
worm.win32.netsky removal


30 replies to this topic

#1 jonasauruz

  • Members
  • 18 posts
  • Local time:07:33 AM

Posted 31 January 2010 - 10:43 PM

Hi all....

Please help... I don't know how the virus took total control... I was using my laptop as a wireless connection to my Xbox and my screen went out, and after replacing the part and getting it back from the repair shop I find my laptop, which was just a bit buggy before, is now fully infected. I use Comodo Free, but the virus seems to have gotten a hold of it like a minion, so it isn't functioning properly and it didn't delete it when I ran its scanner. It is the win32.netsky worm, says my system... and I can't use regedit or Task Manager. I get pop-ups etc.... Here is my HJT log. I hope I don't get dinged for posting it in the wrong area; I don't really have forum experience, so excuse my retardation!!

HJT log follows

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:32:12, on 30.01.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\winupdate86.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O2 - BHO: Comodo VerificationEngine Browser Helper NEW - {A968A4B4-C492-4834-B651-17602C3885C8} - C:\Program Files\Comodo\VEngine\VEngineIE32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKLM\..\Run: [nowofezov] Rundll32.exe "c:\windows\system32\siruguhu.dll",a
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{018A4CF3-F1F4-4257-B9C7-A3A0AC70D8D0}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{0CF9B835-2D2E-459B-B2EF-EB665F28DE52}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{298477EC-847C-4C0A-8F61-E45B7E6283CF}: NameServer = 83.149.115.157,4.2.2.1,68.87.76.182 68.87.78.134
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6DD66E6-4A3D-491E-814D-5243AB1D8D0A}: NameServer = 83.149.115.157,4.2.2.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{018A4CF3-F1F4-4257-B9C7-A3A0AC70D8D0}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CS2\Services\Tcpip\..\{018A4CF3-F1F4-4257-B9C7-A3A0AC70D8D0}: NameServer = 156.154.70.22,156.154.71.22
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll c:\windows\system32\lolotawe.dll c:\windows\system32\humulese.dll juhofido.dll c:\windows\system32\siruguhu.dll c:\windows\system32\guhukene.dll c:\windows\system32\tifileze.dll c:\windows\system32\pedabara.dll
O21 - SSODL: wibemogog - {9bd3f3a5-72ad-489d-88b7-442882fa01ec} - c:\windows\system32\lolotawe.dll (file missing)
O21 - SSODL: zaviromuf - {1ab11b33-1d3e-4da8-a037-f26fc11cecd5} - c:\windows\system32\humulese.dll (file missing)
O21 - SSODL: pobabowup - {69df4313-fb4c-4430-bb1e-782c7f0fa088} - c:\windows\system32\tifileze.dll
O21 - SSODL: kiyokefut - {1a173481-e97f-4039-b2e0-95f5c3a8e009} - c:\windows\system32\pedabara.dll
O21 - SSODL: mewelafen - {4da7fb53-009e-4911-b32b-137b10e223a7} - c:\windows\system32\tifileze.dll
O21 - SSODL: yipafeyat - {cc1aba7d-6aab-4a09-b020-36c5db2b6c3e} - c:\windows\system32\guhukene.dll
O21 - SSODL: jajiruwoh - {5ab75997-f7fa-4523-a8d1-68a43e1da2d7} - c:\windows\system32\tifileze.dll
O21 - SSODL: votiseted - {a8c2f360-9ab8-44d4-9137-bb1f7b73261d} - c:\windows\system32\pedabara.dll
O22 - SharedTaskScheduler: gahurihor - {9bd3f3a5-72ad-489d-88b7-442882fa01ec} - c:\windows\system32\lolotawe.dll (file missing)
O22 - SharedTaskScheduler: tokatiluy - {1ab11b33-1d3e-4da8-a037-f26fc11cecd5} - c:\windows\system32\humulese.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {69df4313-fb4c-4430-bb1e-782c7f0fa088} - c:\windows\system32\tifileze.dll
O22 - SharedTaskScheduler: gahurihor - {1a173481-e97f-4039-b2e0-95f5c3a8e009} - c:\windows\system32\pedabara.dll
O22 - SharedTaskScheduler: mujuzedij - {4da7fb53-009e-4911-b32b-137b10e223a7} - c:\windows\system32\tifileze.dll
O22 - SharedTaskScheduler: gahurihor - {cc1aba7d-6aab-4a09-b020-36c5db2b6c3e} - c:\windows\system32\guhukene.dll
O22 - SharedTaskScheduler: tokatiluy - {5ab75997-f7fa-4523-a8d1-68a43e1da2d7} - c:\windows\system32\tifileze.dll
O22 - SharedTaskScheduler: jugezatag - {a8c2f360-9ab8-44d4-9137-bb1f7b73261d} - c:\windows\system32\pedabara.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 11302 bytes

Thanks for any help... PS: I have found a site that seemed like it could help, but I don't fully understand HJT so I don't want to mess with it. PS: Malwarebytes is installed but will not start (post-infection installation), and I'm using safe mode with networking as of now. But on the good side I can still use it as a wireless for my 360!! Last thing, just popped up: "Trojan spm/lx" in a Windows error box.
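The HijackThis log above carries the evidence of the infection in a handful of entry types: the F2 UserInit hook (winlogon86.exe instead of userinit.exe), O4 Run entries named after system binaries (winupdate86.exe, smss32.exe) or loading random eight-letter DLLs through rundll32, the O20 AppInit_DLLs list, and the O21/O22 shell-load entries, several of which point at files that are already missing. The following script is an added example written for this thread, not part of the original post and not a HijackThis feature: it parses a subset of the log lines quoted above (copied verbatim into SAMPLE_LOG as sample input) and flags the entries a helper would look at first. The eight-lowercase-letter naming pattern and the "system name plus digits" pattern are heuristics derived from this log, not signatures, and treating guard32.dll as COMODO's own AppInit DLL is an assumption (it is the one DLL ComboFix leaves in AppInit_DLLs later in the thread).

```python
import re
from typing import List, Tuple

# Sample input: a constructed subset of the HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKLM\..\Run: [nowofezov] Rundll32.exe "c:\windows\system32\siruguhu.dll",a
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll c:\windows\system32\lolotawe.dll juhofido.dll
O21 - SSODL: wibemogog - {9bd3f3a5-72ad-489d-88b7-442882fa01ec} - c:\windows\system32\lolotawe.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {69df4313-fb4c-4430-bb1e-782c7f0fa088} - c:\windows\system32\tifileze.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Eight lowercase letters plus .dll/.exe: the naming pattern of the dropped files in this log
# (lolotawe.dll, tifileze.dll, siruguhu.dll ...). Heuristic derived from the log, not a signature.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(dll|exe)$")
# Names imitating core Windows binaries with a numeric suffix (winlogon86.exe, smss32.exe).
LOOKALIKE = re.compile(r"^(winlogon|winupdate|smss|svchost|lsass|csrss|userinit)\d+\.exe$", re.I)
# AppInit DLLs attributed to installed software. guard32.dll is taken to be COMODO's (assumption).
APPINIT_ALLOWLIST = {"guard32.dll"}

LINE = re.compile(r"^([RFO]\d+) - (.*)$")
# A drive-rooted path ending in .dll/.exe; lazy so that paths containing spaces still match.
PATH = re.compile(r'([a-z]:\\[^",]+?\.(?:dll|exe))', re.I)


def basename(path: str) -> str:
    """Lower-cased final path component (works for bare file names too)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, path) for every log entry that deserves a second look."""
    findings: List[Tuple[str, str, str]] = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "F2" and "UserInit=" in body:
            # HijackThis only lists UserInit when it differs from the default userinit.exe;
            # any other binary here is started by Winlogon at every logon.
            path = body.split("UserInit=", 1)[1].strip().rstrip(",")
            if basename(path) != "userinit.exe":
                findings.append((section, "UserInit hijack", path))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            # Each DLL listed here is loaded into every process that loads user32.dll.
            for token in body.split(":", 1)[1].split():
                if basename(token) not in APPINIT_ALLOWLIST:
                    findings.append((section, "AppInit_DLLs injection", token))
        elif section in ("O21", "O22"):
            # SSODL / SharedTaskScheduler entries are loaded by Explorer at shell start and
            # are rarely used by legitimate software; a missing file means a dangling key.
            pm = PATH.search(body)
            if pm:
                reason = "shell load entry"
                if "(file missing)" in body:
                    reason += ", file missing (dangling registry key)"
                findings.append((section, reason, pm.group(1)))
        elif section == "O4":
            for pm in PATH.finditer(body):
                name = basename(pm.group(1))
                if LOOKALIKE.match(name):
                    findings.append((section, "Run entry mimicking a system binary", pm.group(1)))
                elif RANDOM_NAME.match(name):
                    findings.append((section, "Run entry with random-looking name", pm.group(1)))
    return findings


if __name__ == "__main__":
    for section, reason, path in analyze(SAMPLE_LOG):
        print(f"{section:4} {reason:50} {path}")
```

Feeding the full log from the post through analyze() flags the same families of entries: the UserInit hook, the three suspicious Run entries, every AppInit DLL except guard32.dll, and all sixteen O21/O22 entries. Legitimate entries such as the COMODO and Bonjour paths produce no findings, which is the point of the allowlist and of keying on naming patterns rather than on the mere presence of an entry.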


#2 fenzodahl512

  • Members
  • 6,738 posts
  • Local time:11:33 PM

Posted 01 February 2010 - 06:47 AM

Please make sure you disable ALL of your antivirus/antispyware/firewall programs before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 jonasauruz

  • Topic Starter
  • Members
  • 18 posts
  • Local time:07:33 AM

Posted 01 February 2010 - 02:38 PM

Here is the ComboFix log... During setup it couldn't download the Recovery Console even though it had internet connectivity... I think it's the virus's fault... but I'm going to attempt to download it manually now that it has run.

log follows...

ComboFix 10-02-01.01 - Owner 01.02.2010 19:18:36.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.352.1033.18.2047.1758 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
c:\documents and settings\Custom Settings\TaskBarCmd v1.1.exe
c:\documents and settings\Owner\Start Menu\Programs\Startup\MagicDisc.lnk
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\Fonts\MyriadPro-Regular.otf
c:\windows\system32\10394.exe
c:\windows\system32\11413.exe
c:\windows\system32\11478.exe
c:\windows\system32\11822.exe
c:\windows\system32\11942.exe
c:\windows\system32\12382.exe
c:\windows\system32\14545.exe
c:\windows\system32\14604.exe
c:\windows\system32\15219.exe
c:\windows\system32\153.exe
c:\windows\system32\15724.exe
c:\windows\system32\16051.exe
c:\windows\system32\16827.exe
c:\windows\system32\17345.exe
c:\windows\system32\17421.exe
c:\windows\system32\17863.exe
c:\windows\system32\18467.exe
c:\windows\system32\18716.exe
c:\windows\system32\19169.exe
c:\windows\system32\19718.exe
c:\windows\system32\19798.exe
c:\windows\system32\19991.exe
c:\windows\system32\23281.exe
c:\windows\system32\24464.exe
c:\windows\system32\24587.exe
c:\windows\system32\25145.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\28451.exe
c:\windows\system32\29187.exe
c:\windows\system32\292.exe
c:\windows\system32\29358.exe
c:\windows\system32\2995.exe
c:\windows\system32\30018.exe
c:\windows\system32\30288.exe
c:\windows\system32\31121.exe
c:\windows\system32\32391.exe
c:\windows\system32\3902.exe
c:\windows\system32\404Fix.exe
c:\windows\system32\4409.exe
c:\windows\system32\4827.exe
c:\windows\system32\4904.exe
c:\windows\system32\491.exe
c:\windows\system32\5157.exe
c:\windows\system32\5436.exe
c:\windows\system32\5659.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\691.exe
c:\windows\system32\862.exe
c:\windows\system32\9226.exe
c:\windows\system32\9961.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\AVR10.exe
c:\windows\system32\baneyise.dll.tmp
c:\windows\system32\dapapifu.dll
c:\windows\system32\datufobu.dll
c:\windows\system32\dejufedu.dll
c:\windows\system32\detokaje.dll
c:\windows\system32\dumphive.exe
c:\windows\system32\dutosufa.dll.tmp
c:\windows\system32\duweweba.exe
c:\windows\system32\fomaruzu.dll
c:\windows\system32\getuhaye.dll
c:\windows\system32\gosofuwu.dll
c:\windows\system32\guhukene.dll
c:\windows\system32\hamohive.dll
c:\windows\system32\helper32.dll
c:\windows\system32\hodidona.exe
c:\windows\system32\holusifo.dll
c:\windows\system32\hutikovu.dll
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\IS15.exe
c:\windows\system32\jokeyaza.dll
c:\windows\system32\juhofido.dll
c:\windows\system32\kevilasu.dll
c:\windows\system32\liwinise.exe
c:\windows\system32\meseleru.dll
c:\windows\system32\mesuraba.dll
c:\windows\system32\mofetoko.dll
c:\windows\system32\muvifedu.exe
c:\windows\system32\napolodu.dll
c:\windows\system32\nasorulu.exe
c:\windows\system32\nemulafu.dll
c:\windows\system32\nolopitu.dll
c:\windows\system32\nupihuse.dll
c:\windows\system32\nuvazege.dll
c:\windows\system32\o4Patch.exe
c:\windows\system32\pedabara.dll
c:\windows\system32\pipibuju.dll
c:\windows\system32\piyumezi.dll
c:\windows\system32\Process.exe
c:\windows\system32\rejogedi.dll
c:\windows\system32\rigebevu.dll
c:\windows\system32\rijenise.dll
c:\windows\system32\royotago.dll
c:\windows\system32\ruhefife.dll
c:\windows\system32\ruhegozi.dll
c:\windows\system32\sesotoja.dll
c:\windows\system32\silehoya.dll
c:\windows\system32\siruguhu.dll
c:\windows\system32\smss32.exe
c:\windows\system32\sofadeza.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\suduvumi.dll
c:\windows\system32\tamejube.dll
c:\windows\system32\tifileze.dll
c:\windows\system32\tmp.reg
c:\windows\system32\tumuwaku.dll
c:\windows\system32\twain_32.dll
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\vefavalo.dll
c:\windows\system32\vetidika.dll
c:\windows\system32\vihokaso.exe
c:\windows\system32\wepakezu.dll
c:\windows\system32\wifekeba.dll
c:\windows\system32\wifenoho.dll
c:\windows\system32\winhelper86.dll
c:\windows\system32\winlogon32.exe
c:\windows\system32\winlogon86.exe
c:\windows\system32\winupdate86.exe
c:\windows\system32\wisiwetu.dll
c:\windows\system32\wogirubi.dll
c:\windows\system32\wozajano.dll
c:\windows\system32\WS2Fix.exe
c:\windows\system32\yiyatuku.dll
c:\windows\system32\zefozawu.dll
c:\windows\system32\zesanido.dll
c:\windows\system32\zisafoje.dll
c:\windows\system32\zugedoge.dll.tmp
c:\windows\system32\zumidiba.dll
c:\windows\Tasks\tcgksuuo.job
c:\windows\Tasks\waixxcfh.job

----- BITS: Possible infected sites -----

hxxp://77.74.48.111
hxxp://82.98.231.102
hxxp://77.74.48.116
.
((((((((((((((((((((((((( Files Created from 2010-01-02 to 2010-02-02 )))))))))))))))))))))))))))))))
.

2010-02-02 03:26 . 2010-02-02 03:26 -------- d-----w- c:\windows\system32\xircom
2010-02-02 03:26 . 2010-02-02 03:26 -------- d-----w- c:\windows\system32\wbem\snmp
2010-02-02 03:26 . 2010-02-02 03:26 -------- d-----w- c:\windows\system32\oobe
2010-02-02 03:26 . 2010-02-02 03:26 -------- d-----w- c:\program files\microsoft frontpage
2010-02-01 02:59 . 2010-02-01 02:59 1049096 ----a-w- c:\program files\wpp.exe
2010-01-31 15:21 . 2010-01-31 15:21 -------- d-----w- c:\windows\Sun
2010-01-31 00:30 . 2010-01-31 00:30 -------- d-----w- c:\program files\Trend Micro
2010-01-31 00:20 . 2010-01-31 00:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-01-31 00:15 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-31 00:15 . 2010-01-31 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-31 00:15 . 2010-01-31 11:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-31 00:15 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-15 21:05 . 2010-01-15 21:05 262144 ----a-w- c:\windows\system32\default_user_class.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-01 02:59 . 2009-11-07 00:55 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\MEGAUPLOADTOOLBAR
2010-02-01 00:04 . 2009-09-15 19:57 -------- d-----w- c:\documents and settings\Owner\Application Data\MegauploadToolbar
2010-01-30 20:57 . 2009-09-05 04:31 -------- d-----w- c:\program files\BitComet
2010-01-28 20:21 . 2009-09-05 05:18 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-01-28 19:08 . 2009-09-17 18:51 -------- d-----w- c:\documents and settings\Guest\Application Data\MEGAUPLOADTOOLBAR
2010-01-26 19:16 . 2009-09-05 17:41 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-11-09 20:16 . 2009-11-09 20:16 128 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\fusioncache.dat
2009-11-09 20:16 . 2009-11-09 20:16 91208 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-06 00:01 . 2009-09-16 19:32 177024 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2ao06ijg.default\FlashGot.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
1601-01-01 00:03 . 1601-01-01 00:03 60928 --sha-w- c:\windows\system32\dadutiwo.dll
2009-09-14 21:03 . 2009-09-14 21:03 3 --sha-w- c:\windows\system32\dikijowa.dll
2009-09-10 21:42 . 2009-09-10 21:42 3 --sha-w- c:\windows\system32\dodirabu.dll
2009-09-15 20:26 . 2009-09-15 20:26 3 --sha-w- c:\windows\system32\forasuho.dll
2009-09-20 19:59 . 2009-09-20 19:59 12288 --sha-w- c:\windows\system32\ganafihe.exe
2009-09-10 21:42 . 2009-09-10 21:42 3 --sha-w- c:\windows\system32\habuneki.dll
2009-09-20 19:59 . 2009-09-20 19:59 3 --sha-w- c:\windows\system32\hemodogo.dll
2009-09-18 19:30 . 2009-09-18 19:30 45568 --sha-w- c:\windows\system32\jatipife.dll
2009-09-12 22:58 . 2009-09-12 22:58 3 --sha-w- c:\windows\system32\jinuyeju.dll
2009-09-10 00:13 . 2009-09-10 00:13 3 --sha-w- c:\windows\system32\kawugevu.dll
2009-09-11 22:15 . 2009-09-11 22:15 3 --sha-w- c:\windows\system32\loyijofi.dll
2009-09-17 22:38 . 2009-09-17 22:38 3 --sha-w- c:\windows\system32\mokufumi.dll
2009-09-15 20:26 . 2009-09-15 20:26 3 --sha-w- c:\windows\system32\pusevuwo.dll
2009-09-10 00:13 . 2009-09-10 00:13 3 --sha-w- c:\windows\system32\rejipabe.dll
2009-09-11 22:15 . 2009-09-11 22:15 3 --sha-w- c:\windows\system32\rujaheyi.dll
2009-09-19 19:41 . 2009-09-19 19:41 3 --sha-w- c:\windows\system32\serehera.dll
2009-09-18 19:30 . 2009-09-18 19:30 3 --sha-w- c:\windows\system32\towoyila.dll
2009-09-12 22:58 . 2009-09-12 22:58 3 --sha-w- c:\windows\system32\vajapaso.dll
2009-09-18 19:30 . 2009-09-18 19:30 3 --sha-w- c:\windows\system32\yejenujo.dll
1601-01-01 00:03 . 1601-01-01 00:03 93184 --sha-w- c:\windows\system32\yireniye.dll
2009-09-19 19:41 . 2009-09-19 19:41 3 --sha-w- c:\windows\system32\yobaruzi.dll
1601-01-01 00:03 . 1601-01-01 00:03 25088 --sha-w- c:\windows\system32\yozekute.exe
2009-09-14 21:03 . 2009-09-14 21:03 3 --sha-w- c:\windows\system32\zakejoki.dll
.

------- Sigcheck -------

[-] 2009-04-20 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys


c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-23 294696]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-09-17 1799952]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"RRT-Auto"="c:\documents and settings\Owner\My Documents\Downloads\RRT.exe" [2010-01-31 1738240]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-04-20 128512]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-22 40048]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\Owner\\My Documents\\Downloads\\procexp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20996:TCP"= 20996:TCP:BitComet 20996 TCP
"20996:UDP"= 20996:UDP:BitComet 20996 UDP

R0 crpf;crpf;c:\windows\system32\drivers\crpf.sys [04.09.2009 21:54 36512]
R0 csdf;csdf;c:\windows\system32\drivers\csdf.sys [04.09.2009 21:54 39456]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [04.09.2009 20:34 25160]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [04.09.2009 20:34 132296]
.
Contents of the 'Scheduled Tasks' folder

2010-02-01 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 22:07]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {018A4CF3-F1F4-4257-B9C7-A3A0AC70D8D0} = 156.154.70.22,156.154.71.22
TCP: {0CF9B835-2D2E-459B-B2EF-EB665F28DE52} = 156.154.70.22,156.154.71.22
TCP: {298477EC-847C-4C0A-8F61-E45B7E6283CF} = 83.149.115.157,4.2.2.1,68.87.76.182 68.87.78.134
TCP: {C6DD66E6-4A3D-491E-814D-5243AB1D8D0A} = 83.149.115.157,4.2.2.1
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2ao06ijg.default\
FF - component: c:\program files\Comodo\VEngine\VerificationEngine_ff3_5\components\VEngine.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{c4674018-1890-4adf-9f5d-5948b9c3d7fc} - nemulafu.dll
HKLM-Run-QuickTime Task - c:\program files\QuickTime Alternative\QTTask.exe
HKLM-Run-nowofezov - c:\windows\system32\tifileze.dll
HKLM-Run-rufewitapu - wisiwetu.dll
SharedTaskScheduler-{9bd3f3a5-72ad-489d-88b7-442882fa01ec} - c:\windows\system32\lolotawe.dll
SharedTaskScheduler-{1ab11b33-1d3e-4da8-a037-f26fc11cecd5} - c:\windows\system32\humulese.dll
SharedTaskScheduler-{69df4313-fb4c-4430-bb1e-782c7f0fa088} - c:\windows\system32\tifileze.dll
SharedTaskScheduler-{1a173481-e97f-4039-b2e0-95f5c3a8e009} - c:\windows\system32\pedabara.dll
SharedTaskScheduler-{4da7fb53-009e-4911-b32b-137b10e223a7} - c:\windows\system32\tifileze.dll
SharedTaskScheduler-{cc1aba7d-6aab-4a09-b020-36c5db2b6c3e} - c:\windows\system32\guhukene.dll
SharedTaskScheduler-{5ab75997-f7fa-4523-a8d1-68a43e1da2d7} - c:\windows\system32\tifileze.dll
SharedTaskScheduler-{a8c2f360-9ab8-44d4-9137-bb1f7b73261d} - c:\windows\system32\tifileze.dll
SharedTaskScheduler-{91730b6e-960e-45b7-8bfa-d3eac24aa4c6} - c:\windows\system32\guhukene.dll
SharedTaskScheduler-{537ace1e-6fa6-43ca-9f0c-d6a3b45a3dfe} - c:\windows\system32\pedabara.dll
SharedTaskScheduler-{f2ff08f6-72c1-4f44-aa67-856faf9503e7} - c:\windows\system32\pedabara.dll
SharedTaskScheduler-{cc726a7f-9e62-4cc7-a5b7-fe49edb3a016} - c:\windows\system32\guhukene.dll
SharedTaskScheduler-{16da045f-7593-4ebb-b6e3-bb9c5e5db19a} - c:\windows\system32\tifileze.dll
SharedTaskScheduler-{6bbfb3bc-1137-4771-a522-c65f0d31a59d} - c:\windows\system32\tifileze.dll
SSODL-wibemogog-{9bd3f3a5-72ad-489d-88b7-442882fa01ec} - c:\windows\system32\lolotawe.dll
SSODL-zaviromuf-{1ab11b33-1d3e-4da8-a037-f26fc11cecd5} - c:\windows\system32\humulese.dll
SSODL-pobabowup-{69df4313-fb4c-4430-bb1e-782c7f0fa088} - c:\windows\system32\tifileze.dll
SSODL-kiyokefut-{1a173481-e97f-4039-b2e0-95f5c3a8e009} - c:\windows\system32\pedabara.dll
SSODL-mewelafen-{4da7fb53-009e-4911-b32b-137b10e223a7} - c:\windows\system32\tifileze.dll
SSODL-yipafeyat-{cc1aba7d-6aab-4a09-b020-36c5db2b6c3e} - c:\windows\system32\guhukene.dll
SSODL-jajiruwoh-{5ab75997-f7fa-4523-a8d1-68a43e1da2d7} - c:\windows\system32\tifileze.dll
SSODL-votiseted-{a8c2f360-9ab8-44d4-9137-bb1f7b73261d} - c:\windows\system32\tifileze.dll
SSODL-rofufujez-{91730b6e-960e-45b7-8bfa-d3eac24aa4c6} - c:\windows\system32\guhukene.dll
SSODL-wejehalod-{537ace1e-6fa6-43ca-9f0c-d6a3b45a3dfe} - c:\windows\system32\pedabara.dll
SSODL-huhiwesiw-{f2ff08f6-72c1-4f44-aa67-856faf9503e7} - c:\windows\system32\pedabara.dll
SSODL-gufogewot-{cc726a7f-9e62-4cc7-a5b7-fe49edb3a016} - c:\windows\system32\guhukene.dll
SSODL-tahumugob-{16da045f-7593-4ebb-b6e3-bb9c5e5db19a} - c:\windows\system32\tifileze.dll
SSODL-ziriroral-{6bbfb3bc-1137-4771-a522-c65f0d31a59d} - c:\windows\system32\tifileze.dll
AddRemove-Atomic Front End 0.20 - c:\atomicfe_v020\Atomic_uninstal.exe
AddRemove-WinRAR archiver - e:\programs\Drive Installs\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-01 19:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,aa,fc,67,ce,cf,24,a2,41,b7,93,6f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,aa,fc,67,ce,cf,24,a2,41,b7,93,6f,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(224)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
.
Completion time: 2010-02-01 19:33:13 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-02 03:33

Pre-Run: 2 814 582 784 bytes free
Post-Run: 2 800 037 888 bytes free

- - End Of File - - CFFF206978C7EEF3F2E92B5EE0B62805

My dog hit my keyboard and opened Windows Search, but I hope it's not a big deal.... Just tried to get rc.iso or the Recovery Console from MS and no luck, so if you have a DL link to that, cool!!

Edited by jonasauruz, 01 February 2010 - 03:48 PM.


#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 02 February 2010 - 06:57 AM

Wow.. That's a lot of nasties!.. Can you tell me anything about this file? Looks suspicious to me..

c:\program files\wpp.exe



1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter

2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
KillAll::

File::
c:\windows\system32\dadutiwo.dll
c:\windows\system32\dikijowa.dll
c:\windows\system32\dodirabu.dll
c:\windows\system32\forasuho.dll
c:\windows\system32\ganafihe.exe
c:\windows\system32\habuneki.dll
c:\windows\system32\hemodogo.dll
c:\windows\system32\jatipife.dll
c:\windows\system32\jinuyeju.dll
c:\windows\system32\kawugevu.dll
c:\windows\system32\loyijofi.dll
c:\windows\system32\mokufumi.dll
c:\windows\system32\pusevuwo.dll
c:\windows\system32\rejipabe.dll
c:\windows\system32\rujaheyi.dll
c:\windows\system32\serehera.dll
c:\windows\system32\towoyila.dll
c:\windows\system32\vajapaso.dll
c:\windows\system32\yejenujo.dll
c:\windows\system32\yireniye.dll
c:\windows\system32\yobaruzi.dll
c:\windows\system32\yozekute.exe
c:\windows\system32\zakejoki.dll


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe/KittyFix.exe as depicted in the animation below. This will start ComboFix/KittyFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
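The CFScript above lists 23 randomly named files in system32. As an added example (not part of this thread and not ComboFix's own code), the Python below parses lines in the format of ComboFix's Find3M report and flags the traits those files show in the logs posted in this thread: system+hidden attributes under system32, "DLLs" a few bytes long, timestamps at 1601, and pseudo-random 8-letter names. The sample lines are constructed after the logs here, and the name heuristic is this example's own, not a ComboFix rule.

```python
"""Flag suspicious entries in a ComboFix Find3M report (example code, not ComboFix's)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One Find3M line, as seen in the ComboFix logs in this thread:
#   <created> . <modified> <size-or-8-dashes> <8 attribute flags> <path>
# e.g. attrs "--sha-w-" = system, hidden, archive, writable; "d-----w-" = directory.
FIND3M_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) "
    r"(?P<attrs>[-a-z]{8}) "
    r"(?P<path>\S.*)$"
)

VOWELS = set("aeiou")
SYSTEM32 = "\\windows\\system32\\"

# Constructed sample: three benign lines plus three modelled on the payload files
# the CFScript above removes (same attribute/size/timestamp traits as in this thread).
SAMPLE_REPORT = r"""
2009-12-21 19:14 . 2009-04-20 18:19 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 15:51 . 2008-04-14 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2010-01-30 20:57 . 2009-09-05 04:31 -------- d-----w- c:\program files\BitComet
1601-01-01 00:03 . 1601-01-01 00:03 60928 --sha-w- c:\windows\system32\dadutiwo.dll
2009-09-14 21:03 . 2009-09-14 21:03 3 --sha-w- c:\windows\system32\dikijowa.dll
2009-09-20 19:59 . 2009-09-20 19:59 12288 --sha-w- c:\windows\system32\ganafihe.exe
"""


@dataclass(frozen=True)
class Find3MEntry:
    created: str
    modified: str
    size: Optional[int]  # None for directories (size column is all dashes)
    attrs: str
    path: str

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_find3m(report: str) -> List[Find3MEntry]:
    """Parse Find3M lines; anything that does not match the format is skipped."""
    entries = []
    for line in report.splitlines():
        m = FIND3M_LINE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Find3MEntry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def looks_generated(name: str) -> bool:
    """Heuristic of this example: the payload names in this thread (lolotawe, tifileze,
    dadutiwo, ...) are exactly 8 lowercase letters in strict consonant-vowel alternation.
    Genuine Windows binaries rarely fit that; treat a hit as a lead, not a verdict."""
    stem = name.rsplit(".", 1)[0]
    if len(stem) != 8 or not stem.isalpha() or not stem.islower():
        return False
    return all((ch in VOWELS) == (i % 2 == 1) for i, ch in enumerate(stem))


def suspicion_reasons(entry: Find3MEntry) -> List[str]:
    """Return the indicators one entry triggers (empty list means nothing notable)."""
    reasons = []
    is_binary = entry.basename.endswith((".dll", ".exe", ".sys"))
    in_system32 = SYSTEM32 in entry.path.lower()
    if in_system32 and "s" in entry.attrs and "h" in entry.attrs:
        reasons.append("system+hidden attributes on a file under system32")
    if is_binary and entry.size is not None and entry.size < 64:
        # A PE image needs at least a DOS header and PE headers; 3 bytes is a stub.
        reasons.append(f"{entry.size}-byte file cannot be a valid PE image")
    if entry.created.startswith("1601-") or entry.modified.startswith("1601-"):
        # 1601-01-01 is the Windows FILETIME epoch: a zeroed/tampered timestamp.
        reasons.append("timestamp at the FILETIME epoch (1601): likely tampered")
    if is_binary and looks_generated(entry.basename):
        reasons.append("pseudo-random 8-letter name")
    return reasons


def flag_report(report: str) -> Dict[str, List[str]]:
    """Map each suspicious path in the report to the indicators it triggered."""
    flagged = {}
    for entry in parse_find3m(report):
        reasons = suspicion_reasons(entry)
        if reasons:
            flagged[entry.path] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in flag_report(SAMPLE_REPORT).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```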


#5 jonasauruz

jonasauruz
  • Topic Starter

  • Members
  • 18 posts

Posted 02 February 2010 - 04:28 PM

Thank you so much for your help BTW...

HJT Log Follows

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:48:24, on 02.02.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Comodo VerificationEngine Browser Helper NEW - {A968A4B4-C492-4834-B651-17602C3885C8} - C:\Program Files\Comodo\VEngine\VEngineIE32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RRT-Auto] C:\Documents and Settings\Owner\My Documents\Downloads\RRT.exe auto
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{018A4CF3-F1F4-4257-B9C7-A3A0AC70D8D0}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6DD66E6-4A3D-491E-814D-5243AB1D8D0A}: NameServer = 83.149.115.157,4.2.2.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{018A4CF3-F1F4-4257-B9C7-A3A0AC70D8D0}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CS2\Services\Tcpip\..\{018A4CF3-F1F4-4257-B9C7-A3A0AC70D8D0}: NameServer = 156.154.70.22,156.154.71.22
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7445 bytes

-----------------------------------------------------------------------------------------------------------------------------------------------------------

CFix Log Follows...

ComboFix 10-02-01.01 - Owner 02.02.2010 0:41.2.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.352.1033.18.2047.1702 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2010-01-02 to 2010-02-02 )))))))))))))))))))))))))))))))
.

2010-02-02 05:15 . 2009-10-12 13:28 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2010-02-02 05:13 . 2009-10-21 05:38 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2010-02-02 05:13 . 2009-10-21 05:38 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2010-02-02 05:13 . 2009-10-20 16:20 265728 ------w- c:\windows\system32\dllcache\http.sys
2010-02-02 05:13 . 2009-10-13 10:38 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2010-02-02 05:13 . 2009-08-25 09:27 354816 ------w- c:\windows\system32\dllcache\winhttp.dll
2010-02-02 05:10 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-02-02 05:03 . 2009-07-31 04:24 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2010-02-02 05:03 . 2009-07-31 04:24 1447424 ------w- c:\windows\system32\dllcache\msxml6.dll
2010-02-02 03:26 . 2010-02-02 03:26 -------- d-----w- c:\windows\system32\xircom
2010-02-02 03:26 . 2010-02-02 03:26 -------- d-----w- c:\windows\system32\wbem\snmp
2010-02-02 03:26 . 2010-02-02 03:26 -------- d-----w- c:\windows\system32\oobe
2010-02-02 03:26 . 2010-02-02 03:26 -------- d-----w- c:\program files\microsoft frontpage
2010-01-31 15:21 . 2010-01-31 15:21 -------- d-----w- c:\windows\Sun
2010-01-31 00:30 . 2010-01-31 00:30 -------- d-----w- c:\program files\Trend Micro
2010-01-31 00:20 . 2010-01-31 00:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-01-31 00:15 . 2010-01-31 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-31 00:15 . 2010-02-02 08:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-15 21:05 . 2010-01-15 21:05 262144 ----a-w- c:\windows\system32\default_user_class.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-02 07:54 . 2009-09-05 04:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-02 07:42 . 2009-09-05 00:01 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-01 02:59 . 2009-11-07 00:55 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\MEGAUPLOADTOOLBAR
2010-01-30 20:57 . 2009-09-05 04:31 -------- d-----w- c:\program files\BitComet
2010-01-28 20:21 . 2009-09-05 05:18 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-01-28 19:08 . 2009-09-17 18:51 -------- d-----w- c:\documents and settings\Guest\Application Data\MEGAUPLOADTOOLBAR
2010-01-26 19:16 . 2009-09-05 17:41 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-12-21 19:14 . 2009-04-20 18:19 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 15:51 . 2008-04-14 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-09 20:16 . 2009-11-09 20:16 128 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\fusioncache.dat
2009-11-09 20:16 . 2009-11-09 20:16 91208 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-06 00:01 . 2009-09-16 19:32 177024 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2ao06ijg.default\FlashGot.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
1601-01-01 00:03 . 1601-01-01 00:03 60928 --sha-w- c:\windows\system32\dadutiwo.dll
2009-09-14 21:03 . 2009-09-14 21:03 3 --sha-w- c:\windows\system32\dikijowa.dll
2009-09-10 21:42 . 2009-09-10 21:42 3 --sha-w- c:\windows\system32\dodirabu.dll
2009-09-15 20:26 . 2009-09-15 20:26 3 --sha-w- c:\windows\system32\forasuho.dll
2009-09-20 19:59 . 2009-09-20 19:59 12288 --sha-w- c:\windows\system32\ganafihe.exe
2009-09-10 21:42 . 2009-09-10 21:42 3 --sha-w- c:\windows\system32\habuneki.dll
2009-09-20 19:59 . 2009-09-20 19:59 3 --sha-w- c:\windows\system32\hemodogo.dll
2009-09-18 19:30 . 2009-09-18 19:30 45568 --sha-w- c:\windows\system32\jatipife.dll
2009-09-12 22:58 . 2009-09-12 22:58 3 --sha-w- c:\windows\system32\jinuyeju.dll
2009-09-10 00:13 . 2009-09-10 00:13 3 --sha-w- c:\windows\system32\kawugevu.dll
2009-09-11 22:15 . 2009-09-11 22:15 3 --sha-w- c:\windows\system32\loyijofi.dll
2009-09-17 22:38 . 2009-09-17 22:38 3 --sha-w- c:\windows\system32\mokufumi.dll
2009-09-15 20:26 . 2009-09-15 20:26 3 --sha-w- c:\windows\system32\pusevuwo.dll
2009-09-10 00:13 . 2009-09-10 00:13 3 --sha-w- c:\windows\system32\rejipabe.dll
2009-09-11 22:15 . 2009-09-11 22:15 3 --sha-w- c:\windows\system32\rujaheyi.dll
2009-09-19 19:41 . 2009-09-19 19:41 3 --sha-w- c:\windows\system32\serehera.dll
2009-09-18 19:30 . 2009-09-18 19:30 3 --sha-w- c:\windows\system32\towoyila.dll
2009-09-12 22:58 . 2009-09-12 22:58 3 --sha-w- c:\windows\system32\vajapaso.dll
2009-09-18 19:30 . 2009-09-18 19:30 3 --sha-w- c:\windows\system32\yejenujo.dll
1601-01-01 00:03 . 1601-01-01 00:03 93184 --sha-w- c:\windows\system32\yireniye.dll
2009-09-19 19:41 . 2009-09-19 19:41 3 --sha-w- c:\windows\system32\yobaruzi.dll
1601-01-01 00:03 . 1601-01-01 00:03 25088 --sha-w- c:\windows\system32\yozekute.exe
2009-09-14 21:03 . 2009-09-14 21:03 3 --sha-w- c:\windows\system32\zakejoki.dll
.

------- Sigcheck -------

[-] 2009-04-20 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys


c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2010-02-02_03.28.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-04-20 18:18 . 2009-07-14 11:03 46080 c:\windows\system32\tzchange.exe
+ 2009-04-20 18:18 . 2009-10-28 15:07 46080 c:\windows\system32\tzchange.exe
- 2008-04-14 12:00 . 2008-04-14 12:00 75776 c:\windows\system32\strmfilt.dll
+ 2008-04-14 12:00 . 2009-10-21 05:38 75776 c:\windows\system32\strmfilt.dll
+ 2008-04-14 12:00 . 2009-10-12 13:28 79872 c:\windows\system32\raschap.dll
- 2008-04-14 12:00 . 2008-04-14 12:00 79872 c:\windows\system32\raschap.dll
+ 2008-04-14 12:00 . 2010-02-02 08:37 71904 c:\windows\system32\perfc009.dat
- 2008-04-14 12:00 . 2010-02-01 03:08 71904 c:\windows\system32\perfc009.dat
- 2009-04-20 18:22 . 2009-08-29 08:08 55296 c:\windows\system32\msfeedsbs.dll
+ 2009-04-20 18:22 . 2009-12-21 19:14 55296 c:\windows\system32\msfeedsbs.dll
+ 2009-04-20 18:17 . 2009-12-21 19:14 25600 c:\windows\system32\jsproxy.dll
- 2009-04-20 18:17 . 2009-08-29 08:08 25600 c:\windows\system32\jsproxy.dll
+ 2008-04-14 12:00 . 2009-10-21 05:38 25088 c:\windows\system32\httpapi.dll
- 2008-04-14 12:00 . 2009-07-29 04:37 81920 c:\windows\system32\fontsub.dll
+ 2008-04-14 12:00 . 2009-10-15 16:28 81920 c:\windows\system32\fontsub.dll
+ 2009-09-21 05:45 . 2009-12-21 19:14 12800 c:\windows\system32\dllcache\xpshims.dll
- 2009-09-21 05:45 . 2009-08-29 08:08 12800 c:\windows\system32\dllcache\xpshims.dll
- 2009-09-21 05:45 . 2009-08-29 08:08 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2009-09-21 05:45 . 2009-12-21 19:14 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2009-09-21 05:45 . 2009-12-21 19:14 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2009-09-21 05:45 . 2009-08-29 08:08 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2009-09-21 05:47 . 2009-10-15 16:28 81920 c:\windows\system32\dllcache\fontsub.dll
- 2009-09-21 05:47 . 2009-07-29 04:37 81920 c:\windows\system32\dllcache\fontsub.dll
+ 2009-09-06 05:50 . 2010-02-02 07:54 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-09-06 05:50 . 2009-11-03 23:16 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-09-06 05:50 . 2009-11-03 23:16 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-09-06 05:50 . 2010-02-02 07:54 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-09-06 05:50 . 2010-02-02 07:54 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2009-09-06 05:50 . 2009-11-03 23:16 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2010-02-02 07:56 . 2009-08-29 08:08 12800 c:\windows\ie8updates\KB978207-IE8\xpshims.dll
+ 2010-02-02 07:56 . 2009-08-29 08:08 55296 c:\windows\ie8updates\KB978207-IE8\msfeedsbs.dll
+ 2010-02-02 07:56 . 2009-08-29 08:08 25600 c:\windows\ie8updates\KB978207-IE8\jsproxy.dll
+ 2009-04-20 18:19 . 2009-08-25 09:27 354816 c:\windows\system32\winhttp.dll
- 2008-04-14 12:00 . 2009-07-29 04:37 119808 c:\windows\system32\t2embed.dll
+ 2008-04-14 12:00 . 2009-10-15 16:28 119808 c:\windows\system32\t2embed.dll
+ 2010-02-02 07:33 . 2008-12-10 18:56 187392 c:\windows\system32\ReinstallBackups\0001\DriverFiles\b57xp32.sys
+ 2009-04-20 18:18 . 2009-10-13 02:58 150016 c:\windows\system32\rastls.dll
+ 2008-04-14 12:00 . 2010-02-02 08:37 444028 c:\windows\system32\perfh009.dat
- 2008-04-14 12:00 . 2010-02-01 03:08 444028 c:\windows\system32\perfh009.dat
- 2009-04-20 18:18 . 2009-08-29 08:08 206848 c:\windows\system32\occache.dll
+ 2009-04-20 18:18 . 2009-12-21 19:14 206848 c:\windows\system32\occache.dll
+ 2009-04-20 18:18 . 2009-10-13 10:38 270336 c:\windows\system32\oakley.dll
- 2009-04-20 18:18 . 2009-04-20 18:18 270336 c:\windows\system32\oakley.dll
+ 2009-04-20 18:22 . 2009-12-21 19:14 594432 c:\windows\system32\msfeeds.dll
- 2009-04-20 18:22 . 2009-08-29 08:08 594432 c:\windows\system32\msfeeds.dll
+ 2009-04-20 18:17 . 2009-12-21 19:14 184320 c:\windows\system32\iepeers.dll
- 2009-04-20 18:17 . 2009-08-29 08:08 184320 c:\windows\system32\iepeers.dll
+ 2009-04-20 18:17 . 2009-12-21 19:14 387584 c:\windows\system32\iedkcs32.dll
- 2009-04-20 18:17 . 2009-08-29 08:08 387584 c:\windows\system32\iedkcs32.dll
+ 2009-04-20 18:17 . 2009-12-21 13:19 173056 c:\windows\system32\ie4uinit.exe
- 2009-04-20 18:17 . 2009-08-28 10:35 173056 c:\windows\system32\ie4uinit.exe
+ 2008-04-14 12:00 . 2009-10-20 16:20 265728 c:\windows\system32\drivers\http.sys
+ 2009-09-04 18:49 . 2009-02-23 17:40 195072 c:\windows\system32\drivers\b57xp32.sys
+ 2009-09-21 05:45 . 2009-12-21 19:14 916480 c:\windows\system32\dllcache\wininet.dll
- 2009-09-21 05:45 . 2009-08-29 08:08 916480 c:\windows\system32\dllcache\wininet.dll
- 2009-09-21 05:47 . 2009-07-29 04:37 119808 c:\windows\system32\dllcache\t2embed.dll
+ 2009-09-21 05:47 . 2009-10-15 16:28 119808 c:\windows\system32\dllcache\t2embed.dll
+ 2009-10-13 02:58 . 2009-10-13 02:58 150016 c:\windows\system32\dllcache\rastls.dll
- 2009-09-21 05:45 . 2009-08-29 08:08 206848 c:\windows\system32\dllcache\occache.dll
+ 2009-09-21 05:45 . 2009-12-21 19:14 206848 c:\windows\system32\dllcache\occache.dll
- 2009-09-21 05:45 . 2009-08-29 08:08 594432 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-09-21 05:45 . 2009-12-21 19:14 594432 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-09-21 05:45 . 2009-12-21 19:14 246272 c:\windows\system32\dllcache\ieproxy.dll
- 2009-09-21 05:45 . 2009-08-29 08:08 246272 c:\windows\system32\dllcache\ieproxy.dll
+ 2009-09-21 05:45 . 2009-12-21 19:14 184320 c:\windows\system32\dllcache\iepeers.dll
- 2009-09-21 05:45 . 2009-08-29 08:08 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2009-09-21 05:45 . 2009-12-21 19:14 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2009-09-21 05:45 . 2009-08-29 08:08 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2009-09-21 05:45 . 2009-12-21 13:19 173056 c:\windows\system32\dllcache\ie4uinit.exe
- 2009-09-21 05:45 . 2009-08-28 10:35 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2009-09-04 18:49 . 2009-02-23 17:40 195072 c:\windows\system32\dllcache\b57xp32.sys
+ 2010-02-02 05:14 . 2010-02-02 05:14 499712 c:\windows\Installer\9c818.msi
+ 2009-05-27 02:53 . 2009-05-27 02:53 579072 c:\windows\Installer\9c7e4.msp
+ 2009-09-06 05:50 . 2010-02-02 07:54 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2009-09-06 05:50 . 2009-11-03 23:16 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-09-06 05:50 . 2010-02-02 07:54 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2009-09-06 05:50 . 2009-11-03 23:16 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-09-06 05:50 . 2010-02-02 07:54 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2009-09-06 05:50 . 2009-11-03 23:16 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-09-06 05:50 . 2010-02-02 07:54 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2009-09-06 05:50 . 2009-11-03 23:16 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2009-09-06 05:50 . 2009-11-03 23:16 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2009-09-06 05:50 . 2010-02-02 07:54 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2009-09-06 05:50 . 2009-11-03 23:16 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-09-06 05:50 . 2010-02-02 07:54 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2009-09-06 05:50 . 2009-11-03 23:16 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-09-06 05:50 . 2010-02-02 07:54 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2010-02-02 07:56 . 2009-08-29 08:08 916480 c:\windows\ie8updates\KB978207-IE8\wininet.dll
+ 2010-02-02 07:56 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB978207-IE8\spuninst\updspapi.dll
+ 2010-02-02 07:56 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB978207-IE8\spuninst\spuninst.exe
+ 2010-02-02 07:56 . 2009-08-29 08:08 206848 c:\windows\ie8updates\KB978207-IE8\occache.dll
+ 2010-02-02 07:56 . 2009-08-29 08:08 594432 c:\windows\ie8updates\KB978207-IE8\msfeeds.dll
+ 2010-02-02 07:56 . 2009-08-29 08:08 246272 c:\windows\ie8updates\KB978207-IE8\ieproxy.dll
+ 2010-02-02 07:56 . 2009-08-29 08:08 184320 c:\windows\ie8updates\KB978207-IE8\iepeers.dll
+ 2010-02-02 07:56 . 2009-08-29 08:08 387584 c:\windows\ie8updates\KB978207-IE8\iedkcs32.dll
+ 2010-02-02 07:56 . 2009-08-28 10:35 173056 c:\windows\ie8updates\KB978207-IE8\ie4uinit.exe
+ 2010-02-02 05:13 . 2009-10-20 16:20 265728 c:\windows\Driver Cache\i386\http.sys
+ 2009-07-21 06:14 . 2009-07-21 06:14 1393480 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.30.2107.0_x-ww_bd5ca85e\msxml4.dll
+ 2009-04-20 18:19 . 2009-08-15 01:49 1859712 c:\windows\system32\win32k.sys
- 2009-04-20 18:18 . 2009-08-29 08:08 1208832 c:\windows\system32\urlmon.dll
+ 2009-04-20 18:18 . 2009-12-21 19:14 1208832 c:\windows\system32\urlmon.dll
+ 2009-04-20 18:18 . 2009-07-31 04:24 1447424 c:\windows\system32\msxml6.dll
+ 2009-07-21 06:16 . 2009-07-21 06:16 1393480 c:\windows\system32\msxml4.dll
+ 2009-04-20 18:18 . 2009-07-31 04:24 1172480 c:\windows\system32\msxml3.dll
+ 2009-04-20 18:18 . 2009-12-21 19:14 5942784 c:\windows\system32\mshtml.dll
+ 2009-04-20 18:21 . 2009-12-21 19:14 1985536 c:\windows\system32\iertutil.dll
- 2009-04-20 18:21 . 2009-08-29 08:08 1985536 c:\windows\system32\iertutil.dll
+ 2009-09-04 18:48 . 2010-02-01 18:47 1638128 c:\windows\system32\FNTCACHE.DAT
+ 2009-08-18 07:33 . 2009-08-18 07:33 1193832 c:\windows\system32\FM20.DLL
+ 2009-04-17 23:20 . 2009-08-15 01:49 1859712 c:\windows\system32\dllcache\win32k.sys
+ 2009-09-21 05:45 . 2009-12-21 19:14 1208832 c:\windows\system32\dllcache\urlmon.dll
- 2009-09-21 05:45 . 2009-08-29 08:08 1208832 c:\windows\system32\dllcache\urlmon.dll
+ 2009-09-21 05:45 . 2009-12-21 19:14 5942784 c:\windows\system32\dllcache\mshtml.dll
- 2009-09-21 05:45 . 2009-08-29 08:08 1985536 c:\windows\system32\dllcache\iertutil.dll
+ 2009-09-21 05:45 . 2009-12-21 19:14 1985536 c:\windows\system32\dllcache\iertutil.dll
+ 2009-08-18 20:58 . 2009-08-18 20:58 8301056 c:\windows\Installer\9c82d.msp
+ 2009-08-18 20:57 . 2009-08-18 20:57 9122304 c:\windows\Installer\9c810.msp
+ 2009-10-16 15:09 . 2009-10-16 15:09 2518016 c:\windows\Installer\9c7fa.msp
+ 2009-08-18 21:08 . 2009-08-18 21:08 1373696 c:\windows\Installer\9c7cf.msp
+ 2009-04-24 20:29 . 2009-04-24 20:29 9013760 c:\windows\Installer\9aa9f.msp
+ 2009-12-03 22:15 . 2009-12-03 22:15 5004288 c:\windows\Installer\8b741e.msp
- 2009-09-06 05:50 . 2009-11-03 23:16 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-09-06 05:50 . 2010-02-02 07:54 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2009-09-06 05:50 . 2009-11-03 23:16 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-09-06 05:50 . 2010-02-02 07:54 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-03-06 12:26 . 2009-03-06 12:26 5291376 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\IPEDITOR.DLL
+ 2008-11-21 07:06 . 2008-11-21 07:06 1194848 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\FM20.DLL
+ 2010-02-02 07:56 . 2009-08-29 08:08 1208832 c:\windows\ie8updates\KB978207-IE8\urlmon.dll
+ 2010-02-02 07:56 . 2009-08-29 08:08 5940224 c:\windows\ie8updates\KB978207-IE8\mshtml.dll
+ 2010-02-02 07:56 . 2009-08-29 08:08 1985536 c:\windows\ie8updates\KB978207-IE8\iertutil.dll
+ 2010-02-01 18:54 . 2010-01-05 00:17 29634504 c:\windows\system32\MRT.exe
+ 2009-04-20 18:21 . 2009-12-21 19:14 11070464 c:\windows\system32\ieframe.dll
+ 2009-07-20 01:48 . 2009-12-21 19:14 11070464 c:\windows\system32\dllcache\ieframe.dll
+ 2009-08-18 20:50 . 2009-08-18 20:50 12022272 c:\windows\Installer\9c7b9.msp
+ 2010-02-02 05:21 . 2010-02-02 05:21 15710720 c:\windows\Installer\8b7409.msp
+ 2010-02-02 07:56 . 2009-08-29 08:08 11069440 c:\windows\ie8updates\KB978207-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-23 294696]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-09-17 1799952]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"RRT-Auto"="c:\documents and settings\Owner\My Documents\Downloads\RRT.exe" [2010-01-31 1738240]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-04-20 128512]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-22 40048]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\Owner\\My Documents\\Downloads\\procexp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20996:TCP"= 20996:TCP:BitComet 20996 TCP
"20996:UDP"= 20996:UDP:BitComet 20996 UDP

R0 crpf;crpf;c:\windows\system32\drivers\crpf.sys [04.09.2009 21:54 36512]
R0 csdf;csdf;c:\windows\system32\drivers\csdf.sys [04.09.2009 21:54 39456]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [04.09.2009 20:34 25160]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [04.09.2009 20:34 132296]
.
Contents of the 'Scheduled Tasks' folder

2010-02-01 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 22:07]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {018A4CF3-F1F4-4257-B9C7-A3A0AC70D8D0} = 156.154.70.22,156.154.71.22
TCP: {C6DD66E6-4A3D-491E-814D-5243AB1D8D0A} = 83.149.115.157,4.2.2.1
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2ao06ijg.default\
FF - component: c:\program files\Comodo\VEngine\VerificationEngine_ff3_5\components\VEngine.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-02 00:45
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,aa,fc,67,ce,cf,24,a2,41,b7,93,6f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,aa,fc,67,ce,cf,24,a2,41,b7,93,6f,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\guard32.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(780)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(992)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3079_x-ww_b811a94e\MSVCR80.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\ShellExt\CmdOpen.dll
c:\program files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll
c:\program files\ATI Technologies\ATI.ACE\Core-Static\atiamenu.dll
.
Completion time: 2010-02-02 00:47:28
ComboFix-quarantined-files.txt 2010-02-02 08:47
ComboFix2.txt 2010-02-02 03:33

Pre-Run: 5 688 745 984 bytes free
Post-Run: 5 709 639 680 bytes free

- - End Of File - - B084910A545BE2592FE591AFB91479A4



I had a little quirk when dragging... it said some HIRCMD or something like that could not be found or executed etc.... and spammed it a bit, but I believe it completed whatever it needed. When I redid the drag it ran CF normally and made the log file that I have posted!!

Thanks again so much.. and can you explain how ComboFix works... this has been the only infection I have had where I've needed to consult the forums, and PS: if I have a bunch of unnamed, numbered and weird folders in c:/ that have files in them... like sys files, possibly from my antivirus etc. and these scans, can I delete them??
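
The log above is the part of a ComboFix report a helper reads first: the Run keys, the AppInit_DLLs value and the firewall's authorized-application list. The script below is an added example for this thread, not ComboFix's own logic and nothing the helper posted. Its sample input is a handful of lines copied from the log, and its three rules (a bare filename with no path, a program living in a user-writable profile folder, and any non-empty AppInit_DLLs) are the editor's assumptions about what to eyeball first. A hit means "verify", not "delete": in this log the two bare-name entries, bthprops.cpl and BCMSMMSG.exe, are both known components, guard32.dll is COMODO's, and procexp.exe in Downloads is the user's own Process Explorer, while RRT.exe in the same folder is exactly the kind of entry that needs confirming.

```python
"""Triage the autostart and firewall sections of a ComboFix log.

Added example for this thread, not ComboFix's own logic and not posted by
the helper. SAMPLE_LOG is copied from the log above; the rules below are
assumptions about what to check first, and a hit means "verify".
"""
import re
from typing import List, Tuple

# Constructed sample: lines lifted from the posted ComboFix log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-09-17 1799952]
"RRT-Auto"="c:\documents and settings\Owner\My Documents\Downloads\RRT.exe" [2010-01-31 1738240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Downloads\\procexp.exe"=
"""

# One registry value per line: "name"=value
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')

# Folders that anything running as the logged-on user can write to.
USER_WRITABLE_MARKERS = (
    "\\my documents\\", "\\downloads\\", "\\desktop\\", "\\temp\\",
    "\\application data\\", "\\local settings\\",
)

Finding = Tuple[str, str, str]  # (kind, path, reason)


def _clean_path(raw: str) -> str:
    """Strip quotes, the trailing '[date size]' note and doubled backslashes."""
    raw = re.sub(r"\s*\[[^\]]*\]\s*$", "", raw.strip())
    return raw.strip('"').replace("\\\\", "\\")


def triage(log_text: str) -> List[Finding]:
    """Walk the log, remember which key we are in, flag entries worth a look."""
    findings: List[Finding] = []
    section = ""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("["):            # a new registry key header
            section = line.lower()
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        if "authorizedapplications" in section:
            # In the firewall list the program path is the value *name*.
            kind, path = "firewall-allow", _clean_path(name)
        elif "currentversion\\run" in section:   # Run and RunOnce keys
            kind, path = "autostart", _clean_path(value)
        elif "windows nt\\currentversion\\windows" in section and name.lower() == "appinit_dlls":
            findings.append(("appinit", _clean_path(value),
                             "AppInit_DLLs loads into every process that maps user32.dll; confirm the vendor"))
            continue
        else:
            continue
        if "\\" not in path:
            findings.append((kind, path,
                             "bare filename: found via the search order, confirm which copy actually runs"))
        elif any(marker in path.lower() for marker in USER_WRITABLE_MARKERS):
            findings.append((kind, path, "runs from a user-writable profile folder"))
    return findings


if __name__ == "__main__":
    for kind, path, reason in triage(SAMPLE_LOG):
        print(f"{kind:15} {path}\n{'':15} -> {reason}")
```

Paste a whole ComboFix log in place of SAMPLE_LOG and the same rules apply; the policies\explorer and SafeBoot keys are deliberately ignored here, since they carry settings rather than executables.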

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:11:33 PM

Posted 03 February 2010 - 08:07 AM

First of all, can you enter Normal Mode instead of Safe Mode with Networking? And can you re-run ComboFix (the CFScript step) again as you did before (must be in Normal Mode) and this time, make sure you install the "Recovery Console"..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 jonasauruz

jonasauruz
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:07:33 AM

Posted 03 February 2010 - 02:37 PM

CF won't install Recovery Console and I can't find it online.... CF says I don't appear to be connected to the internet. I will disable my Xbox bridge to see if this is the problem.

#8 jonasauruz

jonasauruz
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:07:33 AM

Posted 03 February 2010 - 10:39 PM

OK so no good still, and I had let CF run since I wasn't quite sure what it was supposed to do exactly, however no problems yet... and I don't know if the kill script worked or not. When the PC starts in Normal Mode, however, CF says access denied over and over again and kinda hangs. I can repost new logs if you like. I'm sorry this seems to be taking so long; I figured Safe Mode would cut all processes in autostart which would not conflict with CF. I don't mean to be a pain and I have been following your instructions and not doing extra, but how can I get this Recovery Console??

#9 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:11:33 PM

Posted 04 February 2010 - 06:59 AM

Forget Recovery Console for now.. I have two questions..

1. Can you boot into Normal Mode?
2. Is this your personal computer or company computer?



#10 jonasauruz

jonasauruz
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:07:33 AM

Posted 07 February 2010 - 04:20 PM

yes i can boot to normal mode and it is personal laptop...

#11 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:11:33 PM

Posted 08 February 2010 - 06:56 AM

Then please run ComboFix in Normal Mode and post the log here.. Just double-click it..



#12 jonasauruz

jonasauruz
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:07:33 AM

Posted 09 February 2010 - 02:35 AM

When I run it... it says some files could not be created... and stalls.... That's why I ran it in Safe Mode, along with reading it's best to run AV programs in Safe Mode... but ???.. It's like this thing has me by the balls... I don't have enough space on my external to back up my PC either, or by now I would have done that...

#13 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:11:33 PM

Posted 09 February 2010 - 07:10 AM

QUOTE
with reading its best to run av programs in safe mode


Not necessarily true..

Delete your version of ComboFix >> download a fresh one from below >> run it and post the log here..


IF you can't run ComboFix in Normal Mode, do below...

Please download avz4.zip and unzip it to your Desktop
  • Double click on avz.exe to run it.
  • From the "File" menu, choose "Standard Scripts"
  • Put a check next to item 2: Advanced System Analysis
  • Click Execute selected scripts
  • At the next prompt, click the OK button
  • Let the scan run and click "OK" when the completion prompt pops up
  • Now Close out of the Standard Scripts window, and exit AVZ
  • Navigate to the avz4 folder and locate the folder LOG
  • Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip
  • Attach virusinfo_syscheck.htm AND virusinfo_syscure.htm to your next reply



#14 jonasauruz

jonasauruz
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:07:33 AM

Posted 09 February 2010 - 06:12 PM

No syscure file was in the LOG folder after the AV ran; it only had 2 syscheck files... one HTM and one XML, and another zip file with no syscure in it. Just a thought too: I am having trouble installing new programs... like Windows was installing updates and couldn't install the malware update... and I had also tried before installing something and it wouldn't install... oh yeah, it was Malwarebytes!! OK thanks. I will run again after my classes tonight... thanks!!

Attached Files



#15 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:11:33 PM

Posted 10 February 2010 - 05:58 AM

Uninstall COMODO for now and do below... Please do it in Normal Mode..


Please download The Comedian.exe by Rorschach112 to your desktop
  • Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
  • Double click the program to run it. It will only take around several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished
STOP! if you can't complete this step.. Tell me more about it..




NEXT


Please download OTS by OldTimer and unzip it to your Desktop..

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • At the top, tick on Scan All Users section
  • At File Age set it to 90 Days
  • In the Processes, Modules, Services, Drivers and Registry section, please set on Safe List.
  • In the Files Created Within and Files Modified Within section, set it to File Age
  • At the bottom, tick on all Safe List and Use Company Name WhiteList option
  • Under Additional Scans, tick on the "Extras" button and then click the checkboxes in front of the following items to select them:
      Reg - Disabled MS Config Items
      Reg - Drivers32
      Reg - Ext
      Reg - IE Explorer Bar
      Reg - NetSvcs
      Reg - Safeboot Minimal
      Reg - Safeboot Network
      File - Lop Check
      File - Purity Scan
    • Please copy/paste below script into Custom Scans box
      CODE
      netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      symmpi.sys
      adp3132.sys
      /md5stop
      %systemroot%\*. /mp /s
      CREATERESTOREPOINT
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\System32\config\*.sav
  • Do NOT change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Attach the log in your next replies.. Don't post it.. It will be too large to fit into a single post..




NEXT


Please download GMER and unzip it to your Desktop. <<mirror>>
Please rename the random filename or GMER into GAMERS
  • Open the renamed program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.

IMPORTANT: Do NOT run any program while you are doing these scans as it may interfere with the output results




ATTACH these logs in your next reply

1. OTS
2. GMER







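The /md5start ... /md5stop block in the OTS instructions above hashes the storage and boot-path drivers (atapi.sys, iaStor.sys, nvstor.sys and friends) that the TDL3-family rootkits of that period patched in place, and the helper compares the reported MD5s against known-good values. The script below is an added example of that comparison, not part of OTS, GMER or this thread; it checks each listed driver in system32\drivers against the Windows File Protection copy in system32\dllcache, which on XP is the nearest known-good reference short of the install media. It builds a constructed sample tree in a temp directory so it runs anywhere, and the DRIVERS list is a subset of the names in the OTS script. Two caveats the comparison itself cannot resolve: a mismatch is not proof, because a hotfix legitimately replaces both the driver and, a little later, its cached copy; and a match is not clearance, because a live rootkit can serve the clean bytes to any user-mode read, which is why the OTS /lockedfiles switches and GMER's own disk reads exist.

```python
"""Compare boot-critical drivers with the dllcache copy, as OTS's /md5 step
would. Added example for this thread, not OTS, GMER or the helper's code.
The sample tree is constructed with fake bytes; on a real XP machine point
it at C:\\WINDOWS\\system32\\drivers and C:\\WINDOWS\\system32\\dllcache.
MD5 is used to match the OTS report; the check is for integrity of a
known file, not collision resistance.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Tuple

# Subset of the names in the OTS /md5start block (assumption: enough to illustrate).
DRIVERS = ["atapi.sys", "iaStor.sys", "nvstor.sys", "symmpi.sys"]


def md5_of(path: Path) -> str:
    """Hash a file in chunks so large drivers do not need to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_drivers(drivers_dir: Path, cache_dir: Path, names: Iterable[str]) -> Dict[str, str]:
    """One status per driver name.

    match         live file and dllcache copy hash the same
    MISMATCH      both exist but differ: a patched driver, or a hotfix not yet
                  mirrored into dllcache; check version info before deciding
    no-reference  live file present, nothing cached to compare against
    absent        not installed at all (normal for other chipsets' drivers)
    """
    result: Dict[str, str] = {}
    for name in names:
        live, ref = drivers_dir / name, cache_dir / name
        if not live.exists():
            result[name] = "absent"
        elif not ref.exists():
            result[name] = "no-reference"
        elif md5_of(live) == md5_of(ref):
            result[name] = "match"
        else:
            result[name] = "MISMATCH"
    return result


def build_sample_tree() -> Tuple[Path, Path]:
    """Constructed sample: fake driver bytes in a temp dir, not real drivers."""
    root = Path(tempfile.mkdtemp(prefix="drvcheck_"))
    drivers, cache = root / "drivers", root / "dllcache"
    drivers.mkdir()
    cache.mkdir()
    header = b"MZ" + b"\x00" * 62
    # atapi.sys: live copy and cached copy identical
    (drivers / "atapi.sys").write_bytes(header + b"fake atapi body")
    (cache / "atapi.sys").write_bytes(header + b"fake atapi body")
    # iaStor.sys: a couple of bytes differ in the live copy
    (cache / "iaStor.sys").write_bytes(header + b"fake iastor body")
    (drivers / "iaStor.sys").write_bytes(header + b"fake iastor b0dy")
    # nvstor.sys: live copy only, nothing in dllcache
    (drivers / "nvstor.sys").write_bytes(header + b"fake nvstor body")
    # symmpi.sys: deliberately missing from both
    return drivers, cache


if __name__ == "__main__":
    live_dir, cache_dir = build_sample_tree()
    for name, status in compare_drivers(live_dir, cache_dir, DRIVERS).items():
        print(f"{name:12} {status}")
```

Run it as-is to see the four statuses; for a real check, replace the two directories and extend DRIVERS with the full OTS list, then treat any MISMATCH as a lead to confirm with the file's version resource and a second tool that reads the disk below the filter stack.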