Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde, smitfraud, kill me, etc.


  • This topic is locked This topic is locked
13 replies to this topic

#1 jebzig

jebzig

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:25 PM

Posted 18 January 2009 - 10:48 PM

So, a few weeks ago I began to receive massive amounts of crippling pop-ups ads through Internet Explorer, which I never even use. I ran virtually every virus protection/removal program I could get my hands on until I quickly discovered that it was Virtumonde and Smitfraud that were causing all of the trouble, as they were the only viruses I couldn't remove and the problems still persist. I've run SpyBot on start-up as I read Virtumonde just renames itself even after deleted, or something, and I'm still having problems.

Windows Automatic Updates have been disabled by the virus(es), and even when "On", it still won't start up. I have to keep my computer's ethernet cord unplugged if I'm away because it will literally destroy my machine with massive amounts of pop-ups in a very small amount of time, even if I put the computer to sleep. I've tried everything I can and still no dice, so I'm turning to you fine gents. Below is my DDS log, and I can provide a Hijackthis log if necessary.


DDS (Ver_09-01-18.01) - NTFSx86
Run by Owner at 22:37:31.38 on Sun 01/18/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.196 [GMT -5:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\AirPort\APAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\My Documents\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://octonaut.com/
uWindow Title = Microsoft Internet Explorer presented by Comcast
mWindow Title = Microsoft Internet Explorer presented by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: {ae662c03-7b56-cee9-7514-af0f2420c2ee}: {ee2c0242-f0fa-4157-9eec-65b730c266ea} - c:\windows\system32\rhrwfu.dll
BHO: {faed61f5-fe57-4a4f-a3f5-6d1dda49ff93} - c:\windows\system32\ddcBQGYP.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
TB: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [SunKistEM] c:\program files\emachines bay reader\shwiconem.exe
mRun: [SM1BG] c:\windows\SM1BG.EXE
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0\bin\jusched.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer
mRun: [tgcmd] c:\program files\support.com\bin\tgcmd.exe /server /startmonitor /deaf
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\ssmmgr.exe /autorun
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\BigFix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: antispyexpert.com
Trusted Zone: imageservr.com
Trusted Zone: antispyexpert.com
Trusted Zone: imageservr.com
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {73259091-9574-4ED8-A40F-7F65AFC28634} - No File
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ddcBQGYP

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\norton antivirus\savrt.sys [2006-1-25 305288]
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton antivirus\savrtpel.sys [2006-1-25 37000]
R1 usbdd;usbdd;c:\windows\system32\drivers\usbdd.sys [2008-11-21 86272]
R3 CXAVSAUD;AVerMedia AVerTV AvStream Audio Capture;c:\windows\system32\drivers\A88AudBB.sys [2004-12-6 9216]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20060315.006\NAVENG.Sys [2006-3-15 77864]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20060315.006\NavEx15.Sys [2006-3-15 750952]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2003-11-10 255648]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2003-11-10 235168]
R4 CX88XBAR;AVerMedia AVerTV MPEG Crossbar (Dual-Input);c:\windows\system32\drivers\A88BarBB.sys [2004-12-6 10112]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R4 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton antivirus\NAVAPSVC.EXE [2003-11-24 158848]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2003-11-10 87712]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-12-1 40840]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-12-1 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-12-1 81288]
S3 SAVScan;SAVScan;c:\program files\norton antivirus\SAVSCAN.EXE [2003-11-7 194272]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-12-1 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-12-1 1079176]
S3 SM_sugo3_FUService;sugo3 Status Monitor Service;"c:\program files\samsung\samsung ml-2510 series\spanel\ssmsrvc /service --> c:\program files\samsung\samsung ml-2510 series\spanel\ssmsrvc [?]
S4 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2003-6-24 66784]

