BullGuard Antivirus Forum > Virus > Virus Questions
Ok...I'm infected, now what?
43 posts in this thread.

Zalen (New Member, joined Nov 2008, 23 posts), posted 11-23-2008 12:23 (GMT +1):
Ok, so I know one thing for sure: I'm infected with at least one virus. I know I'm supposed to post my logfile here, but there's one small problem... I think the virus shut down Avast. It fails to scan each time. Any help is greatly appreciated.

Touch (Forum Moderator, joined Jun 2004, 14325 posts), posted 11-23-2008 9:49 (GMT +1):
Hello Zalen


and save it on the desktop. Then double click on it (Fix_download.exe).
You may have to allow the program to download files from the web!

The program downloads the necessary cleaning programs. Once the program is downloaded, there will be a folder on your desktop named Fix. If the instructions do not open automatically, double-click "FIX_manual.htm" in the Fix folder.

Please follow the instructions and copy the logs here, in this topic.

Note: Fix_download.exe is detected by some antivirus programs as a "RiskTool"/infection; it is not a virus. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

If necessary, temporarily disable your anti-virus real-time protection before downloading.

Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.


Zalen (New Member), posted 11-23-2008 9:31 (GMT +1):
One quick problem. When I double click on MalwarebytesAM (to install it) a prompt comes up saying that "MalwarebytesAM is not a valid Win32 application". Thanks for the help so far.

Touch (Forum Moderator), posted 11-24-2008 4:50 (GMT +1):
Ok. Post the logs you have then

Zalen (New Member), posted 11-24-2008 5:24 (GMT +1):
This can't be good... both ComboFix and HijackThis came up with the same prompt when I tried to install them. Sorry for all the trouble; hopefully you can guide me through this. Once again, thanks for the help so far.

Touch (Forum Moderator), posted 11-24-2008 5:29 (GMT +1):
Seems to be a nasty one you've got there.

Boot the machine; when it finishes booting, press Ctrl+Alt+Del and click Task Manager.
Go to the Processes tab and end task on explorer.
Go back to Applications and click New Task.
Type C:\
Then click in the address bar, "Computer".
Click Uninstall programs, and click on the Windows Safety Alerts entry that DOES NOT have Microsoft Corp beside it.
It will tell you that the computer needs to be rebooted before the uninstallation and you must close all open applications. DO NOT click the close button on that window.
Hit the X in the corner of the Control Panel and wait for the computer to restart.

  • Please download OTViewIt by OldTimer to your desktop.
  • Double click on the OTViewIt.exe icon on your desktop. If you are using Windows Vista, right click the icon and select Run as Administrator.
  • Check the Scan All Users checkbox and leave Use Whitelist checked. Set the File Age to 30 days.
  • Click on the Run Scan button. Two reports that are located in the same location as OTViewIt will open.
OTViewIt.txt <-- Will be opened
Extra.txt <-- Will be minimized
Copy and paste the logs into your next reply.

Zalen (New Member), posted 11-24-2008 5:43 (GMT +1):
The computer won't let me access the website to download OTViewIt.
(EDIT: Is there any way to get around the command prompt that comes up when I try to install the programs included in the FIX file?)

Post Edited (Zalen) : 24-11-2008 04:46:50 GMT


Touch (Forum Moderator), posted 11-24-2008 5:46 (GMT +1):
Ok. See if you can do this ->

Download Malwarebytes

Save the file as setup.exe

Run the setup.exe file.
When it gets to the final step of the installation it will seem like it froze... it hasn't, but it will take anywhere from 15 minutes to an hour to get through that step, so just let it do its thing.
Go into the Malwarebytes folder in Program Files.
Rename the mbam.exe (or similarly named) file to mab.exe and run it.
Do a full computer scan.
Check all and remove/fix/delete them.

Restart your computer and post the log.

Zalen (New Member), posted 11-24-2008 6:31 (GMT +1):
It won't let me run the program. I'll try to find other download sources; maybe that will help.

Touch (Forum Moderator), posted 11-24-2008 6:39 (GMT +1):
Can you download it?

Zalen (New Member), posted 11-24-2008 6:45 (GMT +1):
I'm not having any luck... Maybe it's not compatible with Windows XP?

Zalen (New Member), posted 11-24-2008 6:56 (GMT +1):
Don't ask me how I did it but... Here's the HijackThis logfile:
Logfile of HijackThis v1.99.1
Scan saved at 9:54:05 PM, on 11/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner.YOUR-CCD0E6383E\Desktop\CHAOTIC MIND\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: mxlivemedia - {aa5b2c2c-9ae7-d73c-402a-fcf23b5bf23c} - C:\WINDOWS\system32\nsi41.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Pro Antispyware 2009] "C:\Documents and Settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\proas2009.exe" /autorun
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Wireless Network Monitor.lnk = C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: c00BF824 - C:\WINDOWS\SYSTEM32\c00BF824.mat
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: sys32 - sys32.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE


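A small triage helper for logs in the format posted above, added here as an example and not part of the thread or of the HijackThis tool itself: it parses the O-lines, pulls out the module path, and flags the entries a helper would look at first (autostarts from user-writable locations, orphaned entries, Winlogon Notify modules that are not DLLs, services with no vendor). The sample log and the heuristics are constructed for illustration; a flag is a prompt to check the file, not a verdict on it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in HijackThis v1.99 log format. The entries are modelled on
# the kinds of lines posted in this thread (a vendor BHO, Run keys, Winlogon
# Notify modules, an orphaned button, a service with no owner); it is not a
# full log and no verdict on any real file is implied.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Example Scanner 2009] "C:\Documents and Settings\All Users\Application Data\Example\scanner.exe" /autorun
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: c00BF824 - C:\WINDOWS\SYSTEM32\c00BF824.mat
O20 - Winlogon Notify: sys32 - sys32.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
"""

# "O4 - HKLM\..\Run: [name] path" -> section "O4", rest "HKLM\..\Run: [name] path"
LINE_RE = re.compile(r"^([RO]\d+)\s+-\s+(.*)$")
# First drive-letter path in the line, ending at a 2-4 character extension that is
# followed by a quote, whitespace or end of line (so "Acrobat 7.0\..." is not cut short).
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.[A-Za-z0-9]{2,4}(?=[\"\s]|$)")

# Locations an ordinary user can write to; an autostart pointing here deserves a look.
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\", "\\temp\\", "\\users\\")
AUTOSTART_SECTIONS = {"O2", "O3", "O4", "O20", "O21", "O23"}


@dataclass
class Entry:
    section: str            # HijackThis section code, e.g. "O20"
    raw: str                # the original log line
    path: Optional[str]     # extracted module path, if one could be found


def parse_hjt(text: str) -> List[Entry]:
    """Turn HijackThis log lines into Entry records; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, rest = m.group(1), m.group(2)
        pm = PATH_RE.search(rest)
        entries.append(Entry(section, line, pm.group(0) if pm else None))
    return entries


def flags_for(entry: Entry) -> List[str]:
    """Return review prompts for one entry. Each is a reason to look closer, not a verdict."""
    reasons = []
    low = entry.raw.lower()
    path = (entry.path or "").lower()
    if "(file missing)" in low or "(no file)" in low:
        reasons.append("orphaned entry: the referenced file is missing")
    if entry.section in AUTOSTART_SECTIONS and any(s in path for s in USER_WRITABLE):
        reasons.append("autostart from a user-writable location")
    if entry.section == "O20" and entry.path and not path.endswith(".dll"):
        reasons.append("Winlogon Notify module without a .dll extension")
    if entry.section == "O23" and "unknown owner" in low:
        reasons.append("service without vendor information")
    return reasons


def triage(text: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every entry that raised at least one flag."""
    flagged = []
    for entry in parse_hjt(text):
        reasons = flags_for(entry)
        if reasons:
            flagged.append((entry.raw, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```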

Touch (Forum Moderator), posted 11-24-2008 7:41 (GMT +1):
Great

"Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and will typically cause your computer to crash, and will provide less protection.
Not more."
Remove/uninstall from "Programs and Features" in the Control Panel:

one of your antivirus programs

Reboot.

Please download Combofix:

And save it to the desktop. <<<---- Save the file as warrior.exe

Close all other browser windows.

Important -> Temporarily disable your anti-virus real-time protection before performing a scan. It can interfere with Combofix or remove some of its embedded files, which may cause "unpredictable results".

Double-click on the Combofix icon found on your desktop.

Please note that once you start Combofix you should not click anywhere on the Combofix window, as it can cause the program to stall. In fact, when Combofix is running, do not touch your computer at all and just take a break, as it may take a while for it to complete.

When finished, it will produce a logfile located at C:\combofix.txt.

Post the contents of that log in your next reply with a new HijackThis log.

Zalen (New Member), posted 11-25-2008 4:51 (GMT +1):
Sorry for the long response time; I've been trying to find more sources for the Combofix download, as the link you gave me isn't working for some reason.

Zalen (New Member), posted 11-25-2008 5:13 (GMT +1):
Alright, I finally managed to find a working download source... so here's the Combofix logfile:
 
"Owner" - 11/24/2008 20:08:05    Service Pack 3 
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Owner.YOUR-CCD0E6383E\Desktop\"

(((((((((((((((((((((((((((((((   Files Created from 2008-10-25 to 2008-11-25  ))))))))))))))))))))))))))))))))))

2008-11-24 20:04 49,152 --a------ C:\WINDOWS\nircmd.exe
2008-11-23 12:28 <DIR> d-------- C:\Program Files\CCleaner
2008-11-22 16:11 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-21 20:28 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-11-21 19:45 <DIR> d-------- C:\Program Files\AVG
2008-11-21 19:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\avg8
2008-11-21 19:06 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-11-11 16:45 <DIR> d-------- C:\Program Files\Insaniquarium Deluxe
2008-11-09 02:25 <DIR> d-------- C:\Program Files\uTorrent
2008-11-08 23:40 53,973 --a------ C:\WINDOWS\system32\cont_mxlivemedia-remove.exe
2008-11-08 20:21 <DIR> d-------- C:\New Folder
2008-11-08 17:58 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-11-08 11:43 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\IUpd721
2008-11-08 11:31 150,528 --a------ C:\qjpirgg.exe
2008-11-08 11:31 <DIR> d-------- C:\WINDOWS\system32\MX5
2008-11-08 11:31 <DIR> d-------- C:\WINDOWS\system32\drt
2008-11-08 11:31 <DIR> d-------- C:\Temp\1cb
2008-11-08 11:30 34,816 --a------ C:\WINDOWS\system32\prun.exe
2008-11-08 11:30 <DIR> d-------- C:\WINDOWS\system32\zb
2008-11-08 11:30 <DIR> d-------- C:\WINDOWS\system32\u2
2008-11-08 11:30 <DIR> d-------- C:\WINDOWS\system32\sX3i19
2008-11-08 11:30 <DIR> d-------- C:\WINDOWS\system32\svm
2008-11-08 11:30 <DIR> d-------- C:\Temp\PRE45
2008-11-08 11:30 <DIR> d-------- C:\Temp
2008-11-08 11:30 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\NI.GSCNS
2008-11-08 06:41 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\uTorrent
2008-11-05 11:24 8,704 --a------ C:\WINDOWS\system32\infoctrs.dll
2008-11-05 11:24 7,168 --a------ C:\WINDOWS\system32\wamregps.dll
2008-11-05 11:24 7,168 --a------ C:\WINDOWS\system32\snprfdll.dll
2008-11-05 11:24 6,144 --a------ C:\WINDOWS\system32\ftpsapi2.dll
2008-11-05 11:24 6,144 --a------ C:\WINDOWS\system32\admxprox.dll
2008-11-05 11:24 56,320 --a------ C:\WINDOWS\system32\convlog.exe
2008-11-05 11:24 5,632 --a------ C:\WINDOWS\system32\w3svapi.dll
2008-11-05 11:24 5,632 --a------ C:\WINDOWS\system32\iisrstap.dll
2008-11-05 11:24 5,632 --a------ C:\WINDOWS\system32\adsiisex.dll
2008-11-05 11:24 43,520 --a------ C:\WINDOWS\system32\fcachdll.dll
2008-11-05 11:24 4,608 --a------ C:\WINDOWS\system32\w3ctrs.dll
2008-11-05 11:24 3,584 --a------ C:\WINDOWS\system32\iismui.dll
2008-11-05 11:24 23,040 --a------ C:\WINDOWS\system32\regtrace.exe
2008-11-05 11:24 19,968 --a------ C:\WINDOWS\system32\inetsloc.dll
2008-11-05 11:24 14,336 --a------ C:\WINDOWS\system32\iisreset.exe
2008-11-05 11:24 12,288 --a------ C:\WINDOWS\system32\smtpctrs.dll
2008-11-05 11:24 10,240 --a------ C:\WINDOWS\system32\aspperf.dll
2008-11-05 11:24 <DIR> d-------- C:\WINDOWS\system32\Cache
2008-11-05 11:24 <DIR> d-------- C:\WINDOWS\IIS Temporary Compressed Files
2008-11-05 11:23 <DIR> d-------- C:\Inetpub
2008-11-04 07:34 555,008 --a------ C:\WINDOWS\system32\nsi41.dll
2008-10-23 20:25 21,419 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-10-23 20:25 <DIR> d-------- C:\Program Files\Linksys
2008-10-23 16:18 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-10-23 16:17 <DIR> d-------- C:\62936cc5ac266991e0d02d
2008-10-23 16:16 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-10-21 20:01 5,767,168 --a------ C:\Documents and Settings\OWNER~1.YOU\ntuser.dat
2008-10-21 20:01 5,767,168 --a------ C:\DOCUME~1\OWNER~1.YOU\ntuser.dat
2008-10-21 14:13 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-10-17 16:54 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\BitDownload
2008-10-17 16:53 <DIR> d-------- C:\Program Files\BitDownload

((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))
2008-11-25 00:51:38 -------- d-----w C:\Program Files\BigFix
2008-11-24 00:59:52 -------- d-----w C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\LimeWire
2008-11-13 05:58:49 53 ----a-w C:\WINDOWS\popcinfo.dat
2008-11-12 00:44:57 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-11-12 00:43:24 -------- d-----w C:\Program Files\PopCap Games
2008-11-09 04:19:51 -------- d-----w C:\Program Files\LimeWire
2008-10-24 11:21:09 455,296 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-10-17 00:51:52 -------- d-----w C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\Canon
2008-10-16 22:13:40 202,776 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-10-16 22:13:40 1,809,944 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-10-16 22:12:22 323,608 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-10-16 22:12:20 561,688 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-10-16 22:09:44 92,696 ----a-w C:\WINDOWS\system32\cdm.dll
2008-10-16 22:09:44 51,224 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-10-16 22:09:44 43,544 ----a-w C:\WINDOWS\system32\wups2.dll
2008-10-16 22:08:58 34,328 ----a-w C:\WINDOWS\system32\wups.dll
2008-10-14 03:10:34 -------- d-----w C:\Program Files\McAfee.com
2008-10-12 01:00:12 -------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-01 00:43:34 1,286,152 ----a-w C:\WINDOWS\system32\msxml4.dll
2008-09-28 04:35:58 -------- d-----w C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\U3
2008-09-23 04:13:01 4,394 ----a-w C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\wklnhst.dat
2008-09-15 12:12:56 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-10 01:14:56 1,307,648 ------w C:\WINDOWS\system32\msxml6.dll
2008-09-04 17:15:04 1,106,944 ----a-w C:\WINDOWS\system32\msxml3.dll
2008-08-28 07:46:02 74,752 ----a-w C:\WINDOWS\system32\msw3prt.dll
2008-08-28 07:46:02 104,960 ----a-w C:\WINDOWS\system32\win32spl.dll

((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [06/10/2008 03:27 AM]
{aa5b2c2c-9ae7-d73c-402a-fcf23b5bf23c}=C:\WINDOWS\system32\nsi41.dll [11/04/2008 07:34 AM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" []
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [11/02/2004 08:24 PM]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [08/27/2005 05:09 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/23/2005 09:19 AM]
"nwiz"="nwiz.exe" [09/18/2005 08:32 AM C:\WINDOWS\system32\nwiz.exe]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [01/11/2006 11:05 AM]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [09/22/2005 05:29 PM]
"@"="" []
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 03:27 AM]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [09/10/2008 04:16 PM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [04/13/2008 04:12 PM]
"Pro Antispyware 2009"="C:\Documents and Settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\proas2009.exe" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"Lsass Service"=C:\Documents and Settings\Owner.YOUR-CCD0E6383E\Application Data\Microsoft\Windows\lsass.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c00BF824]
c00BF824.mat
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
%SystemRoot%\System32\dimsntfy.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sys32]
sys32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
napagent

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51808b16-1f07-11dd-8bdb-0015581e370a}]
AutoRun\command- K:\LaunchU3.exe -a
 
Contents of the 'Scheduled Tasks' folder
2008-11-22 03:25:00  C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2008-01-18 19:50:32  C:\WINDOWS\tasks\System Diagnostic.job
********************************************************************
catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-24 20:09:27
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  Lsass Service = C:\Documents and Settings\Owner.YOUR-CCD0E6383E\Application Data\Microsoft\Windows\lsass.exe???????????????????????????????????
scanning hidden files ...
disk error: C:\WINDOWS\
please note that you need administrator rights to perform deep scan
********************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSmqlt.sys"
Completion time: 11/24/2008 20:10:21
C:\ComboFix-quarantined-files.txt ... 11/24/2008 08:09 PM
C:\ComboFix2.txt ... 11/24/2008 08:04 PM
 --- E O F ---
 
 
And here's the Hijackthis logfile:
 
Logfile of HijackThis v1.99.1
Scan saved at 8:13:07 PM, on 11/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner.YOUR-CCD0E6383E\Desktop\CHAOTIC MIND\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: mxlivemedia - {aa5b2c2c-9ae7-d73c-402a-fcf23b5bf23c} - C:\WINDOWS\system32\nsi41.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Pro Antispyware 2009] "C:\Documents and Settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\proas2009.exe" /autorun
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Wireless Network Monitor.lnk = C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O20 - Winlogon Notify: c00BF824 - C:\WINDOWS\SYSTEM32\c00BF824.mat
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: sys32 - sys32.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE

 
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14325
 
   Posted 11-25-2008 8:39 (GMT +1)
1. Close any open browsers.

2. Open Notepad and copy/paste the text in the quote box below into it: copy the entire contents of the Quote Box below to Notepad, name the file CFScript, and save it on the desktop.
QUOTE
Killall::
 
Snapshot::
 
File::
C:\qjpirgg.exe
C:\WINDOWS\system32\prun.exe
C:\WINDOWS\system32\nsi41.dll
C:\Documents and Settings\Owner.YOUR-CCD0E6383E\Application Data\Microsoft\Windows\lsass.exe
C:\WINDOWS\SYSTEM32\c00BF824.mat
Folder::
C:\WINDOWS\system32\MX5
C:\WINDOWS\system32\drt
C:\Temp\1cb
C:\WINDOWS\system32\zb
C:\WINDOWS\system32\u2
C:\WINDOWS\system32\sX3i19
C:\WINDOWS\system32\svm
C:\Temp\PRE45
C:\Documents and Settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009


 
 
Once saved, referring to the picture above, drag CFScript.txt onto ComboFix.exe, and post back the resulting report.
If you can run Malwarebytes now, please do, and post that log as well.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.

 

Zalen
New Member


Date Joined Nov 2008
Total Posts : 23
 
   Posted 11-25-2008 11:08 (GMT +1)
Still no luck with Malwarebytes...but here's the ComboFix log:
 
"Owner" - 2008-11-25 14:01:45    Service Pack 3 
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Owner.YOUR-CCD0E6383E\"
Command switches used :: ""C:\Documents and Settings\Owner.YOUR-CCD0E6383E\Desktop\CFScript.txt""

(((((((((((((((((((((((((((((((   Files Created from 2008-10-25 to 2008-11-25  ))))))))))))))))))))))))))))))))))

2008-11-24 20:04 49,152 --a------ C:\WINDOWS\nircmd.exe
2008-11-23 12:28 <DIR> d-------- C:\Program Files\CCleaner
2008-11-22 16:11 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-21 20:28 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-11-21 19:45 <DIR> d-------- C:\Program Files\AVG
2008-11-21 19:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\avg8
2008-11-21 19:06 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-11-11 16:45 <DIR> d-------- C:\Program Files\Insaniquarium Deluxe
2008-11-09 02:25 <DIR> d-------- C:\Program Files\uTorrent
2008-11-08 23:40 53,973 --a------ C:\WINDOWS\system32\cont_mxlivemedia-remove.exe
2008-11-08 20:21 <DIR> d-------- C:\New Folder
2008-11-08 17:58 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-11-08 11:43 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\IUpd721
2008-11-08 11:31 150,528 --a------ C:\qjpirgg.exe
2008-11-08 11:31 <DIR> d-------- C:\WINDOWS\system32\MX5
2008-11-08 11:31 <DIR> d-------- C:\WINDOWS\system32\drt
2008-11-08 11:31 <DIR> d-------- C:\Temp\1cb
2008-11-08 11:30 34,816 --a------ C:\WINDOWS\system32\prun.exe
2008-11-08 11:30 <DIR> d-------- C:\WINDOWS\system32\zb
2008-11-08 11:30 <DIR> d-------- C:\WINDOWS\system32\u2
2008-11-08 11:30 <DIR> d-------- C:\WINDOWS\system32\sX3i19
2008-11-08 11:30 <DIR> d-------- C:\WINDOWS\system32\svm
2008-11-08 11:30 <DIR> d-------- C:\Temp\PRE45
2008-11-08 11:30 <DIR> d-------- C:\Temp
2008-11-08 11:30 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\NI.GSCNS
2008-11-08 06:41 <DIR> d-------- C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\uTorrent
2008-11-05 11:24 8,704 --a------ C:\WINDOWS\system32\infoctrs.dll
2008-11-05 11:24 7,168 --a------ C:\WINDOWS\system32\wamregps.dll
2008-11-05 11:24 7,168 --a------ C:\WINDOWS\system32\snprfdll.dll
2008-11-05 11:24 6,144 --a------ C:\WINDOWS\system32\ftpsapi2.dll
2008-11-05 11:24 6,144 --a------ C:\WINDOWS\system32\admxprox.dll
2008-11-05 11:24 56,320 --a------ C:\WINDOWS\system32\convlog.exe
2008-11-05 11:24 5,632 --a------ C:\WINDOWS\system32\w3svapi.dll
2008-11-05 11:24 5,632 --a------ C:\WINDOWS\system32\iisrstap.dll
2008-11-05 11:24 5,632 --a------ C:\WINDOWS\system32\adsiisex.dll
2008-11-05 11:24 43,520 --a------ C:\WINDOWS\system32\fcachdll.dll
2008-11-05 11:24 4,608 --a------ C:\WINDOWS\system32\w3ctrs.dll
2008-11-05 11:24 3,584 --a------ C:\WINDOWS\system32\iismui.dll
2008-11-05 11:24 23,040 --a------ C:\WINDOWS\system32\regtrace.exe
2008-11-05 11:24 19,968 --a------ C:\WINDOWS\system32\inetsloc.dll
2008-11-05 11:24 14,336 --a------ C:\WINDOWS\system32\iisreset.exe
2008-11-05 11:24 12,288 --a------ C:\WINDOWS\system32\smtpctrs.dll
2008-11-05 11:24 10,240 --a------ C:\WINDOWS\system32\aspperf.dll
2008-11-05 11:24 <DIR> d-------- C:\WINDOWS\system32\Cache
2008-11-05 11:24 <DIR> d-------- C:\WINDOWS\IIS Temporary Compressed Files
2008-11-05 11:23 <DIR> d-------- C:\Inetpub
2008-11-04 07:34 555,008 --a------ C:\WINDOWS\system32\nsi41.dll

((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))
2008-11-25 00:51:38 -------- d-----w