Tom's Guide | Tom's Hardware | Tom's Games
 |
 |
 |
my warcraft got hacked so i ran spybot to get rid of the keylogger and it got rid of all but 1 thing a trojan called virtumonde and now i keep geting a pop up error after pop error 3 differnt titles but the all say "the application or DDL C:\WINDOW\system32\_c009636D.dat is not a valid Windows image" i dont no what to do can any1 help?
We will need to run a few scans to find the bad files.
Please download Atribune's VundoFix.exe from the followinf site to your desktop:
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files,
click "yes".Once you click yes, your desktop will go blank as it starts removing
Vundo.When completed, it will prompt that it will reboot your computer,
click "ok".Please download and install the latest version of HijackThis v2.0.2:
Download the "HijackThis" Installer from this link:
Hijack This
1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5.Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
0 
Just an FYI, multi-posts for the same problem are not permitted on this site...
You should request that your other post located here: http://www.computing.net/windowsxp/...
be removed.
Life's more painless for the brainless.
0
sorry for the other post bit of confusion on my part the scan found nothing but i try to post the hijackthis log but when i click edit it is "not responding" and i get a new error message
hijackthis-Notepad: NOTEPAD.EXE-Bad image
the application or DDL C:\WINDOW\system32\_c009636D.dat is not a valid Windows image
0
Instead of clicking edit just highlight the contents of the scan> press "ctrl c" then "ctrl v" to paste it into the forums comments box.
0
ok got it
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:20:49 AM, on 1/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: NormalRunning processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\WINDOWS\zHotkey.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\COMMON~1\AOL\115513~1\EE\AOLHOS~1.exe
C:\program files\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\arservice.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\PROGRA~1\COMMON~1\AOL\115513~1\EE\AOLServiceHost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner.STONY\Desktop\HiJackThis.exe
C:\WINDOWS\system32\NOTEPAD.exe
C:\WINDOWS\system32\wbem\wmiprvse.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage....
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage....
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1155139980\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SeekmoOE] C:\Program Files\Seekmo\bin\10.0.406.0\OEAddOn.exe
O4 - HKLM\..\Run: [SeekmoSA] "C:\Program Files\Seekmo\bin\10.0.406.0\SeekmoSA.exe"
O4 - HKLM\..\Run: [102b4a42] rundll32.exe "C:\WINDOWS\system32\__c0029D41.dat",b
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [A00F960B0F7.exe] C:\DOCUME~1\OWNER~1.STO\LOCALS~1\Temp\_A00F960B0F7.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: __c0033804 - C:\WINDOWS\system32\__c0033804.dat (file missing)
O20 - Winlogon Notify: __c005937E - C:\WINDOWS\system32\__c005937E.dat (file missing)
O20 - Winlogon Notify: __c009636D - C:\WINDOWS\system32\__c009636D.dat
O20 - Winlogon Notify: __c00BA2EE - C:\WINDOWS\system32\__c00BA2EE.dat (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)--
End of file - 12503 bytes
0
Go to the this link:
Follow their directions to disable any realtime protection that you have as it will interfere with the fix by reinstalling the corrupt files.
Please download ComboFix to the desktop from one of the following links:
Link 3
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.
0
ok did it
ComboFix 08-01-23.1C - Owner 2008-01-25 22:05:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1292 [GMT -5:00]
Running from: C:\Documents and Settings\Owner.STONY\Desktop\ComboFix.exe
* Created a new restore point[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\__c0019807.dat
C:\xcrashdump.dat
D:\Autorun.inf----- BITS: Possible infected sites -----
hxxp://javadl.sun.com
.
