Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Winantivirus, 0202, Coolweb, Dr.web +


  • Please log in to reply
71 replies to this topic

#1 Koops

Koops

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:01:44 AM

Posted 05 October 2006 - 05:48 PM

Ok, short and quick, I have many virus and no antiviurs program. What I need is a way to eliminate those I have (known are WinAntivirus, 0202trojan, coolwebtrojan, Dr.Web) I also need a way to protect my computer in the futre for FREE. Cause I hate trying out antiviruss and finding I have to pay to remove the viruses. PLZ help me kill the viruses I have and protect my computer in the future

system scan:

Logfile of HijackThis v1.99.1
Scan saved at 6:40:48 PM, on 10/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\PROMon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\{A4EB4438-0702-1033-0212-031024200001}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs:
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

P.S. I cant run my comp in safe mode, the screen turns all black and displays "safemode" in the corners, best I can do is have the command prompt up.
nvm, I can run safe mode, just press ctrl+c

Edited by Koops, 06 October 2006 - 03:31 PM.


BC AdBot (Login to Remove)

 


#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 07 October 2006 - 11:48 AM

Hi Koops and Welcome to the Bleeping Computer!


As requested:

Please install,update and scan the entire system with one of the following free Antivirus Software Programs

AntiVir® PersonalEdition Classic

AVG Free for Windows

BitDefender 8 Free Edition

avast! 4 Home Edition


You really should install one of these free firewalls as well since Microsofts Firewall leaves alot to be desired.

Sunbelt Kerio Personal Firewall

ZoneAlarm Free

Outpost Firewall FREE


From the lists above,AVG and Zone Alarm are what I would call,the most user friendly.



After your intial Virus Scan is completed and you have successfully installed one of the firewalls.


Please download Combofix to your desktop.
http://download.bleepingcomputer.com/sUBs/combofix.exe

Doubleclick combo.exe to launch the application.

Follow the prompts that will be displayed on the screen.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt

Please post that log in the next reply along with a fresh HijackThis log.

#3 Koops

Koops
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  

Posted 10 October 2006 - 04:33 PM

I am currently downloading the firewall and avg, but I cant use your link to combofix. Firefox cannot find the url. Thank you for taking the time to help me out so far though. I really appreciate it.

#4 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 11 October 2006 - 03:07 PM

Try downloading ComboFix again and see what happens?

#5 Koops

Koops
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:01:44 AM

Posted 12 October 2006 - 04:05 PM

Thanks, combo fix worked that time
I'm using it now and will post my hijackthis log once its done.

Thanks again!

#6 Koops

Koops
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  

Posted 12 October 2006 - 04:12 PM


Here's my combofix log


Eric W - 06-10-12 17:04:27.56 Service Pack 2
ComboFix 06.10.12 - Running from: "C:\Program Files\Mozilla Firefox"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\{A4EB4438-0702-1033-0212-031024200001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Eric W\My Documents\STEM~1
C:\QooBox\Purity\WINDOWS\SKS~1


((((((((((((((((((((((((((((((( Files Created from 2006-09-12 to 2006-10-12 ))))))))))))))))))))))))))))))))))