=============== Created Last 30 ================

2009-01-18 22:20 <DIR> --d----- c:\program files\Trend Micro

==================== Find3M ====================

2009-01-18 22:37 4,862 a--sh--- c:\windows\system32\PYGQBcdd.ini2
2008-12-21 15:37 37,634 a------- c:\docume~1\owner\applic~1\wklnhst.dat
2008-12-09 05:06 72,704 a------- c:\windows\system32\trdoxctr.dll
2008-12-09 05:04 129,024 a------- c:\windows\system32\uplbposx.dll
2008-12-09 05:04 129,024 a------- c:\windows\system32\rxvngx.dll
2008-12-01 22:57 129,024 a------- c:\windows\system32\ufyrnd.dll
2008-12-01 22:57 129,024 a------- c:\windows\system32\thuxfhcn.dll
2008-12-01 02:39 4,120 a------- c:\windows\system32\tmp.reg
2008-11-30 22:56 129,024 a------- c:\windows\system32\qoujxd.dll
2008-11-30 22:56 129,024 a------- c:\windows\system32\ijgibfag.dll
2008-11-29 17:58 82,944 a------- c:\windows\system32\o4Patch.exe
2008-11-29 17:58 82,944 a------- c:\windows\system32\IEDFix.C.exe
2008-11-23 22:16 129,024 a------- c:\windows\system32\bqmrvmnf.dll
2008-11-23 22:11 72,704 a------- c:\windows\system32\vwsyutrf.dll
2008-11-21 18:36 129,024 a------- c:\windows\system32\xkttchoa.dll
2008-11-21 18:36 129,024 a------- c:\windows\system32\mschxa.dll
2008-11-21 18:34 72,704 a------- c:\windows\system32\ahvnhpbi.dll
2008-11-21 18:33 318,464 a------- c:\windows\system32\ddcBQGYP.dll
2008-11-21 18:28 167,976 -------- c:\windows\system32\drivers\core.cache.dsk
2008-11-21 18:28 86,272 a------- c:\windows\system32\drivers\usbdd.sys
2008-10-24 21:06 86,811 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-09-24 19:47 361,056 a------- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2003-08-27 17:19 36,963 a----r-- c:\program files\common files\SM1updtr.dll
2006-01-25 20:36 2 a--sh--- c:\windows\system32\ping.com

============= FINISH: 22:38:18.85 ===============




I'm not really sure what else to do. I just want to get rid of this! Thank you in advance for your assistance.

Attached Files


Edited by jebzig, 18 January 2009 - 10:49 PM.


BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:25 AM

Posted 19 January 2009 - 03:13 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 jebzig

jebzig
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:25 PM

Posted 19 January 2009 - 07:02 AM

Hi, thanks for the quick reply. Here's the Combofix log as requested:

ComboFix 09-01-18.03 - Owner 2009-01-19 6:21:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.185 [GMT -5:00]
Running from: c:\documents and settings\Owner\My Documents\ComboFix.exe
AV: Norton AntiVirus *On-access scanning enabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\winupdates
c:\program files\winupdates\a.zip
c:\temp\FT62
c:\temp\FT62\teTU.log
c:\temp\tn3
c:\windows\IA
c:\windows\system32\404Fix.exe
c:\windows\system32\bszip.dll
c:\windows\system32\ddcBQGYP.dll
c:\windows\system32\dim
c:\windows\system32\dumphive.exe
c:\windows\system32\gp2
c:\windows\system32\ID2
c:\windows\system32\ID2\CRAFE913.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\mcrh.tmp
c:\windows\system32\mp
c:\windows\system32\o4Patch.exe
c:\windows\system32\ping.com
c:\windows\system32\Process.exe
c:\windows\system32\PYGQBcdd.ini
c:\windows\system32\PYGQBcdd.ini2
c:\windows\system32\rtcxodrt.ini
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\urwlpaxw.ini
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\system32\wtjxbjpf.ini
c:\windows\system32\x4
c:\windows\wiaserviv.log
D:\Autorun.inf
c:\windows\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.