((((((((((((((((((((((((( Files Created from 2007-12-26 to 2008-01-26 )))))))))))))))))))))))))))))))
.2008-01-25 22:02 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 21:36 . 2008-01-24 21:36 <DIR> d-------- C:\VundoFix Backups
2008-01-24 21:34 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-24 12:29 . 2008-01-24 12:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-24 07:50 . 2008-01-24 07:50 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-24 06:53 . 2008-01-25 00:32 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-24 06:53 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-24 06:53 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-24 06:53 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-24 06:53 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-24 06:31 . 2008-01-24 06:31 5,376 --a------ C:\WINDOWS\system32\drivers\MS1000.sys
2008-01-24 06:30 . 2008-01-24 06:54 <DIR> d-------- C:\Program Files\The Cleaner Free
2008-01-18 08:33 . 2008-01-24 06:51 995,167 ---hs---- C:\WINDOWS\system32\14D9200c__.ini
2008-01-15 10:11 . 2008-01-23 13:24 130,016 --a------ C:\WINDOWS\system32\os.exe
2008-01-15 10:10 . 2008-01-15 10:10 1,320,448 --ah----- C:\WINDOWS\upx.exe
2008-01-15 10:10 . 2008-01-15 10:10 786,692 --ah----- C:\WINDOWS\wmplayer.exe
2008-01-15 10:10 . 2008-01-15 10:10 80 --a------ C:\WINDOWS\system32\Deleteme.bat
2008-01-08 21:51 . 2008-01-17 21:52 1,012,854 ---hs---- C:\WINDOWS\system32\826A300c__.ini
2007-12-31 21:51 . 2008-01-07 21:53 1,007,960 ---hs---- C:\WINDOWS\system32\25B7700c__.ini.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-26 03:12 --------- d-----w C:\Program Files\Steam
2008-01-26 02:12 --------- d-----w C:\Program Files\World of Warcraft
2008-01-25 14:04 --------- d-----w C:\Program Files\Winamp Remote
2008-01-25 02:34 --------- d-----w C:\Program Files\Java
2008-01-15 16:04 --------- d-----w C:\Program Files\McAfee
2007-12-19 10:41 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-19 09:16 --------- d-----w C:\Program Files\DivX
2007-11-27 07:50 --------- d-----w C:\Program Files\Winamp Toolbar
2007-11-27 07:50 --------- d-----w C:\Program Files\Winamp
2007-10-16 03:58 3,759,104 --sha-w C:\Program Files\ehthumbs.db
2006-12-27 10:41 5,971,432 ----a-w C:\Program Files\Firefox Setup 2.0.0.1.exe
2006-12-27 06:11 2,010,624 ----a-w C:\Program Files\ventrilo-2.3.0-Windows-i386.exe
2006-12-24 09:11 5,037,072 ----a-w C:\Program Files\spybotsd14.exe
2006-12-20 06:51 1,256,464 ----a-w C:\Program Files\s.a.d.setup.exe
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
2007-10-20 18:09 56 --sh--r C:\WINDOWS\system32\BC7DDD947D.sys
2007-10-20 18:09 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
2007-10-04 15:06 1135968 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{0BF43445-2F28-4351-9252-17FE6E806AA0}
{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 14:48 68856]
"Steam"="c:\program files\steam\steam.exe" [2007-12-08 04:19 1266936]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2007-10-22 19:47 360448][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 22:56 64512]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-08-09 11:00 169984]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 18:19 77312 C:\WINDOWS\arpwrmsg.exe]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 20:44 139264]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-14 04:01 16010752 C:\WINDOWS\RTHDCPL.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-18 10:32 7204864]
"nwiz"="nwiz.exe" [2005-09-18 10:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-09-18 10:32 86016]
"CHotkey"="zHotkey.exe" [2004-12-08 19:57 550912 C:\WINDOWS\zHotkey.exe]
"HostManager"="C:\Program Files\Common Files\AOL\1155139980\EE\AOLHostManager.exe" [2004-11-03 16:03 125528]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 19:42 79448]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"Recguard"="%WINDIR%\SMINST\RECGUARD.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 16:30 152144]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-02-08 21:39 36904]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-30 07:39 185632]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-10 00:28 36352]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53 1103752]
"102b4a42"="C:\WINDOWS\system32\__c0029D41.dat" [ ][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{0015D204-D7A2-456A-AE04-EB9ABF822FE4}"= C:\DOCUME~1\OWNER~1.STO\LOCALS~1\Temp\osow.dll [2008-01-15 10:11 42720][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0019807]
C:\WINDOWS\system32\__c0019807.dat[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0033804]
C:\WINDOWS\system32\__c0033804.dat[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c005937E]
C:\WINDOWS\system32\__c005937E.dat[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c009636D]
C:\WINDOWS\system32\__c009636D.dat[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00B3985]
C:\WINDOWS\system32\__c00B3985.dat[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00BA2EE]
C:\WINDOWS\system32\__c00BA2EE.dat[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00EF8A2]
C:\WINDOWS\system32\__c00EF8A2.dat[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovauS3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 03:06]
S3 MS1000;MS1000;C:\WINDOWS\system32\DRIVERS\MS1000.sys [2008-01-24 06:31]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 16:10]HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
FastUserSwitchingCompatibility
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
NWCWorkstation
Schedule
Seclogon
SRService
Themes
TrkWks
W32Time
Wmi
WmdmPmSp
winmgmt
wscsvc
xmlprov
MHN
BITS
wuauserv
ShellHWDetection
helpsvc[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7e6734b-27be-11db-b115-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 06:00:01 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-01-01 06:00:02 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 22:12:09
Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------PROCESS: C:\WINDOWS\Explorer.exe [6.00.2900.3156]
-> C:\PROGRA~1\Google\GOOGLE~1\GOA66E~1.DLL
.
