
Hi Jacked And Need Help


  • This topic is locked
17 replies to this topic

#1 Damage

Damage

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:45 PM

Posted 15 June 2007 - 11:49 AM

My browser seems to be hijacked, amongst other issues. Help would be greatly appreciated.

The following is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:48:53 PM, on 15/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\program files\steam\steam.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Damage\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.mountaincable.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.mountaincable.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.mountaincable.net
O2 - BHO: (no name) - {267093FA-9868-4232-9142-3D99299529C2} - C:\WINDOWS\system32\urqrr.dll
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\ejxrxxbx.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\xxywutq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\ebgnjbkw.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [svchost.exe] C:\WINDOWS\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/xiah/luncher/GamesCampus.cab
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://blueroof.no-ip.com:85/SysCamInst.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://blueroof.no-ip.com:83/kxhcm10.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105155907633
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (BL_Camera) - http://221.186.83.10/bl_camera.ocx
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O20 - Winlogon Notify: urqrr - C:\WINDOWS\system32\urqrr.dll
O20 - Winlogon Notify: wingqn32 - C:\WINDOWS\SYSTEM32\wingqn32.dll
O20 - Winlogon Notify: xxywutq - C:\WINDOWS\SYSTEM32\xxywutq.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6328 bytes


Please tell me the fix is nice and easy, 'cause I'm not that computer savvy =\
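An added example (not part of this thread and not HijackThis code): a small Python triage script that applies the structural checks a log reader performs on a log like the one above. It flags unnamed BHOs (O2), non-default Winlogon Notify DLLs (O20), autoruns under Policies\Explorer\Run, system binary names running outside system32, ActiveX controls fetched from a bare IP address, and, most tellingly, a DLL that is registered both as a BHO and as a Winlogon Notify package. The sample input is constructed from lines in this thread; the severity labels, directory lists and regular expressions are the example's own assumptions, not anything HijackThis itself reports.

```python
"""Structural triage of a HijackThis log for the Vundo/Virtumonde persistence pattern.

Added example, not part of the forum thread. No signature database and no
reputation lookups: every hit is a review item for a human, ordered by how
strongly the loading point itself implies malice.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {267093FA-9868-4232-9142-3D99299529C2} - C:\WINDOWS\system32\urqrr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\ebgnjbkw.dll",realset
O4 - HKLM\..\Run: [szarkrmf.exe] C:\Documents and Settings\All Users\Application Data\szarkrmf.exe
O4 - HKLM\..\Policies\Explorer\Run: [svchost.exe] C:\WINDOWS\svchost.exe
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (BL_Camera) - http://221.186.83.10/bl_camera.ocx
O20 - Winlogon Notify: urqrr - C:\WINDOWS\system32\urqrr.dll
O20 - Winlogon Notify: wingqn32 - C:\WINDOWS\SYSTEM32\wingqn32.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

SECTION_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
# A Windows path ending in a loadable module; stops at the quote or comma that
# follows the DLL in rundll32 command lines.
PATH_RE = re.compile(r'[a-z]:\\[^",]+?\.(?:dll|exe|ocx)\b', re.I)
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}[:/]", re.I)
RUNDLL_SYS32_RE = re.compile(r'rundll32(?:\.exe)?\s+"?c:\\windows\\system32\\', re.I)

# Assumed lists for the example: names that only belong in system32, and
# directories from which nothing should be auto-started.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\",)
DATA_DIRS = ("c:\\documents and settings\\", "c:\\windows\\temp\\")
SEVERITY = {"high": 0, "medium": 1, "low": 2}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def triage(log_text):
    """Return (severity, section, reason, evidence) tuples, highest severity first."""
    findings = []
    seen_in = defaultdict(set)  # module basename -> HijackThis sections referencing it

    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        paths = [p.lower() for p in PATH_RE.findall(body)]
        for p in paths:
            seen_in[basename(p)].add(section)

        if section == "O2" and "(no name)" in body:
            findings.append(("medium", section, "BHO registered without a name", line))
        elif section == "O20":
            # HijackThis suppresses the stock Windows Notify packages, so anything
            # listed here is a third-party DLL that winlogon.exe loads at logon.
            findings.append(("medium", section, "non-default Winlogon Notify DLL", line))
        elif section == "O4":
            if "policies\\explorer\\run" in body.lower():
                findings.append(("high", section, "autorun via Policies\\Explorer\\Run", line))
            for p in paths:
                if basename(p) in SYSTEM_BINARIES and not p.startswith(SYSTEM_DIRS):
                    findings.append(("high", section, f"{basename(p)} outside system32", line))
                if p.startswith(DATA_DIRS):
                    findings.append(("medium", section, "autorun from a data directory", line))
            if RUNDLL_SYS32_RE.search(body):
                findings.append(("low", section, "rundll32 loads a system32 DLL; verify it", line))
        elif section == "O16" and IP_URL_RE.search(body):
            findings.append(("medium", section, "ActiveX control fetched from a bare IP", line))

    # Correlation: one DLL registered both as a BHO (runs inside IE) and as a
    # Winlogon Notify package (runs inside winlogon.exe) is the Vundo pattern.
    for name, sections in seen_in.items():
        if {"O2", "O20"} <= sections:
            findings.append(("high", "O2+O20", "same DLL is BHO and Winlogon Notify package", name))

    return sorted(findings, key=lambda f: SEVERITY[f[0]])


if __name__ == "__main__":
    for sev, sec, reason, evidence in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {sec:6} {reason}: {evidence}")
```

The low-severity rundll32 hits include legitimate loaders such as the NVIDIA control panel entry; they are listed so that the DLL gets checked, not because the pattern is malicious by itself. The O2+O20 correlation is the decisive one: a Winlogon Notify package is loaded by winlogon.exe before any user-mode removal tool runs, which is how an infection of this family can put back components that a scanner just deleted.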


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:45 PM

Posted 16 June 2007 - 12:48 AM

Hello,

* Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Damage

Damage
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:45 PM

Posted 16 June 2007 - 05:32 AM

I have tried running ComboFix and it doesn't seem to actually run. A window flashes open, then closes quickly, and nothing happens. No log is created... nothing. Same for SmitfraudFix.

I do have more info though. I seem to be infected with EVERYTHING evil. Vundo, Yazzle Cowabunga, Smitfraud, and Virtumonde. These are the problems that continue to be detected and removed by various tools, but reappear almost immediately. I've not slept since this began yesterday morning, so I may be a little off my pace, but I'm determined to fix this.

All help is appreciated.

Another Hijackthis log follows.

Logfile of HijackThis v1.99.1
Scan saved at 6:31:55 AM, on 16/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\All Users\Application Data\szarkrmf.exe
C:\WINDOWS\system32\scchk32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.mountaincable.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.mountaincable.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.mountaincable.net
O2 - BHO: (no name) - {4BFDF973-B8EE-4A09-91CE-DA5293D06EC8} - C:\WINDOWS\system32\iiihe.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\ejxrxxbx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\byxvsqn.dll (file missing)
O2 - BHO: (no name) - {FFD17CC9-3DD1-4117-BECB-B558C55E7F04} - C:\WINDOWS\system32\urqrr.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\dlvhmwtj.dll",realset
O4 - HKLM\..\Run: [szarkrmf.exe] C:\Documents and Settings\All Users\Application Data\szarkrmf.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

#4 Damage

Damage
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:45 PM

Posted 16 June 2007 - 05:54 AM

Sorry for the bump, but I just noticed my log was truncated. Posting a full one now.



Logfile of HijackThis v1.99.1
Scan saved at 6:54:15 AM, on 16/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\All Users\Application Data\szarkrmf.exe
C:\WINDOWS\system32\scchk32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.mountaincable.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.mountaincable.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.mountaincable.net
O2 - BHO: (no name) - {4BFDF973-B8EE-4A09-91CE-DA5293D06EC8} - C:\WINDOWS\system32\iiihe.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\ejxrxxbx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\byxvsqn.dll (file missing)
O2 - BHO: (no name) - {FFD17CC9-3DD1-4117-BECB-B558C55E7F04} - C:\WINDOWS\system32\urqrr.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\dlvhmwtj.dll",realset
O4 - HKLM\..\Run: [szarkrmf.exe] C:\Documents and Settings\All Users\Application Data\szarkrmf.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/xiah/luncher/GamesCampus.cab
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://blueroof.no-ip.com:85/SysCamInst.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://blueroof.no-ip.com:83/kxhcm10.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105155907633
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (BL_Camera) - http://221.186.83.10/bl_camera.ocx
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O20 - Winlogon Notify: wingqn32 - C:\WINDOWS\SYSTEM32\wingqn32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:45 PM

Posted 16 June 2007 - 05:54 AM

OK, most probably you were also dealing with one of the Alcan/Alcra variants, which drops some dummy .com files to prevent tools from running.

Do next first..


* Download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by doubleclicking BFU.exe

Next to the 'scriptfile to execute' window you'll see a little icon.
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste the next URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script
( alcanshorty.bfu ) manually from the above URL (right-click on it and choose 'Save as' and save it in your BFU folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute' window.
Browse to the script you downloaded and click OK and Execute in Brute Force Uninstaller.


Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program

Then try to run Combofix again.

#6 Damage

Damage
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:45 PM

Posted 16 June 2007 - 06:01 AM

The BFU script seemed to execute, but ComboFix still does not. A DOS window seems to pop up, but vanishes before I can even see what's in it.

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:45 PM

Posted 16 June 2007 - 06:04 AM

OK, do the next please..

Open Notepad and copy and paste the text in the quote box below into it:

C:\Windows\system32\reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /s >> look.txt
start notepad look.txt

Save this as look.bat (choose 'All Files' as the file type) and place it on your desktop.
Double-click on it and Notepad should open.
Copy and paste the contents of it in your next reply.
(In case you are unsure how to create a .bat file, take a look here with screenshots.)

#8 Damage

Damage
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:45 PM

Posted 16 June 2007 - 06:09 AM

Coffee and cigarettes... Coffee and cigarettes.

and... the log.

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
ComSpec REG_EXPAND_SZ %SystemRoot%\system32\cmd.exe
Path REG_SZ %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;
windir REG_EXPAND_SZ %SystemRoot%
OS REG_SZ Windows_NT
PROCESSOR_ARCHITECTURE REG_SZ x86
PROCESSOR_LEVEL REG_SZ 15
PROCESSOR_IDENTIFIER REG_SZ x86 Family 15 Model 0 Stepping 10, GenuineIntel
PROCESSOR_REVISION REG_SZ 000a
NUMBER_OF_PROCESSORS REG_SZ 1
PATHEXT REG_SZ .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
TEMP REG_EXPAND_SZ %SystemRoot%\TEMP
TMP REG_EXPAND_SZ %SystemRoot%\TEMP
FP_NO_HOST_CHECK REG_SZ NO

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:45 PM

Posted 16 June 2007 - 06:22 AM

OK, I found the culprit why these tools won't work.

The data of the Path value is stored as REG_SZ instead of REG_EXPAND_SZ:

Path REG_SZ %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;


To fix this, do the following please... in exactly the same way as I describe!

Download FIXPATH2.ZIP. Extract the files to a folder in C:\, like C:\FIXPATH2.

RUNNING THE PROGRAM:
  • Open a command prompt window by going to start > run and copy and type: cmd
    In the command prompt, type: cd C:\

    So you should get C:\>

    Then type: cd FIXPATH2

    So you should get: C:\>fixpath2

    Then type: FIXPATH.EXE
  • It will display some preliminary information, and ask if it should continue and check for errors. Click Yes.
  • If it successfully updates the Path value in the registry, you will need to
    reboot for the change to take effect.
Then try to run Combofix again.
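An added example (not part of this thread, and not the FIXPATH2 tool): Python code that parses the look.txt output posted above, flags environment values that reference %VAR% while being stored as REG_SZ, simulates the PATH search to show why tools launched without a full path fail, and emits a .reg fragment that re-creates the value as REG_EXPAND_SZ. The type matters because, when Windows builds the system environment from this key, REG_EXPAND_SZ data is expanded and REG_SZ data is copied verbatim, so a REG_SZ Path puts the literal, non-existent directory %SystemRoot%\system32 on the search path. Note that look.bat above calls reg.exe by its full path, which is why it worked while tools relying on PATH did not. The sample input, the environment map and the set of "files on disk" are constructed for the example.

```python
"""Why a REG_SZ Path value breaks tools launched without a full path.

Added example, not part of the forum thread. Parses `reg query ... /s` output
(reg.exe 3.0 layout as posted), finds values whose data needs expansion but
whose type will never be expanded, simulates the resulting PATH lookup, and
builds a .reg fragment that restores the value as REG_EXPAND_SZ.
"""
import re

# Constructed sample: the look.txt output posted above, abbreviated.
LOOK_TXT = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
ComSpec REG_EXPAND_SZ %SystemRoot%\system32\cmd.exe
Path REG_SZ %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;
windir REG_EXPAND_SZ %SystemRoot%
OS REG_SZ Windows_NT
TEMP REG_EXPAND_SZ %SystemRoot%\TEMP
"""

ENV_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment"
VALUE_RE = re.compile(r"^(\S+)\s+(REG_[A-Z_]+)\s+(.*)$")
VAR_RE = re.compile(r"%([^%]+)%")


def parse_reg_query(text):
    """Map value name -> (type, data) from reg.exe 3.0 query output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            name, kind, data = m.groups()
            values[name] = (kind, data.strip())
    return values


def type_mismatches(values):
    """Values that contain %VAR% references but are stored as REG_SZ."""
    return sorted(name for name, (kind, data) in values.items()
                  if kind == "REG_SZ" and VAR_RE.search(data))


def effective_value(kind, data, env):
    """What a process inherits: REG_EXPAND_SZ is expanded, REG_SZ is taken literally."""
    if kind != "REG_EXPAND_SZ":
        return data
    return VAR_RE.sub(lambda m: env.get(m.group(1), m.group(0)), data)


def resolve(exe, path_value, env, present):
    """Simulate the PATH search for `exe` over a (type, data) Path value.

    `present` is a constructed set of lower-cased files that exist on disk.
    """
    kind, data = path_value
    for directory in filter(None, effective_value(kind, data, env).split(";")):
        candidate = directory.rstrip("\\") + "\\" + exe
        if candidate.lower() in present:
            return candidate
    return None


def reg_expand_sz_hex(data):
    """Encode a string as the hex(2) payload regedit uses for REG_EXPAND_SZ."""
    raw = data.encode("utf-16-le") + b"\x00\x00"  # UTF-16LE with terminating NUL
    return ",".join(f"{b:02x}" for b in raw)


def fix_fragment(name, data):
    """A .reg fragment that re-creates `name` as REG_EXPAND_SZ with the same data."""
    return (f"Windows Registry Editor Version 5.00\n\n[{ENV_KEY}]\n"
            f'"{name}"=hex(2):{reg_expand_sz_hex(data)}\n')


if __name__ == "__main__":
    values = parse_reg_query(LOOK_TXT)
    env = {"SystemRoot": r"C:\WINDOWS"}           # assumed for the example
    on_disk = {r"c:\windows\system32\reg.exe"}    # constructed "files on disk"
    print("mismatched:", type_mismatches(values))
    print("reg.exe via broken Path :", resolve("reg.exe", values["Path"], env, on_disk))
    fixed = ("REG_EXPAND_SZ", values["Path"][1])
    print("reg.exe via fixed Path  :", resolve("reg.exe", fixed, env, on_disk))
    print(fix_fragment("Path", values["Path"][1]))
```

Importing the generated fragment with regedit (after exporting the key as a backup) gives the result the helper describes for FIXPATH2: the Path value updated in the registry, followed by a reboot, because the running environment was built at logon. Regedit wraps long hex(2) lines with a trailing backslash when it exports, but it imports unwrapped lines as well.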

#10 Damage

Damage
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:45 PM

Posted 16 June 2007 - 06:40 AM

Wow, you are just that good. Combofix has executed successfully and the log follows.

ComboFix 07-06-13.3 - C:\Documents and Settings\Damage\Desktop\ComboFix.exe
"Damage" - 2007-06-16 7:28:44 - Service Pack 2


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dlvhmwtj.dll
C:\WINDOWS\system32\ebgnjbkw.dll
C:\WINDOWS\system32\skhorwyc.dll
C:\WINDOWS\system32\wingqn32.dll
C:\WINDOWS\system32\jtwmhvld.ini
C:\WINDOWS\system32\wkbjngbe.ini
C:\WINDOWS\system32\cywrohks.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\fnts~1
C:\WINDOWS\system32\xpdx.sys


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\xpdx


((((((((((((((((((((((((( Files Created from 2007-05-16 to 2007-06-16 )))))))))))))))))))))))))))))))


2007-06-16 07:28 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-16 07:24 <DIR> d-------- C:\FIXPATH2
2007-06-16 06:59 <DIR> d-------- C:\bintheredunthat
2007-06-16 06:56 <DIR> d-------- C:\BFU
2007-06-16 06:49 <DIR> d-------- C:\WINDOWS\system32\mevqvvvb
2007-06-16 06:30 <DIR> d-------- C:\Hijackthis
2007-06-16 00:50 99,072 --a------ C:\mevqvvvb1.exe
2007-06-16 00:50 94,976 --a------ C:\mevqvvvb3.exe
2007-06-16 00:50 286,720 --a------ C:\WINDOWS\system32\scchk32.exe
2007-06-16 00:50 100,096 --a------ C:\mevqvvvb2.exe
2007-06-15 19:27 5,888 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2007-06-15 19:27 127,488 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2007-06-15 19:26 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2007-06-15 19:26 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2007-06-15 19:26 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2007-06-15 19:26 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2007-06-15 19:26 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-06-15 19:26 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2007-06-15 19:26 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2007-06-15 19:26 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-06-15 19:26 <DIR> d-------- C:\Program Files\Ahead
2007-06-15 15:06 56,832 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\szarkrmf.exe
2007-06-15 14:19 <DIR> d-------- C:\VundoFix Backups
2007-06-15 13:02 <DIR> d--hs---- C:\FOUND.001
2007-06-15 12:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-15 12:57 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-15 12:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-15 12:20 62,560 --a------ C:\WINDOWS\system32\ejxrxxbx.dll
2007-06-15 09:31 2 --a------ C:\WINDOWS\system32\wcpicomsv.exe
2007-06-15 09:27 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-06-15 09:27 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-15 09:27 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-15 09:27 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-15 09:27 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-15 09:27 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-15 09:26 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-15 09:26 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-06-15 09:26 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-15 08:31 <DIR> d--hs---- C:\FOUND.000
2007-06-14 19:43 62,560 --a------ C:\WINDOWS\system32\nlargikq.dll
2007-06-14 08:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2007-06-14 08:14 <DIR> d-------- C:\WINDOWS\?sks
2007-06-14 08:14 <DIR> d-------- C:\Program Files\Common Files\?sks
2007-06-14 08:14 <DIR> d-------- C:\Program Files\Common Files\?pPatch
2007-06-14 07:39 <DIR> d-------- C:\DOCUME~1\Damage\.housecall6.6
2007-06-14 02:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-06-10 02:48 <DIR> d-------- C:\Program Files\PokerStars.NET
2007-06-08 15:51 <DIR> d-------- C:\Program Files\XoftSpySE
2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-23 20:04 77,312 --a------ C:\WINDOWS\ua2.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-14 12:14:34 -------- d-----w C:\Program Files\Common Files\??pPatch
2007-06-14 12:14:18 -------- d-----w C:\Program Files\Common Files\??sks
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:16 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:24 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-03-27 21:39:00 29 ----a-w C:\WINDOWS\popcinfo.dat
2007-03-17 13:43:02 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{4BFDF973-B8EE-4A09-91CE-DA5293D06EC8}=C:\WINDOWS\system32\iiihe.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}=C:\WINDOWS\system32\ejxrxxbx.dll [2007-06-15 12:20]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{FFD17CC9-3DD1-4117-BECB-B558C55E7F04}=C:\WINDOWS\system32\urqrr.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-12 04:10]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2000-07-13 15:00]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2000-07-13 15:00]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-13 15:00]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 11:42]
"szarkrmf.exe"="C:\Documents and Settings\All Users\Application Data\szarkrmf.exe" [2007-06-15 15:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"Steam"="" []

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]


Contents of the 'Scheduled Tasks' folder
2006-12-01 18:45:44 C:\WINDOWS\tasks\XoftSpy.job
2007-06-16 08:22:34 C:\WINDOWS\tasks\XoftSpySE.job
2007-06-16 11:34:20 C:\WINDOWS\tasks\XoftSpySE 2.job

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 16 June 2007 - 06:51 AM

Hi,

Perform the next steps in the right order, please.

First, I want you to manually delete some folders, since we can't include them in a script to remove them.

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders again afterwards, when we are done with this thread and your problems are solved, because the above instructions to set your system to show all files unhide legitimate files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.


Navigate to the next folder:

C:\Program Files\Common Files

In there, you'll find two folders: ??pPatch and ??sks
You won't see the question marks in them; logs display them with question marks because the names use foreign characters.
Most probably these folders will look like AppPatch and Tasks. Delete these folders. Note: DO NOT delete the Tasks folder and AppPatch folder anywhere else!!!!

Then, open Notepad and copy/paste the text in the quotebox below into it:

File::
C:\mevqvvvb1.exe
C:\mevqvvvb3.exe
C:\WINDOWS\system32\scchk32.exe
C:\mevqvvvb2.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\szarkrmf.exe
C:\WINDOWS\system32\ejxrxxbx.dll
C:\WINDOWS\system32\nlargikq.dll
C:\WINDOWS\system32\wcpicomsv.exe

Folder::
C:\WINDOWS\system32\mevqvvvb
C:\VundoFix Backups
C:\bintheredunthat
C:\BFU

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFD17CC9-3DD1-4117-BECB-B558C55E7F04}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4BFDF973-B8EE-4A09-91CE-DA5293D06EC8}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"szarkrmf.exe"=-


Save this as ComboFix-Do.txt

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.

[screenshot: ComboFix-Do.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

Edited by miekiemoes, 16 June 2007 - 06:53 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#12 Damage

Damage
  • Topic Starter

  • Members
  • 9 posts

Posted 16 June 2007 - 07:04 AM

Tasks were completed in order. ComboFix did not require a reboot.

Logs follow.



Combofix Log follows-------


ComboFix 07-06-13.3 - C:\Documents and Settings\Damage\Desktop\ComboFix.exe
"Damage" - 2007-06-16 7:56:39 - Service Pack 2
Command switches used :: C:\Documents and Settings\Damage\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\BFU
C:\BFU\alcanshorty.bfu
C:\BFU\BFU.exe
C:\BFU\bfu.zip
C:\bintheredunthat
C:\DOCUME~1\ALLUSE~1\APPLIC~1\szarkrmf.exe
C:\mevqvvvb1.exe
C:\mevqvvvb2.exe
C:\mevqvvvb3.exe
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\awtuvuu.dll.bad
C:\VundoFix Backups\byxvsqn.dll.bad
C:\VundoFix Backups\ehiii.bak1.bad
C:\VundoFix Backups\ehiii.ini.bad
C:\VundoFix Backups\iiihe.dll.bad
C:\VundoFix Backups\ljjjjhi.dll.bad
C:\VundoFix Backups\rrqru.bak1.bad
C:\VundoFix Backups\rrqru.bak2.bad
C:\VundoFix Backups\rrqru.ini.bad
C:\VundoFix Backups\rrqru.ini2.bad
C:\VundoFix Backups\rrqru.tmp.bad
C:\VundoFix Backups\urqrr.dll.bad
C:\VundoFix Backups\wvuturs.dll.bad
C:\VundoFix Backups\xxywutq.dll.bad
C:\WINDOWS\system32\ejxrxxbx.dll
C:\WINDOWS\system32\mevqvvvb
C:\WINDOWS\system32\mevqvvvb\bg1.gif
C:\WINDOWS\system32\mevqvvvb\bgtop.gif
C:\WINDOWS\system32\mevqvvvb\bottom1.gif
C:\WINDOWS\system32\mevqvvvb\essentials.gif
C:\WINDOWS\system32\mevqvvvb\icon1.ico
C:\WINDOWS\system32\mevqvvvb\install1.gif
C:\WINDOWS\system32\mevqvvvb\left1.gif
C:\WINDOWS\system32\mevqvvvb\li.gif
C:\WINDOWS\system32\mevqvvvb\logo.gif
C:\WINDOWS\system32\mevqvvvb\main.htm
C:\WINDOWS\system32\mevqvvvb\mainframe.htm
C:\WINDOWS\system32\mevqvvvb\reinstall1.gif
C:\WINDOWS\system32\mevqvvvb\right1.gif
C:\WINDOWS\system32\mevqvvvb\s1.htm
C:\WINDOWS\system32\mevqvvvb\s2.htm
C:\WINDOWS\system32\mevqvvvb\s3.htm
C:\WINDOWS\system32\mevqvvvb\SMTop1.gif
C:\WINDOWS\system32\mevqvvvb\SMTop2.gif
C:\WINDOWS\system32\mevqvvvb\SMTop3.gif
C:\WINDOWS\system32\mevqvvvb\SMTop4.gif
C:\WINDOWS\system32\mevqvvvb\soft1_off.gif
C:\WINDOWS\system32\mevqvvvb\soft1_off_ext.gif
C:\WINDOWS\system32\mevqvvvb\soft1_on.gif
C:\WINDOWS\system32\mevqvvvb\soft1_on_ext.gif
C:\WINDOWS\system32\mevqvvvb\soft2_off.gif
C:\WINDOWS\system32\mevqvvvb\soft2_off_ext.gif
C:\WINDOWS\system32\mevqvvvb\soft2_on.gif
C:\WINDOWS\system32\mevqvvvb\soft2_on_ext.gif
C:\WINDOWS\system32\mevqvvvb\soft3_off.gif
C:\WINDOWS\system32\mevqvvvb\soft3_off_ext.gif
C:\WINDOWS\system32\mevqvvvb\soft3_on.gif
C:\WINDOWS\system32\mevqvvvb\soft3_on_ext.gif
C:\WINDOWS\system32\mevqvvvb\softbottom_off.gif
C:\WINDOWS\system32\mevqvvvb\softbottom_on.gif
C:\WINDOWS\system32\mevqvvvb\softleft_off.gif
C:\WINDOWS\system32\mevqvvvb\softleft_on.gif
C:\WINDOWS\system32\mevqvvvb\top1.gif
C:\WINDOWS\system32\mevqvvvb\top2.gif
C:\WINDOWS\system32\mevqvvvb\turnoff1.gif
C:\WINDOWS\system32\mevqvvvb\turnon1.gif
C:\WINDOWS\system32\nlargikq.dll
C:\WINDOWS\system32\scchk32.exe
C:\WINDOWS\system32\wcpicomsv.exe


((((((((((((((((((((((((( Files Created from 2007-05-16 to 2007-06-16 )))))))))))))))))))))))))))))))


2007-06-16 07:28 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-16 07:24 <DIR> d-------- C:\FIXPATH2
2007-06-16 06:30 <DIR> d-------- C:\Hijackthis
2007-06-15 19:27 5,888 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2007-06-15 19:27 127,488 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2007-06-15 19:26 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2007-06-15 19:26 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2007-06-15 19:26 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2007-06-15 19:26 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2007-06-15 19:26 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-06-15 19:26 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2007-06-15 19:26 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2007-06-15 19:26 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-06-15 19:26 <DIR> d-------- C:\Program Files\Ahead
2007-06-15 13:02 <DIR> d--hs---- C:\FOUND.001
2007-06-15 12:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-15 12:57 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-15 12:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-15 09:27 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-06-15 09:27 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-15 09:27 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-15 09:27 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-15 09:27 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-15 09:27 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-15 09:26 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-15 09:26 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-06-15 09:26 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-15 08:31 <DIR> d--hs---- C:\FOUND.000
2007-06-14 08:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2007-06-14 08:14 <DIR> d-------- C:\WINDOWS\?sks
2007-06-14 07:39 <DIR> d-------- C:\DOCUME~1\Damage\.housecall6.6
2007-06-14 02:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-06-10 02:48 <DIR> d-------- C:\Program Files\PokerStars.NET
2007-06-08 15:51 <DIR> d-------- C:\Program Files\XoftSpySE
2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-23 20:04 77,312 --a------ C:\WINDOWS\ua2.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:16 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:24 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-03-27 21:39:00 29 ----a-w C:\WINDOWS\popcinfo.dat
2007-03-17 13:43:02 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-12 04:10]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2000-07-13 15:00]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2000-07-13 15:00]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-13 15:00]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 11:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"Steam"="" []

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]


Contents of the 'Scheduled Tasks' folder
2006-12-01 18:45:44 C:\WINDOWS\tasks\XoftSpy.job
2007-06-16 08:22:34 C:\WINDOWS\tasks\XoftSpySE.job
2007-06-16 11:34:20 C:\WINDOWS\tasks\XoftSpySE 2.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-16 07:58:03
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

CMD.EXE [804]


scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Files hidden from API:
C:\WINDOWS\?sks

Completion time: 2007-06-16 7:59:33
C:\ComboFix-quarantined-files.txt ... 2007-06-16 07:58

--- E O F ---



Hijackthis log follows----------------------


Logfile of HijackThis v1.99.1
Scan saved at 8:01:32 AM, on 16/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\All Users\Application Data\szarkrmf.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\explorer.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.mountaincable.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.mountaincable.net
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/xiah/luncher/GamesCampus.cab
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://blueroof.no-ip.com:85/SysCamInst.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://blueroof.no-ip.com:83/kxhcm10.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105155907633
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (BL_Camera) - http://221.186.83.10/bl_camera.ocx
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe






You know, I just suddenly realised that I have absolutely no clue what I've done and I've never been happier about it. You are very quickly becoming my favourite person!

#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 16 June 2007 - 07:14 AM

Hi,

Ok, I explained to you previously about these folders with odd characters, which are displayed in logs with question marks.
You also have this one present: C:\WINDOWS\?sks
This one is present in your C:\Windows folder.
This one is a bit more advanced. The reason is, most probably this folder will look like tasks. BE CAREFUL here: there will also be a legit/good folder present in that same folder (C:\Windows) with the name tasks.
So actually, there should be 2 folders in your C:\Windows folder with the name tasks. A good one and a bad one.
The GOOD one contains some files like XoftSpy.job, XoftSpySE.job, XoftSpySE 2.job.... So don't delete that folder.
It's the other folder which looks like tasks you have to delete.
So let me know if you were able to find it. If you're not sure, ask first. :thumbsup:

I also see the next file is still present and running:

C:\Documents and Settings\All Users\Application Data\szarkrmf.exe

So open your Task Manager and end the next process: szarkrmf.exe

Then, navigate to and delete the next file: C:\Documents and Settings\All Users\Application Data\szarkrmf.exe

Post a new HijackThis log in your next reply.
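The two posts above describe look-alike folders whose names use foreign characters that render like "Tasks" and "AppPatch" and that the logs print as question marks. As an added example (not code from this thread, from ComboFix or from HijackThis), the Python script below shows how such impostors can be spotted automatically in a directory listing: it reduces each name to the ASCII text it visually resembles and flags non-ASCII names that collide with a sibling folder or with a well-known folder name, which covers both the "two folders called tasks" case in C:\Windows and the lone look-alikes in C:\Program Files\Common Files. The listings and the specific Cyrillic letters are constructed for the demonstration (the thread never shows which characters the real folders used), and the KNOWN_GOOD allow-list is an assumption.

```python
"""Spot directory names that impersonate well-known Windows folders.

Added example, not code from the thread or from ComboFix/HijackThis.
Sample listings are constructed: the impostor names use Cyrillic letters
that render like 'T', 'a' and 'p' (the real characters on the infected
machine are unknown; the logs only show them as '?').
"""
import unicodedata

# Lower-case Cyrillic letters that look like Latin ones (a small subset
# of Unicode's confusables table; enough for this demonstration).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0442": "t",
    "\u043a": "k",
}

# Folder names that malware likes to imitate (assumption: an allow-list
# of a few well-known names is enough here; extend it for real use).
KNOWN_GOOD = {"tasks", "apppatch"}

# Constructed listings mirroring the thread: C:\WINDOWS has a legitimate
# "Tasks" beside a look-alike whose first letter is Cyrillic Te (U+0422);
# C:\Program Files\Common Files has two look-alikes and no legitimate twin.
SAMPLE_WINDOWS = ["Tasks", "\u0422asks", "system32", "AppPatch", "Fonts"]
SAMPLE_COMMON_FILES = [
    "\u0410\u0440pPatch",   # looks like "AppPatch" (Cyrillic A, Cyrillic er)
    "Microsoft Shared",
    "\u0422\u0430sks",      # looks like "Tasks" (Cyrillic Te, Cyrillic a)
    "InstallShield",
    "Caf\u00e9 Tools",      # non-ASCII, but not imitating anything
]


def skeleton(name: str) -> str:
    """Reduce a name to the ASCII string it visually resembles.

    NFKD splits accented letters into base letter + combining mark (the
    mark is then dropped), casefold removes case, and the confusables
    map replaces look-alike Cyrillic letters with their Latin twins.
    """
    folded = unicodedata.normalize("NFKD", name).casefold()
    return "".join(
        CONFUSABLES.get(ch, ch) for ch in folded if not unicodedata.combining(ch)
    )


def find_impostors(names):
    """Return {name: reason} for entries of one directory listing that
    contain non-ASCII characters, with the most suspicious reason first:
    a twin of a sibling folder, a twin of a well-known name, or merely
    non-ASCII (worth a look, but often legitimate software)."""
    groups = {}
    for n in names:
        groups.setdefault(skeleton(n), []).append(n)

    findings = {}
    for n in names:
        if n.isascii():
            continue  # a pure-ASCII name cannot hide look-alike letters
        sk = skeleton(n)
        siblings = [s for s in groups[sk] if s != n]
        if siblings:
            findings[n] = f"look-alike of sibling folder {siblings[0]!r}"
        elif sk in KNOWN_GOOD:
            findings[n] = f"look-alike of well-known folder {sk!r}"
        else:
            findings[n] = "non-ASCII characters in folder name"
    return findings


def report(listings):
    """Run find_impostors over {directory: names} and return flat
    (directory, name, reason) tuples for printing or for a test."""
    rows = []
    for directory, names in listings.items():
        for name, reason in find_impostors(names).items():
            rows.append((directory, name, reason))
    return rows


if __name__ == "__main__":
    for directory, name, reason in report(
        {"C:\\WINDOWS": SAMPLE_WINDOWS,
         "C:\\Program Files\\Common Files": SAMPLE_COMMON_FILES}
    ):
        # Print the code points so the look-alike letters become visible.
        codepoints = " ".join(f"U+{ord(c):04X}" for c in name if not c.isascii())
        print(f"{directory}\\{name!r}: {reason} [{codepoints}]")
```

On a live machine the constructed lists would be replaced by `os.listdir()` of the directories in question; printing the code points is what lets a helper tell the impostor apart from the genuine Tasks folder, which is exactly the distinction the post above asks the user to make by eye.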

#14 Damage

Damage
  • Topic Starter

  • Members
  • 9 posts

Posted 16 June 2007 - 07:28 AM

Ended the process Szarkrmf.exe successfully, but was unable to find the program at C:\Documents and Settings\All Users\Application Data\szarkrmf.exe. It just wasn't there anymore.


New HijackThis log follows.


Logfile of HijackThis v1.99.1
Scan saved at 8:23:43 AM, on 16/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\explorer.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.mountaincable.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.mountaincable.net
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/xiah/luncher/GamesCampus.cab
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://blueroof.no-ip.com:85/SysCamInst.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://blueroof.no-ip.com:83/kxhcm10.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105155907633
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (BL_Camera) - http://221.186.83.10/bl_camera.ocx
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe



Things seem to be looking up! (Actually, I have no idea if they are or not, but my faith in you is strong)

#15 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 16 June 2007 - 07:52 AM

Hi,

Yes, it's possible that you couldn't find the file anymore. I have seen this behavior before with this file. ComboFix deletes it, but it stays running. Then when you end the process, the file just disappears.

Delete the next folder:

C:\Qoobox

Your log looks clean again. How are things now?



