Another Smitfraud Case


5 replies to this topic

#1 venderic

  • Members
  • 3 posts

Posted 08 June 2008 - 06:34 PM

I have no idea how she got it, but my wife's computer suddenly started with the funky background and constant messages common to this smitfraud stuff.

So I've done the following so far:
Installed the windows recovery console.
Run the combofix as described in the guide on this site.

It came back up working a bit better.
Ran CCleaner removing everything it could
Installed Avast, it was finding things every couple of seconds for a long time, deleted it all.
Ran counterspy scan

Ran SDFix

I'm concerned as it keeps trying to run a 2180.exe (or was it 2880?). CounterSpy caught this on the next boot and quarantined it.

So here is the current HijackThis log.
Is there anything left to do? Do I need to run combofix again to get a fresh log?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:32:38, on 6/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {0421BA83-D010-452C-9874-C8104C9BE062} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: gooochi browser optimizer - {9159d0a0-f39c-8f23-f733-4ddd231102df} - C:\WINDOWS\system32\{b665ed59-912d-d1a8-c2c2-2c161891103c}.dll
O2 - BHO: (no name) - {DC14BC6C-288F-0F56-AC38-78A2E3EC42C4} - (no file)
O2 - BHO: (no name) - {F6D388A8-6849-4E4E-95BF-D843410F73A3} - \C:\WINDOWS\system32\expo\mtcon66225.exe.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.09\RivaTuner.exe" /S
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [SBRegRebootCleaner] C:\Program Files\Sunbelt Software\CounterSpy\SBRC.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: http://www.nova.edu
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125953387510
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 5561 bytes
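A triage pass over HijackThis O2 (BHO) and O15 (Trusted Zone) entries of the kind shown in the log above. This is an added example, not code from the thread or from HijackThis; the sample lines are constructed from entries in the log, and the flagging rules (orphaned CLSID, unnamed BHO, GUID-named DLL, double extension, trusted-zone site) are a reviewer's assumptions, not HijackThis logic.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines modelled on the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0421BA83-D010-452C-9874-C8104C9BE062} - (no file)
O2 - BHO: gooochi browser optimizer - {9159d0a0-f39c-8f23-f733-4ddd231102df} - C:\WINDOWS\system32\{b665ed59-912d-d1a8-c2c2-2c161891103c}.dll
O2 - BHO: (no name) - {F6D388A8-6849-4E4E-95BF-D843410F73A3} - \C:\WINDOWS\system32\expo\mtcon66225.exe.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O15 - Trusted Zone: http://www.nova.edu
"""

# Registry-style CLSID: {8-4-4-4-12 hex digits}
GUID_RE = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + GUID_RE + r") - (?P<path>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<site>\S+)")


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def check_bho(name: str, path: str) -> list:
    """Return the review reasons (assumed heuristics) that apply to one O2 entry."""
    reasons = []
    # HijackThis prints "(no file)" or appends "(file missing)" when the DLL is gone.
    if path == "(no file)" or path.endswith("(file missing)"):
        reasons.append("orphaned CLSID: registration remains but the DLL is gone")
    if name == "(no name)":
        reasons.append("unnamed BHO")
    clean = path.replace("(file missing)", "").strip()
    base = clean.split("\\")[-1]
    # A DLL whose file name is itself a GUID is a common dropper naming pattern.
    if re.fullmatch(GUID_RE + r"\.dll", base):
        reasons.append("GUID-named DLL in a system directory")
    if re.search(r"\.exe\.dll$", base, re.IGNORECASE):
        reasons.append("double extension (.exe.dll)")
    return reasons


def triage(log_text: str) -> list:
    """Walk a HijackThis log and return only the entries that deserve a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BHO_RE.match(line)
        if m:
            reasons = check_bho(m.group("name"), m.group("path"))
        elif O15_RE.match(line):
            # Trusted Zone sites run with relaxed IE security; confirm each was added deliberately.
            reasons = ["Trusted Zone entry: verify the site was added on purpose"]
        else:
            reasons = []
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line[:70])
        for r in f.reasons:
            print("   -", r)
```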


#2 rookie147

  • Members
  • 5,321 posts

Posted 09 June 2008 - 03:42 AM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.

Do I need to run combofix again to get a fresh log?

Yes please, I'll take a look at the log to see if anything else is lurking that is currently not visible in your HijackThis log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 venderic

  • Topic Starter
  • Members
  • 3 posts

Posted 09 June 2008 - 07:49 AM

Ok, I've also since run about a dozen other scanners. Seems like each one finds something different, but the list is smaller each time.

The only thing I am noticing now is probably a leftover. Every time it boots into XP normally, it starts off trying to do an install called "setup"; it asks to insert the CD to complete the install. I have to kill it in Task Manager each time.

Here are the results from combofix when booted in safe mode. Looks like it ran clean this time (a lot faster too), no messages that it found anything.

ComboFix 08-06-08.2 - Administrator 2008-06-09 8:34:58.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3320 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\Microsoft\dtsc
C:\Documents and Settings\Administrator\Application Data\Microsoft\dtsc\s
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\ENCSC-Download.com.2.5.1040.0.exe
C:\WINDOWS\mainms.vpi
C:\WINDOWS\system32\MSINET.oca

Infected copy of C:\WINDOWS\system32\userinit.exe was found & disinfected
Restored copy from - C:\WINDOWS\ServicePackFiles\i386\userinit.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TNIDRIVER
-------\Service_TnIDriver


((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 )))))))))))))))))))))))))))))))
.

2008-06-08 21:43 . 2008-06-08 21:56 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-08 21:43 . 2008-06-08 21:43 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2008-06-08 21:43 . 2008-06-08 21:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-06-08 21:43 . 2008-06-08 21:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-08 21:41 . 2008-06-08 21:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-08 21:41 . 2008-06-08 21:41 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-06-08 21:41 . 2008-06-05 16:04 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-08 21:41 . 2008-06-05 16:04 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-08 19:53 . 2008-06-08 19:53 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-08 19:53 . 2008-06-08 19:53 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-06-08 19:30 . 2008-06-08 19:30 3,937,203 --a------ C:\WINDOWS\system32\SBSP.dat
2008-06-08 19:15 . 2008-06-08 19:15 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-08 19:12 . 2008-06-08 19:30 <DIR> d-------- C:\SDFix
2008-06-08 19:02 . 2008-06-08 19:30 322 --a------ C:\WINDOWS\system32\SBFC.dat
2008-06-08 18:48 . 2008-06-08 18:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-06-08 18:48 . 2008-06-08 18:48 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sunbelt Software
2008-06-08 18:29 . 2008-06-08 18:29 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2008-06-08 18:28 . 2008-06-08 18:33 <DIR> d-------- C:\Program Files\CCleaner
2008-06-08 18:27 . 2008-06-08 18:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-08 18:17 . 2008-06-08 18:17 369,284 --a------ C:\temp\ndcdll2.exe
2008-06-08 17:29 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-06-08 17:29 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-08 17:29 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-06-08 17:29 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-06-08 17:29 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-06-08 17:29 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-06-08 17:29 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-08 17:29 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-08 17:29 . 2008-06-08 17:29 2,988 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-08 15:15 . 2008-06-08 15:15 <DIR> d-------- C:\Program Files\Alwil Software
2008-06-08 15:05 . 2008-06-08 15:05 <DIR> d-------- C:\WINDOWS\system32\xrem
2008-06-08 15:05 . 2008-06-08 23:12 <DIR> d-------- C:\WINDOWS\system32\inet2
2008-06-08 15:05 . 2008-06-08 15:05 <DIR> d-------- C:\WINDOWS\system32\expo
2008-06-08 15:05 . 2008-06-08 18:17 <DIR> d-------- C:\WINDOWS\system32\btz
2008-06-08 15:05 . 2008-06-08 18:18 <DIR> d-------- C:\WINDOWS\system32\105772
2008-06-08 15:05 . 2008-06-08 15:05 <DIR> d-------- C:\Program Files\uTorrent
2008-05-25 21:45 . 2008-05-25 21:45 <DIR> d-------- C:\Program Files\RivaTuner v2.09
2008-05-25 09:38 . 2008-05-25 09:41 <DIR> d-------- C:\WINDOWS\NV27162720.TMP
2008-05-25 09:36 . 2008-05-25 09:41 <DIR> d-------- C:\WINDOWS\NV7481136.TMP
2008-05-25 09:36 . 2007-12-10 14:24 159,458 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-05-17 13:22 . 2008-05-17 13:22 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-17 13:22 . 2008-05-17 13:22 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-17 13:07 . 2008-06-08 21:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-08 22:28 --------- d-----w C:\Program Files\Yahoo!
2008-05-17 17:08 --------- d-----w C:\Program Files\Ventrilo
2008-05-14 16:41 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\media center programs
2008-05-04 14:38 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Funcom
2002-10-03 11:19 398,528 ----a-w C:\Program Files\Common Files\DCube.ocx
2002-04-19 19:15 61 ----a-w C:\Program Files\adobe photoshop 7.0 serial.txt
2001-12-01 01:07 266 --sh--w C:\Program Files\desktop.ini
2001-12-01 01:07 11,079 ---ha-w C:\Program Files\folder.htt
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((( snapshot@2008-06-08_18.09.26.78 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-08 22:00:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-09 12:39:56 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-08 06:22:14 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-06-08 23:15:49 4,542,464 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-06-08 23:15:49 102,400 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-06-08 06:22:14 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-06-08 23:15:48 4,542,464 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-06-08 23:15:48 102,400 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2008-06-09 01:43:31 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2008-06-09 01:43:31 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-06-09 01:43:31 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2003-02-21 11:16:08 49,152 ----a-w C:\WINDOWS\system32\REGTLIB.EXE
- 2001-06-26 17:28:38 397,856 ----a-w C:\WINDOWS\system32\XceedZip.dll
+ 2006-06-22 19:40:28 493,400 ----a-w C:\WINDOWS\system32\XceedZip.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0421BA83-D010-452C-9874-C8104C9BE062}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DC14BC6C-288F-0F56-AC38-78A2E3EC42C4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F6D388A8-6849-4E4E-95BF-D843410F73A3}]
\C:\WINDOWS\system32\expo\mtcon66225.exe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-08 21:56 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"RivaTunerStartupDaemon"="C:\Program Files\RivaTuner v2.09\RivaTuner.exe" [2008-04-28 14:25 2707456]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 19:19 79224]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2004-08-04 03:56 158208]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-06-08 21:56 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-06-08 21:56 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
-r------- 2006-11-16 21:05 1953792 C:\WINDOWS\system32\JMRaidSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneV]
--a------ 2007-01-04 17:05 24576 C:\Program Files\Gigabyte\ET5\ETcall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Installer]
C:\Documents and Settings\Administrator\Application Data\Microsoft\dtsc\2180.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule17]
C:\Program Files\QdrModule\QdrModule17.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{7bf0a64c-ca59-d95a-fb03-cef1ce1ada5a}]
C:\WINDOWS\system32\{b665ed59-912d-d1a8-c2c2-2c161891103c}.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"\\\\jason\\g\\downloads\\AoC-US-EarlyAccess.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

S1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 19:20]
S1 mspclockk;mspclockk;C:\WINDOWS\system32\drivers\mspclockk.sys []
S2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 19:16]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2007-06-23 15:40]
S3 PciCon;PciCon;D:\PciCon.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##jason#d]
\Shell\AutoRun\command - Z:\OblivionLauncher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##jasonlaptop#D]
\Shell\AutoRun\command - Z:\Installer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3c8d7a4-3d1d-11db-b1e2-005070264edb}]
\Shell\AutoRun\command - F:\Installer.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-09 08:40:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-09 8:47:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-09 12:47:34
ComboFix2.txt 2008-06-08 22:09:37

Pre-Run: 21,643,325,440 bytes free
Post-Run: 21,811,204,096 bytes free


#4 rookie147

  • Members
  • 5,321 posts

Posted 10 June 2008 - 02:00 PM

Sorry, what I meant was for you to run another scan with the programme and post the log it produces in your reply, as opposed to just simply supplying an old one.



#5 venderic

  • Topic Starter
  • Members
  • 3 posts

Posted 10 June 2008 - 06:33 PM

That is a new run of the combolog, the date on it was from yesterday, as opposed to the one I ran on Sunday originally.

#6 rookie147

  • Members
  • 5,321 posts

Posted 13 June 2008 - 04:58 AM

Sorry, my apologies, I misread the scan time and date on your log.
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