Completion time: 2008-01-25 22:15:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-26 03:15:13
.
2008-01-24 11:00:58 --- E O F ---
0
Open Notepad and copy/paste everything between the X"s into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\system32\14D9200c__.ini
C:\WINDOWS\system32\os.exe
C:\WINDOWS\upx.exe
C:\WINDOWS\system32\Deleteme.bat
C:\WINDOWS\system32\826A300c__.ini
C:\WINDOWS\system32\25B7700c__.iniRegistry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"102b4a42"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{0015D204-D7A2-456A-AE04-EB9ABF822FE4}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0019807]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0033804]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c005937E]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c009636D]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00B3985]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00BA2EE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00EF8A2]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run".Post the newCombofix log.
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Download ATF Cleaner from this link:
ATF Cleaner
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.Post a new Hijack This log please.
0
he you go sir the combofix
ComboFix 08-01-23.1C - Owner 2008-01-26 4:38:17.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1314 [GMT -5:00]
Running from: C:\Documents and Settings\Owner.STONY\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.STONY\Desktop\CFScript.txt
* Created a new restore point[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
FILE
C:\WINDOWS\system32\14D9200c__.ini
C:\WINDOWS\system32\25B7700c__.ini
C:\WINDOWS\system32\826A300c__.ini
C:\WINDOWS\system32\Deleteme.bat
C:\WINDOWS\system32\os.exe
C:\WINDOWS\upx.exe
.((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.C:\WINDOWS\system32\14D9200c__.ini
C:\WINDOWS\system32\25B7700c__.ini
C:\WINDOWS\system32\826A300c__.ini
C:\WINDOWS\system32\Deleteme.bat
C:\WINDOWS\system32\os.exe
C:\WINDOWS\upx.exe.
((((((((((((((((((((((((( Files Created from 2007-12-26 to 2008-01-26 )))))))))))))))))))))))))))))))
.2008-01-25 22:02 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 21:36 . 2008-01-24 21:36 <DIR> d-------- C:\VundoFix Backups
2008-01-24 21:34 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-24 12:29 . 2008-01-24 12:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-24 07:50 . 2008-01-24 07:50 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-24 06:53 . 2008-01-25 00:32 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-24 06:53 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-24 06:53 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-24 06:53 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-24 06:53 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-24 06:31 . 2008-01-24 06:31 5,376 --a------ C:\WINDOWS\system32\drivers\MS1000.sys
2008-01-24 06:30 . 2008-01-24 06:54 <DIR> d-------- C:\Program Files\The Cleaner Free
2008-01-15 10:10 . 2008-01-15 10:10 786,692 --ah----- C:\WINDOWS\wmplayer.exe.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-26 09:42 --------- d-----w C:\Program Files\Steam
2008-01-26 03:21 --------- d-----w C:\Program Files\World of Warcraft
2008-01-25 14:04 --------- d-----w C:\Program Files\Winamp Remote
2008-01-25 02:34 --------- d-----w C:\Program Files\Java
2008-01-15 16:04 --------- d-----w C:\Program Files\McAfee
2007-12-19 10:41 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-19 09:16 --------- d-----w C:\Program Files\DivX
2007-11-27 07:50 --------- d-----w C:\Program Files\Winamp Toolbar
2007-11-27 07:50 --------- d-----w C:\Program Files\Winamp
2007-10-16 03:58 3,759,104 --sha-w C:\Program Files\ehthumbs.db
2006-12-27 10:41 5,971,432 ----a-w C:\Program Files\Firefox Setup 2.0.0.1.exe
2006-12-27 06:11 2,010,624 ----a-w C:\Program Files\ventrilo-2.3.0-Windows-i386.exe
2006-12-24 09:11 5,037,072 ----a-w C:\Program Files\spybotsd14.exe
2006-12-20 06:51 1,256,464 ----a-w C:\Program Files\s.a.d.setup.exe
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
2007-10-20 18:09 56 --sh--r C:\WINDOWS\system32\BC7DDD947D.sys
2007-10-20 18:09 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.((((((((((((((((((((((((((((( snapshot@2008-01-25_22.14.45.01 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-26 03:05:26 1,429,504 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000001\NTUSER.DAT
+ 2008-01-26 09:38:07 1,429,504 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000001\NTUSER.DAT
- 2008-01-26 03:05:26 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000002\UsrClass.dat
+ 2008-01-26 09:38:07 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000002\UsrClass.dat
