Thread status: Not open for further replies. (11 posts)

Discussion Starter (Registered, 6 Posts), post #1:
Hello everyone, I need your help in something.

My PC has been acting really weird in the last couple of days, then I noticed that fake yellow bar in IE telling me that there's a possible spyware infection and to click here to scan, etc. I didn't click it, for sure. And there have been several strange things happening on my PC. Anyway, I installed HijackThis, scanned and got the following logfile. I'd really appreciate it if anyone could take a look at it and tell me if there is anything wrong.

Just a small note: I scanned with Norton Internet Security, then removed it and scanned with NOD32, then with Ad-Aware 2007, then AVG Anti-Spyware, and it all came back clean.
Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06:47 PM, on 3/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\WgaTray.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\DU Meter\DUMeter.exe
E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\MSN Messenger\usnsvc.exe
E:\Program Files\MSN Messenger\msnmsgr.exe
E:\Program Files\Windows Media Player\wmplayer.exe
E:\Program Files\DAP\DAP.EXE
E:\Documents and Settings\Administrator\My Documents\My Completed Downloads\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: GNX Rolex - {31BE1B95-DE72-41F3-A6AD-3E38648CA2D8} - E:\WINDOWS\drnpfdxrgq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: etlrlws - {BEBA880D-1A1B-4A56-8E9F-1D488AA6CE80} - E:\WINDOWS\etlrlws.dll
O4 - HKLM\..\Run: [DU Meter] E:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [antiviirus] E:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [egui] "E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - E:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - E:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - E:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Organise-notes - {9455301C-CF6B-11D3-A266-00C04F689C50} - E:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{60E89C44-1A6F-45BC-8081-36F2FE5E180F}: NameServer = 62.84.64.3,62.84.71.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{60E89C44-1A6F-45BC-8081-36F2FE5E180F}: NameServer = 62.84.64.3,62.84.71.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{60E89C44-1A6F-45BC-8081-36F2FE5E180F}: NameServer = 62.84.64.3,62.84.71.3
O20 - Winlogon Notify: wingsa32 - wingsa32.dll (file missing)
O20 - Winlogon Notify: wudb - E:\WINDOWS\system32\wudb.dll (file missing)
O21 - SSODL: UnknownBoot - {e510b802-89d9-421c-9001-933a74f5c216} - E:\WINDOWS\Installer\{e510b802-89d9-421c-9001-933a74f5c216}\UnknownBoot.dll
O21 - SSODL: zip - {0ef02820-1375-490b-b8af-399eabaeab7d} - E:\WINDOWS\Installer\{0ef02820-1375-490b-b8af-399eabaeab7d}\zip.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

--
End of file - 6979 bytes
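The log above already contains most of what an analyst would flag by eye: two browser modules (O2, O3) loaded from DLLs with pseudo-random names sitting directly in E:\WINDOWS, a Run value named "antiviirus" that is one letter off a real product, Winlogon Notify (O20) and SSODL (O21) entries whose files are missing or live outside system32, and an O17 NameServer pair that needs to be checked against the ISP. The following script is an added example for this thread, not code from the original posts or from HijackThis; it parses the "R0/Oxx - ..." lines and applies those heuristics. The vowel-ratio threshold, the Run-name watch-list and the expected-DNS parameter are assumptions for illustration, and the sample lines are copied from the first log.

```python
"""Heuristic triage of a HijackThis v2 log (added example, not from the thread)."""
from __future__ import annotations
import ntpath
import re
from dataclasses import dataclass

VOWELS = set("aeiouy")
# Assumption: legitimate names that malware likes to imitate with a near-miss spelling.
RUN_NAME_WATCHLIST = ("antivirus", "svchost", "explorer", "winlogon", "lsass")

# Constructed sample: lines taken from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: GNX Rolex - {31BE1B95-DE72-41F3-A6AD-3E38648CA2D8} - E:\WINDOWS\drnpfdxrgq.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: etlrlws - {BEBA880D-1A1B-4A56-8E9F-1D488AA6CE80} - E:\WINDOWS\etlrlws.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [antiviirus] E:\Program Files\antiviirus.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{60E89C44-1A6F-45BC-8081-36F2FE5E180F}: NameServer = 62.84.64.3,62.84.71.3
O20 - Winlogon Notify: wingsa32 - wingsa32.dll (file missing)
O20 - Winlogon Notify: wudb - E:\WINDOWS\system32\wudb.dll (file missing)
O21 - SSODL: zip - {0ef02820-1375-490b-b8af-399eabaeab7d} - E:\WINDOWS\Installer\{0ef02820-1375-490b-b8af-399eabaeab7d}\zip.dll
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section, e.g. "O2"
    reason: str    # why the entry was flagged
    detail: str    # path, value name or IP


def _levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch look-alike Run value names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(stem: str) -> bool:
    """Lowercase letters only, >= 6 chars, under 20% vowels: 'drnpfdxrgq', 'etlrlws'."""
    if len(stem) < 6 or not stem.isalpha() or not stem.islower():
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.2


def triage(log_text: str, expected_dns: frozenset[str] = frozenset()) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^(R\d|O\d+) - ", line)
        if not m:
            continue
        section = m.group(1)
        if section in ("O2", "O3", "O20", "O21"):
            # The module path is the last " - " separated field of these lines.
            path = line.rsplit(" - ", 1)[-1].strip()
            missing = "(file missing)" in path or path == "(no file)"
            path = path.replace("(file missing)", "").strip()
            stem = ntpath.splitext(ntpath.basename(path))[0]
            parent = ntpath.dirname(path).lower()
            if missing:
                findings.append(Finding(section, "orphaned entry, file missing", path))
            if looks_random(stem):
                findings.append(Finding(section, "pseudo-random module name", path))
            if section in ("O2", "O3") and parent.endswith("\\windows"):
                findings.append(Finding(section, "browser module loaded from %WINDIR% root", path))
            if section == "O21" and not missing and "\\system32" not in parent:
                findings.append(Finding(section, "SSODL module outside system32", path))
        elif section == "O4":
            m4 = re.search(r"\[([^\]]+)\]", line)
            if m4:
                name = m4.group(1).lower()
                for legit in RUN_NAME_WATCHLIST:
                    if name != legit and _levenshtein(name, legit) <= 2:
                        findings.append(Finding(section, f"Run value name is a near-miss of '{legit}'", m4.group(1)))
        elif section == "O17":
            m17 = re.search(r"NameServer = ([\d.,]+)", line)
            if m17:
                for ip in m17.group(1).split(","):
                    if ip not in expected_dns:
                        findings.append(Finding(section, "DNS server not on the expected list, verify with ISP", ip))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}: {f.detail}")
```

The O17 check deliberately flags every resolver until the analyst passes the ISP's real servers in `expected_dns`; a rogue NameServer is the one entry in this log that cannot be judged from the file alone, and the later DSS and ComboFix logs do not resolve it either.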
 

Reply from TSF Security Manager, Emeritus (52,197 Posts):
Hello and Welcome. Apologies for any delay in replying, but we have been rather busy lately. The forum is overwhelmed with requests for help.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

If you still require assistance for this issue, and since it has been a few days since you first posted, please do this, as requested in our pre-posting sticky topic

http://www.techsupportforum.com/sec...read-before-posting-malware-removal-help.html

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

---------------------------------------------------------------------------------------------

Thank you.
 

Discussion Starter (Registered, 6 Posts), post #4:
Hey, it's OK, I know you are always busy. I did the second post on purpose to keep the topic on the first page.
Your help is very much appreciated, thank you.


main.txt

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-03-28 23:36:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 88% (more than 75%).
Total Physical Memory: 254 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:51 PM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\Program Files\DU Meter\DUMeter.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\WgaTray.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\MSN Messenger\msnmsgr.exe
E:\Program Files\MSN Messenger\usnsvc.exe
E:\Program Files\MSN Messenger\msnmsgr.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Documents and Settings\Administrator\My Documents\My Completed Downloads\dss.exe
E:\DOCUME~1\ADMINI~1\MYDOCU~1\MYCOMP~1\ADMINI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: GNX Rolex - {31BE1B95-DE72-41F3-A6AD-3E38648CA2D8} - E:\WINDOWS\drnpfdxrgq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: etlrlws - {BEBA880D-1A1B-4A56-8E9F-1D488AA6CE80} - E:\WINDOWS\etlrlws.dll
O4 - HKLM\..\Run: [DU Meter] E:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [antiviirus] E:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [egui] "E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - E:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - E:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - E:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Organise-notes - {9455301C-CF6B-11D3-A266-00C04F689C50} - E:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{60E89C44-1A6F-45BC-8081-36F2FE5E180F}: NameServer = 62.84.64.3,62.84.71.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{60E89C44-1A6F-45BC-8081-36F2FE5E180F}: NameServer = 62.84.64.3,62.84.71.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{60E89C44-1A6F-45BC-8081-36F2FE5E180F}: NameServer = 62.84.64.3,62.84.71.3
O20 - Winlogon Notify: wingsa32 - wingsa32.dll (file missing)
O20 - Winlogon Notify: wudb - E:\WINDOWS\system32\wudb.dll (file missing)
O21 - SSODL: UnknownBoot - {e510b802-89d9-421c-9001-933a74f5c216} - E:\WINDOWS\Installer\{e510b802-89d9-421c-9001-933a74f5c216}\UnknownBoot.dll (file missing)
O21 - SSODL: zip - {0ef02820-1375-490b-b8af-399eabaeab7d} - E:\WINDOWS\Installer\{0ef02820-1375-490b-b8af-399eabaeab7d}\zip.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

--
End of file - 7224 bytes

-- Files created between 2008-02-28 and 2008-03-28 -----------------------------

2008-03-26 00:44:35 0 d--hs--c- E:\Program Files\Common Files\WindowsLiveInstaller
2008-03-26 00:43:26 0 d-------- E:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-19 23:56:42 0 d-------- E:\Documents and Settings\All Users\Application Data\ESET
2008-03-19 23:22:08 0 dr-h----- E:\Documents and Settings\Administrator\Recent
2008-03-19 22:32:24 0 d-------- E:\Program Files\Lavasoft
2008-03-19 21:19:24 0 d-------- E:\Program Files\Common Files\Wise Installation Wizard
2008-03-17 19:30:32 0 d--h----- E:\WINDOWS\system32\GroupPolicy
2008-03-17 18:43:28 94208 --a------ E:\WINDOWS\fmsxwqs.exe
2008-03-17 18:43:28 176128 --a------ E:\WINDOWS\etlrlws.dll
2008-03-17 18:43:28 237568 --a------ E:\WINDOWS\drnpfdxrgq.dll
2008-03-17 18:43:28 221184 --a------ E:\WINDOWS\bokpkov.dll
2008-03-17 18:43:28 241664 --a------ E:\WINDOWS\altvxvm.dll


-- Find3M Report ---------------------------------------------------------------

2008-03-28 17:48:54 0 d-------- E:\Documents and Settings\Administrator\Application Data\LimeWire
2008-03-26 00:44:35 0 d-------- E:\Program Files\Common Files
2008-03-26 00:43:55 0 d-------- E:\Program Files\Windows Live
2008-03-19 23:54:09 0 d-------- E:\Program Files\Common Files\Symantec Shared
2008-03-19 23:50:35 0 d-------- E:\Program Files\Symantec
2008-02-25 17:41:39 0 d-------- E:\Program Files\Mikroelektronika
2008-02-24 16:57:39 0 d-------- E:\Program Files\LimeWire
2008-02-22 23:48:35 0 d-------- E:\Documents and Settings\Administrator\Application Data\Real
2008-01-23 00:13:15 8590 --a------ E:\WINDOWS\hh.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31BE1B95-DE72-41F3-A6AD-3E38648CA2D8}]
03/14/2008 11:56 AM 237568 --a------ E:\WINDOWS\drnpfdxrgq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DU Meter"="E:\Program Files\DU Meter\DUMeter.exe" [02/01/2005 06:28 PM]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [03/14/2007 02:43 AM]
"TkBellExe"="E:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07/07/2007 02:45 PM]
"!AVG Anti-Spyware"="E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 11:25 AM]
"Symantec PIF AlertEng"="E:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [11/28/2007 07:51 PM]
"antiviirus"="E:\Program Files\antiviirus.exe" []
"egui"="E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [12/21/2007 08:21 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="E:\WINDOWS\system32\ctfmon.exe" [08/04/2004 09:56 AM]
"MsnMsgr"="E:\Program Files\MSN Messenger\MsnMsgr.exe" [05/25/2007 08:57 PM]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 9:05:26 PM]
Microsoft Office.lnk - E:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 12:01:04 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"UnknownBoot"= {e510b802-89d9-421c-9001-933a74f5c216} - E:\WINDOWS\Installer\{e510b802-89d9-421c-9001-933a74f5c216}\UnknownBoot.dll [ ]
"zip"= {0ef02820-1375-490b-b8af-399eabaeab7d} - E:\WINDOWS\Installer\{0ef02820-1375-490b-b8af-399eabaeab7d}\zip.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wingsa32]
wingsa32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wudb]
E:\WINDOWS\system32\wudb.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Administrator^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=E:\Documents and Settings\Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=E:\WINDOWS\pss\LimeWire On Startup.lnkStartup


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{666bc3a2-0d0f-11dc-8587-00c0a88e35d9}]
AutoRun\command- E:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2d8cc89-cc22-11dc-8748-00c0a88e35d9}]
AutoRun\command- E:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL systems.com
read\command- explorer.exe
start\command- systems.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3de41a4-3ff3-11dc-861f-00c0a88e35d9}]
AutoRun\command- G:\fooool.exe
explore\Command- G:\fooool.exe
open\Command- G:\fooool.exe




-- End of Deckard's System Scanner: finished at 2008-03-28 23:37:47 ------------




And kindly find attached the extra.txt file.

Attachment: extra.txt
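The three MountPoints2 blocks at the end of the DSS registry dump are the part of this log worth understanding in detail. Windows caches each volume's autorun.inf under HKCU\...\Explorer\MountPoints2\{volume GUID}, and that cache outlives the removable drive, which is why the helper later asks for the G: drive to be plugged in while ComboFix runs. A `shellexecute=` directive is stored as `RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL <target>`, `open=` as a plain command, and `shell\<verb>\command=` as `<verb>\command`; hijacking the `open` and `explore` verbs means double-clicking or right-click-Exploring the drive launches the file even with AutoRun turned off. The script below is an added example for this thread, not code from the posts, DSS or ComboFix: it parses those blocks (in both the DSS and the ComboFix line shape) and reconstructs the autorun.inf that must have produced them. The list of commands treated as benign is an assumption for illustration, and the sample text is copied from the dump above.

```python
"""Reconstruct autorun.inf hijacks from a MountPoints2 dump (added example, not from the thread)."""
from __future__ import annotations
import re

# Constructed sample: the three MountPoints2 blocks from the DSS log in this thread.
SAMPLE_DUMP = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{666bc3a2-0d0f-11dc-8587-00c0a88e35d9}]
AutoRun\command- E:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2d8cc89-cc22-11dc-8748-00c0a88e35d9}]
AutoRun\command- E:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL systems.com
read\command- explorer.exe
start\command- systems.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3de41a4-3ff3-11dc-861f-00c0a88e35d9}]
AutoRun\command- G:\fooool.exe
explore\Command- G:\fooool.exe
open\Command- G:\fooool.exe
"""

HEADER = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
# DSS writes "AutoRun\command- X", ComboFix writes "\Shell\AutoRun\command - X".
ENTRY = re.compile(r"^\\?(?:Shell\\)?(\w+)\\command\s*-\s*(.+?)\s*$", re.I)
# How Windows stores a "shellexecute=" directive from autorun.inf.
SHELLEXEC = re.compile(r"rundll32(?:\.exe)?\s+shell32\.dll,\s*ShellExec_RunDLL\s+(.+)$", re.I)
DRIVE = re.compile(r"^[A-Za-z]:\\")
BENIGN_TARGETS = {"explorer.exe"}  # assumption: commands we do not treat as a hijack


def parse_mountpoints2(dump: str) -> dict[str, dict[str, str]]:
    """Map volume GUID -> {verb: command} for every MountPoints2 block in the dump."""
    volumes: dict[str, dict[str, str]] = {}
    current = None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = HEADER.match(line)
            current = m.group(1).lower() if m else None
            if current is not None:
                volumes.setdefault(current, {})
            continue
        m = ENTRY.match(line)
        if current is not None and m:
            volumes[current][m.group(1).lower()] = m.group(2)
    return volumes


def _target(command: str) -> str:
    """Strip the ShellExec_RunDLL wrapper and the drive letter to get the file on the volume."""
    m = SHELLEXEC.search(command)
    return DRIVE.sub("", (m.group(1) if m else command).strip())


def reconstruct_autorun_inf(cmds: dict[str, str]) -> list[str]:
    """Invert the registry cache back into the autorun.inf directives that produced it."""
    lines = ["[autorun]"]
    for verb, command in cmds.items():
        target = _target(command)
        if verb == "autorun":
            lines.append(("shellexecute=" if SHELLEXEC.search(command) else "open=") + target)
        else:
            lines.append(f"shell\\{verb}\\command={target}")
    return lines


def is_hijacked(cmds: dict[str, str]) -> bool:
    """True if any cached verb runs something other than a benign target."""
    return any(_target(c).lower() not in BENIGN_TARGETS for c in cmds.values())


def triage(dump: str) -> dict[str, list[str]]:
    """Volume GUID -> reconstructed autorun.inf, for hijacked volumes only."""
    return {guid: reconstruct_autorun_inf(cmds)
            for guid, cmds in parse_mountpoints2(dump).items() if is_hijacked(cmds)}


if __name__ == "__main__":
    for guid, inf in triage(SAMPLE_DUMP).items():
        print(guid)
        for line in inf:
            print("   ", line)
```

The reconstruction names the files to look for on each removable drive (copy.exe, systems.com, fooool.exe) and shows that the third volume hijacks the `open` and `explore` verbs as well as AutoRun, so disabling AutoPlay alone would not have protected this machine from that stick.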

Reply from TSF Security Manager, Emeritus (52,197 Posts):
P2P - I see you have P2P software (LimeWire) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here, here and here.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

---------------------------------------------------------------------------------------------

I see parts of Norton still installed, but there's no real reason to have them. If you need LiveUpdate for some application I don't see, leave it; otherwise uninstall it from Add/Remove.

LiveUpdate 3.2
LiveUpdate Notice


If you uninstall, then do this:

Please use the instructions on this page to completely uninstall your Norton Products.

Next.....


Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery mode. This allows us to help you in the case that your computer has a problem after an attempted removal of malware.

When you run ComboFix according to the instructions on that page, please have whatever device is typically your G drive inserted/active. (flash drive, USB external?)

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

If you have any questions along the way, STOP and ask them before proceeding.
 

Discussion Starter (Registered, 6 Posts), post #6:
Hey, I've been kind of busy lately, so I couldn't do any of the things you asked me to until today.

ComboFix log:

ComboFix 08-04-14.2 - Administrator 2008-04-15 20:43:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.63 [GMT 3:00]
Running from: E:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
E:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
E:\WINDOWS\Installer\{0ef02820-1375-490b-b8af-399eabaeab7d}\zip.dll
E:\WINDOWS\Installer\{e510b802-89d9-421c-9001-933a74f5c216}\UnknownBoot.dll
E:\WINDOWS\rs.txt

----- BITS: Possible infected sites -----

hxxp://apps.corel.com
.
((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-03-26 19:58 . 2008-03-26 19:58 <DIR> d-------- E:\Deckard
2008-03-26 08:37 . 2007-07-30 20:19 271,224 --a------ E:\WINDOWS\system32\mucltui.dll
2008-03-26 08:37 . 2007-07-30 20:19 207,736 --a------ E:\WINDOWS\system32\muweb.dll
2008-03-26 08:37 . 2007-07-30 20:19 30,072 --a------ E:\WINDOWS\system32\mucltui.dll.mui
2008-03-26 01:44 . 2008-03-26 01:44 <DIR> d--hsc--- E:\Program Files\Common Files\WindowsLiveInstaller
2008-03-26 01:43 . 2008-04-01 00:40 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-20 00:56 . 2008-03-20 00:56 <DIR> d-------- E:\Program Files\ESET
2008-03-20 00:56 . 2008-03-20 00:56 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\ESET
2008-03-19 23:32 . 2008-03-19 23:32 <DIR> d-------- E:\Program Files\Lavasoft
2008-03-19 22:19 . 2008-03-19 23:30 <DIR> d-------- E:\Program Files\Common Files\Wise Installation Wizard
2008-03-17 20:30 . 2008-03-17 20:31 <DIR> d--h----- E:\WINDOWS\system32\GroupPolicy
2008-03-17 19:43 . 2008-03-14 12:56 241,664 --a------ E:\WINDOWS\altvxvm.dll
2008-03-17 19:43 . 2008-03-14 12:56 237,568 --a------ E:\WINDOWS\drnpfdxrgq.dll
2008-03-17 19:43 . 2008-03-14 12:56 221,184 --a------ E:\WINDOWS\bokpkov.dll
2008-03-17 19:43 . 2008-03-14 12:56 176,128 --a------ E:\WINDOWS\etlrlws.dll
2008-03-17 19:43 . 2008-03-14 12:56 94,208 --a------ E:\WINDOWS\fmsxwqs.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 17:42 --------- d---a-w E:\Documents and Settings\All Users\Application Data\TEMP
2008-04-15 16:59 --------- d-----w E:\Program Files\Common Files\Symantec Shared
2008-04-15 16:59 --------- d-----w E:\Documents and Settings\All Users\Application Data\Symantec
2008-04-13 22:05 --------- d-----w E:\Documents and Settings\Administrator\Application Data\LimeWire
2008-03-25 22:43 --------- d-----w E:\Program Files\Windows Live
2008-03-19 20:37 --------- d-----w E:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-25 15:41 20,608 ----a-w E:\WINDOWS\system32\drivers\USB18PRG.SYS
2008-02-25 15:41 --------- d-----w E:\Program Files\Mikroelektronika
2008-02-24 14:57 --------- d-----w E:\Program Files\LimeWire
2007-12-11 21:19 33,128 ----a-w E:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31BE1B95-DE72-41F3-A6AD-3E38648CA2D8}]
2008-03-14 12:56 237568 --a------ E:\WINDOWS\drnpfdxrgq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{BEBA880D-1A1B-4A56-8E9F-1D488AA6CE80}"= "E:\WINDOWS\etlrlws.dll" [2008-03-14 12:56 176128]

[HKEY_CLASSES_ROOT\clsid\{beba880d-1a1b-4a56-8e9f-1d488aa6ce80}]
[HKEY_CLASSES_ROOT\etlrlws.1]
[HKEY_CLASSES_ROOT\TypeLib\{E9E78868-062F-4610-B0DA-5892397E3480}]
[HKEY_CLASSES_ROOT\etlrlws]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="E:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:56 15360]
"MsnMsgr"="E:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-05-25 21:57 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DU Meter"="E:\Program Files\DU Meter\DUMeter.exe" [2005-02-01 19:28 1469952]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"TkBellExe"="E:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-07-07 15:45 185896]
"!AVG Anti-Spyware"="E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 12:25 6731312]
"egui"="E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 09:21 1443072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="E:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 10:56 15360]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - E:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wingsa32]
wingsa32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wudb]
E:\WINDOWS\system32\wudb.dll

[HKLM\~\startupfolder\E:^Documents and Settings^Administrator^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=E:\Documents and Settings\Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=E:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"E:\\Program Files\\LimeWire\\LimeWire.exe"=

R1 epfwtdir;epfwtdir;E:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-12-21 09:21]
R1 SbPd;SbPd;E:\WINDOWS\system32\Drivers\SbPd.sys [2007-05-25 22:09]
R3 cwrwdm;SoundFusion(tm) WDM Driver;E:\WINDOWS\system32\DRIVERS\cwrwdm.sys [2004-08-04 01:32]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2d8cc89-cc22-11dc-8748-00c0a88e35d9}]
\Shell\AutoRun\command - E:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL systems.com
\Shell\read\command - explorer.exe
\Shell\start\command - systems.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3de41a4-3ff3-11dc-861f-00c0a88e35d9}]
\Shell\AutoRun\command - G:\fooool.exe
\Shell\explore\Command - G:\fooool.exe
\Shell\open\Command - G:\fooool.exe

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-15 20:46:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 9

**************************************************************************
.
Completion time: 2008-04-15 20:50:24
ComboFix-quarantined-files.txt 2008-04-15 17:49:54
ComboFix2.txt 2007-07-10 13:41:39

Pre-Run: 5,000,753,152 bytes free
Post-Run: 5,000,945,664 bytes free



HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:58:17 PM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\MSN Messenger\usnsvc.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
E:\WINDOWS\system32\WgaTray.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\DU Meter\DUMeter.exe
E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\MSN Messenger\msnmsgr.exe
E:\WINDOWS\system32\NOTEPAD.EXE
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Documents and Settings\Administrator\My Documents\My Completed Downloads\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: GNX Rolex - {31BE1B95-DE72-41F3-A6AD-3E38648CA2D8} - E:\WINDOWS\drnpfdxrgq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: etlrlws - {BEBA880D-1A1B-4A56-8E9F-1D488AA6CE80} - E:\WINDOWS\etlrlws.dll
O4 - HKLM\..\Run: [DU Meter] E:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [egui] "E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - E:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - E:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - E:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Organise-notes - {9455301C-CF6B-11D3-A266-00C04F689C50} - E:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{60E89C44-1A6F-45BC-8081-36F2FE5E180F}: NameServer = 62.84.64.3,62.84.71.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{60E89C44-1A6F-45BC-8081-36F2FE5E180F}: NameServer = 62.84.64.3,62.84.71.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{60E89C44-1A6F-45BC-8081-36F2FE5E180F}: NameServer = 62.84.64.3,62.84.71.3
O20 - Winlogon Notify: wingsa32 - wingsa32.dll (file missing)
O20 - Winlogon Notify: wudb - E:\WINDOWS\system32\wudb.dll (file missing)
O21 - SSODL: UnknownBoot - {e510b802-89d9-421c-9001-933a74f5c216} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

--
End of file - 5983 bytes


Thank you.=)
 

·
TSF Security Manager, Emeritus
Joined
·
52,197 Posts
While I understand that life gets busy, if you want my continued support, you'll need to reply in a more timely fashion. Malware does not wait so long to keep spawning.


Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

This machine does not have the Windows XP Recovery Console installed.

The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

Please do this:

Download this file:

http://www.microsoft.com/downloads/...8D-5E10-49B5-B80C-0A0205368124&displaylang=en

Download the file & save it as it's originally named, next to ComboFix.exe.




Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

When complete, a log named CF_RC.txt will open. Please post the contents of that log at the end of this fix, along with the other requested logs.

Next......................

  1. Download Flash_Disinfector.exe from here and save it to your desktop.
  2. Disconnect from the internet....pull the plug!
  3. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

    Run Flash_Disinfector.exe
    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    • Wait until it has finished scanning and then exit the program.

    Make sure what is usually your G drive is still inserted or active.
  4. Open notepad and copy/paste the text in the quotebox below into it:

    Killall::

    File::
    E:\WINDOWS\altvxvm.dll
    E:\WINDOWS\drnpfdxrgq.dll
    E:\WINDOWS\bokpkov.dll
    E:\WINDOWS\etlrlws.dll
    E:\WINDOWS\fmsxwqs.exe
    G:\fooool.exe

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31BE1B95-DE72-41F3-A6AD-3E38648CA2D8}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{BEBA880D-1A1B-4A56-8E9F-1D488AA6CE80}"=-
    [-HKEY_CLASSES_ROOT\clsid\{beba880d-1a1b-4a56-8e9f-1d488aa6ce80}]
    [-HKEY_CLASSES_ROOT\etlrlws.1]
    [-HKEY_CLASSES_ROOT\TypeLib\{E9E78868-062F-4610-B0DA-5892397E3480}]
    [-HKEY_CLASSES_ROOT\etlrlws]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wingsa32]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wudb]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2d8cc89-cc22-11dc-8748-00c0a88e35d9}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3de41a4-3ff3-11dc-861f-00c0a88e35d9}]
    Save this as CFScript.txt




    Referring to the picture above, drag CFScript.txt into ComboFix.exe


  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
  8. Re-establish an internet connection.
  9. Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

    ---------------------------------------------------------------------------------------------

Return with these logs:

C:\CF_RC.txt
C:\ComboFix.txt
new Hijackthis log
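The entries the fix script above removes share a few patterns that can be read straight out of the posted ComboFix and HijackThis output: Winlogon Notify DLLs that no longer exist on disk, browser add-ons loaded from the Windows root rather than Program Files or system32, MountPoints2 AutoRun handlers that launch an executable on a removable drive, and Security Center monitoring switched off. The Python triage script below is an added example (not part of this thread, ComboFix or HijackThis) that flags those patterns; its sample input is constructed from the log posted above.

```python
import re

# Added triage example (not part of ComboFix, HijackThis or the helper's CFScript).
# Walks log lines in order, remembers the current registry key header, and reports
# the indicator classes the fix above targets.
KEY_HEADER = re.compile(r"^\[-?(HK[^\]]+)\]$")
WINLOGON_MISSING = re.compile(r"^O20 - Winlogon Notify: (\S+) - .+\(file missing\)$")
BHO_OR_TOOLBAR = re.compile(r"^O[23] - (?:BHO|Toolbar): .+ - \{[0-9A-F-]{36}\} - (.+\.dll)$", re.I)
WINDOWS_ROOT_DLL = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+\.dll$", re.I)
SHELL_COMMAND = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.I)

def triage(lines):
    """Return a list of (indicator, detail) tuples for suspicious log lines."""
    findings, key = [], ""
    for raw in lines:
        line = raw.strip()
        m = KEY_HEADER.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = WINLOGON_MISSING.match(line)
        if m:  # Winlogon Notify entry whose DLL is gone: leftover persistence
            findings.append(("winlogon-notify-missing", m.group(1)))
            continue
        m = BHO_OR_TOOLBAR.match(line)
        if m and WINDOWS_ROOT_DLL.match(m.group(1)):
            # Legitimate BHOs/toolbars live under Program Files or system32, not %WINDIR% root
            findings.append(("browser-addon-in-windows-root", m.group(1)))
            continue
        m = SHELL_COMMAND.match(line)
        if m and "mountpoints2" in key:
            # MountPoints2 Shell handlers are cached from a drive's autorun.inf; one that
            # runs a program from the drive (or via ShellExec_RunDLL) re-infects on insert.
            target = m.group(2)
            if target.lower() != "explorer.exe":
                findings.append(("removable-drive-autorun", target))
            continue
        if line == '"DisableMonitoring"=dword:00000001' and "security center" in key:
            findings.append(("security-center-monitoring-disabled", key.rsplit("\\", 1)[-1]))
    return findings

# Sample lines constructed from the log posted in this thread (values as posted there)
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3de41a4-3ff3-11dc-861f-00c0a88e35d9}]
\Shell\AutoRun\command - G:\fooool.exe
\Shell\read\command - explorer.exe
O2 - BHO: GNX Rolex - {31BE1B95-DE72-41F3-A6AD-3E38648CA2D8} - E:\WINDOWS\drnpfdxrgq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O20 - Winlogon Notify: wudb - E:\WINDOWS\system32\wudb.dll (file missing)
""".splitlines()
```

Running `triage(SAMPLE_LOG)` yields four findings and leaves the Java BHO and the plain explorer.exe handler unflagged, which mirrors what the helper kept versus what the CFScript removes.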
 

·
Registered
Joined
·
6 Posts
Discussion Starter #8
When I did the previous scan, I dragged the recovery thing into the ComboFix.exe and it started running immediately. Could that message "WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!" be due to my NOT original Windows XP?
 

·
Registered
Joined
·
6 Posts
Discussion Starter #10
I don't have an original copy of windows XP, pirated copy.

Anyway, it worked this time, and the log file that opened after I dragged the recovery thing mentioned nothing about not having a recovery console installed.

However, after I dragged the CFScript.txt to the ComboFix.exe, it started scanning and said something like it usually takes 10 minutes to do the scan, and the timing may double for badly infected computers. I left it for 2 hours, and when I came back it was still there, so I aborted it because I had some things to do on the PC.

A while ago, after I finished my projects, I did a NOD32 scan and it quarantined
E:\WINDOWS\fmsxwqs.exe
and another file (from the to kill list above)

That's all for now, I guess.

Thank you.
 

·
TSF Security Manager, Emeritus
Joined
·
52,197 Posts