2006-10-10 17:34 778,656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-10-10 17:34 4,992 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-10-10 17:34 4,288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-10-10 17:34 27,904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-10-10 17:34 23,104 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-10-07 08:36 94,208 --a------ C:\WINDOWS\system32\jranluc.dll
2006-10-07 08:36 73,216 --a------ C:\WINDOWS\system32\yhemrgk.dll
2006-10-04 20:55 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-10-04 20:25 970,752 --a------ C:\WINDOWS\system32\VchReg.dll
2006-10-04 17:58 741,396 --a------ C:\WINDOWS\system32\dsuxesfi.exe
2006-09-19 19:34 27,648 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-12 17:05 -------- d-------- C:\Program Files\Common Files
2006-10-12 17:02 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-11 18:34 -------- d-------- C:\Program Files\Warcraft III
2006-10-11 16:57 -------- d-------- C:\Program Files\Gpotato
2006-10-10 17:35 -------- d-------- C:\Documents and Settings\Eric W\Application Data\AVG7
2006-10-10 17:34 -------- d-------- C:\Program Files\Grisoft
2006-10-10 17:32 -------- d-------- C:\Program Files\Zone Labs
2006-10-06 16:46 -------- d-------- C:\Program Files\HijackThis
2006-10-05 20:15 617 --a------ C:\Documents and Settings\Eric W\Application Data\turing_files.ini
2006-10-04 20:42 -------- d-------- C:\Program Files\Java
2006-10-04 20:38 -------- d-------- C:\Program Files\Common Files\Java
2006-10-02 20:06 157 --a------ C:\Documents and Settings\Eric W\Application Data\turing.ini
2006-09-24 08:38 -------- d-------- C:\Program Files\Sony
2006-09-23 09:48 -------- d-------- C:\Program Files\Common Files\Logitech
2006-09-23 09:37 -------- d-------- C:\Documents and Settings\Eric W\Application Data\Macromedia
2006-09-23 09:35 -------- d-------- C:\Program Files\Common Files\DataViz
2006-09-18 16:27 -------- d-------- C:\Program Files\Turing
2006-08-29 17:12 13844 --a------ C:\WINDOWS\system32\kndlnptf.exe
2006-08-29 09:58 13844 --a------ C:\WINDOWS\system32\qitjdlwk.exe
2006-08-28 18:58 13844 --a------ C:\WINDOWS\system32\yhrmusmu.exe
2006-08-28 13:12 13844 --a------ C:\WINDOWS\system32\meukxucy.exe
2006-08-27 16:15 13844 --a------ C:\WINDOWS\system32\vhhhmpee.exe
2006-08-26 10:35 13844 --a------ C:\WINDOWS\system32\sibxuwwv.exe
2006-08-25 19:39 13844 --a------ C:\WINDOWS\system32\ccrxktjt.exe
2006-08-25 12:05 13844 --a------ C:\WINDOWS\system32\jeujaboj.exe
2006-08-25 11:59 13844 --a------ C:\WINDOWS\system32\uroujyde.exe
2006-08-23 17:17 13844 --a------ C:\WINDOWS\system32\ebvoqeqp.exe
2006-08-23 10:03 13844 --a------ C:\WINDOWS\system32\rrlrjrcy.exe
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 05:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-20 08:05 -------- d-------- C:\Program Files\Internet Explorer
2006-08-20 07:36 -------- d-------- C:\Program Files\Common Files\Companion Wizard
2006-08-20 07:31 -------- d-------- C:\Program Files\Common Files\WinAntiVirus Pro 2006
2006-08-19 20:49 -------- d-------- C:\Program Files\Common Files\GTK
2006-08-02 16:52 2 --a------ C:\WINDOWS\system32\wnscptr.exe
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"BluetoothAuthenticationAgent"="rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent"
"Smapp"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smtray.exe"
"StorageGuard"="\"C:\\Program Files\\VERITAS Software\\Update Manager\\sgtray.exe\" /r"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"jranluc.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\jranluc.dll,nixncte"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDrives"=dword:00000000
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 06-10-12 17:05:53.20
ComboFix.txt















Here's my hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 5:09:30 PM, on 10/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {168D6C70-452B-83F8-3764-07FCD90466BF} - C:\WINDOWS\system32\yhemrgk.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\rqidlnlu.dll (file missing)
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\System32\smiehlp.dll
O2 - BHO: (no name) - {AA7FD8AC-83D0-4363-946C-7D8334583E5F} - C:\WINDOWS\Help\daent.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [jranluc.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\jranluc.dll,nixncte
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by Koops, 12 October 2006 - 04:13 PM.


#7 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 12 October 2006 - 04:25 PM

If you will,lets check a file real quick.

C:\WINDOWS\system32\wnscptr.exe

Have that file scanned Here please.

Copy any results you get to notepad and post them back here,please.