- 2008-01-26 03:05:26 1,429,504 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000003\NTUSER.DAT
+ 2008-01-26 09:38:07 1,429,504 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000003\NTUSER.DAT
- 2008-01-26 03:05:26 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000004\UsrClass.dat
+ 2008-01-26 09:38:07 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000004\UsrClass.dat
- 2008-01-26 03:05:26 4,894,720 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000005\NTUSER.DAT
+ 2008-01-26 09:38:07 4,927,488 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000005\NTUSER.DAT
- 2008-01-26 03:05:26 327,680 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000006\UsrClass.dat
+ 2008-01-26 09:38:07 331,776 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000006\UsrClass.dat
- 2008-01-26 02:02:59 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-26 06:44:13 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-26 02:02:59 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-26 06:44:13 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-26 02:02:59 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-26 06:44:13 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
2007-10-04 15:06 1135968 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{0BF43445-2F28-4351-9252-17FE6E806AA0}
{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 14:48 68856]
"Steam"="c:\program files\steam\steam.exe" [2007-12-08 04:19 1266936]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2007-10-22 19:47 360448][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 22:56 64512]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-08-09 11:00 169984]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 18:19 77312 C:\WINDOWS\arpwrmsg.exe]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 20:44 139264]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-14 04:01 16010752 C:\WINDOWS\RTHDCPL.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-18 10:32 7204864]
"nwiz"="nwiz.exe" [2005-09-18 10:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-09-18 10:32 86016]
"CHotkey"="zHotkey.exe" [2004-12-08 19:57 550912 C:\WINDOWS\zHotkey.exe]
"HostManager"="C:\Program Files\Common Files\AOL\1155139980\EE\AOLHostManager.exe" [2004-11-03 16:03 125528]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 19:42 79448]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"Recguard"="%WINDIR%\SMINST\RECGUARD.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 16:30 152144]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-02-08 21:39 36904]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-30 07:39 185632]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-10 00:28 36352]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53 1103752][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0019807]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0033804]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c005937E]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c009636D]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00B3985]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00BA2EE]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00EF8A2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovauS3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 03:06]
S3 MS1000;MS1000;C:\WINDOWS\system32\DRIVERS\MS1000.sys [2008-01-24 06:31]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 16:10][HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7e6734b-27be-11db-b115-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 06:00:01 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-01-01 06:00:02 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-26 04:42:13
Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0**************************************************************************
.
Completion time: 2008-01-26 4:45:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-26 09:45:05
ComboFix2.txt 2008-01-26 04:57:20
ComboFix3.txt 2008-01-26 03:15:18
.
2008-01-24 11:00:58 --- E O F ---
0
and heres the hijackthis logLogfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:53:29 AM, on 1/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: NormalRunning processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\WINDOWS\zHotkey.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\COMMON~1\AOL\115513~1\EE\AOLHOS~1.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\program files\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\COMMON~1\AOL\115513~1\EE\AOLServiceHost.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner.STONY\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage....
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage....
