
Spyware Problem


23 replies to this topic

#1 dlandeen (Members)

Posted 05 June 2008 - 07:58 PM

I have a problem when my computer starts it disables task manager and regedit. I have run spybot, dr spyware and smitfraud fix and rogue fix with no resolution...... when using IE i get redirected constantly.... I cannot get onto this web site from that computer or most sites that fix spyware.... I have run a log from hijackthis....
I would appreciate any help...

Thank you,

Doug

Attached Files





#2 Starbuck (Malware Response Team)

Posted 06 June 2008 - 05:04 PM

Hi dlandeen and welcome to Bleeping Computer.

Before we start:
Please change the location of HijackThis.exe.
Create a new folder in your C: Drive
Name it C:\HJT or HijackThis and move the HijackThis.exe file into it.

Easiest way is to right click on the desktop icon for Hjt... select 'cut'
Then go to the newly created folder... open it ... then right click and select 'paste'


It's best for this tool NOT TO be located in your Desktop or in a TEMP folder.
This way you can undo any changes if something goes wrong and will prevent the tool placing shortcuts on your Desktop.

Step 1
Run HijackThis again, click Scan, and put a checkmark next to each of these items.
O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts
O2 - BHO: Microsoft copyright - {ffffffff-bbbb-4146-86fd-a722e8ab3489} - sockins32.dll (file missing)
O4 - HKUS\S-1-5-18\..\Run: [qiko] C:\PROGRA~1\COMMON~1\qiko\qikom.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [qiko] C:\PROGRA~1\COMMON~1\qiko\qikom.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - autorunsdisabled - (no file) (HKCU)
O18 - Filter: autorunsdisabled - (no CLSID) - (no file)
O20 - Winlogon Notify: autorunsdisabled - C:\WINDOWS\
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)

Then close all other windows, browsers etc--you should only see HijackThis on your Desktop--and click the Fix Checked button.

Step 2
Next, please reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
You will need to use the 'keyboard arrow keys' to navigate on this menu.
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Then choose your usual account.

Step 3
Please navigate to the folder in bold, right click on it and select delete.
C:\Program Files\Common Files\qiko

Reboot back into normal mode.

Step 4
Please download ComboFix

**Note: It is important that it is saved directly to your desktop**

There are full instructions on how to download and run ComboFix here:
How to use ComboFix
Please follow all the instructions to the letter...(this is very important)

Please ensure that you install the Recovery Console if it's not already installed on your machine.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Click Yes to allow ComboFix to continue scanning for malware.
Note: Do not mouse-click ComboFix's window while it's running. This may cause it to stall.

When finished, it will produce a log for you. Post that log in your next reply

In your next reply, please submit:
ComboFix.txt
and a new Hjt log

Thanks

Edited by Starbuck, 06 June 2008 - 05:08 PM.

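Added example, not part of this thread and not HijackThis's own logic: a small Python triage script that parses HijackThis-format entry lines like the ones Starbuck lists above and flags the same kinds of entries he selected (references to missing files or CLSIDs, Run entries in the SYSTEM and Default user hives, Internet Explorer and Policies\System restrictions, a Winlogon Notify entry with no DLL name). The sample input is constructed from the entries quoted above plus two benign lines taken from the user's later log; the heuristics and the function names (`parse_hjt`, `triage_log`, `referenced_files`) are the editor's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the entries quoted in the reply above, plus two
# benign lines (ctfmon, Google toolbar) from the user's later log so the
# triage has something it should NOT flag.
SAMPLE_HJT = r"""
O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts
O2 - BHO: Microsoft copyright - {ffffffff-bbbb-4146-86fd-a722e8ab3489} - sockins32.dll (file missing)
O4 - HKUS\S-1-5-18\..\Run: [qiko] C:\PROGRA~1\COMMON~1\qiko\qikom.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [qiko] C:\PROGRA~1\COMMON~1\qiko\qikom.exe (User 'Default user')
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - autorunsdisabled - (no file) (HKCU)
O18 - Filter: autorunsdisabled - (no CLSID) - (no file)
O20 - Winlogon Notify: autorunsdisabled - C:\WINDOWS\
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
"""

LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")          # "O4 - <body>"
MISSING_MARKERS = ("(file missing)", "(no file)", "(no CLSID)")
SERVICE_HIVES = ("(User 'SYSTEM')", "(User 'Default user')")
FILE_RE = re.compile(r"[\w~$-]+\.(?:exe|dll|sys|ocx|cpl)\b", re.IGNORECASE)
POLICY_RE = re.compile(r"(\w+)=(\d+)")                 # e.g. DisableRegedit=1


@dataclass
class Entry:
    section: str                       # HJT section code, e.g. "O4"
    body: str                          # text after "O4 - "
    reasons: list = field(default_factory=list)


def parse_hjt(text):
    """Parse HijackThis-style entry lines; headers and the process list are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entry):
    """Attach a reason for every heuristic the entry trips (editor's heuristics, not HJT logic)."""
    body = entry.body
    if any(mk in body for mk in MISSING_MARKERS):
        entry.reasons.append("references a missing file or CLSID (stale or hidden component)")
    if entry.section == "O1":
        entry.reasons.append("hosts file location reported; confirm the DataBasePath registry value")
    if entry.section == "O4" and any(h in body for h in SERVICE_HIVES):
        entry.reasons.append("Run entry in the SYSTEM or Default user hive (runs before any user logs in)")
    if entry.section == "O6":
        entry.reasons.append("Internet Explorer restriction policy present")
    if entry.section == "O7":
        m = POLICY_RE.search(body)
        setting = f"{m.group(1)}={m.group(2)}" if m else "unknown value"
        entry.reasons.append(f"Policies\\System lockout: {setting}")
    if entry.section == "O20" and not FILE_RE.search(body):
        entry.reasons.append("Winlogon Notify entry with no resolvable DLL name")
    return entry


def triage_log(text):
    """Return only the entries that tripped at least one heuristic, in log order."""
    return [e for e in (triage(x) for x in parse_hjt(text)) if e.reasons]


def referenced_files(entries):
    """Distinct file names the flagged entries point at, for cross-checking a later scan."""
    names = set()
    for e in entries:
        names.update(n.lower() for n in FILE_RE.findall(e.body))
    return sorted(names)


if __name__ == "__main__":
    flagged = triage_log(SAMPLE_HJT)
    for e in flagged:
        print(f"{e.section} - {e.body}")
        for r in e.reasons:
            print(f"    -> {r}")
    print("files to cross-check:", ", ".join(referenced_files(flagged)))
```

Run it against a saved HijackThis log instead of the constructed sample to get the same shortlist; the file names it returns (here `qikom.exe` and `sockins32.dll`) are the ones to look for in a follow-up scanner's deletion list, which is exactly where `sockins32.dll` turns up in the ComboFix output later in this thread.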


#3 dlandeen (Topic Starter)

Posted 07 June 2008 - 12:33 AM

Thanks for your help!!! I was not able to download combofix.... I kept getting redirected and said site was not available..Keep getting redirected... Did all instructions up till the combo fix... what should I do now? I really appreciate your help..


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17:47 AM, on 6/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\hjt\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
--
End of file - 5071 bytes

#4 Starbuck (Malware Response Team)

Posted 07 June 2008 - 03:56 AM

Hi dlandeen

Ok, let's see if we can find out what's causing this.
Let's see if this works:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, it will create two text files - main.txt <- this one will be maximized and extra.txt <-this one will be minimized on your Taskbar.
4. Copy/paste both logs back here please (they will also be located at C:\Deckard\System Scanner).

Make sure you notice the extra.txt second log that will show as minimized on your Task Bar, "Maximize" that and be sure to paste those contents here as well.



#5 dlandeen (Topic Starter)

Posted 07 June 2008 - 12:36 PM

Hi Starbuck,

I cannot get to the web site that downloads DSS. I cannot get to bleepingcomputer.com.. It redirects to various other sites. I am using a different computer to retrieve these messages from you... Is it possible to copy to a diskette and load dss ? Thanks again for your help

Doug

#6 Starbuck (Malware Response Team)

Posted 07 June 2008 - 05:06 PM

I cannot get to the web site that downloads DSS.

I had a nasty feeling you were going to say that.

Is it possible to copy to a diskette and load dss ?

Yes it is, but when you say 'diskette'.... what do you mean?
If you mean a CD.... then that's fine..... an old 'floppy diskette' won't have enough capacity to load DSS or even ComboFix on to.
If you could download a program to a CD.... then I'd go for 'ComboFix'. Once it runs it will actually delete anything bad that it finds..... DSS will only give us a report.
If you could download ComboFix from another PC and then transfer it to a CD..... then install it and run it on the infected PC, that would be great.
See what you can do and I'll be waiting for your reply.



#7 dlandeen (Topic Starter)

Posted 08 June 2008 - 09:37 PM

Thanks for your help... I will try to download to cd.... and then run.

#8 dlandeen (Topic Starter)

Posted 09 June 2008 - 05:14 PM

Hello.....

I copied combofix to a cd and installed it on the desktop of the virus ridden computer.. I tried to start it and it would not start. Copied combofix into its own folder still the same results.... It will not let me run spybot..... I can run hijackthis and dr spyware..... I will wait for your reply for further instruction....

Thanks again for your help...

Doug

#9 dlandeen (Topic Starter)

Posted 09 June 2008 - 06:15 PM

Hi Starbuck,

I ran Spyware Dr and got combofix to run after...... I will be sending the log report

#10 dlandeen (Topic Starter)

Posted 09 June 2008 - 06:42 PM

Hi Starbuck,

I am actually sending this from the infected machine, which I could not even get to the bleeping site before....
Thank you .... doug


ComboFix 08-06-08.5 - Owner 2008-06-09 18:08:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.133 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\wnsxs~1
C:\Program Files\RcvSystem
C:\Program Files\RcvSystem\httpdchk.dll
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\BM4794470a.xml
C:\WINDOWS\IA
C:\WINDOWS\index.html
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\000080.exe
C:\WINDOWS\system32\AcJRuBeg.ini
C:\WINDOWS\system32\AcJRuBeg.ini2
C:\WINDOWS\system32\adult.txt
C:\WINDOWS\system32\b1
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\drivers\mouclasss.sys
C:\WINDOWS\system32\finance.txt
C:\WINDOWS\system32\fLlRBJlm.ini
C:\WINDOWS\system32\fLlRBJlm.ini2
C:\WINDOWS\system32\iavmjwei.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\n3
C:\WINDOWS\system32\nexkaqf.sys
C:\WINDOWS\system32\ooqponpo.ini
C:\WINDOWS\system32\ooqponpo.ini2
C:\WINDOWS\system32\other.txt
C:\WINDOWS\system32\pharma.txt
C:\WINDOWS\system32\qnigouhm.ini
C:\WINDOWS\system32\siphgeiv.ini
C:\WINDOWS\system32\sockins32.dll
C:\WINDOWS\system32\suxxbJlm.ini
C:\WINDOWS\system32\suxxbJlm.ini2
C:\WINDOWS\system32\tvovmwvk.ini
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\x4
C:\WINDOWS\winself.exe
C:\WINDOWS\ymante~1
C:\WINDOWS\ymante~1\?ymantec\
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER
-------\Legacy_MOUCLASSS
-------\Legacy_MSSECURITY1.209.4
-------\Legacy_WINDOWS_OVERLAY_COMPONENTS
-------\Service_clbdriver
-------\Service_mouclasss
-------\Service_MsSecurity1.209.4
-------\Service_nexkaqf


((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 )))))))))))))))))))))))))))))))
.

2008-06-06 23:49 . 2008-06-06 23:50 <DIR> d-------- C:\hjt
2008-05-28 18:43 . 2008-05-28 18:43 167,976 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-05-24 12:31 . 2008-05-24 12:31 <DIR> d-------- C:\Program Files\Netcom3 Cleaner
2008-05-23 21:41 . 2008-05-23 21:41 <DIR> d-------- C:\Documents and Settings\Doug\Application Data\Talkback
2008-05-22 18:51 . 2008-05-22 18:51 <DIR> d-------- C:\Program Files\CCleaner
2008-05-22 16:31 . 2008-06-09 16:32 2,720 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-19 18:46 . 2008-05-21 20:19 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-18 15:20 . 2008-05-18 15:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-05-18 14:36 . 2008-05-18 15:44 75 --a------ C:\WINDOWS\st_affiliate.ini
2008-05-18 12:08 . 2007-04-17 04:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-05-18 12:08 . 2007-03-08 00:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-05-18 12:08 . 2008-03-01 08:06 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-05-18 12:08 . 2008-03-01 08:06 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-05-18 12:08 . 2008-03-01 08:06 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-05-18 12:08 . 2008-03-01 08:06 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-05-18 12:08 . 2008-03-01 08:06 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-05-18 12:08 . 2008-02-22 05:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-05-18 12:07 . 2008-03-01 08:06 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-05-10 17:18 . 2004-01-20 22:48 <DIR> d-------- C:\Documents and Settings\Doug\WINDOWS
2008-05-10 17:18 . 2004-01-21 04:48 <DIR> d-------- C:\Documents and Settings\Doug\Application Data\Symantec
2008-05-10 17:18 . 2004-01-20 22:21 <DIR> d-------- C:\Documents and Settings\Doug\Application Data\Sonic
2008-05-10 17:18 . 2004-01-20 23:29 <DIR> d-------- C:\Documents and Settings\Doug\Application Data\SampleView
2008-05-10 17:18 . 2004-01-21 04:52 <DIR> d-------- C:\Documents and Settings\Doug\Application Data\interMute
2008-05-10 17:18 . 2008-05-10 17:34 <DIR> d-------- C:\Documents and Settings\Doug

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-09 23:15 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-27 22:14 --------- d-----w C:\Program Files\Spyware Doctor
2008-05-24 01:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-22 23:54 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-05-18 19:42 --------- d-----w C:\Program Files\Yahoo!
2008-05-18 19:42 --------- d-----w C:\Program Files\interMute
2008-05-18 19:42 --------- d-----w C:\Program Files\Common Files\Scanner
2008-05-18 19:42 --------- d-----w C:\Documents and Settings\Owner\Application Data\interMute
2008-05-18 19:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-17 22:33 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVGTOOLBAR
2008-05-05 01:12 --------- d-----w C:\Program Files\AVG
2008-05-04 19:30 --------- d-----w C:\Program Files\MSXML 4.0
2008-05-04 17:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\PC Tools
2008-05-01 23:10 58,880 ---h--w C:\Documents and Settings\Owner\giha.exe
2008-05-01 23:10 58,880 ----a-w C:\d.exe
2008-05-01 23:10 44 ----a-w C:\p2hhr.bat
2008-05-01 23:09 64,512 ----a-w C:\rssnel.exe
2008-05-01 23:09 13,824 ----a-w C:\xvyr.exe
2008-04-28 22:27 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-27 01:53 --------- d-----w C:\Program Files\Lavasoft
2008-04-27 01:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-27 01:51 --------- d-----w C:\Program Files\Trend Micro
2008-04-26 23:43 104 ---ha-w C:\aaw7boot.cmd
2008-04-26 23:42 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2008-04-26 22:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-04-26 22:43 401,696 ----a-w C:\Documents and Settings\Owner\g88.exe
2008-04-25 01:23 298,358 ----a-w C:\Documents and Settings\Owner\gside.exe
2006-01-19 02:19 3,932 ----a-w C:\Documents and Settings\Owner\Application Data\LMLayout.dat
2006-01-19 02:19 268 ----a-w C:\Documents and Settings\Owner\Application Data\LMCPaper.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-18 00:09 67128]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-08-21 06:15 483328]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 18:57 81920]
"LMPDPSRV"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE" [2002-09-05 12:05 45056]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 04:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 06:10 49263]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-10-29 14:17 135168]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-04-10 15:14 1107848]
"combofix"="C:\WINDOWS\system32\CF29408.exe" [2004-08-04 02:56 388608]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"=" "

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=C:\WINDOWS\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^lexmark x125 settings utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lexmark X125 Settings Utility.lnk
backup=C:\WINDOWS\pss\Lexmark X125 Settings Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\c:^documents and settings^owner^start menu^programs^startup^dw_start.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Organize.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Organize.lnk
backup=C:\WINDOWS\pss\Organize.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Palm Registration.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Palm Registration.lnk
backup=C:\WINDOWS\pss\Palm Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\acaprira]
C:\WINDOWS\acaprirA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-07 01:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-03-04 14:01 88209 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 16:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
--a------ 2005-11-30 13:35 49152 C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
--a------ 2004-01-09 04:34 32768 c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM4794470a]
C:\WINDOWS\system32\liakhgki.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link RangeBooster G WUA-2340]
--a------ 2005-12-15 15:18 2490368 C:\Program Files\D-Link\RangeBooster G WUA-2340\AirPlusCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
--a------ 2005-11-15 15:12 473928 C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
--a------ 2003-08-21 06:23 49152 c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
--a------ 2008-04-10 15:14 1107848 C:\Program Files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Installer]
C:\DOCUME~1\Owner\LOCALS~1\Temp\ie.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NJv7jy]
C:\WINDOWS\system32\dgfgql.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2003-11-03 19:50 221184 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordNow!]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spa_start]
C:\WINDOWS\system32\{3d37944e-eb60-4228-179a-3fb4647c7afd}.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spyclean]
--a------ 2008-03-11 22:06 4505600 C:\Program Files\Netcom3 Cleaner\SpyClean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\systray]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tkbellexe]
--a------ 2007-03-08 23:25 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 11:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2005-08-18 13:49 307200 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2004-10-22 14:53 53248 C:\WINDOWS\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ANIWZCSdService"=2 (0x2)
"ose"=3 (0x3)
"nmservice"=2 (0x2)
"nmraapache"=3 (0x3)
"Netcom3"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\LMpdpsrv.exe"=
"C:\\Program Files\\iMesh\\Client\\iMeshClient.exe"=
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"C:\\Program Files\\iMesh\\iMesh5\\iMesh.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1141234655\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1141234655\\ee\\aim6.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Documents and Settings\\Owner\\giha.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

S1 mouclasss;mouclasss;C:\WINDOWS\system32\drivers\mouclasss.sys []
S1 nexkaqf;nexkaqf;C:\WINDOWS\system32\nexkaqf.sys []
S3 A5AGU;D-Link USB Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\A5AGU.sys [2005-07-26 01:32]
S3 ATHFMWDL;D-Link predator Bootloader driver;C:\WINDOWS\system32\Drivers\ATHFMWDL.sys [2005-07-26 01:35]
S4 Netcom3;NetCom3 Service;C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe [2006-11-18 19:36]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
rundll32 sockins32.dll,InitModule
.
Contents of the 'Scheduled Tasks' folder
"2008-05-18 18:49:23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-09 18:16:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
.
**************************************************************************
.
Completion time: 2008-06-09 18:25:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-09 23:25:47

Pre-Run: 57,298,964,480 bytes free
Post-Run: 57,204,113,408 bytes free

293 --- E O F --- 2008-05-28 23:47:04


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17:47 AM, on 6/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\hjt\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 5071 bytes

#11 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 09 June 2008 - 07:09 PM

Hi dlandeen

You have done well :thumbsup:
This is what I wanted to see....
Give me some time to go through this log and I'll get back to you shortly..

Pete



#12 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 09 June 2008 - 09:16 PM

Hi dlandeen

Ok, we've made a bit of a breakthrough.... now let's hit this a bit more.

Step 1
Close any open browsers.
Close/disable all anti virus, firewall and anti malware programs so they do not interfere with the running of ComboFix:

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text and pressing Ctrl+C

File::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\Documents and Settings\Owner\giha.exe
C:\d.exe
C:\p2hhr.bat
C:\rssnel.exe
C:\xvyr.exe
C:\Documents and Settings\Owner\g88.exe
C:\Documents and Settings\Owner\gside.exe
C:\WINDOWS\acaprirA.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\liakhgki.dll
C:\WINDOWS\system32\dgfgql.exe
C:\WINDOWS\system32\{3d37944e-eb60-4228-179a-3fb4647c7afd}.dll
C:\WINDOWS\system32\drivers\mouclasss.sys
C:\WINDOWS\system32\nexkaqf.sys

Folder::
C:\Program Files\Netcom3 Cleaner

Driver::
mouclasss
nexkaqf
Netcom3

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\acaprira]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM4794470a]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NJv7jy]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spa_start]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spyclean]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Owner\\giha.exe"=-

Go to the Notepad window and click Edit >> Paste
Then click File >> Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

The main ComboFix.exe program should be on your Desktop
Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon
as below.
Posted Image

Now please wait for ComboFix to finish running.

Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash

Step 2
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u6...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
Step 3
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan": select My Computer
  • This program will now start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report as button: (see below)
    Posted Image
  • In the Save as... prompt, select Desktop
  • In the File name box, name the file KasScan-ddmmyy (or similar)
  • In the Save as type prompt, select Text file (see below)

    Posted Image
  • Copy and paste that information in your next post.
Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and to speed up scan time.

In your next reply, please submit:
New ComboFix.txt
Kaspersky scan report
and a new Hjt Log

Thanks.
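As an added example (not code from this post, nor ComboFix's own), a small Python checker that parses a CFScript in the format given in Step 1 above and lists every File/Folder/Driver target that has no supporting line in the ComboFix log, so a removal script can be reviewed against the evidence before it is run. The log excerpt and trimmed script are constructed from lines in this thread, and the Registry:: semantics are taken from .reg-file conventions.

```python
import re
SECTIONS = ("File", "Folder", "Driver", "Registry")
# Constructed excerpt of the ComboFix log posted above, used as the evidence set.
COMBOFIX_LOG = r"""S1 mouclasss;mouclasss;C:\WINDOWS\system32\drivers\mouclasss.sys []"""

# Constructed, trimmed CFScript in the post's format; C:\xvyr.exe has no
# supporting line in the excerpt, so the review step below flags it.
CFSCRIPT = r"""File::
C:\WINDOWS\system32\drivers\mouclasss.sys
C:\xvyr.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spyclean]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Owner\\giha.exe"=-
"""

def parse_cfscript(text):
    """Split a CFScript into {section: [entries]}, rejecting malformed input."""
    plan, current = {s: [] for s in SECTIONS}, None
    for line in filter(None, (l.strip() for l in text.splitlines())):  # skip blanks
        head = re.fullmatch(r"(\w+)::", line)
        if head and head.group(1) in SECTIONS:
            current = head.group(1)
        elif head or current is None:
            raise ValueError("unknown section or stray entry: " + line)
        else:
            plan[current].append(line)
    return plan

def registry_actions(entries):
    """Classify Registry:: lines by .reg conventions: [-KEY] deletes the key,
    [KEY] selects it, and "name"=- deletes that value under the selected key."""
    actions, key = [], None
    for e in entries:
        if e.startswith("[-") and e.endswith("]"):
            actions.append(("delete_key", e[2:-1]))
            key = None                      # values cannot follow a deleted key
        elif e.startswith("[") and e.endswith("]"):
            key = e[1:-1]
        else:
            m = re.fullmatch(r'"(.*)"=-', e)
            if not (m and key):
                raise ValueError("unsupported registry line: " + e)
            actions.append(("delete_value", key, m.group(1).replace("\\\\", "\\")))
    return actions

def unsupported_targets(plan, log_text):
    """File/Folder/Driver targets with no matching log line: review these first."""
    return [t for s in SECTIONS[:3] for t in plan[s] if t.lower() not in log_text.lower()]
```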



#13 dlandeen

dlandeen
  • Topic Starter

  • Members
  • 148 posts
  • Gender:Male
  • Location:29715

Posted 10 June 2008 - 10:16 AM

Good Morning....

I am at work.... when I get home I will run your instructions... I really want to thank you... I had tried everything...

Doug

#14 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 10 June 2008 - 02:31 PM

Hi dlandeen

I really want to thank you... I had tried everything...

It's no problem at all. That's what we are here for.
But thank you anyway.
Just post back when you have the time... I'll be waiting.



#15 dlandeen

dlandeen
  • Topic Starter

  • Members
  • 148 posts
  • Gender:Male
  • Location:29715

Posted 11 June 2008 - 06:42 AM

Hi Starbuck,

Update

I was able to run combofix as requested and update Java... I did not get the Kaspersky Online Scanner done because we had a terrible storm and I signed off just in time... The power went out so I will finish this evening.

Doug

Edited by dlandeen, 11 June 2008 - 06:43 AM.