#8 Koops

Koops
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:01:44 AM

Posted 12 October 2006 - 05:16 PM

Unfortunately
all the antiviruses say that it is not infected
A
ntivirus Version Update Result
AntiVir 7.2.0.30 10.12.2006 no virus found
Authentium 4.93.8 10.12.2006 no virus found
Avast 4.7.892.0 10.12.2006 no virus found
AVG 386 10.12.2006 no virus found
BitDefender 7.2 10.12.2006 no virus found
CAT-QuickHeal 8.00 10.12.2006 no virus found
ClamAV devel-20060426 10.12.2006 no virus found
DrWeb 4.33 10.12.2006 no virus found
eTrust-InoculateIT 23.73.21 10.12.2006 no virus found
eTrust-Vet 30.3.3129 10.12.2006 no virus found
Ewido 4.0 10.12.2006 no virus found
Fortinet 2.82.0.0 10.12.2006 no virus found
F-Prot 3.16f 10.12.2006 no virus found
F-Prot4 4.2.1.29 10.12.2006 no virus found
Ikarus 0.2.65.0 10.12.2006 no virus found
Kaspersky 4.0.2.24 10.12.2006 no virus found
McAfee 4872 10.12.2006 no virus found
Microsoft 1.1603 10.12.2006 no virus found
NOD32v2 1.1801 10.12.2006 no virus found
Norman 5.90.23 10.12.2006 no virus found
Panda 9.0.0.4 10.12.2006 no virus found
Sophos 4.10.0 10.05.2006 no virus found
TheHacker 6.0.1.096 10.11.2006 no virus found
UNA 1.83 10.12.2006 no virus found
VBA32 3.11.1 10.12.2006 no virus found
VirusBuster 4.3.7:9 10.12.2006 no virus found

#9 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 12 October 2006 - 06:35 PM

Thats OK,I believe its possible the file is OK.

Thats why I asked you to have it scanned.

Scans cant always be trusted,if you would like to look closer at the file,locate it in the System32 folder and right click on it,select properties.

Go through all the information you can find there and see if you are able to associate it with something on the machine.


Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {168D6C70-452B-83F8-3764-07FCD90466BF} - C:\WINDOWS\system32\yhemrgk.dll

O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\rqidlnlu.dll (file missing)

O2 - BHO: (no name) - {AA7FD8AC-83D0-4363-946C-7D8334583E5F} - C:\WINDOWS\Help\daent.dll (file missing)

O4 - HKLM\..\Run: [jranluc.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\jranluc.dll,nixncte

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button



Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\yhemrgk.dll
    C:\WINDOWS\system32\jranluc.dll
    C:\WINDOWS\system32\kndlnptf.exe
    C:\WINDOWS\system32\qitjdlwk.exe
    C:\WINDOWS\system32\yhrmusmu.exe
    C:\WINDOWS\system32\meukxucy.exe
    C:\WINDOWS\system32\vhhhmpee.exe
    C:\WINDOWS\system32\sibxuwwv.exe
    C:\WINDOWS\system32\ccrxktjt.exe
    C:\WINDOWS\system32\jeujaboj.exe
    C:\WINDOWS\system32\uroujyde.exe
    C:\WINDOWS\system32\ebvoqeqp.exe
    C:\WINDOWS\system32\rrlrjrcy.exe
    C:\WINDOWS\system32\dsuxesfi.exe


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Select Delete on Reboot and Unregister .dll before Deleting
  • then Click on the All Files button.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.



After restarting I want to check something please.


Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

#10 Koops

Koops
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:01:44 AM

Posted 12 October 2006 - 07:52 PM

Thanks! Here is my hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 8:48:28 PM, on 10/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\System32\smiehlp.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe




















Vundo.fix


VundoFix V6.2.0

Checking Java version...

Java version is 1.5.0.6

Scan started at 8:46:11 AM 10/7/2006

Listing files found while scanning....

C:\WINDOWS\system32\arratmbi.dll
C:\WINDOWS\system32\khfcyww.dll
C:\WINDOWS\system32\lfsimbem.dll
C:\WINDOWS\system32\mvkibsim.dll
C:\WINDOWS\system32\srmgyrel.dll
C:\WINDOWS\system32\winbjt32.dll
C:\WINDOWS\system32\aeexkwsk.exe
C:\WINDOWS\Help\daent.dll
C:\WINDOWS\Help\tnead.ini
C:\WINDOWS\Help\tnead.bak1
C:\WINDOWS\Help\tnead.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\arratmbi.dll
C:\WINDOWS\system32\arratmbi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\khfcyww.dll
C:\WINDOWS\system32\khfcyww.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\lfsimbem.dll
C:\WINDOWS\system32\lfsimbem.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mvkibsim.dll
C:\WINDOWS\system32\mvkibsim.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\srmgyrel.dll
C:\WINDOWS\system32\srmgyrel.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\winbjt32.dll
C:\WINDOWS\system32\winbjt32.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\aeexkwsk.exe
C:\WINDOWS\system32\aeexkwsk.exe Has been deleted!