2009-01-19 06:35 . 2009-01-19 06:35 <DIR> d-------- c:\temp\tn3
2009-01-18 22:20 . 2009-01-18 22:20 <DIR> d-------- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-19 11:33 167,976 ------w c:\windows\system32\drivers\core.cache.dsk
2009-01-19 03:06 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-21 20:37 37,634 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2008-12-01 20:40 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-01 20:38 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-01 20:26 --------- d-----w c:\program files\Spyware Doctor
2008-12-01 20:24 --------- d-----w c:\documents and settings\Owner\Application Data\PC Tools
2008-12-01 08:24 --------- d-----w c:\documents and settings\Owner\Application Data\BitTorrent
2008-12-01 07:39 --------- d-----w c:\program files\Google
2008-12-01 05:49 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-01 05:49 --------- d-----w c:\program files\Common Files\Filseclab
2008-12-01 04:40 --------- d-----w c:\program files\CONEXANT
2008-11-26 09:11 --------- d-----w c:\program files\Filseclab
2008-11-26 04:43 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-25 03:07 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-25 02:04 --------- d-----w c:\program files\Windows Live Safety Center
2008-11-24 16:13 --------- d-----w c:\program files\Coupons
2008-11-21 23:28 86,272 ----a-w c:\windows\system32\drivers\usbdd.sys
2008-09-25 00:47 361,056 ----a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2003-08-27 22:19 36,963 ----a-r c:\program files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 2321600]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"SunKistEM"="c:\program files\eMachines Bay Reader\shwiconem.exe" [2004-03-11 135168]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-10 344064]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0\bin\jusched.exe" [2005-01-31 36972]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 71328]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2006-02-09 100056]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2007-03-07 1773568]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-01-20 217088]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2008-05-20 737280]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 c:\windows\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-09-28 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-09-28 c:\windows\ALCWZRD.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Starcraft\\starcraft.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\GlobalSCAPE\\CuteFTP Professional\\ftpte.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.5.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.5.1.4449-to-1.6.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.6.0.4500-to-1.6.1-enUS-downloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.10.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Soulseek-Test\\slsk.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.10.2.5302-to-1.11.0.5428-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.11.1.5462-to-1.11.2.5464-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.11.2.5464-to-1.12.0.5595-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\zsnesw142\\zsnesw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour

R1 usbdd;usbdd;c:\windows\system32\drivers\usbdd.sys [2008-11-21 86272]
R3 CXAVSAUD;AVerMedia AVerTV AvStream Audio Capture;c:\windows\system32\drivers\A88AudBB.sys [2004-12-06 9216]
R4 CX88XBAR;AVerMedia AVerTV MPEG Crossbar (Dual-Input);c:\windows\system32\drivers\A88BarBB.sys [2004-12-06 10112]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-01 356920]
S3 SM_sugo3_FUService;sugo3 Status Monitor Service;"c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc /Service --> c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{72d6e79a-a980-11db-86d7-0011117504b5}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-01-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1365980041-3287494817-3361841902-1005.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 16:15]

2008-11-25 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Owner.job
- c:\progra~1\NORTON~1\Navw32.exe [2003-11-24 17:46]
.
- - - - ORPHANS REMOVED - - - -

BHO-{5F10DCC3-AB2B-4A7B-956B-C77586F26771} - c:\windows\system32\ddcBQGYP.dll
BHO-{ee2c0242-f0fa-4157-9eec-65b730c266ea} - c:\windows\system32\rhrwfu.dll
WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
HKLM-Run-Samsung PanelMgr - c:\windows\Samsung\PanelMgr\ssmmgr.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://octonaut.com/
mWindow Title = Microsoft Internet Explorer presented by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
Trusted Zone: *.antispyexpert.com
Trusted Zone: *.imageservr.com
Trusted Zone: *.antispyexpert.com
Trusted Zone: *.imageservr.com
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\b73jizgx.Default User\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.octonaut.com/
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-19 06:36:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SM_sugo3_FUService]
"ImagePath"="\"c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc /Service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1727FC36-5D3D-4896-9DEE-AFE8A6A530BF}\Version*Version]
"Version"=hex:ac,6b,4e,f9,2e,07,46,fc,be,30,0c,b0,01,30,18,29,be,30,0c,b0,01,
30,18,29,be,30,0c,b0,01,30,18,29,be,30,0c,b0,01,30,18,29,be,30,0c,b0,01,30,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Norton AntiVirus\NAVAPSVC.EXE
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\ati2evxx.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc.exe
c:\program files\BigFix\BigFix.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Norton AntiVirus\NAVStub.exe
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
.
**************************************************************************
.
Completion time: 2009-01-19 6:52:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-19 11:52:24

