Virus reappears on boot (in scanner and hjt)


This topic is locked. 11 replies to this topic.

#1 Preying to the Comp Gods

Posted 08 December 2008 - 11:26 PM

Hi how are you doing?

So far, in addition to following your steps, I've run a few scanners as well as HJT, and I cleared out a bunch of malware using HJT. I also went into msconfig and set a number of malicious things to not run on boot. My problem is that every time I restart my computer, the viruses that I previously removed seem to be reappearing in the scanner, and new DLLs and EXEs are found in HJT and in the msconfig startup list.

(I am aware the O20 in my HJT is malicious, but similar entries reappear on every boot.)

Also, some helpful entries from my spybot sd log:

Encountered and terminated Virtumonde.sdn in C:\WINDOWS\system32\~.exe!

Denied (based on user decision) value "wewujatama" (new data: "Rundll32.exe "C:\WINDOWS\system32\gesiwoha.dll",s") added in System Startup global entry!

Denied (based on user decision) value "40a3beb1" (new data: "rundll32.exe "C:\WINDOWS\system32\qvmqcokg.dll",b") added in System Startup global entry!

Denied (based on user blacklist) value "wewujatama" (new data: "Rundll32.exe "C:\WINDOWS\system32\barijatu.dll",s") added in System Startup global entry!

Denied (based on user decision) value "40a3beb1" (new data: "rundll32.exe "C:\WINDOWS\system32\yeuhcyca.dll",b") added in System Startup global entry!

Denied (based on user decision) value "40a3beb1" (new data: "rundll32.exe "C:\WINDOWS\system32\xvlclrdu.dll",b") added in System Startup global entry!

Denied (based on user decision) value "40a3beb1" (new data: "rundll32.exe "C:\WINDOWS\system32\loekowpf.dll",b") added in System Startup global entry!

Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\twext.exe,") changed in Winlogon!

Denied (based on user decision) value "40a3beb1" (new data: "rundll32.exe "C:\WINDOWS\system32\fjatkpqg.dll",b") added in System Startup global entry!

There are many more such entries; these are just the ones with DLLs attached.

There are also a number of entries like this:


Allowed (based on user decision) value "{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" (new data: "") deleted in Browser Helper Object!

Thanks,
John

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:25 PM, on 12/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.harmonyremote.tzo.com/easyzappe...wareVersion=3.4
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://customer.voodoopc.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jdk...ows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C070D0A-2393-4A8F-99F1-AC57BD4D07C4}: NameServer = 66.75.160.63,66.75.160.64
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C070D0A-2393-4A8F-99F1-AC57BD4D07C4}: NameServer = 66.75.160.63,66.75.160.64
O17 - HKLM\System\CS2\Services\Tcpip\..\{0C070D0A-2393-4A8F-99F1-AC57BD4D07C4}: NameServer = 66.75.160.63,66.75.160.64
O20 - AppInit_DLLs: C:\WINDOWS\system32\vufurajo.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4895 bytes

Edited by Preying to the Comp Gods, 08 December 2008 - 11:43 PM.

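As an added illustration (not part of the original post, and not code from Spybot, HijackThis or any other tool named in the thread): a small Python checker run over lines in the shape of the Spybot S&D and HijackThis entries quoted above. It flags the three persistence mechanisms visible in those logs: a Winlogon UserInit value with anything appended after the stock userinit.exe (the twext.exe hijack), a non-empty AppInit_DLLs value (the O20 entry), and a Run entry that launches rundll32.exe with a DLL that is not on an allowlist. The sample lines are constructed copies of the post's entries; the expected UserInit path and the two-entry allowlist are assumptions for this particular XP machine, not general rules.

```python
import re

# Constructed sample input: copies of the Spybot S&D and HijackThis lines
# quoted in the post above (the paths are the post's own).
SAMPLE_LINES = [
    r'Denied (based on user decision) value "wewujatama" (new data: "Rundll32.exe "C:\WINDOWS\system32\gesiwoha.dll",s") added in System Startup global entry!',
    r'Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\twext.exe,") changed in Winlogon!',
    r'F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,',
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
    r'O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit',
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"',
    r'O20 - AppInit_DLLs: C:\WINDOWS\system32\vufurajo.dll',
]

# Assumption for this XP machine: the stock logon value is userinit.exe
# alone; any additional path appended to it is run by Winlogon at every logon.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed allowlist of DLLs this box legitimately loads through rundll32
# at startup (the NVIDIA entries in the HJT log). Not a general list: a DLL
# that is not on it is reported for review, not declared malicious.
RUNDLL32_ALLOW = {"nvcpl.dll", "nvmctray.dll"}

# Spybot writes:  value "UserInit" (new data: "<value>")   HJT writes:  UserInit=<value>
USERINIT_RE = re.compile(r'UserInit(?:=|"\s*\(new data:\s*")([^"\r\n]*)', re.I)
# rundll32[.exe], then an optionally quoted DLL path, then ",entrypoint"
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)
APPINIT_RE = re.compile(r'AppInit_DLLs:\s*(\S.*)$', re.I)


def userinit_extras(value):
    """Return every path in a UserInit value other than the stock userinit.exe."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if p.lower() != EXPECTED_USERINIT]


def analyze(lines):
    """Run the three persistence checks over log lines; return a list of findings."""
    findings = []
    for line in lines:
        m = USERINIT_RE.search(line)
        if m:
            extras = userinit_extras(m.group(1))
            if extras:
                findings.append({"rule": "userinit_hijack", "detail": ";".join(extras), "line": line})
            continue
        m = APPINIT_RE.search(line)
        if m:
            # AppInit_DLLs is loaded into every process that links user32.dll,
            # so on a home machine a non-empty value is always worth a look.
            findings.append({"rule": "appinit_dlls", "detail": m.group(1).strip(), "line": line})
            continue
        m = RUNDLL_RE.search(line)
        if m:
            dll = m.group(1).rsplit("\\", 1)[-1].lower()
            if dll not in RUNDLL32_ALLOW:
                findings.append({"rule": "rundll32_unknown_dll", "detail": dll, "line": line})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LINES):
        print(f"{f['rule']:22} {f['detail']}")
```

On the live machine the same three values sit under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (UserInit), HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows (AppInit_DLLs) and the HKLM/HKCU Run keys, which is why entries removed only from msconfig or the Run key come back: the DLL loaded through UserInit or AppInit_DLLs is already running and re-creates them.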

#2 teacup61 (Malware Response Team)

Posted 09 December 2008 - 07:17 AM

Hello there,

Okay, let's get this thing then.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with the fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can reenable TeaTimer once your system is clean.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea

#3 Preying to the Comp Gods (Topic Starter)

Posted 09 December 2008 - 11:08 PM

Hi teacup,

So after renaming ComboFix, I got it working and it seems to have done its job.

Here are the logs.

ComboFix 08-12-09.02 - John 2008-12-09 21:46:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1731 [GMT -8:00]

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\John\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\All Users\Application Data\A00A8806.exe
c:\documents and settings\John\Application Data\NI.GSCNS
c:\documents and settings\John\Application Data\NI.GSCNS\dl.ini
c:\documents and settings\John\Application Data\NI.GSCNS\settings.ini
c:\documents and settings\John\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\temp\FT62
c:\temp\FT62\teTU.log
c:\temp\tn3
c:\windows\system32\acychuey.ini
c:\windows\system32\adrnln.bin
c:\windows\system32\barijatu.dll
c:\windows\system32\byXRkJaB.dll
c:\windows\system32\cbgadhbb.dll
c:\windows\system32\cbXRiiJb.dll
c:\windows\system32\dcxdgj.dll
c:\windows\system32\ddcbXqPi.dll
c:\windows\system32\dimnmhds.ini
c:\windows\system32\dPI19
c:\windows\system32\dPI19\dPI191065.exe
c:\windows\system32\drivers\mrxdavv.sys
c:\windows\system32\drivers\TDSSmhlt.sys
c:\windows\system32\efccddcb.dll
c:\windows\system32\efcDSMCr.dll
c:\windows\system32\fjatkpqg.dll
c:\windows\system32\fpwokeol.ini
c:\windows\system32\fsopmc.dll
c:\windows\system32\gcmmqc.dll
c:\windows\system32\girgqr.dll
c:\windows\system32\gkocqmvq.ini
c:\windows\system32\gqpktajf.ini
c:\windows\system32\hazagebi.dll
c:\windows\system32\idpihghi.dll
c:\windows\system32\ihghipdi.ini
c:\windows\system32\jspioo.dll
c:\windows\system32\k86.bin
c:\windows\system32\kwave.sys
c:\windows\system32\kxxqfxpj.dll
c:\windows\system32\lkqcomyc.dll
c:\windows\system32\loekowpf.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\mjxrenvu.ini
c:\windows\system32\mlJYsQhH.dll
c:\windows\system32\mt49hub.dll
c:\windows\system32\mtnvablu.ini
c:\windows\system32\MVDdLRqr.ini
c:\windows\system32\MVDdLRqr.ini2
c:\windows\system32\oluxip.dll
c:\windows\system32\opkushem.dll
c:\windows\system32\pac.txt
c:\windows\system32\pnxxzi.dll
c:\windows\system32\prunnet.exe
c:\windows\system32\qrbfjjtd.dll
c:\windows\system32\qvmqcokg.dll
c:\windows\system32\qxoslk.dll
c:\windows\system32\rqRLdDVM.dll
c:\windows\system32\sdhmnmid.dll
c:\windows\system32\TDSSciou.dll
c:\windows\system32\TDSSfpmp.dll
c:\windows\system32\TDSSliqs.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnrse.dll
c:\windows\system32\TDSSoeqh.dll
c:\windows\system32\TDSSosvn.dat
c:\windows\system32\TDSSsbhc.dll
c:\windows\system32\TDSSthym.log
c:\windows\system32\TDSStkdv.log
c:\windows\system32\tgcjklmj.dll
c:\windows\system32\tsbbra.dll
c:\windows\system32\twain_32
c:\windows\system32\twain_32\local.ds
c:\windows\system32\twain_32\user.ds
c:\windows\system32\twext.exe
c:\windows\system32\udrlclvx.ini
c:\windows\system32\ulbavntm.dll
c:\windows\system32\urqpqonM.dll
c:\windows\system32\urqqOHyV.dll
c:\windows\system32\uvnerxjm.dll
c:\windows\system32\vkheqg.dll
c:\windows\system32\vufurajo.dll
c:\windows\system32\wefaaidu.dll
c:\windows\system32\winpfz33.sys
c:\windows\system32\wlmibeab.dll
c:\windows\system32\wrjdogaara.dll
c:\windows\system32\wvUlliGa.dll
c:\windows\system32\wvUoPhef.dll
c:\windows\system32\xbfugyax.dll
c:\windows\system32\xuhaxfpc.dll
c:\windows\system32\xvlclrdu.dll
c:\windows\system32\yeuhcyca.dll
c:\windows\system32\zedomoje.dll
c:\windows\system32\zxdnt3d.cfg
c:\windows\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
-------\Legacy_MSVTCH
-------\Service_msvtch


((((((((((((((((((((((((( Files Created from 2008-11-10 to 2008-12-10 )))))))))))))))))))))))))))))))
.

2008-12-09 21:49 . 2008-12-09 21:49 <DIR> d-------- c:\temp\tn3
2008-12-09 21:37 . 2008-12-09 21:37 <DIR> d-------- C:\assdededg2
2008-12-09 20:37 . 2008-12-09 20:37 0 --a------ c:\windows\nsreg.dat
2008-12-08 22:48 . 2008-12-08 22:48 268 --ah----- C:\sqmdata01.sqm
2008-12-08 22:48 . 2008-12-08 22:48 244 --ah----- C:\sqmnoopt01.sqm
2008-12-08 22:41 . 2008-12-08 22:41 268 --ah----- C:\sqmdata00.sqm
2008-12-08 22:41 . 2008-12-08 22:41 244 --ah----- C:\sqmnoopt00.sqm
2008-12-06 16:15 . 2008-12-06 16:15 <DIR> d-------- c:\documents and settings\John\Application Data\AdobeUM
2008-12-01 20:59 . 2008-12-01 20:59 8,640 --a------ c:\windows\system32\msvtch.sys
2008-11-27 11:51 . 2008-12-09 19:49 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-27 11:51 . 2008-12-09 19:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-26 20:57 . 2008-11-26 20:57 <DIR> d-------- c:\program files\Trend Micro
2008-11-26 20:25 . 2008-11-21 20:15 401,408 --a------ c:\windows\system32\windc77.dll
2008-11-26 20:11 . 2008-11-26 20:11 <DIR> d-------- c:\windows\system32\xin
2008-11-26 20:11 . 2008-11-26 20:11 <DIR> d-------- c:\windows\system32\oca
2008-11-26 20:11 . 2008-11-26 20:11 <DIR> d-------- c:\windows\system32\jec
2008-11-26 20:11 . 2008-11-26 20:11 <DIR> d-------- c:\windows\system32\GN
2008-11-26 20:11 . 2008-11-26 20:11 <DIR> d-------- c:\windows\system32\DEC
2008-11-26 20:11 . 2008-11-26 20:11 <DIR> d-------- c:\windows\system32\AI
2008-11-26 20:11 . 2008-12-09 21:49 <DIR> d-------- C:\Temp
2008-11-26 20:11 . 2008-11-26 20:11 548,928 --a------ c:\windows\system32\qcntssdl.exe
2008-11-26 20:11 . 2008-11-26 20:11 153,362 --a------ c:\windows\system32\g47.exe
2008-11-26 20:11 . 2008-11-26 20:11 86,272 --a------ c:\windows\system32\drivers\arp13944.sys
2008-11-26 20:11 . 2008-12-09 21:48 932 --------- c:\windows\system32\drivers\core.cache.dsk
2008-11-17 21:00 . 2008-11-17 21:00 30 --a------ c:\windows\CTWave32.ini
2008-11-17 20:36 . 2008-11-17 20:48 72 --a------ c:\windows\sbwin.ini
2008-11-17 20:17 . 2008-11-17 20:40 <DIR> d-------- c:\documents and settings\John\Application Data\Smart Recorder
2008-11-13 19:48 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-13 19:48 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-10 03:49 --------- d-----w c:\program files\Viewpoint
2008-12-10 03:49 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-09 06:46 --------- d-----w c:\program files\MSN Messenger
2008-12-09 06:32 --------- d-----w c:\program files\World of Warcraft
2008-10-26 18:06 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2008-10-26 04:26 --------- d-----w c:\program files\Java
2008-10-25 22:18 --------- d--h--r c:\documents and settings\John\Application Data\SecuROM
2008-10-25 22:18 --------- d-----w c:\documents and settings\John\Application Data\SPORE
2008-10-25 22:07 --------- d-----w c:\program files\Electronic Arts
2008-10-25 22:06 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-25 17:49 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-10-25 17:48 --------- d-----w c:\program files\WoW
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 06:17 --------- d-----w c:\documents and settings\John\Application Data\LimeWire
2008-10-22 05:33 --------- d-----w c:\program files\LimeWire
2008-10-22 05:32 --------- d-----w c:\program files\Common Files\Java
2008-10-22 05:07 --------- d-----w c:\documents and settings\John\Application Data\CopyTrans
2008-10-22 05:06 --------- d-----w c:\documents and settings\John\Application Data\CopyTransControlCenter
2008-10-22 04:44 --------- d-----w c:\program files\Common Files\Download Manager
2008-10-22 04:44 --------- d-----w c:\documents and settings\John\Application Data\BSD
2008-10-22 04:44 --------- d-----w c:\documents and settings\All Users\Application Data\MediaWidget
2008-10-22 04:30 --------- d-----w c:\program files\Common Files\eSellerate
2008-10-22 04:06 --------- d-----w c:\program files\AIM6
2008-10-22 04:06 --------- d-----w c:\documents and settings\John\Application Data\acccore
2008-10-22 04:06 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-10-22 04:05 --------- d-----w c:\program files\Common Files\AOL
2008-10-22 04:05 --------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
2008-10-22 04:05 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-10-22 04:01 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-22 03:51 --------- d-----w c:\program files\Windows Media Connect 2
2008-10-22 03:49 --------- d-----w c:\program files\iTunes
2008-10-22 03:49 --------- d-----w c:\documents and settings\John\Application Data\Apple Computer
2008-10-22 03:49 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-22 03:48 --------- d-----w c:\program files\QuickTime
2008-10-22 03:48 --------- d-----w c:\program files\iPod
2008-10-22 03:48 --------- d-----w c:\program files\Common Files\Apple
2008-10-22 03:48 --------- d-----w c:\program files\Bonjour
2008-10-22 03:48 --------- d-----w c:\program files\Apple Software Update
2008-10-22 03:48 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-22 03:48 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-08-22 10:14 2,651,968 ----a-w c:\windows\inf\SET1EE.tmp
2004-10-01 23:00 40,960 ----a-w c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1528F9C6-3254-402A-A54A-119718C64BC0}"= "c:\windows\system32\windc77.dll" [2008-11-21 401408]

[HKEY_CLASSES_ROOT\clsid\{1528f9c6-3254-402a-a54a-119718c64bc0}]
[HKEY_CLASSES_ROOT\TypeLib\{3A8F8250-D07B-4248-A530-7F7B8F7252C4}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--------- 2005-07-08 07:25 1397760 c:\program files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 17:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=
"c:\\Program Files\\Common Files\\LightScribe\\LSSrvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:wow
"6112:TCP"= 6112:TCP:wow2

R1 arp13944;arp13944;c:\windows\system32\drivers\arp13944.sys [2008-11-26 86272]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-10-21 24652]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{640d9741-a7f5-11db-8f84-806d6172696f}]
\Shell\AutoRun\command - d:\autorun\Demo.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{0b2f4e96-696f-4ce0-81c1-b6b25ab81cbf} - c:\windows\system32\oluxip.dll
BHO-{2ABA4E76-A597-4D5C-93F6-D3AC6DA5202F} - (no file)
BHO-{5521DCAB-A857-4F64-8A11-CAB2FD336E75} - c:\windows\system32\rqRLdDVM.dll
BHO-{596DF76E-2E49-45A0-A089-CCA8B184C904} - (no file)
BHO-{6A34BA72-0D25-4418-B5E2-84E970C093D2} - (no file)
BHO-{73259091-9574-4ED8-A40F-7F65AFC28634} - c:\windows\system32\wvUoPhef.dll
BHO-{9088AC94-E890-4775-8F19-7DDC475763E1} - (no file)
BHO-{AC1AD4B0-3855-4014-A837-E6FC6214C605} - (no file)
BHO-{ACC3080F-5C0F-48DB-9DC4-AC990E010488} - (no file)
BHO-{bd9d5f67-ced5-4e99-92bf-05170bbdf6a7} - c:\windows\system32\hazagebi.dll
BHO-{CC0EE3F0-542E-41C9-A3C5-E1666F458854} - (no file)
BHO-{DC7006CF-500D-4FA7-BB03-062826E76CCE} - (no file)
BHO-{EBE26A9A-B6C9-4CD2-9409-8EDB53D6ABCB} - (no file)
HKCU-Run-Aim6 - (no file)
ShellExecuteHooks-{73259091-9574-4ED8-A40F-7F65AFC28634} - c:\windows\system32\wvUoPhef.dll
SafeBoot-msvtch.sys
MSConfigStartUp-{90BF8224-CD63-4081-A4C7-EF9A2CF6596F} - c:\documents and settings\All Users\Application Data\A00A8806.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.harmonyremote.tzo.com/easyzapper/WizardNewUser/NewUser_Start.asp?ClientSoftwareVersion=3.4
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
TCP: {0C070D0A-2393-4A8F-99F1-AC57BD4D07C4} = 66.75.160.63,66.75.160.64
FireFox -: Profile - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\wbo81ypn.default\
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 21:49:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-09 21:51:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-10 05:51:15

Pre-Run: 214,009,061,376 bytes free
Post-Run: 214,019,661,824 bytes free

295 --- E O F --- 2008-11-14 06:40:15





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:55 PM, on 12/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.harmonyremote.tzo.com/easyzappe...wareVersion=3.4
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O14 - IERESET.INF: START_PAGE_URL=http://customer.voodoopc.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jdk...ows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C070D0A-2393-4A8F-99F1-AC57BD4D07C4}: NameServer = 66.75.160.63,66.75.160.64
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C070D0A-2393-4A8F-99F1-AC57BD4D07C4}: NameServer = 66.75.160.63,66.75.160.64
O17 - HKLM\System\CS2\Services\Tcpip\..\{0C070D0A-2393-4A8F-99F1-AC57BD4D07C4}: NameServer = 66.75.160.63,66.75.160.64
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 3847 bytes

Edited by Preying to the Comp Gods, 10 December 2008 - 12:56 AM.


#4 teacup61 (Malware Response Team)

Posted 10 December 2008 - 07:58 AM

Hello,

Wow... you are one lucky dude. That is some really nasty stuff you have going on. Most of it was shaken loose, but some is still hanging in there:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

Folder::
c:\windows\system32\xin
c:\windows\system32\oca
c:\windows\system32\jec
c:\windows\system32\GN
c:\windows\system32\DEC
c:\windows\system32\AI
c:\temp\tn3
C:\assdededg2

File::
c:\windows\system32\windc77.dll
c:\windows\system32\qcntssdl.exe
c:\windows\system32\g47.exe
c:\windows\system32\drivers\arp13944.sys
c:\windows\system32\drivers\core.cache.dsk

Registry::
[-HKEY_CLASSES_ROOT\clsid\{1528f9c6-3254-402a-a54a-119718c64bc0}]
[-HKEY_CLASSES_ROOT\TypeLib\{3A8F8250-D07B-4248-A530-7F7B8F7252C4}]

Driver::
arp13944


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

How is it running now please?

Thanks,
tea
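As an added example (not part of the original reply, and not a ComboFix component): a Python helper that turns lines selected from a ComboFix log into a CFScript laid out the way the one above is, with Folder::, File::, Registry:: and Driver:: sections. The line shapes it recognises (the "<DIR>" and sized entries from the "Files Created" section, the "[HKEY_...]" loading-point keys, and the "R1 name;name;path.sys" driver entries) and the "[-KEY]" delete syntax are taken from the logs and script earlier in the thread. Two rules are inferred from the reply rather than documented anywhere on the page and are marked as assumptions in the code: a driver entry contributes both its service name under Driver:: and its .sys file under File::, and a bare registry key is written as [-KEY] for deletion. The sample lines are constructed copies of entries from the ComboFix log above; picking which lines are malicious remains the analyst's job, the script only formats them.

```python
import re

# Section headers, in the order used by the CFScript in the reply above.
SECTION_ORDER = ("Folder::", "File::", "Registry::", "Driver::")

# Constructed sample input: copies of lines from the ComboFix log posted earlier.
SAMPLE_COMBOFIX_LINES = [
    r"2008-11-26 20:11 . 2008-11-26 20:11 <DIR> d-------- c:\windows\system32\xin",
    r"2008-12-09 21:37 . 2008-12-09 21:37 <DIR> d-------- C:\assdededg2",
    r"2008-11-26 20:25 . 2008-11-21 20:15 401,408 --a------ c:\windows\system32\windc77.dll",
    r"2008-11-26 20:11 . 2008-12-09 21:48 932 --------- c:\windows\system32\drivers\core.cache.dsk",
    r"[HKEY_CLASSES_ROOT\clsid\{1528f9c6-3254-402a-a54a-119718c64bc0}]",
    r"R1 arp13944;arp13944;c:\windows\system32\drivers\arp13944.sys [2008-11-26 86272]",
]

# Line shapes as they appear in the ComboFix log above.
DIR_RE = re.compile(r"<DIR>\s+\S+\s+(.+?)\s*$")                       # "<DIR> d-------- <path>"
FILE_RE = re.compile(r"\d[\d,]*\s+\S+\s+([a-z]:\\.+?)\s*$", re.I)       # "<size> <attrs> <path>"
DRIVER_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;([a-z]:\\[^\[\]]+?\.sys)\b", re.I)  # "R1 svc;display;path.sys"
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$")                          # "[HKEY_...]"


def classify(lines):
    """Sort selected ComboFix log lines into the four CFScript sections."""
    buckets = {s: [] for s in SECTION_ORDER}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            buckets["Registry::"].append(m.group(1))
        elif m := DRIVER_RE.match(line):
            # Assumption taken from the reply above: the service is listed under
            # Driver:: and its .sys file is also listed under File::.
            buckets["Driver::"].append(m.group(1).strip())
            buckets["File::"].append(m.group(2))
        elif m := DIR_RE.search(line):
            buckets["Folder::"].append(m.group(1))
        elif m := FILE_RE.search(line):
            buckets["File::"].append(m.group(1))
        elif re.match(r"^[a-z]:\\", line, re.I):
            # A bare path: treat it as a file if it has an extension, else a folder.
            section = "File::" if re.search(r"\.\w{1,4}$", line) else "Folder::"
            buckets[section].append(line)
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    return buckets


def render(buckets):
    """Emit the CFScript text: one header per non-empty section, entries deduplicated."""
    out = []
    for section in SECTION_ORDER:
        items = list(dict.fromkeys(buckets[section]))
        if not items:
            continue
        if section == "Registry::":
            items = [f"[-{key}]" for key in items]  # "[-KEY]" deletes the key, as in the reply
        out.append(section)
        out.extend(items)
        out.append("")
    return "\n".join(out).rstrip("\n") + "\n"


CFSCRIPT = render(classify(SAMPLE_COMBOFIX_LINES))

if __name__ == "__main__":
    print(CFSCRIPT, end="")
```

Unrecognised lines raise rather than being dropped silently, so a mis-pasted line cannot vanish from the script unnoticed; the output is plain text meant to be saved from Notepad as CFScript, as the reply describes.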

#5 Preying to the Comp Gods (Topic Starter)

Posted 10 December 2008 - 09:58 PM

Hey,

Yeah, it is running a lot better.

Just letting you know I ran Ad-Aware, Spybot S&D, and AVG scans, and cleaned off a lot of malware.

Here are the logs:


HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:57:16 PM, on 12/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\UPHClean\uphclean.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.harmonyremote.tzo.com/easyzappe...wareVersion=3.4
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O14 - IERESET.INF: START_PAGE_URL=http://customer.voodoopc.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jdk...ows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C070D0A-2393-4A8F-99F1-AC57BD4D07C4}: NameServer = 66.75.160.63,66.75.160.64
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C070D0A-2393-4A8F-99F1-AC57BD4D07C4}: NameServer = 66.75.160.63,66.75.160.64
O17 - HKLM\System\CS2\Services\Tcpip\..\{0C070D0A-2393-4A8F-99F1-AC57BD4D07C4}: NameServer = 66.75.160.63,66.75.160.64
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4240 bytes





Combofix:

ComboFix 08-12-07.04 - John 2008-12-10 18:47:52.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1602 [GMT -8:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\John\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\drivers\arp13944.sys
c:\windows\system32\drivers\core.cache.dsk
c:\windows\system32\g47.exe
c:\windows\system32\qcntssdl.exe
c:\windows\system32\windc77.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\assdededg2
c:\assdededg2\023.dat
c:\assdededg2\023v.dat
c:\assdededg2\appinit.bad
c:\assdededg2\Assoc.cmd
c:\assdededg2\Attrib.cfexe
c:\assdededg2\badclsid
c:\assdededg2\Boot.bat
c:\assdededg2\BootSect
c:\assdededg2\C.bat
c:\assdededg2\catchme.cfexe
c:\assdededg2\CHCP.bat
c:\assdededg2\clsid.dat
c:\assdededg2\Combobatch.bat
c:\assdededg2\ComboFix-Download.exe
c:\assdededg2\Creg.dat
c:\assdededg2\CregC.cmd
c:\assdededg2\CregC.dat
c:\assdededg2\dd.cfexe
c:\assdededg2\ddsDo.sed
c:\assdededg2\DelClsid.bat
c:\assdededg2\DPF.sed
c:\assdededg2\DPF.str
c:\assdededg2\dumphive.cfexe
c:\assdededg2\embedded.sed
c:\assdededg2\ERDNT.e_e
c:\assdededg2\ERDNTDOS.LOC
c:\assdededg2\ERDNTWIN.LOC
c:\assdededg2\ERUNT.cfexe
c:\assdededg2\erunt.dat
c:\assdededg2\ERUNT.LOC
c:\assdededg2\Exe.reg
c:\assdededg2\executables.dat
c:\assdededg2\extract.cfexe
c:\assdededg2\fdsv.cfexe
c:\assdededg2\fi.cfexe
c:\assdededg2\Fin.dat
c:\assdededg2\FIND3M.bat
c:\assdededg2\FINDSTR.cfexe
c:\assdededg2\FIXLSP.bat
c:\assdededg2\ForeignWht
c:\assdededg2\FProps.vbs
c:\assdededg2\grep.cfexe
c:\assdededg2\gsar.cfexe
c:\assdededg2\handle.cfexe
c:\assdededg2\hidec.exe
c:\assdededg2\history.bat
c:\assdededg2\image001.gif
c:\assdededg2\katch.cmd
c:\assdededg2\kmd.dat
c:\assdededg2\Lang.bat
c:\assdededg2\List-C.bat
c:\assdededg2\lnkread.vbs
c:\assdededg2\LocalService.dat
c:\assdededg2\LocalServiceNetworkRestricted.dat
c:\assdededg2\LocalSystemNetworkRestricted.dat
c:\assdededg2\md5deep.cfexe
c:\assdededg2\moveex.cfexe
c:\assdededg2\MoveIt.bat
c:\assdededg2\mtee.cfexe
c:\assdededg2\mynul
c:\assdededg2\N_\11387
c:\assdededg2\N_\14955
c:\assdededg2\N_\18263
c:\assdededg2\N_\18271
c:\assdededg2\N_\22063
c:\assdededg2\N_\26751
c:\assdededg2\N_\30795
c:\assdededg2\N_\4999
c:\assdededg2\N_\8610
c:\assdededg2\ND_.bat
c:\assdededg2\ndis_combofix.dat
c:\assdededg2\netsvc.bad.dat
c:\assdededg2\netsvc.dat
c:\assdededg2\netsvc.vista.dat
c:\assdededg2\netsvc.xp.dat
c:\assdededg2\NetworkService.dat
c:\assdededg2\NirCmd.cfexe
c:\assdededg2\nircmd.com
c:\assdededg2\NirCmd.inf
c:\assdededg2\NirCmdC.cfexe
c:\assdededg2\NlsLanguageDefault
c:\assdededg2\NULL
c:\assdededg2\OSid.vbs
c:\assdededg2\OsVer
c:\assdededg2\Policies.dat
c:\assdededg2\Prep.cmd
c:\assdededg2\psexec.cfexe
c:\assdededg2\Purity.dat
c:\assdededg2\pv.cfexe
c:\assdededg2\RCLink
c:\assdededg2\RegDo.sed
c:\assdededg2\region.dat
c:\assdededg2\restore_pt.vbs
c:\assdededg2\RestoreO4.bat
c:\assdededg2\rogues.dat
c:\assdededg2\run2.sed
c:\assdededg2\safeboot.dat
c:\assdededg2\safeboot.def.dat
c:\assdededg2\safeboot.def.vista.dat
c:\assdededg2\SafeBootRepair.bat
c:\assdededg2\sed.cfexe
c:\assdededg2\setcsum.cfexe
c:\assdededg2\SetEnvmt.bat
c:\assdededg2\setpath.cfexe
c:\assdededg2\SF.cfexe
c:\assdededg2\sfx.cmd
c:\assdededg2\srizbi.md5
c:\assdededg2\svc_wht.dat
c:\assdededg2\SvcDrv.vbs
c:\assdededg2\svchost.dat
c:\assdededg2\svchost.vista.dat
c:\assdededg2\SWREG.cfexe
c:\assdededg2\swreg.exe
c:\assdededg2\swsc.cfexe
c:\assdededg2\swxcacls.cfexe
c:\assdededg2\system_ini.dat
c:\assdededg2\toolbar.sed
c:\assdededg2\unzip.cfexe
c:\assdededg2\vfind.cfexe
c:\assdededg2\whitedirB.dat
c:\assdededg2\WhiteLegacy.dat
c:\assdededg2\WRP.cfexe
c:\assdededg2\zDomain.dat
c:\assdededg2\zhsvc.dat
c:\assdededg2\zip.cfexe
c:\windows\system32\AI
c:\windows\system32\DEC
c:\windows\system32\GN
c:\windows\system32\jec
c:\windows\system32\oca
c:\windows\system32\xin

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ARP13944
-------\Service_arp13944


((((((((((((((((((((((((( Files Created from 2008-11-11 to 2008-12-11 )))))))))))))))))))))))))))))))
.

2008-12-09 23:05 . 2008-12-09 23:25 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-09 23:04 . 2008-12-10 18:40 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-09 23:04 . 2008-12-09 23:04 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-09 23:04 . 2008-12-09 23:04 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-09 23:04 . 2008-12-09 23:04 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-09 23:03 . 2008-12-09 23:03 <DIR> d-------- c:\program files\AVG
2008-12-09 23:03 . 2008-12-09 23:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-09 22:42 . 2008-12-09 22:42 <DIR> d-------- c:\program files\Lavasoft
2008-12-09 22:42 . 2008-12-09 22:42 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-09 22:42 . 2008-12-09 22:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-09 20:37 . 2008-12-09 20:37 0 --a------ c:\windows\nsreg.dat
2008-12-08 22:48 . 2008-12-08 22:48 268 --ah----- C:\sqmdata01.sqm
2008-12-08 22:48 . 2008-12-08 22:48 244 --ah----- C:\sqmnoopt01.sqm
2008-12-08 22:41 . 2008-12-08 22:41 268 --ah----- C:\sqmdata00.sqm
2008-12-08 22:41 . 2008-12-08 22:41 244 --ah----- C:\sqmnoopt00.sqm
2008-12-06 16:15 . 2008-12-06 16:15 <DIR> d-------- c:\documents and settings\John\Application Data\AdobeUM
2008-12-01 20:59 . 2008-12-01 20:59 8,640 --a------ c:\windows\system32\msvtch.sys
2008-11-27 11:51 . 2008-12-09 22:55 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-27 11:51 . 2008-12-09 23:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-26 20:57 . 2008-11-26 20:57 <DIR> d-------- c:\program files\Trend Micro
2008-11-26 20:11 . 2008-12-09 23:33 <DIR> d-------- C:\Temp
2008-11-17 21:00 . 2008-11-17 21:00 30 --a------ c:\windows\CTWave32.ini
2008-11-17 20:36 . 2008-11-17 20:48 72 --a------ c:\windows\sbwin.ini
2008-11-17 20:17 . 2008-11-17 20:40 <DIR> d-------- c:\documents and settings\John\Application Data\Smart Recorder
2008-11-13 19:48 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-13 19:48 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-10 03:49 --------- d-----w c:\program files\Viewpoint
2008-12-10 03:49 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-09 06:46 --------- d-----w c:\program files\MSN Messenger
2008-12-09 06:32 --------- d-----w c:\program files\World of Warcraft
2008-10-26 18:06 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2008-10-26 04:26 --------- d-----w c:\program files\Java
2008-10-25 22:18 --------- d--h--r c:\documents and settings\John\Application Data\SecuROM
2008-10-25 22:18 --------- d-----w c:\documents and settings\John\Application Data\SPORE
2008-10-25 22:07 --------- d-----w c:\program files\Electronic Arts
2008-10-25 22:06 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-25 17:49 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-10-25 17:48 --------- d-----w c:\program files\WoW
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 06:17 --------- d-----w c:\documents and settings\John\Application Data\LimeWire
2008-10-22 05:33 --------- d-----w c:\program files\LimeWire
2008-10-22 05:32 --------- d-----w c:\program files\Common Files\Java
2008-10-22 05:07 --------- d-----w c:\documents and settings\John\Application Data\CopyTrans
2008-10-22 05:06 --------- d-----w c:\documents and settings\John\Application Data\CopyTransControlCenter
2008-10-22 04:44 --------- d-----w c:\program files\Common Files\Download Manager
2008-10-22 04:44 --------- d-----w c:\documents and settings\John\Application Data\BSD
2008-10-22 04:44 --------- d-----w c:\documents and settings\All Users\Application Data\MediaWidget
2008-10-22 04:30 --------- d-----w c:\program files\Common Files\eSellerate
2008-10-22 04:06 --------- d-----w c:\program files\AIM6
2008-10-22 04:06 --------- d-----w c:\documents and settings\John\Application Data\acccore
2008-10-22 04:06 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-10-22 04:05 --------- d-----w c:\program files\Common Files\AOL
2008-10-22 04:05 --------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
2008-10-22 04:05 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-10-22 04:01 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-22 03:51 --------- d-----w c:\program files\Windows Media Connect 2
2008-10-22 03:49 --------- d-----w c:\program files\iTunes
2008-10-22 03:49 --------- d-----w c:\documents and settings\John\Application Data\Apple Computer
2008-10-22 03:49 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-22 03:48 --------- d-----w c:\program files\QuickTime
2008-10-22 03:48 --------- d-----w c:\program files\iPod
2008-10-22 03:48 --------- d-----w c:\program files\Common Files\Apple
2008-10-22 03:48 --------- d-----w c:\program files\Apple Software Update
2008-10-22 03:48 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-22 03:48 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2004-10-01 23:00 40,960 ----a-w c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-09 1261336]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--------- 2005-07-08 07:25 1397760 c:\program files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 17:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=
"c:\\Program Files\\Common Files\\LightScribe\\LSSrvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:wow
"6112:TCP"= 6112:TCP:wow2

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-09 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-09 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-09 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-09 76040]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-10-21 24652]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{640d9741-a7f5-11db-8f84-806d6172696f}]
\Shell\AutoRun\command - d:\autorun\Demo.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.harmonyremote.tzo.com/easyzapper/WizardNewUser/NewUser_Start.asp?ClientSoftwareVersion=3.4
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
TCP: {0C070D0A-2393-4A8F-99F1-AC57BD4D07C4} = 66.75.160.63,66.75.160.64
FireFox -: Profile - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\wbo81ypn.default\
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-10 18:50:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-10 18:51:51 - machine was rebooted [John]
ComboFix-quarantined-files.txt 2008-12-11 02:51:48
ComboFix2.txt 2008-12-10 07:37:36
ComboFix3.txt 2008-12-10 06:03:58
ComboFix4.txt 2008-12-10 05:51:18

Pre-Run: 213,249,593,344 bytes free
Post-Run: 213,235,654,656 bytes free

322 --- E O F --- 2008-12-10 07:27:11
Kick the computer

it's fun
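The logs in this post are the kind of thing a helper reads by eye. As an added example, not code from the post or from HijackThis, ComboFix or MBAM, here is a small triage pass over lines in those formats. It flags O4 Run entries that load a DLL from system32 through rundll32 under a random-looking name (the persistence pattern this thread was about), reports O17 NameServer entries for manual confirmation only, and flags the `"EnableFirewall"= 0` and `"UpdatesDisableNotify"=dword:00000001` lines that the ComboFix output above shows. The sample log lines, the rundll32 entry names and DLL names, the allowlist of known Run entries and the "random-looking name" heuristic are all constructed for this example.

```python
"""
Triage HijackThis / ComboFix log lines for Run-key rundll32 loaders and
weakened defences.  Added example, not code from the original post or from
either tool.  Sample lines, names, allowlist and the randomness heuristic
are constructed for this example.
"""
import re

# Constructed sample: two legitimate Run entries, two Vundo-style loaders
# with made-up names, an O17 resolver line and two ComboFix policy lines.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [wozakileb] Rundll32.exe "C:\WINDOWS\system32\puvoteka.dll",s
O4 - HKLM\..\Run: [7f3a91c2] rundll32.exe "C:\WINDOWS\system32\qxtmvbnd.dll",b
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C070D0A-2393-4A8F-99F1-AC57BD4D07C4}: NameServer = 66.75.160.63,66.75.160.64
"EnableFirewall"= 0 (0x0)
"UpdatesDisableNotify"=dword:00000001
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
RUNDLL_RE = re.compile(r'^rundll32(\.exe)?\s+"?([^",]+\.dll)"?', re.IGNORECASE)
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)")
RANDOM_ALPHA_RE = re.compile(r"^[a-z]{6,12}$")   # e.g. wozakileb
HEX_RE = re.compile(r"^[0-9a-f]{8}$")            # e.g. 7f3a91c2
KNOWN_RUN_NAMES = {"ctfmon.exe", "avg8_tray"}     # constructed allowlist


def looks_random(name):
    """Heuristic (assumption of this example): loaders of this family use
    short all-lowercase or 8-hex-digit Run value names."""
    return bool(RANDOM_ALPHA_RE.match(name) or HEX_RE.match(name))


def triage(log_text):
    """Return (severity, message) findings for the lines in log_text."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            r = RUNDLL_RE.match(cmd)
            if r and "system32" in r.group(2).lower() and looks_random(name):
                findings.append(("high", f"Run entry '{name}' loads {r.group(2)} via rundll32"))
            elif name.lower() not in KNOWN_RUN_NAMES and looks_random(name):
                findings.append(("medium", f"Run entry '{name}' has a random-looking name: {cmd}"))
            continue
        m = O17_RE.match(line)
        if m:
            # Not a verdict: changed resolvers are only suspicious if they are
            # not the ISP's, which the log alone cannot tell you.
            findings.append(("info", f"DNS servers set to {m.group('servers')}; confirm they belong to your ISP"))
            continue
        if re.match(r'^"EnableFirewall"\s*=\s*0\b', line):
            findings.append(("medium", "Windows Firewall is disabled for the standard profile"))
        elif re.match(r'^"UpdatesDisableNotify"\s*=\s*dword:0*1$', line):
            findings.append(("medium", "Security Center update notifications are suppressed"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

Paste a real HJT or ComboFix log into `triage()` and read the high findings first; the info lines are there to prompt a check, not to declare anything malicious.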

#6 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 10 December 2008 - 10:24 PM

Hello,

"Just letting you know I ran Ad-Aware, Spybot S&D, and AVG scans, and cleaned off a lot of malware."

Was this after you ran ComboFix? It was all likely in Qoobox or a quarantine if so. :thumbsup:

One more scan to be sure, after all that mess.

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Thanks,
tea

#7 Preying to the Comp Gods (Topic Starter, Members, 37 posts)

Posted 10 December 2008 - 11:04 PM

It was before my 2nd ComboFix.

Here are the logs:

Malwarebytes' Anti-Malware 1.31
Database version: 1486
Windows 5.1.2600 Service Pack 3

12/10/2008 7:57:59 PM
mbam-log-2008-12-10 (19-57-59).txt

Scan type: Quick Scan
Objects scanned: 50321
Time elapsed: 2 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\msvtch.sys (Trojan.Agent) -> Quarantined and deleted successfully.



hjt:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:04:09 PM, on 12/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.harmonyremote.tzo.com/easyzappe...wareVersion=3.4
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O14 - IERESET.INF: START_PAGE_URL=http://customer.voodoopc.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jdk...ows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C070D0A-2393-4A8F-99F1-AC57BD4D07C4}: NameServer = 66.75.160.63,66.75.160.64
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C070D0A-2393-4A8F-99F1-AC57BD4D07C4}: NameServer = 66.75.160.63,66.75.160.64
O17 - HKLM\System\CS2\Services\Tcpip\..\{0C070D0A-2393-4A8F-99F1-AC57BD4D07C4}: NameServer = 66.75.160.63,66.75.160.64
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4319 bytes



Edit: just scanned a second time and it came up clear.

Edited by Preying to the Comp Gods, 10 December 2008 - 11:08 PM.


#8 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 10 December 2008 - 11:19 PM

Hello,

That looks all right... you want to scan with Spybot before I give you the all clear? :thumbsup:

#9 Preying to the Comp Gods (Topic Starter, Members, 37 posts)

Posted 10 December 2008 - 11:20 PM

ALL CLEAR :thumbsup:

Just had one more question: how can I learn all this stuff?

Edited by Preying to the Comp Gods, 10 December 2008 - 11:31 PM.


#10 Preying to the Comp Gods (Topic Starter, Members, 37 posts)

Posted 10 December 2008 - 11:37 PM

Oh, and thanks again for your help! :thumbsup:

#11 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 12 December 2008 - 01:05 PM

Most excellent, and you're most welcome. :thumbsup:

There is a classroom right here at BC if you really want to learn how to do this. :) http://www.bleepingcomputer.com/forums/t/86678/malware-removal-training-program/

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

You should definitely maintain a firewall. Some good free firewalls are Kerio or Outpost. I use Comodo on my own system and really like it. http://comodo.com
A tutorial on understanding and using firewalls may be found here.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Take care!
tea

#12 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 15 December 2008 - 07:46 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



