Help Please!


  • This topic is locked
1 reply to this topic

#1 ASmyrnos

  • Members
  • 1 posts
  • OFFLINE
  • Local time:08:03 PM

Posted 17 September 2009 - 08:28 PM

Here is my ComboFix log. I have run the program as well as my normal anti-virus but am still showing that I am infected. Can anybody help?

ComboFix 09-09-16.02 - Kate 09/16/2009 21:38.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.973 [GMT -4:00]
Running from: c:\documents and settings\Kate\Desktop\Combo-Fix.com.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\jewaweq.reg
c:\documents and settings\All Users\Documents\araxediqo.pif
c:\documents and settings\All Users\Documents\ixefozizy.vbs
c:\documents and settings\All Users\Documents\kyxynyv.vbs
c:\documents and settings\Kate\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\Kate\Application Data\olymexera.vbs
c:\documents and settings\Kate\Application Data\susurygo.bat
c:\documents and settings\Kate\Cookies\enixazu.ban
c:\documents and settings\Kate\Cookies\igovoda.reg
c:\documents and settings\Kate\Cookies\sehigug.scr
c:\documents and settings\Kate\Cookies\vajofew.bin
c:\documents and settings\Kate\Cookies\yrawonyx.inf
c:\documents and settings\Kate\Desktop\AntivirusPro_2010.lnk
c:\documents and settings\Kate\Local Settings\Application Data\pyxahef.bat
c:\documents and settings\Kate\Local Settings\Temporary Internet Files\abeweryja.inf
c:\documents and settings\Kate\Local Settings\Temporary Internet Files\pyxudiqu.sys
c:\documents and settings\Kate\Local Settings\Temporary Internet Files\ufajebih.bat
c:\documents and settings\Kate\Local Settings\Temporary Internet Files\wobyw._dl
c:\documents and settings\Kate\Local Settings\Temporary Internet Files\xyzih.bin
c:\documents and settings\Kate\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\Kate\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\Kate\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
c:\program files\AntivirusPro_2010
c:\program files\AntivirusPro_2010\AntivirusPro_2010.cfg
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
c:\program files\AntivirusPro_2010\AVEngn.dll
c:\program files\AntivirusPro_2010\data\daily.cvd
c:\program files\AntivirusPro_2010\htmlayout.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll
c:\program files\AntivirusPro_2010\pthreadVC2.dll
c:\program files\AntivirusPro_2010\wscui.cpl
c:\program files\Common Files\jejut.com
c:\program files\Common Files\jeworeb.bin
c:\windows\apanaru.bat
c:\windows\bilalozu.dl
c:\windows\braviax.exe
c:\windows\cru629.dat
c:\windows\dekih.ban
c:\windows\honisy.exe
c:\windows\Installer\1771f42e.msp
c:\windows\kb913800.exe
c:\windows\siva.bat
c:\windows\system32\_scui.cpl
c:\windows\system32\~.exe
c:\windows\system32\braviax.exe
c:\windows\system32\cru629.dat
c:\windows\system32\ikenur.sys
c:\windows\system32\wbem\proquota.exe
c:\windows\system32\wisdstr.exe
c:\windows\system32\ysegojyv.vbs

Infected copy of c:\windows\system32\drivers\beep.sys was found and disinfected
Restored copy from - c:\i386\beep.sys

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-08-17 to 2009-09-17 )))))))))))))))))))))))))))))))
.