Pre-Run: 61,046,652,928 bytes free
Post-Run: 60,865,609,728 bytes free

239 --- E O F --- 2008-11-13 00:40:24

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:25 AM

Posted 19 January 2009 - 09:23 AM

Hi,

We have to give this another run..

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\windows\system32\drivers\core.cache.dsk
c:\windows\system32\drivers\usbdd.sys
Folder::
c:\temp\tn3
Driver::
usbdd
DDS::
Trusted Zone: *.antispyexpert.com
Trusted Zone: *.imageservr.com
Trusted Zone: *.antispyexpert.com
Trusted Zone: *.imageservr.com


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 jebzig

jebzig
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:25 PM

Posted 20 January 2009 - 12:48 AM

I did as you said, and here's what I got...


ComboFix 09-01-19.03 - Owner 2009-01-20 0:27:33.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.166 [GMT -5:00]
Running from: c:\documents and settings\Owner\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\drivers\core.cache.dsk
c:\windows\system32\drivers\usbdd.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\tn3
c:\windows\system32\drivers\core.cache.dsk
c:\windows\system32\drivers\usbdd.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_USBDD
-------\Service_usbdd


((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))
.

2009-01-18 22:20 . 2009-01-18 22:20 <DIR> d-------- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-20 05:08 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-21 20:37 37,634 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-01 20:40 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-01 20:38 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-01 20:26 --------- d-----w c:\program files\Spyware Doctor
2008-12-01 20:24 --------- d-----w c:\documents and settings\Owner\Application Data\PC Tools
2008-12-01 08:24 --------- d-----w c:\documents and settings\Owner\Application Data\BitTorrent
2008-12-01 07:39 --------- d-----w c:\program files\Google
2008-12-01 05:49 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-01 05:49 --------- d-----w c:\program files\Common Files\Filseclab
2008-12-01 04:40 --------- d-----w c:\program files\CONEXANT
2008-11-26 09:11 --------- d-----w c:\program files\Filseclab
2008-11-26 04:43 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-25 03:07 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-25 02:04 --------- d-----w c:\program files\Windows Live Safety Center
2008-11-24 16:13 --------- d-----w c:\program files\Coupons
2008-09-25 00:47 361,056 ----a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2003-08-27 22:19 36,963 ----a-r c:\program files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-19_ 6.44.49.82 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-23 12:36:14 286,720 -c----w c:\windows\system32\dllcache\gdi32.dll
- 2006-10-19 00:03:58 100,864 -c--a-w c:\windows\system32\dllcache\logagent.exe
+ 2008-06-18 06:09:22 100,864 -c--a-w c:\windows\system32\dllcache\logagent.exe
- 2008-08-20 05:30:53 3,067,904 -c--a-w c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-12 17:01:00 3,067,904 -c--a-w c:\windows\system32\dllcache\mshtml.dll
- 2008-04-14 10:42:02 1,306,624 -c--a-w c:\windows\system32\dllcache\msxml6.dll
+ 2008-09-10 01:14:56 1,307,648 -c--a-w c:\windows\system32\dllcache\msxml6.dll
- 2008-08-20 05:30:51 1,499,136 -c--a-w c:\windows\system32\dllcache\shdocvw.dll
+ 2008-10-16 01:00:10 1,499,136 -c--a-w c:\windows\system32\dllcache\shdocvw.dll
- 2008-09-08 10:41:42 333,824 -c--a-w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 10:57:09 333,952 -c--a-w c:\windows\system32\dllcache\srv.sys
- 2008-04-14 00:12:07 246,814 -c--a-w c:\windows\system32\dllcache\strmdll.dll
+ 2008-10-03 10:02:42 247,326 -c--a-w c:\windows\system32\dllcache\strmdll.dll
- 2008-08-20 05:30:52 619,520 -c--a-w c:\windows\system32\dllcache\urlmon.dll
+ 2008-10-16 01:00:11 619,520 -c--a-w c:\windows\system32\dllcache\urlmon.dll
- 2008-08-20 05:30:51 666,112 -c--a-w c:\windows\system32\dllcache\wininet.dll