Attempting to delete C:\WINDOWS\Help\daent.dll
C:\WINDOWS\Help\daent.dll Could not be deleted.

Attempting to delete C:\WINDOWS\Help\tnead.ini
C:\WINDOWS\Help\tnead.ini Has been deleted!

Attempting to delete C:\WINDOWS\Help\tnead.bak1
C:\WINDOWS\Help\tnead.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\Help\tnead.bak2
C:\WINDOWS\Help\tnead.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\Help\daent.dll
C:\WINDOWS\Help\daent.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.1

Checking Java version...

Java version is 1.5.0.6

Scan started at 8:32:47 PM 10/12/2006

Listing files found while scanning....

C:\WINDOWS\system32\jranluc.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jranluc.dll
C:\WINDOWS\system32\jranluc.dll Has been deleted!

Performing Repairs to the registry.
Done!

I really appreciate the help. (appears that there is a lot of killbox and vundos going around :thumbsup:

#11 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 13 October 2006 - 04:10 AM

Now that looks alot better! :thumbsup:


Scan fresh with ComboFix and Save the log.


Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs,Click Full System Scan
  • Once the download completes,the scan will begin automatically.
  • The scan will take some time to finish,so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.


#12 Koops

Koops
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  

Posted 13 October 2006 - 05:10 PM

Heres the online scanner report

Scanning Report
Friday, October 13, 2006 16:39:17 - 18:02:55

Computer name: CPU1
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
Result: 15 malware found
Tracking Cookie (spyware)

* System (Disinfected)

W32/Adload.BAU (virus)

* C:\WINDOWS\SYSTEM32\CCRXKTJT.EXE (Submitted)
* C:\WINDOWS\SYSTEM32\EBVOQEQP.EXE (Submitted)
* C:\WINDOWS\SYSTEM32\JEUJABOJ.EXE (Submitted)
* C:\WINDOWS\SYSTEM32\KNDLNPTF.EXE (Submitted)
* C:\WINDOWS\SYSTEM32\MEUKXUCY.EXE (Submitted)
* C:\WINDOWS\SYSTEM32\QITJDLWK.EXE (Submitted)
* C:\WINDOWS\SYSTEM32\RRLRJRCY.EXE (Submitted)
* C:\WINDOWS\SYSTEM32\SIBXUWWV.EXE (Submitted)
* C:\WINDOWS\SYSTEM32\UROUJYDE.EXE (Submitted)
* C:\WINDOWS\SYSTEM32\VHHHMPEE.EXE (Submitted)
* C:\WINDOWS\SYSTEM32\YHRMUSMU.EXE (Submitted)

W32/Malware (virus)

* C:\DOCUMENTS AND SETTINGS\ERIC W\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\E8KE32PX\45ATQ2V13X[1].EXE (Submitted)

W32/Stration.OT@mm (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP645\A0099468.EXE (Submitted)

WinAntiVirusPro (spyware)

* System (Disinfected)

Statistics
Scanned:

* Files: 22497
* System: 5015
* Not scanned: 10

Actions:

* Disinfected: 2
* Renamed: 0
* Deleted: 0
* None: 13
* Submitted: 13

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{6D3BD6B6-632F-4D5D-9F8E-CEB8668A120A}.BIN
* C:\WINDOWS\$NTUNINSTALLKB835732$\CALLCONT.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\RTCDLL.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\CATSRV.DLL
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP645\A0099464.DLL
* C:\DOCUMENTS AND SETTINGS\ERIC W\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{CC07687D-C456-48C0-97F9-6217E5D2ADB3}
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\DSS\MACHINEKEYS\A06BA9F23D02EABC8590DA4FFA29F2D7_1AA069DB-CEE5-4162-B387-106007A61B41

Options
Scanning engines:

* F-Secure AVP: 6.0.171, 2006-10-13
* F-Secure Libra: 2.4.1, 2006-10-13
* F-Secure Orion: 1.2.37, 2006-10-13
* F-Secure Blacklight: 1.0.31, 0000-00-00
* F-Secure Pegasus: 1.19.0, 2006-08-29
* F-Secure Draco: 1.0.35, 0259-24-212

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
* Use Advanced heuristics

Copyright © 1998-2006 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.

