What Do I Do After Using The Malwarebytes' Anti-malware To Scan The Pc?


This topic is locked
20 replies to this topic

#1 captaincrash


Posted 15 June 2008 - 09:01 AM

Hello, my PC got infected by spyware called system-defender.com. I used Google to search for a cure and came across a posting on your site.

After following the instructions shown on this site I downloaded Malwarebytes' Anti-Malware.

I used Malwarebytes' Anti-Malware to scan the PC, rebooted the PC and scanned it again with Malwarebytes' Anti-Malware.

That's where I stopped, as I did not know what to do with the log created by MBAM.

I am posting the mbam log below:

Malwarebytes' Anti-Malware 1.17
Database version: 856

17:05:32 15/06/2008
mbam-log-6-15-2008 (17-05-32).txt

Scan type: Quick Scan
Objects scanned: 36871
Time elapsed: 8 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 6
Registry Keys Infected: 18
Registry Values Infected: 7
Registry Data Items Infected: 2
Folders Infected: 6
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\fxculenw.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\iifecbxv.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\{1468f445-b90d-dca4-691e-b3979fcb7f03}.dll (Trojan.Agent) -> Unloaded module successfully.
C:\WINDOWS\system32\byXPFYPg.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\xkefqtgs.dll (Trojan.FakeAlert) -> Unloaded module successfully.
C:\WINDOWS\rtsplgob.dll (Trojan.FakeAlert) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d94fc65f-b3df-4161-b6b0-36d17a7e7b6b} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{d94fc65f-b3df-4161-b6b0-36d17a7e7b6b} (Trojan.Vundo) -> Delete on reboot.
\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adsonmedia (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2591ecc1-8b9a-7759-2552-9ce243214116} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2591ecc1-8b9a-7759-2552-9ce243214116} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Adsl Software Limited (Rogue.MalWarrior) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ba44cbc8-e16a-4f36-b066-4d75699e171d} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ba44cbc8-e16a-4f36-b066-4d75699e171d} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byxpfypg (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3eb2dbd3-c225-40a5-abfe-34a86ca86ee6} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4de15b3f-84ee-4f6f-ba12-b0ab8229c2f1} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\rtsplgob.bsmk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\rtsplgob.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo (Trojan.Fakealert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f00dddfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0\Source (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{ef8d27de-881b-bf7e-6f93-3f1eeee8ee5b} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{ba44cbc8-e16a-4f36-b066-4d75699e171d} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\xkefqtgs (Trojan.FakeAlert) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{4de15b3f-84ee-4f6f-ba12-b0ab8229c2f1} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\iifecbxv -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\iifecbxv -> Delete on reboot.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\BASE (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\DELETED (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\SAVED (Rogue.MalWarrior) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\fxculenw.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wnelucxf.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iifecbxv.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\vxbcefii.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vxbcefii.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\winpole32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080615095205343.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\{1468f445-b90d-dca4-691e-b3979fcb7f03}.dll-uninst.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\{1468f445-b90d-dca4-691e-b3979fcb7f03}.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\byXPFYPg.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\xkefqtgs.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\rtsplgob.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\pebgkxwq.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


After that I rebooted the PC and used Malwarebytes to scan the PC again.


The next log that I got was:

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{38d8b15b-393e-4606-96b2-9703ec52c0f3} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{551dac2f-0329-4a3b-b015-273958b83caf} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\iifecbxv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vxbcefii.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\{1468f445-b90d-dca4-691e-b3979fcb7f03}.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\byXPFYPg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\xkefqtgs.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\rtsplgob.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.



What do I do now?

Regards,

Aashish
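As an added illustration (not part of the original post, and not Malwarebytes' own code), here is a small Python parser for the MBAM 1.x log format shown above. It pulls the items out of each "... Infected:" section, reports whether any "Delete on reboot" entries make the reboot mandatory before a rescan, and diffs a first scan against the rescan so that deferred deletions that still show up on the rescan (as iifecbxv.dll and byXPFYPg.dll do in the two logs above) and quarantined files that were recreated stand out from the rest. The sample log text inside the block is constructed from a few lines of the posted logs; the bucket names in the report are this example's own.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section path family action")

# A section header such as "Files Infected:"; the summary lines near the top of
# an MBAM log ("Files Infected: 15") carry a count after the colon and do not match.
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# "<path> (<family>)": the part of an item line before its first " -> "
ITEM_RE = re.compile(r"^(?P<path>.+) \((?P<family>[^()]+)\)$")

# Constructed sample in the shape of the first posted MBAM log (scan before reboot).
FIRST_SCAN = r"""
Malwarebytes' Anti-Malware 1.17
Database version: 856
Files Infected: 5

Memory Modules Infected:
C:\WINDOWS\system32\fxculenw.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\iifecbxv.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f00dddfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\iifecbxv -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\fxculenw.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\iifecbxv.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\vxbcefii.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\byXPFYPg.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Temp\winpole32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# Constructed sample in the shape of the second posted log (rescan after the reboot).
SECOND_SCAN = r"""
Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{38d8b15b-393e-4606-96b2-9703ec52c0f3} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\iifecbxv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vxbcefii.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\byXPFYPg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
"""


def parse_mbam_log(text):
    """Return the Findings listed under each '... Infected:' section of an MBAM 1.x log."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section is None or " -> " not in line:
            continue  # banner, summary counts, blank, '(No malicious items detected)'
        parts = line.split(" -> ")
        item = ITEM_RE.match(parts[0])
        if not item:
            continue
        # The last arrow segment is the action; any middle segment ('Data: ...') is detail.
        action = parts[-1].rstrip(".")
        findings.append(Finding(section, item.group("path"), item.group("family"), action))
    return findings


def is_deferred(finding):
    """True for items MBAM could only schedule for removal at the next reboot."""
    return finding.action.lower().startswith("delete on reboot")


def needs_reboot(findings):
    return any(is_deferred(f) for f in findings)


def _key(finding):
    # Windows paths and registry paths are case-insensitive, so compare lowercased.
    return (finding.section, finding.path.lower())


def diff_scans(first, second):
    """Compare a pre-reboot scan with the rescan and bucket what changed."""
    deferred = {_key(f) for f in first if is_deferred(f)}
    removed = {_key(f) for f in first if not is_deferred(f)}
    seen_again = {_key(f) for f in second}
    return {
        # scheduled for deletion at reboot, yet still detected on the rescan
        "deferred_still_present": sorted(deferred & seen_again),
        # scheduled for deletion and not seen again: gone, but unconfirmed by MBAM
        "deferred_unverified": sorted(deferred - seen_again),
        # quarantined in the first scan and back on the rescan: something recreated it
        "recreated": sorted(removed & seen_again),
        "new_on_rescan": sorted(seen_again - deferred - removed),
    }


if __name__ == "__main__":
    first, second = parse_mbam_log(FIRST_SCAN), parse_mbam_log(SECOND_SCAN)
    print("reboot needed after first scan:", needs_reboot(first))
    for bucket, items in diff_scans(first, second).items():
        print(bucket, len(items))
        for section, path in items:
            print("   ", section, "|", path)
```

In the two posted logs the rescan still finds the "Delete on reboot" DLLs and a quarantined .ini that came back, which is exactly the signal that the infection was not fully removed and that the helper's next step (ComboFix) was warranted.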


#2 Thunder


Posted 15 June 2008 - 12:55 PM

Hello Aashish and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first (not for Windows Vista users !).
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you. (WinXP SP3 users, please download the appropriate SP2 file, Home or Pro, to install the RC)

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted, and make a difference

#3 captaincrash


Posted 16 June 2008 - 12:36 PM

Hello Thunder,

I followed your advice, went to the link suggested by you and downloaded ComboFix and the Windows XP Recovery Console.

This is where I stop understanding the instructions:

"Once the Microsoft file has finished downloading, you should drag it on top of the ComboFix icon and let your mouse button go.

ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper."

How do I know if I should or should not choose the Windows Recovery Console option when I start my computer?

Are they referring to you when they say helper?

What are the things I need to make sure of before proceeding further?

I thought I had better seek your advice before proceeding further, better safe than sorry :thumbsup:

Thanks again :)

#4 Thunder


Posted 16 June 2008 - 03:55 PM

Hello Aashish,

Installing the Recovery Console is just a safety precaution, and once installed you no longer need to be concerned about it,
except if you ever get into severe trouble.
Then the presence of the Recovery Console is a means for a qualified forum helper to do some repairs. :thumbsup:
Once installed, it'll show up at every boot for about two seconds as an additional boot option,
but if you do nothing, in other words if you do not specifically select that option, your system will start as always.

All you have to do is drag the file on ComboFix, which will install it automatically for you.
Just follow the prompts and when asked to continue by running ComboFix, select "Yes/Continue".
This will start the ComboFix run and produce a log at the end.
That's the log I'm interested in. :)

Greetings,
Thunder

#5 captaincrash


Posted 17 June 2008 - 07:22 AM

Hello Thunder

I dragged the Microsoft file onto the ComboFix icon and I got this message saying 'this machine already has a recovery system installed aborting programme'.

What do I do now?

#6 Thunder


Posted 17 June 2008 - 07:26 AM

Hello Aashish,

In that case you double click on the ComboFix.exe icon and run ComboFix. :thumbsup:

Greetings,
Thunder

#7 captaincrash


Posted 17 June 2008 - 07:42 AM

This is the log after running ComboFix:


ComboFix 08-06-16.2 - Owner 2008-06-17 18:00:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.73 [GMT 5.5:30]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\effnddxp.dll
C:\WINDOWS\system32\fxculenw.dll
C:\WINDOWS\system32\iAlmcoin.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 )))))))))))))))))))))))))))))))
.

2008-06-15 16:39 . 2008-06-15 16:39 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-15 16:38 . 2008-06-15 16:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-15 16:38 . 2008-06-15 16:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-15 16:38 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-15 16:38 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-15 08:44 . 2008-06-15 08:44 <DIR> d-------- C:\Program Files\Alwil Software
2008-06-14 17:59 . 2008-06-14 17:59 803 --a------ C:\WINDOWS\EReg072.dat
2008-06-14 17:55 . 2008-06-14 17:55 <DIR> d-------- C:\Program Files\Electronic Arts
2008-06-14 17:54 . 1998-05-01 13:39 299,008 --a------ C:\WINDOWS\uninst.exe
2008-06-13 23:11 . 2008-06-13 23:11 19,456 --a------ C:\WINDOWS\system32\4v37r8C1.dll
2008-06-10 19:03 . 2008-06-10 19:03 <DIR> d-------- C:\Documents and Settings\Owner\New Folder (3)
2008-06-10 19:03 . 2008-06-10 19:03 <DIR> d-------- C:\Documents and Settings\Owner\New Folder (2)
2008-06-10 19:03 . 2008-06-10 19:03 <DIR> d-------- C:\Documents and Settings\Owner\New Folder
2008-05-30 12:13 . 2008-05-30 12:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-05-30 12:12 . 2008-05-30 12:12 <DIR> d-------- C:\Program Files\Yahoo!
2008-05-30 12:12 . 2008-05-30 12:12 10,465,520 --a------ C:\ymsgr8uk.exe
2008-05-30 12:05 . 2008-06-11 17:15 <DIR> d-------- C:\Program Files\Total Video Converter
2008-05-30 12:00 . 2008-05-30 12:00 443,952 --a------ C:\msgr8uk.exe
2008-05-29 18:06 . 2002-12-12 00:34 208,896 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-29 17:25 . 2008-05-29 17:25 1,427,520 --a------ C:\Silverlight.exe
2008-05-29 17:24 . 2008-05-29 17:24 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-29 17:23 . 2008-05-29 17:23 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-05-29 17:23 . 2005-02-25 09:05 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-05-29 10:20 . 2004-07-02 03:38 361,984 --a--c--- C:\WINDOWS\system32\dllcache\qmgr.dll
2008-05-29 10:20 . 2004-07-02 03:38 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2008-05-29 10:20 . 2004-07-02 03:38 331,776 --a--c--- C:\WINDOWS\system32\dllcache\winhttp.dll
2008-05-29 10:20 . 2004-07-01 05:29 158,720 --------- C:\WINDOWS\system32\xpob2res.dll
2008-05-29 10:20 . 2004-07-02 03:38 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-05-29 10:20 . 2004-07-02 03:38 17,408 --a--c--- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-05-29 10:20 . 2004-07-02 03:38 7,680 -----c--- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-05-29 10:20 . 2004-07-02 03:38 7,680 --------- C:\WINDOWS\system32\bitsprx2.dll
2008-05-29 10:20 . 2004-07-02 03:38 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-05-29 10:20 . 2004-07-02 03:38 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2008-05-28 19:48 . 2008-05-28 19:48 23,047,784 --a------ C:\setupeng.exe
2008-05-28 18:04 . 2008-06-05 23:15 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-05-28 18:04 . 2008-05-28 18:04 <DIR> d-------- C:\WINDOWS\Profiles
2008-05-28 18:04 . 2008-05-28 18:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InterTrust
2008-05-28 17:28 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2008-05-28 17:28 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2008-05-28 17:28 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-05-28 17:28 . 2007-07-30 19:19 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2008-05-28 17:28 . 2004-08-03 14:03 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
2008-05-28 17:28 . 2004-08-03 14:01 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
2008-05-28 17:28 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2008-05-28 17:26 . 2008-05-28 17:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Motive
2008-05-28 17:23 . 2008-05-28 17:23 <DIR> d-------- C:\Compaq
2008-05-28 17:22 . 2008-05-28 18:04 37 --a------ C:\WINDOWS\Acroread.ini
2008-05-27 13:39 . 2002-08-29 01:32 21,760 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-05-27 13:14 . 2008-05-27 13:14 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-05-27 13:13 . 2008-05-28 18:04 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-05-27 12:32 . 2008-05-27 12:51 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Voip
2008-05-27 12:31 . 2008-05-27 12:31 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-05-27 12:31 . 2008-05-27 12:31 <DIR> d-------- C:\Program Files\SifyTalk
2008-05-27 12:13 . 2008-05-27 12:14 <DIR> d-------- C:\I386
2008-05-27 12:06 . 2008-06-15 17:08 <DIR> dr------- C:\Program Files
2008-05-27 12:06 . 2008-05-27 12:11 <DIR> dr------- C:\Documents and Settings\All Users\Documents
2008-05-27 12:04 . 2008-05-29 17:24 <DIR> dr-hsc--- C:\WINDOWS\system32\dllcache
2008-05-27 12:01 . 2003-09-24 10:58 3,440,660 --a------ C:\WINDOWS\system32\drivers\gm.dls
2008-05-27 11:26 . 2003-09-24 15:43 3,374,640 --a--c--- C:\WINDOWS\system32\dllcache\tourP.exe
2008-05-27 11:25 . 2003-09-24 23:58 2,178,131 --a--c--- C:\WINDOWS\system32\dllcache\shvlres.dll
2008-05-27 11:24 . 2003-09-24 17:51 13,107,200 --a------ C:\WINDOWS\system32\oembios.bin
2008-05-27 10:32 . 2008-06-15 12:18 <DIR> d-------- C:\WINDOWS\wt
2008-05-27 10:32 . 2008-05-27 10:32 <DIR> d-------- C:\WINDOWS\Sun
2008-05-27 00:01 . 2002-05-30 15:11 86,016 --------- C:\WINDOWS\UninstSatyam.exe
2008-05-27 00:00 . 2003-04-07 07:05 155,648 --a------ C:\WINDOWS\system32\igfxres.dll
2008-05-27 00:00 . 2003-02-15 14:19 81,920 --a------ C:\WINDOWS\UninstallInstall.exe
2008-05-26 23:59 . 2008-05-26 23:59 3,734 -rahs---- C:\WINDOWS\system32\drivers\HP_DT382A-ACJ S6150IN IN410_YC_Pres_QINI402_E41INheREG3_4_IGamila Giovani Neon series_SMICRO-STAR INTERNATIONAL CO., LTD_V030_B3.05_T031125_WXH1_L409_M248_J40_7Intel_8Pentium 4_92.6_111063044_N10EC8139_P_Z14F12F00_K.MRK
2008-05-26 23:58 . 2003-10-21 19:41 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2008-05-26 23:58 . 2003-10-21 21:17 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec
2008-05-26 23:58 . 2003-10-21 19:30 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Sonic
2008-05-26 23:58 . 2003-10-21 20:21 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\SampleView
2008-05-26 23:56 . 2008-05-26 23:56 <DIR> d-------- C:\Program Files\ArcSoft
2008-05-26 23:56 . 1995-07-31 13:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2008-05-26 23:55 . 2002-08-29 01:09 62,976 --a------ C:\WINDOWS\system32\drivers\pci.sys
2008-05-26 23:54 . 2002-08-29 02:06 51,072 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
2008-05-26 23:54 . 2001-08-17 13:58 35,840 --a------ C:\WINDOWS\system32\drivers\isapnp.sys
2008-05-26 23:54 . 2002-08-29 01:27 23,424 --a------ C:\WINDOWS\system32\drivers\kbdclass.sys
2008-05-26 23:53 . 2003-10-21 19:41 <DIR> d-------- C:\Documents and Settings\Default User\WINDOWS
2008-05-26 23:49 . 2008-06-17 18:03 182 --a------ C:\WINDOWS\system\hpsysdrv.DAT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-15 06:47 --------- d-----w C:\Program Files\WildTangent
2008-05-28 11:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-27 05:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7C3EEFC-96AD-4A86-B0E1-3E298BB95ECD}]
C:\WINDOWS\kvsdpfeafbq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"Acme.PCHButton"="C:\PROGRA~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe" [2003-10-21 19:53 159744]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2003-09-25 00:32 208953]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2003-09-25 03:51 59392]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2003-09-24 23:27 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2003-09-24 23:27 455168]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 07:07 114688]
"CamMonitor"="c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 07:23 90112]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 02:55 483328]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 20:02 61440]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 08:01 110592]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-10-21 19:31 151597]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 21:42 212992]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-03 20:35 50176 C:\WINDOWS\ALCXMNTR.EXE]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-07-31 20:28 81920]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2003-06-17 18:13 118784]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-07-23 16:37 53248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"rnopbfgt"= {7E910036-4D54-40F1-9105-BA11ED1A4231} - C:\WINDOWS\rnopbfgt.dll [ ]

R1 aswSP;avast! Self Protection;C:\WINDOWS\System32\drivers\aswSP.sys [2008-05-16 04:50]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-12 13:37:16 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\System32\L2321PnW.exe
"2008-06-15 04:30:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\System32\L2321PnW.exe
"2008-06-15 05:30:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\System32\L2321PnW.exe
"2008-06-15 06:30:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\System32\L2321PnW.exe
"2008-06-15 07:30:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\System32\L2321PnW.exe
"2008-06-15 08:30:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\System32\L2321PnW.exe
"2008-06-15 09:30:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\System32\L2321PnW.exe
"2008-06-15 10:30:06 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\System32\L2321PnW.exe
"2008-06-15 11:30:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\System32\L2321PnW.exe
"2008-06-17 12:30:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\System32\L2321PnW.exe
"2008-06-14 19:30:02 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\System32\L2321PnW.exe
"2008-06-15 13:30:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\System32\L2321PnW.exe
"2008-06-15 14:30:44 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\System32\L2321PnW.exe
"2008-06-14 15:30:03 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\System32\L2321PnW.exe
"2008-06-16 16:30:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\System32\L2321PnW.exe
"2008-06-16 17:30:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\System32\L2321PnW.exe
"2008-06-14 19:01:11 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\System32\4a37v8G1.exe
"2008-06-14 19:30:10 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\System32\4a37v8G1.exe
"2008-06-13 17:41:44 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\System32\4a37v8G1.exe
"2008-06-13 17:41:44 C:\WINDOWS\Tasks\At28.job"
- C:\WINDOWS\System32\4a37v8G1.exe
"2008-06-13 17:41:44 C:\WINDOWS\Tasks\At29.job"
- C:\WINDOWS\System32\4a37v8G1.exe
"2008-06-12 13:37:16 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\System32\L2321PnW.exe
"2008-06-13 17:41:44 C:\WINDOWS\Tasks\At30.job"
- C:\WINDOWS\System32\4a37v8G1.exe
"2008-06-13 17:41:44 C:\WINDOWS\Tasks\At31.job"
- C:\WINDOWS\System32\4a37v8G1.exe
"2008-06-17 01:30:00 C:\WINDOWS\Tasks\At32.job"
- C:\WINDOWS\System32\4a37v8G1.exe
"2008-06-15 04:21:04 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\System32\4a37v8G1.exe
"2008-06-13 17:41:44 C:\WINDOWS\Tasks\At34.job"
- C:\WINDOWS\System32\4a37v8G1.exe
"2008-06-15 05:02:48 C:\WINDOWS\Tasks\At35.job"
- C:\WINDOWS\System32\4a37v8G1.exe
"2008-06-15 05:33:42 C:\WINDOWS\Tasks\At36.job"
- C:\WINDOWS\System32\4a37v8G1.exe
"2008-06-15 06:30:00 C:\WINDOWS\Tasks\At37.job"
- C:\WINDOWS\System32\4a37v8G1.exe
"2008-06-15 07:30:01 C:\WINDOWS\Tasks\At38.job"
- C:\WINDOWS\System32\4a37v8G1.exe
"2008-06-15 08:30:00 C:\WINDOWS\Tasks\At39.job"
- C:\WINDOWS\System32\4a37v8G1.exe
"2008-06-12 13:37:16 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\System32\L2321PnW.exe
"2008-06-15 09:30:00 C:\WINDOWS\Tasks\At40.job"
- C:\WINDOWS\System32\4a37v8G1.exe
"2008-06-15 10:30:07 C:\WINDOWS\Tasks\At41.job"
- C:\WINDOWS\System32\4a37v8G1.exe
"2008-06-15 11:30:00 C:\WINDOWS\Tasks\At42.job"
- C:\WINDOWS\System32\4a37v8G1.exe
"2008-06-17 12:30:00 C:\WINDOWS\Tasks\At43.job"
- C:\WINDOWS\System32\4a37v8G1.exe
"2008-06-15 13:30:00 C:\WINDOWS\Tasks\At44.job"
- C:\WINDOWS\System32\4a37v8G1.exe
"2008-06-15 14:31:25 C:\WINDOWS\Tasks\At45.job"
- C:\WINDOWS\System32\4a37v8G1.exe
"2008-06-14 15:30:11 C:\WINDOWS\Tasks\At46.job"
- C:\WINDOWS\System32\4a37v8G1.exe
"2008-06-16 16:30:00 C:\WINDOWS\Tasks\At47.job"
- C:\WINDOWS\System32\4a37v8G1.exe
"2008-06-16 17:30:00 C:\WINDOWS\Tasks\At48.job"
- C:\WINDOWS\System32\4a37v8G1.exe
"2008-06-12 13:37:16 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\System32\L2321PnW.exe
"2008-06-12 13:37:16 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\System32\L2321PnW.exe
"2008-06-12 13:37:16 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\System32\L2321PnW.exe
"2008-06-17 01:30:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\System32\L2321PnW.exe
"2008-06-15 02:30:02 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\System32\L2321PnW.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 18:03:50
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-06-17 18:07:13 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-06-17 12:37:07

Pre-Run: 24,450,441,216 bytes free
Post-Run: 24,421,797,888 bytes free

252 --- E O F --- 2008-05-29 11:54:49
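Added example, not ComboFix's code and not part of the thread: a Python triage helper for the "Contents of the 'Scheduled Tasks' folder" section of a ComboFix log like the one above. It pairs each quoted job line with the "- target" line that follows it, groups the jobs by the executable they launch, and flags, heuristically, a binary that several at-created AtN.job tasks run from System32 under a name mixing letters and digits, which is the pattern the posted log shows for L2321PnW.exe and 4a37v8G1.exe. The log excerpt inside the block is constructed from a subset of the posted log plus one made-up benign job for contrast; the naming heuristic and the min_jobs threshold are assumptions of this example, not ComboFix rules.

```python
import re
from collections import defaultdict

# '"<last run> <job path>"' line, as ComboFix prints it under the Scheduled Tasks heading
TASK_RE = re.compile(r'^"(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<job>.+\.job)"$')
# the indented "- <target>" line that follows each job
TARGET_RE = re.compile(r"^- (?P<target>.+)$")

# Constructed excerpt: a subset of the posted log's task entries plus one
# made-up benign job ("Nightly Backup.job") for contrast.
COMBOFIX_EXCERPT = r"""
.
Contents of the 'Scheduled Tasks' folder
"2008-06-12 13:37:16 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\System32\L2321PnW.exe
"2008-06-15 04:30:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\System32\L2321PnW.exe
"2008-06-15 05:30:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\System32\L2321PnW.exe
"2008-06-14 19:30:02 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\System32\L2321PnW.exe
"2008-06-14 19:01:11 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\System32\4a37v8G1.exe
"2008-06-14 19:30:10 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\System32\4a37v8G1.exe
"2008-06-13 17:41:44 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\System32\4a37v8G1.exe
"2008-06-10 09:00:00 C:\WINDOWS\Tasks\Nightly Backup.job"
- C:\Program Files\Backup Tool\backup.exe
.
**************************************************************************
"""


def parse_scheduled_tasks(log_text):
    """Return (job_path, last_run, target) triples from the Scheduled Tasks section."""
    tasks, in_section, pending = [], False, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_section = True
            continue
        if not in_section:
            continue
        if line == "." or line.startswith("*****"):
            break  # ComboFix closes the section with a lone '.' and a star rule
        job = TASK_RE.match(line)
        if job:
            pending = (job.group("job"), job.group("time"))
            continue
        target = TARGET_RE.match(line)
        if target and pending:
            tasks.append((pending[0], pending[1], target.group("target")))
            pending = None
    return tasks


def group_by_target(tasks):
    """Map each launched executable (lowercased) to the jobs that launch it."""
    groups = defaultdict(list)
    for job, _last_run, target in tasks:
        groups[target.lower()].append(job)
    return dict(groups)


def suspicious_targets(tasks, min_jobs=3):
    """Heuristic: many at-created AtN.job tasks all launching one letters+digits
    binary out of System32 (this example's rule, not a ComboFix rule)."""
    flagged = []
    for target, jobs in group_by_target(tasks).items():
        at_jobs = [j for j in jobs if re.search(r"\\at\d+\.job$", j, re.I)]
        basename = target.rsplit("\\", 1)[-1]
        mixed_name = bool(re.search(r"\d", basename)) and bool(re.search(r"[a-z]", basename))
        in_system32 = "\\system32\\" in target
        if len(at_jobs) >= min_jobs and in_system32 and mixed_name:
            flagged.append((target, len(at_jobs)))
    return sorted(flagged, key=lambda item: -item[1])


if __name__ == "__main__":
    parsed = parse_scheduled_tasks(COMBOFIX_EXCERPT)
    for target, count in suspicious_targets(parsed):
        print(f"{count} at-created jobs launch {target}")
```

On the full posted log the same grouping collapses 48 At*.job entries into just two targets, which is why the helper's follow-up script lists every At*.job file for removal together with the two executables they run.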

#8 captaincrash


Posted 17 June 2008 - 07:51 AM

I had forgotten to mention one thing: every time I would start my computer the My Documents folder would open on its own, and the background of the desktop, which was a blank dark blue, has turned white and all the icons look as if they have been selected.

After ComboFix rebooted the computer the My Documents folder did not open, but the desktop appears the same after returning to normal for a while.

#9 Thunder


Posted 17 June 2008 - 08:04 AM

Hello Aashish,

We're not there yet. :thumbsup:

Could you upload some files please?
Can you zip the folder C:\Qoobox using WinZip (or a similar program) to Qoobox.zip and upload the zipped file to:

http://www.bleepingcomputer.com/submit-malware.php?channel=9

How?
1. In the first window (Link to topic where this file was requested:) copy and paste this link: http://www.bleepingcomputer.com/forums/t/151546/possible-virtumonde-and-other-malware-infection/
2. In the second window (Browse to the file you want to submit:) browse to the Qoobox.zip file
3. Click the Send file button :)

Then, let's clean up some more:

Open Notepad - don't use any other texteditor than Notepad or the script will fail !
Copy/paste the bold, blue text below into an empty notepad window:http://www.bleepingcomputer.com/forums/t/152357/what-do-i-do-after-using-the-malwarebytes-anti-malware-to-scan-the-pc/
Collect::[9]
C:\WINDOWS\system32\4v37r8C1.dll
C:\WINDOWS\System32\L2321PnW.exe
C:\WINDOWS\System32\4a37v8G1.exe
File::
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7C3EEFC-96AD-4A86-B0E1-3E298BB95ECD}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"rnopbfgt"=-

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh HijackThis log.

When CF finishes running, the ComboFix log will open along with a message box -- do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open.
Simply follow the instructions to copy/paste/send the requested file [9]-Submit_Date_Time.zip.

Are you still having problems?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
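The CFScript in the post above is a plain-text instruction file for ComboFix, and the same layout shows up in every thread on this board. As an added example (not ComboFix's own code and not the poster's), here is a small Python parser that turns such a script into a remediation plan a helper can review before running it. It assumes only what the post shows: the section names Collect::, File:: and Registry::, regedit-style "[-KEY]" for deleting a key and "\"name\"=-" for deleting a value under the key selected by a preceding "[KEY]" line; the "[9]" after Collect:: is treated as an opaque tag, the sample below is a constructed abbreviation of the posted script, and parse_cfscript is a hypothetical helper.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: an abbreviated version of the CFScript posted above.
SAMPLE_CFSCRIPT = r"""Collect::[9]
C:\WINDOWS\system32\4v37r8C1.dll
C:\WINDOWS\System32\L2321PnW.exe
File::
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7C3EEFC-96AD-4A86-B0E1-3E298BB95ECD}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"rnopbfgt"=-
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::(\[\d+\])?\s*$")  # "File::" or "Collect::[9]"
KEY_RE = re.compile(r"^\[(-?)(HKEY_[^\]]+)\]$")            # "[KEY]" selects, "[-KEY]" deletes
VALUE_DELETE_RE = re.compile(r'^"([^"]+)"=-$')             # '"name"=-' deletes a value


@dataclass
class CFScriptPlan:
    """What the script asks ComboFix to do, grouped by action (hypothetical type)."""
    collect: List[str] = field(default_factory=list)        # files to quarantine and submit
    delete_files: List[str] = field(default_factory=list)   # files to delete outright
    delete_keys: List[str] = field(default_factory=list)    # registry keys to delete
    delete_values: List[Tuple[str, str]] = field(default_factory=list)  # (key, value name)
    collect_tag: Optional[str] = None                        # e.g. "[9]", kept verbatim


def parse_cfscript(text: str) -> CFScriptPlan:
    """Parse a CFScript into a plan; unknown sections or lines raise ValueError."""
    plan = CFScriptPlan()
    section = None
    current_key = None  # key selected by the last "[KEY]" line in Registry::
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1).lower()
            if section == "collect" and sec.group(2):
                plan.collect_tag = sec.group(2)
            current_key = None
            continue
        if section == "collect":
            plan.collect.append(line)
        elif section == "file":
            plan.delete_files.append(line)
        elif section == "registry":
            key = KEY_RE.match(line)
            if key:
                if key.group(1) == "-":          # "[-KEY]": delete the whole key
                    plan.delete_keys.append(key.group(2))
                    current_key = None
                else:                            # "[KEY]": select key for value lines
                    current_key = key.group(2)
                continue
            val = VALUE_DELETE_RE.match(line)
            if val and current_key:
                plan.delete_values.append((current_key, val.group(1)))
            else:
                raise ValueError(f"unrecognised Registry:: line: {line}")
        else:
            raise ValueError(f"line outside a known section: {line}")
    return plan
```

The ComboFix shorthand "\~" inside the BHO key path is kept verbatim, so the plan can be compared line by line against the "Other Deletions" section of the resulting log.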

#10 captaincrash

Posted 17 June 2008 - 08:31 AM

Got it done :thumbsup:
This is the log report, and the computer did not reboot.


ComboFix 08-06-16.2 - Owner 2008-06-17 18:56:09.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.76 [GMT 5.5:30]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\4v37r8C1.dll
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 )))))))))))))))))))))))))))))))
.

2008-06-17 18:49 . 2008-06-17 18:49 286,744 --a------ C:\QooBox.zip
2008-06-15 16:39 . 2008-06-15 16:39 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-15 16:38 . 2008-06-15 16:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-15 16:38 . 2008-06-15 16:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-15 16:38 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-15 16:38 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-15 08:44 . 2008-06-15 08:44 <DIR> d-------- C:\Program Files\Alwil Software
2008-06-14 17:59 . 2008-06-14 17:59 803 --a------ C:\WINDOWS\EReg072.dat
2008-06-14 17:55 . 2008-06-14 17:55 <DIR> d-------- C:\Program Files\Electronic Arts
2008-06-14 17:54 . 1998-05-01 13:39 299,008 --a------ C:\WINDOWS\uninst.exe
2008-06-10 19:03 . 2008-06-10 19:03 <DIR> d-------- C:\Documents and Settings\Owner\New Folder (3)
2008-06-10 19:03 . 2008-06-10 19:03 <DIR> d-------- C:\Documents and Settings\Owner\New Folder (2)
2008-06-10 19:03 . 2008-06-10 19:03 <DIR> d-------- C:\Documents and Settings\Owner\New Folder
2008-05-30 12:13 . 2008-05-30 12:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-05-30 12:12 . 2008-05-30 12:12 <DIR> d-------- C:\Program Files\Yahoo!
2008-05-30 12:12 . 2008-05-30 12:12 10,465,520 --a------ C:\ymsgr8uk.exe
2008-05-30 12:05 . 2008-06-11 17:15 <DIR> d-------- C:\Program Files\Total Video Converter
2008-05-30 12:00 . 2008-05-30 12:00 443,952 --a------ C:\msgr8uk.exe
2008-05-29 18:06 . 2002-12-12 00:34 208,896 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-29 17:25 . 2008-05-29 17:25 1,427,520 --a------ C:\Silverlight.exe
2008-05-29 17:24 . 2008-05-29 17:24 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-29 17:23 . 2008-05-29 17:23 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-05-29 17:23 . 2005-02-25 09:05 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-05-29 10:20 . 2004-07-02 03:38 361,984 --a--c--- C:\WINDOWS\system32\dllcache\qmgr.dll
2008-05-29 10:20 . 2004-07-02 03:38 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2008-05-29 10:20 . 2004-07-02 03:38 331,776 --a--c--- C:\WINDOWS\system32\dllcache\winhttp.dll
2008-05-29 10:20 . 2004-07-01 05:29 158,720 --------- C:\WINDOWS\system32\xpob2res.dll
2008-05-29 10:20 . 2004-07-02 03:38 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-05-29 10:20 . 2004-07-02 03:38 17,408 --a--c--- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-05-29 10:20 . 2004-07-02 03:38 7,680 -----c--- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-05-29 10:20 . 2004-07-02 03:38 7,680 --------- C:\WINDOWS\system32\bitsprx2.dll
2008-05-29 10:20 . 2004-07-02 03:38 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-05-29 10:20 . 2004-07-02 03:38 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2008-05-28 19:48 . 2008-05-28 19:48 23,047,784 --a------ C:\setupeng.exe
2008-05-28 18:04 . 2008-06-05 23:15 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-05-28 18:04 . 2008-05-28 18:04 <DIR> d-------- C:\WINDOWS\Profiles
2008-05-28 18:04 . 2008-05-28 18:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InterTrust
2008-05-28 17:28 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2008-05-28 17:28 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2008-05-28 17:28 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-05-28 17:28 . 2007-07-30 19:19 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2008-05-28 17:28 . 2004-08-03 14:03 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
2008-05-28 17:28 . 2004-08-03 14:01 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
2008-05-28 17:28 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2008-05-28 17:26 . 2008-05-28 17:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Motive
2008-05-28 17:23 . 2008-05-28 17:23 <DIR> d-------- C:\Compaq
2008-05-28 17:22 . 2008-05-28 18:04 37 --a------ C:\WINDOWS\Acroread.ini
2008-05-27 13:39 . 2002-08-29 01:32 21,760 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-05-27 13:14 . 2008-05-27 13:14 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-05-27 13:13 . 2008-05-28 18:04 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-05-27 12:32 . 2008-05-27 12:51 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Voip
2008-05-27 12:31 . 2008-05-27 12:31 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-05-27 12:31 . 2008-05-27 12:31 <DIR> d-------- C:\Program Files\SifyTalk
2008-05-27 12:13 . 2008-05-27 12:14 <DIR> d-------- C:\I386
2008-05-27 12:06 . 2008-06-15 17:08 <DIR> dr------- C:\Program Files
2008-05-27 12:06 . 2008-05-27 12:11 <DIR> dr------- C:\Documents and Settings\All Users\Documents
2008-05-27 12:04 . 2008-05-29 17:24 <DIR> dr-hsc--- C:\WINDOWS\system32\dllcache
2008-05-27 12:01 . 2003-09-24 10:58 3,440,660 --a------ C:\WINDOWS\system32\drivers\gm.dls
2008-05-27 11:26 . 2003-09-24 15:43 3,374,640 --a--c--- C:\WINDOWS\system32\dllcache\tourP.exe
2008-05-27 11:25 . 2003-09-24 23:58 2,178,131 --a--c--- C:\WINDOWS\system32\dllcache\shvlres.dll
2008-05-27 11:24 . 2003-09-24 17:51 13,107,200 --a------ C:\WINDOWS\system32\oembios.bin
2008-05-27 10:32 . 2008-06-15 12:18 <DIR> d-------- C:\WINDOWS\wt
2008-05-27 10:32 . 2008-05-27 10:32 <DIR> d-------- C:\WINDOWS\Sun
2008-05-27 00:01 . 2002-05-30 15:11 86,016 --------- C:\WINDOWS\UninstSatyam.exe
2008-05-27 00:00 . 2003-04-07 07:05 155,648 --a------ C:\WINDOWS\system32\igfxres.dll
2008-05-27 00:00 . 2003-02-15 14:19 81,920 --a------ C:\WINDOWS\UninstallInstall.exe
2008-05-26 23:59 . 2008-05-26 23:59 3,734 -rahs---- C:\WINDOWS\system32\drivers\HP_DT382A-ACJ S6150IN IN410_YC_Pres_QINI402_E41INheREG3_4_IGamila Giovani Neon series_SMICRO-STAR INTERNATIONAL CO., LTD_V030_B3.05_T031125_WXH1_L409_M248_J40_7Intel_8Pentium 4_92.6_111063044_N10EC8139_P_Z14F12F00_K.MRK
2008-05-26 23:58 . 2003-10-21 19:41 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2008-05-26 23:58 . 2003-10-21 21:17 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec
2008-05-26 23:58 . 2003-10-21 19:30 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Sonic
2008-05-26 23:58 . 2003-10-21 20:21 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\SampleView
2008-05-26 23:56 . 2008-05-26 23:56 <DIR> d-------- C:\Program Files\ArcSoft
2008-05-26 23:56 . 1995-07-31 13:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2008-05-26 23:55 . 2002-08-29 01:09 62,976 --a------ C:\WINDOWS\system32\drivers\pci.sys
2008-05-26 23:54 . 2002-08-29 02:06 51,072 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
2008-05-26 23:54 . 2001-08-17 13:58 35,840 --a------ C:\WINDOWS\system32\drivers\isapnp.sys
2008-05-26 23:54 . 2002-08-29 01:27 23,424 --a------ C:\WINDOWS\system32\drivers\kbdclass.sys
2008-05-26 23:53 . 2003-10-21 19:41 <DIR> d-------- C:\Documents and Settings\Default User\WINDOWS
2008-05-26 23:49 . 2008-06-17 18:03 182 --a------ C:\WINDOWS\system\hpsysdrv.DAT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-15 06:47 --------- d-----w C:\Program Files\WildTangent
2008-05-28 11:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-27 05:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"Acme.PCHButton"="C:\PROGRA~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe" [2003-10-21 19:53 159744]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2003-09-25 00:32 208953]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2003-09-25 03:51 59392]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2003-09-24 23:27 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2003-09-24 23:27 455168]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 07:07 114688]
"CamMonitor"="c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 07:23 90112]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 02:55 483328]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 20:02 61440]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 08:01 110592]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-10-21 19:31 151597]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 21:42 212992]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-03 20:35 50176 C:\WINDOWS\ALCXMNTR.EXE]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-07-31 20:28 81920]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2003-06-17 18:13 118784]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-07-23 16:37 53248]

R1 aswSP;avast! Self Protection;C:\WINDOWS\System32\drivers\aswSP.sys [2008-05-16 04:50]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 18:57:13
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-17 18:58:23
ComboFix-quarantined-files.txt 2008-06-17 13:28:20
ComboFix2.txt 2008-06-17 12:37:14

Pre-Run: 24,389,709,824 bytes free
Post-Run: 24,385,667,072 bytes free

237 --- E O F --- 2008-05-29 11:54:49

#11 captaincrash

Posted 17 June 2008 - 08:35 AM

I think I should restart the computer to know whether the problem is solved?

#12 captaincrash

Posted 17 June 2008 - 12:32 PM

:thumbsup:

Everything seems to be going well now!! Even My Documents has stopped opening on its own!!! :thumbup2:

Only the desktop is still the same; I even tried using some other desktop, but it doesn't work.

Thanks a million Thunder!! I don't know what I would do without your help, and thanks a zillion to this site and the idea behind it!!! :) 12 Thumbs up 4 all of u!! Will try to get as much donation as possible for you!

One more thing: is Spyware Terminator a reliable antispyware program to download and keep my computer safe? What should I do to keep it safe from viruses, spyware and other such pests??

#13 Thunder

Posted 18 June 2008 - 06:18 AM

Hello Aashish,

You can remove all used tools and folders created in the process.
To remove ComboFix:
Go to Start > Run, and copy and paste the next command in the field: ComboFix /u
Make sure there's a space between ComboFix and /u
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Can I see a fresh HijackThis log for final control please?

For reliable antispyware advice, please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#14 captaincrash

Posted 18 June 2008 - 07:27 AM

What's a final control?

#15 Thunder

Posted 18 June 2008 - 08:45 AM

Hello Aashish,

That's just to look for invalid or empty leftovers in your HijackThis log.

I like to send off everyone with a system that's as clean as possible. :thumbsup:

Greetings,
Thunder
Whatever happens, make believe it was intended to ...