+ 2008-10-16 01:00:11 666,112 -c--a-w c:\windows\system32\dllcache\wininet.dll
- 2006-10-19 01:47:20 937,984 -c--a-w c:\windows\system32\dllcache\WMNetMgr.dll
+ 2008-06-18 10:03:08 938,496 -c--a-w c:\windows\system32\dllcache\WMNetmgr.dll
- 2006-10-19 01:47:22 2,450,944 -c--a-w c:\windows\system32\dllcache\wmvcore.dll
+ 2008-06-18 10:03:14 2,458,112 -c--a-w c:\windows\system32\dllcache\WMVCore.dll
- 2008-04-14 00:11:54 285,184 ----a-w c:\windows\system32\gdi32.dll
+ 2008-10-23 12:36:14 286,720 ----a-w c:\windows\system32\gdi32.dll
- 2006-10-19 00:03:58 100,864 ----a-w c:\windows\system32\logagent.exe
+ 2008-06-18 06:09:22 100,864 ----a-w c:\windows\system32\logagent.exe
- 2008-11-04 00:10:25 17,318,336 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-09 22:35:30 20,853,704 ----a-w c:\windows\system32\MRT.exe
- 2008-08-20 05:30:53 3,067,904 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-12 17:01:00 3,067,904 ----a-w c:\windows\system32\mshtml.dll
- 2008-04-14 10:42:02 1,306,624 ----a-w c:\windows\system32\msxml6.dll
+ 2008-09-10 01:14:56 1,307,648 ----a-w c:\windows\system32\msxml6.dll
- 2008-08-20 05:30:51 1,499,136 ----a-w c:\windows\system32\shdocvw.dll
+ 2008-10-16 01:00:10 1,499,136 ----a-w c:\windows\system32\shdocvw.dll
- 2008-04-14 00:12:07 246,814 ----a-w c:\windows\system32\strmdll.dll
+ 2008-10-03 10:02:42 247,326 ----a-w c:\windows\system32\strmdll.dll
- 2008-04-14 00:12:38 60,416 ----a-w c:\windows\system32\tzchange.exe
+ 2008-10-23 10:06:59 62,976 ----a-w c:\windows\system32\tzchange.exe
- 2008-08-20 05:30:52 619,520 ----a-w c:\windows\system32\urlmon.dll
+ 2008-10-16 01:00:11 619,520 ----a-w c:\windows\system32\urlmon.dll
- 2008-08-20 05:30:51 666,112 ----a-w c:\windows\system32\wininet.dll
+ 2008-10-16 01:00:11 666,112 ----a-w c:\windows\system32\wininet.dll
- 2006-10-19 01:47:20 937,984 ----a-w c:\windows\system32\WMNetMgr.dll
+ 2008-06-18 10:03:08 938,496 ----a-w c:\windows\system32\WMNetmgr.dll
- 2006-10-19 01:47:22 2,450,944 ----a-w c:\windows\system32\wmvcore.dll
+ 2008-06-18 10:03:14 2,458,112 ----a-w c:\windows\system32\WMVCore.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 2321600]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"SunKistEM"="c:\program files\eMachines Bay Reader\shwiconem.exe" [2004-03-11 135168]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-10 344064]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0\bin\jusched.exe" [2005-01-31 36972]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 71328]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2006-02-09 100056]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2007-03-07 1773568]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-01-20 217088]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2008-05-20 737280]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 c:\windows\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-09-28 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-09-28 c:\windows\ALCWZRD.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-12-15 110592]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2004-12-06 1742384]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Starcraft\\starcraft.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\GlobalSCAPE\\CuteFTP Professional\\ftpte.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.5.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.5.1.4449-to-1.6.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.6.0.4500-to-1.6.1-enUS-downloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.10.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Soulseek-Test\\slsk.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.10.2.5302-to-1.11.0.5428-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.11.1.5462-to-1.11.2.5464-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.11.2.5464-to-1.12.0.5595-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\zsnesw142\\zsnesw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour

