I'm having quite a bit of difficulty with my system. I'm getting fake alert messages saying my AV has been turned off by Microsoft Windows Firewall. Also, when I open the My Computer icon it hangs for a few minutes before loading. In addition to this, my USB ports do not work and Device Manager is empty. Yesterday I had no internet access in regular Windows and the system performance was topping at 100%, but everything seemed fine in Safe Mode. So I'm assuming that it's due to a malicious process. Right now I have AVG AV, AVG Anti-Spyware, Spyware Terminator, and Spybot Search & Destroy. I also found this really neat program called autprocesses that tells me which files and registry keys are running. I made a custom log from that and found some odd entries such as catchme.sys and a few others. Oh, and when I shut down I get a BSOD in kbd.class.
Any help would be appreciated. I've posted on another site because you've helped me in the past and I didn't want to be a pest and post yet again so recently.

Please download SmitFraudFix from this link http://siri.urz.free.fr/Fix/Smitfra... Then extract the contents to your desktop.
!!!! Only run option #1, as running the other options on an uninfected computer will damage the desktop !!!!
Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Please download and install the latest version of HijackThis v2.0.2:
Download the HijackThis Installer from this link: HijackThis
1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Thanks for such a quick response! Here are the two log files you've requested
Smit Fraud log

»»»»»»»»»»»»»»»»»»»»»»»» Process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Berrelli
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Berrelli\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Berrelli\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End

Hijack This Log
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\PROGRA~1\SPYWAR~3\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\SPYWAR~3\SpywareTerminatorShield.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\WINDOWS\system32\WgaTray.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~3\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" -quiet
O4 - HKCU\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-299502267-1383384898-854245398-1003\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl (User '?')
O4 - HKUS\S-1-5-21-299502267-1383384898-854245398-1003\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" (User '?')
O4 - HKUS\S-1-5-21-299502267-1383384898-854245398-1003\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: D-Link AirPlus.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/englis...
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framewor...
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/h...
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yah...
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRA~1\SPYWAR~3\sp_rsser.exe

--
End of file - 6386 bytes
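The helper asks for a HijackThis log but says not to fix anything yet, because most entries are legitimate and each one has to be triaged by hand. As an added example, not code from this thread or from HijackThis itself, the Python below parses the log shape shown above (the `Running processes:` list followed by `Rn`/`On` entry lines) and flags the entry kinds that deserve a second look: O4 autostarts with no drive-qualified path or living under a temp directory, and O16 ActiveX downloads from hosts outside an allowlist. The sample log is constructed from a few of the posted lines plus two clearly labelled placeholder entries; the allowlist (built from the domains in the posted O16 lines) and the rules are assumptions for the example, not HijackThis logic.

```python
import re
from collections import namedtuple

# Constructed sample in the shape of the HijackThis 2.0.2 log posted above:
# a few of the posted lines plus two placeholder entries (EXAMPLE and
# example.invalid) that exist only to exercise the rules below.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\AIM\aim.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [EXAMPLE] C:\Documents and Settings\Berrelli\Local Settings\Temp\EXAMPLE.exe
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Control) - http://example.invalid/dl/example.cab
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRA~1\SPYWAR~3\sp_rsser.exe
"""

Entry = namedtuple("Entry", "code body path")

# Section code at the start of an entry line: R0, R1, O2, O4, O16, O23, ...
ENTRY_RE = re.compile(r"^(?P<code>[RFOQN]\d{1,2}) - (?P<body>.+)$")
# First drive-qualified executable/library path in the body, quoted or not.
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|cpl|scr|ocx))"?',
                     re.IGNORECASE)
URL_RE = re.compile(r"-\s+(https?://\S+)\s*$")

# Assumed allowlist: the hosts that appear in the posted O16 lines.
TRUSTED_DPF_HOSTS = {"yahoo.com", "kaspersky.com", "microsoft.com",
                     "trendsecure.com", "trendmicro.com", "facebook.com", "yimg.com"}
TEMP_MARKERS = ("\\local settings\\temp\\", "\\temp\\", "\\recycler\\")


def parse_hjt(text):
    """Return (running_processes, entries) from HijackThis log text."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        # The process list ends at the first blank line or entry line (the
        # posted log has the two run together, so both are checked).
        if in_procs and line and not ENTRY_RE.match(line):
            processes.append(line)
            continue
        in_procs = False
        m = ENTRY_RE.match(line)
        if m:
            pm = PATH_RE.search(m.group("body"))
            entries.append(Entry(m.group("code"), m.group("body"),
                                 pm.group("path") if pm else None))
    return processes, entries


def host_of(url):
    m = re.match(r"https?://([^/]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def is_trusted_host(host):
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def triage(entries):
    """Return [(reason, entry)] for entries worth a second look (not verdicts)."""
    findings = []
    for e in entries:
        if e.code == "O4":
            if e.path is None:
                # No drive-qualified path: Windows resolves the name through the
                # search order, so confirm where the binary actually lives.
                findings.append(("O4 relative path, locate binary", e))
            elif any(t in e.path.lower() for t in TEMP_MARKERS):
                findings.append(("O4 autostart from a temp directory", e))
        elif e.code == "O16":
            um = URL_RE.search(e.body)
            host = host_of(um.group(1)) if um else ""
            if not is_trusted_host(host):
                findings.append(("O16 ActiveX from unlisted host " + host, e))
    return findings


def triage_log(text):
    """Convenience wrapper: just the reasons, in log order."""
    return [reason for reason, _ in triage(parse_hjt(text)[1])]


if __name__ == "__main__":
    for reason, e in triage(parse_hjt(SAMPLE_LOG)[1]):
        print(reason, "->", e.body)
```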

Temporarily disable any of the following anti-spyware realtime protection programs that you may have (see: Disable Realtime Protection) or the fixes will not work. Be sure to turn your anti-spyware programs back on once the computer is clean.
Please download ComboFix to the desktop from this link:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.

Here is my Combo Fix log
((((((((((((((((((((((((( Files Created from 2007-10-10 to 2007-11-10 )))))))))))))))))))))))))))))))
.
2007-11-10 04:12 <DIR> d-------- C:\Program Files\Cheat Engine
2007-11-02 13:30 1,270 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-02 13:29 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-02 13:29 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-02 13:29 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-02 13:29 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-02 13:29 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-02 00:43 <DIR> d-------- C:\Program Files\IE7Pro
2007-11-02 00:43 <DIR> d-------- C:\Documents and Settings\Berrelli\Application Data\IE7Pro
2007-11-02 00:01 <DIR> d-------- C:\Program Files\WMV9_VCM
2007-10-26 21:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-10-26 12:59 0 --a------ C:\$RJ$.DAT
2007-10-24 17:05 <DIR> d-------- C:\Documents and Settings\Berrelli\Application Data\Wal-Mart Digital Photo Manager
2007-10-24 17:02 <DIR> d-------- C:\Documents and Settings\Berrelli\Application Data\Wal-Mart Digital Photo Viewer
2007-10-24 01:50 <DIR> d-------- C:\Documents and Settings\Berrelli\Application Data\Grisoft
2007-10-24 01:50 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-23 23:44 138,624 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-10-22 09:29 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-22 09:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-22 01:44 164 --a------ C:\install.dat
2007-10-22 00:52 <DIR> d-------- C:\Program Files\Trojan Remover
2007-10-22 00:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-10-22 00:52 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-10-22 00:52 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2007-10-22 00:52 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-10-22 00:52 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2007-10-21 23:13 <DIR> d-------- C:\Program Files\Spyware Terminator
2007-10-21 23:13 <DIR> d-------- C:\Documents and Settings\Berrelli\Application Data\Spyware Terminator
2007-10-21 23:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2007-10-17 21:39 <DIR> d-------- C:\Program Files\Steinberg
2007-10-17 03:22 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-17 03:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-17 03:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-17 02:47 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-16 01:08 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2007-10-15 21:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-10-15 21:03 <DIR> d-------- C:\Program Files\NCH Swift Sound
2007-10-15 21:03 <DIR> d-------- C:\Documents and Settings\Berrelli\Application Data\NCH Swift Sound
2007-10-15 11:48 <DIR> d-------- C:\_ok2delete
2007-10-14 20:26 <DIR> d-------- C:\Documents and Settings\Berrelli\Application Data\TrojanHunter
2007-10-14 19:01 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-10-14 14:48 <DIR> d-------- C:\Documents and Settings\Berrelli\Application Data\CheckPoint
2007-10-14 14:47 <DIR> d-------- C:\Program Files\CheckPoint
2007-10-11 02:00 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-10-10 22:46 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll
2007-10-10 22:29 <DIR> d-------- C:\Program Files\TotalAudioConverter
2007-10-10 22:29 <DIR> d-------- C:\Documents and Settings\Berrelli\Application Data\Softplicity
2007-10-10 01:46 <DIR> d-------- C:\Program Files\DSTools
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-10 13:00 --------- d-----w C:\Documents and Settings\Berrelli\Application Data\AVG7
2007-10-26 18:00 0 ----a-w C:\$RJ$.DAT
2007-10-24 06:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-22 14:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-22 05:55 --------- d-----w C:\Program Files\Trend Micro
2007-10-22 05:53 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-22 05:33 --------- d-----w C:\Program Files\D'Accord Music Software
2007-10-22 05:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-22 05:27 --------- d-----w C:\Program Files\Yahoo!
2007-10-22 05:21 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-18 01:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-10-18 00:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-16 05:58 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-16 05:37 --------- d-----w C:\Program Files\Java
2007-10-16 05:12 --------- d-----w C:\Program Files\AIM
2007-10-16 05:11 --------- d-----w C:\Program Files\iTunes
2007-10-16 05:11 --------- d-----w C:\Program Files\D-Link AirPlus
2007-10-16 05:11 --------- d-----w C:\Program Files\Cool Mp3 Converter
2007-10-11 03:49 --------- d-----w C:\Program Files\Replay Media Catcher
2007-10-09 18:24 --------- d-----w C:\Documents and Settings\Berrelli\Application Data\ActiveState
2007-10-09 18:21 --------- d-----w C:\Program Files\ActiveState Komodo IDE 4.2
2007-10-08 16:51 --------- d-----w C:\Program Files\LimeWire
2007-10-02 00:22 --------- d-----w C:\Program Files\Netflix
2007-09-18 03:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-09-18 02:58 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2005-04-28 21:36 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2004-10-03 02:58 667 ----a-w C:\Documents and Settings\Berrelli\Application Data\waver_2.81.dat
2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.
((((((((((((((((((((((((((((( snapshot@2007-11-02_15.01.05.55 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-29 22:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-29 23:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2004-07-15 06:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1548\_aspnet_isapi.dll
+ 2004-07-15 05:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1548\_CORPerfMonExt.dll
+ 2004-07-15 05:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1548\_fusion.dll
+ 2004-07-15 05:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1548\_mscorjit.dll
+ 2004-07-15 19:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1548\_mscorlib.dll
+ 2003-02-21 00:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1548\_mscorsn.dll
+ 2004-07-15 05:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1548\_mscorsvr.dll
+ 2004-07-15 05:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1548\_mscorwks.dll
+ 2003-02-21 09:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1548\_msvcr71.dll
+ 2004-07-15 05:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1548\_PerfCounter.dll
+ 2004-07-15 06:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2332\_aspnet_isapi.dll
+ 2004-07-15 05:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2332\_CORPerfMonExt.dll
+ 2004-07-15 05:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2332\_fusion.dll
+ 2004-07-15 05:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2332\_mscorjit.dll
+ 2004-07-15 19:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2332\_mscorlib.dll
+ 2003-02-21 00:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2332\_mscorsn.dll
+ 2004-07-15 05:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2332\_mscorsvr.dll
+ 2004-07-15 05:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2332\_mscorwks.dll
+ 2003-02-21 09:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2332\_msvcr71.dll
+ 2004-07-15 05:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2332\_PerfCounter.dll
+ 2004-07-15 06:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2584\_aspnet_isapi.dll
+ 2004-07-15 05:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2584\_CORPerfMonExt.dll
+ 2004-07-15 05:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2584\_fusion.dll
+ 2004-07-15 05:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2584\_mscorjit.dll
+ 2004-07-15 19:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2584\_mscorlib.dll
+ 2003-02-21 00:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2584\_mscorsn.dll
+ 2004-07-15 05:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2584\_mscorsvr.dll
+ 2004-07-15 05:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2584\_mscorwks.dll
+ 2003-02-21 09:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2584\_msvcr71.dll
+ 2004-07-15 05:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2584\_PerfCounter.dll
+ 2004-07-15 06:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3192\_aspnet_isapi.dll
+ 2004-07-15 05:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3192\_CORPerfMonExt.dll
+ 2004-07-15 05:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3192\_fusion.dll
+ 2004-07-15 05:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3192\_mscorjit.dll
+ 2004-07-15 19:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3192\_mscorlib.dll
+ 2003-02-21 00:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3192\_mscorsn.dll
+ 2004-07-15 05:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3192\_mscorsvr.dll
+ 2004-07-15 05:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3192\_mscorwks.dll
+ 2003-02-21 09:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3192\_msvcr71.dll
+ 2004-07-15 05:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3192\_PerfCounter.dll
+ 2004-07-15 06:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3288\_aspnet_isapi.dll
+ 2004-07-15 05:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3288\_CORPerfMonExt.dll
+ 2004-07-15 05:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3288\_fusion.dll
+ 2004-07-15 05:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3288\_mscorjit.dll
+ 2004-07-15 19:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3288\_mscorlib.dll
+ 2003-02-21 00:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3288\_mscorsn.dll
+ 2004-07-15 05:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3288\_mscorsvr.dll
+ 2004-07-15 05:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3288\_mscorwks.dll
+ 2003-02-21 09:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3288\_msvcr71.dll
+ 2004-07-15 05:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3288\_PerfCounter.dll
+ 2004-07-15 06:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3672\_aspnet_isapi.dll
+ 2004-07-15 05:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3672\_CORPerfMonExt.dll
+ 2004-07-15 05:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3672\_fusion.dll
+ 2004-07-15 05:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3672\_mscorjit.dll
+ 2004-07-15 19:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3672\_mscorlib.dll
+ 2003-02-21 00:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3672\_mscorsn.dll
+ 2004-07-15 05:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3672\_mscorsvr.dll
+ 2004-07-15 05:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3672\_mscorwks.dll
+ 2003-02-21 09:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3672\_msvcr71.dll
+ 2004-07-15 05:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3672\_PerfCounter.dll
+ 2004-07-15 06:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4060\_aspnet_isapi.dll
+ 2004-07-15 05:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4060\_CORPerfMonExt.dll
+ 2004-07-15 05:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4060\_fusion.dll
+ 2004-07-15 05:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4060\_mscorjit.dll
+ 2004-07-15 19:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4060\_mscorlib.dll
+ 2003-02-21 00:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4060\_mscorsn.dll
+ 2004-07-15 05:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4060\_mscorsvr.dll
+ 2004-07-15 05:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4060\_mscorwks.dll
+ 2003-02-21 09:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4060\_msvcr71.dll
+ 2004-07-15 05:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW4060\_PerfCounter.dll
- 2007-06-17 04:11:58 51,200 ----a-w C:\WINDOWS\nircmd.exe
+ 2007-06-17 05:11:58 51,200 ----a-w C:\WINDOWS\nircmd.exe
- 2007-10-17 07:48:48 60,210 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-07 02:55:41 60,210 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-10-17 07:48:48 398,180 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-07 02:55:41 398,180 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-07-22 22:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-07-22 23:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-25 08:50]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2003-03-20 19:13 C:\WINDOWS\system32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~3\SpywareTerminatorShield.exe" [2007-10-21 23:15]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-06-02 00:34]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 16:43]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 02:56 C:\WINDOWS\system32\rundll32.exe]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 15:46]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-10 15:58:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Sophos Message Router]
"ImagePath"="\"C:\Program Files\Sophos\SCC\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
.
Completion time: 2007-11-10 15:58:59
C:\ComboFix-quarantined-files.txt ... 2007-08-15 14:04
C:\ComboFix2.txt ... 2007-11-02 14:02
C:\ComboFix3.txt ... 2007-10-15 02:41
.
--- E O F ---
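In the snapshot section of the ComboFix log above, a `-` line is the file as recorded in the 2007-11-02 snapshot and the matching `+` line is the same file as it is now. As an added example, not part of the thread or of ComboFix, this Python pairs those lines per path and separates entries that are new, removed, or changed in size from entries whose timestamp merely moved by exactly one hour with the size unchanged, which is consistent with the US DST change of 2007-11-04 falling between the snapshot and the 2007-11-10 scan rather than with the file being rewritten. The sample lines are copied from the posted log; the classification labels are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample lines copied from the snapshot section of the posted ComboFix log.
SNAPSHOT = r"""
- 2007-10-29 22:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-29 23:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2004-07-15 06:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW1548\_aspnet_isapi.dll
- 2007-06-17 04:11:58 51,200 ----a-w C:\WINDOWS\nircmd.exe
+ 2007-06-17 05:11:58 51,200 ----a-w C:\WINDOWS\nircmd.exe
- 2007-10-17 07:48:48 60,210 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-07 02:55:41 60,210 ----a-w C:\WINDOWS\system32\perfc009.dat
"""

# sign, "YYYY-MM-DD HH:MM:SS", size with thousands separators, attribute flags, path
LINE_RE = re.compile(
    r"^(?P<sign>[+-]) (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<size>[\d,]+) (?P<attrs>\S+) (?P<path>.+)$")

TZ_SHIFT = "timestamp shifted exactly 1h, same size: time-zone/DST display artefact"


def parse_snapshot(text):
    """Map path -> {'-': (timestamp, size), '+': (timestamp, size)}."""
    by_path = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        size = int(m.group("size").replace(",", ""))
        by_path[m.group("path")][m.group("sign")] = (ts, size)
    return by_path


def classify(by_path):
    """Label each path by what the -/+ pair actually says changed."""
    labels = {}
    for path, sides in by_path.items():
        old, new = sides.get("-"), sides.get("+")
        if old and not new:
            labels[path] = "removed since snapshot"
        elif new and not old:
            labels[path] = "new since snapshot"
        else:
            (t0, s0), (t1, s1) = old, new
            delta = t1 - t0
            if s0 != s1:
                labels[path] = "content changed (size %d -> %d)" % (s0, s1)
            elif abs(delta) == timedelta(hours=1):
                # Same size, displayed local time moved by one hour: the file
                # was not touched, the clock offset used to display it was.
                labels[path] = TZ_SHIFT
            else:
                labels[path] = "rewritten, same size, timestamp moved by %s" % delta
    return labels


def real_changes(text):
    """Paths whose entry is something other than the one-hour display shift."""
    return sorted(p for p, lbl in classify(parse_snapshot(text)).items()
                  if lbl != TZ_SHIFT)


if __name__ == "__main__":
    for path, label in sorted(classify(parse_snapshot(SNAPSHOT)).items()):
        print(label, "<-", path)
```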

Open Notepad and copy/paste everything between the X"s into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\catchme.exe
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto start, click "run".
Post a new HijackThis log and a new ComboFix log please.

Here is the Combofix log file. While it was loading the log report, it kept saying: "cannot open catch log".
Running from: C:\Documents and Settings\Berrelli\Desktop\ComboFix(2).exe
Command switches used :: C:\Documents and Settings\Berrelli\Desktop\CFScript.txt

FILE::
C:\WINDOWS\catchme.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\catchme.exe
.
((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
.
2007-11-10 04:12 <DIR> d-------- C:\Program Files\Cheat Engine
2007-11-02 13:30 1,270 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-02 13:29 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-02 13:29 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-02 13:29 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-02 13:29 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-02 13:29 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-02 00:43 <DIR> d-------- C:\Program Files\IE7Pro
2007-11-02 00:43 <DIR> d-------- C:\Documents and Settings\Berrelli\Application Data\IE7Pro
2007-11-02 00:01 <DIR> d-------- C:\Program Files\WMV9_VCM
2007-10-26 21:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-10-26 12:59 0 --a------ C:\$RJ$.DAT
2007-10-24 17:05 <DIR> d-------- C:\Documents and Settings\Berrelli\Application Data\Wal-Mart Digital Photo Manager
2007-10-24 17:02 <DIR> d-------- C:\Documents and Settings\Berrelli\Application Data\Wal-Mart Digital Photo Viewer
2007-10-24 01:50 <DIR> d-------- C:\Documents and Settings\Berrelli\Application Data\Grisoft
2007-10-24 01:50 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-23 23:44 138,624 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-10-22 09:29 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-22 09:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-22 01:44 164 --a------ C:\install.dat
2007-10-22 00:52 <DIR> d-------- C:\Program Files\Trojan Remover
2007-10-22 00:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-10-22 00:52 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-10-22 00:52 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2007-10-22 00:52 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-10-22 00:52 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2007-10-21 23:13 <DIR> d-------- C:\Program Files\Spyware Terminator
2007-10-21 23:13 <DIR> d-------- C:\Documents and Settings\Berrelli\Application Data\Spyware Terminator
2007-10-21 23:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2007-10-17 21:39 <DIR> d-------- C:\Program Files\Steinberg
2007-10-17 03:22 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-17 03:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-17 03:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-17 02:47 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-16 01:08 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2007-10-15 21:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-10-15 21:03 <DIR> d-------- C:\Program Files\NCH Swift Sound
2007-10-15 21:03 <DIR> d-------- C:\Documents and Settings\Berrelli\Application Data\NCH Swift Sound
2007-10-15 11:48 <DIR> d-------- C:\_ok2delete
2007-10-14 20:26 <DIR> d-------- C:\Documents and Settings\Berrelli\Application Data\TrojanHunter
2007-10-14 19:01 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-10-14 14:48 <DIR> d-------- C:\Documents and Settings\Berrelli\Application Data\CheckPoint
2007-10-14 14:47 <DIR> d-------- C:\Program Files\CheckPoint
2007-10-11 02:00 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-10 13:00 --------- d-----w C:\Documents and Settings\Berrelli\Application Data\AVG7
2007-10-26 18:00 0 ----a-w C:\$RJ$.DAT
2007-10-24 06:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-22 14:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-22 05:55 --------- d-----w C:\Program Files\Trend Micro
2007-10-22 05:53 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-22 05:33 --------- d-----w C:\Program Files\D'Accord Music Software
2007-10-22 05:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-22 05:27 --------- d-----w C:\Program Files\Yahoo!
2007-10-22 05:21 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-18 01:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-10-18 00:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-16 05:58 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-16 05:37 --------- d-----w C:\Program Files\Java
2007-10-16 05:12 --------- d-----w C:\Program Files\AIM
2007-10-16 05:11 --------- d-----w C:\Program Files\iTunes
2007-10-16 05:11 --------- d-----w C:\Program Files\D-Link AirPlus
2007-10-16 05:11 --------- d-----w C:\Program Files\Cool Mp3 Converter
2007-10-13 17:30 --------- d-----w C:\Program Files\DSTools
2007-10-11 08:38 --------- d-----w C:\Program Files\TotalAudioConverter
2007-10-11 03:49 --------- d-----w C:\Program Files\Replay Media Catcher
2007-10-11 03:46 356,352 ----a-w C:\WINDOWS\eSellerateEngine.dll
2007-10-11 03:29 --------- d-----w C:\Documents and Settings\Berrelli\Application Data\Softplicity
2007-10-09 18:24 --------- d-----w C:\Documents and Settings\Berrelli\Application Data\ActiveState
2007-10-09 18:21 --------- d-----w C:\Program Files\ActiveState Komodo IDE 4.2
2007-10-08 16:51 --------- d-----w C:\Program Files\LimeWire
2007-10-02 00:22 --------- d-----w C:\Program Files\Netflix
2007-09-18 03:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-09-18 02:58 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2005-04-28 21:36 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2004-10-03 02:58 667 ----a-w C:\Documents and Settings\Berrelli\Application Data\waver_2.81.dat
2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-25 08:50]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2003-03-20 19:13 C:\WINDOWS\system32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~3\SpywareTerminatorShield.exe" [2007-10-21 23:15]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-06-02 00:34]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 16:43]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 02:56 C:\WINDOWS\system32\rundll32.exe]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 15:46]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"
.
**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Sophos Message Router]
"ImagePath"="\"C:\Program Files\Sophos\SCC\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
.
Completion time: 2007-11-11 2:10:57
C:\ComboFix-quarantined-files.txt ... 2007-08-15 14:04
C:\ComboFix2.txt ... 2007-11-10 15:59
C:\ComboFix3.txt ... 2007-11-02 14:02

Here is the Hijack This Report
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\PROGRA~1\SPYWAR~3\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\SPYWAR~3\SpywareTerminatorShield.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~3\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-299502267-1383384898-854245398-1003\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl (User '?')
O4 - HKUS\S-1-5-21-299502267-1383384898-854245398-1003\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" (User '?')
O4 - HKUS\S-1-5-21-299502267-1383384898-854245398-1003\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: D-Link AirPlus.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/englis...
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framewor...
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/h...
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yah...
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRA~1\SPYWAR~3\sp_rsser.exe

Now I am also including a 3rd log. Catchme has a hidden system file in my temp folder called catchme.sys. Also, for some reason the My Computer hang has stopped as of early this morning. I dunno if this log may be useful, but here goes:
HKLM\System\CurrentControlSet\Services:
catchme File not found: C:\DOCUME~1\Berrelli\LOCALS~1\Temp\catchme.sys
Changer File not found: C:\WINDOWS\System32\Drivers\Changer.sys
GEARAspiWDM File not found: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
i2omgmt File not found: C:\WINDOWS\System32\Drivers\i2omgmt.sys
lbrtfdc File not found: C:\WINDOWS\System32\Drivers\lbrtfdc.sys
LVUSBSta File not found: C:\WINDOWS\System32\Drivers\LVUSBSta.sys
PCIDump File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys
PDCOMP File not found: C:\WINDOWS\System32\Drivers\PDCOMP.sys
PDFRAME File not found: C:\WINDOWS\System32\Drivers\PDFRAME.sys
PDRELI File not found: C:\WINDOWS\System32\Drivers\PDRELI.sys
PDRFRAME File not found: C:\WINDOWS\System32\Drivers\PDRFRAME.sys
pepifilter File not found: C:\WINDOWS\System32\Drivers\pepifilter.sys
PID_08A0 File not found: C:\WINDOWS\System32\Drivers\PID_08A0.sys
WDICA File not found: C:\WINDOWS\System32\Drivers\WDICA.sys
ZSMC301b File not found: C:\WINDOWS\System32\Drivers\ZSMC301b.sys
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components:
0 File not found: About:Home
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved:
Display Panning CPL Extension File not found: deskpan.dll

Catchme.exe is a Gmer tool in Combofix, but catchme.sys is a legit file.
Reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Uninstall Combofix.
Restart the computer to normal mode.

I'm not sure how to remove combofix. In addition, I ran Kaspersky Online Scanner and it picked up a virus that hijack this couldn't find. I think it might be a stealth rootkit.

Just right click on the combofix icon then click delete.
What was the name of the file Kaspersky found?

Kaspersky found these:
Trojan-Downloader.Win32.Small.gmx
Trojan-Downloader.Win32.Agent.dlu
Trojan.Win32.Dialer.qn
Virus.Win32.Virut.av
and AVG picked up these:
Trojan Horse Generic2.V0Gl
Trojan Horse Downloader.Generic3.QLL

We would need the full path, as they may be in quarantine or System Restore and not be harmful to the computer, but they still need to be deleted.
Can you post the entire Kaspersky scan results?

Surely
---------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, November 27, 2007 2:40:52 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/11/2007
Kaspersky Anti-Virus database records: 437716
---------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 84509
Number of viruses found: 4
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 02:15:42
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Berrelli\Application Data\Aim\ftfctiyd\laisseseperdre\cert8.db Object is locked skipped
C:\Documents and Settings\Berrelli\Application Data\Aim\ftfctiyd\laisseseperdre\key3.db Object is locked skipped
C:\Documents and Settings\Berrelli\Application Data\AVG7\l_000222.log Object is locked skipped
C:\Documents and Settings\Berrelli\Application Data\Mozilla\Firefox\Profiles\axolf1vu.default\cert8.db Object is locked skipped
C:\Documents and Settings\Berrelli\Application Data\Mozilla\Firefox\Profiles\axolf1vu.default\history.dat Object is locked skipped
C:\Documents and Settings\Berrelli\Application Data\Mozilla\Firefox\Profiles\axolf1vu.default\key3.db Object is locked skipped
C:\Documents and Settings\Berrelli\Application Data\Mozilla\Firefox\Profiles\axolf1vu.default\parent.lock Object is locked skipped
C:\Documents and Settings\Berrelli\Application Data\Mozilla\Firefox\Profiles\axolf1vu.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Berrelli\Application Data\Mozilla\Firefox\Profiles\axolf1vu.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Berrelli\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Berrelli\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Berrelli\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Berrelli\Local Settings\Application Data\Mozilla\Firefox\Profiles\axolf1vu.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Berrelli\Local Settings\Application Data\Mozilla\Firefox\Profiles\axolf1vu.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Berrelli\Local Settings\Application Data\Mozilla\Firefox\Profiles\axolf1vu.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Berrelli\Local Settings\Application Data\Mozilla\Firefox\Profiles\axolf1vu.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Berrelli\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Berrelli\Local Settings\History\History.IE5\MSHist012007112720071128\index.dat Object is locked skipped
C:\Documents and Settings\Berrelli\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Berrelli\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Berrelli\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{29150F25-0AFD-4DC9-A0B7-869AAB3F52F4}\RP26\change.log Object is locked skipped
C:\System Volume Information\_restore{29150F25-0AFD-4DC9-A0B7-869AAB3F52F4}\RP6\A0000139.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Small.gmx skipped
C:\System Volume Information\_restore{29150F25-0AFD-4DC9-A0B7-869AAB3F52F4}\RP6\A0000139.exe/data.rar/crack.exe Infected: Trojan-Downloader.Win32.Agent.dlu skipped
C:\System Volume Information\_restore{29150F25-0AFD-4DC9-A0B7-869AAB3F52F4}\RP6\A0000139.exe/data.rar/serial.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{29150F25-0AFD-4DC9-A0B7-869AAB3F52F4}\RP6\A0000139.exe/data.rar/install.exe Infected: Virus.Win32.Virut.av skipped
C:\System Volume Information\_restore{29150F25-0AFD-4DC9-A0B7-869AAB3F52F4}\RP6\A0000139.exe/data.rar Infected: Virus.Win32.Virut.av skipped
C:\System Volume Information\_restore{29150F25-0AFD-4DC9-A0B7-869AAB3F52F4}\RP6\A0000139.exe RarSFX: infected - 5 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SophosEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
Scan process completed.
