Tech Support Forum
Need help removing wmsncs, gool, facegame and possibly others

Registered · 3 Posts · Discussion Starter · #1
Hi,

I need help removing some persistent malware from my family's computer.

When I first began, they had obviously installed a rogue antispyware program, XP Antispyware 2009, as it was constantly popping up messages in the taskbar and had hijacked XP's Security Center. Our Internet Explorer was also completely hijacked, running random sound bites on its own and displaying random popups as soon as I connected to the internet.

I ran Spybot Search & Destroy and removed the bad entries it found, to no avail (everything came back after I restarted).

I tried unchecking any suspicious entries in msconfig (facegame, getpack24, gool, all the wmsncs entries), only to have them all come back after a restart. I tried using Spybot's TeaTimer to block any entries these programs tried to create, to no avail. SUPERAntiSpyware was also used to no avail.

I then tried using Malwarebytes' Anti-Malware, and removed all the bad entries listed. After a restart I got a message claiming lsass could not be found, and I couldn't boot Windows. I went back to Last Known Good Configuration and was able to boot from that. Afterwards, though, I couldn't access anything in Windows Explorer or Internet Explorer. Whenever I try to access Control Panel or browse the contents of any of this PC's drives I get the following error message:

"Windows cannot find 'C:\WINDOWS\fonts\wmsncs.exe'. Make sure you typed the name correctly, and then try again..."

When I try to access Internet Explorer, I get nothing whatsoever (no error message, no startup, just nothing). I'm currently running off Mozilla's Firefox 3 browser.

I was able to successfully access the PC's file system in safe mode, as well as start up Internet Explorer (I took this opportunity to clear out the cache). I still had the same problems in normal mode. Now the entries for Gool, Facegame, getpack24 and wmsncs no longer show up in msconfig. Anything related to XP Antispyware 2009 seems to be absent as well.

I checked my most recent HijackThis log, and I still have a persisting entry for wmsncs. Here's the logfile:

____________________________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:42:21 AM, on 30/11/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: Shell=explorer.exe "C:\WINDOWS\Fonts\wmsncs.exe"
O2 - BHO: (no name) - {5d7b6baa-891e-4fe2-adbf-a775d666df47} - C:\WINDOWS\System32\magagovi.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Java VM v6.91] C:\WINDOWS\System32\jdk-1_5_0_19-windows-i391-pp\jav.bat
O4 - HKCU\..\Run: [Java VM v6.91] C:\WINDOWS\System32\jdk-1_5_0_19-windows-i391-pp\jav.bat
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Java VM v6.91] C:\WINDOWS\System32\jdk-1_5_0_19-windows-i391-pp\jav.bat (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Java VM v6.91] C:\WINDOWS\System32\jdk-1_5_0_19-windows-i391-pp\jav.bat (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7809E9F-5808-4B29-9A82-D7675534BBD5}: NameServer = 207.164.234.129 207.164.234.193
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 3478 bytes


And here's the DDS log file:

____________________________________________________________
DDS (Version 1.0)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 21/03/2002 7:21:28 PM
System Uptime: 30/11/2008 3:31:02 AM (0 hours ago)

Motherboard: IBM | | IBM
Processor: Intel(R) Pentium(R) 4 CPU 1.80GHz | WMT478/NWD | 1794/100mhz
BIOS: PhoenixBIOS 4.0 Release 6.0 for IBM NetVista. | PTLTD - 60400d0 | 20KT46AUS |

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 36 GiB total, 27.367 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP16: 14/10/2008 2:12:10 AM - System Checkpoint
RP17: 17/10/2008 7:45:07 PM - System Checkpoint
RP18: 18/10/2008 10:16:55 PM - System Checkpoint
RP19: 19/10/2008 10:22:07 PM - System Checkpoint
RP20: 20/10/2008 10:26:08 PM - System Checkpoint
RP21: 08/11/2008 2:08:55 AM - System Checkpoint
RP22: 09/11/2008 12:20:10 PM - System Checkpoint
RP23: 15/11/2008 12:55:23 PM - System Checkpoint
RP24: 16/11/2008 1:18:32 PM - System Checkpoint
RP25: 29/11/2008 11:37:53 PM - Installed SUPERAntiSpyware Free Edition
RP26: 30/11/2008 2:09:01 AM - ComboFix created restore point

==== Installed Programs ======================

Sansa Media Converter
Access IBM
Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
ConfigSafe
Contextual Tool Adsoftinc
Default
HijackThis 2.0.2
Intel(R) PRO Ethernet Adapter and Software
Intel(R) PROSet II
Malwarebytes' Anti-Malware
Microsoft Internet Explorer 6 SP1
Microsoft Office 2000 SR-1 Professional
Mozilla Firefox (3.0.4)
NVIDIA Windows 2000/XP Display Drivers
RON Tool Adsoftinc
Sansa Media Converter
Shockwave
SoundMAX
Spybot - Search & Destroy
Starcraft
SUPERAntiSpyware Free Edition
Sympatico 4.73
Sympatico NetAssistant
Uninstall PC-Doctor
WebFldrs XP
Windows Media Format Runtime

==== Event Viewer Messages ===================

24/11/2008 9:14:07 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

==== End Of File ===========================


Any help you can provide would be appreciated.
 

Registered · 3 Posts · Discussion Starter · #3
Re: Need help removing wmsncs, gool, facegame and possibly others

Couldn't find where the old logfile was (I don't remember it creating one in the first place either...), so I ran ComboFix again. Here's the (current) logfile:

____________________________________________________________
ComboFix 08-11-29.01 - Admin 2008-11-30 5:55:37.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.130 [GMT -4:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ntndis.exe
c:\windows\system32\drivers\ntndis.sys

Infected copy of c:\windows\system32\spoolsv.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{DD0FC7C5-571D-4082-B53A-A49C32B8BEEB}\RP26\A0013129.exe


Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{DD0FC7C5-571D-4082-B53A-A49C32B8BEEB}\RP26\A0013019.exe


.
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-30 )))))))))))))))))))))))))))))))
.

2008-11-30 01:47 . 2001-11-08 16:38 844,048 --a------ c:\windows\system32\msdxm.ocx
2008-11-30 01:47 . 2001-11-08 16:38 498,960 --a------ c:\windows\system32\dxmasf.dll
2008-11-30 01:47 . 2001-04-20 12:14 251,904 --a------ c:\windows\system32\strmdll.dll
2008-11-30 01:45 . 2008-11-30 01:46 <DIR> d-------- c:\windows\Windows Update Setup Files
2008-11-30 01:45 . 2008-11-30 01:47 <DIR> d--h----- c:\windows\msdownld.tmp
2008-11-29 23:52 . 2008-11-29 23:52 <DIR> d-------- c:\program files\Trend Micro
2008-11-29 23:38 . 2008-11-29 23:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-29 23:37 . 2008-11-30 00:43 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-29 23:37 . 2008-11-29 23:37 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-29 23:37 . 2008-11-29 23:37 <DIR> d-------- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com
2008-11-29 01:30 . 2008-11-29 01:30 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-29 01:30 . 2008-11-29 01:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-29 01:30 . 2008-11-29 01:30 <DIR> d-------- c:\documents and settings\Admin\Application Data\Malwarebytes
2008-11-29 01:30 . 2008-10-22 16:27 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-29 01:30 . 2008-10-22 16:27 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-29 01:13 . 2008-11-29 01:13 16,399 --a------ c:\windows\xemizis.inf
2008-11-28 18:24 . 2008-11-28 18:24 53,938 --a------ c:\windows\system32\cont_adsoftinc-remove.exe
2008-11-28 18:23 . 2008-11-29 01:29 47,575 --a------ c:\windows\system32\xbndegfrlepwyvkn.exe
2008-11-28 18:19 . 2008-11-28 18:19 16,539 --a------ c:\documents and settings\All Users\Application Data\jocukopeh.exe
2008-11-16 12:54 . 2008-11-16 12:55 111,470 --a------ c:\windows\system32\mksupdate.exe
2008-11-16 12:00 . 2008-11-16 12:00 44 --a------ c:\windows\system32\D.tmp
2008-11-16 12:00 . 2008-11-16 12:00 0 --a------ c:\windows\system32\14.tmp
2008-11-15 12:22 . 2008-11-15 12:22 0 --a------ c:\windows\system32\13.tmp
2008-11-15 12:21 . 2008-11-15 12:22 44 --a------ c:\windows\system32\10.tmp
2008-11-14 17:08 . 2008-11-14 17:08 44 --a------ c:\windows\system32\24.tmp
2008-11-14 17:08 . 2008-11-14 17:08 18 --a------ c:\windows\system32\26.tmp
2008-11-09 10:43 . 2008-11-09 10:43 48 --a------ c:\windows\system32\B.tmp
2008-11-08 20:50 . 2008-11-08 20:50 48 --a------ c:\windows\system32\E5.tmp
2008-11-08 20:50 . 2008-11-08 20:50 18 --a------ c:\windows\system32\E7.tmp
2008-11-08 20:44 . 2008-11-09 11:12 111,470 --a------ c:\windows\system32\mshsupedw.exe
2008-11-08 14:53 . 2008-11-08 20:51 <DIR> d-------- c:\documents and settings\Admin\Application Data\U3
2008-11-08 01:05 . 2008-11-08 01:05 16,359 --a------ c:\windows\qaval.dl
2008-10-26 21:14 . 2008-10-26 21:14 <DIR> d---s---- c:\documents and settings\Admin\UserData
2008-10-21 18:02 . 2008-10-21 18:02 48 --a------ c:\windows\system32\16.tmp
2008-10-21 18:02 . 2008-10-21 18:02 18 --a------ c:\windows\system32\18.tmp
2008-10-21 16:09 . 2008-10-21 16:09 18 --a------ c:\windows\system32\C.tmp
2008-10-19 15:47 . 2008-10-19 15:47 48 --a------ c:\windows\system32\7.tmp
2008-10-19 15:47 . 2008-10-19 15:47 18 --a------ c:\windows\system32\A.tmp
2008-10-19 10:05 . 2008-10-19 10:05 48 --a------ c:\windows\system32\F.tmp
2008-10-19 10:05 . 2008-10-19 10:05 18 --a------ c:\windows\system32\11.tmp
2008-10-19 00:46 . 2008-10-19 00:46 48 --a------ c:\windows\system32\6.tmp
2008-10-19 00:46 . 2008-10-19 00:46 18 --a------ c:\windows\system32\8.tmp
2008-10-19 00:30 . 2008-10-19 00:30 48 --a------ c:\windows\system32\18F.tmp
2008-10-19 00:30 . 2008-10-19 00:30 0 --a------ c:\windows\system32\191.tmp
2008-10-18 19:13 . 2008-10-21 18:52 111,470 --a------ c:\windows\system32\hjsjsuer.exe
2008-10-17 20:59 . 2008-10-17 20:59 19,753 --a------ c:\windows\egyhisokuj.sys
2008-10-17 20:59 . 2008-10-17 20:59 19,132 --a------ c:\windows\system32\acymypen.ban
2008-10-17 20:59 . 2008-10-17 20:59 18,632 --a------ c:\windows\system32\rapav.bin
2008-10-17 20:59 . 2008-10-17 20:59 18,378 --a------ c:\windows\ixokymi._dl
2008-10-17 20:59 . 2008-10-17 20:59 18,023 --a------ c:\windows\ezysoxus.reg
2008-10-17 20:59 . 2008-10-17 20:59 17,450 --a------ c:\documents and settings\Admin\Application Data\dewojar.exe
2008-10-17 20:59 . 2008-10-17 20:59 17,415 --a------ c:\program files\Common Files\yjef.pif
2008-10-17 20:59 . 2008-10-17 20:59 17,173 --a------ c:\documents and settings\Admin\Application Data\pukux.dat
2008-10-17 20:59 . 2008-10-17 20:59 16,712 --a------ c:\documents and settings\All Users\Application Data\omijydefen.sys
2008-10-17 20:59 . 2008-10-17 20:59 16,652 --a------ c:\windows\ilog.bat
2008-10-17 20:59 . 2008-10-17 20:59 15,689 --a------ c:\documents and settings\Admin\Application Data\pavyto.bat
2008-10-17 20:59 . 2008-10-17 20:59 14,694 --a------ c:\program files\Common Files\abehary.com
2008-10-17 20:59 . 2008-10-17 20:59 13,311 --a------ c:\windows\okefocej.db
2008-10-17 20:59 . 2008-10-17 20:59 11,394 --a------ c:\program files\Common Files\ucisuzi.dll
2008-10-17 20:59 . 2008-10-17 20:59 10,525 --a------ c:\windows\ugaz.dat
2008-10-17 20:59 . 2008-10-17 20:59 10,227 --a------ c:\windows\riqyh.sys
2008-10-17 19:49 . 2008-11-29 13:05 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-10-17 19:49 . 2008-11-29 22:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-17 18:25 . 2008-10-17 18:25 12,772 --a------ c:\windows\system32\rezivinuc._dl
2008-10-14 19:32 . 2008-10-14 19:32 18,968 --a------ c:\documents and settings\Admin\Application Data\dutuve.vbs
2008-10-14 19:32 . 2008-10-14 19:32 18,659 --a------ c:\documents and settings\Admin\Application Data\nalix.dll
2008-10-14 19:32 . 2008-10-14 19:32 18,099 --a------ c:\program files\Common Files\amydibu.com
2008-10-14 19:32 . 2008-10-14 19:32 17,954 --a------ c:\documents and settings\All Users\Application Data\pygyw.bin
2008-10-14 19:32 . 2008-10-14 19:32 17,137 --a------ c:\windows\acub.db
2008-10-14 19:32 . 2008-10-14 19:32 16,055 --a------ c:\windows\maxicaxe.db
2008-10-14 19:32 . 2008-10-14 19:32 15,051 --a------ c:\windows\yqivinir.bin
2008-10-14 19:32 . 2008-10-14 19:32 14,714 --a------ c:\documents and settings\All Users\Application Data\qiwemyxecu.com
2008-10-14 19:32 . 2008-10-14 19:32 14,686 --a------ c:\documents and settings\Admin\Application Data\arynijyn.exe
2008-10-14 19:32 . 2008-10-14 19:32 14,172 --a------ c:\documents and settings\Admin\Application Data\ginehyhon.pif
2008-10-14 19:32 . 2008-10-14 19:32 12,624 --a------ c:\windows\system32\favelamo.inf
2008-10-14 19:32 . 2008-10-14 19:32 12,515 --a------ c:\windows\system32\voniby.db
2008-10-14 19:32 . 2008-10-14 19:32 12,152 --a------ c:\windows\paxuhecep.reg
2008-10-14 19:32 . 2008-10-14 19:32 11,948 --a------ c:\windows\deki.scr
2008-10-14 19:32 . 2008-10-14 19:32 11,348 --a------ c:\documents and settings\Admin\Application Data\zefova.scr
2008-10-14 19:32 . 2008-10-14 19:32 11,194 --a------ c:\documents and settings\All Users\Application Data\ajidilu.scr
2008-10-14 19:32 . 2008-10-14 19:32 11,128 --a------ c:\documents and settings\All Users\Application Data\lijepezu.pif
2008-10-14 19:32 . 2008-10-14 19:32 10,742 --a------ c:\documents and settings\Admin\Application Data\uvolikozu.sys
2008-10-14 19:32 . 2008-10-14 19:32 10,100 --a------ c:\windows\system32\yruk.dll
2008-10-14 19:28 . 2008-10-14 19:28 18,423 --a------ c:\documents and settings\All Users\Application Data\ijozip.sys
2008-10-14 19:28 . 2008-10-14 19:28 18,185 --a------ c:\documents and settings\Admin\Application Data\igotokaroz.sys
2008-10-14 19:28 . 2008-10-14 19:28 17,243 --a------ c:\program files\Common Files\qakabojema.pif
2008-10-14 19:28 . 2008-10-14 19:28 16,256 --a------ c:\documents and settings\All Users\Application Data\winy.dll
2008-10-14 19:28 . 2008-10-14 19:28 15,025 --a------ c:\windows\nidevy._sy
2008-10-14 19:28 . 2008-10-14 19:28 14,573 --a------ c:\windows\pilijelos.exe
2008-10-14 19:28 . 2008-10-14 19:28 13,897 --a------ c:\windows\qorax.sys
2008-10-14 19:28 . 2008-10-14 19:28 13,468 --a------ c:\windows\ydonyrulib._sy
2008-10-14 19:28 . 2008-10-14 19:28 13,069 --a------ c:\documents and settings\All Users\Application Data\dydyb.vbs
2008-10-14 19:28 . 2008-10-14 19:28 13,030 --a------ c:\documents and settings\All Users\Application Data\epekofo.vbs
2008-10-14 19:28 . 2008-10-14 19:28 13,026 --a------ c:\windows\gububoj.ban
2008-10-14 19:28 . 2008-10-14 19:28 10,829 --a------ c:\windows\zawyhiju._sy
2008-10-14 18:38 . 2008-10-14 18:38 48 --a------ c:\windows\system32\133.tmp
2008-10-14 18:38 . 2008-10-14 18:38 18 --a------ c:\windows\system32\135.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-30 09:56 1,010,688 ----a-w c:\windows\explorer.exe
2008-11-29 17:04 --------- d-----w c:\program files\Common Files\Real
2008-11-15 16:22 186,240 ----a-w c:\windows\system32\drivers\ndis.sys
2008-10-14 23:32 11,317 ----a-w c:\program files\Common Files\ocinuwy._dl
2008-10-14 23:28 13,587 ----a-w c:\program files\Common Files\qune._sy
2008-10-14 23:20 --------- d-----w c:\documents and settings\Admin\Application Data\MSN6
2002-10-14 22:38 198,144 --sh--r c:\windows\wmssvc.exe
.

------- Sigcheck -------

2008-11-15 12:22 186240 3efd4f59ba0a340de0a3ab984001dbf7 c:\windows\system32\dllcache\ndis.sys
2008-11-15 12:22 186240 3efd4f59ba0a340de0a3ab984001dbf7 c:\windows\system32\drivers\ndis.sys

2008-11-30 05:56 1010688 6d9022780895f945f7236e54b4c16b4b c:\windows\explorer.exe
2001-08-18 09:00 1010688 60d00ee716d71210b3cb66564d5113d2 c:\windows\system32\dllcache\explorer.exe

2001-08-18 09:00 23040 2426fe59bc72f713f34a9c5adaa86fae c:\windows\system32\ctfmon.exe
2001-08-18 09:00 23040 382f25934d7b3d6b201ff3e7f671430f c:\windows\system32\dllcache\ctfmon.exe

2001-08-18 09:00 121856 39fb46dc504677c76da9d06308eb4b4a c:\windows\system32\wuauclt.exe
2001-08-18 09:00 121856 cc00b474c80c40f48965ea0dca8a95ba c:\windows\system32\dllcache\wuauclt.exe

2001-08-18 09:00 31232 e026034bd3bcd6d5ded404f5ad6180c0 c:\windows\system32\userinit.exe
2001-08-18 09:00 31232 0f5e6ee0aca5d5214bfff080fc212ef1 c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((( snapshot@2008-11-30_ 2.21.38.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-30 06:19:13 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-30 10:04:01 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-11-30 06:19:13 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-30 10:04:01 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-11-30 06:19:13 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-30 10:04:01 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2001-06-26 21:49:06 102,450 ----a-w c:\windows\system32\cscript.exe
+ 2001-06-26 21:49:06 114,738 ----a-w c:\windows\system32\cscript.exe
- 2001-06-26 21:49:06 102,450 ----a-w c:\windows\system32\dllcache\cscript.exe
+ 2001-06-26 21:49:06 114,738 ----a-w c:\windows\system32\dllcache\cscript.exe
- 2002-08-29 11:14:40 28,672 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
+ 2002-08-29 11:14:40 38,400 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
- 2002-08-29 11:14:40 24,576 ----a-w c:\windows\system32\dllcache\mshta.exe
+ 2002-08-29 11:14:40 34,304 ----a-w c:\windows\system32\dllcache\mshta.exe
- 2002-08-29 11:06:02 57,344 ----a-w c:\windows\system32\dllcache\msimn.exe
+ 2002-08-29 11:06:02 67,072 ----a-w c:\windows\system32\dllcache\msimn.exe
- 2002-08-29 11:06:02 55,808 ----a-w c:\windows\system32\dllcache\oemig50.exe
+ 2002-08-29 11:06:02 65,536 ----a-w c:\windows\system32\dllcache\oemig50.exe
- 2002-08-29 11:06:14 67,584 ----a-w c:\windows\system32\dllcache\setup50.exe
+ 2002-08-29 11:06:14 77,312 ----a-w c:\windows\system32\dllcache\setup50.exe
- 2002-08-29 11:06:14 42,496 ----a-w c:\windows\system32\dllcache\wab.exe
+ 2002-08-29 11:06:14 52,224 ----a-w c:\windows\system32\dllcache\wab.exe
- 2002-08-29 11:06:14 27,648 ----a-w c:\windows\system32\dllcache\wabmig.exe
+ 2002-08-29 11:06:14 37,376 ----a-w c:\windows\system32\dllcache\wabmig.exe
- 2001-06-26 21:53:50 118,834 ----a-w c:\windows\system32\dllcache\wscript.exe
+ 2001-06-26 21:53:50 131,122 ----a-w c:\windows\system32\dllcache\wscript.exe
- 2008-11-30 02:22:33 40,196 ----a-w c:\windows\system32\perfc009.dat
+ 2008-11-30 09:58:59 40,196 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-30 02:22:33 311,934 ----a-w c:\windows\system32\perfh009.dat
+ 2008-11-30 09:58:59 311,934 ----a-w c:\windows\system32\perfh009.dat
- 2008-11-30 06:11:57 51,200 ----a-w c:\windows\system32\spoolsv.exe
+ 2008-11-30 09:56:53 51,200 ----a-w c:\windows\system32\spoolsv.exe
- 2005-01-28 20:44:28 38,912 ----a-w c:\windows\system32\wdfmgr.exe
+ 2005-01-28 20:44:28 48,640 ----a-w c:\windows\system32\wdfmgr.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5d7b6baa-891e-4fe2-adbf-a775d666df47}]
2008-08-29 13:41 71680 --ahs---- c:\windows\System32\magagovi.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Java VM v6.91"="c:\windows\System32\jdk-1_5_0_19-windows-i391-pp\jav.bat" [2008-01-21 87]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"GetPack24"="c:\program files\GetPack\GetPack24.exe" [BU]
"Facegame"="c:\documents and settings\Admin\Application Data\Facegame\Facegame.exe" [BU]
"SfKg6wIP"="c:\documents and settings\Admin\Application Data\Microsoft\Windows\lfjxva.exe" [BU]
"Gool"="c:\documents and settings\Admin\Application Data\Gool\Gool.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\Smtray.exe" [2002-06-07 102400]
"ConfigSafe"="c:\cfgsafe\NTFSCLUP.EXE" [2001-05-18 53248]
"CSScheduleCheck"="c:\cfgsafe\SCHWIZEX.EXE" [2001-05-03 77824]
"Motive SmartBridge"="c:\progra~1\NETASS~1\SMARTB~1\MotiveSB.exe" [2002-10-31 339968]
"Java VM v6.91"="c:\windows\System32\jdk-1_5_0_19-windows-i391-pp\jav.bat" [2008-01-21 87]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Java VM v6.91"="" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Java VM v6.91"="c:\windows\System32\jdk-1_5_0_19-windows-i391-pp\jav.bat" [2008-01-21 87]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 77876]
NetAssistant.lnk - c:\program files\NetAssistant\bin\matcli.exe [2002-08-18 212992]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{1DD7CBED-2F05-11D3-A521-00400514C916}"= "c:\cfgsafe\CSHOOK.DLL" [2001-09-24 126976]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe \"c:\\WINDOWS\\Fonts\\wmsncs.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ WinCinema Manager.lnk
backup=c:\windows\pss\ WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^wmsncs.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\wmsncs.exe
backup=c:\windows\pss\wmsncs.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
NvQTwk [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Facegame]
c:\documents and settings\Admin\Application Data\Facegame\Facegame.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GetPack24]
c:\program files\GetPack\GetPack24.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gool]
c:\documents and settings\Admin\Application Data\Gool\Gool.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6wIP]
c:\documents and settings\Admin\Application Data\Microsoft\Windows\lfjxva.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"wmssvc.exe"= wmssvc.exe:SYSTEM

R2 NET Service;NET Service;"c:\windows\wmssvc.exe" [2002-10-14 198144]
S4 hpt3xx;hpt3xx; []

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{103L3C30-C3B3-4130-9363-E59E1375PERM}]
c:\windows\Fonts\wmsncs.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-24 c:\windows\Tasks\Scheduled Snapshot.job
- c:\cfgsafe\SCHWIZEX.EXE [2001-05-03 20:03]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\v16ngose.default\
FF -: plugin - c:\program files\Adobe\Acrobat 5.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Sympatico\Communicator\Program\Plugins\np32asw.dll
FF -: plugin - c:\program files\Sympatico\Communicator\Program\Plugins\NP32DSW.DLL
FF -: plugin - c:\program files\Sympatico\Communicator\Program\Plugins\npaudio.dll
FF -: plugin - c:\program files\Sympatico\Communicator\Program\Plugins\npavi32.dll
FF -: plugin - c:\program files\Sympatico\Communicator\Program\Plugins\NPBeatSP.dll
FF -: plugin - c:\program files\Sympatico\Communicator\Program\Plugins\NPDocBox.dll
FF -: plugin - c:\program files\Sympatico\Communicator\Program\Plugins\npdrmv2.dll
FF -: plugin - c:\program files\Sympatico\Communicator\Program\Plugins\npdsplay.dll
FF -: plugin - c:\program files\Sympatico\Communicator\Program\Plugins\npnul32.dll
FF -: plugin - c:\program files\Sympatico\Communicator\Program\Plugins\nppdf32.dll
FF -: plugin - c:\program files\Sympatico\Communicator\Program\Plugins\nppl3260.dll
FF -: plugin - c:\program files\Sympatico\Communicator\Program\Plugins\NPSVGVw.dll
FF -: plugin - c:\program files\Sympatico\Communicator\Program\Plugins\npswf32.dll
FF -: plugin - c:\program files\Sympatico\Communicator\Program\Plugins\npwmsdrm.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-30 06:04:16
Windows 5.1.2600 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

c:\windows\wmssvc.exe [1616] 0x80E82020

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Java VM v6.91 = c:\windows\System32\jdk-1_5_0_19-windows-i391-pp\jav.bat???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Java VM v6.91 = ???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Java VM v6.91 = c:\windows\System32\jdk-1_5_0_19-windows-i391-pp\jav.bat???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\ODBC32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(692)
c:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\combofix\hidec.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\combofix\Catchme.tmp
.
**************************************************************************
.
Completion time: 2008-11-30 6:08:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-30 10:07:29
ComboFix2.txt 2008-11-30 06:23:51

Pre-Run: 29,761,765,376 bytes free
Post-Run: 29,416,632,320 bytes free

309


Spybot's TeaTimer picked up a registry entry made for "Spool Driver Service" pointing at ...system32\spool\drivers\wmsncs.exe. Should I block it?
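The HijackThis F2 line in the first post (a second program appended to the Winlogon Shell value) and the ComboFix sections above (the Run keys, the Sigcheck block and the Security Center overrides) are the indicators a responder reads first. The script below is an added example, not code from this thread or from HijackThis/ComboFix; it parses lines copied from those logs, embedded here as constructed sample input, and flags the same four things you would check by hand: a Shell value that launches anything besides explorer.exe, Run entries that start a script or run out of a user profile or the Fonts directory, system binaries whose hash differs from the dllcache copy at the same size, and Security Center override values set to 1. The directory and extension lists are my assumptions for illustration, not rules from any tool.

```python
"""Triage helpers for the persistence indicators quoted in this thread's logs (added example)."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample input: lines copied/adapted from the HijackThis and
# ComboFix logs posted above, not read from a live system.
HJT_SAMPLE = r"""
F2 - REG:system.ini: Shell=explorer.exe "C:\WINDOWS\Fonts\wmsncs.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [Java VM v6.91] C:\WINDOWS\System32\jdk-1_5_0_19-windows-i391-pp\jav.bat
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Gool] C:\Documents and Settings\Admin\Application Data\Gool\Gool.exe
"""
SIGCHECK_SAMPLE = r"""
2008-11-30 05:56 1010688 6d9022780895f945f7236e54b4c16b4b c:\windows\explorer.exe
2001-08-18 09:00 1010688 60d00ee716d71210b3cb66564d5113d2 c:\windows\system32\dllcache\explorer.exe
2008-11-15 12:22 186240 3efd4f59ba0a340de0a3ab984001dbf7 c:\windows\system32\dllcache\ndis.sys
2008-11-15 12:22 186240 3efd4f59ba0a340de0a3ab984001dbf7 c:\windows\system32\drivers\ndis.sys
2001-08-18 09:00 31232 e026034bd3bcd6d5ded404f5ad6180c0 c:\windows\system32\userinit.exe
2001-08-18 09:00 31232 0f5e6ee0aca5d5214bfff080fc212ef1 c:\windows\system32\dllcache\userinit.exe
"""
SECCENTER_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"""

SHELL_RE = re.compile(r"Shell=(.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.+)$")
PROG_RE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|bat|cmd|vbs|js|pif|scr|com|dll))(?=\s|$)', re.I)
SIG_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d (\d+) ([0-9a-f]{32}) (.+)$")
DWORD_RE = re.compile(r'^"(\w+)"=dword:([0-9a-fA-F]{8})$')

# Assumed heuristics: places a legitimate Run target should not live, and
# extensions that mean the autostart is a script rather than a signed binary.
UNUSUAL_DIRS = ("\\documents and settings\\", "\\application data\\",
                "\\local settings\\temp\\", "\\windows\\fonts\\")
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js", ".pif", ".scr", ".com"}
OVERRIDE_VALUES = {"AntiVirusOverride", "AntiVirusDisableNotify", "FirewallOverride",
                   "FirewallDisableNotify", "UpdatesDisableNotify"}


def extra_shell_programs(hjt_text):
    """Programs appended to the Winlogon Shell value. Stock XP is exactly
    explorer.exe; anything after it starts beside Explorer at every logon, and
    deleting that file without fixing the value gives the poster's cannot-find error."""
    extra = []
    for line in hjt_text.splitlines():
        m = SHELL_RE.search(line)
        if not m:
            continue
        for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', m.group(1)):
            prog = quoted or bare
            if prog.lower() != "explorer.exe":
                extra.append(prog)
    return extra


def _program(target):
    """Strip command-line arguments from an O4 target, honouring a quoted path."""
    m = PROG_RE.match(target.strip())
    return (m.group(1) or m.group(2)) if m else target.strip()


def suspicious_run_entries(hjt_text):
    """(name, program, reasons) for O4 Run entries that look like malware autostarts."""
    flagged = []
    for line in hjt_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        prog = _program(m.group("target"))
        reasons = []
        if any(d in prog.lower() for d in UNUSUAL_DIRS):
            reasons.append("runs from a user-writable or unusual directory")
        if PureWindowsPath(prog).suffix.lower() in SCRIPT_EXTS:
            reasons.append("autostart is a script, not an executable")
        if reasons:
            flagged.append((m.group("name"), prog, reasons))
    return flagged


def sigcheck_mismatches(sig_text):
    """Files whose live copy hashes differently from the dllcache copy. Equal size
    with a different MD5 is what an in-place file infector leaves (a hotfix normally
    changes the size too). dllcache is only a reference if it was not tampered with,
    so confirm against a known-good hash before trusting either copy."""
    rows = defaultdict(list)
    for line in sig_text.splitlines():
        m = SIG_RE.match(line.strip())
        if m:
            size, md5, path = m.groups()
            rows[PureWindowsPath(path).name.lower()].append((int(size), md5))
    report = {}
    for name, entries in rows.items():
        if len({md5 for _, md5 in entries}) > 1:
            same_size = len({size for size, _ in entries}) == 1
            report[name] = "same size, different hash" if same_size else "different size and hash"
    return report


def security_center_overrides(reg_text):
    """Security Center values set to 1; they silence the no-antivirus/no-firewall
    warnings, which is how the rogue AV kept the Security Center quiet."""
    hits, in_key = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.lower().endswith("security center]")
            continue
        m = DWORD_RE.match(line)
        if in_key and m and m.group(1) in OVERRIDE_VALUES and int(m.group(2), 16) == 1:
            hits.append(m.group(1))
    return sorted(hits)


if __name__ == "__main__":
    print("Shell extras:", extra_shell_programs(HJT_SAMPLE))
    for name, prog, why in suspicious_run_entries(HJT_SAMPLE):
        print(f"Run [{name}] -> {prog}: {'; '.join(why)}")
    print("Sigcheck:", sigcheck_mismatches(SIGCHECK_SAMPLE))
    print("Security Center overrides:", security_center_overrides(SECCENTER_SAMPLE))
```

On the sample, the Shell check returns only wmsncs.exe, the Run check flags the jav.bat entry (a script under a fake JDK directory) and the Gool entry (runs from Application Data) while leaving SoundMAX, ConfigSafe and TeaTimer alone, the Sigcheck comparison reports explorer.exe and userinit.exe but not ndis.sys, and all five Security Center overrides come back set. None of this proves a file is malicious on its own; it narrows a 500-line log to the handful of lines worth hashing and looking up.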
 

TSF Security Team, Emeritus · 26,408 Posts
Re: Need help removing wmsncs, gool, facegame and possibly others

I shall be frank. You're badly infected, and I do not have the confidence to bring you out of this. The machine is badly compromised. This is mainly due to the fact that this machine does not have a resident antivirus program. Bringing one in now is too late. There's severe damage to your system files. I recommend that you wipe the machine.
 

Registered · 3 Posts · Discussion Starter · #5
Re: Need help removing wmsncs, gool, facegame and possibly others

That's what I feared. I don't have the time or expertise either, so I'll wipe the system and start over, making sure to install the appropriate security software this time around before handing it over to the less tech savvy people using this PC.

Thanks for all your help.
 