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1155139980\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: __c0019807 - C:\WINDOWS\
O20 - Winlogon Notify: __c0033804 - C:\WINDOWS\
O20 - Winlogon Notify: __c005937E - C:\WINDOWS\
O20 - Winlogon Notify: __c009636D - C:\WINDOWS\
O20 - Winlogon Notify: __c00B3985 - C:\WINDOWS\
O20 - Winlogon Notify: __c00BA2EE - C:\WINDOWS\
O20 - Winlogon Notify: __c00EF8A2 - C:\WINDOWS\
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)--
End of file - 11962 bytes
0
Disable McAfee VirusScan ScriptStopper feature by by doing the folowing:
Right-mouse click the McAfee VirusScan icon in the system tray.
The McAfee system tray icon looks like .Select VirusScan then click Options.
Click the Advanced button and then click the ScriptStopper tab.Note: McAfee VirusScan 10 users, click the Exploits tab.
Make sure Enable ScriptStopper (recommended) option is de-selected.
Click OK and then click OK to complete disabling McAfee ScriptStopper feature.
Run Hijack This again and remove these items:
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O20 - Winlogon Notify: __c0019807 - C:\WINDOWS\
O20 - Winlogon Notify: __c0033804 - C:\WINDOWS\
O20 - Winlogon Notify: __c005937E - C:\WINDOWS\
O20 - Winlogon Notify: __c009636D - C:\WINDOWS\
O20 - Winlogon Notify: __c00B3985 - C:\WINDOWS\
O20 - Winlogon Notify: __c00BA2EE - C:\WINDOWS\
O20 - Winlogon Notify: __c00EF8A2 - C:\WINDOWS\
Exit Hijack This.
Open Notepad and copy/paste everything between the X"s into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
Driver::
__c0019807
__c0033804
__c005937E
__c009636D
__c00B3985
__c00BA2EE
__c00EF8A2
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0019807]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0033804]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c005937E]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c009636D]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00B3985]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00BA2EE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00EF8A2]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run".Please go to Virus Total and upload the following file for analysis:
C:\Program Files\spybotsd14.exe
C:\Program Files\s.a.d.setup.exe
C:\WINDOWS\system32\AVSredirect.dll
C:\WINDOWS\system32\BC7DDD947D.sys
Post the results in your reply.
0
If you can't find how to disable script stopper, go off line turn your antivirus off, then run Hijack This and Combofix as suggested.
Restart the computer, make sure your av is running then do the remainder of the suggestions.
0
File spybotsd14.exe received on 01.16.2008 14:38:58 (CET)
Current status: finished
Result: 0/32 (0.00%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
AhnLab-V3 2008.1.16.11 2008.01.16 -
AntiVir 7.6.0.48 2008.01.16 -
Authentium 4.93.8 2008.01.16 -
Avast 4.7.1098.0 2008.01.16 -
AVG 7.5.0.516 2008.01.16 -
BitDefender 7.2 2008.01.16 -
CAT-QuickHeal 9.00 2008.01.16 -
ClamAV 0.91.2 2008.01.16 -
DrWeb 4.44.0.09170 2008.01.16 -
eSafe 7.0.15.0 2008.01.15 -
eTrust-Vet 31.3.5462 2008.01.16 -
Ewido 4.0 2008.01.16 -
FileAdvisor 1 2008.01.16 -
Fortinet 3.14.0.0 2008.01.16 -
F-Prot 4.4.2.54 2008.01.15 -
F-Secure 6.70.13030.0 2008.01.16 -
Ikarus T3.1.1.20 2008.01.16 -
Kaspersky 7.0.0.125 2008.01.16 -
McAfee 5208 2008.01.15 -
