Now the computer is running MUCH better, much quicker than before, and it seems I am rid of those pesky popups. I'm going to do an Ad-Aware scan and see if it finds anything.
Also, if I am finished here with the fixes, I'd like to know what you recommend as far as antivirus software goes. I am currently not running anything, as my McAfee expired quite some time ago. I appreciate your help and feedback.
I have fixed those "trusted zone" files through HJT, as I never saved those personally. As for the file you asked me to scan through the site... "C:\WINDOWS\SmFzb24\mAIWvZb.vbs"
Please visit this link: http://virusscan.jotti.org/
* Click the Browse... button
* Navigate to the following file: C:\WINDOWS\SmFzb24\mAIWvZb.vbs
* Click Open
* Please let me know the results.
About to follow your instructions in just a minute here; however, I just ran an Ad-Aware full system scan and it found 22 new critical objects, including a virus that it hasn't found before. Here are some of the objects found...
Regarding not being able to find the file, try this and see if you can locate it.
Show your hidden files
To enable the viewing of hidden files, follow these steps:
Close all programs so that you are at your desktop.
Double-click on the My Computer icon (or click Start, then select My Computer)
Select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Put a checkmark in the checkbox labeled Display the contents of system folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button, and close My Computer.
Now your computer is configured to show all hidden files. You will reverse this process when your system is clean.
----------------------------------------------------------------------------------------------
Now try to upload the file and let me know how it goes.
Markamus, here are the results from the scan for that file:
A-Squared: Found nothing
AntiVir: Found ADSPY/Isearch
ArcaVir: Found nothing
Avast: Found VBS:Malware-gen
AVG Antivirus: Found nothing
BitDefender: Found Adware.Isearch.D
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found Adware/Isearch
Ikarus: Found AdWare.Isearch
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found VBS/CommAd.A
Panda Antivirus: Found nothing
Rising Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing
Many of the flagged files were located in System Volume Information. I've deleted them with Ad-Aware, but will scan again to see if they are still present. Also, I've tried to look into that folder, but access is denied. The Ewido malware scan logfile/HJT log will follow shortly. The download is taking quite some time...
*edit
Looks like the scan is going to take longer than expected; will post details in a couple of hours. Thanks for your help, Markamus.
Message Edited by watch your drag on 03-08-2008 07:40 PM
Where were the files located that the system scan was flagging?
Using Windows Explorer (right-click on "Start," select "Explore," and you will see the "tree" of file folders in the left side of the window; click on the "+" next to any folder name to expand its contents), locate and delete the following folder:
C:\WINDOWS\SmFzb24
----------------------------------------------------------------------------------------------
When a dialog box appears asking you if you would like to download and install the ewido anti-spyware online scanner, please click Yes to allow the download.
Click on Start Scan.
After the scan completes it will produce a log for you. Copy and paste the results of that scan as a reply to this thread.
If any infections are found (after you save the logfile), click on Remove Infections.
Anything found in System Volume Information poses no threat. If you can, find out the exact location of the files being flagged and I will check them just to be sure.
markamus (435 Posts), March 7th, 2008 22:00
Welcome to DCF.
1. Download this file - combofix.exe - and save it to your Desktop.
2. Double-click combofix.exe and follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
watch your drag (55 Posts), March 8th, 2008 04:00
Hey markamus, thanks for the quick reply!
I believe that in the ComboFix log it states that no hidden malware was found; however, when I shut off the computer, an "ending program" box appears with "ShellconHiddenWindow" as the title. Don't know if that is relevant, but thought it may help. Look forward to your reply, Markamus...
Here is the log:
ComboFix 08-03-07.4 - Jason 2008-03-07 22:05:01.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.210 [GMT -8:00]
Running from: C:\Documents and Settings\Jason\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Jonathan\My Documents\ECURIT~1
C:\Documents and Settings\Jonathan\My Documents\ECURIT~1\?ecurity\
C:\Documents and Settings\Jonathan\My Documents\ECURIT~1\dexplore.exe
C:\Program Files\curity~1
C:\Program Files\curity~1\c?rss.exe
C:\Program Files\JavaCore
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\JavaCore\UnInstall.exe
C:\Program Files\NoDNS
C:\Program Files\NoDNS\NoDNS.exe
C:\Program Files\NoDNS\UnInstall.exe
C:\Program Files\outerinfo
C:\Program Files\Temporary
C:\Program Files\Temporary\InsiDERIns.exe
C:\Program Files\xInsIDE
C:\Program Files\xInsIDE\xInsIDE.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\BMe77c23fd.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aakeoyge.dll
C:\WINDOWS\system32\adeeg.ini2
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\bwagwhqo.dll
C:\WINDOWS\system32\bxwuwdny.ini
C:\WINDOWS\system32\cjgihcbd.dll
C:\WINDOWS\system32\crglaoel.dll
C:\WINDOWS\system32\eauqjcjr.ini
C:\WINDOWS\system32\efhkj.ini2
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f02WtR\f02WtR1065.exe
C:\WINDOWS\system32\fmwjxeno.dll
C:\WINDOWS\system32\gebxwvw.dll
C:\WINDOWS\system32\hjjphejm.dll
C:\WINDOWS\system32\ltrmguxo.dll
C:\WINDOWS\system32\mvshydk.dll
C:\WINDOWS\system32\orutv.ini
C:\WINDOWS\system32\orutv.ini2
C:\WINDOWS\system32\qehepxtk.dll
C:\WINDOWS\system32\qrutv.ini
C:\WINDOWS\system32\qrutv.ini2
C:\WINDOWS\system32\qulponmv.ini
C:\WINDOWS\system32\spvlbpjx.dll
C:\WINDOWS\system32\ststv.ini
C:\WINDOWS\system32\ststv.ini2
C:\WINDOWS\system32\tdwegiek.dll
C:\WINDOWS\system32\vmnopluq.dll
C:\WINDOWS\system32\vnkgygvq.dll
C:\WINDOWS\system32\vturq.dll
C:\WINDOWS\system32\wgywcnou.dll
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\yndwuwxb.dll
C:\WINDOWS\system32\ytslevrl.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_NETWORK_MONITOR
((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))
.
2008-03-07 15:22 . 2008-03-07 15:22
2008-03-06 00:37 . 2008-03-07 00:39 6,400,038 ---hs---- C:\WINDOWS\system32\tstlylve.ini
2008-03-05 00:33 . 2008-03-06 00:34 4,365,118 ---hs---- C:\WINDOWS\system32\kskohfyh.ini
2008-03-03 16:56 . 2008-03-05 00:28 2,334,423 ---hs---- C:\WINDOWS\system32\qresvcfj.ini
2008-02-29 10:23 . 2008-03-07 22:04 31,612 ---hs---- C:\WINDOWS\system32\hjjphejm.dllbox
2008-02-29 10:15 . 2008-02-29 10:15 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-02-29 09:00 . 2008-02-29 10:15
2008-02-28 19:04 . 2008-02-28 19:04
2008-02-28 19:04 . 2008-02-28 19:35
2008-02-28 17:55 . 2008-02-28 17:55
2008-02-28 17:55 . 2008-02-28 17:55
2008-02-28 17:53 . 2008-02-28 17:53
2008-02-28 17:06 . 2008-02-28 17:06
2008-02-28 07:34 . 2008-02-28 07:34
2008-02-28 04:35 . 2008-02-28 19:39
2008-02-28 04:24 . 2008-02-28 04:24
2008-02-28 04:24 . 2008-02-28 18:58
2008-02-27 04:08 . 2008-02-27 02:08 50,176 --------- C:\WINDOWS\b153.exe_old
2008-02-25 07:00 . 2008-02-25 05:00 81,920 --------- C:\WINDOWS\b154.exe_old
2008-02-20 09:02 . 2008-02-20 07:02 101,376 --------- C:\WINDOWS\b152.exe_old
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 09:46 --------- d-----w C:\Program Files\Warcraft III
2008-02-29 17:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-02-29 04:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-29 04:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-29 01:33 --------- d-----w C:\Program Files\Viewpoint
2008-02-29 01:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-29 01:23 --------- d-----w C:\Documents and Settings\Jason\Application Data\Lavasoft
2008-02-29 01:02 --------- d-----w C:\Documents and Settings\Jason\Application Data\DivX
2008-02-22 03:10 --------- d-----w C:\Program Files\Bodog Poker
2008-02-04 22:41 --------- d-----w C:\Documents and Settings\Jason\Application Data\AdobeUM
2008-02-02 03:06 --------- d-----w C:\Documents and Settings\Jonathan\Application Data\Corel
2008-01-28 07:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2007-02-04 12:20 44,240 ----a-w C:\Documents and Settings\Jonathan\Application Data\GDIPFONTCACHEV1.DAT
2005-07-30 00:24 472 --sha-r C:\WINDOWS\SmFzb24\mAIWvZb.vbs
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D7663FD3-7A48-4BA5-A1DA-62A2229A174A}]
C:\WINDOWS\system32\vtsts.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E167D4D0-3263-4D1C-98F2-7F09184D7AE5}]
C:\WINDOWS\system32\vturo.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]
"AIM"="C:\Program Files\AIM\aim.exe" [2004-06-07 12:53 61440]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 13:46 135168]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 15:48 32881]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 22:20 339968 C:\WINDOWS\stsystra.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 19:05 344064]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 14:19 53248]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 23:05 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 08:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 08:44 81920]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 17:20 8192]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 09:06 106496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-01 13:09 98304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-04 13:18 185896]
"hovymib"="C:\Program Files\MSN\hovymib77798.exe" [ ]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16 1121792]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 09:59:36 806912]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\ijji\\ENGLISH\\u_sf\\soldierfront.exe"=
"C:\\ijji\\ENGLISH\\u_gbound.exe"=
S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-07 22:18:08
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MSControlService]
"ImagePath"="C:\WINDOWS\system32\windows"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
.
**************************************************************************
.
Completion time: 2008-03-07 22:22:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-08 06:22:06
.
2008-02-13 11:02:36 --- E O F ---
markamus (435 Posts), March 8th, 2008 05:00
Delete bad services
Please copy (Ctrl+C) and paste (Ctrl+V) the following bolded blue text in the quote into Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.
@echo off
sc MSControlService
sc MSControlService
exit
Double-click FixServices.bat. A window will open and close. This is normal.
----------------------------------------------------------------------------------------------
Open Notepad again and copy/paste the bolded blue text into the window:
File::
C:\WINDOWS\system32\tstlylve.ini
C:\WINDOWS\system32\kskohfyh.ini
C:\WINDOWS\system32\qresvcfj.ini
C:\WINDOWS\system32\hjjphejm.dllbox
C:\WINDOWS\b153.exe_old
C:\WINDOWS\b154.exe_old
C:\WINDOWS\b152.exe_old
C:\WINDOWS\system32\vtsts.dll
C:\WINDOWS\system32\vturo.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D7663FD3-7A48-4BA5-A1DA-62A2229A174A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E167D4D0-3263-4D1C-98F2-7F09184D7AE5}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hovymib"=-
Save it to your desktop as CFScript.txt.
Referring to the picture above, drag CFScript.txt into ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
In your next reply, please include the following:
watch your drag (55 Posts), March 8th, 2008 20:00
Hi there markamus,
Per the instructions for creating the FixServices Notepad file: after I save it as "All Files" on my desktop under the name FixServices.bat, I double-click it and it does open a window, but it does not close automatically. It asks:
"Would you like to see help for the QUERY and QUERYEX commands? [y/n]"
I would like to know about this before I continue. Thanks again for your help.
markamus (435 Posts), March 8th, 2008 20:00
My apologies. It seems as though the forum software stripped out part of that fix and I just now noticed it.
Repeat those steps, posting the following into Notepad:
@echo off
sc stop MSControlService
sc delete MSControlService
exit
Then continue with the rest of the fix.
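The two markamus posts above assemble the CFScript and FixServices.bat by hand from the first ComboFix log. The Python script below is an added example, not part of the thread and not a ComboFix or markamus tool: it runs the same triage over a few constructed lines in ComboFix's log format (modelled on the log above; the heuristics, the sample lines and all function names are this example's own assumptions). It flags hidden+system files dropped straight into system32, a BHO whose DLL has a short random-looking name, a Run value that ComboFix printed with an empty "[ ]" because the target file has no metadata, and a service whose image path has no extension. It then renders the CFScript.txt (File:: and Registry:: sections in REGEDIT4 delete syntax) and an sc batch in which every line carries its verb, the detail that the forum software stripped from the first version of the fix.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in ComboFix's log format, modelled on the thread's log: two
# "Files Created" lines, a BHO loading point with its DLL, a Run key with two
# values (one printed with "[ ]" because the file has no metadata) and a service line.
SAMPLE_LOG = r"""
2008-03-06 00:37 . 2008-03-07 00:39 6,400,038 ---hs---- C:\WINDOWS\system32\tstlylve.ini
2008-02-29 10:15 . 2008-02-29 10:15 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D7663FD3-7A48-4BA5-A1DA-62A2229A174A}]
C:\WINDOWS\system32\vtsts.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-01 13:09 98304]
"hovymib"="C:\Program Files\MSN\hovymib77798.exe" [ ]
S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []
"""

FILE_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
                       r"[\d,]+ (\S{9}) (.+)$")
KEY_LINE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[\s*\]$')   # trailing "[ ]": no file metadata
SERVICE_LINE = re.compile(r"^[SR]\d\s+([^;]+);[^;]*;(.+?)\s*\[\s*\]$")
SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\system32")


def in_system32(path):
    """True when the file sits directly in system32 (not in a subfolder)."""
    return PureWindowsPath(path).parent == SYSTEM32


def looks_random(path):
    """Heuristic: short all-lowercase stem, like the vtsts.dll / vturo.dll BHOs in the log."""
    return re.fullmatch(r"[a-z]{4,8}", PureWindowsPath(path).stem) is not None


def triage(log_text):
    """Walk ComboFix-style lines and collect files, registry deletions and services to remove."""
    files, registry, services = [], [], []
    current_key, pending_bho = None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := FILE_LINE.match(line):
            attrs, path = m.group(1), m.group(2)
            # Hidden+system data files dropped directly into system32 (the Vundo pattern).
            if "h" in attrs and "s" in attrs and in_system32(path):
                files.append(path)
            continue
        if m := KEY_LINE.match(line):
            current_key = m.group(1)
            pending_bho = current_key if "Browser Helper Objects" in current_key else None
            continue
        if pending_bho and line.lower().endswith(".dll"):
            # The line after a BHO key is its DLL; a random-named DLL in system32 is suspect.
            if in_system32(line) and looks_random(line):
                files.append(line)
                registry.append(f"[-{pending_bho}]")
            pending_bho = None
            continue
        if (m := VALUE_LINE.match(line)) and current_key:
            # Autostart value whose target has no metadata: orphaned loader, drop the value.
            registry.append(f"[{current_key}]")
            registry.append(f'"{m.group(1)}"=-')
            continue
        if m := SERVICE_LINE.match(line):
            name, image = m.group(1), m.group(2)
            # A service binary with no extension and no metadata: nothing legitimate looks like this.
            if not PureWindowsPath(image).suffix:
                services.append(name)
    return {"files": files, "registry": registry, "services": services}


def build_cfscript(findings):
    """Render CFScript.txt: a File:: section, then Registry:: in REGEDIT4 delete syntax."""
    out = ["File::", *findings["files"], "", "Registry::", *findings["registry"]]
    return "\n".join(out) + "\n"


def build_fixservices_bat(findings):
    """Render the FixServices.bat equivalent; every sc line carries its verb."""
    lines = ["@echo off"]
    for name in findings["services"]:
        lines += [f"sc stop {name}", f"sc delete {name}"]
    lines.append("exit")
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print(build_cfscript(found))
    print(build_fixservices_bat(found))
```

Read the printed CFScript before dragging anything onto ComboFix: the heuristics are deliberately loose, so a legitimate hidden system file sitting directly in system32 would be listed as well, and the File:: section is a delete list with no undo beyond ComboFix's own quarantine.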
watch your drag (55 Posts), March 8th, 2008 21:00
Hey Markamus,
Thanks again for the help! Here are the logs:
ComboFix Log
ComboFix 08-03-07.4 - Jason 2008-03-08 15:00:10.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.245 [GMT -8:00]
Running from: C:\Documents and Settings\Jason\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jason\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\b152.exe_old
C:\WINDOWS\b153.exe_old
C:\WINDOWS\b154.exe_old
C:\WINDOWS\system32\hjjphejm.dllbox
C:\WINDOWS\system32\kskohfyh.ini
C:\WINDOWS\system32\qresvcfj.ini
C:\WINDOWS\system32\tstlylve.ini
C:\WINDOWS\system32\vtsts.dll
C:\WINDOWS\system32\vturo.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\b152.exe_old
C:\WINDOWS\b153.exe_old
C:\WINDOWS\b154.exe_old
C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M0611NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UGDC_0001_N122M2802NetInstaller.exe
C:\WINDOWS\system32\hjjphejm.dllbox
C:\WINDOWS\system32\kskohfyh.ini
C:\WINDOWS\system32\qresvcfj.ini
C:\WINDOWS\system32\tstlylve.ini
.
((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))
.
2008-03-07 15:22 . 2008-03-07 15:22
2008-02-29 10:15 . 2008-02-29 10:15 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-02-29 09:00 . 2008-02-29 10:15
2008-02-28 19:04 . 2008-02-28 19:04
2008-02-28 19:04 . 2008-02-28 19:35
2008-02-28 17:55 . 2008-02-28 17:55
2008-02-28 17:55 . 2008-02-28 17:55
2008-02-28 17:53 . 2008-02-28 17:53
2008-02-28 17:06 . 2008-02-28 17:06
2008-02-28 07:34 . 2008-02-28 07:34
2008-02-28 04:35 . 2008-02-28 19:39
2008-02-28 04:24 . 2008-02-28 04:24
2008-02-28 04:24 . 2008-02-28 18:58
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 10:54 --------- d-----w C:\Program Files\Warcraft III
2008-02-29 17:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-02-29 04:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-29 04:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-29 01:33 --------- d-----w C:\Program Files\Viewpoint
2008-02-29 01:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-29 01:23 --------- d-----w C:\Documents and Settings\Jason\Application Data\Lavasoft
2008-02-29 01:02 --------- d-----w C:\Documents and Settings\Jason\Application Data\DivX
2008-02-22 03:10 --------- d-----w C:\Program Files\Bodog Poker
2008-02-12 05:12 4,704 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-02-04 22:41 --------- d-----w C:\Documents and Settings\Jason\Application Data\AdobeUM
2008-02-02 03:06 --------- d-----w C:\Documents and Settings\Jonathan\Application Data\Corel
2008-01-28 07:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-14 19:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-02-04 12:20 44,240 ----a-w C:\Documents and Settings\Jonathan\Application Data\GDIPFONTCACHEV1.DAT
2005-07-30 00:24 472 --sha-r C:\WINDOWS\SmFzb24\mAIWvZb.vbs
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]
"AIM"="C:\Program Files\AIM\aim.exe" [2004-06-07 12:53 61440]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 13:46 135168]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 15:48 32881]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 22:20 339968 C:\WINDOWS\stsystra.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 19:05 344064]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 14:19 53248]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 23:05 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 08:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 08:44 81920]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 17:20 8192]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 09:06 106496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-01 13:09 98304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-04 13:18 185896]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16 1121792]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 09:59:36 806912]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\ijji\\ENGLISH\\u_sf\\soldierfront.exe"=
"C:\\ijji\\ENGLISH\\u_gbound.exe"=
*Newly Created Service* - GTNDIS5
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 15:03:41
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-08 15:04:19
ComboFix-quarantined-files.txt 2008-03-08 23:04:17
ComboFix2.txt 2008-03-08 06:22:10
.
2008-02-13 11:02:36 --- E O F ---
HijackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:50 PM, on 3/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\Jonathan\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\Jonathan\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
--
End of file - 8086 bytes
Now the computer is running MUCH better, much quicker than before, and it seems I am rid of those pesky popups. I'm going to do an Ad-Aware scan and see if it finds anything.
Also, if I am finished here with the fixes, I'd like to know what you recommend as far as antivirus software goes. I am currently not running anything, as my McAfee expired quite some time ago. I appreciate your help and feedback.
watch your drag
55 Posts
0
March 8th, 2008 21:00
Markamus,
I have fixed those "trusted zone" files through HJT, as I never saved those personally. As for the file you asked me to scan through the site, "C:\WINDOWS\SmFzb24\mAIWvZb.vbs",
I am not able to locate it for some reason.
markamus
435 Posts
0
March 8th, 2008 21:00
If you did not knowingly put these in your trusted zone, have HijackThis fix them:
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
---------------------------------------------------------------------
Please visit this link http://virusscan.jotti.org/
* Click the Browse... button
* Navigate to the following file C:\WINDOWS\SmFzb24\mAIWvZb.vbs
* Click Open
* Please let me know the results.
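The O15 list above is the kind of thing a helper scans for first in a HijackThis log: a site in the Internet Explorer Trusted Zone gets IE's relaxed security settings, so any entry the user did not add on purpose should go. The following is an added example, not code from the thread or from HijackThis: a small Python triage script that parses lines in the "On - ..." format of the posted log (a constructed sample of a few lines from it is embedded), flags Trusted Zone entries, "(file missing)" entries and services with no vendor string, and also checks whether an odd folder name is base64 of plain text, which is how the SmFzb24 folder named in this thread turns out to spell the logged-in user's name.

```python
import base64
import re

# Constructed sample of HijackThis log lines in the same "On - ..." format as
# the log posted in this thread; it is not the full log.
SAMPLE_HJT_LOG = [
    r"O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S",
    r"O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)",
    r"O15 - Trusted Zone: *.amaena.com (HKLM)",
    r"O15 - Trusted Zone: *.trustedantivirus.com (HKLM)",
    r"O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab",
    r"O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe",
    r"O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe",
]

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
O15_RE = re.compile(r"^Trusted Zone: (\S+) \((HKLM|HKCU)\)$")


def parse_hjt_line(line):
    """Split one HijackThis line into its section code and the fields that matter for triage."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    entry = {"section": section, "raw": line.strip()}
    if section == "O15":
        zm = O15_RE.match(body)
        if zm:
            entry["site"], entry["hive"] = zm.group(1), zm.group(2)
    else:
        # HijackThis appends "(file missing)" when the referenced binary is gone
        entry["file_missing"] = body.endswith("(file missing)")
    if section == "O23":
        # "Service: <name> - <vendor> - <path>"
        parts = body.split(" - ")
        if len(parts) >= 3:
            entry["vendor"] = parts[1]
            entry["path"] = " - ".join(parts[2:])
    return entry


def triage(lines):
    """Return (section, item, reason) tuples for the entries a helper would ask about first."""
    findings = []
    for line in lines:
        e = parse_hjt_line(line)
        if e is None:
            continue
        if e["section"] == "O15" and "site" in e:
            # Trusted Zone sites get IE's relaxed security settings, so every
            # entry the user did not add on purpose should be removed.
            findings.append(("O15", e["site"], "in IE Trusted Zone; remove unless added deliberately"))
        elif e.get("file_missing"):
            findings.append((e["section"], e["raw"], "points at a file that no longer exists; safe to fix"))
        elif e["section"] == "O23" and e.get("vendor") == "Unknown owner":
            findings.append(("O23", e["path"], "service binary has no vendor string; confirm its origin"))
    return findings


def decode_if_base64(name):
    """Return the decoded text if a file or folder name is base64 of printable ASCII, else None.

    Odd-looking folder names are worth this check: the SmFzb24 folder named in
    the thread above decodes to the logged-in user's own name.
    """
    padded = name + "=" * (-len(name) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if not raw or not raw.isascii():
        return None
    text = raw.decode("ascii")
    return text if text.isprintable() else None


if __name__ == "__main__":
    for section, item, reason in triage(SAMPLE_HJT_LOG):
        print(f"{section}: {item} -> {reason}")
    print("SmFzb24 decodes to:", decode_if_base64("SmFzb24"))
```

The triage rules are deliberately conservative: they only surface what the log itself proves (a Trusted Zone entry, a dangling path, a missing vendor string) and leave the decision to the person reading the log, which is how the helper in this thread works through it.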
watch your drag
55 Posts
0
March 8th, 2008 23:00
Also, when I shut down the computer, this window still pops up: "Ending Program - ShellIconHiddenWindow".
Is this something I should be worried about?
*edit: n/m, I think it went away after I deleted MusicMatch Jukebox :smileyhappy:
watch your drag
55 Posts
0
March 9th, 2008 00:00
About to follow your instructions in just a minute here; however, I just ran an Ad-Aware full system scan and it found 22 new critical objects, including a virus that it hasn't found before. Here are some of the objects found:
win32.trojandownloader.adload
virtumonde
win32.trojandownloader.small
win32.trojanclicker
markamus
435 Posts
0
March 9th, 2008 00:00
Show your hidden files
To enable the viewing of hidden files, follow these steps:
----------------------------------------------------------------------------------------------
Now try to upload the file and let me know how it goes.
watch your drag
55 Posts
0
March 9th, 2008 00:00
Markamus, here are the results from the scan for that file:
AntiVir Found ADSPY/Isearch
ArcaVir Found nothing
Avast Found VBS:Malware-gen
AVG Antivirus Found nothing
BitDefender Found Adware.Isearch.D
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found Adware/Isearch
Ikarus Found AdWare.Isearch
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found VBS/CommAd.A
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
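Six of twenty engines flag the file, and four of them agree on the Isearch adware family; the other two give generic names (VBS:Malware-gen, VBS/CommAd.A). That is the useful way to read a multi-engine result: not the raw count, but whether the engines that do fire agree on a family. The following is an added example, not part of the thread: a Python reader for result lists in this "engine Found verdict" shape, with the results posted above embedded as input. It splits on the word "Found" (engine names such as "F-Secure Anti-Virus" contain spaces), counts detections, and picks the family name the engines agree on after dropping category words like "Adware" and "VBS". The generic-word list is my own choice, not a published convention.

```python
import re
from collections import Counter

# The multi-engine results as posted in this thread: "<engine> Found <verdict>".
JOTTI_RESULTS = """\
AntiVir Found ADSPY/Isearch
ArcaVir Found nothing
Avast Found VBS:Malware-gen
AVG Antivirus Found nothing
BitDefender Found Adware.Isearch.D
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found Adware/Isearch
Ikarus Found AdWare.Isearch
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found VBS/CommAd.A
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
"""

# Tokens that name a category or a variant letter rather than a family (my own
# list for this example); they are ignored when looking for a consensus name.
GENERIC_TOKENS = {"adware", "adspy", "vbs", "gen", "malware", "trojan", "win32", "a", "b", "c", "d"}


def parse_scan_results(text):
    """Map each engine to its detection name, or None when it reported nothing."""
    results = {}
    for line in text.strip().splitlines():
        engine, sep, verdict = line.partition(" Found ")
        if not sep:
            continue  # skip lines that are not in the "<engine> Found <verdict>" shape
        verdict = verdict.strip()
        results[engine.strip()] = None if verdict.lower() == "nothing" else verdict
    return results


def summarize(results):
    """Count detections and pick the family name most engines agree on."""
    hits = {engine: name for engine, name in results.items() if name}
    counts = Counter()
    for name in hits.values():
        # split "Adware.Isearch.D" or "ADSPY/Isearch" into tokens and keep the family-like ones
        for tok in re.split(r"[^A-Za-z0-9]+", name):
            if tok and tok.lower() not in GENERIC_TOKENS:
                counts[tok.lower()] += 1
    family, votes = counts.most_common(1)[0] if counts else (None, 0)
    return {
        "engines": len(results),
        "detections": len(hits),
        "family": family,
        "family_votes": votes,
        "flagged_by": sorted(hits),
    }


if __name__ == "__main__":
    print(summarize(parse_scan_results(JOTTI_RESULTS)))
```

Read this way, the posted result is a detection, not noise: the engines that fire agree on one family, and adware that installs itself under a base64-named folder in C:\WINDOWS is exactly what the missing-file and Trusted Zone entries elsewhere in the log point to. A file is only plausibly clean when every engine reports nothing, and even then only weakly.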
watch your drag
55 Posts
0
March 9th, 2008 01:00
Many of the flagged files were located in System Volume Information. I've deleted them with Ad-Aware but will scan again to see if they are still present. Also, I've tried to look into that folder, but access is denied. The Ewido malware scan logfile/HJT log will follow shortly; the download is taking quite some time.
*edit
Looks like the scan is going to take longer than expected; I will post details in a couple of hours. Thanks for your help, Markamus :robothappy:
markamus
435 Posts
0
March 9th, 2008 01:00
Where were the files located that the system scan was flagging?
Using Windows Explorer
- (Right-click on "Start", select "Explore", and you will see the "tree" of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents.)
Locate and delete the following folder: C:\WINDOWS\SmFzb24
----------------------------------------------------------------------------------------------
Please perform an Ewido Online Malware Scan
In your next reply, please include the following:
markamus
435 Posts
0
March 9th, 2008 01:00
Anything found in System Volume Information poses no threat. If you can, find out the exact location of the files being flagged and I will check them just to be sure.