
Help Me!


  • This topic is locked
7 replies to this topic

#1 Hampshire178

  • Members
  • 4 posts

Posted 26 January 2009 - 04:37 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:38:18 PM, on 1/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1225033844\ee\aolsoftware.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Minute-Man Press\My Documents\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=1607
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O2 - BHO: (no name) - {68841D76-760B-4BB6-A4BB-6493137B76A6} - (no file)
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: {ca6caea5-f4f9-0d9b-6004-bee887891bea} - {aeb19878-8eeb-4006-b9d0-9f4f5aeac6ac} - (no file)
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O2 - BHO: (no name) - {E0EA5A0A-96E2-4B60-8174-E0388F9D5C37} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Installer] C:\Documents and Settings\Minute-Man Press\Desktop\setup_241_3777_.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Cognac] C:\WINDOWS\TEMP\28.tmp.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDC Poker - {4f34c291-5837-4f45-ade1-da5502c69fef} - C:\Documents and Settings\Minute-Man Press\Start Menu\Programs\PDC Poker\PDC Poker.lnk (HKCU)
O9 - Extra button: Rasheed Jamal - {DAC360AF-9FD0-432D-B2F2-ED3220F4CAD9} - C:\Program Files\Free Download Manager\fdmcsbtn.dll (HKCU)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B4A60CA-9995-474E-8921-570A265C09C4}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{2B4A60CA-9995-474E-8921-570A265C09C4}: NameServer = 205.188.146.145
O20 - Winlogon Notify: efcBsQKA - efcBsQKA.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O24 - Desktop Component 0: (no name) - http://i165.photobucket.com/albums/u54/cle..._background.gif
O24 - Desktop Component 1: (no name) - http://lc.fdots.com/cc/lc/90/90f1456263ed4...e6bd69e8464.jpg
O24 - Desktop Component 2: (no name) - http://i165.photobucket.com/albums/u54/cle...as_tats_blk.jpg
O24 - Desktop Component 3: (no name) - http://i168.photobucket.com/albums/u175/BL...h20-20Color.gif
O24 - Desktop Component 4: (no name) - http://www.invertpaintball.com/ip/sites/al...en_1024x768.jpg


#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 27 January 2009 - 04:51 AM

Hi,

Your computer is not only slow, but also infected...

I understand that you need help in order to get rid of the malware that is present on your system - but you need to help us first.
I notice that you never scanned with an Antivirus before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.
Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirus scanner is not present, which should be able to deal with most of it and prevent further reinfection.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Hampshire178
  • Topic Starter

  • Members
  • 4 posts

Posted 28 January 2009 - 04:31 AM

Avira AntiVir Personal
Report file date: Wednesday, January 28, 2009 01:47

Scanning for 1038808 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: MINMPRESS-FEDX

Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 15:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 14:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 19:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 14:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 18:30:36
ANTIVIR1.VDF : 7.1.0.56 411136 Bytes 11/9/2008 23:57:13
ANTIVIR2.VDF : 7.1.0.89 221184 Bytes 11/16/2008 23:16:47
ANTIVIR3.VDF : 7.1.0.97 45056 Bytes 11/17/2008 23:38:59
Engineversion : 8.2.0.31
AEVDF.DLL : 8.1.0.6 102772 Bytes 10/14/2008 17:05:56
AESCRIPT.DLL : 8.1.1.15 332156 Bytes 11/11/2008 21:00:07
AESCN.DLL : 8.1.1.5 123251 Bytes 11/7/2008 22:06:41
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 20:58:38
AEPACK.DLL : 8.1.3.4 393591 Bytes 11/11/2008 16:41:39
AEOFFICE.DLL : 8.1.0.30 196986 Bytes 11/7/2008 22:06:41
AEHEUR.DLL : 8.1.0.71 1487222 Bytes 11/7/2008 22:06:41
AEHELP.DLL : 8.1.1.3 119157 Bytes 11/7/2008 22:06:41
AEGEN.DLL : 8.1.1.0 319859 Bytes 11/7/2008 22:06:41
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 17:05:56
AECORE.DLL : 8.1.4.1 172405 Bytes 11/7/2008 22:06:41
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 17:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 15:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 16:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 19:02:15
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 18:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 15:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 19:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 00:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 19:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 19:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 20:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 20:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Wednesday, January 28, 2009 01:47

The scan of running processes will be started
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'nSr4UJMX.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'aoltpsd3.exe' - '1' Module(s) have been scanned
Scan process 'shellmon.exe' - '1' Module(s) have been scanned
Scan process 'waol.exe' - '1' Module(s) have been scanned
Scan process 'aolsoftware.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'SNDSrvc.exe' - '1' Module(s) have been scanned
Scan process 'Crypserv.exe' - '1' Module(s) have been scanned
Scan process 'AOLacsd.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
28 processes with 28 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '47' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Minute-Man Press\Local Settings\Temp\ert54607.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '49f41025.qua'!
C:\Documents and Settings\Minute-Man Press\Local Settings\Temp\~tmpa.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '49ed1031.qua'!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
C:\WINDOWS\Temp\15.tmp
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '49ae220b.qua'!
C:\WINDOWS\Temp\15.tmp.exe
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
[NOTE] The file was moved to '49ae2210.qua'!
C:\WINDOWS\Temp\2C.tmp
[DETECTION] Is the TR/Downloader.Gen Trojan
[NOTE] The file was moved to '49ae2223.qua'!
C:\WINDOWS\Temp\2C.tmp.exe
[DETECTION] Is the TR/Downloader.Gen Trojan
[NOTE] The file was moved to '49ae2227.qua'!
C:\WINDOWS\Temp\6D.tmp
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '49ae2232.qua'!
C:\WINDOWS\Temp\6D.tmp.exe
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
[NOTE] The file was moved to '4b0de2f3.qua'!


End of the scan: Wednesday, January 28, 2009 03:14
Used time: 1:27:08 Hour(s)

The scan has been done completely.

3608 Scanning directories
103100 Files were scanned
8 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
8 files were moved to quarantine
0 files were renamed
3 Files cannot be scanned
103089 Files not concerned
837 Archives were scanned
3 Warnings
8 Notes

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:32:42 AM, on 1/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1225033844\ee\aolsoftware.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
c:\program files\avira\antivir personaledition classic\avcenter.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe
C:\Documents and Settings\Minute-Man Press\My Documents\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=1607
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O2 - BHO: (no name) - {68841D76-760B-4BB6-A4BB-6493137B76A6} - (no file)
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: {ca6caea5-f4f9-0d9b-6004-bee887891bea} - {aeb19878-8eeb-4006-b9d0-9f4f5aeac6ac} - (no file)
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O2 - BHO: (no name) - {E0EA5A0A-96E2-4B60-8174-E0388F9D5C37} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Installer] C:\Documents and Settings\Minute-Man Press\Desktop\setup_241_3777_.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Cognac] C:\WINDOWS\TEMP\28.tmp.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDC Poker - {4f34c291-5837-4f45-ade1-da5502c69fef} - C:\Documents and Settings\Minute-Man Press\Start Menu\Programs\PDC Poker\PDC Poker.lnk (HKCU)
O9 - Extra button: Rasheed Jamal - {DAC360AF-9FD0-432D-B2F2-ED3220F4CAD9} - C:\Program Files\Free Download Manager\fdmcsbtn.dll (HKCU)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B4A60CA-9995-474E-8921-570A265C09C4}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{2B4A60CA-9995-474E-8921-570A265C09C4}: NameServer = 205.188.146.145
O20 - Winlogon Notify: efcBsQKA - efcBsQKA.dll (file missing)
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O24 - Desktop Component 0: (no name) - http://i165.photobucket.com/albums/u54/cle..._background.gif
O24 - Desktop Component 1: (no name) - http://lc.fdots.com/cc/lc/90/90f1456263ed4...e6bd69e8464.jpg
O24 - Desktop Component 2: (no name) - http://i165.photobucket.com/albums/u54/cle...as_tats_blk.jpg
O24 - Desktop Component 3: (no name) - http://i168.photobucket.com/albums/u175/BL...h20-20Color.gif
O24 - Desktop Component 4: (no name) - http://www.invertpaintball.com/ip/sites/al...en_1024x768.jpg

--
End of file - 7644 bytes

#4 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 28 January 2009 - 05:33 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

#5 Hampshire178
  • Topic Starter

  • Members
  • 4 posts

Posted 29 January 2009 - 01:56 AM

ComboFix 09-01-21.04 - Minute-Man Press 2009-01-29 0:34:07.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.318.117 [GMT -6:00]
Running from: c:\documents and settings\Minute-Man Press\My Documents\Downloads\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Solt Lake Software
c:\windows\BMc77c1949.txt
c:\windows\BMc77c1949.xml
c:\windows\cookies.ini
c:\windows\pskt.ini
c:\windows\system32\GgiQtBeg.ini
c:\windows\system32\GgiQtBeg.ini2
c:\windows\system32\HOWvxyay.ini
c:\windows\system32\HOWvxyay.ini2
c:\windows\system32\HQstCcfe.ini
c:\windows\system32\HQstCcfe.ini2
c:\windows\system32\init.exe
c:\windows\system32\msxml71.dll
c:\windows\system32\nSr4UJMX.exe.a_a
c:\windows\system32\oXIRuBeg.ini
c:\windows\system32\oXIRuBeg.ini2
c:\windows\system32\PprqBcfe.ini
c:\windows\system32\PprqBcfe.ini2
c:\windows\system32\vtnrcltk.ini
c:\windows\system32\xtxdwcue.ini

.
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-29 )))))))))))))))))))))))))))))))
.

2009-01-29 00:05 . 2009-01-29 00:06 <DIR> d-------- C:\32788R22FWJFW
2009-01-28 01:33 . 2009-01-28 01:33 <DIR> d-------- c:\program files\Avira
2009-01-28 01:33 . 2009-01-28 01:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-01-27 11:20 . 2009-01-27 11:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\NCH Software
2009-01-27 03:11 . 2009-01-27 03:18 <DIR> d-------- c:\program files\Free FLV Converter
2009-01-27 03:11 . 2008-06-04 17:42 364,544 --a------ c:\windows\system32\PropertyGrid.ocx
2009-01-27 03:11 . 2008-12-24 08:02 274,432 --a------ c:\windows\system32\TubeFinder.exe
2009-01-27 03:11 . 2008-06-04 17:42 208,500 --a------ c:\windows\system32\ReyXpBasics.tlb
2009-01-27 03:11 . 2008-06-04 17:42 84,512 --a------ c:\windows\system32\PICCLP32.OCX
2009-01-27 03:11 . 2008-06-04 17:42 24,576 --a------ c:\windows\system32\ControlSubX.ocx
2009-01-27 03:11 . 2008-06-04 17:42 9,728 --a------ c:\windows\system32\PCCLPFR.DLL
2009-01-18 05:19 . 2009-01-20 07:04 73,728 --a------ c:\windows\system32\nSr4UJMX.exe
2008-12-31 19:27 . 2008-12-31 19:27 <DIR> d-------- c:\program files\BearShare Pro
2008-12-31 19:27 . 2009-01-28 15:10 <DIR> d-------- C:\!Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-28 07:35 --------- d-----w c:\documents and settings\Minute-Man Press\Application Data\Free Download Manager
2009-01-21 08:40 --------- d-----w c:\program files\GetFLV
2009-01-10 19:40 --------- d-----w c:\documents and settings\Minute-Man Press\Application Data\DNA
2008-12-30 19:44 --------- d-----w c:\program files\Zultrax P2P
2008-12-26 05:50 --------- d-----w c:\documents and settings\Minute-Man Press\Application Data\X-Chat 2
2008-12-25 22:28 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-25 22:28 --------- d-----w c:\program files\Philips
2008-12-25 22:28 --------- d-----w c:\documents and settings\Minute-Man Press\Application Data\InstallShield
2008-12-22 07:37 --------- d-----w c:\program files\xchat
2008-11-30 15:24 --------- d-----w c:\program files\WhiteSmoke
2008-11-28 16:33 --------- d-----w c:\program files\PDCPoker
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL Fast Start"="c:\program files\AOL 9.0\AOL.EXE" [2007-04-18 50736]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-10-29 160592]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MSS-2000 Server Applet.lnk]
backup=c:\windows\pss\MSS-2000 Server Applet.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMc77c1949
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c44f2ad5
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cleanup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msci
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton SystemWorks
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Omnipage
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule16
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack16
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
--a------ 2007-04-18 00:48 50736 c:\program files\AOL 9.0\aol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
--a------ 2008-06-12 13:28 266497 c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-09-06 00:40 342848 c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a--c--- 2004-08-04 01:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Evidence Eliminator]
--a------ 2007-08-06 11:06 920124 c:\program files\Evidence Eliminator\Ee.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-09-25 18:52 50736 c:\program files\Common Files\AOL\1225033844\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 10:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2008-04-17 17:27 9117696 c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a--c--- 2001-08-06 12:03 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
--a--c--- 2008-10-29 22:36 160592 c:\program files\Siber Systems\AI RoboForm\robotaskbaricon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a--c--- 2004-12-06 01:59 95456 c:\progra~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
--a--c--- 2002-10-15 18:00 1818624 c:\windows\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Iartfn2pdhp"=3 (0x3)
"aawservice"=2 (0x2)
"WebrootSpySweeperService"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"AresChatServer"=3 (0x3)
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AOL\\RC\\regclient.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Common Files\\AOL\\1225033844\\ee\\aolsoftware.exe"=
"System Idle Process"=
"c:\\WINDOWS\\system32\\sysconfig.exe"=
"c:\\Program Files\\PDCPoker\\client.exe"=
"c:\\Program Files\\xchat\\xchat.exe"=
"c:\\Program Files\\BearShare Pro\\Bearshare.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

S4 Iartfn2pdhp;Iartfn2pdhp;c:\windows\system32\drivers\rasl2tp.sys [2003-03-31 51328]
.
Contents of the 'Scheduled Tasks' folder

2009-01-28 c:\windows\Tasks\At1.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At10.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At11.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At12.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At13.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At14.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At15.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At16.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At17.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At18.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-29 c:\windows\Tasks\At19.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At2.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-29 c:\windows\Tasks\At20.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-29 c:\windows\Tasks\At21.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-29 c:\windows\Tasks\At22.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-29 c:\windows\Tasks\At23.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-29 c:\windows\Tasks\At24.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At25.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At26.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At27.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At28.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At29.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At3.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-27 c:\windows\Tasks\At30.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-27 c:\windows\Tasks\At31.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-27 c:\windows\Tasks\At32.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At33.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At34.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At35.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At36.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At37.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At38.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At39.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At4.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At40.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At41.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At42.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-29 c:\windows\Tasks\At43.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-29 c:\windows\Tasks\At44.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-29 c:\windows\Tasks\At45.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-29 c:\windows\Tasks\At46.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-29 c:\windows\Tasks\At47.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-29 c:\windows\Tasks\At48.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At49.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At5.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At50.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At51.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At52.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At53.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-27 c:\windows\Tasks\At54.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-27 c:\windows\Tasks\At55.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-27 c:\windows\Tasks\At56.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At57.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At58.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At59.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-27 c:\windows\Tasks\At6.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At60.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At61.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At62.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At63.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At64.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At65.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At66.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-29 c:\windows\Tasks\At67.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-29 c:\windows\Tasks\At68.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-29 c:\windows\Tasks\At69.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-27 c:\windows\Tasks\At7.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-29 c:\windows\Tasks\At70.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-29 c:\windows\Tasks\At71.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-29 c:\windows\Tasks\At72.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-27 c:\windows\Tasks\At8.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At9.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]
.
- - - - ORPHANS REMOVED - - - -

BHO-{68841D76-760B-4BB6-A4BB-6493137B76A6} - (no file)
BHO-{aeb19878-8eeb-4006-b9d0-9f4f5aeac6ac} - (no file)
BHO-{E0EA5A0A-96E2-4B60-8174-E0388F9D5C37} - (no file)
HKLM-RunServices-System Idle Process - (no file)
HKU-Default-Run-Cognac - c:\windows\TEMP\A0.tmp.exe
Notify-efcBsQKA - efcBsQKA.dll
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-Cognac - c:\docume~1\MINUTE~1\LOCALS~1\Temp\~tmpa.exe
MSConfigStartUp-Eraser RiskMonitor - c:\program files\East-Tec Eraser 2008\Launch.exe
MSConfigStartUp-Installer - c:\documents and settings\Minute-Man Press\Desktop\setup_241_3777_.exe
MSConfigStartUp-MSFox - c:\docume~1\MINUTE~1\LOCALS~1\Temp\ert54607.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-Startup Manager - startUp manager.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=1607
uSearchMigratedDefaultURL = hxxp://search.aol.com/aolcom/search?query={searchTerms}&invocationType=msie70a
mStart Page = hxxp://www.aol.com/?src=customie7
uInternet Connection Wizard,ShellNext = iexplore
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
TCP: {2B4A60CA-9995-474E-8921-570A265C09C4} = 205.188.146.145
FF - ProfilePath - c:\documents and settings\Minute-Man Press\Application Data\Mozilla\Firefox\Profiles\ocww1xlu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://aolsearch.aol.com/aol/search?invocationType=client_searchbox&query=
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-29 00:49:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\AOL\acs\AOLacsd.exe
c:\windows\system32\Crypserv.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\AOL 9.0\waol.exe
c:\program files\AOL 9.0\shellmon.exe
.
**************************************************************************
.
Completion time: 2009-01-29 0:53:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-29 06:53:18

Pre-Run: 9,682,427,904 bytes free
Post-Run: 9,769,566,208 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

370

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:10:36 AM

Posted 29 January 2009 - 04:01 AM

Hi,

I see you had AVG, Norton and McAfee previously but disabled them via msconfig. I also see a reference to Avira disabled via msconfig and, on top of that, I see your Avira is outdated!!
Is there any reason why you disable your realtime scanner and don't update it? How are you supposed to prevent malware if you disable the scanner that may already block the installer? Most people think that an antivirus is only needed to remove malware already present. In that case, it's actually already too late. An antivirus is mainly needed to prevent malware in the first place.
It also looks like it isn't the first time you got infected...

Anyway...

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\windows\system32\nSr4UJMX.exe
DDS::
uStart Page = hxxp://www.ask.com?o=1607
AtJob::
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMc77c1949]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c44f2ad5]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule16]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack16]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
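The two indicators the CFScript above goes after, dozens of At*.job tasks all launching one randomly named executable in system32 and the Security Center notification values set to 1, can be picked out of a ComboFix-style log mechanically. The following is an added example written for this thread, not ComboFix's or the forum's code: it parses the "Scheduled Tasks" section and the security center key from a log and reports the clusters. SAMPLE_LOG is a constructed, abridged excerpt modelled on the log posted above, with one constructed benign task (a GoogleUpdate job that is not in the original log) added for contrast; the threshold of three At jobs per target is an assumption chosen for the example.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix's own code)."""
import re
from collections import defaultdict

# Constructed, abridged excerpt modelled on the log posted in this thread.
# The GoogleUpdate task is a constructed benign entry for contrast.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

Contents of the 'Scheduled Tasks' folder

2009-01-28 c:\windows\Tasks\At1.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-28 c:\windows\Tasks\At2.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-29 c:\windows\Tasks\At3.job
- c:\windows\system32\nSr4UJMX.exe [2009-01-20 07:04]

2009-01-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-11-02 10:00]
.
"""

# "YYYY-MM-DD <path>.job" header line, followed by "- <target> [YYYY-MM-DD HH:MM]".
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>.+\.job)\s*$", re.I)
TARGET_RE = re.compile(r"^- (?P<target>.+?) \[\d{4}-\d{2}-\d{2} \d{2}:\d{2}\]\s*$")
SECURITY_CENTER_KEY = r"[HKEY_LOCAL_MACHINE\software\microsoft\security center]"
NOTIFY_RE = re.compile(r'^"(?P<name>\w+DisableNotify)"=dword:(?P<val>[0-9a-f]{8})$', re.I)


def parse_tasks(log):
    """Return (job_path, target_exe) pairs from the Scheduled Tasks section."""
    tasks = []
    lines = log.splitlines()
    for i, line in enumerate(lines):
        m = TASK_RE.match(line.strip())
        if m and i + 1 < len(lines):
            t = TARGET_RE.match(lines[i + 1].strip())
            if t:
                # Lower-case the target so case differences do not split a cluster.
                tasks.append((m.group("job"), t.group("target").lower()))
    return tasks


def at_job_clusters(tasks, threshold=3):
    """Targets launched by at least `threshold` At<N>.job tasks (assumed threshold)."""
    by_target = defaultdict(list)
    for job, target in tasks:
        name = job.rsplit("\\", 1)[-1]
        if re.fullmatch(r"At\d+\.job", name, re.I):
            by_target[target].append(name)
    return {t: sorted(j) for t, j in by_target.items() if len(j) >= threshold}


def disabled_security_center_notifications(log):
    """Names of *DisableNotify values set to 1 under the Security Center key."""
    names = []
    in_key = False
    for line in log.splitlines():
        s = line.strip()
        if not s:
            in_key = False  # a blank line ends the registry block
            continue
        if s.startswith("["):
            in_key = s.lower() == SECURITY_CENTER_KEY.lower()
            continue
        if in_key:
            m = NOTIFY_RE.match(s)
            if m and int(m.group("val"), 16) == 1:
                names.append(m.group("name"))
    return names


def triage(log):
    """Summarise the two indicators addressed by the CFScript in this thread."""
    tasks = parse_tasks(log)
    return {
        "task_count": len(tasks),
        "at_job_clusters": at_job_clusters(tasks),
        "notifications_disabled": disabled_security_center_notifications(log),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the full log above the cluster check would return a single target with 72 At jobs; the notification check lists both values the script resets to dword:00000000, and the benign single task is left out of the report.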

#7 miekiemoes

Posted 05 February 2009 - 06:57 AM

Still with us?

#8 miekiemoes

Posted 11 February 2009 - 07:18 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