Microsoft 1.3109 2008.01.16 -
NOD32v2 2797 2008.01.16 -
Norman 5.80.02 2008.01.16 -
Panda 9.0.0.4 2008.01.15 -
Prevx1 V2 2008.01.16 -
Rising 20.27.22.00 2008.01.16 -
Sophos 4.24.0 2008.01.16 -
Sunbelt 2.2.907.0 2008.01.15 -
Symantec 10 2008.01.16 -
TheHacker 6.2.9.188 2008.01.16 -
VBA32 3.12.2.5 2008.01.15 -
VirusBuster 4.3.26:9 2008.01.15 -
Webwasher-Gateway 6.6.2 2008.01.16 -
Additional information
File size: 5037072 bytes
MD5: c1a843913269018a8fc962407d7e5169
SHA1: f6feca87bf7ae26bb175753129de87d7577c822e
PEiD: -File s.a.d.setup.exe received on 01.26.2008 22:39:27 (CET)
Current status: finished
Result: 1/32 (3.12%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
AhnLab-V3 2008.1.26.10 2008.01.25 -
AntiVir 7.6.0.53 2008.01.25 -
Authentium 4.93.8 2008.01.26 -
Avast 4.7.1098.0 2008.01.26 -
AVG 7.5.0.516 2008.01.26 -
BitDefender 7.2 2008.01.26 -
CAT-QuickHeal 9.00 2008.01.25 -
ClamAV 0.91.2 2008.01.26 -
DrWeb 4.44.0.09170 2008.01.26 -
eSafe 7.0.15.0 2008.01.16 -
eTrust-Vet 31.3.5486 2008.01.26 -
Ewido 4.0 2008.01.26 -
FileAdvisor 1 2008.01.26 -
Fortinet 3.14.0.0 2008.01.26 -
F-Prot 4.4.2.54 2008.01.26 -
F-Secure 6.70.13260.0 2008.01.26 -
Ikarus T3.1.1.20 2008.01.26 -
Kaspersky 7.0.0.125 2008.01.26 -
McAfee 5216 2008.01.26 -
Microsoft 1.3109 2008.01.26 -
NOD32v2 2824 2008.01.26 -
Norman 5.80.02 2008.01.24 -
Panda 9.0.0.4 2008.01.26 -
Prevx1 V2 2008.01.26 Heuristic: Suspicious Self Modifying File
Rising 20.28.52.00 2008.01.26 -
Sophos 4.25.0 2008.01.26 -
Sunbelt 2.2.907.0 2008.01.25 -
Symantec 10 2008.01.26 -
TheHacker 6.2.9.199 2008.01.26 -
VBA32 3.12.2.5 2008.01.21 -
VirusBuster 4.3.26:9 2008.01.26 -
Webwasher-Gateway 6.6.2 2008.01.26 -
Additional information
File size: 1256464 bytes
MD5: d7d23e6aee1c3cf284a163db393dfa4b
SHA1: df9a9bc8ed6fa00432a0e9bc6cbb2253ecae36f7
PEiD: -File AVSredirect.dll received on 01.24.2008 11:19:36 (CET)
Current status: finished
Result: 4/32 (12.50%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
AhnLab-V3 2008.1.24.11 2008.01.24 -
AntiVir 7.6.0.48 2008.01.24 -
Authentium 4.93.8 2008.01.24 -
Avast 4.7.1098.0 2008.01.23 -
AVG 7.5.0.516 2008.01.23 -
BitDefender 7.2 2008.01.24 -
CAT-QuickHeal 9.00 2008.01.23 -
ClamAV 0.91.2 2008.01.24 PUA.Packed.TeLock
DrWeb 4.44.0.09170 2008.01.24 -
eSafe 7.0.15.0 2008.01.16 Suspicious File
eTrust-Vet 31.3.5482 2008.01.24 -
Ewido 4.0 2008.01.23 -
FileAdvisor 1 2008.01.24 -
Fortinet 3.14.0.0 2008.01.24 -
F-Prot 4.4.2.54 2008.01.24 -
F-Secure 6.70.13260.0 2008.01.24 -
Ikarus T3.1.1.20 2008.01.24 -
Kaspersky 7.0.0.125 2008.01.24 -
McAfee 5214 2008.01.23 -
Microsoft 1.3109 2008.01.24 -
NOD32v2 2819 2008.01.24 -
Norman 5.80.02 2008.01.23 -
Panda 9.0.0.4 2008.01.23 -
Prevx1 V2 2008.01.24 -
Rising 20.28.31.00 2008.01.24 -
Sophos 4.24.0 2008.01.24 -
Sunbelt 2.2.907.0 2008.01.23 VIPRE.Suspicious
Symantec 10 2008.01.24 -
TheHacker 6.2.9.196 2008.01.23 -
VBA32 3.12.2.5 2008.01.21 -
VirusBuster 4.3.26:9 2008.01.23 -
Webwasher-Gateway 6.6.2 2008.01.24 Win32.Malware.gen!88 (suspicious)
Additional information
File size: 27648 bytes
MD5: 39854962ade636403358ab8a2edeab6b
SHA1: 06668003859bed01486ee9137f14dcba04fb7468
PEiD: tElock 0.98 -> tE!
packers: TeLock
packers: PE_Patch, TeLockFile BC7DDD947D.sys received on 01.26.2008 22:57:24 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/32 (0%)
Loading server information...