2009-09-17 01:42 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-16 04:30 . 2009-09-16 04:30 18640 ----a-w- c:\windows\uwepa.com
2009-09-16 04:30 . 2009-09-16 04:30 11240 ----a-w- c:\program files\Common Files\edilywemib.dat
2009-09-16 04:26 . 2009-09-16 04:26 49066 ----a-w- C:\psiefutv.exe
2009-09-16 04:26 . 2009-09-16 04:26 73728 ----a-w- C:\xjehx.exe
2009-09-16 04:26 . 2009-09-16 04:26 49152 ----a-w- C:\scmhux.exe
2009-09-16 04:26 . 2009-09-16 04:26 79360 ----a-w- C:\wpfpqa.exe
2009-09-16 04:26 . 2009-09-16 04:26 19968 ----a-w- C:\udtcnn.exe
2009-09-16 04:26 . 2009-09-16 04:26 28672 ----a-w- c:\windows\system32\dllcache\beep.sys
2009-09-13 00:41 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-16 04:30 . 2009-09-16 04:30 18253 ----a-w- c:\documents and settings\All Users\Application Data\opih.dat
2009-09-16 04:28 . 2008-10-04 00:11 -------- d-----w- c:\documents and settings\Kate\Application Data\mjusbsp
2009-09-14 22:24 . 2008-10-03 00:25 -------- d-----w- c:\program files\Lx_cats
2009-09-13 07:11 . 2009-05-15 04:31 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-06 02:45 . 2008-12-11 22:25 -------- d-----w- c:\documents and settings\Kate\Application Data\dvdcss
2009-08-25 12:36 . 2009-05-21 01:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-25 12:36 . 2009-05-21 01:04 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-25 12:36 . 2009-05-21 01:04 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-14 02:55 . 2009-08-14 02:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
2009-08-14 02:55 . 2009-08-14 02:55 -------- d--h--r- c:\documents and settings\Kate\Application Data\SecuROM
2009-08-14 02:55 . 2009-02-23 14:27 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-08-14 02:54 . 2009-08-14 02:54 -------- d-----w- c:\program files\Games A Go-Go
2009-08-05 09:01 . 2005-08-16 10:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2005-08-16 10:19 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2005-08-16 10:18 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2005-08-16 10:18 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2005-08-16 10:18 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2005-08-16 10:18 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2005-08-16 10:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2005-08-16 10:18 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2005-08-16 10:18 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2005-08-16 10:18 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-01-17 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-17 98304]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"LXCJCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll" [2006-02-24 73728]
"lxcjmon.exe"="c:\program files\Lexmark 8300 Series\lxcjmon.exe" [2005-09-30 200704]
"EzPrint"="c:\program files\Lexmark 8300 Series\ezprint.exe" [2006-04-19 94208]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-25 2007832]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-1-17 24576]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-25 12:36 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Java\\j2re1.4.2_13\\bin\\javaw.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Documents and Settings\\Kate\\Application Data\\mjusbsp\\magicJack.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/20/2009 9:04 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/20/2009 9:05 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/20/2009 9:04 PM 297752]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-16 21:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCJCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-446829463-2410349525-3034656324-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:85,a0,2b,b4,ab,55,4a,cf,11,9f,b2,2d,10,4b,ec,e5,86,7d,24,ce,72,55,00,
df,b1,09,3a,64,df,18,9c,99,ba,ed,a2,ba,b7,38,06,00,55,6c,93,3d,a7,73,ff,25,\
"??"=hex:d8,e4,3e,63,48,cb,17,67,cf,c0,e3,47,a1,2d,2f,ed
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2648)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\lxcjcoms.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-09-17 21:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-17 01:47

Pre-Run: 47,490,555,904 bytes free
Post-Run: 47,507,419,136 bytes free

216 --- E O F --- 2009-09-13 07:04

#2 tg1911

    Lord Spam Magnet

  • Members
  • 19,274 posts
  • OFFLINE
  • Gender:Male
  • Location:SW Louisiana
  • Local time:06:03 PM

Posted 17 September 2009 - 10:08 PM

ComboFix logs should not be posted outside the HijackThis forums. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.

Please create a new topic in the Am I infected? What do I do? forum, explaining the nature of your problem. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed.
MOBO: GIGABYTE GA-MA790X-UD4P, CPU: Phenom II X4 955 Deneb BE, HS/F: CoolerMaster V8, RAM: 2 x 1G Kingston HyperX DDR2 800, VGA: ECS GeForce Black GTX 560, PSU: Antec TruePower Modular 750W, Soundcard: Asus Xonar D1, Case: CoolerMaster COSMOS 1000, Storage: Internal - 2 x Seagate 250GB SATA, 2 x WD 1TB SATA; External - Seagate 500GB USB, WD 640GB eSATA, 3 x WD 1TB eSATA