#13 Koops

Koops
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:01:44 AM

Posted 13 October 2006 - 05:18 PM

Heres the F-Secure online scanner report

Scanning Report
Friday, October 13, 2006 16:39:17 - 18:02:55

Computer name: CPU1
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
Result: 15 malware found
Tracking Cookie (spyware)

* System (Disinfected)

W32/Adload.BAU (virus)

* C:\WINDOWS\SYSTEM32\CCRXKTJT.EXE (Submitted)
* C:\WINDOWS\SYSTEM32\EBVOQEQP.EXE (Submitted)
* C:\WINDOWS\SYSTEM32\JEUJABOJ.EXE (Submitted)
* C:\WINDOWS\SYSTEM32\KNDLNPTF.EXE (Submitted)
* C:\WINDOWS\SYSTEM32\MEUKXUCY.EXE (Submitted)
* C:\WINDOWS\SYSTEM32\QITJDLWK.EXE (Submitted)
* C:\WINDOWS\SYSTEM32\RRLRJRCY.EXE (Submitted)
* C:\WINDOWS\SYSTEM32\SIBXUWWV.EXE (Submitted)
* C:\WINDOWS\SYSTEM32\UROUJYDE.EXE (Submitted)
* C:\WINDOWS\SYSTEM32\VHHHMPEE.EXE (Submitted)
* C:\WINDOWS\SYSTEM32\YHRMUSMU.EXE (Submitted)

W32/Malware (virus)

* C:\DOCUMENTS AND SETTINGS\ERIC W\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\E8KE32PX\45ATQ2V13X[1].EXE (Submitted)

W32/Stration.OT@mm (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP645\A0099468.EXE (Submitted)

WinAntiVirusPro (spyware)

* System (Disinfected)

Statistics
Scanned:

* Files: 22497
* System: 5015
* Not scanned: 10

Actions:

* Disinfected: 2
* Renamed: 0
* Deleted: 0
* None: 13
* Submitted: 13

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{6D3BD6B6-632F-4D5D-9F8E-CEB8668A120A}.BIN
* C:\WINDOWS\$NTUNINSTALLKB835732$\CALLCONT.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\RTCDLL.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\CATSRV.DLL
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP645\A0099464.DLL
* C:\DOCUMENTS AND SETTINGS\ERIC W\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{CC07687D-C456-48C0-97F9-6217E5D2ADB3}
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\DSS\MACHINEKEYS\A06BA9F23D02EABC8590DA4FFA29F2D7_1AA069DB-CEE5-4162-B387-106007A61B41

Options
Scanning engines:

* F-Secure AVP: 6.0.171, 2006-10-13
* F-Secure Libra: 2.4.1, 2006-10-13
* F-Secure Orion: 1.2.37, 2006-10-13
* F-Secure Blacklight: 1.0.31, 0000-00-00
* F-Secure Pegasus: 1.19.0, 2006-08-29
* F-Secure Draco: 1.0.35, 0259-24-212

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
* Use Advanced heuristics

Copyright © 1998-2006 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.

#14 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 13 October 2006 - 05:22 PM

See if you can locate these files for me?

Be sure Windows is Showing Hidden Files
http://www.bleepingcomputer.com/tutorials/...al62.html#winxp

C:\WINDOWS\SYSTEM32\CCRXKTJT.EXE

C:\WINDOWS\SYSTEM32\EBVOQEQP.EXE

C:\WINDOWS\SYSTEM32\JEUJABOJ.EXE

C:\WINDOWS\SYSTEM32\KNDLNPTF.EXE

C:\WINDOWS\SYSTEM32\MEUKXUCY.EXE

C:\WINDOWS\SYSTEM32\QITJDLWK.EXE

C:\WINDOWS\SYSTEM32\RRLRJRCY.EXE

C:\WINDOWS\SYSTEM32\SIBXUWWV.EXE

C:\WINDOWS\SYSTEM32\UROUJYDE.EXE

C:\WINDOWS\SYSTEM32\VHHHMPEE.EXE

C:\WINDOWS\SYSTEM32\YHRMUSMU.EXE


If you have any luck finding these files,please right click the desktop and select New--> Select Compressed(zipped) Folder

Place a copy of any files found into the zip and upload Here


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.



Restart and Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
  • Post the contents of the ActiveScan report along with a fresh HijackThis log.