Your file is queued in position: 34.
Estimated start time is between 108 and 154 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:
Antivirus Version Last Update Result
AhnLab-V3 2008.1.26.10 2008.01.25 -
AntiVir 7.6.0.53 2008.01.25 -
Authentium 4.93.8 2008.01.26 -
Avast 4.7.1098.0 2008.01.26 -
AVG 7.5.0.516 2008.01.26 -
BitDefender 7.2 2008.01.26 -
CAT-QuickHeal 9.00 2008.01.25 -
ClamAV 0.91.2 2008.01.26 -
DrWeb 4.44.0.09170 2008.01.26 -
eSafe 7.0.15.0 2008.01.16 -
eTrust-Vet 31.3.5486 2008.01.26 -
Ewido 4.0 2008.01.26 -
FileAdvisor 1 2008.01.26 -
Fortinet 3.14.0.0 2008.01.26 -
F-Prot 4.4.2.54 2008.01.26 -
F-Secure 6.70.13260.0 2008.01.26 -
Ikarus T3.1.1.20 2008.01.26 -
Kaspersky 7.0.0.125 2008.01.26 -
McAfee 5216 2008.01.26 -
Microsoft 1.3109 2008.01.26 -
NOD32v2 2824 2008.01.26 -
Norman 5.80.02 2008.01.24 -
Panda 9.0.0.4 2008.01.26 -
Prevx1 V2 2008.01.26 -
Rising 20.28.52.00 2008.01.26 -
Sophos 4.25.0 2008.01.26 -
Sunbelt 2.2.907.0 2008.01.25 -
Symantec 10 2008.01.26 -
TheHacker 6.2.9.199 2008.01.26 -
VBA32 3.12.2.5 2008.01.21 -
VirusBuster 4.3.26:9 2008.01.26 -
Webwasher-Gateway 6.6.2 2008.01.26 -
Additional information
File size: 56 bytes
MD5: 6ec1af77cf67fd0eca184d36e0f1874f
SHA1: 06ca049ca2c047baa53a3e52750a60d54e19f043
PEiD: -
0
oops srry
ComboFix 08-01-23.1C - Owner 2008-01-26 16:15:07.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1307 [GMT -5:00]
Running from: C:\Documents and Settings\Owner.STONY\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.STONY\Desktop\CFScript.txt
* Created a new restore point[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.((((((((((((((((((((((((( Files Created from 2007-12-26 to 2008-01-26 )))))))))))))))))))))))))))))))
.2008-01-25 22:02 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 21:36 . 2008-01-24 21:36 <DIR> d-------- C:\VundoFix Backups
2008-01-24 21:34 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-24 12:29 . 2008-01-24 12:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-24 07:50 . 2008-01-24 07:50 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-24 06:53 . 2008-01-25 00:32 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-24 06:53 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-24 06:53 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-24 06:53 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-24 06:53 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-24 06:31 . 2008-01-24 06:31 5,376 --a------ C:\WINDOWS\system32\drivers\MS1000.sys
2008-01-24 06:30 . 2008-01-24 06:54 <DIR> d-------- C:\Program Files\The Cleaner Free
2008-01-15 10:10 . 2008-01-15 10:10 786,692 --ah----- C:\WINDOWS\wmplayer.exe.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-26 21:23 --------- d-----w C:\Program Files\Steam
2008-01-26 03:21 --------- d-----w C:\Program Files\World of Warcraft
2008-01-25 14:04 --------- d-----w C:\Program Files\Winamp Remote
2008-01-25 02:34 --------- d-----w C:\Program Files\Java
2008-01-15 16:04 --------- d-----w C:\Program Files\McAfee
2007-12-19 10:41 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-19 09:16 --------- d-----w C:\Program Files\DivX
2007-11-27 07:50 --------- d-----w C:\Program Files\Winamp Toolbar
2007-11-27 07:50 --------- d-----w C:\Program Files\Winamp
2007-10-16 03:58 3,759,104 --sha-w C:\Program Files\ehthumbs.db
2006-12-27 10:41 5,971,432 ----a-w C:\Program Files\Firefox Setup 2.0.0.1.exe
2006-12-27 06:11 2,010,624 ----a-w C:\Program Files\ventrilo-2.3.0-Windows-i386.exe
2006-12-24 09:11 5,037,072 ----a-w C:\Program Files\spybotsd14.exe
2006-12-20 06:51 1,256,464 ----a-w C:\Program Files\s.a.d.setup.exe
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
2007-10-20 18:09 56 --sh--r C:\WINDOWS\system32\BC7DDD947D.sys
2007-10-20 18:09 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.((((((((((((((((((((((((((((( snapshot@2008-01-25_22.14.45.01 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-26 03:05:26 1,429,504 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000001\NTUSER.DAT
+ 2008-01-26 21:14:53 1,429,504 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000001\NTUSER.DAT