R3 CXAVSAUD;AVerMedia AVerTV AvStream Audio Capture;c:\windows\system32\drivers\A88AudBB.sys [2004-12-06 9216]
R4 CX88XBAR;AVerMedia AVerTV MPEG Crossbar (Dual-Input);c:\windows\system32\drivers\A88BarBB.sys [2004-12-06 10112]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-01 356920]
S3 SM_sugo3_FUService;sugo3 Status Monitor Service;"c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc /Service --> c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{72d6e79a-a980-11db-86d7-0011117504b5}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-01-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1365980041-3287494817-3361841902-1005.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 16:15]

2008-11-25 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Owner.job
- c:\progra~1\NORTON~1\Navw32.exe [2003-11-24 17:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://octonaut.com/
mWindow Title = Microsoft Internet Explorer presented by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
Trusted Zone: *.antispyexpert.com
Trusted Zone: *.imageservr.com
Trusted Zone: *.antispyexpert.com
Trusted Zone: *.imageservr.com
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\b73jizgx.Default User\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.octonaut.com/
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-20 00:35:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SM_sugo3_FUService]
"ImagePath"="\"c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc /Service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1727FC36-5D3D-4896-9DEE-AFE8A6A530BF}\Version*Version]
"Version"=hex:ac,6b,4e,f9,2e,07,46,fc,be,30,0c,b0,01,30,18,29,be,30,0c,b0,01,
30,18,29,be,30,0c,b0,01,30,18,29,be,30,0c,b0,01,30,18,29,be,30,0c,b0,01,30,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Norton AntiVirus\NAVAPSVC.EXE
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\ati2evxx.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-20 0:46:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-20 05:45:00
ComboFix2.txt 2009-01-19 11:52:30

Pre-Run: 60,716,404,736 bytes free
Post-Run: 60,698,460,160 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

263 --- E O F --- 2009-01-19 12:08:05

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:25 AM

Posted 20 January 2009 - 02:18 AM

Hi,

This looks OK again. Just a small registry fix we'll have to do, so...

Open notepad and copy and paste next present in the quotebox below in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\antispyexpert.com]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imageservr.com]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\antispyexpert.com]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imageservr.com]

Save this as fix.reg Choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Then,

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 11.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • Java™ 6 Update 5
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
Then * Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 jebzig

jebzig
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:25 PM

Posted 20 January 2009 - 06:27 AM

Well, that fixed everything, or so I thought...


Everything was running smoothly and back to normal until about 2 hours later when the computer completely shut down and rebooted, and this appeared:

"Windows XP could not start because the following file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SYSTEM

You can attempt to repair this file by starting Windows Setup using the original Setup CD-ROM.
Select 'r' at the first screen to start repair."

I put the CD in and did as it said but it keeps booting to this screen. Any ideas?

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:25 AM

Posted 20 January 2009 - 07:04 AM

Hi,

Everything was running smoothly and back to normal until about 2 hours later when the computer completely shut down and rebooted, and this appeared

Well, that's really strange how that could suddenly happen while everything was OK for 2 hours after my latest instructions.
I really don't see anything that could cause this. Malware was gone anyway, so the only causes that make sense is a power failure, file Corruption and faulty hardware, bad ram..... or a failing disk/drive.
Or you performed anything else in between, deleted something etc - for example Registry Cleaners could cause this as well. Because this is mainly a result from a corrupted registry.


