.05.28 Troj/BHODLL-H
VBA32 3.12.6.6 2008.05.28 AdWare.Win32.Agent.byy
Webwasher-Gateway 6.6.2 2008.05.28 Trojan.Dropper.Gooochi

C:\WINDOWS\system32\{80ade23d-3639-f568-d1b0-00e29aa0301c}.dll-uninst.exe
Avast 4.8.1195.0 2008.05.27 Win32:Trojan-gen {Other}
Fortinet 3.14.0.0 2008.05.27 Adware/Vapsup.0408
GData 2.0.7306.1023 2008.05.23 Win32:Trojan-gen
Ikarus T3.1.1.26.0 2008.05.27 Win32.SuspectCrc
Prevx1 V2 2008.05.27 Cloaked Malware


C:\WINDOWS\system32\jpwnw64m.exe
AntiVir 7.8.0.19 2008.05.27 ADSPY/ZenoSearch.AM
Avast 4.8.1195.0 2008.05.27 Win32:Trojan-gen {VC}
AVG 7.5.0.516 2008.05.27 Lop.4.A
BitDefender 7.2 2008.05.28 Generic.Zeno.E5F12F0C
CAT-QuickHeal 9.50 2008.05.26 AdWare.ZenoSearch.am (Not a Virus)
ClamAV 0.92.1 2008.05.27 Adware.Zenosearch-6
DrWeb 4.44.0.09170 2008.05.27 Adware.ZenoSearch
eSafe 7.0.15.0 2008.05.27 AdWare.Win32.ZenoSea
Ewido 4.0 2008.05.27 Not-A-Virus.Adware.ZenoSearch
F-Prot 4.4.4.56 2008.05.27 W32/ZenoSearch.A.gen!Eldorado
Fortinet 3.14.0.0 2008.05.27 Adware/ZenoSearch
GData 2.0.7306.1023 2008.05.27 Win32:Trojan-gen
Ikarus T3.1.1.26.0 2008.05.28 Generic.Zeno
Kaspersky 7.0.0.125 2008.05.28 not-a-virus:AdWare.Win32.ZenoSearch.am
McAfee 5304 2008.05.27 potentially unwanted program Adware-Zeno
Microsoft 1.3520 2008.05.28 Adware:Win32/ZenoSearch
NOD32v2 3137 2008.05.28 Win32/Adware.ZenoSearch
Norman 5.80.02 2008.05.27 W32/ZenoSearch.DK
Panda 9.0.0.4 2008.05.28 Adware/Zenosearch
Prevx1 V2 2008.05.28 Malicious Software
Sophos 4.29.0 2008.05.28 ZenoSearch
Symantec 10 2008.05.28 Adware.ZenoSearch
TheHacker 6.2.92.321 2008.05.27 Adware/ZenoSearch.am
VBA32 3.12.6.6 2008.05.28 AdWare.Win32.ZenoSearch.am
VirusBuster 4.3.26:9 2008.05.27 Adware.ZenoSearch.Gen.2
Webwasher-Gateway 6.6.2 2008.05.28 Ad-Spyware.ZenoSearch.AM

C:\Documents and Settings\LocalService\ftp34.dll
AntiVir - - TR/Spy.Gen
Avast - - Win32:Rootkit-gen
AVG - - PSW.Agent.SYV
BitDefender - - Trojan.Downloader.Small.AAOH
CAT-QuickHeal - - TrojanDownloader.Small.vem
ClamAV - - Trojan.Downloader-34503
DrWeb - - Trojan.DownLoader.59739
eTrust-Vet - - Win32/Ruternam!generic
F-Secure - - Trojan-Downloader.Win32.Small.vem
Fortinet - - W32/Small.VEM!tr.dldr
GData - - Trojan-Downloader.Win32.Small.vem
Ikarus - - Trojan-Spy
Kaspersky - - Trojan-Downloader.Win32.Small.vem
McAfee - - BackDoor-DNR
Microsoft - - TrojanDownloader:Win32/Kogant.A
NOD32v2 - - Win32/TrojanDownloader.Agent.NYW
Panda - - Trj/Agent.ISS
Prevx1 - - Cloaked Malware
Sophos - - Troj/Agent-GXN
Sunbelt - - Trojan.Spy.Gen
Symantec - - Trojan Horse
VBA32 - - Trojan-Downloader.Win32.Small.vem
VirusBuster - - Trojan.DL.Small.ALJA
Webwasher-Gateway - - Trojan.Spy.Gen

C:\269407751
0/32



SDFix: Version 1.186
Run by Admin on Tue 05/27/2008 at 07:04 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\PROGRA~1\SDFix\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value
Restoring Default Desktop Wallpaper

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\HCFQHS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\JMHSJI~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\KFEDOF~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\MLCNQD~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\RQPCBQD.BMP - Deleted
C:\269407~1 - Deleted
C:\WINDOWS\system32\dFrnx06\dFrnx061083.exe - Deleted



Folder C:\WINDOWS\system32\dFrnx06 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 19:07:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\ICQ6\\ICQ.exe"="C:\\Program Files\\ICQ6\\ICQ.exe:*:Enabled:ICQ6"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Admin\\Application Data\\printer.exe"="C:\\Documents and Settings\\Admin\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Admin\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Admin\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Admin\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\Admin\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Application Data\\sysdefender.exe"="C:\\Documents and Settings\\Administrator\\Application Data\\sysdefender.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\Administrator\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\PROGRA~1\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 4 Oct 2006 3,072,000 A..H. --- "C:\Documents and Settings\Admin\Application Data\U3\temp\Launchpad Removal.exe"
Wed 27 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Wed 27 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Wed 27 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Wed 27 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"
Wed 27 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"
Wed 27 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch6\lock.tmp"

Finished!


HJTlog

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:11:03 PM, on 5/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\StarMicronics\TSP100\Software\20061130\portemu.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061227
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {e2fa275a-59bb-c269-7f64-6f0a0077af08} - {80fa7700-a0f6-46f7-962c-bb95a572af2e} - C:\WINDOWS\system32\jhaufyhc.dll
O2 - BHO: MySidesearch Search Assistant - {9506910A-0F94-4ea1-B567-7070428B8B2B} - C:\WINDOWS\system32\mysidesearch_sidebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [100ed6a8] rundll32.exe "C:\WINDOWS\system32\qllckrdx.dll",b
O4 - HKLM\..\Run: [BM133de534] Rundll32.exe "C:\WINDOWS\system32\oxmrlsxn.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O21 - SSODL: rteKPyDJH - {100ED608-BAA4-7CA2-FA87-A290519D6DD6} - C:\WINDOWS\system32\wly.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Port Emulator (Star) (PortEmulator) - Star Micronics Co., Ltd. - C:\Program Files\StarMicronics\TSP100\Software\20061130\portemu.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 4590 bytes
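A small triage script for HijackThis log lines like the ones in the log above, added here as an example and not a tool from this thread, from Trend Micro or from BleepingComputer. The sample entries are copied from the posted log; the heuristics (orphaned "(file missing)" entries, Run/BHO labels that are bare hex or GUIDs, rundll32 calling a DLL through a one-letter export, random-looking file names) are my own assumptions and only rank entries for the kind of manual check SifuMike asked for, such as a VirusTotal lookup.

```python
"""Triage helper for HijackThis-style log lines (added example, not the thread's
or HijackThis's own code). It flags entries a helper would want to look at first:
orphaned entries marked "(file missing)", Run/BHO labels that are bare hex or
GUIDs, rundll32 loading a DLL by a one-letter export, and random-looking names.
The heuristics are deliberately weak and only prioritise manual review."""
import ntpath
import re

# Sample entries copied from the HijackThis log posted above (a constructed subset).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {e2fa275a-59bb-c269-7f64-6f0a0077af08} - {80fa7700-a0f6-46f7-962c-bb95a572af2e} - C:\WINDOWS\system32\jhaufyhc.dll
O2 - BHO: QXK Rhythm - {DF47FCFB-AA32-4ECC-9F32-C99E30385AF3} - C:\WINDOWS\fvowketqsoq.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [100ed6a8] rundll32.exe "C:\WINDOWS\system32\qllckrdx.dll",b
O4 - HKLM\..\Run: [BM133de534] Rundll32.exe "C:\WINDOWS\system32\oxmrlsxn.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O21 - SSODL: rteKPyDJH - {100ED608-BAA4-7CA2-FA87-A290519D6DD6} - C:\WINDOWS\system32\wly.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.+)$")
# First Windows path ending in .dll or .exe (non-greedy so "jre1.6.0_05" is not cut short).
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe)", re.IGNORECASE)
RUN_LABEL_RE = re.compile(r"\[(?P<label>[^\]]+)\]")
OBJ_LABEL_RE = re.compile(r"^(?:BHO|Toolbar|SSODL): (?P<label>.*?) - \{")
# A label that is only a GUID or a run of 8+ hex digits instead of a product name.
OPAQUE_LABEL_RE = re.compile(
    r"^(?:\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?|[0-9a-f]{8,})$",
    re.IGNORECASE,
)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[^",]+\.dll"?,(?P<export>\S*)', re.IGNORECASE)
VOWELS = set("aeiouy")


def parse_entry(line):
    """Split one HJT line into its type (O2, O4, ...), label and first file path."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    lm = RUN_LABEL_RE.search(body) if m.group("type") == "O4" else OBJ_LABEL_RE.match(body)
    pm = PATH_RE.search(body)
    return {
        "type": m.group("type"),
        "label": lm.group("label") if lm else None,
        "path": pm.group(0) if pm else None,
        "line": line,
    }


def looks_random(stem):
    """Weak heuristic: all-lowercase alphabetic name of 7+ chars with no vowels or a
    run of 5+ consonants (y counts as a vowel so names like svchost are spared)."""
    if len(stem) < 7 or not stem.isalpha() or not stem.islower():
        return False
    run = longest = 0
    for ch in stem:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 5 or not (set(stem) & VOWELS)


def suspicious_reasons(entry):
    """Return the list of reasons an entry deserves a closer look (empty if none)."""
    reasons = []
    if "(file missing)" in entry["line"]:
        reasons.append("file missing: orphaned loader entry pointing at a deleted file")
    if entry["label"] and OPAQUE_LABEL_RE.match(entry["label"]):
        reasons.append("label is a bare hex string or GUID instead of a product name")
    rm = RUNDLL_RE.search(entry["line"])
    if rm and len(rm.group("export")) <= 1:
        reasons.append("rundll32 loads a DLL through a one-letter export")
    if entry["path"]:
        stem = ntpath.splitext(ntpath.basename(entry["path"]))[0]
        if looks_random(stem):
            reasons.append(f"random-looking file name '{stem}'")
    return reasons


def triage(log_text):
    """Parse every HJT entry in log_text and keep those with at least one reason."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['type']} {f['path']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```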

#8 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 27 May 2008 - 08:17 PM

Hi TheoSqua,

Good job! :thumbsup: We are making some progress but still have plenty to remove.


Before we proceed, you need to realize that you are missing one important program on that computer: An antivirus.

This is somewhat suicidal in today's digital world! :)

You need to install an antivirus program as soon as you can and run a complete scan of the computer.

I recommend you download the free

Avast or
AntiVir or
AVG antivirus

Products from all three vendors received the Virus Bulletin's VB100% award and certification for virus detection from ICSA Labs.

Never install more than one antivirus scanner or firewall on your system! Several together can give you problems and decrease the reliability of it seriously!

Let me know which one you installed and I will give you the directions for disabling it before you run ComboFix.

Remember to disable your antivirus and registry protectors (like Teatimer, Spyware Doctor, SpySweeper) before you run ComboFix, as they will prevent it from running.

Now run ComboFix again and post the log it produces.

Edited by SifuMike, 27 May 2008 - 08:37 PM.


#9 TheoSqua (Topic Starter)

Posted 27 May 2008 - 10:54 PM

Yeah I used to have AVG installed, and I generally do a scan from a disc for all the computers at the spa once a month or so. I fixed some spyware with avast BART, but my trial ran out. :thumbsup:

I'll be putting AVG back on all of the computers again after this though.

Here's the combofix log:

ComboFix 08-05-27.4 - Admin 2008-05-27 22:49:24.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.649 [GMT -5:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM133de534.xml
C:\WINDOWS\pskt.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-28 )))))))))))))))))))))))))))))))
.

2008-05-27 19:02 . 2008-05-27 19:02 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-27 18:57 . 2008-05-27 18:57 <DIR> d-------- C:\Program Files\SDFix
2008-05-26 23:02 . 2008-05-26 23:02 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-26 22:40 . 2008-05-26 22:40 90,896 --a------ C:\WINDOWS\system32\oxmrlsxn.dll
2008-05-24 14:41 . 2008-05-24 14:41 100,624 --a------ C:\WINDOWS\system32\jhaufyhc.dll
2008-05-24 14:32 . 2008-05-24 14:32 90,960 --a------ C:\WINDOWS\system32\dxbjnjwn.dll
2008-05-23 14:32 . 2008-05-23 14:32 100,608 --a------ C:\WINDOWS\system32\tidnvxay.dll
2008-05-23 14:32 . 2008-05-23 14:32 91,008 --a------ C:\WINDOWS\system32\utkyqxay.dll
2008-05-22 14:35 . 2008-05-22 14:35 100,016 --a------ C:\WINDOWS\system32\rebfsjcc.dll
2008-05-17 19:29 . 2008-05-17 19:29 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-17 19:29 . 2008-05-17 19:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-17 16:57 . 2008-05-17 16:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-17 16:41 . 2008-05-17 16:41 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-14 03:36 . 2008-05-14 15:45 894 --ahs---- C:\WINDOWS\system32\fykmrisf.ini
2008-05-13 15:42 . 2008-05-27 19:08 0 --a------ C:\WINDOWS\system32\NvApps.xml
2008-05-13 15:33 . 2008-05-13 17:21 774 --ahs---- C:\WINDOWS\system32\snodhjej.ini
2008-05-11 17:55 . 2008-05-11 17:55 5,120 --a------ C:\Documents and Settings\Administrator\ftp34.dll
2008-05-11 17:34 . 2008-05-11 18:19 5,120 --a------ C:\Documents and Settings\LocalService\ftp34.dll
2008-05-11 17:28 . 2008-05-11 17:28 80,384 --a------ C:\ydrvr.exe
2008-05-11 17:28 . 2008-05-11 17:28 40,960 --a------ C:\difkghmd.exe
2008-05-11 17:25 . 2008-05-11 17:25 80,384 --a------ C:\rssnel.exe
2008-05-11 17:25 . 2008-05-11 18:20 5,120 --a------ C:\WINDOWS\system32\ftp34.dll
2008-05-11 17:25 . 2008-05-11 18:20 5,120 --a------ C:\Documents and Settings\Admin\ftp34.dll
2008-05-11 17:22 . 2008-05-11 17:22 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-11 17:22 . 2008-05-11 17:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-11 17:22 . 2008-05-11 17:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-11 17:09 . 2008-05-11 17:09 401,969 --a------ C:\WINDOWS\system32\g67.exe
2008-05-11 17:09 . 2008-05-11 17:09 63,902 --a------ C:\WINDOWS\system32\{80ade23d-3639-f568-d1b0-00e29aa0301c}.dll-uninst.exe
2008-05-11 17:09 . 2008-05-11 17:09 49,189 --a------ C:\WINDOWS\system32\jpwnw64m.exe
2008-05-11 17:00 . 2008-05-11 17:00 <DIR> d-------- C:\WINDOWS\system32\winRem
2008-05-11 17:00 . 2008-05-11 17:00 <DIR> d-------- C:\WINDOWS\system32\spoolX
2008-05-11 17:00 . 2008-05-11 17:00 <DIR> d-------- C:\WINDOWS\system32\MUI2
2008-05-11 17:00 . 2008-05-11 17:44 <DIR> d-------- C:\WINDOWS\system32\1036a
2008-05-11 17:00 . 2008-05-11 17:29 <DIR> d--hs---- C:\WINDOWS\QWRtaW4
2008-05-11 17:00 . 2008-05-26 22:52 <DIR> d-------- C:\Temp
2008-05-11 17:00 . 2008-05-11 17:00 298,306 --a------ C:\WINDOWS\system32\gside.exe
2008-05-11 17:00 . 2008-05-11 17:00 200,772 --a------ C:\WINDOWS\system32\kcntqkdm.exe
2008-05-11 17:00 . 2008-05-11 17:00 88,961 --a------ C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
2008-05-11 17:00 . 2008-05-11 17:00 860 --a------ C:\WINDOWS\system32\winpfz33.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-16 23:17 --------- d-----w C:\Program Files\ICQ6
2008-05-11 22:17 --------- d-----w C:\Program Files\Java
2008-04-10 20:11 --------- d-----w C:\Documents and Settings\Admin\Application Data\Viewpoint
2008-03-27 15:35 333,824 ----a-w C:\WINDOWS\system32\mysidesearch_sidebar.dll
2003-02-21 10:42 348,160 ----a-w C:\Program Files\msvcr71.dll
2005-07-29 21:24 472 --sha-r C:\WINDOWS\QWRtaW4\kqlQuqb.vbs
.

------- Sigcheck -------

2004-08-04 06:00 506368 910f2b52c0c94b3ff211eb9893c96d42 C:\WINDOWS\system32\winlogon.exe

2004-08-04 06:00 1034752 d1d920b3db684304c731f718521df3fb C:\WINDOWS\explorer.exe

2004-08-04 06:00 110592 9996eede31da5c1239447fd55051d6dc C:\WINDOWS\system32\services.exe

2004-08-04 06:00 14848 80a76019a063c7874a8d101e9568b39a C:\WINDOWS\system32\lsass.exe
.
((((((((((((((((((((((((((((( snapshot@2008-05-17_18.59.47.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-17 23:56:12 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-28 00:06:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-27 08:11:56 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-05-28 00:02:19 2,871,296 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-05-28 00:02:19 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-05-27 08:11:56 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-05-28 00:02:11 2,871,296 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-05-28 00:02:11 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2000-08-31 13:00:00 73,728 ----a-w C:\WINDOWS\fdsv.exe
+ 2000-08-31 13:00:00 89,504 ----a-w C:\WINDOWS\fdsv.exe
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{80fa7700-a0f6-46f7-962c-bb95a572af2e}]
2008-05-24 14:41 100624 --a------ C:\WINDOWS\system32\jhaufyhc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9506910A-0F94-4ea1-B567-7070428B8B2B}]
2008-03-27 10:35 333824 --a------ C:\WINDOWS\system32\mysidesearch_sidebar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-03 15:28 7630848]
"100ed6a8"="C:\WINDOWS\system32\qllckrdx.dll" [ ]
"BM133de534"="C:\WINDOWS\system32\oxmrlsxn.dll" [2008-05-26 22:40 90896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"rteKPyDJH"= {100ED608-BAA4-7CA2-FA87-A290519D6DD6} - C:\WINDOWS\system32\wly.dll [ ]

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^Deewoo.lnk]
path=C:\Documents and Settings\Admin\Start Menu\Programs\Startup\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Admin\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Admin\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
backup=C:\WINDOWS\pss\autorun.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 11:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 10:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
C:\Documents and Settings\Admin\cftmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthorizationAgent]
C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2006-08-28 22:57 395776 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a------ 2005-09-08 06:20 122940 C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriveSystem]
C:\WINDOWS\system32\maxpaynowti1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-06-23 17:31 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
--a------ 2008-05-11 17:00 200772 C:\WINDOWS\system32\kcntqkdm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-12-27 08:24 169984 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icasServ]
--a------ 2006-05-12 17:27 13824 C:\WINDOWS\system32\icasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 17:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 17:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mex]
C:\Documents and Settings\Admin\Application Data\?dobe\?hkdsk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]
C:\WINDOWS\system32\drivers\spools.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-10-03 15:28 7630848 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-03 15:28 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Printer]
C:\WINDOWS\system32\printer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule15]
C:\Program Files\QdrModule\QdrModule15.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack15]
C:\Program Files\QdrPack\QdrPack15.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runwinlogon]
C:\WINDOWS\winlogon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2006-08-30 02:32 282624 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
C:\WINDOWS\system32\spoolvs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemDrive]
C:\WINDOWS\system32\maxpaynow1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tair]
C:\WINDOWS\PPPATC~1\regedit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebSUpdater]
C:\Program Files\winvi\wupda.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinUpdater]
C:\Program Files\winvi\update.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{787430f4-3e62-39fc-512d-c6b613300f4a}]
C:\WINDOWS\system32\{80ade23d-3639-f568-d1b0-00e29aa0301c}.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{ED-D6-60-07-DW}]
--a------ 2008-05-11 17:09 49189 C:\windows\system32\jpwnw64m.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=

R2 ASFIPmon;Broadcom ASF IP Monitor;"C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe" -service []
R2 PortEmulator;Port Emulator (Star);C:\Program Files\StarMicronics\TSP100\Software\20061130\portemu.exe [2006-11-28 12:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{159719ee-2ba0-11dd-9579-001a70a6d6c5}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aba78832-2cbf-11dc-950a-001a70a6d6c5}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - GTNDIS5
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 22:50:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-27 22:50:25
ComboFix-quarantined-files.txt 2008-05-28 03:50:22
ComboFix2.txt 2008-05-27 03:57:14
ComboFix3.txt 2008-05-18 01:29:09
ComboFix4.txt 2008-05-18 00:00:09

Pre-Run: 151,330,938,880 bytes free
Post-Run: 151,332,327,424 bytes free

211


in case you wanted a HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:39 PM, on 5/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\StarMicronics\TSP100\Software\20061130\portemu.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061227
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {e2fa275a-59bb-c269-7f64-6f0a0077af08} - {80fa7700-a0f6-46f7-962c-bb95a572af2e} - C:\WINDOWS\system32\jhaufyhc.dll
O2 - BHO: MySidesearch Search Assistant - {9506910A-0F94-4ea1-B567-7070428B8B2B} - C:\WINDOWS\system32\mysidesearch_sidebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [100ed6a8] rundll32.exe "C:\WINDOWS\system32\qllckrdx.dll",b
O4 - HKLM\..\Run: [BM133de534] Rundll32.exe "C:\WINDOWS\system32\oxmrlsxn.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O21 - SSODL: rteKPyDJH - {100ED608-BAA4-7CA2-FA87-A290519D6DD6} - C:\WINDOWS\system32\wly.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Port Emulator (Star) (PortEmulator) - Star Micronics Co., Ltd. - C:\Program Files\StarMicronics\TSP100\Software\20061130\portemu.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 4540 bytes
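
The ComboFix and HijackThis output in the post above is where a responder does the real work: the msconfig\startupreg entries point at cftmon.exe, spools.exe and spoolvs.exe (one letter swap away from ctfmon.exe and spoolsv.exe), a winlogon.exe in C:\WINDOWS rather than system32, a regedit.exe under PPPATC~1, a ?hkdsk.exe in a ?dobe folder, and Run keys that hand rundll32 DLLs with random eight-letter names. The script below is an added example for this page, not part of the thread and not a HijackThis or ComboFix feature; it automates that eyeballing over a constructed sample of entries copied from the logs above. The table of Windows binaries and their normal folders, the "one edit away" lookalike rule and the "eight lowercase letters with few vowels" rule are heuristics chosen for the example, not any vendor's detection logic, so every hit is something to check by hand rather than a verdict.

```python
"""Triage HijackThis / ComboFix autostart entries for persistence tricks.
Added example for this thread, not a HijackThis or ComboFix feature; the
folder table and thresholds below are heuristics chosen for the example."""
import re
from typing import Dict, List

# Windows binaries malware likes to impersonate and the folder each really
# lives in on a stock XP install (assumption: C:\WINDOWS, lowercase compare).
SYSTEM_BINARIES = {
    "ctfmon.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32"},
    "regedit.exe": {r"c:\windows"},
}
# First drive-letter path ending in .exe/.dll/.sys inside an HJT-style line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:exe|dll|sys)\b', re.IGNORECASE)
EIGHT_LOWER = re.compile(r"^[a-z]{8}$")


def osa_distance(a: str, b: str) -> int:
    """Edit distance where swapping two adjacent letters (cftmon/ctfmon,
    spoolvs/spoolsv) counts as a single edit (optimal string alignment)."""
    d = [[i] + [0] * len(b) for i in range(len(a) + 1)]
    d[0] = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def looks_random(stem: str) -> bool:
    """Heuristic (assumption): eight lowercase letters with fewer than three
    vowels, the shape of the dropper-generated DLL names in the posted log."""
    return bool(EIGHT_LOWER.match(stem)) and sum(c in "aeiou" for c in stem) < 3


def triage_path(path: str) -> List[str]:
    """Reasons a single autostart target deserves a manual look."""
    findings: List[str] = []
    folder, _, name = path.lower().rpartition("\\")
    stem = name.rsplit(".", 1)[0]
    if "?" in path:
        findings.append("'?' in path: non-ASCII or substituted characters in the name")
    if name in SYSTEM_BINARIES:
        if folder not in SYSTEM_BINARIES[name]:
            findings.append(f"'{name}' outside its normal folder: {folder}")
    else:
        lookalike = next((r for r in SYSTEM_BINARIES if osa_distance(name, r) <= 1), None)
        if lookalike:
            findings.append(f"'{name}' is one edit away from '{lookalike}' (lookalike name)")
        if looks_random(stem):
            findings.append(f"random-looking eight-letter name '{name}'")
    if folder == "c:" or folder.startswith(r"c:\documents and settings"):
        findings.append("executable launched from the drive root or a user profile")
    return findings


def triage_line(entry: str) -> List[str]:
    """Triage one HJT line (O2/O4/O21/O23) or a bare path from ComboFix."""
    match = PATH_RE.search(entry)
    findings = triage_path(match.group(0)) if match else []
    if "(file missing)" in entry:
        findings.append("target not on disk: dangling autostart, or a core service path to verify")
    return findings


def report(entries: List[str]) -> Dict[str, List[str]]:
    """Flagged entries mapped to their findings; clean entries are left out."""
    return {e: f for e in entries if (f := triage_line(e))}


# Constructed sample: entries copied from the HJT and ComboFix logs posted above.
SAMPLE_ENTRIES = [
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r'O4 - HKLM\..\Run: [100ed6a8] rundll32.exe "C:\WINDOWS\system32\qllckrdx.dll",b',
    r'O4 - HKLM\..\Run: [BM133de534] Rundll32.exe "C:\WINDOWS\system32\oxmrlsxn.dll",s',
    r"O21 - SSODL: rteKPyDJH - {100ED608-BAA4-7CA2-FA87-A290519D6DD6} - C:\WINDOWS\system32\wly.dll (file missing)",
    r"O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)",
    r"C:\Documents and Settings\Admin\cftmon.exe",
    r"C:\WINDOWS\system32\drivers\spools.exe",
    r"C:\WINDOWS\system32\spoolvs.exe",
    r"C:\WINDOWS\winlogon.exe",
    r"C:\WINDOWS\PPPATC~1\regedit.exe",
    r"C:\Documents and Settings\Admin\Application Data\?dobe\?hkdsk.exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
]

if __name__ == "__main__":
    for entry, findings in report(SAMPLE_ENTRIES).items():
        print(entry)
        for finding in findings:
            print("   ->", finding)
```

Run as-is, it flags ten of the twelve sample entries and leaves the genuine NvCpl.dll and system32\ctfmon.exe entries alone. The lookalike check uses a distance of 1 rather than a substring match because a transposition (cftmon, spoolvs) is exactly what a plain "contains ctfmon" test misses, and the "(file missing)" hit on a core service such as the Print Spooler is reported as something to verify rather than as malware: on this page it appears right after the AVG remnants and an avast! install, and the log alone does not say why.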

#10 SifuMike (malware expert)

Posted 27 May 2008 - 11:05 PM

Hi,

"I'll be putting AVG back on all of the computers again after this though."

I can't continue until you have put an antivirus on this computer and run a full scan with it.

You have some malware magnets on this computer and they will come back faster than I can remove them. :thumbsup:

"I generally do a scan from a disc for all the computers at the spa once a month or so."

The reason you are so infected is that you did not have an antivirus program actively running on this computer.
You must run a complete virus scan every week, not every month.

Edited by SifuMike, 28 May 2008 - 12:43 AM.


#11 TheoSqua (Topic Starter)

Posted 31 May 2008 - 02:28 PM

I installed Avast and did a pre-boot scan. It found a bunch of infected files and terminated them.

I'm trying to get a log file to post for you, but it isn't being cooperative. When I right click on Avast! Log Viewer nothing happens.

Here's a HJT scan:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:28:01 PM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashLogV.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061227
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {e2fa275a-59bb-c269-7f64-6f0a0077af08} - {80fa7700-a0f6-46f7-962c-bb95a572af2e} - C:\WINDOWS\system32\jhaufyhc.dll
O2 - BHO: MySidesearch Search Assistant - {9506910A-0F94-4ea1-B567-7070428B8B2B} - C:\WINDOWS\system32\mysidesearch_sidebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [100ed6a8] rundll32.exe "C:\WINDOWS\system32\qllckrdx.dll",b
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BM133de534] Rundll32.exe "C:\WINDOWS\system32\oxmrlsxn.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O21 - SSODL: rteKPyDJH - {100ED608-BAA4-7CA2-FA87-A290519D6DD6} - C:\WINDOWS\system32\wly.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Port Emulator (Star) (PortEmulator) - Star Micronics Co., Ltd. - C:\Program Files\StarMicronics\TSP100\Software\20061130\portemu.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 5974 bytes

#12 SifuMike (malware expert)

Posted 31 May 2008 - 02:33 PM

Let's see if Avast killed all the viruses.

Please perform this online scan: Kaspersky Webscan

Note that you need to run this scan with Internet Explorer for it to work correctly.

If you have any problem running the scan to completion, disable your Antivirus and/or firewall temporarily, just refrain from surfing around while the scan is running and be sure to re-enable when done.

to disable avast antivirus:
Right click on the avast! icon in the system tray and choose "Stop On-Access Protection".


Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat step 1.
3. Select "Install" to download the ActiveX controls that allow Kaspersky to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. Wait for the scanner to initialize and update its databases. When the download is complete it will say ready, click "Next"
6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE; under Scan Options check "Scan Archives" and "Scan Mail Bases", then click "OK"
7. Select a target to scan: Click on "My Computer" and the scan will begin.
8. Once the scan is complete it will display if your system has been infected.
Now click on the Save Report As... button.
Under "Save as type" select "Text file", write a name for the file and save it to your Desktop.
Locate the file at the Desktop, open it, then copy and paste that information in your next post.
9. Post the Kaspersky scan results in your next reply.

Edited by SifuMike, 31 May 2008 - 02:35 PM.


#13 TheoSqua (Topic Starter)

Posted 03 June 2008 - 08:05 PM

dun look good :thumbsup:

KASPERSKY ONLINE SCANNER REPORT
Tuesday, June 03, 2008 8:03:43 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/06/2008
Kaspersky Anti-Virus database records: 827143


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 43189
Number of viruses found 28
Number of infected objects 83
Number of suspicious objects 0
Duration of the scan process 00:31:16

Infected Object Name Virus Name Last Action
C:\difkghmd.exe Infected: Trojan-Proxy.Win32.Small.np skipped

C:\Documents and Settings\Admin\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Admin\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Admin\Local Settings\History\History.IE5\MSHist012008060320080604\index.dat Object is locked skipped

C:\Documents and Settings\Admin\Local Settings\Temp\00003DP56QFO.CDX Object is locked skipped

C:\Documents and Settings\Admin\Local Settings\Temp\00003DP58XOV.CDX Object is locked skipped

C:\Documents and Settings\Admin\Local Settings\Temp\00003DP58XOW.TMP Object is locked skipped

C:\Documents and Settings\Admin\Local Settings\Temp\00003DP59AV2.TMP Object is locked skipped

C:\Documents and Settings\Admin\Local Settings\Temp\00003DP5AF1G.TMP Object is locked skipped

C:\Documents and Settings\Admin\Local Settings\Temp\00003DP5AW6O.CDX Object is locked skipped

C:\Documents and Settings\Admin\Local Settings\Temp\00003DP5AW6P.CDX Object is locked skipped

C:\Documents and Settings\Admin\Local Settings\Temp\00003DP5AXB7.CDX Object is locked skipped

C:\Documents and Settings\Admin\Local Settings\Temp\~DF3672.tmp Object is locked skipped

C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\4HYJSPE3\bind[1].htm Object is locked skipped

C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Admin\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Admin\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\selfdef.log Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped

C:\Program Files\Harms\Millennium Workstation\harmsremotesupport.exe/vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped

C:\Program Files\Harms\Millennium Workstation\harmsremotesupport.exe 7-Zip: infected - 1 skipped

C:\Program Files\Harms\Millennium Workstation\harmsremotesupport.exe UPX: infected - 1 skipped

C:\Program Files\Harms\Millennium Workstation\localsettings.DBF Object is locked skipped

C:\Program Files\Harms\Millennium Workstation\localsettings.FPT Object is locked skipped

C:\Program Files\SDFix\SDFix\backups\backups.zip/backups/dFrnx061083.exe Infected: Trojan-Downloader.Win32.VB.ehl skipped

C:\Program Files\SDFix\SDFix\backups\backups.zip ZIP: infected - 1 skipped

C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1552OinAdmin.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.gb skipped

C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1552OinUninstaller.exe.vir/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped

C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1552OinUninstaller.exe.vir NSIS: infected - 1 skipped

C:\QooBox\Quarantine\C\Program Files\QdrModule\QdrModule15.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.y skipped

C:\QooBox\Quarantine\C\Program Files\QdrPack\QdrPack15.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.z skipped

C:\QooBox\Quarantine\C\WINDOWS\default.htm.vir Infected: not-virus:Hoax.HTML.Secureinvites.b skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\000080.exe.vir/data0002 Infected: Trojan-Downloader.Win32.PurityScan.gb skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\000080.exe.vir NSIS: infected - 1 skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\crypts.dll.vir Infected: Trojan-Downloader.Win32.Satray.bo skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\dllgh8jkd1q1.exe.vir Infected: Email-Worm.Win32.Zhelatin.ys skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\dllgh8jkd1q2.exe.vir Infected: Email-Worm.Win32.Zhelatin.ys skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\dllgh8jkd1q5.exe.vir Infected: Email-Worm.Win32.Zhelatin.ys skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\dllgh8jkd1q6.exe.vir Infected: Email-Worm.Win32.Zhelatin.ys skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\dllgh8jkd1q7.exe.vir Infected: Email-Worm.Win32.Zhelatin.ys skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\Ltc10.sys.zip/Ltc10.sys Infected: Trojan-Dropper.Win32.Agent.rek skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\Ltc10.sys.zip ZIP: infected - 1 skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\tcpsr.sys.vir Infected: SpamTool.Win32.Agent.jn skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\maxpaynow1.exe.vir Infected: Email-Worm.Win32.Zhelatin.ys skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\maxpaynowti1.exe.vir Infected: Email-Worm.Win32.Zhelatin.ys skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\rqRKdETL.dll.vir Infected: Trojan.Win32.Monder.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\vedxga1me4t1.exe.vir Infected: Email-Worm.Win32.Zhelatin.ys skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\wind32.exe.vir Infected: Trojan-Downloader.Win32.Tibs.zs skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\wmsdkns.exe.vir Infected: not-virus:Hoax.Win32.Renos.cda skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\yaYQHXNd.dll.vir Infected: Trojan.Win32.Monder.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\{80ade23d-3639-f568-d1b0-00e29aa0301c}.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.byy skipped

C:\rssnel.exe Infected: Trojan-Downloader.Win32.Injecter.qr skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0020748.exe Infected: not-a-virus:AdWare.Win32.AdBand.y skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0020749.exe Infected: not-a-virus:AdWare.Win32.AdBand.z skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0020751.dll Infected: Trojan-Downloader.Win32.Satray.bo skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0020767.exe Infected: Trojan-Downloader.Win32.Tibs.zs skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0020790.exe Infected: not-virus:Hoax.Win32.Renos.cda skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0020792.sys Infected: SpamTool.Win32.Agent.jn skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0020793.exe Infected: Trojan-Downloader.Win32.PurityScan.gb skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0020794.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0020794.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0020798.exe Infected: Email-Worm.Win32.Zhelatin.ys skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0020803.exe Infected: Email-Worm.Win32.Zhelatin.ys skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0020804.exe Infected: Email-Worm.Win32.Zhelatin.ys skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0020805.exe Infected: Email-Worm.Win32.Zhelatin.ys skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0020806.exe Infected: Email-Worm.Win32.Zhelatin.ys skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0020807.exe Infected: Email-Worm.Win32.Zhelatin.ys skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0020809.exe Infected: Email-Worm.Win32.Zhelatin.ys skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0020811.exe Infected: Email-Worm.Win32.Zhelatin.ys skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0020824.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.gb skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0020824.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0020825.dll Infected: not-a-virus:AdWare.Win32.Agent.byy skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0020826.dll Infected: Trojan.Win32.Monder.gen skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0020827.dll Infected: Trojan.Win32.Monder.gen skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0020858.dll Infected: Trojan.Win32.Vapsup.gab skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0020886.exe Infected: Trojan-Proxy.Win32.Small.np skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0020888.exe Infected: Email-Worm.Win32.Zhelatin.ys skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0020890.exe Infected: Trojan.Win32.Vapsup.fbg skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0020899.exe Infected: Trojan-Downloader.Win32.Agent.otg skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0020900.exe Infected: not-virus:Hoax.Win32.Renos.cda skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0020903.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP317\A0022345.exe Infected: Trojan-Downloader.Win32.VB.ehl skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP317\A0022351.exe Infected: Trojan-Downloader.Win32.VB.ehl skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP319\A0023485.dll Infected: Trojan-Downloader.Win32.Small.vem skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP319\A0023486.exe Infected: Trojan-Clicker.Win32.Small.pe skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP319\A0023487.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP319\A0023488.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP319\A0023489.exe Infected: Trojan.Win32.Patched.aa skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP319\A0023490.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP319\A0023497.exe Infected: Trojan.Win32.Patched.aa skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP319\A0023500.exe Infected: Trojan.Win32.Patched.aa skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP319\A0023510.exe Infected: Trojan.Win32.Patched.aa skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP319\A0023511.exe Infected: Trojan.Win32.Patched.aa skipped

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP319\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\g67.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.byy skipped

C:\WINDOWS\system32\g67.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.byy skipped

C:\WINDOWS\system32\g67.exe NSIS: infected - 2 skipped

C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped

C:\WINDOWS\system32\MUI2\GI-dot4c.exe Infected: Trojan.Win32.Agent.lom skipped

C:\WINDOWS\system32\spoolX\NsDatdsrv.exe/stream/data0007/stream/Script Infected: Trojan.NSIS.StartPage.c skipped

C:\WINDOWS\system32\spoolX\NsDatdsrv.exe/stream/data0007/stream Infected: Trojan.NSIS.StartPage.c skipped

C:\WINDOWS\system32\spoolX\NsDatdsrv.exe/stream/data0007 Infected: Trojan.NSIS.StartPage.c skipped

C:\WINDOWS\system32\spoolX\NsDatdsrv.exe/stream Infected: Trojan.NSIS.StartPage.c skipped

C:\WINDOWS\system32\spoolX\NsDatdsrv.exe NSIS: infected - 4 skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\TEMP\Perflib_Perfdata_638.dat Object is locked skipped

C:\WINDOWS\TEMP\_avast4_\unp41326341.tmp Object is locked skipped

C:\WINDOWS\TEMP\_avast4_\Webshlock.txt Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\ydrvr.exe Infected: Trojan-Downloader.Win32.Injecter.qr skipped

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 03 June 2008 - 09:59 PM

Hi,

You posted a partial Kaspersky scan log. The last line of the log will be "Scan process completed". I need to see the entire log.

If you can't post the entire log due to the size, then attach it.

Edited by SifuMike, 03 June 2008 - 10:42 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 TheoSqua

TheoSqua
  • Topic Starter

  • Members
  • 21 posts

Posted 04 June 2008 - 04:42 PM

That's the entire log; I just didn't paste in the last line stating the log was complete. My apologies.