
Overclick.cn / Redirect virus / HD problem


  • This topic is locked
14 replies to this topic

#1 Talikira

Talikira

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:25 PM

Posted 16 July 2009 - 01:49 PM

Hello. I have a few issues here, one being that when I search on google I am redirected to overclick.cn or other search engines which are not the true site. As well, I have run AVG Free 8.5 and I have found viruses that when I try to remove, get an error message like "Data is on a non-local harddrive," and cannot be gotten rid of. And one last thing that I believe is virus/malware related, recently one of my partitions stopped working. I get this message: "The disk in drive F is not formatted. Do you want to format now?" and even if I click yes it says that it can't be formatted, and none of my files show. Thing is, I'm on Windows XP now, but when I switch to Windows 2000 that partition works perfectly fine. Any help is appreciated.

Thanks in advance.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Talikira at 12:27:27.04 on 17/07/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.1023.242 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

E:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
E:\WINDOWS\System32\svchost.exe -k netsvcs
E:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
E:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\PROGRA~1\AVG\AVG8\avgrsx.exe
E:\PROGRA~1\AVG\AVG8\avgnsx.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe -k imgsvc
E:\WINDOWS\system32\Wacom_Tablet.exe
E:\PROGRA~1\AVG\AVG8\avgemc.exe
E:\Program Files\AVG\AVG8\avgcsrvx.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
E:\WINDOWS\system32\Wacom_Tablet.exe
E:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Java\jre6\bin\jusched.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\AIM\aim.exe
E:\Program Files\DNA\btdna.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\System32\svchost.exe -k HTTPFilter
E:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Winamp\winamp.exe
E:\Program Files\AVG\AVG8\avgscanx.exe
E:\Program Files\AVG\AVG8\avgcsrvx.exe
E:\Program Files\Avant Browser\avant.exe
E:\Program Files\SpyNoMore\SNM.exe
E:\Documents and Settings\Talikira\Desktop\dds.scr
E:\DOCUME~1\Talikira\LOCALS~1\Temp\~nsu.tmp\Au_.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - e:\program files\avg\avg8\avgssie.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - e:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D0943516-5076-4020-A3B5-AEFAF26AB263} - No File
uRun: [NvMediaCenter] RUNDLL32.EXE e:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uRun: [MsnMsgr] "e:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe" --force_start_minimized
uRun: [AIM] e:\program files\aim\aim.exe -cnetwait.odl
uRun: [Tunebite] e:\program files\rapidsolution\tunebite\Tunebite.exe -tray
uRun: [BitTorrent DNA] "e:\program files\dna\btdna.exe"
uRun: [ctfmon.exe] e:\windows\system32\ctfmon.exe
uRunOnce: [Shockwave Updater] e:\windows\system32\adobe\shockwave 11\SwHelper_1150595.exe -Update -1150595 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser; .NET CLR 2.0.50727)" -"http://highered.mcgraw-hill.com/sites/0073031216/student_view0/exercise11/aerobic_cellular_respiration.html"
mRun: [PHIME2002ASync] e:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] e:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE e:\windows\system32\NvCpl.dll,NvStartup
mRun: [MSPY2002] e:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [IMJPMIG8.1] "e:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [AVG8_TRAY] e:\progra~1\avg\avg8\avgtray.exe
mRun: [EPSON Stylus CX4800 Series] e:\windows\system32\spool\drivers\w32x86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
mRun: [iTunesHelper] "e:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "e:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "e:\program files\java\jre6\bin\jusched.exe"
mRun: [SNM] e:\program files\spynomore\SNM.exe /startup
dRun: [CTFMON.EXE] e:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "e:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [RunNarrator] Narrator.exe
IE: Open In New Avant Browser - c:\program files\avant browser\OpenInNewBrowser.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - e:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - e:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - e:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;e:\windows\system32\drivers\Lbd.sys [2009-7-15 64160]
R0 viaraid;viaraid;e:\windows\system32\drivers\viaraid.sys [2007-2-23 70272]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;e:\windows\system32\drivers\avgldx86.sys [2008-8-9 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;e:\windows\system32\drivers\avgmfx86.sys [2008-8-9 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;e:\windows\system32\drivers\avgtdix.sys [2008-8-9 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;e:\progra~1\avg\avg8\avgemc.exe [2008-8-9 907032]
R2 avg8wd;AVG Free8 WatchDog;e:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-9 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;e:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
R2 TabletServiceWacom;TabletServiceWacom;e:\windows\system32\Wacom_Tablet.exe [2008-4-5 1373480]

=============== Created Last 30 ================

2009-07-17 12:07 1,152 a------- e:\windows\system32\windrv.sys
2009-07-17 12:07 <DIR> --d----- e:\program files\SpyNoMore
2009-07-15 19:54 64,160 a------- e:\windows\system32\drivers\Lbd.sys
2009-07-15 19:53 <DIR> -cd-h--- e:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-15 03:20 44,544 a------- e:\windows\system32\msxml4a.dll
2009-07-15 03:20 <DIR> --d----- e:\program files\File Recover
2009-07-15 02:24 <DIR> --d----- e:\program files\GetData
2009-07-15 02:08 <DIR> --d----- e:\windows\system32\NtmsData

==================== Find3M ====================

2009-07-05 13:06 335,752 a------- e:\windows\system32\drivers\avgldx86.sys
2009-06-26 12:21 11,952 a------- e:\windows\system32\avgrsstx.dll
2009-05-21 11:33 410,984 a------- e:\windows\system32\deploytk.dll
2009-05-12 04:20 173,384 a------- e:\windows\system32\AVLibrary.dll
2007-02-23 21:59 448,640 a------- e:\windows\inf\EL2K_N64.sys
2007-02-23 21:59 147,328 a------- e:\windows\inf\EL2K_XP.sys
2007-02-23 21:59 147,328 a------- e:\windows\inf\EL2K_2K.sys
2007-02-12 19:10 2,682,880 -------- e:\documents and settings\all users\VCREDI~3.EXE
2004-10-01 15:00 40,960 a------- e:\program files\Uninstall_CDS.exe

============= FINISH: 12:29:41.73 ===============



#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:25 PM

Posted 21 July 2009 - 09:07 PM

Hello Talikira,

And one last thing that I believe is virus/malware related, recently one of my partitions stopped working.


No, I don't think that is malware related.


Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

*******************


Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Edited by SifuMike, 21 July 2009 - 09:12 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Talikira

Talikira
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:25 PM

Posted 23 July 2009 - 01:04 AM

Thank you so much for taking the time to reply and help me out. :>


Results of screen317's Security Check version 0.98.5
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:

AVG Free 8.5


Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
Java™ 6 Update 14
Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
AVG avgemc.exe
``````````````````````````````
DNS Vulnerability Check:

nslookup.exe missing!
GREAT! (Very random)

`````````End of Log```````````



Malwarebytes' Anti-Malware 1.39
Database version: 2484
Windows 5.1.2600 Service Pack 2

22/07/2009 11:37:20 PM
mbam-log-2009-07-22 (23-37-20).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|)
Objects scanned: 270068
Time elapsed: 57 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrrooytbxm.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Illysoft (Rogue.SpyNoMore) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Illysoft (Rogue.SpyNoMore) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\geyekrrooytbxm.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINNT\system32\MSINET.oca (Rogue.Trace) -> Quarantined and deleted successfully.
e:\documents and settings\Talikira\local settings\Temp\mia3D.tmp\OFFLINE\ifgmgcemrafaknxeimmaxfnsdrffff0\memman.vxd (Rogue.sysCleanerPro) -> Quarantined and deleted successfully.
E:\WINDOWS\base64.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
E:\WINDOWS\zip1.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
E:\WINDOWS\zip2.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
E:\WINDOWS\zip3.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
E:\WINDOWS\zipped.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\hxiwlgpm.dat (Trojan.Agent) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\taack.dat (Trojan.Agent) -> Quarantined and deleted successfully.
e:\documents and settings\Talikira\Desktop\spynomore.exe (Rogue.SpyNoMore) -> Quarantined and deleted successfully.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:08 PM, on 22/07/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Java\jre6\bin\jusched.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\AIM\aim.exe
E:\Program Files\DNA\btdna.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\Wacom_Tablet.exe
E:\PROGRA~1\AVG\AVG8\avgemc.exe
E:\Program Files\AVG\AVG8\avgcsrvx.exe
E:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
E:\WINDOWS\system32\Wacom_Tablet.exe
E:\PROGRA~1\AVG\AVG8\avgrsx.exe
E:\PROGRA~1\AVG\AVG8\avgnsx.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Winamp\winamp.exe
E:\Program Files\Avant Browser\avant.exe
E:\Documents and Settings\Talikira\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSPY2002] E:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SNM] E:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Tunebite] E:\Program Files\RapidSolution\Tunebite\Tunebite.exe -tray
O4 - HKCU\..\Run: [BitTorrent DNA] "E:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] E:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1150595.exe -Update -1150595 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser; .NET CLR 2.0.50727)" -"http://highered.mcgraw-hill.com/sites/0073031216/student_view0/exercise11/aerobic_cellular_respiration.html"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - E:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - E:\WINDOWS\system32\Wacom_Tablet.exe

--
End of file - 8138 bytes
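The Malwarebytes report above is the evidence SifuMike reads before calling this a rootkit: a loader DLL that MBAM can only reach through the `\\?\globalroot\` device path (so it is hidden from normal file-system views and can only be deleted on reboot), plus the three Security Center `*DisableNotify` values flipped to 1 so the user never sees the "antivirus/firewall/updates off" balloons. The following Python script is an added example, not code from the thread or from Malwarebytes: it parses MBAM 1.x report lines, then triages them for exactly those two signals. The `SAMPLE_LOG` is a constructed excerpt built from the findings posted above; the parser, the `triage` logic and all function names are this example's own.

```python
import re

# Constructed sample input: an excerpt of the Malwarebytes 1.39 report posted in
# the thread, kept in MBAM 1.x report format (summary counts, then per-section items).
SAMPLE_LOG = r"""
Memory Modules Infected: 1
Registry Data Items Infected: 3
Files Infected: 2

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrrooytbxm.dll (Trojan.TDSS) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\geyekrrooytbxm.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\hxiwlgpm.dat (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# "Files Infected: 11"  -> summary count line at the top of the report
COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
# "Files Infected:"     -> section header introducing the per-item lines
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# "<target> (<family>) -> [Bad: (x) Good: (y) ->] <action>."
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")

# NT object-manager device path: a file reachable here but not via a drive letter
# is a strong hint that something is filtering normal file-system views.
DEVICE_PATH_PREFIX = "\\\\?\\globalroot\\"
SECURITY_CENTER_KEY = "\\software\\microsoft\\security center\\"


def parse_mbam_log(text):
    """Return (summary_counts, findings) from MBAM 1.x report text."""
    counts, findings, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ITEM_RE.match(line)
        if m and section:
            # For registry data items the action follows a second "->"; take the last part.
            action = m.group("rest").rstrip(".").split(" -> ")[-1]
            findings.append({
                "section": section,
                "target": m.group("target"),
                "family": m.group("family"),
                "action": action,
                "pending_reboot": action.lower().startswith("delete on reboot"),
            })
    return counts, findings


def triage(findings):
    """Summarise the findings that justify a follow-up rootkit scan."""
    report = {"pending_reboot": [], "device_path_loaders": [],
              "security_center_tampering": [], "families": set()}
    for f in findings:
        target, low = f["target"], f["target"].lower()
        report["families"].add(f["family"])
        if f["pending_reboot"]:
            report["pending_reboot"].append(target)
        if low.startswith(DEVICE_PATH_PREFIX.lower()) and target not in report["device_path_loaders"]:
            report["device_path_loaders"].append(target)
        if SECURITY_CENTER_KEY in low and low.endswith("disablenotify"):
            # Keep just the value name, e.g. "FirewallDisableNotify".
            report["security_center_tampering"].append(target.rsplit("\\", 1)[-1])
    return report


def followup_reasons(report):
    """Plain-language reasons an analyst would escalate beyond the MBAM run."""
    reasons = []
    if report["device_path_loaders"]:
        reasons.append("component only visible via \\\\?\\globalroot device path")
    if report["pending_reboot"]:
        reasons.append("item locked in memory; removal deferred to reboot")
    if report["security_center_tampering"]:
        reasons.append("Security Center notifications were silenced")
    return reasons


if __name__ == "__main__":
    counts, findings = parse_mbam_log(SAMPLE_LOG)
    report = triage(findings)
    print("summary counts:", counts)
    print("families:", sorted(report["families"]))
    print("device-path loaders:", report["device_path_loaders"])
    print("silenced notifications:", report["security_center_tampering"])
    for reason in followup_reasons(report):
        print(" - follow-up:", reason)
```

Run as-is it prints the three escalation reasons for the sample; point `parse_mbam_log` at a saved `mbam-log-*.txt` to triage a real report. The counts parsed from the summary block can also be compared against `len(findings)` as a sanity check that no item line was dropped by the regexes.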

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:25 PM

Posted 23 July 2009 - 01:26 PM

Hi Talikira,

You have a nasty rootkit so we will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your AVG Antivirus before running ComboFix, as it will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield, just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.



Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

#5 Talikira

Talikira
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:25 PM

Posted 24 July 2009 - 05:12 PM

Ahh, thanks again! My HD Partition seems to be working now. Here's the ComboFix log:


ComboFix 09-07-23.04 - Talikira 24/07/2009 15:36.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.1023.576 [GMT -6:00]
Running from: e:\documents and settings\Talikira\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

e:\recycler\S-1-5-21-1275210071-1606980848-1343024091-1000
e:\windows\kb913800.exe
e:\windows\system32\drivers\geyekrvfgvmruf.sys
e:\windows\system32\geyekrcbiukadx.dat
e:\windows\system32\geyekrlstlwaqi.dat
e:\windows\system32\geyekrrooytbxm.dll
e:\windows\system32\geyekryypqjlvn.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_geyekrvcjmsodl


((((((((((((((((((((((((( Files Created from 2009-06-24 to 2009-07-24 )))))))))))))))))))))))))))))))
.

2009-07-23 04:32 . 2009-07-23 04:32 -------- d-----w- e:\documents and settings\Talikira\Application Data\Malwarebytes
2009-07-23 04:32 . 2009-07-13 19:36 38160 ----a-w- e:\windows\system32\drivers\mbamswissarmy.sys
2009-07-23 04:32 . 2009-07-23 04:32 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2009-07-23 04:32 . 2009-07-23 04:32 -------- d-----w- e:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-23 04:32 . 2009-07-13 19:36 19096 ----a-w- e:\windows\system32\drivers\mbam.sys
2009-07-17 18:07 . 2009-07-17 18:07 1152 ----a-w- e:\windows\system32\windrv.sys
2009-07-16 01:54 . 2009-07-03 14:49 64160 ----a-w- e:\windows\system32\drivers\Lbd.sys
2009-07-16 01:53 . 2009-07-16 01:53 -------- dc-h--w- e:\docume~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-15 09:20 . 2009-04-18 02:23 44544 ----a-w- e:\windows\system32\msxml4a.dll
2009-07-15 09:20 . 2009-07-15 10:52 -------- d-----w- e:\program files\File Recover
2009-07-15 08:24 . 2009-07-15 08:24 -------- d-----w- e:\program files\GetData
2009-07-15 08:08 . 2009-07-15 08:14 -------- d-----w- e:\windows\system32\NtmsData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-24 21:36 . 2008-04-05 06:21 -------- d-----w- e:\documents and settings\Talikira\Application Data\WTablet
2009-07-24 21:33 . 2009-01-06 03:08 -------- d-----w- e:\documents and settings\Talikira\Application Data\DNA
2009-07-24 19:33 . 2009-01-06 03:08 -------- d-----w- e:\program files\DNA
2009-07-24 19:22 . 2008-04-22 02:32 -------- d-----w- e:\documents and settings\LocalService\Application Data\WTablet
2009-07-16 06:02 . 2008-10-08 22:47 -------- d-----w- e:\program files\Avant Browser
2009-07-16 01:52 . 2008-10-10 03:54 -------- d-----w- e:\program files\Lavasoft
2009-07-16 01:52 . 2008-10-10 03:54 -------- d-----w- e:\docume~1\ALLUSE~1\APPLIC~1\Lavasoft
2009-07-16 01:21 . 2007-07-22 23:18 -------- d---a-w- e:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-07-16 01:19 . 2008-10-31 02:16 -------- d-----w- e:\program files\SpeedFan
2009-07-15 23:36 . 2007-02-24 02:18 -------- d--h--w- e:\program files\InstallShield Installation Information
2009-07-15 10:50 . 2008-08-09 05:48 -------- d-----w- e:\documents and settings\Talikira\Application Data\uTorrent
2009-07-08 04:06 . 2008-10-14 04:15 1 ----a-w- e:\documents and settings\Talikira\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-07-05 19:06 . 2008-08-09 06:13 335752 ----a-w- e:\windows\system32\drivers\avgldx86.sys
2009-06-26 18:21 . 2008-08-09 06:13 11952 ----a-w- e:\windows\system32\avgrsstx.dll
2009-06-26 18:21 . 2008-08-09 06:13 27784 ----a-w- e:\windows\system32\drivers\avgmfx86.sys
2009-06-15 03:50 . 2009-06-15 03:46 -------- d-----w- e:\program files\Hide The IP
2009-06-15 00:31 . 2008-10-30 05:31 -------- d-----w- e:\program files\eMule
2009-06-11 23:23 . 2009-06-11 23:23 -------- d-----w- e:\documents and settings\Talikira\Application Data\uk.co.planetside
2009-06-09 23:12 . 2007-02-24 04:06 -------- d-----w- e:\program files\Java
2009-06-09 23:11 . 2009-06-09 23:11 152576 ----a-w- e:\documents and settings\Talikira\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-06 04:24 . 2009-04-04 20:21 -------- d-----w- e:\documents and settings\Talikira\Application Data\Hamachi
2009-05-21 17:33 . 2008-11-28 22:10 410984 ----a-w- e:\windows\system32\deploytk.dll
2009-05-14 05:53 . 2009-05-14 05:53 45056 ----a-r- e:\documents and settings\Talikira\Application Data\Microsoft\Installer\{680B6877-75C2-4CEF-866D-7DBE26DBB772}\_597EDA5447AC_4DEE_A5F8_88EF195E1F22.exe
2009-05-14 05:53 . 2009-05-14 05:53 15086 ----a-r- e:\documents and settings\Talikira\Application Data\Microsoft\Installer\{680B6877-75C2-4CEF-866D-7DBE26DBB772}\oC4.exe
2009-05-12 10:20 . 2009-06-15 03:46 173384 ----a-w- e:\windows\system32\AVLibrary.dll
2009-05-10 19:00 . 2008-08-09 06:13 108552 ----a-w- e:\windows\system32\drivers\avgtdix.sys
2009-05-02 21:09 . 2009-04-04 20:20 25280 ----a-w- e:\windows\system32\drivers\hamachi.sys
2004-10-01 21:00 . 2008-08-16 11:24 40960 ----a-w- e:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="e:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"AIM"="e:\program files\AIM\aim.exe" [2004-08-10 61440]
"BitTorrent DNA"="e:\program files\DNA\btdna.exe" [2009-01-06 342848]
"ctfmon.exe"="e:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="e:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="e:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"NvCplDaemon"="e:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"MSPY2002"="e:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"IMJPMIG8.1"="e:\windows\IME\imjp8_1\IMJPMIG.EXE" [2007-05-21 208952]
"AVG8_TRAY"="e:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]
"EPSON Stylus CX4800 Series"="e:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-01 98304]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"QuickTime Task"="e:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="e:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"nwiz"="nwiz.exe" - e:\windows\system32\nwiz.exe [2003-07-28 323584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="e:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
"DWQueuedReporting"="e:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - e:\windows\system32\narrator.exe [2007-01-16 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-26 18:21 11952 ----a-w- e:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\Messenger\\msmsgs.exe"=
"e:\\Program Files\\MSN\\MSNCoreFiles\\Install\\msnsusii.exe"=
"e:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Talikira Kyereon\\Desktop\\Skype.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\DNA\\btdna.exe"=
"f:\\Warcraft III\\Warcraft III.exe"=
"e:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"e:\\Program Files\\AIM\\aim.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:6112
"6112:UDP"= 6112:UDP:6112

R0 Lbd;Lbd;e:\windows\system32\drivers\Lbd.sys [15/07/2009 7:54 PM 64160]
R0 viaraid;viaraid;e:\windows\system32\drivers\viaraid.sys [23/02/2007 8:37 PM 70272]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;e:\windows\system32\drivers\avgldx86.sys [09/08/2008 12:13 AM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;e:\windows\system32\drivers\avgtdix.sys [09/08/2008 12:13 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;e:\progra~1\AVG\AVG8\avgemc.exe [09/08/2008 12:13 AM 907032]
R2 avg8wd;AVG Free8 WatchDog;e:\progra~1\AVG\AVG8\avgwdsvc.exe [09/08/2008 12:13 AM 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;e:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 8:49 AM 1029456]
R2 TabletServiceWacom;TabletServiceWacom;e:\windows\system32\Wacom_Tablet.exe [05/04/2008 12:20 AM 1373480]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
e:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BitTorrent - c:\program files\BitTorrent\bittorrent.exe
HKCU-Run-Tunebite - e:\program files\RapidSolution\Tunebite\Tunebite.exe
HKCU-RunOnce-Shockwave Updater - e:\windows\system32\Adobe\Shockwave 11\SwHelper_1150595.exe -Update -1150595 -Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser; .NET
HKLM-Run-SNM - e:\program files\SpyNoMore\SNM.exe
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Open In New Avant Browser - c:\program files\Avant Browser\OpenInNewBrowser.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-24 15:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1275210071-616249376-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:c4,25,d7,2b,3f,d9,65,1a,8d,e2,b5,62,22,82,00,ef,b7,7e,35,b1,18,
d0,5d,e2,9a,e9,02,83,47,7c,22,7e,f1,c3,1d,0d,68,a4,81,90,9a,b6,ef,dc,07,55,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44

[HKEY_LOCAL_MACHINE\software\Microsoft\DirectPlay\Service Providers\D*i*r*e*c*t*P*l*a*y* *k0[Y00 *rpo *T*C*P*/*I*P* *c}\Address Types\{C4A54DA0-E0AF-11cf-9C4E-00A0C905425E}]
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\DirectPlay\Service Providers\D*i*r*e*c*t*P*l*a*y* *k0[Y00|qc}\Address Types\{F2F0CE00-E0AF-11cf-9C4E-00A0C905425E}]
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\DirectPlay\Service Providers\D*i*r*e*c*t*P*l*a*y* *k0[Y00c}\Address Types\{78EC89A0-E0AF-11cf-9C4E-00A0C905425E}]
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\DirectPlay\Service Providers\D*i*r*e*c*t*P*l*a*y* *k0[Y00c}\Address Types\{F6DCC200-A2FE-11d0-9C4F-00A0C905425E}]
@=""
.
Completion time: 2009-07-24 15:43
ComboFix-quarantined-files.txt 2009-07-24 21:43

Pre-Run: 419,450,880 bytes free
Post-Run: 2,626,416,640 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect

180 --- E O F --- 2008-12-06 21:22

#6 SifuMike (malware expert)

Posted 24 July 2009 - 07:30 PM

Hi Talikira,

You need to disable your AVG Antivirus before running ComboFix, as it will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield, just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

Registry:: 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe.


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply


If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
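
The CFScript above is a one-off for this machine, but the check behind it generalises: ComboFix's "Reg Loading Points" dump shows whether the Security Center warnings and the XP SP2 firewall were switched off, which is exactly what the fix reverses. The following script is an added example for this thread, not ComboFix's or SifuMike's code. It parses the same REGEDIT4-style lines ComboFix printed above (embedded here as a constructed sample copied from this log), reports each weakened value, and renders the Registry:: block that puts them back. The names WEAK_SETTINGS, find_weakened and build_cfscript are chosen here and are not ComboFix terminology.

```python
"""Triage a ComboFix 'Reg Loading Points' dump for security settings that
malware commonly switches off, and emit the matching ComboFix Registry:: fix.
Added example for this thread, not code from ComboFix or the helper."""
import re

# Constructed sample: the relevant lines copied from the log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:6112
"6112:UDP"= 6112:UDP:6112
"""

# (key suffix, value name) -> (value meaning "defence off", safe value).
# The *Override values silence Security Center's missing-AV/firewall warnings,
# UpdatesDisableNotify silences the Windows Update warning, and
# EnableFirewall=0 turns the XP SP2 firewall off for the standard profile.
WEAK_SETTINGS = {
    (r"software\microsoft\security center", "antivirusoverride"): (1, 0),
    (r"software\microsoft\security center", "firewalloverride"): (1, 0),
    (r"software\microsoft\security center", "updatesdisablenotify"): (1, 0),
    (r"firewallpolicy\standardprofile", "enablefirewall"): (0, 1),
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+?)\s*$')


def numeric(raw):
    """Normalise 'dword:00000001' or ComboFix's '0 (0x0)' to an int; None otherwise."""
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r"(\d+)\s*\(0x[0-9a-fA-F]+\)", raw)
    if m:
        return int(m.group(1))
    return None


def parse_reg_section(text):
    """Yield (key, name, raw_value) triples from the REGEDIT4-style dump."""
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group("name"), m.group("value")


def find_weakened(text):
    """Return [(key, name, current, safe)] for every weakened setting in the dump."""
    findings = []
    for key, name, raw in parse_reg_section(text):
        for (suffix, vname), (bad, good) in WEAK_SETTINGS.items():
            if (key.lower().endswith(suffix) and name.lower() == vname
                    and numeric(raw) == bad):
                findings.append((key, name, bad, good))
    return findings


def build_cfscript(findings):
    """Render the findings as the Registry:: block ComboFix applies from CFScript.txt."""
    by_key = {}
    for key, name, _current, safe in findings:
        by_key.setdefault(key, []).append((name, safe))
    lines = ["Registry::"]
    for key, values in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=dword:{safe:08x}' for name, safe in values)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = find_weakened(SAMPLE_LOG)
    for key, name, current, safe in hits:
        print(f"{name} = {current} in [{key}] (should be {safe})")
    print(build_cfscript(hits))
```

Run against the sample it produces the same four-line Registry:: block SifuMike posted. Two caveats: the `HKLM\~\services\...` spelling is ComboFix's abbreviation of HKLM\SYSTEM\CurrentControlSet\Services\..., so keep it as printed when feeding the script back to ComboFix; and the Security Center override values are also set by some legitimate third-party AV and firewall products that do not register with Security Center, so treat the override flags together with EnableFirewall=0 as the signal rather than any one value on its own.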

#7 Talikira (Topic Starter)

Posted 26 July 2009 - 11:46 PM

Sorry for the late reply, but here it is:

ComboFix 09-07-26.01 - Talikira 26/07/2009 22:38.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.1023.632 [GMT -6:00]
Running from: e:\documents and settings\Talikira\Desktop\ComboFix.exe
Command switches used :: e:\documents and settings\Talikira\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-06-27 to 2009-07-27 )))))))))))))))))))))))))))))))
.

2009-07-23 04:32 . 2009-07-23 04:32 -------- d-----w- e:\documents and settings\Talikira\Application Data\Malwarebytes
2009-07-23 04:32 . 2009-07-13 19:36 38160 ----a-w- e:\windows\system32\drivers\mbamswissarmy.sys
2009-07-23 04:32 . 2009-07-23 04:32 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2009-07-23 04:32 . 2009-07-23 04:32 -------- d-----w- e:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-23 04:32 . 2009-07-13 19:36 19096 ----a-w- e:\windows\system32\drivers\mbam.sys
2009-07-19 19:09 . 2009-06-26 18:21 2301208 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-07-19 19:09 . 2009-06-26 18:21 353048 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-07-17 18:07 . 2009-07-17 18:07 1152 ----a-w- e:\windows\system32\windrv.sys
2009-07-16 01:54 . 2009-07-03 14:49 64160 ----a-w- e:\windows\system32\drivers\Lbd.sys
2009-07-16 01:53 . 2009-07-16 01:53 -------- dc-h--w- e:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-16 01:53 . 2009-07-08 17:28 2920112 -c--a-w- e:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-07-15 09:20 . 2009-04-18 02:23 44544 ----a-w- e:\windows\system32\msxml4a.dll
2009-07-15 09:20 . 2009-07-15 10:52 -------- d-----w- e:\program files\File Recover
2009-07-15 08:24 . 2009-07-15 08:24 -------- d-----w- e:\program files\GetData
2009-07-15 08:08 . 2009-07-15 08:14 -------- d-----w- e:\windows\system32\NtmsData
2009-07-05 19:07 . 2009-07-05 19:06 2054424 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-05 19:07 . 2009-07-05 19:06 2167576 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-07-05 19:07 . 2009-06-26 18:21 327688 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-07-05 19:07 . 2009-06-26 18:21 906520 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgemc.exe
2009-07-05 19:07 . 2009-07-05 19:06 3403032 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-05 19:07 . 2009-06-26 18:21 1204504 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll
2009-07-05 19:07 . 2009-06-26 18:21 337176 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avglogx.dll
2009-07-05 19:07 . 2009-06-26 18:21 829208 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-07-05 19:07 . 2009-06-26 18:21 3298072 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-07-05 19:05 . 2009-06-26 18:18 1454360 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-07-05 19:05 . 2009-06-26 18:18 1085208 ----a-w- e:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-27 04:37 . 2009-01-06 03:08 -------- d-----w- e:\documents and settings\Talikira\Application Data\DNA
2009-07-27 04:27 . 2008-04-05 06:21 -------- d-----w- e:\documents and settings\Talikira\Application Data\WTablet
2009-07-27 04:27 . 2009-01-06 03:08 -------- d-----w- e:\program files\DNA
2009-07-24 19:22 . 2008-04-22 02:32 -------- d-----w- e:\documents and settings\LocalService\Application Data\WTablet
2009-07-16 06:02 . 2008-10-08 22:47 -------- d-----w- e:\program files\Avant Browser
2009-07-16 01:52 . 2008-10-10 03:54 -------- d-----w- e:\program files\Lavasoft
2009-07-16 01:52 . 2008-10-10 03:54 -------- d-----w- e:\documents and settings\All Users\Application Data\Lavasoft
2009-07-16 01:21 . 2007-07-22 23:18 -------- d---a-w- e:\documents and settings\All Users\Application Data\TEMP
2009-07-16 01:19 . 2008-10-31 02:16 -------- d-----w- e:\program files\SpeedFan
2009-07-15 23:36 . 2007-02-24 02:18 -------- d--h--w- e:\program files\InstallShield Installation Information
2009-07-15 10:50 . 2008-08-09 05:48 -------- d-----w- e:\documents and settings\Talikira\Application Data\uTorrent
2009-07-08 04:06 . 2008-10-14 04:15 1 ----a-w- e:\documents and settings\Talikira\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-07-05 19:06 . 2008-08-09 06:13 335752 ----a-w- e:\windows\system32\drivers\avgldx86.sys
2009-06-26 18:21 . 2008-08-09 06:13 11952 ----a-w- e:\windows\system32\avgrsstx.dll
2009-06-26 18:21 . 2008-08-09 06:13 27784 ----a-w- e:\windows\system32\drivers\avgmfx86.sys
2009-06-15 03:50 . 2009-06-15 03:46 -------- d-----w- e:\program files\Hide The IP
2009-06-15 00:31 . 2008-10-30 05:31 -------- d-----w- e:\program files\eMule
2009-06-11 23:23 . 2009-06-11 23:23 -------- d-----w- e:\documents and settings\Talikira\Application Data\uk.co.planetside
2009-06-09 23:12 . 2007-02-24 04:06 -------- d-----w- e:\program files\Java
2009-06-09 23:11 . 2009-06-09 23:11 152576 ----a-w- e:\documents and settings\Talikira\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-06 04:24 . 2009-04-04 20:21 -------- d-----w- e:\documents and settings\Talikira\Application Data\Hamachi
2009-05-21 17:33 . 2008-11-28 22:10 410984 ----a-w- e:\windows\system32\deploytk.dll
2009-05-14 05:53 . 2009-05-14 05:53 45056 ----a-r- e:\documents and settings\Talikira\Application Data\Microsoft\Installer\{680B6877-75C2-4CEF-866D-7DBE26DBB772}\_597EDA5447AC_4DEE_A5F8_88EF195E1F22.exe
2009-05-14 05:53 . 2009-05-14 05:53 15086 ----a-r- e:\documents and settings\Talikira\Application Data\Microsoft\Installer\{680B6877-75C2-4CEF-866D-7DBE26DBB772}\oC4.exe
2009-05-12 10:20 . 2009-06-15 03:46 173384 ----a-w- e:\windows\system32\AVLibrary.dll
2009-05-10 19:00 . 2008-08-09 06:13 108552 ----a-w- e:\windows\system32\drivers\avgtdix.sys
2009-05-02 21:09 . 2009-04-04 20:20 25280 ----a-w- e:\windows\system32\drivers\hamachi.sys
2004-10-01 21:00 . 2008-08-16 11:24 40960 ----a-w- e:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-07-24_21.42.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-27 04:27 . 2009-07-27 04:27 16384 e:\windows\Temp\Perflib_Perfdata_17c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="e:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"AIM"="e:\program files\AIM\aim.exe" [2004-08-10 61440]
"BitTorrent DNA"="e:\program files\DNA\btdna.exe" [2009-01-06 342848]
"ctfmon.exe"="e:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="e:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="e:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"NvCplDaemon"="e:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"MSPY2002"="e:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"IMJPMIG8.1"="e:\windows\IME\imjp8_1\IMJPMIG.EXE" [2007-05-21 208952]
"AVG8_TRAY"="e:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]
"EPSON Stylus CX4800 Series"="e:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-01 98304]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"QuickTime Task"="e:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="e:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"nwiz"="nwiz.exe" - e:\windows\system32\nwiz.exe [2003-07-28 323584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="e:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
"DWQueuedReporting"="e:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - e:\windows\system32\narrator.exe [2007-01-16 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-26 18:21 11952 ----a-w- e:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\Messenger\\msmsgs.exe"=
"e:\\Program Files\\MSN\\MSNCoreFiles\\Install\\msnsusii.exe"=
"e:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Talikira Kyereon\\Desktop\\Skype.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\DNA\\btdna.exe"=
"f:\\Warcraft III\\Warcraft III.exe"=
"e:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"e:\\Program Files\\AIM\\aim.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:6112
"6112:UDP"= 6112:UDP:6112

R0 Lbd;Lbd;e:\windows\system32\drivers\Lbd.sys [15/07/2009 7:54 PM 64160]
R0 viaraid;viaraid;e:\windows\system32\drivers\viaraid.sys [23/02/2007 8:37 PM 70272]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;e:\windows\system32\drivers\avgldx86.sys [09/08/2008 12:13 AM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;e:\windows\system32\drivers\avgtdix.sys [09/08/2008 12:13 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;e:\progra~1\AVG\AVG8\avgemc.exe [09/08/2008 12:13 AM 907032]
R2 avg8wd;AVG Free8 WatchDog;e:\progra~1\AVG\AVG8\avgwdsvc.exe [09/08/2008 12:13 AM 298776]
R2 TabletServiceWacom;TabletServiceWacom;e:\windows\system32\Wacom_Tablet.exe [05/04/2008 12:20 AM 1373480]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;e:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 8:49 AM 1029456]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
e:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2009-07-23 e:\windows\Tasks\Ad-Aware Update (Weekly).job
- e:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Open In New Avant Browser - c:\program files\Avant Browser\OpenInNewBrowser.htm
.

**************************************************************************

catchme 0.3.1398.3 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-26 22:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1275210071-616249376-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:c4,25,d7,2b,3f,d9,65,1a,8d,e2,b5,62,22,82,00,ef,b7,7e,35,b1,18,
d0,5d,e2,9a,e9,02,83,47,7c,22,7e,f1,c3,1d,0d,68,a4,81,90,9a,b6,ef,dc,07,55,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44

[HKEY_LOCAL_MACHINE\software\Microsoft\DirectPlay\Service Providers\D*i*r*e*c*t*P*l*a*y* *k0[Y00 *rpo *T*C*P*/*I*P* *c}\Address Types\{C4A54DA0-E0AF-11cf-9C4E-00A0C905425E}]
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\DirectPlay\Service Providers\D*i*r*e*c*t*P*l*a*y* *k0[Y00|qc}\Address Types\{F2F0CE00-E0AF-11cf-9C4E-00A0C905425E}]
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\DirectPlay\Service Providers\D*i*r*e*c*t*P*l*a*y* *k0[Y00c}\Address Types\{78EC89A0-E0AF-11cf-9C4E-00A0C905425E}]
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\DirectPlay\Service Providers\D*i*r*e*c*t*P*l*a*y* *k0[Y00c}\Address Types\{F6DCC200-A2FE-11d0-9C4F-00A0C905425E}]
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2016)
e:\windows\system32\WPDShServiceObj.dll
e:\windows\system32\PortableDeviceTypes.dll
e:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-07-27 22:44
ComboFix-quarantined-files.txt 2009-07-27 04:44
ComboFix2.txt 2009-07-24 21:43

Pre-Run: 2,499,194,880 bytes free
Post-Run: 2,634,113,024 bytes free

176 --- E O F --- 2008-12-06 21:22

#8 SifuMike (malware expert)

Posted 27 July 2009 - 12:20 AM

Hi Talikira,


Now lets check for lingering malware.

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires the Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button shown.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the button shown.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button shown, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post even if it finds nothing.
You can refer to this animation by sundavis if needed.

#9 Talikira (Topic Starter)

Posted 27 July 2009 - 11:05 PM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, July 27, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, July 28, 2009 00:42:13
Records in database: 2556121
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 180082
Threat name: 4
Infected objects: 15
Suspicious objects: 0
Duration of the scan: 04:24:48


File name / Threat name / Threats count
C:\Documents and Settings\Talikira Kyereon\Local Settings\Temporary Internet Files\Content.IE5\01QNGHIJ\1[1].htm Infected: Trojan-Downloader.JS.FraudLoad.c 1
C:\Documents and Settings\Talikira Kyereon\Local Settings\Temporary Internet Files\Content.IE5\0J2LM5O7\1[1].htm Infected: Trojan-Downloader.JS.FraudLoad.c 1
C:\Documents and Settings\Talikira Kyereon\Local Settings\Temporary Internet Files\Content.IE5\7MBDHXJZ\smain[1].php Infected: Trojan-Downloader.JS.Agent.dyw 1
C:\Documents and Settings\Talikira Kyereon\Local Settings\Temporary Internet Files\Content.IE5\7MBDHXJZ\smain[2].php Infected: Trojan-Downloader.JS.Agent.dyw 1
C:\Documents and Settings\Talikira Kyereon\Local Settings\Temporary Internet Files\Content.IE5\7MBDHXJZ\smain[3].php Infected: Trojan-Downloader.JS.Agent.dyw 1
C:\Documents and Settings\Talikira Kyereon\Local Settings\Temporary Internet Files\Content.IE5\7MBDHXJZ\smain[4].php Infected: Trojan-Downloader.JS.Agent.dyw 1
C:\Documents and Settings\Talikira Kyereon\Local Settings\Temporary Internet Files\Content.IE5\7MBDHXJZ\smain[5].php Infected: Trojan-Downloader.JS.Agent.dyw 1
C:\Documents and Settings\Talikira Kyereon\Local Settings\Temporary Internet Files\Content.IE5\KHMB81AZ\smain[1].php Infected: Trojan-Downloader.JS.Agent.dyw 1
C:\Documents and Settings\Talikira Kyereon\Local Settings\Temporary Internet Files\Content.IE5\KHMB81AZ\smain[2].php Infected: Trojan-Downloader.JS.Agent.dyw 1
C:\Documents and Settings\Talikira Kyereon\Local Settings\Temporary Internet Files\Content.IE5\KHMB81AZ\smain[3].php Infected: Trojan-Downloader.JS.Agent.dyw 1
C:\Documents and Settings\Talikira Kyereon\Local Settings\Temporary Internet Files\Content.IE5\KLINO9MF\1[1].htm Infected: Trojan-Downloader.JS.FraudLoad.c 1
C:\Documents and Settings\Talikira Kyereon\Local Settings\Temporary Internet Files\Content.IE5\KLINO9MF\smain[1].php Infected: Trojan-Downloader.JS.Agent.dyw 1
C:\Program Files\mIRC\backup\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 1
E:\Qoobox\Quarantine\E\WINDOWS\system32\geyekrrooytbxm.dll.vir Infected: Trojan.Win32.Agent.crez 1

The selected area was scanned.

#10 SifuMike (malware expert)

Posted 28 July 2009 - 12:12 AM

Hi Talikira,

Most of the files Kaspersky found were in your temp folder. It also found a file previously quarantined by ComboFix.

We will get rid of those files in the temp folder with ATF.

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


I think we have you clean. :thumbup2:
Please tell me how your computer is running.
We still have one more step to do and that is the program clean up.


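
The reasoning in the reply above (cache hits need only a cache wipe, a .vir file under Qoobox is already quarantined, and mIRC is riskware rather than an infection) is the triage a practitioner does on every scanner report. The following script is an added example for this thread, not Kaspersky's or SifuMike's code; it parses the "File name / Threat name / Threats count" lines of a Kaspersky Online Scanner report (embedded here as a constructed sample copied from the report posted above) and sorts each hit into what still needs action. The category names and the functions classify, triage and threat_names are chosen here.

```python
"""Sort a Kaspersky Online Scanner report into what still needs action.
Added example for this thread, not Kaspersky's or the helper's code."""
import re
from collections import defaultdict

# Constructed sample: a subset of the report lines posted above.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\Talikira Kyereon\Local Settings\Temporary Internet Files\Content.IE5\01QNGHIJ\1[1].htm Infected: Trojan-Downloader.JS.FraudLoad.c 1
C:\Documents and Settings\Talikira Kyereon\Local Settings\Temporary Internet Files\Content.IE5\7MBDHXJZ\smain[1].php Infected: Trojan-Downloader.JS.Agent.dyw 1
C:\Documents and Settings\Talikira Kyereon\Local Settings\Temporary Internet Files\Content.IE5\KHMB81AZ\smain[2].php Infected: Trojan-Downloader.JS.Agent.dyw 1
C:\Documents and Settings\Talikira Kyereon\Local Settings\Temporary Internet Files\Content.IE5\KLINO9MF\1[1].htm Infected: Trojan-Downloader.JS.FraudLoad.c 1
C:\Program Files\mIRC\backup\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 1
E:\Qoobox\Quarantine\E\WINDOWS\system32\geyekrrooytbxm.dll.vir Infected: Trojan.Win32.Agent.crez 1

The selected area was scanned.
"""

# One detection line: "<path> Infected: <threat name> <count>"; paths contain spaces.
HIT_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")


def classify(path, threat):
    """Decide what a hit means for clean-up. Order matters: riskware is judged
    by the threat name before the location is considered, and anything that
    matches no known safe location is treated as live."""
    low = path.lower()
    if threat.startswith("not-a-virus:"):
        return "riskware"        # legitimate tool flagged by policy (mIRC here)
    if "\\qoobox\\quarantine\\" in low or low.endswith(".vir"):
        return "quarantined"     # already neutralised by ComboFix; removed by ComboFix /u
    if "\\temporary internet files\\" in low:
        return "browser_cache"   # inert copies of the pages that served the redirect
    return "active"              # still on disk in a live location: needs removal


def triage(report):
    """Group the report's hits as category -> [(path, threat)]."""
    groups = defaultdict(list)
    for line in report.splitlines():
        m = HIT_RE.match(line)
        if m:
            path, threat = m.group("path"), m.group("threat")
            groups[classify(path, threat)].append((path, threat))
    return groups


def threat_names(report):
    """Distinct threat names, the figure Kaspersky reports as 'Threat name: N'."""
    return sorted({threat for hits in triage(report).values() for _, threat in hits})


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_REPORT).items():
        print(f"{category}: {len(hits)}")
        for path, threat in hits:
            print(f"  {threat:40} {path}")
    print("distinct threat names:", len(threat_names(SAMPLE_REPORT)))
```

On the real report the "active" bucket is empty, which is what justifies "I think we have you clean": the only genuinely malicious binary on the list is the .vir file already sitting in ComboFix's quarantine, and the cached FraudLoad and JS.Agent pages are evidence of what the redirect sites served rather than something that still runs. The cache entries are still worth wiping (the ATF step above) so a later scan does not keep reporting them.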

#11 Talikira (Topic Starter)

Posted 28 July 2009 - 08:26 PM

Everything's running smoothly! Thank you so much! I haven't run into that overclick site or anything related to it, and my HD partition is still working. :> That last step freed up around 160mb too, which surprised me, haha.

If I run into any troubles, I'll make sure to come back here. You guys are great. c:

#12 SifuMike (malware expert)

Posted 28 July 2009 - 10:01 PM

Hi Talikira,

Not quite done yet. :thumbup2:
We still have one more step to do and that is the program clean up.

Delete Security Check from your desktop.

Uninstall ComboFix: go to Start > Run and type in ComboFix /u
Make sure there's a space between ComboFix and /
Then hit Enter.

This will uninstall ComboFix, delete any of its related folders and files (Qoobox, VundoFix Backups, Avenger, _OTM3), reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


Please read and follow

Simple and easy ways to keep your computer safe and secure on the Internet
as well
Groovicus' Guide to Simple PC Security to help keep yourself from becoming infected again, as well as
How did I get infected?, With steps so it does not happen again!
as well as
How to prevent Malware by miekiemoes

If you want to improve speed/system performance after malware removal, take a look here.

#13 Talikira (Topic Starter)

Posted 31 July 2009 - 01:22 AM

Sorry for the late reply again! I deleted Security check and uninstalled ComboFix. Is that all?

#14 SifuMike (malware expert)

Posted 31 July 2009 - 11:02 AM

Yes, you are good to go. :thumbup2:

#15 SifuMike (malware expert)

Posted 06 August 2009 - 09:40 PM

Since your problem appears to be resolved, this thread will now be closed.