Anyway... You actually don't really need your CD though. Because you mainly need it for the Recovery Console.
We have already installed the Recovery console, so normally, when you boot up your computer, at the beginning, you'll see the bootoptions.
One will say "Microsoft Windows Recovery Console" and the other one will say "Windows XP Media Center Edition".
You'll only see this for 2 seconds though and then it starts to boot normally (it won't in your case, since you'll get that error)
So, at that screen, select the first option for the recoveru console.

Then, in the recovery console, you can use commands to restore it..
See here how to deal with your problem:
http://support.microsoft.com/default.aspx?...kb;en-us;307545 - (this includes using the Recovery Console from the cd, but in your case, you already have it installed)


But before you do, try to run the command chkdsk /r from the Recovery console first.

If one of above solutions solved it, then check the following site to troubleshoot the cause: http://support.microsoft.com/default.aspx?...kb;en-us;822705

If the instructions via the recovery console didn't solve it, then I suggest you perform a Windows repair install. This won't delete your data though.
http://www.michaelstevenstech.com/XPrepairinstall.htm
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 jebzig

jebzig
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:25 PM

Posted 20 January 2009 - 07:16 AM

Okay, before I do any of this, is there something I should be aware of in terms of losing all of the data on my computer? I know my way around computers, but for something like this, I don't want to risk destroying anything or, in the worst case scenario, everything.

Thanks!

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:25 AM

Posted 20 January 2009 - 07:25 AM

Hi,

Only a format and reinstall will delete all your data. A repair install won't - although it shouldn't.
I don't know if you have a backup already... because I always recommend people to backup their data at least once a year. If you don't have a backup yet (and since you can't access the "damaged" computer now anyway) - you can use BartPe to back up files and transfer them to your D:\ or removable drive (if any).
See here how to use BartPe: http://www.nu2.nu/pebuilder/
You can build the boot cd from your working computer and then use it on the damaged computer.
It also contains command line options and you will even be able to browse to files / folders etc.. so you can also use this Bootcd to run the repair commands on)
But still, it is no guarantee that this will fix it. This all depends what the cause is. (failing drive / bad ram)
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 jebzig

jebzig
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:25 PM

Posted 20 January 2009 - 07:34 AM

I can't do anything. Before I can move the arrow keys up or down to select it, it jumps right into that error screen. Pressing any buttons doesn't do anything.

Any clue?

EDIT: Nevermind. Computer didn't recognize my USB keyboard. I'll let you know what happens.

Edited by jebzig, 20 January 2009 - 07:45 AM.


#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:25 AM

Posted 20 January 2009 - 07:49 AM

Ok, then it may be easier to use your CD.
You may need to change the boot order in the system BIOS so the CD boots before the hard drive. Check your system documentation for steps to access the BIOS and change the boot order. In most cases it's F2, del or escape. See here for instructions: http://www.michaelstevenstech.com/bios_manufacturer.htm

Edit

EDIT: Nevermind. Computer didn't recognize my USB keyboard. I'll let you know what happens.

Ok, so ignore above :thumbup2:

Edited by miekiemoes, 20 January 2009 - 07:49 AM.
Edited after I read other edit

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 jebzig

jebzig
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:25 PM

Posted 20 January 2009 - 08:04 AM

All right, so, I got into the Recovery Console, and I'm given two options:

1: H:\MiniNT
2: C:\WINDOWS

If I choose Windows, I'm given a blue screen with BAD_POOL_CALLER. It tells me to restart my computer if this is the first time I've ever seen it, and if it appears again, follow some steps.

I have no idea what's going on anymore.

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:25 AM

Posted 20 January 2009 - 08:25 AM

Hi,

This looks like a bad memory - bad ram issue.
Can you try to get to the recovery via the Windows CD? See if you get the same..
If not, then run the chkdsk /r from recovery console first.
Anyway, this looks like a common problem though - I've found a thread here with exactly the same scenario.

Since this is a hardware related issue, I suggest that you start a new thread in the hardware forum here. This because Hardware is not my expertise. They will guide you through the steps what you can do to fix it (if possible).
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users