12-30-2007, 07:59 PM   #8
carynm
Registered User
 
Join Date: Dec 2007
Posts: 88
OS: Windows XP


Re: Computer infected, please help!

Hi Katana,

Here is the new log. I accidentally exited out of the log and had to find it in c:\. While trying to access the log, I had 3 windows pop up one after another. When I finally opened the file, it stopped. Not sure if it will happen after I post this. It was hard to access anything!

The 3 windows popped up all in a row. They say: kvdxlis.exe - Bad Image
c:\windows\system32\kvdxlma.dll is not a valid windows image.

When I exit out of the window another pops up, and another after that. I didn't write down the other two names. If it happens again, should I write them down and let you know what they are?

Thanks!



ComboFix 07-12-28.1 - Owner 2005-12-28 21:15:50.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.143 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Program Files\csrss0.exe
C:\Program Files\Internet Explorer\IEXPLORE32.Dat
C:\Program Files\Internet Explorer\IEXPLORE32.Sys
C:\Program Files\Internet Explorer\IEXPLORE32.win
C:\WINDOWS\0494ac5aa2.dll
C:\WINDOWS\Downlo~1\hh9.dll
C:\WINDOWS\Downlo~1\num3rm0b.dll
C:\WINDOWS\Fonts\avwghinb.dll
C:\WINDOWS\Fonts\avzxlinb.dll
C:\WINDOWS\Fonts\hookhelp.ini
C:\WINDOWS\Fonts\kawdicsb.dll
C:\WINDOWS\Fonts\kvdxlcf.dll
C:\WINDOWS\Fonts\kvdxslcf.dll
C:\WINDOWS\Fonts\okmhccs.dll
C:\WINDOWS\Fonts\rarjenia.dll
C:\WINDOWS\Fonts\ratbrnib.dll
C:\WINDOWS\system32\26F21CF4.EXE
C:\WINDOWS\system32\28f1.dll
C:\WINDOWS\system32\7967556C.dat
C:\WINDOWS\system32\8f3b1.exe
C:\WINDOWS\system32\9E827BA2.DLL
C:\WINDOWS\system32\aamd532.dll
C:\WINDOWS\system32\adurl.ini
C:\WINDOWS\system32\avwghmn.dll
C:\WINDOWS\system32\avwlhmn.dll
C:\WINDOWS\system32\avzxlmn.dll
C:\WINDOWS\system32\bho.dll
C:\WINDOWS\system32\cflInfo.nt
C:\WINDOWS\system32\dnabeser.dat
C:\WINDOWS\system32\DRIVERS\5ylbkzwq.sys
C:\WINDOWS\system32\drivers\lr5lof8.sys
C:\WINDOWS\system32\drivers\usbhelp.sys
C:\WINDOWS\system32\drivers\usbplay.sys
C:\WINDOWS\system32\drivers\usbshow.sys
C:\WINDOWS\system32\e8ae8279a2.dll
C:\WINDOWS\system32\eee4d7ff00.dll
C:\WINDOWS\system32\ini.~tmp
C:\WINDOWS\system32\JQWEMTA.LDO
C:\WINDOWS\system32\jsqxayc.dll
C:\WINDOWS\system32\kaqhlzy.dll
C:\WINDOWS\system32\key.~tmp
C:\WINDOWS\system32\mstacim.sig
C:\WINDOWS\system32\mu17kg0g.dll
C:\WINDOWS\system32\ratbrpi.dll
C:\WINDOWS\system32\rsztnpm.dll
C:\WINDOWS\system32\setyahoo.ini
C:\WINDOWS\system32\TZFNVBIPVCI.DLL
C:\WINDOWS\system32\usbhelp.exe
C:\WINDOWS\system32\usbplay.exe
C:\WINDOWS\system32\usbshow.dll
C:\WINDOWS\system32\WCIPYELRYFLS.DLL
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\t
C:\Program Files\csrss0.exe
C:\Program Files\Internet Explorer\IEXPLORE32.Dat
C:\Program Files\Internet Explorer\IEXPLORE32.jmp
C:\Program Files\Internet Explorer\IEXPLORE32.Sys
C:\Program Files\Internet Explorer\IEXPLORE32.win
C:\WINDOWS\0494ac5aa2.dll
C:\WINDOWS\Downlo~1\hh9.dll
C:\WINDOWS\Downlo~1\num3rm0b.dll
C:\WINDOWS\Fonts\avwghinb.dll
C:\WINDOWS\Fonts\avzxlinb.dll
C:\WINDOWS\Fonts\hookhelp.ini
C:\WINDOWS\Fonts\kawdicsb.dll
C:\WINDOWS\Fonts\kvdxlcf.dll
C:\WINDOWS\Fonts\kvdxslcf.dll
C:\WINDOWS\Fonts\okmhccs.dll
C:\WINDOWS\Fonts\rarjenia.dll
C:\WINDOWS\Fonts\ratbrnib.dll
C:\WINDOWS\system32\26F21CF4.EXE
C:\WINDOWS\system32\28f1.dll
C:\WINDOWS\system32\4209D
C:\WINDOWS\system32\4209D\ctfmon.exe
C:\WINDOWS\system32\4209D\incdown.txt
C:\WINDOWS\system32\4209D\insatll.~tmp
C:\WINDOWS\system32\4209D\report.~tmp
C:\WINDOWS\system32\4209D\svchost.exe
C:\WINDOWS\system32\7967556C.dat
C:\WINDOWS\system32\8f3b1.exe
C:\WINDOWS\system32\9E827BA2.DLL
C:\WINDOWS\system32\aamd532.dll
C:\WINDOWS\system32\adurl.ini
C:\WINDOWS\system32\avwghmn.dll
C:\WINDOWS\system32\avwlhmn.dll
C:\WINDOWS\system32\bho.dll
C:\WINDOWS\system32\cflInfo.nt
C:\WINDOWS\system32\dnabeser.dat
C:\WINDOWS\system32\DRIVERS\5ylbkzwq.sys
C:\WINDOWS\system32\drivers\lr5lof8.sys
C:\WINDOWS\system32\drivers\usbhelp.sys
C:\WINDOWS\system32\drivers\usbplay.sys
C:\WINDOWS\system32\drivers\usbshow.sys
C:\WINDOWS\system32\e8ae8279a2.dll
C:\WINDOWS\system32\eee4d7ff00.dll
C:\WINDOWS\system32\ini.~tmp
C:\WINDOWS\system32\JQWEMTA.LDO
C:\WINDOWS\system32\jsqxayc.dll
C:\WINDOWS\system32\kaqhlzy.dll
C:\WINDOWS\system32\key.~tmp
C:\WINDOWS\system32\mstacim.sig
C:\WINDOWS\system32\mu17kg0g.dll
C:\WINDOWS\system32\ratbrpi.dll
C:\WINDOWS\system32\setyahoo.ini
C:\WINDOWS\system32\TZFNVBIPVCI.DLL
C:\WINDOWS\system32\usbhelp.exe
C:\WINDOWS\system32\usbplay.exe
C:\WINDOWS\system32\usbshow.dll
C:\WINDOWS\system32\WCIPYELRYFLS.DLL

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_7967556C
-------\LEGACY_LR5LOF8
-------\LEGACY_MS_2FAX
-------\7967556C
-------\lr5lof8


((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-29 )))))))))))))))))))))))))))))))
.

2007-12-28 12:18 . 2005-12-28 21:59 19,379 --a--c--- C:\WINDOWS\system32\dllcache\svchost.exe
2007-12-28 10:59 . 2007-12-28 10:59 <DIR> d-------- C:\Program Files\Windows Live
2007-12-28 10:59 . 2007-12-28 10:59 <DIR> d-------- C:\Program Files\MSN Messenger
2007-12-28 10:59 . 2005-12-28 13:22 <DIR> d-------- C:\Program Files\Incesoft
2007-12-28 10:59 . 2007-12-28 10:59 20,541 --a------ C:\WINDOWS\system32\detoured.dll
2007-12-28 10:44 . 2007-12-28 10:43 16,175 --------- C:\WINDOWS\system32\kawdiaz.exe
2007-12-28 10:43 . 2007-12-28 10:43 24,123 ---hs---- C:\WINDOWS\system32\kvdxlma.dll
2007-12-28 10:43 . 2007-12-28 10:43 15,779 --------- C:\WINDOWS\system32\kvdxlis.exe
2007-12-28 10:43 . 2007-12-28 10:42 15,502 --------- C:\WINDOWS\system32\kvdxslis.exe
2007-12-28 10:43 . 2007-12-28 10:43 60 ---hs---- C:\WINDOWS\system32\kvdxslma.dll
2007-12-28 10:42 . 2007-12-28 10:42 16,087 --------- C:\WINDOWS\system32\okmhcaz.exe
2007-12-28 10:42 . 2007-12-28 10:42 62 ---hs---- C:\WINDOWS\system32\okmhczy.dll
2007-12-28 10:41 . 2007-12-28 10:41 15,194 --------- C:\WINDOWS\system32\ratbrtl.exe
2007-12-28 09:31 . 2005-12-29 09:53 20 --a------ C:\Documents and Settings\Owner\mhsha1.dat
2007-12-27 20:11 . 2007-12-27 20:10 15,416 --a------ C:\WINDOWS\system32\jsqxazc.exe
2007-12-27 20:10 . 2007-12-28 10:40 17,056 --a------ C:\WINDOWS\system32\wsmseax.exe
2007-12-27 20:10 . 2007-12-28 10:45 16,517 --------- C:\WINDOWS\system32\avwghst.exe
2007-12-27 20:10 . 2007-12-27 20:10 16,109 --a------ C:\WINDOWS\system32\kawdhaz.exe
2007-12-27 20:10 . 2007-12-27 20:10 15,989 --a------ C:\WINDOWS\system32\gjtmazc.exe
2007-12-27 20:10 . 2007-12-27 20:10 15,888 --a------ C:\WINDOWS\system32\swrcfac.exe
2007-12-27 20:10 . 2007-12-28 10:41 15,588 --------- C:\WINDOWS\system32\kaqhlaz.exe
2007-12-27 20:10 . 2007-12-28 10:44 15,576 --------- C:\WINDOWS\system32\gjcsczc.exe
2007-12-27 20:10 . 2007-12-28 10:45 15,388 --------- C:\WINDOWS\system32\gjfhazc.exe
2007-12-27 20:09 . 2005-12-28 15:01 134,144 --a------ C:\WINDOWS\system32\SSLDyn.dll
2007-12-27 20:09 . 2007-12-27 20:09 77,824 --a------ C:\WINDOWS\system32\wxptdi.sys
2007-12-27 20:09 . 2007-12-27 20:09 16,949 --a------ C:\WINDOWS\system32\rsztnsp.exe
2007-12-27 20:09 . 2007-12-28 10:43 16,506 --------- C:\WINDOWS\system32\avwlhst.exe
2007-12-14 21:23 . 2007-12-27 14:19 <DIR> d-------- C:\Program Files\Evrsoft First Page 2006
2007-12-14 21:23 . 2005-09-23 17:02 887,296 --a------ C:\WINDOWS\system32\KsDHTMLEDLib.ocx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-29 14:12 53,248 ----a-r C:\WINDOWS\a341.exe
2007-12-29 02:24 126 ----a-w C:\WINDOWS\Fonts\avwlhin.dll
2007-12-29 02:24 108 ----a-w C:\WINDOWS\Fonts\jsqxass.dll
2007-12-29 02:24 105 ----a-w C:\WINDOWS\Fonts\kaqhlcsa.dll
2007-12-29 02:24 104 ----a-w C:\WINDOWS\Fonts\avwghina.dll
2007-12-28 15:51 --------- d-----w C:\Program Files\LimeWire
2007-12-28 15:51 --------- d-----w C:\Program Files\iWin.com
2007-12-26 01:48 --------- d-----w C:\Documents and Settings\Owner\Application Data\CoreFTP
2007-11-13 16:55 --------- d-----w C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-11-13 16:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-13 16:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-13 03:10 --------- d-----w C:\Program Files\Trend Micro
2007-11-12 13:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-11-11 13:50 --------- d-----w C:\Program Files\Java
2007-02-06 21:01 6,252,136 ----a-w C:\Program Files\winzip100.exe
2006-03-01 01:50 9,898,658 ----a-w C:\Program Files\fp2006-final-3.00-setup.exe
2005-12-07 18:47 34,412,848 ----a-w C:\Program Files\iTunesSetup.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\system32\-5-64-8750 ----

C:\WINDOWS\system32\-5-64-8750\

---- Directory of C:\WINDOWS\system32\10b ----

C:\WINDOWS\system32\10b\

---- Directory of C:\WINDOWS\system32\11-64-8750 ----

C:\WINDOWS\system32\11-64-8750\

---- Directory of C:\WINDOWS\system32\127a10 ----

C:\WINDOWS\system32\127a10\

---- Directory of C:\WINDOWS\system32\363 ----

C:\WINDOWS\system32\363\

---- Directory of C:\WINDOWS\system32\3e610 ----

C:\WINDOWS\system32\3e610\

---- Directory of C:\WINDOWS\system32\53da ----

C:\WINDOWS\system32\53da\

---- Directory of C:\WINDOWS\system32\610b ----

C:\WINDOWS\system32\610b\

---- Directory of C:\WINDOWS\system32\63e6 ----

C:\WINDOWS\system32\63e6\

---- Directory of C:\WINDOWS\system32\672 ----

C:\WINDOWS\system32\672\

---- Directory of C:\WINDOWS\system32\9127 ----

C:\WINDOWS\system32\9127\

---- Directory of C:\WINDOWS\system32\d1c0a932 ----

C:\WINDOWS\system32\d1c0a932\

---- Directory of C:\WINDOWS\system32\d49 ----

C:\WINDOWS\system32\d49\


((((((((((((((((((((((((((((( snapshot@2005-12-28_13.28.30.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-12-28 18:39:20 218,624 ----a-w C:\WINDOWS\Downloaded Program Files\dpg.dll
- 2007-12-28 14:42:20 16,644 ----a-w C:\WINDOWS\Fonts\hookhelp.dll
+ 2005-12-28 18:33:21 16,644 ----a-w C:\WINDOWS\Fonts\hookhelp.dll
- 2005-12-28 18:26:11 12,913 ----a-w C:\WINDOWS\system32\tablet.dat
+ 2007-12-29 02:33:17 12,913 ----a-w C:\WINDOWS\system32\tablet.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"Washer"="C:\Program Files\Washer\washer.exe" [2001-06-22 15:29]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 22:00]
"EPSON Stylus CX5000 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVA.exe" [2006-10-18 06:01]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CHotkey"="zHotkey.exe" [2003-06-03 13:01 C:\WINDOWS\zHotkey.exe]
"SunKistEM"="C:\Program Files\eMachines Bay Reader\shwiconem.exe" [2004-03-11 17:18]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 13:50]
"EPSON Stylus CX5400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" []
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 03:50]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 22:00]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-22 16:29]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 14:58]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-07 13:57]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 18:54]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"Trend Micro AntiVirus 2007"="C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" []
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2007-09-18 00:29]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"washindex"="C:\Program Files\Washer\washidx.exe" [2001-04-02 21:32]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-07-30 14:11:05]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2006-09-28 05:52:35]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2007-02-27 01:44:01]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-06-22 23:20:09]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{E159854F-6971-3456-6941-10235412974E}"= C:\WINDOWS\Fonts\hookhelp.dll [2005-12-28 13:33 16644]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=hookhelp.dll

S0 5ylbkzwq;5ylbkzw;C:\WINDOWS\system32\DRIVERS\5ylbkzwq.sys []
S2 Serviceusbhelp;ServicevcHelp;C:\WINDOWS\system32\usbplay.exe []
S2 YahooSvr;Yahoo Service;C:\WINDOWS\system32\4209D\svchost.exe []
S3 FontCache6.0.5070.0;WinFX Font Cache 6.0.5070.0;C:\WINDOWS\Microsoft.NET\Windows\v6.0.5070\PresentationFontCache.exe [2005-11-07 01:29]
S3 PciHardDisk;PciHardDisk;C:\WINDOWS\system32\fat32.sys []
S4 itcppss;Indigo Tcp Port Sharing Service;C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\IndigoListener.exe [2006-01-13 02:37]

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 21:33:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\Fonts\hookhelp.dll
.
Completion time: 2007-12-28 21:35:40 - machine was rebooted
C:\ComboFix2.txt ... 2005-12-28 13:29
.
2007-12-28 05:59:31 --- E O F ---
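Added example for this thread (not part of the original post, of ComboFix, or of the helper's instructions): a small Python script that parses the "Reg Loading Points" and service lines in the format ComboFix prints above and flags the entries a responder would look at first. The legitimate-location table, the "PE file in Fonts" rule and the other heuristics are assumptions made for this example, not ComboFix's own logic; the sample input is an excerpt of the log posted above.

```python
"""Triage helper for the "Reg Loading Points" part of a ComboFix-style log.

Added example for this thread; it is not part of the original post, of
ComboFix, or of the instructions the helper gave. It parses the service and
registry lines in the format shown above and flags the entries a responder
would look at first. The legitimate-location table and the heuristics are
assumptions made for this example, not ComboFix's own logic.
"""
import re
from typing import Dict, List

# Binaries that malware commonly names itself after, with the directory they
# legitimately live in on 32-bit Windows XP (assumption for this example).
MASQUERADE_NAMES = {
    "svchost.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
}
# Directories that should never hold loadable PE files (assumption).
ODD_CODE_DIRS = (r"c:\windows\fonts",)
PE_EXTENSIONS = (".exe", ".dll", ".sys", ".ocx")

# "S2 Name;Display;C:\path\file.exe [date]" - brackets are empty when ComboFix
# found no version/date info for the binary.
SERVICE_RE = re.compile(r"^S[0-4]\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]\s*$")
# '"Name"="C:\path\file.exe" [date]' as printed for Run keys.
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s*\[([^\]]*)\]')


def flag_path(path: str) -> List[str]:
    """Return the reasons a file path looks suspicious (empty list if none)."""
    lowered = path.lower()
    directory, _, name = lowered.rpartition("\\")
    reasons = []
    if name in MASQUERADE_NAMES and directory != MASQUERADE_NAMES[name]:
        reasons.append(f"{name} outside {MASQUERADE_NAMES[name]}")
    if name.endswith(PE_EXTENSIONS) and directory in ODD_CODE_DIRS:
        reasons.append(f"PE file in {directory}")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each suspicious log line to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line.lower()          # registry key header
            continue
        reasons: List[str] = []
        svc = SERVICE_RE.match(line)
        run = RUN_RE.match(line)
        if svc:
            reasons += flag_path(svc.group(3))
            if not svc.group(4):
                reasons.append("service/driver binary has no version or date info")
        elif (line.lower().startswith('"appinit_dlls"=')
              and "windows nt\\currentversion\\windows" in current_key):
            value = line.split("=", 1)[1].strip()
            if value:  # anything here is loaded into every user32-linked process
                reasons.append(f"AppInit_DLLs set to {value}")
        elif run:
            reasons += flag_path(run.group(2))
        elif line.startswith('"{') and "=" in line:
            # ShellExecuteHooks: "{GUID}"= C:\path\file.dll [date size]
            path = line.split("=", 1)[1].strip().split(" [", 1)[0]
            reasons += flag_path(path)
        if reasons:
            findings[line] = reasons
    return findings


# Excerpt of the log posted above, used as sample input.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{E159854F-6971-3456-6941-10235412974E}"= C:\WINDOWS\Fonts\hookhelp.dll [2005-12-28 13:33 16644]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=hookhelp.dll

S0 5ylbkzwq;5ylbkzw;C:\WINDOWS\system32\DRIVERS\5ylbkzwq.sys []
S2 YahooSvr;Yahoo Service;C:\WINDOWS\system32\4209D\svchost.exe []
S3 FontCache6.0.5070.0;WinFX Font Cache 6.0.5070.0;C:\WINDOWS\Microsoft.NET\Windows\v6.0.5070\PresentationFontCache.exe [2005-11-07 01:29]
"""

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("   ->", reason)
```

Run against the excerpt, it flags the svchost.exe copy in the 4209D subfolder (wrong directory and no version info), the driver with no version info, the hookhelp.dll hook living in the Fonts folder, and the non-empty AppInit_DLLs value, while leaving the genuine ctfmon.exe, the Java updater, the SUPERAntiSpyware hook and the .NET font cache service alone. It is a first-pass filter to decide what to look at, not a verdict on any file.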