
website crashed my computer


Name: angeljam
Date: October 18, 2008 at 12:05:38 Pacific
OS: xp sp3
CPU/Ram: 2.19ghz 640 mb
Product: emachine t6410
Comment:

I went to this website looking up commands for someone else's computer. I know what site. Next thing I know, my firewall shut off by itself. Then when I turned it back on, the computer shut off. Restarted, black screen, waited 60 sec, turned back on; it let me go to the login page but not sign in, so I shut off. This morning I turned on and some program downloaded on my computer says I have 38 infections and will not let me go to my AVG or Internet Explorer. It is blocking me from doing anything. The program is called XP-Antispyware installer 2009. It keeps shutting the firewall off, so I'm on a different computer to post this log. Also I downloaded Malwarebytes onto a CD and installed it on my computer. I was able to run it but can't update it because the computer won't go online; something is blocking me. Please help. Thank you.

angeljam




Response Number 1
Name: jabuck
Date: October 18, 2008 at 16:26:00 Pacific
Reply:

Try these first two suggestions, then restart the computer and try to connect to the internet. If no luck, try the third suggestion.

(Suggestion 1)

Go start > run type cmd and press enter or ok.
type ipconfig /flushdns (The space between g and / is needed)

Then press Enter, type Exit, press Enter again

(Suggestion 2)

Launch Notepad, and copy/paste all the instructions between the X’s below to it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.

(Suggestion 3)

You will probably not have to go further than Step 2 Item 6.
Step 1
1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. In Registry Editor, locate the following keys, right-click each key, and then click Delete:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2
4. When you are prompted to confirm the deletion, click Yes.
Note: Restart the computer after you delete the Winsock keys. Doing so causes the Windows XP operating system to create new shell entries for those two keys. If you do not restart the computer after you delete the Winsock keys, the next step does not work correctly.
Step 2: Install TCP/IP
1. Right-click the network connection, and then click Properties.
2. Click Install.
3. Click Protocol, and then click Add.
4. Click Have Disk.
5. Type C:\Windows\inf, and then click OK.
6. On the list of available protocols, click Internet Protocol (TCP/IP), and then click OK.

If Internet Protocol (TCP/IP) does not appear, follow these steps:
a. Click Start, and then click Search.
b. In the Search Companion pane, click More advanced options.
c. Click to select the following three check boxes:
• Search system folders
• Search hidden files and folders
• Search subfolders

d. In the All or part of the file name box, type nettcpip.inf, and then click Search.
e. In the results pane, right-click Nettcpip.inf, and then click Install.

7. Restart the computer.

Try to update Malwarebytes and run it again, and post a HijackThis log when and if you can get online.


0
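Suggestion 2 works because a REGEDIT4 file can delete a key (`[-KEY]`) and then recreate it empty (`[KEY]`), which wipes every per-site zone assignment an intruder may have written under ZoneMap. The following is an added example, not code from the thread: it parses that .reg format and applies it to an in-memory model of the registry, so the delete-then-recreate effect can be checked offline. The nested-dict registry, the `__values__` slot and the constructed "before" entry (`example.invalid` forced into zone 4, Restricted sites) are assumptions made for the demonstration.

```python
"""Simulate what a REGEDIT4 'fixme.reg' file does to the registry (added example)."""
import re

# Constructed copy of the HKCU half of the fix from the post.
FIXME_REG = r"""REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
"""

ZONEMAP = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"


def parse_reg(text):
    """Return a list of (op, key_path, name, value) tuples.

    op is 'delete_key' for a [-KEY] line, 'create_key' for a [KEY] line,
    and 'set_value' for a "name"=value line under the current key.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("not a REGEDIT4 file")
    ops, current = [], None
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(-?)([^\]]+)\]", line)
        if m:
            if m.group(1) == "-":
                ops.append(("delete_key", m.group(2), None, None))
                current = None
            else:
                current = m.group(2)
                ops.append(("create_key", current, None, None))
            continue
        m = re.fullmatch(r'(?:"([^"]*)"|(@))=(.*)', line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else ""  # '@' is the default value
            ops.append(("set_value", current, name, m.group(3).strip('"')))
            continue
        raise ValueError(f"unrecognised line: {line}")
    return ops


def _walk(tree, path, create):
    """Descend the nested-dict model along a backslash path; optionally create missing keys."""
    node = tree
    for part in path.split("\\"):
        if part not in node:
            if not create:
                return None
            node[part] = {}
        node = node[part]
    return node


def apply_reg(tree, ops):
    """Apply parsed ops to the model. Values of a key live in its '__values__' slot (assumption)."""
    for op, path, name, value in ops:
        if op == "delete_key":
            parent_path, _, leaf = path.rpartition("\\")
            parent = _walk(tree, parent_path, create=False)
            if parent is not None:
                parent.pop(leaf, None)          # removes the key and everything below it
        elif op == "create_key":
            _walk(tree, path, create=True)      # recreated empty if it was just deleted
        elif op == "set_value":
            _walk(tree, path, create=True).setdefault("__values__", {})[name] = value
    return tree


def demo():
    """Build a constructed 'hijacked' ZoneMap, apply the fix, and return the Domains key."""
    reg = {}
    dom = _walk(reg, ZONEMAP + r"\Domains\example.invalid", create=True)
    dom["__values__"] = {"*": "4"}              # constructed: zone 4 = Restricted sites
    apply_reg(reg, parse_reg(FIXME_REG))
    return _walk(reg, ZONEMAP + r"\Domains", create=False)


if __name__ == "__main__":
    print("Domains after fix:", demo())        # the injected entry is gone, key is empty
```

The same parser handles the HKLM half of the post's file; only the key prefixes differ. Merging a real .reg file does exactly this, so the order of the lines matters: the `[-KEY]` line must precede the `[KEY]` line or the key will be deleted rather than emptied.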

Response Number 2
Name: angeljam
Date: October 19, 2008 at 10:39:37 Pacific
Reply:

Maybe I'm panicking here but... I couldn't do option 2. After I did option 3 I was able to kinda get online. It has changed my homepage to iGoogle and won't let me go anywhere else. Also Malwarebytes started to update but this thing stopped it; it said I don't have access to the firewall. It has removed my Microsoft Security Center. More things showed up when I did another scan. This is what Malwarebytes says now: items could not be removed. c:/windows/system32, c:/windows/system32/tdssbrsr.dll, c:/windows/system32/tdssbubx.log, c:/windows/system32/tdssxwp.dll, c:/windows/system32.tdssnmxh.log

isn't that my whole system op? i have not restarted ..

angeljam


0

Response Number 3
Name: jabuck
Date: October 19, 2008 at 15:46:23 Pacific
Reply:

Reboot into safe mode with networking and run SDFix and be sure to turn off your antivirus and any antispyware that you have.

Download SDFix.exe and save it to your Desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.

1. Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
2. Open the c:\SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
3. Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
4. Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt


0

Response Number 4
Name: angeljam
Date: October 19, 2008 at 17:11:32 Pacific
Reply:


SDFix: Version 1.236
Run by Owner on Sun 10/19/2008 at 07:42 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services:

Name:
tdssserv

Path:
\systemroot\system32\drivers\TDSSpqlt.sys

tdssserv - Deleted

Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files:

Trojan Files Found:

C:\DOCUME~1\OWNER\COOKIES\ODYDOBEL.BIN - Deleted
C:\DOCUME~1\OWNER\COOKIES\ULUHUF~1.BIN - Deleted
C:\DOCUME~1\OWNER\COOKIES\YHELIHA.VBS - Deleted
C:\Documents and Settings\All Users\Documents\onylog.ban - Deleted
C:\Program Files\Common Files\aqigymyp.exe - Deleted
C:\Program Files\Common Files\xibatod.scr - Deleted
C:\Documents and Settings\Owner\Application Data\wklnhst.dat - Deleted
C:\Documents and Settings\Owner\Application Data\petilujuwa.scr - Deleted
C:\Documents and Settings\Owner\Application Data\ysehypa._sy - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\Binaries3.cab4 - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\Binaries3.cab5 - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\TDSS19df.tmp - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\TDSS19ef.tmp - Deleted

Removing Temp Files

ADS Check:


Final Check:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-19 19:52:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.exe"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Disabled:America Online 9.0"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Disabled:AOL"
"C:\\Program Files\\BearShare\\BearShare.exe"="C:\\Program Files\\BearShare\\BearShare.exe:*:Disabled:BearShare"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Disabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Mon 11 Sep 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 11 Sep 2006 4,348 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\My Music\License Backup\drmv1key.bak"
Mon 11 Sep 2006 20 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\My Music\License Backup\drmv1lic.bak"
Mon 11 Sep 2006 9,721 A.SH. --- "C:\Documents and Settings\Owner\My Documents\My Music\My Music\License Backup\drmv2key.bak"
Wed 21 May 2008 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Wed 21 May 2008 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Wed 21 May 2008 8 A..H. --- "C:\Documents and Settings\Owner\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Wed 21 May 2008 8 A..H. --- "C:\Documents and Settings\Owner\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"

Finished!

thank you!!!

angeljam


0

Response Number 5
Name: jabuck
Date: October 19, 2008 at 17:47:46 Pacific
Reply:

Post a Hijack This log please.


0




Response Number 6
Name: angeljam
Date: October 19, 2008 at 18:18:04 Pacific
Reply:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:16:41 PM, on 10/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\MSN Messenger\MsnMsgr.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/act...
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/res...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by109fd.bay109.hotmail.msn.c...
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: karna.dat
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 6185 bytes

angeljam


0
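A HijackThis log is a flat list of `Rn`/`On` entries, and reading one by hand means knowing which loading points are rarely used legitimately. The block below is an added example, not part of the thread and not HijackThis's own analysis: it parses a constructed subset of the log above and flags entries for review. The three heuristics (a non-empty AppInit_DLLs value, especially a bare file name without a full path; a Run entry pointing outside Program Files or the Windows directory; a service whose binary is not an .exe) are assumptions chosen for the demonstration, and a flag means "look at this", not a verdict.

```python
"""Triage HijackThis log entries that deserve a second look (added example)."""
import re

# Constructed subset of the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O20 - AppInit_DLLs: karna.dat
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

LINE_RE = re.compile(r"^(?P<code>[OR]\d+) - (?P<body>.*)$")
RUN_EXE_RE = re.compile(r'\]\s*"?([A-Za-z]:\\[^"]+?\.(?:exe|scr|com|bat|cmd))"?', re.I)
EXPECTED_PREFIXES = ("c:\\program files", "c:\\progra~1", "c:\\windows")


def parse_hjt(text):
    """Yield (code, body) for each HijackThis entry line; process-list and other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def _service_path(body):
    # 'Service: <name> - <vendor> - <path>'; the path is the last ' - ' separated field.
    return body.rsplit(" - ", 1)[-1].strip()


def triage(text):
    """Return a list of (code, reason, body) findings using the heuristics described above."""
    findings = []
    for code, body in parse_hjt(text):
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if value:
                reason = "AppInit_DLLs is set"
                if not re.match(r"^[A-Za-z]:\\", value):
                    reason += " to a bare file name (no full path)"
                findings.append((code, reason, body))
        elif code == "O4":
            m = RUN_EXE_RE.search(body)
            if m and not m.group(1).lower().startswith(EXPECTED_PREFIXES):
                findings.append((code, "Run entry outside Program Files/Windows", body))
        elif code == "O23" and body.startswith("Service:"):
            path = _service_path(body)
            if not path.lower().endswith(".exe"):
                ext = path.rsplit(".", 1)[-1]
                findings.append((code, f"service binary has unusual extension ({ext})", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {body}")
```

AppInit_DLLs is loaded into every process that links user32.dll, which is why a helper would ask about any value there before anything else in the log; the O23 rule is deliberately loose and will also flag legitimate vendor services, which is the point of a review list rather than an automatic verdict.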

Response Number 7
Name: jabuck
Date: October 19, 2008 at 18:36:48 Pacific
Reply:

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, turn off your AVG antivirus, and turn off any antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.


0

Response Number 8
Name: angeljam
Date: October 19, 2008 at 19:06:02 Pacific
Reply:

ComboFix 08-10-19.03 - Owner 2008-10-19 21:51:48.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.311 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Cookies\owek.com
C:\UWA7P
C:\WINDOWS\system32\AutoRun.inf
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FOPN


((((((((((((((((((((((((( Files Created from 2008-09-20 to 2008-10-20 )))))))))))))))))))))))))))))))
.

2100-02-23 14:35 . 2001-02-22 09:54 768 --a------ C:\Program Files\x73_lut.dat
2100-02-08 16:03 . 2001-05-11 11:39 53,248 --a------ C:\Program Files\ACMonitor_X73.exe
2008-10-19 19:42 . 2008-10-19 19:42 578,560 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-10-19 19:40 . 2008-10-19 19:40 <DIR> d-------- C:\WINDOWS\ERUNT
2008-10-19 19:37 . 2008-10-19 19:57 <DIR> d-------- C:\SDFix
2008-10-19 16:59 . 2008-10-19 21:33 <DIR> d--h----- C:\$AVG8.VAULT$
2008-10-19 12:33 . 2008-10-19 12:33 268 --ah----- C:\sqmdata04.sqm
2008-10-19 12:33 . 2008-10-19 12:33 244 --ah----- C:\sqmnoopt04.sqm
2008-10-19 12:23 . 2008-10-19 12:23 268 --ah----- C:\sqmdata03.sqm
2008-10-19 12:23 . 2008-10-19 12:23 244 --ah----- C:\sqmnoopt03.sqm
2008-10-19 12:22 . 2008-10-19 12:22 268 --ah----- C:\sqmdata02.sqm
2008-10-19 12:22 . 2008-10-19 12:22 244 --ah----- C:\sqmnoopt02.sqm
2008-10-18 13:55 . 2008-10-19 12:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-18 13:55 . 2008-10-18 13:55 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-10-18 13:55 . 2008-10-18 13:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-18 13:55 . 2008-10-16 20:25 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-18 13:55 . 2008-10-16 20:25 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-18 10:07 . 2008-10-18 10:07 19,952 --a------ C:\WINDOWS\asuzakuciz.inf
2008-10-18 10:07 . 2008-10-18 10:07 19,134 --a------ C:\WINDOWS\system32\byku.dll
2008-10-18 10:07 . 2008-10-18 10:07 18,655 --a------ C:\WINDOWS\pehini.sys
2008-10-18 10:07 . 2008-10-18 10:07 18,448 --a------ C:\Documents and Settings\All Users\Application Data\nyhybij.bat
2008-10-18 10:07 . 2008-10-18 10:07 18,274 --a------ C:\Documents and Settings\All Users\Application Data\xahamazifu.exe
2008-10-18 10:07 . 2008-10-18 10:07 17,580 --a------ C:\Documents and Settings\Owner\Application Data\cofu.reg
2008-10-18 10:07 . 2008-10-18 10:07 15,443 --a------ C:\WINDOWS\iqygyh.dll
2008-10-18 10:07 . 2008-10-18 10:07 14,777 --a------ C:\WINDOWS\system32\vyrisik.dat
2008-10-18 10:07 . 2008-10-18 10:07 13,945 --a------ C:\WINDOWS\dysu.exe
2008-10-18 10:07 . 2008-10-18 10:07 13,400 --a------ C:\WINDOWS\ipigufej.exe
2008-10-18 10:07 . 2008-10-18 10:07 11,492 --a------ C:\WINDOWS\mokymige.reg
2008-10-18 10:07 . 2008-10-18 10:07 10,913 --a------ C:\WINDOWS\system32\inab.ban
2008-10-17 23:23 . 2008-10-19 12:59 164 --a------ C:\WINDOWS\system32\TDSSosvd.dat
2008-10-15 07:42 . 2008-09-08 06:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-15 07:41 . 2008-08-14 06:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 07:41 . 2008-08-14 06:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 07:41 . 2008-08-14 05:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 07:41 . 2008-08-14 05:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 07:41 . 2008-09-15 08:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-09 07:12 . 2008-10-19 20:12 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-10-09 07:12 . 2008-10-09 07:12 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-10-09 07:12 . 2008-10-09 07:12 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-10-09 07:12 . 2008-10-09 07:12 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-10-09 07:02 . 2008-10-18 16:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-18 14:07 15,984 ----a-w C:\Program Files\Common Files\adinav.inf
2008-09-19 17:33 20,747 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-09-19 17:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-19 17:33 --------- d-----w C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor
2008-09-10 17:59 --------- d-----w C:\Program Files\MSN Messenger
2008-09-09 13:34 --------- d-----w C:\Program Files\AVG
2008-09-09 13:26 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-09-09 13:12 --------- d-----w C:\Program Files\Windows Desktop Search
2008-09-09 13:11 --------- d-----w C:\Program Files\Yahoo!
2008-09-09 13:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-09-09 13:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2008-09-09 13:07 --------- d-----w C:\Program Files\Java
2008-09-09 13:05 --------- d-----w C:\Program Files\Yahoo SiteBuilder
2008-09-09 13:05 --------- d-----w C:\Program Files\QuickTime
2008-09-09 13:03 --------- d-----w C:\Documents and Settings\Owner\Application Data\Windows Search
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2001-07-26 20:58 47 ----a-w C:\Program Files\ACMonitor_X73.ini
2001-07-05 16:46 8,116 ----a-w C:\Program Files\OSLO3071b2.USB
2001-05-08 20:36 114,688 ----a-w C:\Program Files\lxarscan.dll
2001-04-23 18:22 1,437 ----a-w C:\Program Files\gtx73.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 5674352]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 286720]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-10-09 1234712]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2005-05-09 1742384]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-10-09 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-10-09 875288]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-09 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-10-09 76040]
S2 vdo_561d-700a;vdo_561d-700a;C:\WINDOWS\system32\vdo_561d-700a.sys [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{87d0bcef-c8a3-11d9-9ff5-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2008-10-09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2005-10-08 C:\WINDOWS\Tasks\ISP signup reminder 1.job
- C:\WINDOWS\system32\OOBE\oobebaln.exe [2008-04-13 20:12]

2005-10-08 C:\WINDOWS\Tasks\ISP signup reminder 2.job
- C:\WINDOWS\system32\OOBE\oobebaln.exe [2008-04-13 20:12]

2005-10-08 C:\WINDOWS\Tasks\ISP signup reminder 3.job
- C:\WINDOWS\system32\OOBE\oobebaln.exe [2008-04-13 20:12]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
R1 -: HKCU-Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: &AOL Toolbar search - C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-19 21:56:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------- Other Running Processes -------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-10-19 22:00:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-20 01:59:52

Pre-Run: 148,260,368,384 bytes free
Post-Run: 148,470,484,992 bytes free

175 --- E O F --- 2008-10-15 11:48:44

angeljam


0

Response Number 9
Name: jabuck
Date: October 19, 2008 at 19:28:10 Pacific
Reply:

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
C:\sqmdata04.sqm
C:\sqmnoopt04.sqm
C:\sqmdata03.sqm
C:\sqmnoopt03.sqm
C:\sqmdata02.sqm
C:\sqmnoopt02.sqm
C:\WINDOWS\asuzakuciz.inf
C:\WINDOWS\system32\byku.dll
C:\WINDOWS\pehini.sys
C:\Documents and Settings\All Users\Application Data\nyhybij.bat
C:\Documents and Settings\All Users\Application Data\xahamazifu.exe
C:\Documents and Settings\Owner\Application Data\cofu.reg
C:\WINDOWS\iqygyh.dll
C:\WINDOWS\system32\vyrisik.dat
C:\WINDOWS\dysu.exe
C:\WINDOWS\ipigufej.exe
C:\WINDOWS\mokymige.reg
C:\WINDOWS\system32\inab.ban
C:\WINDOWS\system32\TDSSosvd.dat

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto start click "run".

Post a new Combofix log following the previous directions then continue with the clean up.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Please run Esets online scanner from this link:

ESET

1. Note: You will need to use Internet Explorer for this scan
2. Tick the box next to YES, I accept the Terms of Use.
3. Click Start
4. When asked, allow the ActiveX control to install
5. Click Start
6. Make sure that the option Remove found threats is unticked (I want to see what is found first), and the option Scan unwanted applications is checked
7. Click Scan
8. Wait for the scan to finish
9. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
10. Copy and paste that log in your next reply.


0

Response Number 10
Name: angeljam
Date: October 19, 2008 at 19:44:31 Pacific
Reply:

ComboFix 08-10-19.03 - Owner 2008-10-19 22:32:36.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.296 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\All Users\Application Data\nyhybij.bat
C:\Documents and Settings\All Users\Application Data\xahamazifu.exe
C:\Documents and Settings\Owner\Application Data\cofu.reg
C:\sqmdata02.sqm
C:\sqmdata03.sqm
C:\sqmdata04.sqm
C:\sqmnoopt02.sqm
C:\sqmnoopt03.sqm
C:\sqmnoopt04.sqm
C:\WINDOWS\asuzakuciz.inf
C:\WINDOWS\dysu.exe
C:\WINDOWS\ipigufej.exe
C:\WINDOWS\iqygyh.dll
C:\WINDOWS\mokymige.reg
C:\WINDOWS\pehini.sys
C:\WINDOWS\system32\byku.dll
C:\WINDOWS\system32\inab.ban
C:\WINDOWS\system32\TDSSosvd.dat
C:\WINDOWS\system32\vyrisik.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\nyhybij.bat
C:\Documents and Settings\All Users\Application Data\xahamazifu.exe
C:\Documents and Settings\Owner\Application Data\cofu.reg
C:\sqmdata02.sqm
C:\sqmdata03.sqm
C:\sqmdata04.sqm
C:\sqmnoopt02.sqm
C:\sqmnoopt03.sqm
C:\sqmnoopt04.sqm
C:\WINDOWS\asuzakuciz.inf
C:\WINDOWS\dysu.exe
C:\WINDOWS\ipigufej.exe
C:\WINDOWS\iqygyh.dll
C:\WINDOWS\mokymige.reg
C:\WINDOWS\pehini.sys
C:\WINDOWS\system32\byku.dll
C:\WINDOWS\system32\inab.ban
C:\WINDOWS\system32\TDSSosvd.dat
C:\WINDOWS\system32\vyrisik.dat

.
((((((((((((((((((((((((( Files Created from 2008-09-20 to 2008-10-20 )))))))))))))))))))))))))))))))
.

2100-02-23 14:35 . 2001-02-22 09:54 768 --a------ C:\Program Files\x73_lut.dat
2100-02-08 16:03 . 2001-05-11 11:39 53,248 --a------ C:\Program Files\ACMonitor_X73.exe
2008-10-19 19:42 . 2008-10-19 19:42 578,560 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-10-19 19:40 . 2008-10-19 19:40 <DIR> d-------- C:\WINDOWS\ERUNT
2008-10-19 19:37 . 2008-10-19 19:57 <DIR> d-------- C:\SDFix
2008-10-19 16:59 . 2008-10-19 21:33 <DIR> d--h----- C:\$AVG8.VAULT$
2008-10-18 13:55 . 2008-10-19 12:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-18 13:55 . 2008-10-18 13:55 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-10-18 13:55 . 2008-10-18 13:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-18 13:55 . 2008-10-16 20:25 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-18 13:55 . 2008-10-16 20:25 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-15 07:42 . 2008-09-08 06:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-15 07:41 . 2008-08-14 06:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 07:41 . 2008-08-14 06:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 07:41 . 2008-08-14 05:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 07:41 . 2008-08-14 05:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 07:41 . 2008-09-15 08:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-09 07:12 . 2008-10-19 20:12 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-10-09 07:12 . 2008-10-09 07:12 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-10-09 07:12 . 2008-10-09 07:12 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-10-09 07:12 . 2008-10-09 07:12 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-10-09 07:02 . 2008-10-18 16:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-18 14:07 15,984 ----a-w C:\Program Files\Common Files\adinav.inf
2008-09-19 17:33 20,747 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-09-19 17:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-19 17:33 --------- d-----w C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor
2008-09-10 17:59 --------- d-----w C:\Program Files\MSN Messenger
2008-09-09 13:34 --------- d-----w C:\Program Files\AVG
2008-09-09 13:26 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-09-09 13:12 --------- d-----w C:\Program Files\Windows Desktop Search
2008-09-09 13:11 --------- d-----w C:\Program Files\Yahoo!
2008-09-09 13:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-09-09 13:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2008-09-09 13:07 --------- d-----w C:\Program Files\Java
2008-09-09 13:05 --------- d-----w C:\Program Files\Yahoo SiteBuilder
2008-09-09 13:05 --------- d-----w C:\Program Files\QuickTime
2008-09-09 13:03 --------- d-----w C:\Documents and Settings\Owner\Application Data\Windows Search
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2001-07-26 20:58 47 ----a-w C:\Program Files\ACMonitor_X73.ini
2001-07-05 16:46 8,116 ----a-w C:\Program Files\OSLO3071b2.USB
2001-05-08 20:36 114,688 ----a-w C:\Program Files\lxarscan.dll
2001-04-23 18:22 1,437 ----a-w C:\Program Files\gtx73.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 5674352]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 286720]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-10-09 1234712]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2005-05-09 1742384]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-10-09 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-10-09 875288]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-09 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-10-09 76040]
S2 vdo_561d-700a;vdo_561d-700a;C:\WINDOWS\system32\vdo_561d-700a.sys [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{87d0bcef-c8a3-11d9-9ff5-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2008-10-09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2005-10-08 C:\WINDOWS\Tasks\ISP signup reminder 1.job
- C:\WINDOWS\system32\OOBE\oobebaln.exe [2008-04-13 20:12]

2005-10-08 C:\WINDOWS\Tasks\ISP signup reminder 2.job
- C:\WINDOWS\system32\OOBE\oobebaln.exe [2008-04-13 20:12]

2005-10-08 C:\WINDOWS\Tasks\ISP signup reminder 3.job
- C:\WINDOWS\system32\OOBE\oobebaln.exe [2008-04-13 20:12]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-19 22:36:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------- Other Running Processes -------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-10-19 22:41:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-20 02:40:28
ComboFix2.txt 2008-10-20 02:00:56

Pre-Run: 148,457,205,760 bytes free
Post-Run: 148,451,086,336 bytes free

178 --- E O F --- 2008-10-15 11:48:44

angeljam


0
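The "Files Created" section of the ComboFix log above carries two entries dated in the year 2100, which a machine scanned in 2008 cannot have produced honestly. The following is an added triage helper, not ComboFix's code or anything from this thread: it parses that section's line layout and lists entries whose timestamps lie after the scan itself. The sample lines are copied from the log in the post above, and the scan start time is taken from its header.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Excerpt copied from the "Files Created" section of the ComboFix log posted
# above; the 2100-dated entry is the one that stands out.
SAMPLE_LOG = """\
2100-02-23 14:35 . 2001-02-22 09:54 768 --a------ C:\\Program Files\\x73_lut.dat
2008-10-19 19:42 . 2008-10-19 19:42 578,560 --a--c--- C:\\WINDOWS\\system32\\dllcache\\user32.dll
2008-10-19 19:40 . 2008-10-19 19:40 <DIR> d-------- C:\\WINDOWS\\ERUNT
2008-10-18 13:55 . 2008-10-16 20:25 38,496 --a------ C:\\WINDOWS\\system32\\drivers\\mbamswissarmy.sys
"""

# Scan start time from the header of the same log ("2008-10-19 22:32:36")
SCAN_START = datetime(2008, 10, 19, 22, 32)

# Layout as it appears in the log: created, ".", modified, size or <DIR>,
# a 9-character attribute field, then the path (which may contain spaces).
_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+?)\s*$"
)
_TS = "%Y-%m-%d %H:%M"


@dataclass
class FileEntry:
    created: datetime
    modified: datetime
    size: Optional[int]      # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_files_created(text: str) -> List[FileEntry]:
    """Parse 'Files Created' lines; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(FileEntry(
            created=datetime.strptime(m["created"], _TS),
            modified=datetime.strptime(m["modified"], _TS),
            size=size, attrs=m["attrs"], path=m["path"],
        ))
    return entries


def future_dated(entries: List[FileEntry], scan_time: datetime) -> List[str]:
    """Paths whose creation or modification time lies after the scan itself.
    A timestamp the clock cannot have produced yet is either a broken
    installer or an altered timestamp; either way it deserves a second look
    instead of being dismissed as noise."""
    return [e.path for e in entries
            if e.created > scan_time or e.modified > scan_time]


if __name__ == "__main__":
    hits = future_dated(parse_files_created(SAMPLE_LOG), SCAN_START)
    print("future-dated entries:", hits)
```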

Response Number 11
Name: jabuck
Date: October 19, 2008 at 20:11:11 Pacific
Reply:

Please go to VirusTotal and upload the following files, one at a time, for analysis:

C:\Program Files\Common Files\adinav.inf

C:\WINDOWS\system32\vdo_561d-700a.sys

Use the browse button at the site to find the file, once you find the file double click it and it should appear in the empty space to the left of the browse button> click "send file".

Post the results in your reply.


0

Response Number 12
Name: angeljam
Date: October 19, 2008 at 20:33:16 Pacific
Reply:

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3536 (20081019)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.060 (20070601)
# EOSSerial=81380ff883c93d4a9630cfbafe7fdb11
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-10-20 03:30:20
# local_time=2008-10-19 11:30:20 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=335815
# found=4
# scan_time=2329
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\41\529ea6e9-1b3a32b9 Java/TrojanDownloader.OpenStream.NAA trojan E9E68CFBC0EF79DD30117953CD36547E
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\41\529ea6e9-1b3a32b9 »ZIP »OP.class Java/TrojanDownloader.OpenStream.NAA trojan 00000000000000000000000000000000
C:\SDFix\backups\backups.zip Win32/Agent.ODG virus 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/TDSS19ef.tmp Win32/Agent.ODG virus 00000000000000000000000000000000

angeljam


0

Response Number 13
Name: angeljam
Date: October 19, 2008 at 20:40:23 Pacific
Reply:

Went to that site, typed in what you asked and nothing happens. I posted the ESET log.

angeljam


0

Response Number 14
Name: jabuck
Date: October 19, 2008 at 20:40:56 Pacific
Reply:

Navigate to and delete this folder if found:

C:\SDFix

Go to start> control panel> java> general tab> settings> delete files> ok.

Go to start> control panel>add/remove programs and make sure you have only the Java 6 Update 7 installed. Any others need to be uninstalled.


0

Response Number 15
Name: angeljam
Date: October 19, 2008 at 20:49:06 Pacific
Reply:

OK, did that. Should I try that VirusTotal again?

angeljam


0

Response Number 16
Name: jabuck
Date: October 19, 2008 at 20:51:09 Pacific
Reply:

I just tried the site and it analyzed the file I sent in just a minute. You don't type it in the space> click the browse button at the site> then navigate to the files, one at a time> double click the file (should now appear in the space)> click send.

If you don't see the files they are probably hidden:

Set up the computer to view hidden files:
To show hidden files do the following:
Click Start > My Computer
On the Tools menu, click Folder Options.
Click the View tab.
Uncheck Hide file extensions for known file types.
Uncheck Hide protected operating system files.
Under the Hidden files folder, locate and check Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply > OK.

Then look again for the files.


0

Response Number 17
Name: angeljam
Date: October 19, 2008 at 21:06:07 Pacific
Reply:

File adinav.inf received on 10.20.2008 05:53:32 (CET)
Result: 0/36 (0%)
Additional information
File size: 15984 bytes
PEiD..: -
TrID..: File type identification
MPEG Video (100.0%)
PEInfo: -
The first one was found but the second one cannot be found. Should I recheck the hidden files?

angeljam


0

Response Number 18
Name: jabuck
Date: October 20, 2008 at 03:32:48 Pacific
Reply:

Ok, the computer appears to be clean, how is it operating?


0

Response Number 19
Name: angeljam
Date: October 20, 2008 at 06:13:03 Pacific
Reply:

It is running fine. Should I be concerned about my personal information like PayPal, eBay and other accounts I have on here? Thank you for your help. Have a good day.

angeljam


0

Response Number 20
Name: jabuck
Date: October 20, 2008 at 15:47:43 Pacific
Reply:

I would change my passwords to be on the safe side.

Glad we could help.


0

Response Number 21
Name: KirstyN
Date: October 21, 2008 at 05:23:47 Pacific
Reply:

Definitely go through again and change your passwords, especially to the websites where you've stored any bank or credit card details. Even though you've removed the threat, you should be aware that some data could potentially have already been intercepted.

I would recommend changing passwords to sites like eBay and PayPal regularly whether your computer has been infected or not. It's just much more secure to do so.

http://www.pcfixreview.com


0
