
Backdoor.agent.cfc


  • This topic is locked
52 replies to this topic

#1 rceleexpt

rceleexpt

  • Members
  • 49 posts
  • OFFLINE
  • Local time:05:41 AM

Posted 17 February 2009 - 02:16 PM

http://www.bleepingcomputer.com/forums/ind...p;#entry1140148 original topic post.

Backdoor.agent.cfc and trojan downloader and some others are on my infected computer, I've Malware and SDFix and no DDS.




DDS (Ver_09-02-01.01) - NTFSx86
Run by Me at 14:04:27.85 on Tue 02/17/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.458 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\mabidwe.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\soxpeca.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SYSTEM32\utilman.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\inf\rundll33.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\grcrt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\DOCUME~1\Me\LOCALS~1\Temp\vg6uda0kiblt2.exe
C:\DOCUME~1\Me\LOCALS~1\Temp\ux3jlrqkh0.exe
C:\DOCUME~1\Me\LOCALS~1\Temp\rnfjpa2e.exe
C:\DOCUME~1\Me\LOCALS~1\Temp\jjmkoyt5.exe
C:\DOCUME~1\Me\LOCALS~1\Temp\muxuz9.exe
C:\DOCUME~1\Me\LOCALS~1\Temp\tygwhk9tb.exe
C:\DOCUME~1\Me\LOCALS~1\Temp\s3w5fznot10oq.exe
C:\DOCUME~1\Me\LOCALS~1\Temp\pk6pmcvmsjqs.exe
C:\DOCUME~1\Me\LOCALS~1\Temp\jh45ky.exe
C:\DOCUME~1\Me\LOCALS~1\Temp\oa8bod45h2wnb.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\aol\aim toolbar 5.0\AolTbServer.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Me\Desktop\dds.scr

============== Pseudo HJT Report ===============

uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: Software - No File
BHO: Microsoft - No File
BHO: Internet Explorer - No File
BHO: LowRegistry - No File
BHO: Extensions - No File
BHO: CmdMapping - No File
BHO: c:\windows\system32\hsfd83jfdg.dll: {c5bf49a2-94f3-42bd-f434-3604812c8955} - c:\windows\system32\hsfd83jfdg.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EA Core] c:\program files\electronic arts\eadm\Core.exe -silent
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [jsf8uiw3jnjgffght] c:\docume~1\me\locals~1\temp\winlognn.exe
uRun: [xn0jcrw85vec4r2dxj9tg8b9f25xo2w6zy9d6] c:\docume~1\me\locals~1\temp\bay8afi.exe
uRun: [i4pqvbsglfn0utd7mfo55b919h53r9rc] c:\docume~1\me\locals~1\temp\u1lkc4qvwrg.exe
uRun: [tgaz5rxjpguhaf] c:\docume~1\me\locals~1\temp\x9v0d4.exe
uRun: [qhb6ieltvwx4iw7kob6fcj8y02n3zro6kxzye] c:\docume~1\me\locals~1\temp\pwa52o7bwq.exe
uRun: [tgo3rmbczdfy] c:\docume~1\me\locals~1\temp\k9jve6ype.exe
uRun: [l1ii0wmzetej7fx3ksz] c:\docume~1\me\locals~1\temp\dpqea8.exe
uRun: [m01yrbjfcv4u425if37a5of63x7r1cn3k4q3pn7u] c:\docume~1\me\locals~1\temp\ygkvrwegffcy3.exe
uRun: [qq8ultwyes7nl64btu55g9sqwbshvo5lixro3qm] c:\docume~1\me\locals~1\temp\jeh1c3lnu.exe
uRun: [twi027bevmg9x87yeaaxsr9py3v39j1tnq14nunybfp6ypt] c:\docume~1\me\locals~1\temp\trnar25akr.exe
uRun: [tdnsrjzck5ays8q3victaffpynvceg4jn3a3ib885x6k2cj53] c:\docume~1\me\locals~1\temp\x1a5g1y.exe
uRun: [w4o1nftlw6d2k01] c:\docume~1\me\locals~1\temp\ucl879l.exe
uRun: [eee2f721cet05ejoo82rgqlt4c2ondd1r2l95ewgwbv4] c:\docume~1\me\locals~1\temp\i5gujg4wcsxz.exe
uRun: [at54y1z8ct2tph6u0gyu5zbx4765i9pzcvfso8v1] c:\docume~1\me\locals~1\temp\n40a17gpsz7g.exe
uRun: [qf5e5qqhvrs2lwknwoik3z] c:\docume~1\me\locals~1\temp\rtcsvm.exe
uRun: [deytyhrxkbubcq5bn3bsx0sxoxpva] c:\docume~1\me\locals~1\temp\t2ma793aawyc.exe
uRun: [tqfq4owpu7wtxsa8qrx7k8sfwfyqh] c:\docume~1\me\locals~1\temp\i0tbuhusx8zlk.exe
uRun: [vul7e3qynjg2tea8n69bvfvcmz30cv27g4mb85da] c:\docume~1\me\locals~1\temp\cc1bbdxcw92vz.exe
uRun: [ffskq1w181w6x6hdbvwuyxbfbknqw7c4smqbqo71u0] c:\docume~1\me\locals~1\temp\j1dto9a.exe
uRun: [ypot71267] c:\docume~1\me\locals~1\temp\b5nll9.exe
uRun: [s1gf81hgchlc2hz2cbrgc44vz2ui2j9t239xfoddu87] c:\docume~1\me\locals~1\temp\hv5w1ii5gcxcg.exe
uRun: [xkagspvalefvegmk] c:\docume~1\me\locals~1\temp\p903r6sr5y7.exe
uRun: [m4ud1495cy0bvq07egk7el] c:\docume~1\me\locals~1\temp\c7nr1f5jn1.exe
uRun: [iyom1dld8tpmkn425xz2hll0mb9oxfzlbx] c:\docume~1\me\locals~1\temp\qdo3vff.exe
uRun: [ruyqofl6zyuyqq18fgeka40ebv4jt0vmmb777fpc0z9bloin5] c:\docume~1\me\locals~1\temp\eg4t6kr1pm.exe
uRun: [xlymiwhgpfl0o6ygc19bt5gknj9ww0] c:\docume~1\me\locals~1\temp\jb2wk8p8hzdsy.exe
uRun: [wdpew2cu8qabh4280agxvpy7zqjveopf9pa601v0iw5riezu] c:\docume~1\me\locals~1\temp\c8c46bd1.exe
uRun: [csq7rpvzbdh9y36gj5i4pnz0mfp2mt5f] c:\docume~1\me\locals~1\temp\qh5ev2or2nbc7.exe
uRun: [m0tcpzvkgay0bm05dk6nzpb6pir] c:\docume~1\me\locals~1\temp\yzft6g.exe
uRun: [pwann4nzxfuzxwni2srhwn7z9] c:\docume~1\me\locals~1\temp\r088nlfa.exe
uRun: [d4tcn7u38q] c:\docume~1\me\locals~1\temp\efjkgqvyy.exe
uRun: [jyknwl8ddbgnlux7h2dzwj78onuaa20kps5ly6ugzszo6c9zs] c:\docume~1\me\locals~1\temp\mpkr0shgxgeo0.exe
uRun: [rya9tbyglzo1] c:\docume~1\me\locals~1\temp\nzppr9.exe
uRun: [mbu42fx6jzxxjijlr5btolfl984ht] c:\docume~1\me\locals~1\temp\mu3b9qmuxg1i.exe
uRun: [ngo8hcwtsyud] c:\docume~1\me\locals~1\temp\eqacpewlgadb.exe
uRun: [c3d8q0u8ubrchae0j5dnaozs85gcwwn4me2otaas] c:\docume~1\me\locals~1\temp\kbgqlae9l7.exe
uRun: [f7dbbbr1sml4w3t9v7v] c:\docume~1\me\locals~1\temp\aj55kvb.exe
uRun: [d0qtumoa99l46k0eu2pu8dka07i488lnhu90] c:\docume~1\me\locals~1\temp\w09vlb.exe
uRun: [vswvghfip2kq2iwgf6ujfvmxzqwwsxqpmqr5t3qgeubsn3ou] c:\docume~1\me\locals~1\temp\cud2m4s4y8.exe
uRun: [u20786o9y0ngb2fekiml898jg] c:\docume~1\me\locals~1\temp\uv36bq7sh.exe
uRun: [q4rlq524ofniu2gk] c:\docume~1\me\locals~1\temp\go8nphtwlxe.exe
uRun: [bxvpim7q7vb59vqxwd46ccwirzopr9dvqu42z] c:\docume~1\me\locals~1\temp\i6n2v7mmni6hl.exe
uRun: [ykc0br9ohqvf8tuk4qq8fx1wwbfj0zxs5eir18coi0q3pwt9] c:\docume~1\me\locals~1\temp\slhxot.exe
uRun: [edaay1r0nq73m4l2kmr48wdyc1b6vt1icjo1jifbzy3tghoomh] c:\docume~1\me\locals~1\temp\sq0heaookcn5f.exe
uRun: [mpt4swr5k1s6yp15br1e] c:\docume~1\me\locals~1\temp\u54q86qpoue.exe
uRun: [zwe2evl67nr6cykxlgs22ahfnalecl] c:\docume~1\me\locals~1\temp\q7ucyf1.exe
uRun: [zgv05agqg6kog1bq2nhermb1rxjxtj3a4tpag0] c:\docume~1\me\locals~1\temp\ht3ivc6w.exe
uRun: [fk7l3ottlvukeyuymuf2snk4r45at1est5] c:\docume~1\me\locals~1\temp\qcdw36.exe
uRun: [i8ddpa9rw7wymrz2pvg] c:\docume~1\me\locals~1\temp\kobgu17e.exe
uRun: [t2v7kji5usqpwsu4j2950pocvvo] c:\docume~1\me\locals~1\temp\ktu0kic.exe
uRun: [sjk1ohjpn9ltbng4oqttiogyekubbpxalmfpgz0mhln] c:\docume~1\me\locals~1\temp\i48452w3.exe
uRun: [orl0y8ynbm8ag7y7vp21] c:\docume~1\me\locals~1\temp\uxdljti7ik.exe
uRun: [u2zgr9xjiplpk] c:\docume~1\me\locals~1\temp\u1ee7j.exe
uRun: [ncdm3bzeq8lhzg7w836ls59] c:\docume~1\me\locals~1\temp\zno5rz.exe
uRun: [mfywkce3ev28zxhkswxhiufg952iks8xymqv4o] c:\docume~1\me\locals~1\temp\s3c7n1yap72.exe
uRun: [ni96jb7400rjdv9zuhny47j3jw8] c:\docume~1\me\locals~1\temp\gsehl1uww2.exe
uRun: [lzj6qp935a8pez7h4ozc4k7pikxpvq1m3l6] c:\docume~1\me\locals~1\temp\ejjftie7xwb.exe
uRun: [r7b9njq18qa5d2k6] c:\docume~1\me\locals~1\temp\d2k2nz.exe
uRun: [wsjg62dcivcfptykh6863h0zbi34xijxet1ymflcjh8p2w0cxe] c:\docume~1\me\locals~1\temp\ov589oh0tt2la.exe
uRun: [s7f8enlojnoxnwxgwjeuy0ojjmafv70rchtbub80keayxpkh7] c:\docume~1\me\locals~1\temp\yelxnfsteh0.exe
uRun: [q8nk9906fod4lku84mkdbtx9qsfv5slmqkkcx3q9i38m] c:\docume~1\me\locals~1\temp\tk41s04.exe
uRun: [ez8zwf0fmhgoi70mm3j66tnq3nha1ej7yop3h] c:\docume~1\me\locals~1\temp\er64o8q.exe
uRun: [sebv4kvg5xl] c:\docume~1\me\locals~1\temp\ay89q9z8.exe
uRun: [z6xuqdx8diuxm5yi5wt1bjxew5qwg9bi6y5ceflnghar] c:\docume~1\me\locals~1\temp\sp3a9few864.exe
uRun: [ud4lo9c3ifou74oyddggpdukuu689ind5] c:\docume~1\me\locals~1\temp\khvixg3c.exe
uRun: [li0ukza6l4joetjrz47] c:\docume~1\me\locals~1\temp\rgr37sin4yyz.exe
uRun: [kik2zjlu8t4no95x26hp0801npdludck39a5kwl0tpytgj] c:\docume~1\me\locals~1\temp\cdeje2yi22zc.exe
uRun: [vo87gutfk3] c:\docume~1\me\locals~1\temp\qmt032pq.exe
uRun: [jtgk1w3w6qg2] c:\docume~1\me\locals~1\temp\efo3f9r083x65.exe
uRun: [jnmbfwsqsifg8w3idwgdj93bbqu08um3t] c:\docume~1\me\locals~1\temp\t6jnfy67.exe
uRun: [fzfcwk3uqfx3yvhfimu59t7rjk04s0yjg9] c:\docume~1\me\locals~1\temp\l2qoe3xy.exe
uRun: [msy2h0s6knpjmg93jv04m37pp1bk3nmhv] c:\docume~1\me\locals~1\temp\ifrw1t51u8.exe
uRun: [y6ej9u7lp] c:\docume~1\me\locals~1\temp\lpmgq9.exe
uRun: [e5od572tw7nmi0jio5uzm] c:\docume~1\me\locals~1\temp\kpj5y7ci53f.exe
uRun: [o6uonlv5gbchcyj3dwbxjuumogaceahr3q4vcbmn8ivmk9y9t] c:\docume~1\me\locals~1\temp\dcv45cn1prm9.exe
uRun: [m8tzv0q5bjzasqis2ql1gqvfpmz2jl] c:\docume~1\me\locals~1\temp\gwlr084iu34n.exe
uRun: [xuufkr1whzen0n1xj3qd65qlnn4lztba33zt1s4g] c:\docume~1\me\locals~1\temp\j6gu6olz.exe
uRun: [wxbzmy8a283lbjjzult54zji9tz6memz6x] c:\docume~1\me\locals~1\temp\c3ugc8p.exe
uRun: [luqime2pm25q163q2hkux5y0at5xu2kqocvthlxq] c:\docume~1\me\locals~1\temp\n5dziirm.exe
uRun: [u2vbyzz1y5mhe4benhk7c9wig03] c:\docume~1\me\locals~1\temp\obg12rcff.exe
uRun: [s9uupyhvghjfisvs1ttip] c:\docume~1\me\locals~1\temp\wfsh33low.exe
uRun: [cjo8dfpkxsbquqncga79679kezenalhn2o78r] c:\docume~1\me\locals~1\temp\dp7de3g6um.exe
uRun: [lomhkrls6rql5h11hfgjm7ojt3] c:\docume~1\me\locals~1\temp\r9nkp8s89a3hc.exe
uRun: [s44nagxuvd] c:\docume~1\me\locals~1\temp\bgfsjyw4.exe
uRun: [in9mwqvhqyyjl0yevm5pbyemr26sify] c:\docume~1\me\locals~1\temp\p9avv5yejsd24.exe
uRun: [rydcwvswzadvta] c:\docume~1\me\locals~1\temp\qjftm5.exe
uRun: [et46mjj9h4n62r2koo8x8f9cgpicd] c:\docume~1\me\locals~1\temp\xi5e5hc10y7m.exe
uRun: [xucvfus7eojurnthvpeq3ch4qvnkmykp18t7agp] c:\docume~1\me\locals~1\temp\wr0ge0sqi4t.exe
uRun: [ll2ott2wuomgw] c:\docume~1\me\locals~1\temp\agchrw5l5ajno.exe
uRun: [zpyq4jf1j] c:\docume~1\me\locals~1\temp\t3ogyi.exe
uRun: [b5x2e52h4kxxmv64149gud86t371o1vikff2sg8kbl] c:\docume~1\me\locals~1\temp\p9hyonr.exe
uRun: [g29ql32zqmtt1qcbri2tyd30hjpxz5m00sabi0hxl16f] c:\docume~1\me\locals~1\temp\vg6uda0kiblt2.exe
uRun: [i3jpq001ots918clh1c2916] c:\docume~1\me\locals~1\temp\ux3jlrqkh0.exe
uRun: [sb5upm2vkoh8qq5dmnwopkyt6qorph] c:\docume~1\me\locals~1\temp\rnfjpa2e.exe
uRun: [o4yv6rdgilgvgpjt8urzf4jqe3uv9nv9] c:\docume~1\me\locals~1\temp\jjmkoyt5.exe
uRun: [j2uwjuc9nx12g8nme1xe406rs7pb2ic] c:\docume~1\me\locals~1\temp\muxuz9.exe
uRun: [ws1vrgb7z2h3298tcu6j4lx] c:\docume~1\me\locals~1\temp\tygwhk9tb.exe
uRun: [p05dyz6j5a4parjl3jc8qykwv3rd] c:\docume~1\me\locals~1\temp\s3w5fznot10oq.exe
uRun: [c88gf50vu5j91xgrjemt516qna] c:\docume~1\me\locals~1\temp\pk6pmcvmsjqs.exe
uRun: [hdkseie8lt7ftc71lctn5qg3th436z] c:\docume~1\me\locals~1\temp\jh45ky.exe
uRun: [vxpepl721f32ohs4wco0c1pef98e75q3a29k2323vqfro0] c:\docume~1\me\locals~1\temp\oa8bod45h2wnb.exe
uRun: [mjeem9ht6bpqezp08nrclloqiooptwkddp5ueu] c:\docume~1\me\locals~1\temp\t8707zl1phdyq.exe
uRun: [ffxcxosb9beoz9v1jzb4fjkjgaocacgbk81z0tnenj1] c:\docume~1\me\locals~1\temp\c8k35umy7.exe
uRun: [uz91wlcue8ozjh5lspho3xaiotzoupwqszcb6r] c:\docume~1\me\locals~1\temp\im9vsunt.exe
uRun: [ef9u1sgomnmjm911wihytobhs1qlq] c:\docume~1\me\locals~1\temp\svu005h5iu.exe
uRun: [qhmx3ifuht5sglvngyczwucgnntge0xjw5em339x4hvk5v7rc] c:\docume~1\me\locals~1\temp\c8fzn0o3wf.exe
uRun: [a7a3ikwd4nys34w7q5967zd3jizqu5ld736f] c:\docume~1\me\locals~1\temp\g85ahqaoq.exe
uRun: [d6aocjct2lvf542akgjmvm6pv6ql5eawwr68co5s] c:\docume~1\me\locals~1\temp\rr5tnhchtp.exe
uRun: [cmxeht376kz1tr5h] c:\docume~1\me\locals~1\temp\beoembifl71od.exe
uRun: [nwj6xkq69nite94a1glp81yayxfj8o7] c:\docume~1\me\locals~1\temp\a5zn0p.exe
uRun: [edpu4fjn7yvgkpgb6l62vnwchgw630yjas82qmtd] c:\docume~1\me\locals~1\temp\i9smkk.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Lqirakucad] rundll32.exe "c:\windows\Rnedadikuji.dll",e
mRun: [jsf8uiw3jnjgffght] c:\docume~1\me\locals~1\temp\winlognn.exe
mRun: [DeskTopSrv] c:\windows\system32\grcrt.exe
mRun: [Vnuloyivoqububuk] rundll32.exe "c:\windows\izamubaraxonug.dll",e
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mExplorerRun: [xccinit] c:\windows\system32\inf\rundll33.exe c:\windows\xccdf16_090131a.dll xccd16
StartupFolder: c:\docume~1\me\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: wmxrvz.dll
STS: c:\windows\system32\hsfd83jfdg.dll: {c5bf49a2-94f3-42bd-f434-3604812c8955} - c:\windows\system32\hsfd83jfdg.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\wvUMeEvs

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\me\applic~1\mozilla\firefox\profiles\hx4eymxd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/?src=aim
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - component: c:\progra~1\mozill~1\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: XUL Cache: {779FFE24-C169-49AC-AB5C-0CBB55184342} - c:\documents and settings\me\local settings\application data\{779FFE24-C169-49AC-AB5C-0CBB55184342}

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2007-10-20 42376]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2007-10-20 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2007-10-20 81288]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2008-7-17 160792]
R2 afisicx;afisicx Service;c:\windows\system32\afisicx.exe [2004-8-4 185344]
R2 mabidwe;mabidwe Service;c:\windows\system32\mabidwe.exe [2004-8-4 185344]
R2 noytcyr;noytcyr Service;c:\windows\system32\noytcyr.exe [2004-8-4 185344]
R2 roytctm;roytctm Service;c:\windows\system32\roytctm.exe [2004-8-4 184832]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-7-17 337800]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-7-17 1017224]
R2 soxpeca;soxpeca Service;c:\windows\system32\soxpeca.exe [2004-8-4 184832]
R2 tdydowkc;tdydowkc Service;c:\windows\system32\tdydowkc.exe [2004-8-4 184320]
R2 wsldoekd;wsldoekd Service;c:\windows\system32\wsldoekd.exe [2004-8-4 185344]
R3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [2008-1-16 17408]
R3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\pelusblf.sys [2008-1-16 7680]
S1 c1af54a2;c1af54a2;c:\windows\system32\drivers\c1af54a2.sys [2009-2-14 0]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-2-11 24652]
S3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\pavsrk.sys --> c:\windows\system32\PavSRK.sys [?]
S3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\pavtpk.sys --> c:\windows\system32\PavTPK.sys [?]

=============== Created Last 30 ================

2009-02-16 20:35 108 a------- c:\windows\system32\xcchit32.ini.tmp
2009-02-16 20:30 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-16 20:30 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-16 20:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-16 20:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-16 19:26 <DIR> --d----- c:\program files\Advanced Spyware Remover
2009-02-16 19:00 141,824 a------- c:\windows\system32\w.exe
2009-02-15 21:48 131,584 a------- c:\windows\izamubaraxonug.dll
2009-02-15 21:38 40,960 a------- c:\windows\system32\grcrt.dll
2009-02-15 21:38 80,384 a------- c:\windows\system32\grcrt.exe
2009-02-15 21:38 26,624 a------- c:\windows\system32\grcrt2.exe
2009-02-15 21:38 389,120 a------- c:\windows\system32\tmpxccacj1.exe
2009-02-14 15:53 195 a------- c:\windows\system32\xcchit32.ini
2009-02-14 15:51 15,000 a------- c:\windows\system32\hsfd83jfdg.dll
2009-02-14 15:51 40,448 a------- c:\windows\Rnedadikuji.dll
2009-02-14 15:51 72,704 a------- c:\windows\system32\nwnuhldc.dll
2009-02-14 15:51 129,024 a------- c:\windows\system32\wmxrvz.dll
2009-02-14 15:51 129,024 a------- c:\windows\system32\rgsmrkfw.dll
2009-02-14 15:50 31,449 a--sh--- c:\windows\system32\svEeMUvw.ini
2009-02-14 15:50 368 a--sh--- c:\windows\system32\svEeMUvw.ini2
2009-02-14 15:50 302,592 a------- c:\windows\system32\wvUMeEvs.dll.vir
2009-02-14 15:45 48,128 a------- c:\windows\system32\urqOEUmj.dll
2009-02-14 15:45 36,352 a------- c:\windows\system32\nnnnOiiJ.dll
2009-02-12 11:28 <DIR> --d----- c:\docume~1\me\applic~1\Unity
2009-02-12 10:44 <DIR> --d----- c:\program files\Unity

==================== Find3M ====================

2009-02-17 14:02 251,392 a------- c:\windows\xccdf32_090131a.dll
2009-02-16 18:37 0 a------- c:\windows\system32\drivers\c1af54a2.sys
2009-02-14 15:52 3,182 a------- c:\windows\ios.dat
2009-02-14 15:52 106,496 a------- c:\windows\system32\fejokt.dll
2009-02-14 15:52 578,560 a------- c:\windows\system32\user32.DLL
2009-02-14 15:52 172,032 a------- c:\windows\system32\nvaux32.dll
2009-02-14 15:52 215,552 a------- c:\windows\system32\termsrv.dll
2009-02-14 15:52 36,352 a------- c:\windows\xccdf16_090131a.dll
2008-12-20 18:15 826,368 a------- c:\windows\system32\wininet.dll
2008-08-17 18:05 24 a------- c:\documents and settings\me\jagex_runescape_preferences.dat
2008-09-16 17:28 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091620080917\index.dat

============= FINISH: 14:06:22.60 ===============
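A helper reading a DDS log like the one above looks for the same handful of patterns every time: Run-key entries that launch random-named executables out of the user's Temp folder, anything at all under AppInit_DLLs, an LSA Authentication Packages line that lists more than msv1_0, policies that lock the user out of regedit or Folder Options, and a block of R2 services that share one date/size stamp and a generic "<name> Service" label. The Python script below is an added example written for this page; it is not part of the original thread, of DDS, or of any BleepingComputer tool. It applies those checks to a constructed excerpt modelled on the posted log (the `SAMPLE_LOG` lines, the `triage` and `summarize` functions and the heuristic thresholds are all my own choices), and it also cross-references Run targets against the "Created Last 30" section, which is how an ordinary-looking entry such as `grcrt.exe` gets caught.

```python
"""Heuristic triage of a DDS-style log (added example; not part of the thread,
of DDS, or of any BleepingComputer tool).

Checks applied, mirroring what a log reader looks for by eye:
  * uRun/mRun/mExplorerRun entries that start from a Temp folder, carry a
    random-looking value name, sit under the rarely used Policies\\Explorer\\Run
    key, or point at a file listed in the "Created Last 30" section
  * AppInit_DLLs entries and LSA authentication packages other than msv1_0
  * lockout policies (DisableRegistryTools, NoFolderOptions, DisableTaskMgr)
  * R2 services sharing one date/size stamp and a generic "<name> Service" label
"""
import re
from collections import defaultdict

# Constructed excerpt modelled on the posted log (not the log itself).
SAMPLE_LOG = "\n".join([
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r"uRun: [jsf8uiw3jnjgffght] c:\docume~1\me\locals~1\temp\winlognn.exe",
    r"uRun: [qhb6ieltvwx4iw7kob6fcj8y02n3zro6kxzye] c:\docume~1\me\locals~1\temp\pwa52o7bwq.exe",
    r'mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"',
    r"mRun: [DeskTopSrv] c:\windows\system32\grcrt.exe",
    r"mExplorerRun: [xccinit] c:\windows\system32\inf\rundll33.exe c:\windows\xccdf16_090131a.dll xccd16",
    r"uPolicies-system: DisableRegistryTools = 1 (0x1)",
    r"AppInit_DLLs: wmxrvz.dll",
    r"LSA: Authentication Packages = msv1_0 c:\windows\system32\wvUMeEvs",
    r"R2 afisicx;afisicx Service;c:\windows\system32\afisicx.exe [2004-8-4 185344]",
    r"R2 mabidwe;mabidwe Service;c:\windows\system32\mabidwe.exe [2004-8-4 185344]",
    r"R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-7-17 1017224]",
    r"R2 wsldoekd;wsldoekd Service;c:\windows\system32\wsldoekd.exe [2004-8-4 185344]",
    r"2009-02-15 21:38 80,384 a------- c:\windows\system32\grcrt.exe",
    r"2009-02-14 15:51 129,024 a------- c:\windows\system32\wmxrvz.dll",
])

RUN_RE = re.compile(r"^(uRun|mRun|mExplorerRun): \[([^\]]*)\] (.*)$")
SERVICE_RE = re.compile(r"^[RS]\d ([^;]+);([^;]*);.+? \[(\S+) (\d+)\]$")   # name;display;path [date size]
POLICY_RE = re.compile(r"^[um]Policies-\w+: (\w+) = (\S+)")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} [\d,]+ \S+ (.+)$")   # "Created Last 30" file lines
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)[a-z0-9]{12,}$")   # long, lowercase alphanumeric, has a digit
LOCKOUT_POLICIES = {"DisableRegistryTools", "NoFolderOptions", "DisableTaskMgr"}


def _target_path(target):
    """First token of a Run value: the executable, without quotes or arguments."""
    target = target.strip()
    if target.startswith('"'):
        return target[1:target.find('"', 1)].lower()
    return target.split()[0].lower()


def triage(log_text):
    """Return a list of (category, detail) findings for one DDS-style log."""
    runs, services, created, findings = [], defaultdict(list), set(), []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := RUN_RE.match(line):
            runs.append(m.groups())                 # evaluated after 'created' is complete
        elif m := SERVICE_RE.match(line):
            name, display, date, size = m.groups()
            services[(date, size)].append((name, display))
        elif m := CREATED_RE.match(line):
            created.add(m.group(1).lower())
        elif (m := POLICY_RE.match(line)) and m.group(1) in LOCKOUT_POLICIES and m.group(2) != "0":
            findings.append(("policy", line))
        elif line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            findings.append(("appinit", line))
        elif line.startswith("LSA: Authentication Packages"):
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() != "msv1_0":
                    findings.append(("lsa", f"non-default authentication package: {pkg}"))
    for key, name, target in runs:
        reasons = []
        if "\\temp\\" in target.lower():
            reasons.append("starts from a Temp folder")
        if RANDOM_NAME_RE.match(name):
            reasons.append("random-looking value name")
        if key == "mExplorerRun":
            reasons.append("Policies\\Explorer\\Run is rarely used by legitimate software")
        if _target_path(target) in created:
            reasons.append("target appears in Created Last 30")
        if reasons:
            findings.append(("run", f"{key} [{name}] {target}: " + "; ".join(reasons)))
    for (date, size), members in services.items():
        generic = [n for n, d in members if d == f"{n} Service"]
        if len(members) >= 2 and len(generic) == len(members):
            findings.append(("service_cluster",
                             f"{len(members)} services share stamp {date}/{size}: " + ", ".join(generic)))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'run': 4, 'policy': 1, ...}."""
    counts = defaultdict(int)
    for category, _ in findings:
        counts[category] += 1
    return dict(counts)


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category:15}] {detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run as a file it prints one line per finding and then the per-category counts. The heuristics are deliberately narrow: a malicious entry with a plausible name in Program Files, or a service created outside any cluster, passes them, which is why a human still reads the whole log and the cross-reference against recently created files matters as much as the name-based rules.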



#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:05:41 PM

Posted 18 February 2009 - 06:46 AM

Please download Dr.Web CureIt to the Desktop:
  • Double-click the launch.exe or cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, please do a re-scan.. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan finished, click Select all
  • Click on Cure and choose Move incurable
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit. Reboot your PC in Normal Mode, and post DrWeb.csv in your next reply (Open it as Notepad)



NEXT


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asked you to install Recovery Console, please do so.. It will be your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DO NOT mouseclick ComboFix's window while it's running. That may cause it to stall




Please post these logs in your next reply... Post each log in separate post

1. Dr. Web CureIt
2. ComboFix
3. A fresh HijackThis log

Edited by fenzodahl512, 18 February 2009 - 06:49 AM.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 rceleexpt

rceleexpt
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:05:41 AM

Posted 18 February 2009 - 02:58 PM

Alright, I burned both CureIt and ComboFix to a CD and moved them to the infected computer. When I tried to run CureIt it would load, and when I click OK to start the scan an error comes up and says that setup.exe encountered a problem and needs to close, then it asks if I want to download the full free trial. As for ComboFix, I click on it and the loading sign comes up for half a second and nothing happens.

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:05:41 PM

Posted 18 February 2009 - 04:13 PM

Rename ComboFix to Combo-Fix and try to run it.. Post the log here after that.. If it fails, just tell me



#5 rceleexpt

rceleexpt
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:05:41 AM

Posted 19 February 2009 - 06:48 PM

No it didn't work.

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:05:41 PM

Posted 20 February 2009 - 04:56 AM

Let's do this first


Please download RUNSCANNER to your desktop and run it.
  • When the first page comes up select Beginner Mode
  • On the next page select Save a binary .Run file (Recommended) then click Start full scan at the top.
  • At this time Runscanner.exe may request access to the Internet through your firewall please allow it to do so, it will then run for two or three minutes.
  • It will then ask you to save two files, the .run file and the log. Save both of them in your Desktop.
  • You will see the .run file on your desktop. Please zip the .run file and attach it in your next reply
Then upload that as an attachment in your next post.



#7 rceleexpt

rceleexpt
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:05:41 AM

Posted 20 February 2009 - 02:59 PM

I had to run the scan in safe mode, because the computer wouldn't work in normal operation.

Here is the log:
Runscanner logfile

* = signed file
- = file not found

General info
------------
Computer name : BLUEPC
Creation time : 2/20/2009 2:54:10 PM
Hosts <> 127.0.0.1 : 0
Hosts file location : %SystemRoot%\System32\drivers\etc
IE version : 7.0.5730.11
OS : Microsoft Windows XP
OS Build : 2600
OS SP : Service Pack 3
RunScanner Version : 1.8.0.0
User Language : English (United States)
User rights : Administrator
Windows folder : C:\WINDOWS

Running processes
-----------------
* C:\WINDOWS\system32\csrss.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\lsass.exe (Microsoft Corporation)
* C:\Program Files\Spyware Doctor\pctsAuxs.exe (PC Tools)
* C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools)
* C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools)
* C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for runscanner.zip\RunScanner.exe (Runscanner.net)
* C:\WINDOWS\system32\services.exe (Microsoft Corporation)
* C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
* C:\WINDOWS\SYSTEM32\winlogon.exe (Microsoft Corporation)
* c:\windows\System32\smss.exe (Microsoft Corporation)

Unrated items
-------------
002 C:\WINDOWS\CTHELPER.EXE (Creative Technology Ltd)
002 C:\WINDOWS\system32\CTXFIHLP.EXE (Creative Technology Ltd)
002 C:\WINDOWS\system32\grcrt.exe
002 C:\DOCUME~1\Me\LOCALS~1\Temp\winlognn.exe
002 C:\WINDOWS\Rnedadikuji.dll (Johnson-Grace Company)
002 C:\WINDOWS\system32\ICO.EXE (Primax Electronics Ltd.)
002 C:\WINDOWS\izamubaraxonug.dll (Mozilla Foundation)
010 C:\WINDOWS\system32\afisicx.exe (afisicx Service)
010 C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (InstallDriver Table Manager)
010 C:\WINDOWS\system32\mabidwe.exe (mabidwe Service)
010 C:\WINDOWS\system32\noytcyr.exe (noytcyr Service)
010 C:\WINDOWS\system32\roytctm.exe (roytctm Service)
010 C:\WINDOWS\system32\soxpeca.exe (soxpeca Service)
010 C:\WINDOWS\system32\tdydowkc.exe (tdydowkc Service)
010 C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Manager Service)
010 C:\WINDOWS\system32\wsldoekd.exe (wsldoekd Service)
011 c:\windows\System32\drivers\c1af54a2.sys (c1af54a2)
011 C:\WINDOWS\system32\DRIVERS\usbsermpt.sys (Motorola USB Modem Driver for MPT)
041 * C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (AOL LLC) {DE9C389F-3316-41A7-809B-AA305ED9D922}
051 C:\WINDOWS\system32\hsfd83jfdg.dll {C5BF49A2-94F3-42BD-F434-3604812C8955}
052 C:\WINDOWS\system32\hsfd83jfdg.dll {C5BF49A2-94F3-42BD-F434-3604812C8955}
052 GUID / CLSID not found Software
062 C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll (Adobe Systems, Inc.) {F9DB5320-233E-11D1-9F84-707F02C10627}
064 C:\WINDOWS\system32\user32.dll (Microsoft Corporation)
105 E&xport to Microsoft Excel : res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
121 C:\WINDOWS\system32\wmxrvz.dll
231 C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll (Adobe Systems, Inc.) PDF Column Info

Missing files
-------------
011 C:\WINDOWS\system32\drivers\Abiosdsk.sys
011 C:\WINDOWS\system32\drivers\abp480n5.sys
011 C:\WINDOWS\system32\drivers\adpu160m.sys
011 C:\WINDOWS\system32\drivers\Aha154x.sys
011 C:\WINDOWS\system32\drivers\aic78u2.sys
011 C:\WINDOWS\system32\drivers\aic78xx.sys
011 C:\WINDOWS\system32\drivers\AliIde.sys
011 C:\WINDOWS\system32\drivers\amsint.sys
011 C:\WINDOWS\system32\drivers\asc.sys
011 C:\WINDOWS\system32\drivers\asc3350p.sys
011 C:\WINDOWS\system32\drivers\asc3550.sys
011 C:\WINDOWS\system32\drivers\Atdisk.sys
011 C:\WINDOWS\system32\drivers\cd20xrnt.sys
011 C:\WINDOWS\system32\drivers\Changer.sys
011 C:\WINDOWS\system32\drivers\CmdIde.sys
011 C:\WINDOWS\system32\drivers\Cpqarray.sys
011 C:\WINDOWS\system32\drivers\dac2w2k.sys
011 C:\WINDOWS\system32\drivers\dac960nt.sys
011 C:\WINDOWS\system32\drivers\dpti2o.sys
011 C:\WINDOWS\system32\drivers\hpn.sys
011 C:\WINDOWS\system32\drivers\i2omgmt.sys
011 C:\WINDOWS\system32\drivers\i2omp.sys
011 C:\WINDOWS\system32\drivers\ini910u.sys
011 C:\WINDOWS\system32\drivers\IntelIde.sys
011 C:\WINDOWS\system32\drivers\lbrtfdc.sys
011 C:\WINDOWS\system32\drivers\mraid35x.sys
011 C:\WINDOWS\system32\PavSRK.sys
011 C:\WINDOWS\system32\PavTPK.sys
011 C:\WINDOWS\system32\drivers\PCIDump.sys
011 C:\WINDOWS\system32\drivers\PDCOMP.sys
011 C:\WINDOWS\system32\drivers\PDFRAME.sys
011 C:\WINDOWS\system32\drivers\PDRELI.sys
011 C:\WINDOWS\system32\drivers\PDRFRAME.sys
011 C:\WINDOWS\system32\drivers\perc2.sys
011 C:\WINDOWS\system32\drivers\perc2hib.sys
011 C:\WINDOWS\system32\drivers\ql1080.sys
011 C:\WINDOWS\system32\drivers\Ql10wnt.sys
011 C:\WINDOWS\system32\drivers\ql12160.sys
011 C:\WINDOWS\system32\drivers\ql1240.sys
011 C:\WINDOWS\system32\drivers\ql1280.sys
011 C:\WINDOWS\system32\drivers\Simbad.sys
011 C:\WINDOWS\system32\drivers\Sparrow.sys
011 C:\WINDOWS\system32\drivers\sym_hi.sys
011 C:\WINDOWS\system32\drivers\sym_u3.sys
011 C:\WINDOWS\system32\drivers\symc810.sys
011 C:\WINDOWS\system32\drivers\symc8xx.sys
011 C:\WINDOWS\system32\drivers\TosIde.sys
011 C:\WINDOWS\system32\drivers\ultra.sys
011 C:\WINDOWS\system32\drivers\WDICA.sys
041 C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
061 deskpan.dll
070 C:\WINDOWS\system32\wvUMeEvs
073 C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe

Attached Files

  • Attached File  .run.zip   124.15KB   5 downloads


#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:05:41 PM

Posted 20 February 2009 - 03:53 PM

Delete your version of ComboFix and do below....


Download the zipped attachment at the end of this post (this will be your runscanner as fixed by me)
  • Unzip it to your desktop, then double-click the runscanner icon; this will run the program.
  • Click on the "Item Fixer" tab
  • You will notice several entries with a tick in red; click Fix checked or Fix selected items.
  • Accept the warning, then repeat until they are all gone.



NEXT


Please download The Avenger by Swandog46 and unzip it to your Desktop


Please open The Avenger. Then, please copy/paste the script inside the codebox into the Input script here: box..

Begin copying here:
Drivers to disable:
afisicx
mabidwe
noytcyr
roytctm
soxpeca
tdydowkc
wsldoekd
c1af54a2

Drivers to delete:
afisicx
mabidwe
noytcyr
roytctm
soxpeca
tdydowkc
wsldoekd
c1af54a2

Files to delete:
c:\windows\system32\afisicx.exe
c:\windows\system32\mabidwe.exe
c:\windows\system32\noytcyr.exe
c:\windows\system32\roytctm.exe
c:\windows\system32\soxpeca.exe
c:\windows\system32\tdydowkc.exe
c:\windows\system32\wsldoekd.exe
c:\windows\system32\drivers\c1af54a2.sys
c:\windows\system32\xcchit32.ini.tmp
c:\windows\system32\w.exe
c:\windows\izamubaraxonug.dll
c:\windows\system32\grcrt.dll
c:\windows\system32\grcrt.exe
c:\windows\system32\grcrt2.exe
c:\windows\system32\tmpxccacj1.exe
c:\windows\system32\xcchit32.ini
c:\windows\system32\hsfd83jfdg.dll
c:\windows\Rnedadikuji.dll
c:\windows\system32\nwnuhldc.dll
c:\windows\system32\wmxrvz.dll
c:\windows\system32\rgsmrkfw.dll
c:\windows\system32\svEeMUvw.ini
c:\windows\system32\svEeMUvw.ini2
c:\windows\system32\wvUMeEvs.dll.vir
c:\windows\system32\urqOEUmj.dll
c:\windows\system32\nnnnOiiJ.dll
c:\windows\xccdf32_090131a.dll
c:\windows\ios.dat
c:\windows\system32\fejokt.dll
c:\windows\system32\nvaux32.dll
c:\windows\xccdf16_090131a.dll
C:\Documents and Settings\Me\Local Settings\temp\winlognn.exe
C:\WINDOWS\Rnedadikuji.dll
C:\WINDOWS\izamubaraxonug.dll
C:\WINDOWS\system32\hsfd83jfdg.dll
C:\WINDOWS\system32\wmxrvz.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
  • Now, click on Execute. Just say Yes at every prompt.
The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your reply.




NEXT


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:



It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here

If ComboFix asked you to install Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..



Post me these logs in your next reply..

1. The Avenger
2. Combo-Fix

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
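Added example, not part of this thread and not The Avenger's own tooling: a Python checker for the c:\avenger.txt log the steps above ask the poster to return. It pairs each script entry with its logged outcome, separates "already gone" results (STATUS_OBJECT_NAME_NOT_FOUND) from deletions that actually failed, and lists script targets the log never reports on. The sample log and script are constructed in the layout this thread uses; the success wording for drivers and the access-denied block are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout of the avenger.txt quoted later in this thread. The
# STATUS_ACCESS_DENIED block is constructed (its wording is assumed) to show a real failure.
SAMPLE_LOG = r"""Logfile of The Avenger Version 2.0, (c) by Swandog46

Error: could not open driver "mabidwe"
Disablement of driver "mabidwe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\drivers\c1af54a2.sys" deleted successfully.
File "c:\windows\system32\grcrt.dll" deleted successfully.

Error: could not delete file "c:\windows\system32\wmxrvz.dll"
Deletion of file "c:\windows\system32\wmxrvz.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)
--> access is denied
"""

# Constructed script in the same section layout as the one posted above (a subset of it).
SAMPLE_SCRIPT = r"""Drivers to disable:
mabidwe

Files to delete:
c:\windows\system32\drivers\c1af54a2.sys
c:\windows\system32\grcrt.dll
c:\windows\system32\wmxrvz.dll
c:\windows\ios.dat
"""

STATUS_NOT_FOUND = 0xC0000034  # NTSTATUS STATUS_OBJECT_NAME_NOT_FOUND

_FAILED = re.compile(r'^(Disablement|Deletion) of (driver|file|folder|registry key) "(.+)" failed!$')
_STATUS = re.compile(r'^Status: (0x[0-9A-Fa-f]+) \((\w+)\)$')
# Success wording for drivers/folders is assumed to mirror the "File ... deleted successfully." line.
_OK = re.compile(r'^(File|Driver|Folder|Registry key) "(.+)" (deleted|disabled) successfully\.$')


@dataclass
class Outcome:
    action: str                   # "delete" or "disable"
    kind: str                     # "driver", "file", "folder" or "registry key"
    target: str
    ok: bool
    status: Optional[int] = None  # NTSTATUS code on failure

    @property
    def already_absent(self) -> bool:
        """Failed only because the object was already gone before Avenger ran."""
        return (not self.ok) and self.status == STATUS_NOT_FOUND


def parse_log(text: str) -> List[Outcome]:
    """Turn avenger.txt into one Outcome per requested action, in log order."""
    outcomes: List[Outcome] = []
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        m = _OK.match(line)
        if m:
            kind, target, verb = m.groups()
            outcomes.append(Outcome("delete" if verb == "deleted" else "disable", kind.lower(), target, True))
            continue
        m = _FAILED.match(line)
        if m:
            verb, kind, target = m.groups()
            out = Outcome("delete" if verb == "Deletion" else "disable", kind, target, False)
            nxt = _STATUS.match(lines[i + 1]) if i + 1 < len(lines) else None  # NTSTATUS line follows
            if nxt:
                out.status = int(nxt.group(1), 16)
            outcomes.append(out)
    return outcomes


def triage(outcomes: List[Outcome]) -> Dict[str, List[str]]:
    """Bucket targets: removed, already gone before the run, or still present (needs follow-up)."""
    buckets: Dict[str, List[str]] = {"ok": [], "already_absent": [], "unresolved": []}
    for o in outcomes:
        key = "ok" if o.ok else ("already_absent" if o.already_absent else "unresolved")
        buckets[key].append(f"{o.action} {o.kind} {o.target}")
    return buckets


def missing_from_log(script_text: str, outcomes: List[Outcome]) -> List[str]:
    """Script targets for which the log records no outcome at all (paths compared case-insensitively)."""
    seen = {(o.action, o.kind, o.target.lower()) for o in outcomes}
    missing: List[str] = []
    section = None
    for line in filter(None, (ln.strip() for ln in script_text.splitlines())):
        if line.endswith(":"):  # e.g. "Files to delete:" -> action "delete", kind "file"
            kinds, action = line[:-1].lower().split(" to ")
            section = (action, kinds[:-1])
        elif section and (section[0], section[1], line.lower()) not in seen:
            missing.append(line)
    return missing
```

Run triage() on the real log to see which entries still need attention, and missing_from_log() against the pasted script to catch lines the tool skipped without reporting.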


#9 rceleexpt

rceleexpt
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:05:41 AM

Posted 20 February 2009 - 05:29 PM

Ok I downloaded the fixthis to the desktop, but when I try to run it, the Application is not found. I tried it again and it said Invalid menu handle.

Edited by rceleexpt, 20 February 2009 - 05:42 PM.


#10 rceleexpt

rceleexpt
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:05:41 AM

Posted 20 February 2009 - 11:03 PM

Alright, I ran the other two scans successfully.

Avenger:
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not open driver "afisicx"
Disablement of driver "afisicx" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open driver "mabidwe"
Disablement of driver "mabidwe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open driver "noytcyr"
Disablement of driver "noytcyr" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open driver "roytctm"
Disablement of driver "roytctm" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open driver "soxpeca"
Disablement of driver "soxpeca" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open driver "tdydowkc"
Disablement of driver "tdydowkc" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open driver "wsldoekd"
Disablement of driver "wsldoekd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open driver "c1af54a2"
Disablement of driver "c1af54a2" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\afisicx" not found!
Deletion of driver "afisicx" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\mabidwe" not found!
Deletion of driver "mabidwe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\noytcyr" not found!
Deletion of driver "noytcyr" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\roytctm" not found!
Deletion of driver "roytctm" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\soxpeca" not found!
Deletion of driver "soxpeca" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdydowkc" not found!
Deletion of driver "tdydowkc" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\wsldoekd" not found!
Deletion of driver "wsldoekd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\c1af54a2" not found!
Deletion of driver "c1af54a2" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\afisicx.exe" not found!
Deletion of file "c:\windows\system32\afisicx.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\mabidwe.exe" not found!
Deletion of file "c:\windows\system32\mabidwe.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\noytcyr.exe" not found!
Deletion of file "c:\windows\system32\noytcyr.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\roytctm.exe" not found!
Deletion of file "c:\windows\system32\roytctm.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\soxpeca.exe" not found!
Deletion of file "c:\windows\system32\soxpeca.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\tdydowkc.exe" not found!
Deletion of file "c:\windows\system32\tdydowkc.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\wsldoekd.exe" not found!
Deletion of file "c:\windows\system32\wsldoekd.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\drivers\c1af54a2.sys" deleted successfully.

Error: file "c:\windows\system32\xcchit32.ini.tmp" not found!
Deletion of file "c:\windows\system32\xcchit32.ini.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\w.exe" not found!
Deletion of file "c:\windows\system32\w.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\izamubaraxonug.dll" not found!
Deletion of file "c:\windows\izamubaraxonug.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\grcrt.dll" deleted successfully.
File "c:\windows\system32\grcrt.exe" deleted successfully.
File "c:\windows\system32\grcrt2.exe" deleted successfully.

Error: file "c:\windows\system32\tmpxccacj1.exe" not found!
Deletion of file "c:\windows\system32\tmpxccacj1.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\xcchit32.ini" not found!
Deletion of file "c:\windows\system32\xcchit32.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\hsfd83jfdg.dll" not found!
Deletion of file "c:\windows\system32\hsfd83jfdg.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\Rnedadikuji.dll" not found!
Deletion of file "c:\windows\Rnedadikuji.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\nwnuhldc.dll" deleted successfully.

Error: file "c:\windows\system32\wmxrvz.dll" not found!
Deletion of file "c:\windows\system32\wmxrvz.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\rgsmrkfw.dll" not found!
Deletion of file "c:\windows\system32\rgsmrkfw.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\svEeMUvw.ini" not found!
Deletion of file "c:\windows\system32\svEeMUvw.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\svEeMUvw.ini2" not found!
Deletion of file "c:\windows\system32\svEeMUvw.ini2" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\wvUMeEvs.dll.vir" deleted successfully.

Error: file "c:\windows\system32\urqOEUmj.dll" not found!
Deletion of file "c:\windows\system32\urqOEUmj.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\nnnnOiiJ.dll" deleted successfully.

Error: file "c:\windows\xccdf32_090131a.dll" not found!
Deletion of file "c:\windows\xccdf32_090131a.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\ios.dat" not found!
Deletion of file "c:\windows\ios.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\fejokt.dll" not found!
Deletion of file "c:\windows\system32\fejokt.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\nvaux32.dll" not found!
Deletion of file "c:\windows\system32\nvaux32.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\xccdf16_090131a.dll" not found!
Deletion of file "c:\windows\xccdf16_090131a.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Documents and Settings\Me\Local Settings\temp\winlognn.exe" not found!
Deletion of file "C:\Documents and Settings\Me\Local Settings\temp\winlognn.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\Rnedadikuji.dll" not found!
Deletion of file "C:\WINDOWS\Rnedadikuji.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\izamubaraxonug.dll" not found!
Deletion of file "C:\WINDOWS\izamubaraxonug.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\hsfd83jfdg.dll" not found!
Deletion of file "C:\WINDOWS\system32\hsfd83jfdg.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\wmxrvz.dll" not found!
Deletion of file "C:\WINDOWS\system32\wmxrvz.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

Combo-Fix:
ComboFix 09-02-19.01 - Administrator 2009-02-20 22:26:34.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.831 [GMT -5:00]
Running from: D:\Combo-Fix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Me\Favorites\Cheap Pharmacy Online.url
c:\documents and settings\Me\Favorites\Search Online.url
c:\documents and settings\Me\Favorites\SMS TRAP.url
c:\documents and settings\Me\Favorites\VIP Casino.url
c:\documents and settings\Me\Start Menu\Cheap Pharmacy Online.url
c:\documents and settings\Me\Start Menu\Search Online.url
c:\documents and settings\Me\Start Menu\SMS TRAP.url
c:\documents and settings\Me\Start Menu\VIP Casino.url
c:\recycler\ADAPT_Installer.exe
c:\windows\Install.txt
c:\windows\system32\afisicx.exe
c:\windows\system32\c.ico
c:\windows\system32\comsa32.sys
c:\windows\system32\drivers\UACxvrgkvxf.sys
c:\windows\system32\fejokt.dll
c:\windows\system32\inf\rundll33.exe
c:\windows\system32\inf\xccdfb16_090131.dll
c:\windows\system32\inf\xccefb090131.scr
c:\windows\system32\m.ico
c:\windows\system32\m3.ico
c:\windows\system32\mabidwe.exe
c:\windows\system32\noytcyr.exe
c:\windows\system32\nvaux32.dll
c:\windows\system32\p.ico
c:\windows\system32\rgsmrkfw.dll
c:\windows\system32\roytctm.exe
c:\windows\system32\s.ico
c:\windows\system32\sf.ico
c:\windows\system32\soxpeca.exe
c:\windows\system32\svEeMUvw.ini
c:\windows\system32\svEeMUvw.ini2
c:\windows\system32\tdydowkc.exe
c:\windows\system32\tmpxccacj1.exe
c:\windows\system32\tpszxyd.sys
c:\windows\system32\UACaoydkrjl.dll
c:\windows\system32\UACecymujxv.dll
c:\windows\system32\UACmpybwwep.dll
c:\windows\system32\UACpjdalnmf.log
c:\windows\system32\UACqqhfatjb.dll
c:\windows\system32\UACqxqqaaac.log
c:\windows\system32\UACtmdpmppa.dat
c:\windows\system32\UACvdgkdubh.log
c:\windows\system32\udxfytw.sys
c:\windows\system32\urqOEUmj.dll
c:\windows\system32\w.exe
c:\windows\system32\wsldoekd.exe
c:\windows\system32\xcchit32.ini
c:\windows\Tasks\emrcxmte.job
c:\windows\Temp\3750265640.exe
c:\windows\Temp\3760265640.exe
c:\windows\xccdf16_090131a.dll
c:\windows\xccdf32_090131a.dll
c:\windows\xccwinsys.ini

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_uacd.sys
-------\Legacy_afisicx
-------\Legacy_mabidwe
-------\Legacy_noytcyr
-------\Legacy_roytctm
-------\Legacy_soxpeca
-------\Legacy_tdydowkc
-------\Legacy_wsldoekd


((((((((((((((((((((((((( Files Created from 2009-01-21 to 2009-02-21 )))))))))))))))))))))))))))))))
.

2009-02-20 21:46 . 2009-02-20 21:46 135,168 --a------ C:\zip.exe
2009-02-20 21:46 . 2009-02-20 21:46 19,286 --a------ C:\cleanup.exe
2009-02-20 21:46 . 2009-02-20 21:46 16,268 --a------ C:\backup.reg
2009-02-20 21:46 . 2009-02-20 21:46 574 --a------ C:\cleanup.bat
2009-02-16 20:30 . 2009-02-17 11:08 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-16 20:30 . 2009-02-16 20:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-16 20:30 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-16 20:30 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-16 19:26 . 2009-02-16 19:45 <DIR> d-------- c:\program files\Advanced Spyware Remover
2009-02-16 18:13 . 2009-02-16 18:13 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Talkback
2009-02-15 21:38 . 2009-02-15 21:38 80,384 --a------ c:\windows\system32\grcrt.exe
2009-02-15 21:38 . 2009-02-20 21:49 40,960 --a------ c:\windows\system32\grcrt.dll
2009-02-15 21:38 . 2009-02-15 21:38 26,624 --a------ c:\windows\system32\grcrt2.exe
2009-02-14 15:54 . 2009-02-15 21:47 5,189 --a------ c:\windows\system32\uacinit.dll
2009-02-14 15:52 . 2009-02-20 22:27 <DIR> d-------- c:\windows\system32\inf
2009-02-14 15:52 . 2009-02-14 15:52 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-02-14 15:52 . 2009-02-14 15:52 215,552 --a--c--- c:\windows\system32\dllcache\termsrv.dll
2009-02-14 15:52 . 2009-02-14 15:52 204,800 --a------ c:\windows\system32\azton.mt
2009-02-14 15:52 . 2009-02-14 15:52 155,156 --a------ c:\windows\system\xccef090131.exe
2009-02-14 15:52 . 2009-02-14 15:52 64,512 --a------ c:\windows\system32\wer3.pf
2009-02-14 15:52 . 2009-02-14 15:52 32,768 --a------ c:\windows\system32\febbn.wa
2009-02-14 15:52 . 2009-02-16 18:37 0 --a------ c:\windows\system32\drivers\c1af54a2.sys
2009-02-14 15:51 . 2009-02-14 15:51 72,704 --a------ c:\windows\system32\nwnuhldc.dll
2009-02-14 15:50 . 2009-02-14 15:50 302,592 --a------ c:\windows\system32\wvUMeEvs.dll.vir
2009-02-14 15:45 . 2009-02-14 15:45 36,352 --a------ c:\windows\system32\nnnnOiiJ.dll
2009-02-12 11:28 . 2009-02-12 11:28 <DIR> d-------- c:\documents and settings\Me\Application Data\Unity
2009-02-12 10:44 . 2009-02-12 10:44 <DIR> d-------- c:\program files\Unity

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 02:57 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-21 02:56 --------- d-----w c:\program files\Spyware Doctor
2009-02-12 05:34 --------- d-----w c:\program files\World of Warcraft
2009-02-12 02:37 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-24 04:41 --------- d-----w c:\documents and settings\Me\Application Data\Ventrilo
2009-01-16 14:33 --------- d-----w c:\documents and settings\Me\Application Data\Viewpoint
2009-01-04 22:05 --------- d-----w c:\program files\Ventrilo
2009-01-04 22:03 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-22 20:06 --------- d-----w c:\documents and settings\Me\Application Data\SPORE
2008-08-17 23:05 24 ----a-w c:\documents and settings\Me\jagex_runescape_preferences.dat
2008-11-25 04:49 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-11-25 04:49 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-25 04:49 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-11-25 04:49 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-11-25 04:49 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-09-16 22:28 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091620080917\index.dat
.
c:\windows\system32\user32.dll ... is infected !!
577,024 2005-03-02 18:19:56 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
578,048 2007-03-08 15:48:36 c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
577,536 2007-03-08 15:36:28 c:\windows\$NtServicePackUninstall$\user32.dll
577,024 2004-08-04 12:00:00 c:\windows\$NtUninstallKB890859$\user32.dll
577,024 2005-03-02 18:09:30 c:\windows\$NtUninstallKB925902$\user32.dll
578,560 2008-04-14 00:12:08 c:\windows\ServicePackFiles\i386\user32.dll
578,560 2009-02-14 20:52:25 c:\windows\system32\user32.DLL
578,560 2009-02-14 20:52:25 c:\windows\system32\dllcache\user32.dll


------- Sigcheck -------

2005-03-02 13:19 577024 1800f293bccc8ede8a70e12b88d80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 10:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
2007-03-08 10:36 577536 b409909f6e2e8a7067076ed748abf1e7 c:\windows\$NtServicePackUninstall$\user32.dll
2004-08-04 07:00 577024 c72661f8552ace7c5c85e16a3cf505c4 c:\windows\$NtUninstallKB890859$\user32.dll
2005-03-02 13:09 577024 de2db164bbb35db061af0997e4499054 c:\windows\$NtUninstallKB925902$\user32.dll
2008-04-13 19:12 578560 b26b135ff1b9f60c9388b4a7d16f600b c:\windows\ServicePackFiles\i386\user32.dll
2009-02-14 15:52 578560 9914af11e07710e2caf26c0ea07d4649 c:\windows\system32\user32.DLL
2009-02-14 15:52 578560 9914af11e07710e2caf26c0ea07d4649 c:\windows\system32\dllcache\user32.dll

2004-08-04 07:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-13 19:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
2009-02-14 15:52 215552 a77219a971029dc2fb683e8513713803 c:\windows\system32\termsrv.dll
2009-02-14 15:52 215552 a77219a971029dc2fb683e8513713803 c:\windows\system32\dllcache\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NeroHomeFirstStart"="c:\program files\Common Files\Ahead\Lib\NMFirstStart.exe" [2007-04-24 16432]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-15 153136]
"DeskTopSrv"="c:\windows\system32\grcrt.exe" [2009-02-15 80384]
"CTHelper"="CTHELPER.EXE" [2006-08-11 c:\windows\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 c:\windows\system32\CTXFIHLP.EXE]
"Mouse Suite 98 Daemon"="ICO.EXE" [2007-05-16 c:\windows\system32\ico.exe]

c:\documents and settings\Me\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wmxrvz.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\matrix31290.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpa.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpb.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpc.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:*:Disabled:HTTP
"21:TCP"= 21:TCP:*:Disabled:FTP
"443:TCP"= 443:TCP:*:Disabled:HTTPS
"6112:TCP"= 6112:TCP:Blizzard Downloader
"6881:TCP"= 6881:TCP:Blizzard downloader
"6882:TCP"= 6882:TCP:Blizzard downloader
"6883:TCP"= 6883:TCP:Blizzard downloader
"6884:TCP"= 6884:TCP:Blizzard downloader
"6885:TCP"= 6885:TCP:Blizzard downloader
"6886:TCP"= 6886:TCP:Blizzard downloader
"6887:UDP"= 6887:UDP:Blizzard downloader
"6888:TCP"= 6888:TCP:Blizzard downloader
"6889:UDP"= 6889:UDP:Blizzard downloader
"6890:UDP"= 6890:UDP:Blizzard downloader
"6891:TCP"= 6891:TCP:Blizzard downloader
"6892:TCP"= 6892:TCP:Blizzard downloader
"6893:TCP"= 6893:TCP:Blizzard downloader
"6894:TCP"= 6894:TCP:Blizzard downloader
"6895:TCP"= 6895:TCP:Blizzard downloader
"6896:TCP"= 6896:TCP:Blizzard downloader
"6897:TCP"= 6897:TCP:Blizzard downloader
"6898:TCP"= 6898:TCP:Blizzard downloader
"6899:TCP"= 6899:TCP:Blizzard downloader
"6990:TCP"= 6990:TCP:Blizzard downloader
"6900:TCP"= 6900:TCP:Blizzard downloader
"6901:TCP"= 6901:TCP:Blizzard downloader
"6902:TCP"= 6902:TCP:Blizzard downloader
"6903:TCP"= 6903:TCP:Blizzard downloader
"6904:TCP"= 6904:TCP:Blizzard downloader
"6905:TCP"= 6905:TCP:Blizzard downloader
"6906:TCP"= 6906:TCP:Blizzard downloader
"6907:TCP"= 6907:TCP:Blizzard downloader
"6908:TCP"= 6908:TCP:Blizzard downloader
"6909:TCP"= 6909:TCP:Blizzard downloader
"6910:TCP"= 6910:TCP:Blizzard downloader
"6911:TCP"= 6911:TCP:Blizzard downloader
"6912:TCP"= 6912:TCP:Blizzard downloader
"6913:TCP"= 6913:TCP:Blizzard downloader
"6914:TCP"= 6914:TCP:Blizzard downloader
"6916:TCP"= 6916:TCP:Blizzard downloader
"6915:TCP"= 6915:TCP:Blizzard downloader
"6917:TCP"= 6917:TCP:Blizzard downloader
"6918:TCP"= 6918:TCP:Blizzard downloader
"6919:UDP"= 6919:UDP:Blizzard downloader
"6920:TCP"= 6920:TCP:Blizzard downloader
"6921:UDP"= 6921:UDP:Blizzard downloader
"6922:UDP"= 6922:UDP:Blizzard downloader
"6923:TCP"= 6923:TCP:Blizzard downloader
"6924:TCP"= 6924:TCP:Blizzard downloader
"6925:TCP"= 6925:TCP:Blizzard downloader
"6926:TCP"= 6926:TCP:Blizzard downloader
"6927:TCP"= 6927:TCP:Blizzard downloader
"6928:TCP"= 6928:TCP:Blizzard downloader
"6929:TCP"= 6929:TCP:Blizzard downloader
"6930:TCP"= 6930:TCP:Blizzard downloader
"6931:TCP"= 6931:TCP:Blizzard downloader
"6932:TCP"= 6932:TCP:Blizzard downloader
"6933:TCP"= 6933:TCP:Blizzard downloader
"6934:TCP"= 6934:TCP:Blizzard downloader
"6935:TCP"= 6935:TCP:Blizzard downloader
"6936:TCP"= 6936:TCP:Blizzard downloader
"6937:TCP"= 6937:TCP:Blizzard downloader
"6938:TCP"= 6938:TCP:Blizzard downloader
"6939:TCP"= 6939:TCP:Blizzard downloader
"6940:TCP"= 6940:TCP:Blizzard downloader
"6941:TCP"= 6941:TCP:Blizzard downloader
"6942:TCP"= 6942:TCP:Blizzard downloader
"6943:TCP"= 6943:TCP:Blizzard downloader
"6944:TCP"= 6944:TCP:Blizzard downloader
"6945:TCP"= 6945:TCP:Blizzard downloader
"6946:TCP"= 6946:TCP:Blizzard downloader
"6947:TCP"= 6947:TCP:Blizzard downloader
"6948:TCP"= 6948:TCP:Blizzard downloader
"6949:TCP"= 6949:TCP:Blizzard downloader
"6950:TCP"= 6950:TCP:Blizzard downloader
"6951:TCP"= 6951:TCP:Blizzard downloader
"6952:UDP"= 6952:UDP:Blizzard downloader
"6953:TCP"= 6953:TCP:Blizzard downloader
"6954:TCP"= 6954:TCP:Blizzard downloader
"6955:TCP"= 6955:TCP:Blizzard downloader
"6956:TCP"= 6956:TCP:Blizzard downloader
"6957:TCP"= 6957:TCP:Blizzard downloader
"6958:TCP"= 6958:TCP:Blizzard downloader
"6959:TCP"= 6959:TCP:Blizzard downloader
"6960:TCP"= 6960:TCP:Blizzard downloader
"6961:TCP"= 6961:TCP:Blizzard downloader
"6962:TCP"= 6962:TCP:Blizzard downloader
"6963:TCP"= 6963:TCP:Blizzard downloader
"6964:TCP"= 6964:TCP:Blizzard downloader
"6965:TCP"= 6965:TCP:Blizzard downloader
"6966:TCP"= 6966:TCP:Blizzard downloader
"6967:TCP"= 6967:TCP:Blizzard downloader
"6968:TCP"= 6968:TCP:Blizzard downloader
"6969:TCP"= 6969:TCP:Blizzard downloader
"6970:TCP"= 6970:TCP:Blizzard downloader
"6971:TCP"= 6971:TCP:Blizzard downloader
"6972:TCP"= 6972:TCP:Blizzard downloader
"6973:TCP"= 6973:TCP:Blizzard downloader
"6974:TCP"= 6974:TCP:Blizzard downloader
"6975:TCP"= 6975:TCP:Blizzard downloader
"6976:TCP"= 6976:TCP:Blizzard downloader
"6977:TCP"= 6977:TCP:Blizzard downloader
"6978:TCP"= 6978:TCP:Blizzard downloader
"6980:TCP"= 6980:TCP:Blizzard downloader
"6981:TCP"= 6981:TCP:Blizzard downloader
"6982:TCP"= 6982:TCP:Blizzard downloader
"6983:TCP"= 6983:TCP:Blizzard downloader
"6984:TCP"= 6984:TCP:Blizzard downloader
"6985:TCP"= 6985:TCP:Blizzard downloader
"6986:TCP"= 6986:TCP:Blizzard downloader
"6987:TCP"= 6987:TCP:Blizzard downloader
"6988:TCP"= 6988:TCP:Blizzard downloader
"6989:TCP"= 6989:TCP:Blizzard downloader
"6991:TCP"= 6991:TCP:Blizzard downloader
"6992:TCP"= 6992:TCP:Blizzard downloader
"6993:TCP"= 6993:TCP:Blizzard downloader
"6994:TCP"= 6994:TCP:Blizzard downloader
"6995:TCP"= 6995:TCP:Blizzard downloader
"6996:TCP"= 6996:TCP:Blizzard downloader
"6997:TCP"= 6997:TCP:Blizzard downloader
"6998:TCP"= 6998:TCP:Blizzard downloader
"6999:TCP"= 6999:TCP:Blizzard downloader
"1394:TCP"= 1394:TCP:internet
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2008-07-17 160792]
R3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [2008-01-16 17408]
R3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\pelusblf.sys [2008-01-16 7680]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-02-11 24652]
S3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\PavSRK.sys --> c:\windows\system32\PavSRK.sys [?]
S3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\PavTPK.sys --> c:\windows\system32\PavTPK.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-07-17 337800]
.
Contents of the 'Scheduled Tasks' folder

2007-06-18 c:\windows\Tasks\MP Scheduled Quick Scan.job
- c:\program files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{C5BF49A2-94F3-42BD-F434-3604812C8955} - c:\windows\system32\hsfd83jfdg.dll
HKLM-Run-Lqirakucad - c:\windows\Rnedadikuji.dll
HKLM-Run-jsf8uiw3jnjgffght - c:\docume~1\Me\LOCALS~1\Temp\winlognn.exe
HKLM-Run-Vnuloyivoqububuk - c:\windows\izamubaraxonug.dll
HKLM-Explorer_Run-xccinit - c:\windows\system32\inf\rundll33.exe
SharedTaskScheduler-{C5BF49A2-94F3-42BD-F434-3604812C8955} - c:\windows\system32\hsfd83jfdg.dll


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\5v8fbuhj.default\
FF - component: c:\documents and settings\All Users\Application Data\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\documents and settings\All Users\Application Data\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-20 22:35:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(600)
c:\windows\SYSTEM32\Ati2evxx.dll
.
Completion time: 2009-02-20 22:38:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-21 03:38:01

Pre-Run: 61,361,864,704 bytes free
Post-Run: 62,668,177,408 bytes free

378 --- E O F --- 2009-02-12 02:38:59

#11 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:05:41 PM

Posted 21 February 2009 - 01:20 AM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

FCopy::
c:\windows\ServicePackFiles\i386\user32.dll | c:\windows\system32\user32.DLL

Driver::
c1af54a2

File::
C:\zip.exe
C:\cleanup.exe
C:\backup.reg
C:\cleanup.bat
c:\windows\system32\grcrt.exe
c:\windows\system32\grcrt.dll
c:\windows\system32\grcrt2.exe
c:\windows\system32\uacinit.dll
c:\windows\system\xccef090131.exe
c:\windows\system32\wer3.pf
c:\windows\system32\febbn.wa
c:\windows\system32\drivers\c1af54a2.sys
c:\windows\system32\nwnuhldc.dll
c:\windows\system32\wvUMeEvs.dll.vir
c:\windows\system32\nnnnOiiJ.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\matrix31290.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpa.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpb.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpc.exe]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

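The Registry:: section of that script targets two persistence mechanisms worth recognising on sight: an Image File Execution Options subkey for a program name (a.exe, matrix31290.exe, ~tmpa.exe and so on) whose "Debugger" value makes Windows launch a different binary every time that program is started, and a populated AppInit_DLLs value, which loads the named DLL into every process that maps user32.dll. The earlier log's ORPHANS REMOVED list shows a third one, a Run entry launching from the user's Temp folder. As an added example that is not part of the post or of ComboFix, the following script audits a REGEDIT4-style export for all three. The sample export is constructed for illustration (it borrows names from the thread but is not a real export from the infected machine), and only string values are parsed; dword and hex values are ignored.

```python
"""Audit a REGEDIT4 (.reg) export for three persistence mechanisms:
an IFEO "Debugger" value, a populated AppInit_DLLs value, and a
Run/RunOnce entry that starts something from a Temp folder.
Added example, not ComboFix code. SAMPLE_EXPORT is constructed."""
import re

SAMPLE_EXPORT = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="c:\\windows\\system32\\uacinit.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe]
"Debugger"="c:\\windows\\system32\\inf\\rundll33.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableHeapLookaside"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"jsf8uiw3jnjgffght"="c:\\docume~1\\Me\\LOCALS~1\\Temp\\winlognn.exe"
"ctfmon.exe"="c:\\windows\\system32\\ctfmon.exe"
"""

# Key paths are compared lower-cased; the IFEO prefix ends with a backslash so
# that the remainder of the path is the hijacked program name.
IFEO_PREFIX = (r"hkey_local_machine\software\microsoft\windows nt\currentversion"
               r"\image file execution options" "\\")
WINDOWS_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?$")
TEMP_RE = re.compile(r"\\(locals~1|local settings)\\temp\\", re.IGNORECASE)
VALUE_RE = re.compile(r'^(?:"([^"]*)"|@)\s*=\s*"(.*)"$')  # "name"="data" or @="data"


def parse_reg_export(text):
    """Return {key_path_lower: {value_name_lower: data}} for string values only.
    .reg files escape backslashes and quotes inside data; both are unescaped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line.upper().startswith("REGEDIT")
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = (m.group(1) if m.group(1) is not None else "@").lower()
            keys[current][name] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return keys


def audit(keys):
    """Return (kind, name, data) tuples for each suspicious entry."""
    findings = []
    for path, values in keys.items():
        if path.startswith(IFEO_PREFIX) and "debugger" in values:
            findings.append(("ifeo_debugger", path[len(IFEO_PREFIX):], values["debugger"]))
        if path == WINDOWS_KEY and values.get("appinit_dlls", "").strip():
            findings.append(("appinit_dlls", "appinit_dlls", values["appinit_dlls"]))
        if RUN_KEY_RE.search(path):
            for name, cmd in values.items():
                if TEMP_RE.search(cmd):
                    findings.append(("run_from_temp", name, cmd))
    return findings


def audit_export(text):
    return audit(parse_reg_export(text))


if __name__ == "__main__":
    for kind, name, data in audit_export(SAMPLE_EXPORT):
        print(f"{kind:15} {name:24} -> {data}")
```

An IFEO subkey is not suspicious on its own (the notepad.exe key in the sample, with only a heap setting, is ignored); the "Debugger" value is what matters. Note that the CFScript deletes the IFEO keys outright rather than clearing the value, which is the right call for names that match no legitimate program.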

#12 rceleexpt

rceleexpt
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:05:41 AM

Posted 21 February 2009 - 07:39 AM

ComboFix 09-02-19.01 - Administrator 2009-02-21 7:31:08.3 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.800 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)

FILE ::
C:\backup.reg
C:\cleanup.bat
C:\cleanup.exe
c:\windows\system\xccef090131.exe
c:\windows\system32\drivers\c1af54a2.sys
c:\windows\system32\febbn.wa
c:\windows\system32\grcrt.dll
c:\windows\system32\grcrt.exe
c:\windows\system32\grcrt2.exe
c:\windows\system32\nnnnOiiJ.dll
c:\windows\system32\nwnuhldc.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\wer3.pf
c:\windows\system32\wvUMeEvs.dll.vir
C:\zip.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\user32.dll --> c:\windows\system32\user32.DLL
.
((((((((((((((((((((((((( Files Created from 2009-01-21 to 2009-02-21 )))))))))))))))))))))))))))))))
.

2009-02-16 20:30 . 2009-02-17 11:08 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-16 20:30 . 2009-02-16 20:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-16 20:30 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-16 20:30 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-16 19:26 . 2009-02-16 19:45 <DIR> d-------- c:\program files\Advanced Spyware Remover
2009-02-16 18:13 . 2009-02-16 18:13 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Talkback
2009-02-14 15:52 . 2009-02-20 22:27 <DIR> d-------- c:\windows\system32\inf
2009-02-14 15:52 . 2009-02-14 15:52 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-02-14 15:52 . 2009-02-14 15:52 215,552 --a--c--- c:\windows\system32\dllcache\termsrv.dll
2009-02-14 15:52 . 2009-02-14 15:52 204,800 --a------ c:\windows\system32\azton.mt
2009-02-12 11:28 . 2009-02-12 11:28 <DIR> d-------- c:\documents and settings\Me\Application Data\Unity
2009-02-12 10:44 . 2009-02-12 10:44 <DIR> d-------- c:\program files\Unity

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 02:57 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-21 02:56 --------- d-----w c:\program files\Spyware Doctor
2009-02-12 05:34 --------- d-----w c:\program files\World of Warcraft
2009-02-12 02:37 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-24 04:41 --------- d-----w c:\documents and settings\Me\Application Data\Ventrilo
2009-01-16 14:33 --------- d-----w c:\documents and settings\Me\Application Data\Viewpoint
2009-01-04 22:05 --------- d-----w c:\program files\Ventrilo
2009-01-04 22:03 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-22 20:06 --------- d-----w c:\documents and settings\Me\Application Data\SPORE
2008-08-17 23:05 24 ----a-w c:\documents and settings\Me\jagex_runescape_preferences.dat
2008-11-25 04:49 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-11-25 04:49 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-25 04:49 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-11-25 04:49 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-11-25 04:49 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-09-16 22:28 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091620080917\index.dat
.

------- Sigcheck -------

2004-08-04 07:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-13 19:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
2009-02-14 15:52 215552 a77219a971029dc2fb683e8513713803 c:\windows\system32\termsrv.dll
2009-02-14 15:52 215552 a77219a971029dc2fb683e8513713803 c:\windows\system32\dllcache\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NeroHomeFirstStart"="c:\program files\Common Files\Ahead\Lib\NMFirstStart.exe" [2007-04-24 16432]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-15 153136]
"CTHelper"="CTHELPER.EXE" [2006-08-11 c:\windows\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 c:\windows\system32\CTXFIHLP.EXE]
"Mouse Suite 98 Daemon"="ICO.EXE" [2007-05-16 c:\windows\system32\ico.exe]

c:\documents and settings\Me\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:*:Disabled:HTTP
"21:TCP"= 21:TCP:*:Disabled:FTP
"443:TCP"= 443:TCP:*:Disabled:HTTPS
"6112:TCP"= 6112:TCP:Blizzard Downloader
"6881:TCP"= 6881:TCP:Blizzard downloader
"6882:TCP"= 6882:TCP:Blizzard downloader
"6883:TCP"= 6883:TCP:Blizzard downloader
"6884:TCP"= 6884:TCP:Blizzard downloader
"6885:TCP"= 6885:TCP:Blizzard downloader
"6886:TCP"= 6886:TCP:Blizzard downloader
"6887:UDP"= 6887:UDP:Blizzard downloader
"6888:TCP"= 6888:TCP:Blizzard downloader
"6889:UDP"= 6889:UDP:Blizzard downloader
"6890:UDP"= 6890:UDP:Blizzard downloader
"6891:TCP"= 6891:TCP:Blizzard downloader
"6892:TCP"= 6892:TCP:Blizzard downloader
"6893:TCP"= 6893:TCP:Blizzard downloader
"6894:TCP"= 6894:TCP:Blizzard downloader
"6895:TCP"= 6895:TCP:Blizzard downloader
"6896:TCP"= 6896:TCP:Blizzard downloader
"6897:TCP"= 6897:TCP:Blizzard downloader
"6898:TCP"= 6898:TCP:Blizzard downloader
"6899:TCP"= 6899:TCP:Blizzard downloader
"6990:TCP"= 6990:TCP:Blizzard downloader
"6900:TCP"= 6900:TCP:Blizzard downloader
"6901:TCP"= 6901:TCP:Blizzard downloader
"6902:TCP"= 6902:TCP:Blizzard downloader
"6903:TCP"= 6903:TCP:Blizzard downloader
"6904:TCP"= 6904:TCP:Blizzard downloader
"6905:TCP"= 6905:TCP:Blizzard downloader
"6906:TCP"= 6906:TCP:Blizzard downloader
"6907:TCP"= 6907:TCP:Blizzard downloader
"6908:TCP"= 6908:TCP:Blizzard downloader
"6909:TCP"= 6909:TCP:Blizzard downloader
"6910:TCP"= 6910:TCP:Blizzard downloader
"6911:TCP"= 6911:TCP:Blizzard downloader
"6912:TCP"= 6912:TCP:Blizzard downloader
"6913:TCP"= 6913:TCP:Blizzard downloader
"6914:TCP"= 6914:TCP:Blizzard downloader
"6916:TCP"= 6916:TCP:Blizzard downloader
"6915:TCP"= 6915:TCP:Blizzard downloader
"6917:TCP"= 6917:TCP:Blizzard downloader
"6918:TCP"= 6918:TCP:Blizzard downloader
"6919:UDP"= 6919:UDP:Blizzard downloader
"6920:TCP"= 6920:TCP:Blizzard downloader
"6921:UDP"= 6921:UDP:Blizzard downloader
"6922:UDP"= 6922:UDP:Blizzard downloader
"6923:TCP"= 6923:TCP:Blizzard downloader
"6924:TCP"= 6924:TCP:Blizzard downloader
"6925:TCP"= 6925:TCP:Blizzard downloader
"6926:TCP"= 6926:TCP:Blizzard downloader
"6927:TCP"= 6927:TCP:Blizzard downloader
"6928:TCP"= 6928:TCP:Blizzard downloader
"6929:TCP"= 6929:TCP:Blizzard downloader
"6930:TCP"= 6930:TCP:Blizzard downloader
"6931:TCP"= 6931:TCP:Blizzard downloader
"6932:TCP"= 6932:TCP:Blizzard downloader
"6933:TCP"= 6933:TCP:Blizzard downloader
"6934:TCP"= 6934:TCP:Blizzard downloader
"6935:TCP"= 6935:TCP:Blizzard downloader
"6936:TCP"= 6936:TCP:Blizzard downloader
"6937:TCP"= 6937:TCP:Blizzard downloader
"6938:TCP"= 6938:TCP:Blizzard downloader
"6939:TCP"= 6939:TCP:Blizzard downloader
"6940:TCP"= 6940:TCP:Blizzard downloader
"6941:TCP"= 6941:TCP:Blizzard downloader
"6942:TCP"= 6942:TCP:Blizzard downloader
"6943:TCP"= 6943:TCP:Blizzard downloader
"6944:TCP"= 6944:TCP:Blizzard downloader
"6945:TCP"= 6945:TCP:Blizzard downloader
"6946:TCP"= 6946:TCP:Blizzard downloader
"6947:TCP"= 6947:TCP:Blizzard downloader
"6948:TCP"= 6948:TCP:Blizzard downloader
"6949:TCP"= 6949:TCP:Blizzard downloader
"6950:TCP"= 6950:TCP:Blizzard downloader
"6951:TCP"= 6951:TCP:Blizzard downloader
"6952:UDP"= 6952:UDP:Blizzard downloader
"6953:TCP"= 6953:TCP:Blizzard downloader
"6954:TCP"= 6954:TCP:Blizzard downloader
"6955:TCP"= 6955:TCP:Blizzard downloader
"6956:TCP"= 6956:TCP:Blizzard downloader
"6957:TCP"= 6957:TCP:Blizzard downloader
"6958:TCP"= 6958:TCP:Blizzard downloader
"6959:TCP"= 6959:TCP:Blizzard downloader
"6960:TCP"= 6960:TCP:Blizzard downloader
"6961:TCP"= 6961:TCP:Blizzard downloader
"6962:TCP"= 6962:TCP:Blizzard downloader
"6963:TCP"= 6963:TCP:Blizzard downloader
"6964:TCP"= 6964:TCP:Blizzard downloader
"6965:TCP"= 6965:TCP:Blizzard downloader
"6966:TCP"= 6966:TCP:Blizzard downloader
"6967:TCP"= 6967:TCP:Blizzard downloader
"6968:TCP"= 6968:TCP:Blizzard downloader
"6969:TCP"= 6969:TCP:Blizzard downloader
"6970:TCP"= 6970:TCP:Blizzard downloader
"6971:TCP"= 6971:TCP:Blizzard downloader
"6972:TCP"= 6972:TCP:Blizzard downloader
"6973:TCP"= 6973:TCP:Blizzard downloader
"6974:TCP"= 6974:TCP:Blizzard downloader
"6975:TCP"= 6975:TCP:Blizzard downloader
"6976:TCP"= 6976:TCP:Blizzard downloader
"6977:TCP"= 6977:TCP:Blizzard downloader
"6978:TCP"= 6978:TCP:Blizzard downloader
"6980:TCP"= 6980:TCP:Blizzard downloader
"6981:TCP"= 6981:TCP:Blizzard downloader
"6982:TCP"= 6982:TCP:Blizzard downloader
"6983:TCP"= 6983:TCP:Blizzard downloader
"6984:TCP"= 6984:TCP:Blizzard downloader
"6985:TCP"= 6985:TCP:Blizzard downloader
"6986:TCP"= 6986:TCP:Blizzard downloader
"6987:TCP"= 6987:TCP:Blizzard downloader
"6988:TCP"= 6988:TCP:Blizzard downloader
"6989:TCP"= 6989:TCP:Blizzard downloader
"6991:TCP"= 6991:TCP:Blizzard downloader
"6992:TCP"= 6992:TCP:Blizzard downloader
"6993:TCP"= 6993:TCP:Blizzard downloader
"6994:TCP"= 6994:TCP:Blizzard downloader
"6995:TCP"= 6995:TCP:Blizzard downloader
"6996:TCP"= 6996:TCP:Blizzard downloader
"6997:TCP"= 6997:TCP:Blizzard downloader
"6998:TCP"= 6998:TCP:Blizzard downloader
"6999:TCP"= 6999:TCP:Blizzard downloader
"1394:TCP"= 1394:TCP:internet
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2008-07-17 160792]
R3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [2008-01-16 17408]
R3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\pelusblf.sys [2008-01-16 7680]
S0 gpzmlee;gpzmlee;c:\windows\system32\drivers\rjlftkf.sys --> c:\windows\system32\drivers\rjlftkf.sys [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-02-11 24652]
S3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\PavSRK.sys --> c:\windows\system32\PavSRK.sys [?]
S3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\PavTPK.sys --> c:\windows\system32\PavTPK.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-07-17 337800]
.
Contents of the 'Scheduled Tasks' folder

2007-06-18 c:\windows\Tasks\MP Scheduled Quick Scan.job
- c:\program files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe []
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\5v8fbuhj.default\
FF - component: c:\documents and settings\All Users\Application Data\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\documents and settings\All Users\Application Data\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-21 07:34:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(608)
c:\windows\SYSTEM32\Ati2evxx.dll
.
Completion time: 2009-02-21 7:37:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-21 12:37:28
ComboFix2.txt 2009-02-21 12:26:56
ComboFix3.txt 2009-02-21 03:38:04

Pre-Run: 62,655,750,144 bytes free
Post-Run: 62,640,168,960 bytes free

281 --- E O F --- 2009-02-12 02:38:59

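The Sigcheck block in that log is the most telling part of it. On an XP SP3 machine the copy of a system file under ServicePackFiles\i386 is the known-good SP3 binary and the copy under $NtServicePackUninstall$ is the older pre-SP3 one, so those two are expected to differ from each other. The copies in system32 and in dllcache, however, should match the SP3 reference, and here termsrv.dll does not: it is 215552 bytes instead of 295424 and carries a different MD5, with both copies timestamped 2009-02-14 15:52, the same minute azton.mt appeared. Because the dllcache copy was replaced as well, Windows File Protection has nothing clean to restore from, which is why the script above used FCopy to put user32.dll back from ServicePackFiles. As an added example that is not part of ComboFix or the post, the following script parses Sigcheck lines and flags every live copy that differs from the service-pack reference; the input is the block from the log above, and md5_file is a small helper for hashing a file on a machine you are actually examining.

```python
"""Flag copies of a Windows system file that differ from the ServicePackFiles
reference, using the Sigcheck lines ComboFix prints (date time size md5 path).
Added example, not ComboFix code; SIGCHECK_BLOCK is the block from the log."""
import hashlib
import re
from collections import defaultdict

SIGCHECK_BLOCK = """\
2004-08-04 07:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\\windows\\$NtServicePackUninstall$\\termsrv.dll
2008-04-13 19:12 295424 ff3477c03be7201c294c35f684b3479f c:\\windows\\ServicePackFiles\\i386\\termsrv.dll
2009-02-14 15:52 215552 a77219a971029dc2fb683e8513713803 c:\\windows\\system32\\termsrv.dll
2009-02-14 15:52 215552 a77219a971029dc2fb683e8513713803 c:\\windows\\system32\\dllcache\\termsrv.dll
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) ([0-9a-fA-F]{32}) (.+)$")
REFERENCE_DIR = "\\servicepackfiles\\i386\\"     # SP3 known-good copy
PRE_SP_DIR = "\\$ntservicepackuninstall$\\"      # pre-SP3 copy, legitimately different


def parse_sigcheck(text):
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            stamp, size, md5, path = m.groups()
            rows.append({"stamp": stamp, "size": int(size), "md5": md5.lower(), "path": path})
    return rows


def find_patched(rows):
    """Return (path, size, reference_size, md5) for every copy whose size or
    MD5 differs from the ServicePackFiles copy of the same file name."""
    by_name = defaultdict(list)
    for r in rows:
        by_name[r["path"].rsplit("\\", 1)[-1].lower()].append(r)
    patched = []
    for copies in by_name.values():
        ref = next((c for c in copies if REFERENCE_DIR in c["path"].lower()), None)
        if ref is None:
            continue  # no reference copy listed; nothing to compare against
        for c in copies:
            if c is ref or PRE_SP_DIR in c["path"].lower():
                continue
            if c["size"] != ref["size"] or c["md5"] != ref["md5"]:
                patched.append((c["path"], c["size"], ref["size"], c["md5"]))
    return patched


def md5_file(path, chunk=1 << 20):
    """MD5 of a file on disk, for reproducing a Sigcheck line by hand."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


if __name__ == "__main__":
    for path, size, ref_size, md5 in find_patched(parse_sigcheck(SIGCHECK_BLOCK)):
        print(f"PATCHED {path}: {size} bytes (reference {ref_size}), md5 {md5}")
```

A hash that differs from the ServicePackFiles copy is strong evidence but not proof by itself; a hotfix installed after SP3 also changes system32 and dllcache together. The distinguishing signs here are the timestamp matching other malicious files and the absence of any corresponding hotfix entry, and the Dr.Web result later in the thread confirms it for user32.dll.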
#13 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:05:41 PM

Posted 21 February 2009 - 11:01 AM

Please download Dr.Web CureIt to the Desktop:
  • Please reboot into Safe Mode
  • Once you are in Safe Mode, double-click the launch.exe or cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, please do a re-scan.. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan finished, click Select all
  • Click on Cure and choose Move incurable
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit. Reboot your PC in Normal Mode, and post DrWeb.csv in your next reply (Open it as Notepad)



#14 rceleexpt

rceleexpt
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:05:41 AM

Posted 21 February 2009 - 08:13 PM

ADAPT_Installer.exe.vir\data032;C:\Qoobox\Quarantine\C\RECYCLER\ADAPT_Installer.exe.vir;Probably SCRIPT.Virus;;
ADAPT_Installer.exe.vir;C:\Qoobox\Quarantine\C\RECYCLER;Archive contains infected objects;Moved.;
xccdf16_090131a.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS;Trojan.Hitpop.1898;Deleted.;
xccdf32_090131a.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS;Trojan.Hitpop.1899;Deleted.;
rgsmrkfw.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.Juan.78;Deleted.;
UACaoydkrjl.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.Packed.365;Deleted.;
UACecymujxv.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.Packed.365;Deleted.;
UACmpybwwep.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.Packed.365;Deleted.;
UACqqhfatjb.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.Packed.365;Deleted.;
udxfytw.sys.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.Click.24630;Deleted.;
urqOEUmj.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod.1634;Deleted.;
xccdfb16_090131.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\inf;Trojan.Hitpop.1898;Deleted.;
A0317093.vbs;C:\System Volume Information\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\RP451;Probably SCRIPT.Virus;;
A0336609.dll;C:\System Volume Information\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\RP500;Trojan.Virtumod.855;Deleted.;
A0341603.dll;C:\System Volume Information\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\RP500;Trojan.Packed.365;Deleted.;
A0341604.dll;C:\System Volume Information\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\RP500;Trojan.Packed.365;Deleted.;
A0341605.dll;C:\System Volume Information\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\RP500;Trojan.Packed.365;Deleted.;
A0341606.dll;C:\System Volume Information\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\RP500;Trojan.Packed.365;Deleted.;
A0341636.sys;C:\System Volume Information\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\RP500;Trojan.Click.24630;Deleted.;
A0341642.dll;C:\System Volume Information\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\RP500;Trojan.Hitpop.1898;Deleted.;
A0341646.dll;C:\System Volume Information\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\RP500;Trojan.Hitpop.1898;Deleted.;
A0341647.dll;C:\System Volume Information\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\RP500;Trojan.Hitpop.1899;Deleted.;
A0341648.exe\data032;C:\System Volume Information\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\RP500\A0341648.exe;Probably SCRIPT.Virus;;
A0341648.exe;C:\System Volume Information\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\RP500;Archive contains infected objects;Moved.;
A0341649.dll;C:\System Volume Information\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\RP500;Trojan.Juan.78;Deleted.;
A0341651.dll;C:\System Volume Information\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\RP500;Trojan.Virtumod.1634;Deleted.;
A0341664.bat;C:\System Volume Information\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\RP500;Probably BATCH.Virus;;
A0341665.dll;C:\System Volume Information\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\RP500;Trojan.DownLoad.28089;Deleted.;
A0341668.exe;C:\System Volume Information\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\RP500;Trojan.DownLoad.29328;Deleted.;
A0341669.dll;C:\System Volume Information\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\RP500;Trojan.Juan.78;Deleted.;
A0341670.dll;C:\System Volume Information\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\RP500;Trojan.Hitpop.1899;Deleted.;
A0341682.EXE;C:\System Volume Information\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\RP500;Program.PsExec.170;;
A0341687.exe;C:\System Volume Information\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\RP500;Trojan.MulDrop.30279;Deleted.;
A0342751.exe;C:\System Volume Information\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\RP500;Probably MULDROP.Trojan;;
A0342753.dll;C:\System Volume Information\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\RP500;Trojan.Virtumod.1596;Deleted.;
A0342768.DLL;C:\System Volume Information\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\RP500;BackDoor.Zapinit;Cured.;
A0342786.bat;C:\System Volume Information\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\RP500;Probably BATCH.Virus;;
A0342798.EXE;C:\System Volume Information\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\RP500;Program.PsExec.170;;
A0342867.bat;C:\System Volume Information\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\RP500;Probably BATCH.Virus;;
A0342879.EXE;C:\System Volume Information\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\RP500;Program.PsExec.170;;
A0342923.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\RP500\A0342923.exe;Tool.Prockill;;
A0342923.exe;C:\System Volume Information\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\RP500;Archive contains infected objects;Moved.;
A0342924.exe;C:\System Volume Information\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\RP500;Win95.SK;Incurable.Moved.;
user32.dll;C:\WINDOWS\system32\dllcache;BackDoor.Zapinit;Cured.;
SDFix.exe\SDFix\apps\Process.exe;D:\SDFix.exe;Tool.Prockill;;
SDFix.exe;D:\;Archive contains infected objects;;

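The DrWeb.csv produced by the procedure in the previous post is semicolon-separated: object;location;detection;action, with a trailing empty field, and a member of an archive is written as archive\member in the object column with the archive's own path as the location. Most lines in the report above are files that were already out of play: ComboFix's quarantine under C:\Qoobox\Quarantine and System Restore points under System Volume Information. The two entries on live paths are user32.dll in system32\dllcache (BackDoor.Zapinit, reported "Cured", meaning Dr.Web patched the file in place rather than restoring an original) and SDFix.exe on D:, where the Tool.Prockill and Program.PsExec.170 classes are Dr.Web's labels for legitimate but dual-use utilities bundled with the cleanup tools rather than infections. As an added example that is not part of Dr.Web or the thread, the following script parses a report and separates live findings from already-quarantined ones and from riskware classifications; the sample is a verbatim subset of the report above.

```python
"""Triage a Dr.Web CureIt report (DrWeb.csv): object;location;detection;action;
Entries in quarantine or in System Restore points are already neutralised;
only detections on live paths need follow-up. Added example, not Dr.Web code;
SAMPLE_REPORT is a subset of the report posted in the thread."""
import csv
import io

SAMPLE_REPORT = """\
ADAPT_Installer.exe.vir\\data032;C:\\Qoobox\\Quarantine\\C\\RECYCLER\\ADAPT_Installer.exe.vir;Probably SCRIPT.Virus;;
xccdf16_090131a.dll.vir;C:\\Qoobox\\Quarantine\\C\\WINDOWS;Trojan.Hitpop.1898;Deleted.;
A0342768.DLL;C:\\System Volume Information\\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\\RP500;BackDoor.Zapinit;Cured.;
A0341682.EXE;C:\\System Volume Information\\_restore{B962208D-3EFD-467F-ABA3-5281C1FBCF2C}\\RP500;Program.PsExec.170;;
user32.dll;C:\\WINDOWS\\system32\\dllcache;BackDoor.Zapinit;Cured.;
SDFix.exe\\SDFix\\apps\\Process.exe;D:\\SDFix.exe;Tool.Prockill;;
SDFix.exe;D:\\;Archive contains infected objects;;
"""

NEUTRALISED_MARKERS = ("\\qoobox\\quarantine\\", "\\system volume information\\_restore")
RISKWARE_PREFIXES = ("Tool.", "Program.")   # Dr.Web classes for dual-use utilities
CONTAINER_DETECTION = "Archive contains infected objects"


def parse_report(text):
    """Return one dict per line; the trailing '.' on actions is dropped."""
    rows = []
    for fields in csv.reader(io.StringIO(text), delimiter=";"):
        if len(fields) < 4:
            continue
        obj, location, detection, action = fields[:4]
        rows.append({"object": obj, "location": location,
                     "detection": detection, "action": action.rstrip(".")})
    return rows


def is_neutralised(row):
    loc = row["location"].lower()
    return any(marker in loc for marker in NEUTRALISED_MARKERS)


def triage(rows):
    """Split rows into live findings, already-neutralised ones and riskware.
    The per-archive summary line is dropped; its members are listed on their own."""
    result = {"live": [], "neutralised": [], "riskware": []}
    for r in rows:
        if r["detection"].startswith(RISKWARE_PREFIXES):
            result["riskware"].append(r)
        elif r["detection"] == CONTAINER_DETECTION:
            continue
        elif is_neutralised(r):
            result["neutralised"].append(r)
        else:
            result["live"].append(r)
    return result


if __name__ == "__main__":
    t = triage(parse_report(SAMPLE_REPORT))
    for bucket in ("live", "riskware", "neutralised"):
        print(f"== {bucket} ({len(t[bucket])})")
        for r in t[bucket]:
            print(f"  {r['detection']:28} {r['action'] or '-':8} {r['location']}\\{r['object']}")
```

The live bucket is the one to act on. A system DLL that was "Cured" in place is exactly the kind of file whose hash should then be checked against a clean copy, which is what the next post asks for.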
#15 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:05:41 PM

Posted 22 February 2009 - 02:45 AM

Please show hidden files and folders
Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
    • c:\windows\system32\dllcache\user32.dll
    • c:\windows\system32\dllcache\termsrv.dll
  • Click on the submit button. You can submit only one file at a time.
  • Please post the results in your next reply.
If Jotti server is too busy, please submit the file to VirusTotal instead.




NEXT


Delete all versions of ComboFix that you have and download a fresh one from below..

Link 1
Link 2
Link 3




Then do this..


1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
gpzmlee

Rootkit::
c:\windows\system32\drivers\rjlftkf.sys

File::
c:\windows\system32\azton.mt

DirLook::
c:\windows\system32\inf

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • Jotti results.