#15 Koops

Koops
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  

Posted 13 October 2006 - 05:29 PM

LOL fast replys! Here is my combofix log, and I'll get started on the rest

Eric W - 06-10-13 18:22:23.07 Service Pack 2
ComboFix 06.10.14 - Running from: "C:\Program Files\Mozilla Firefox"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Eric W\My Documents\STEM~1
C:\QooBox\Purity\WINDOWS\SKS~1


((((((((((((((((((((((((((((((( Files Created from 2006-09-13 to 2006-10-13 ))))))))))))))))))))))))))))))))))


2006-10-10 17:34 778,656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-10-10 17:34 4,992 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-10-10 17:34 4,288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-10-10 17:34 27,904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-10-10 17:34 23,104 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-10-04 20:55 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-10-04 20:25 970,752 --a------ C:\WINDOWS\system32\VchReg.dll
2006-10-04 17:58 741,396 --a------ C:\WINDOWS\system32\dsuxesfi.exe
2006-09-19 19:34 27,648 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-13 18:16 541 --a------ C:\Documents and Settings\Eric W\Application Data\turing_files.ini
2006-10-13 18:11 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-13 18:02 -------- d-------- C:\Program Files\Common Files
2006-10-12 20:48 -------- d-------- C:\Program Files\HijackThis
2006-10-12 19:29 202 --a------ C:\Documents and Settings\Eric W\Application Data\turing.ini
2006-10-12 18:03 -------- d-------- C:\Program Files\Warcraft III
2006-10-10 17:35 -------- d-------- C:\Documents and Settings\Eric W\Application Data\AVG7
2006-10-10 17:34 -------- d-------- C:\Program Files\Grisoft
2006-10-10 17:32 -------- d-------- C:\Program Files\Zone Labs
2006-10-04 20:42 -------- d-------- C:\Program Files\Java
2006-10-04 20:38 -------- d-------- C:\Program Files\Common Files\Java
2006-09-24 08:38 -------- d-------- C:\Program Files\Sony
2006-09-23 09:48 -------- d-------- C:\Program Files\Common Files\Logitech
2006-09-23 09:37 -------- d-------- C:\Documents and Settings\Eric W\Application Data\Macromedia
2006-09-23 09:35 -------- d-------- C:\Program Files\Common Files\DataViz
2006-09-18 16:27 -------- d-------- C:\Program Files\Turing
2006-08-29 17:12 13844 --a------ C:\WINDOWS\system32\kndlnptf.exe
2006-08-29 09:58 13844 --a------ C:\WINDOWS\system32\qitjdlwk.exe
2006-08-28 18:58 13844 --a------ C:\WINDOWS\system32\yhrmusmu.exe
2006-08-28 13:12 13844 --a------ C:\WINDOWS\system32\meukxucy.exe
2006-08-27 16:15 13844 --a------ C:\WINDOWS\system32\vhhhmpee.exe
2006-08-26 10:35 13844 --a------ C:\WINDOWS\system32\sibxuwwv.exe
2006-08-25 19:39 13844 --a------ C:\WINDOWS\system32\ccrxktjt.exe
2006-08-25 12:05 13844 --a------ C:\WINDOWS\system32\jeujaboj.exe
2006-08-25 11:59 13844 --a------ C:\WINDOWS\system32\uroujyde.exe
2006-08-23 17:17 13844 --a------ C:\WINDOWS\system32\ebvoqeqp.exe
2006-08-23 10:03 13844 --a------ C:\WINDOWS\system32\rrlrjrcy.exe
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 05:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-20 08:05 -------- d-------- C:\Program Files\Internet Explorer
2006-08-20 07:36 -------- d-------- C:\Program Files\Common Files\Companion Wizard
2006-08-19 20:49 -------- d-------- C:\Program Files\Common Files\GTK
2006-08-02 16:52 2 --a------ C:\WINDOWS\system32\wnscptr.exe
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"BluetoothAuthenticationAgent"="rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent"
"Smapp"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smtray.exe"
"StorageGuard"="\"C:\\Program Files\\VERITAS Software\\Update Manager\\sgtray.exe\" /r"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDrives"=dword:00000000
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 06-10-13 18:23:32.81
C:\ComboFix.txt ... 06-10-13 18:23
C:\ComboFix2.txt ... 06-10-12 17:05




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users