- 2008-01-26 03:05:26 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000002\UsrClass.dat
+ 2008-01-26 21:14:53 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000002\UsrClass.dat
- 2008-01-26 03:05:26 1,429,504 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000003\NTUSER.DAT
+ 2008-01-26 21:14:53 1,429,504 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000003\NTUSER.DAT
- 2008-01-26 03:05:26 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000004\UsrClass.dat
+ 2008-01-26 21:14:53 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000004\UsrClass.dat
- 2008-01-26 03:05:26 4,894,720 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000005\NTUSER.DAT
+ 2008-01-26 21:14:54 5,001,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000005\NTUSER.DAT
- 2008-01-26 03:05:26 327,680 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000006\UsrClass.dat
+ 2008-01-26 21:14:54 331,776 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000006\UsrClass.dat
- 2008-01-26 02:02:59 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-26 20:58:43 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-26 02:02:59 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-26 20:58:43 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-26 02:02:59 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-26 20:58:43 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
2007-10-04 15:06 1135968 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{0BF43445-2F28-4351-9252-17FE6E806AA0}
{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 14:48 68856]
"Steam"="c:\program files\steam\steam.exe" [2007-12-08 04:19 1266936]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2007-10-22 19:47 360448][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 22:56 64512]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-08-09 11:00 169984]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 18:19 77312 C:\WINDOWS\arpwrmsg.exe]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 20:44 139264]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-14 04:01 16010752 C:\WINDOWS\RTHDCPL.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-18 10:32 7204864]
"nwiz"="nwiz.exe" [2005-09-18 10:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-09-18 10:32 86016]
"CHotkey"="zHotkey.exe" [2004-12-08 19:57 550912 C:\WINDOWS\zHotkey.exe]
"HostManager"="C:\Program Files\Common Files\AOL\1155139980\EE\AOLHostManager.exe" [2004-11-03 16:03 125528]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 19:42 79448]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"Recguard"="%WINDIR%\SMINST\RECGUARD.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 16:30 152144]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-02-08 21:39 36904]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-30 07:39 185632]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-10 00:28 36352]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53 1103752]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-10 14:00 388608][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovauS3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 03:06]
S3 MS1000;MS1000;C:\WINDOWS\system32\DRIVERS\MS1000.sys [2008-01-24 06:31]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 16:10][HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7e6734b-27be-11db-b115-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 06:00:01 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-01-01 06:00:02 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-26 16:23:33
Windows 5.1.2600 Service Pack 2 NTFSdetected NTDLL code modification:
ZwClosescanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0**************************************************************************
.
Completion time: 2008-01-26 16:26:53 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-01-26 21:26:48
ComboFix2.txt 2008-01-26 09:45:11
ComboFix3.txt 2008-01-26 04:57:20
ComboFix4.txt 2008-01-26 03:15:18
.
2008-01-24 11:00:58 --- E O F ---
0  |
 |
 |
This post is quite old and has been locked from receiving new replies. Please create a new posting instead.
| Ads by Google |
