--SOLVED--Deep Problem!!
tech2in
07-12-2008, 11:11 AM
Guys, some trouble here. I was surfing online. I usually use Mozilla Firefox, but yesterday I was on IE6. Just then my antivirus, Avast 4.8 Home Edition, popped up saying "Malware detected. Move to chest (recommended action)". I did that, but it kept popping up. Also the wallpaper changed to "Warning! Spyware detected on your computer. Download an antivirus (as if I never had one) or spyware remover."
Also a program popped up named Antivirus XP 2008 and started scanning automatically, and then it showed me something like 1200 viruses. I restarted the system in safe mode, did the whole scan through SUPERAntiSpyware and removed this Antivirus XP software. The scan showed 81 viruses (1 in the registry and the rest file items). I did as it said, quarantined them and all, then restarted and scanned again: no virus!
But the computer has again gone back to the same state with the same wallpaper. I have no clue how to get rid of it, and I don't want to format it.
The virus type, according to Avast, is rootkit.
Scotty
07-12-2008, 11:16 AM
Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Post that log back here.
Download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
For Vista users, right-click DSS and select Run As Administrator
If asked to install HijackThis, click on Yes.
When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
tech2in
07-12-2008, 11:23 AM
Well, I am running safe mode with networking, so is it OK to do all the downloading stuff and all? Is there any problem if I stay in this mode for too long?
Also Avast antivirus is doing the system scan, so should I cancel it for the time being?
Scotty
07-12-2008, 11:41 AM
Stop the Avast scan for now.
Just do the Deckard's System Scanner for the moment.
mylanta
07-12-2008, 12:40 PM
Scotty, I am curious why Avast is calling this a rootkit. That could be something different on the horizon.
Scotty
07-12-2008, 02:48 PM
Nothing would surprise me anymore. Sometimes AVs don't clearly define rootkits, e.g. some aspects of Vundo use "rootkit-like" abilities but aren't actually rootkits.
tech2in
07-13-2008, 12:08 PM
I did as you said, but I was able to do all the scanning in Safe Mode with Networking. Is that OK?
extra.txt
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: Intel Pentium III processor
Percentage of Memory in Use: 60%
Physical Memory (total/avail): 126.43 MiB / 50.5 MiB
Pagefile Memory (total/avail): 307.67 MiB / 237.21 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1928.66 MiB
A: is Removable (No Media)
C: is Fixed (FAT32) - 13.96 GiB total, 2.82 GiB free.
D: is Fixed (FAT32) - 23.32 GiB total, 1.64 GiB free.
E: is CDROM (No Media)
F: is CDROM (CDFS)
\\.\PHYSICALDRIVE0 - SAMSUNG SV0411N - 37.31 GiB - 2 partitions
\PARTITION0 (bootable) - Unknown - 13.97 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 23.33 GiB - D:
-- Security Center -------------------------------------------------------------
AUOptions is disabled.
Windows Internal Firewall is enabled.
FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.
FirewallOverride is set.
AV: avast! antivirus 4.8.1201 [VPS 080624-0] v4.8.1201 (ALWIL Software) Outdated
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares p2p for windows"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\BitLord\\BitLord.exe"="C:\\Program Files\\BitLord\\BitLord.exe:*:Enabled:BitLord"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\****\\cs Portable College edition\\hlds.exe"="C:\\****\\cs Portable College edition\\hlds.exe:*:Enabled:HLDS Launcher"
"C:\\****\\cs Portable College edition\\hltv.exe"="C:\\****\\cs Portable College edition\\hltv.exe:*:Enabled:HLTV Launcher"
-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLASSPATH=.;C:\Program Files\K-Lite Codec Pack\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SOFT-D73DCBCB53
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\SOFT-D73DCBCB53
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\K-Lite Codec Pack\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0803
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\K-Lite Codec Pack\QuickTime\QTSystem\QTJava.zip
SAFEBOOT_OPTION=NETWORK
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=SOFT-D73DCBCB53
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS
-- User Profiles ---------------------------------------------------------------
Administrator (admin)
-- Add/Remove Programs ---------------------------------------------------------
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{22EB2FA7-1BA0-4FFB-972F-353EC6ABA9D5}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{28B97CAB-828F-49D8-A30A-675476F9BA92}\setup.exe" -l0x9 /cont -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4E7DC12A-3597-4A94-9429-F6C6987361B1}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6813C983-427E-4511-8456-E98FCAA1A125}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DADB304-AF20-48C3-A780-4B4133A08817}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9C423CF6-2DAA-4A37-94B8-59D7ECC7DB13}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ACE66099-E18E-4037-83C8-9D182E5B9FA8}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B34B6E67-FCDD-4E03-8742-B5701427FAFB}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FA6CC4B4-7741-4F8D-8E81-15C4BAB9869B}\setup.exe" -l0x9 -removeonly
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 6.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-000000000001}
Adobe Shockwave Player 11 --> C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Apple Mobile Device Support --> MsiExec.exe /I{3EBD3749-304E-4A4C-9575-C00E5F015217}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Ares 2.0.8 --> "C:\Program Files\Ares\uninstall.exe"
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
BitLord 1.1 --> C:\Program Files\BitLord\uninst.exe
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Cricket 2002 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD8BD297-5B65-4420-BA11-25FBAD24A1AD}\Setup.exe"
EAGLE 4.11 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\EAGLE-4.11\DeIsL1.isu"
EAGLE 4.16r1 --> C:\WINDOWS\unin0407.exe -f"C:\Program Files\EAGLE-4.16r1\DeIsL1.isu"
Eagle3D 1.05 --> "C:\Program Files\Eagle\ulp\Eagle3D\unins000.exe"
ExpressPCB --> MsiExec.exe /X{02E78A82-D1A6-4C1C-90C5-12473B36B1E5}
FIFA RTWC 98 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\EA SPORTS\FIFA RTWC 98\DeIsL1.isu"
Guitar Pro 5.2 --> "C:\Program Files\Guitar Pro 5\unins000.exe"
ImageMixer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5AA18C57-381C-4C99-8FE6-5EB1CB0A5BC0}\Setup.exe" -l0x9
iTunes --> MsiExec.exe /I{7FF9CD9C-6E0C-4462-9670-F424DCB32DAF}
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
K-Lite Mega Codec Pack 1.70 --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
LimeWire 4.14.10 --> "C:\Program Files\LimeWire\uninstall.exe"
Magic ISO Maker v5.5 (build 0261) --> C:\PROGRA~1\MAGICISO\UNWISE.EXE C:\PROGRA~1\MAGICISO\INSTALL.LOG
MagicDisc 2.7.97 --> C:\PROGRA~1\MAGICD~1\UNWISE.EXE C:\PROGRA~1\MAGICD~1\INSTALL.LOG
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (2.0.0.15) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Power Tab Editor 1.7 --> C:\PROGRA~1\PTSOFT~1\PTEDIT~1\UNWISE.EXE C:\PROGRA~1\PTSOFT~1\PTEDIT~1\INSTALL.LOG
Prince of Persia 3D --> E:\PRINCE~2\PRINCE~6\IsUninst.exe -f"<r>\UninstPOP.isu"
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
Sony Picture Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5068583-D569-468B-9755-5FBF5848F46F}\setup.exe" -l0x9 /removeonly uninstall -removeonly
Sony USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\setup.exe" -l0x9 UNINSTALL -removeonly
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Tactile12000 2.1 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Tactile Pictures\Uninst.isu"
TVUPlayer 2.3.6.1 --> C:\Program Files\TVUPlayer\uninst.exe
Unlocker 1.8.5 --> C:\Program Files\Unlocker\uninst.exe
VideoLAN VLC media player 0.8.6c --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Mail --> MsiExec.exe /I{184E7118-0295-43C4-B72C-1D54AA75AAF7}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WordWeb --> C:\Program Files\WordWeb\uninst.exe
Yahoo! Messenger --> C:\PROGRA~1\YAHOO!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\YAHOO!\MESSEN~1\INSTALL.LOG
-- Application Event Log -------------------------------------------------------
Event Record #/Type1117 / Error
Event Submitted/Written: 07/13/2008 02:03:14 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application msserv.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x0037c82a.
Processing media-specific event for [msserv.exe!ws!]
Event Record #/Type1116 / Error
Event Submitted/Written: 07/13/2008 01:55:20 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application msserv.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x0037c82a.
Processing media-specific event for [msserv.exe!ws!]
Event Record #/Type1114 / Error
Event Submitted/Written: 07/12/2008 07:05:27 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application msserv.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x0037c82a.
Processing media-specific event for [msserv.exe!ws!]
Event Record #/Type1111 / Error
Event Submitted/Written: 07/11/2008 00:40:39 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application ares.exe, version 2.0.8.3029, faulting module ares.exe, version 2.0.8.3029, fault address 0x0026f22e.
Processing media-specific event for [ares.exe!ws!]
Event Record #/Type1110 / Warning
Event Submitted/Written: 07/11/2008 00:11:17 PM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x8007043C
-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.
-- System Event Log ------------------------------------------------------------
Event Record #/Type2666 / Error
Event Submitted/Written: 07/13/2008 08:53:16 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Computer Browser service terminated with the following error:
%%1460
Event Record #/Type2662 / Error
Event Submitted/Written: 07/13/2008 08:49:16 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
Aavmker4
Afif50
aswSP
Fips
SASDIFSV
SASKUTIL
Event Record #/Type2661 / Error
Event Submitted/Written: 07/13/2008 08:48:33 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
Event Record #/Type2657 / Error
Event Submitted/Written: 07/13/2008 02:03:53 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Computer Browser service terminated with the following error:
%%1460
Event Record #/Type2637 / Error
Event Submitted/Written: 07/13/2008 01:59:03 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
Afif50
-- End of Deckard's System Scanner: finished at 2008-07-13 21:30:24 ------------
tech2in
07-13-2008, 12:14 PM
Main.txt
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-07-13 21:27:52
Computer is in Safe Mode with Networking.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
-- Last 5 Restore Point(s) --
21: 2008-07-13 08:25:32 UTC - RP135 - Deckard's System Scanner Restore Point
20: 2008-07-12 06:48:38 UTC - RP134 - Installed SUPERAntiSpyware Free Edition
19: 2008-07-10 06:39:06 UTC - RP133 - System Checkpoint
18: 2008-07-06 05:25:10 UTC - RP132 - Shockwave Player
17: 2008-07-04 16:10:18 UTC - RP131 - System Checkpoint
-- First Restore Point --
1: 2008-05-31 15:09:54 UTC - RP115 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
Total Physical Memory: 127 MiB (512 MiB recommended).
-- HijackThis Clone ------------------------------------------------------------
Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-13 21:29:09
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [runwinlogon] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [lphc9a7j0e37g] C:\WINDOWS\system32\lphc9a7j0e37g.exe
O4 - HKLM\..\Run: [SMrhcca7j0e37g] C:\Program Files\rhcca7j0e37g\rhcca7j0e37g.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [msserv] C:\WINDOWS\msserv.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: WordWeb.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{90029A2D-51B9-4FE5-8578-E868E6E5CD96}: NameServer = 202.56.215.6,202.56.230.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 4414 bytes
-- File Associations -----------------------------------------------------------
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>
R3 slnt (Realtek Rtl-8139d PCI Fast Ethernet Adapter) - c:\windows\system32\drivers\slnt.sys <Not Verified; Silan Micro-Electronics Inc.; Silan Micro-Electronics Inc.>
S1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
S1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
S3 PIXMCV (JVC Communication PIX-MCV Driver) - c:\windows\system32\drivers\pixmcvc.sys <Not Verified; Pixela; PIX-MCV Communication Driver (WinMe/2000/XP)>
S3 PIXMCVA (JVC PIX-MCV Audio Capture) - c:\windows\system32\drivers\pixmcva.sys <Not Verified; Pixela; Pixela>
S3 PIXMCVV (JVC PIX-MCV Video Capture) - c:\windows\system32\drivers\pixmcvv.sys <Not Verified; Pixela; Pixela>
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
S2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S3 AresChatServer (Ares Chatroom server) - c:\program files\ares\chatserver.exe <Not Verified; Ares Development Group; Ares Chat Server>
S3 aspnet_state (ASP.NET State Service) - c:\windows\microsoft.net\framework\v2.0.50727\aspnet_state.exe (file missing)
-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {D45B1C18-C8FA-11D1-9F77-0000F805F530}
Description: NT Apm/Legacy Interface Node
Device ID: ROOT\NTAPM\0000
Manufacturer: Microsoft
Name: NT Apm/Legacy Interface Node
PNP Device ID: ROOT\NTAPM\0000
Service: NtApm
-- Scheduled Tasks -------------------------------------------------------------
2008-07-13 13:58:32 318 --ahs---- C:\WINDOWS\Tasks\Tasks.job
2007-12-23 20:19:48 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
-- Files created between 2008-06-13 and 2008-07-13 -----------------------------
2008-07-13 20:47:58 0 d--hs---- C:\FOUND.013
2008-07-12 21:17:15 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-12 21:17:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-12 21:17:03 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-12 12:19:51 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-12 12:18:47 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-12 12:18:47 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-07-11 12:11:14 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-11 11:46:41 0 d--hs---- C:\WINDOWS\CSC
2008-07-11 11:46:28 0 d--hs---- C:\FOUND.012
2008-07-11 11:02:58 23040 --a------ C:\WINDOWS\system32\sysrest32.exe
2008-07-11 11:02:28 31232 --a------ C:\WINDOWS\system32\mssrv32.exe
2008-07-10 22:22:12 0 d--hs---- C:\FOUND.009
2008-07-10 21:51:50 94208 --a------ C:\WINDOWS\system32\pphc9a7j0e37g.exe
2008-07-10 21:51:47 0 d-------- C:\Documents and Settings\Administrator\Application Data\rhcca7j0e37g
2008-07-10 21:44:21 60928 --a------ C:\WINDOWS\system32\blphc9a7j0e37g.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-07-10 21:42:52 118272 --a------ C:\WINDOWS\msserv.exe
2008-07-10 21:41:36 101888 --a------ C:\WINDOWS\system32\lphc9a7j0e37g.exe
2008-07-10 21:39:54 26624 --a------ C:\WINDOWS\system32\drivers\svchost.exe
2008-07-09 21:21:54 0 d-------- C:\WINDOWS\pss
2008-07-06 00:12:30 0 d--hs---- C:\FOUND.008
2008-07-04 18:30:08 0 d--hs---- C:\FOUND.007
2008-07-03 23:56:48 0 d--hs---- C:\FOUND.006
2008-07-03 21:41:23 0 d-------- C:\Documents and Settings\Administrator\Application Data\eBookPro6
2008-06-27 18:44:42 0 d--hs---- C:\FOUND.005
2008-06-26 22:56:42 0 d--hs---- C:\FOUND.004
2008-06-26 21:58:10 0 d--hs---- C:\FOUND.003
2008-06-25 20:17:02 1024 --a------ C:\WINDOWS\system32\sleep.exe
2008-06-25 01:52:31 0 d-------- C:\Program Files\Myrtilus Entertainment
2008-06-25 01:52:09 221184 -----n--- C:\WINDOWS\system32\MSHTMPGD.DLL <Not Verified; Microsoft Corporation; DHTMLPageDesigner Object Library>
2008-06-25 01:52:08 299008 -----n--- C:\WINDOWS\system32\MSDBRPTR.DLL <Not Verified; Microsoft Corporation; MSDataReport>
2008-06-19 11:18:58 0 d--hs---- C:\FOUND.002
-- Find3M Report ---------------------------------------------------------------
2008-06-08 23:14:26 1072 --a------ C:\WINDOWS\EReg072.dat
2008-06-08 21:25:34 0 d-------- C:\Program Files\MagicDisc
2008-06-08 18:50:50 0 d-------- C:\Program Files\MagicISO
2008-06-07 23:39:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\IGN_DLM
2008-06-06 16:54:40 0 d-------- C:\Program Files\Counter-Strike
2008-06-05 00:16:34 502 --a------ C:\WINDOWS\eReg.dat
2008-06-05 00:10:30 0 d-------- C:\Program Files\EA SPORTS
2008-06-04 23:02:12 0 d-------- C:\Program Files\Guitar Pro 5
2008-06-04 22:38:22 11289948 --a------ C:\GP5DEMO.exe <Not Verified; Arobas Music; >
2008-05-29 01:03:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\TVU Networks
2008-05-29 01:02:00 0 d-------- C:\Program Files\TVUPlayer
2008-05-27 20:04:58 39424 --a------ C:\WINDOWS\winlogon.exe
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/16/2008 04:49 AM]
"runwinlogon"="C:\WINDOWS\winlogon.exe" [05/27/2008 08:04 PM]
"lphc9a7j0e37g"="C:\WINDOWS\system32\lphc9a7j0e37g.exe" [07/10/2008 09:41 PM]
"SMrhcca7j0e37g"="C:\Program Files\rhcca7j0e37g\rhcca7j0e37g.exe" []
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SVCHOST.EXE"="C:\WINDOWS\system32\drivers\svchost.exe" [07/10/2008 09:39 PM]
"msserv"="C:\WINDOWS\msserv.exe" [07/10/2008 09:42 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 02:06 PM]
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [12/23/2007 7:56:49 PM]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
backup=C:\WINDOWS\pss\Picture Motion Browser Media Check Tool.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runwinlogon]
C:\WINDOWS\winlogon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
"C:\Program Files\Unlocker\UnlockerAssistant.exe"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\AUTORUN.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23b26ff0-357c-11dd-a4a6-00e0206e0269}]
AutoRun\command- F:\AUTORUN.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b021a8b0-e3d0-11dc-a3f9-00e0206e0269}]
explore\Command- mshta "javascript:new ActiveXObject('WScript.Shell').Run('SOLA\\SOLA.BAT -USB',0);window.close()"
open\Command- mshta "javascript:new ActiveXObject('WScript.Shell').Run('SOLA\\SOLA.BAT -USB',0);window.close()"
打开(&O)\command- mshta "javascript:new ActiveXObject('WScript.Shell').Run('SOLA\\SOLA.BAT -USB',0);window.close()"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8659e20-0586-11dd-a44d-00e0206e0269}]
AutoRun\command- SCVHSOT.exe
Open\command- SCVHSOT.exe
-- End of Deckard's System Scanner: finished at 2008-07-13 21:30:24 ------------
Please help me man!!
tech2in
07-13-2008, 12:33 PM
Main.txt
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-07-13 21:27:52
Computer is in Safe Mode with Networking.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
-- Last 5 Restore Point(s) --
21: 2008-07-13 08:25:32 UTC - RP135 - Deckard's System Scanner Restore Point
20: 2008-07-12 06:48:38 UTC - RP134 - Installed SUPERAntiSpyware Free Edition
19: 2008-07-10 06:39:06 UTC - RP133 - System Checkpoint
18: 2008-07-06 05:25:10 UTC - RP132 - Shockwave Player
17: 2008-07-04 16:10:18 UTC - RP131 - System Checkpoint
-- First Restore Point --
1: 2008-05-31 15:09:54 UTC - RP115 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
Total Physical Memory: 127 MiB (512 MiB recommended).
-- HijackThis Clone ------------------------------------------------------------
Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-13 21:29:09
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [runwinlogon] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [lphc9a7j0e37g] C:\WINDOWS\system32\lphc9a7j0e37g.exe
O4 - HKLM\..\Run: [SMrhcca7j0e37g] C:\Program Files\rhcca7j0e37g\rhcca7j0e37g.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [msserv] C:\WINDOWS\msserv.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: WordWeb.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{90029A2D-51B9-4FE5-8578-E868E6E5CD96}: NameServer = 202.56.215.6,202.56.230.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 4414 bytes
-- File Associations -----------------------------------------------------------
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>
R3 slnt (Realtek Rtl-8139d PCI Fast Ethernet Adapter) - c:\windows\system32\drivers\slnt.sys <Not Verified; Silan Micro-Electronics Inc.; Silan Micro-Electronics Inc.>
S1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
S1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
S3 PIXMCV (JVC Communication PIX-MCV Driver) - c:\windows\system32\drivers\pixmcvc.sys <Not Verified; Pixela; PIX-MCV Communication Driver (WinMe/2000/XP)>
S3 PIXMCVA (JVC PIX-MCV Audio Capture) - c:\windows\system32\drivers\pixmcva.sys <Not Verified; Pixela; Pixela>
S3 PIXMCVV (JVC PIX-MCV Video Capture) - c:\windows\system32\drivers\pixmcvv.sys <Not Verified; Pixela; Pixela>
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
S2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S3 AresChatServer (Ares Chatroom server) - c:\program files\ares\chatserver.exe <Not Verified; Ares Development Group; Ares Chat Server>
S3 aspnet_state (ASP.NET State Service) - c:\windows\microsoft.net\framework\v2.0.50727\aspnet_state.exe (file missing)
-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {D45B1C18-C8FA-11D1-9F77-0000F805F530}
Description: NT Apm/Legacy Interface Node
Device ID: ROOT\NTAPM\0000
Manufacturer: Microsoft
Name: NT Apm/Legacy Interface Node
PNP Device ID: ROOT\NTAPM\0000
Service: NtApm
-- Scheduled Tasks -------------------------------------------------------------
2008-07-13 13:58:32 318 --ahs---- C:\WINDOWS\Tasks\Tasks.job
2007-12-23 20:19:48 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
-- Files created between 2008-06-13 and 2008-07-13 -----------------------------
2008-07-13 20:47:58 0 d--hs---- C:\FOUND.013
2008-07-12 21:17:15 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-12 21:17:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-12 21:17:03 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-12 12:19:51 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-12 12:18:47 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-12 12:18:47 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-07-11 12:11:14 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-11 11:46:41 0 d--hs---- C:\WINDOWS\CSC
2008-07-11 11:46:28 0 d--hs---- C:\FOUND.012
2008-07-11 11:02:58 23040 --a------ C:\WINDOWS\system32\sysrest32.exe
2008-07-11 11:02:28 31232 --a------ C:\WINDOWS\system32\mssrv32.exe
2008-07-10 22:22:12 0 d--hs---- C:\FOUND.009
2008-07-10 21:51:50 94208 --a------ C:\WINDOWS\system32\pphc9a7j0e37g.exe
2008-07-10 21:51:47 0 d-------- C:\Documents and Settings\Administrator\Application Data\rhcca7j0e37g
2008-07-10 21:44:21 60928 --a------ C:\WINDOWS\system32\blphc9a7j0e37g.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-07-10 21:42:52 118272 --a------ C:\WINDOWS\msserv.exe
2008-07-10 21:41:36 101888 --a------ C:\WINDOWS\system32\lphc9a7j0e37g.exe
2008-07-10 21:39:54 26624 --a------ C:\WINDOWS\system32\drivers\svchost.exe
2008-07-09 21:21:54 0 d-------- C:\WINDOWS\pss
2008-07-06 00:12:30 0 d--hs---- C:\FOUND.008
2008-07-04 18:30:08 0 d--hs---- C:\FOUND.007
2008-07-03 23:56:48 0 d--hs---- C:\FOUND.006
2008-07-03 21:41:23 0 d-------- C:\Documents and Settings\Administrator\Application Data\eBookPro6
2008-06-27 18:44:42 0 d--hs---- C:\FOUND.005
2008-06-26 22:56:42 0 d--hs---- C:\FOUND.004
2008-06-26 21:58:10 0 d--hs---- C:\FOUND.003
2008-06-25 20:17:02 1024 --a------ C:\WINDOWS\system32\sleep.exe
2008-06-25 01:52:31 0 d-------- C:\Program Files\Myrtilus Entertainment
2008-06-25 01:52:09 221184 -----n--- C:\WINDOWS\system32\MSHTMPGD.DLL <Not Verified; Microsoft Corporation; DHTMLPageDesigner Object Library>
2008-06-25 01:52:08 299008 -----n--- C:\WINDOWS\system32\MSDBRPTR.DLL <Not Verified; Microsoft Corporation; MSDataReport>
2008-06-19 11:18:58 0 d--hs---- C:\FOUND.002
-- Find3M Report ---------------------------------------------------------------
2008-06-08 23:14:26 1072 --a------ C:\WINDOWS\EReg072.dat
2008-06-08 21:25:34 0 d-------- C:\Program Files\MagicDisc
2008-06-08 18:50:50 0 d-------- C:\Program Files\MagicISO
2008-06-07 23:39:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\IGN_DLM
2008-06-06 16:54:40 0 d-------- C:\Program Files\Counter-Strike
2008-06-05 00:16:34 502 --a------ C:\WINDOWS\eReg.dat
2008-06-05 00:10:30 0 d-------- C:\Program Files\EA SPORTS
2008-06-04 23:02:12 0 d-------- C:\Program Files\Guitar Pro 5
2008-06-04 22:38:22 11289948 --a------ C:\GP5DEMO.exe <Not Verified; Arobas Music; >
2008-05-29 01:03:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\TVU Networks
2008-05-29 01:02:00 0 d-------- C:\Program Files\TVUPlayer
2008-05-27 20:04:58 39424 --a------ C:\WINDOWS\winlogon.exe
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/16/2008 04:49 AM]
"runwinlogon"="C:\WINDOWS\winlogon.exe" [05/27/2008 08:04 PM]
"lphc9a7j0e37g"="C:\WINDOWS\system32\lphc9a7j0e37g.exe" [07/10/2008 09:41 PM]
"SMrhcca7j0e37g"="C:\Program Files\rhcca7j0e37g\rhcca7j0e37g.exe" []
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SVCHOST.EXE"="C:\WINDOWS\system32\drivers\svchost.exe" [07/10/2008 09:39 PM]
"msserv"="C:\WINDOWS\msserv.exe" [07/10/2008 09:42 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 02:06 PM]
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [12/23/2007 7:56:49 PM]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
backup=C:\WINDOWS\pss\Picture Motion Browser Media Check Tool.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runwinlogon]
C:\WINDOWS\winlogon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
"C:\Program Files\Unlocker\UnlockerAssistant.exe"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\AUTORUN.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23b26ff0-357c-11dd-a4a6-00e0206e0269}]
AutoRun\command- F:\AUTORUN.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b021a8b0-e3d0-11dc-a3f9-00e0206e0269}]
explore\Command- mshta "javascript:new ActiveXObject('WScript.Shell').Run('SOLA\\SOLA.BAT -USB',0);window.close()"
open\Command- mshta "javascript:new ActiveXObject('WScript.Shell').Run('SOLA\\SOLA.BAT -USB',0);window.close()"
打开(&O)\command- mshta "javascript:new ActiveXObject('WScript.Shell').Run('SOLA\\SOLA.BAT -USB',0);window.close()"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8659e20-0586-11dd-a44d-00e0206e0269}]
AutoRun\command- SCVHSOT.exe
Open\command- SCVHSOT.exe
-- End of Deckard's System Scanner: finished at 2008-07-13 21:30:24 ------------
Please help me man!!
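For readers following along, here is how a helper reads the autostart parts of a log like the one above. The O4 lines list what the Run keys launch, and the MountPoints2 lines are Explorer's cached autorun verbs for removable drives. The entries that stand out are a core system process name (winlogon.exe, svchost.exe) launched from a Run key or living outside system32, an executable dropped straight into C:\WINDOWS, random alphanumeric names such as lphc9a7j0e37g, a letter-shuffle of a system name (SCVHSOT for svchost), and a drive autorun verb that hands control to mshta with inline JavaScript. The script below is an added example, not code from this thread or from DSS, HijackThis or Malwarebytes; it encodes those heuristics and runs them over constructed lines modelled on the log. It assumes %windir% is C:\WINDOWS, as in this log, and the helper names (triage, triage_run_entry, triage_mountpoint) are mine.

```python
"""Autostart-entry triage over HijackThis/DSS-style log lines.

Added example for this thread; not code from the thread or from
Deckard's System Scanner, HijackThis or Malwarebytes.
"""
import re

# Constructed sample lines, modelled on the O4 and MountPoints2 entries posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [runwinlogon] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [lphc9a7j0e37g] C:\WINDOWS\system32\lphc9a7j0e37g.exe
O4 - HKLM\..\Run: [SMrhcca7j0e37g] C:\Program Files\rhcca7j0e37g\rhcca7j0e37g.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [msserv] C:\WINDOWS\msserv.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
AutoRun\command- F:\AUTORUN.EXE
open\Command- mshta "javascript:new ActiveXObject('WScript.Shell').Run('SOLA\\SOLA.BAT -USB',0);window.close()"
Open\command- SCVHSOT.exe
"""

O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
MP_RE = re.compile(r"^(?P<verb>[^\\]+)\\[Cc]ommand- (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|scr|com|bat|dll))(?:"|\s|$)', re.IGNORECASE)
# Ten or more lowercase alphanumerics with at least two digits and six letters, e.g. lphc9a7j0e37g.
RANDOM_RE = re.compile(r"^(?=(?:.*\d){2,})(?=(?:.*[a-z]){6,})[a-z0-9]{10,}$")

CORE_STEMS = {"smss", "csrss", "winlogon", "services", "lsass", "svchost"}
INTERPRETERS = {"mshta", "wscript", "cscript", "cmd", "rundll32"}
WINDOWS_ROOT = r"c:\windows"  # assumption: %windir% is C:\WINDOWS, as in the log above

R_CORE = "core system process name launched from a Run key"
R_WINROOT = "executable placed directly in the Windows directory"
R_RANDOM = "random-looking alphanumeric name"
R_LOOKALIKE = "filename is a letter-shuffle of a core system process name"
R_INTERP = "script interpreter used to launch drive content"
R_INLINE = "inline script in an autorun command"
R_RELATIVE = "relative path: runs whatever file of that name is on the drive"


def _stem(token):
    """Lower-case file name without directory, quotes or extension."""
    return token.strip('"').rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]


def is_lookalike(stem):
    """True for names such as scvhsot that are anagrams of a core process name."""
    return any(stem != core and sorted(stem) == sorted(core) for core in CORE_STEMS)


def triage_run_entry(name, cmd):
    """Reasons an O4 Run entry deserves a second look (empty list if none)."""
    m = EXE_RE.match(cmd)
    path = m["path"] if m else (cmd.split() or [""])[0].strip('"')
    directory = path.rsplit("\\", 1)[0].lower() if "\\" in path else ""
    stem = _stem(path)
    reasons = []
    if stem in CORE_STEMS:
        reasons.append(R_CORE)  # winlogon/svchost are never started from a Run key
    if directory == WINDOWS_ROOT:
        reasons.append(R_WINROOT)
    if RANDOM_RE.match(stem) or RANDOM_RE.match(name.lower()):
        reasons.append(R_RANDOM)
    if is_lookalike(stem):
        reasons.append(R_LOOKALIKE)
    return reasons


def triage_mountpoint(cmd):
    """Reasons a MountPoints2 autorun/open command deserves a second look."""
    first = (cmd.split() or [""])[0].strip('"').lower()
    stem = _stem(first)
    reasons = []
    if stem in INTERPRETERS:
        reasons.append(R_INTERP)
    if re.search(r"(?:java|vb)script:", cmd, re.IGNORECASE):
        reasons.append(R_INLINE)
    if re.search(r"\.(?:exe|bat|com|scr|cmd|vbs|js)$", first) and not re.match(r"^[a-z]:\\", first):
        reasons.append(R_RELATIVE)
    if is_lookalike(stem):
        reasons.append(R_LOOKALIKE)
    return reasons


def triage(log_text):
    """Return (label, command, reasons) for every flagged line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            reasons = triage_run_entry(m["name"], m["cmd"])
            if reasons:
                findings.append((m["name"], m["cmd"], reasons))
            continue
        m = MP_RE.match(line)
        if m:
            reasons = triage_mountpoint(m["cmd"])
            if reasons:
                findings.append((m["verb"], m["cmd"], reasons))
    return findings


if __name__ == "__main__":
    for label, cmd, reasons in triage(SAMPLE_LOG):
        print(f"{label}: {cmd}\n    " + "\n    ".join(reasons))
```

On the sample the avast!, SUPERAntiSpyware and F:\AUTORUN.EXE lines pass, and the remaining seven are flagged with the reason that applies. These are triage hints for a human, not verdicts: a genuine vendor tool can sit in the Windows directory, and a flagged entry is confirmed by checking the file's publisher, hash and creation time (the DSS "Files created" section above gives those dates) before anything is removed.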
tech2in
07-13-2008, 01:06 PM
Below is the log of Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware 1.20
Database version: 945
Windows 5.1.2600 Service Pack 2
10:34:21 PM 7/13/2008
mbam-log-7-13-2008 (22-34-21).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 93385
Time elapsed: 38 minute(s), 50 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 12
Files Infected: 30
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runwinlogon (Trojan.Proxy) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msserv (Worm.Zhelatin) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphc9a7j0e37g (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhcca7j0e37g (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\Documents and Settings\Administrator\Application Data\rhcca7j0e37g (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhcca7j0e37g\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhcca7j0e37g\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhcca7j0e37g\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhcca7j0e37g\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhcca7j0e37g\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhcca7j0e37g\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhcca7j0e37g\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhcca7j0e37g\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhcca7j0e37g\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhcca7j0e37g\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\winlogon.exe (Trojan.Proxy) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpx2.cpx (Trojan.Pakes) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpx15.cpx (Trojan.Peed) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\7.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pphc9a7j0e37g.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AC795B4F-7871-40C6-B73D-E91625AD657A}\RP133\A0115187.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AC795B4F-7871-40C6-B73D-E91625AD657A}\RP133\A0115203.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AC795B4F-7871-40C6-B73D-E91625AD657A}\RP133\A0115216.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AC795B4F-7871-40C6-B73D-E91625AD657A}\RP133\A0115226.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AC795B4F-7871-40C6-B73D-E91625AD657A}\RP133\A0116224.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AC795B4F-7871-40C6-B73D-E91625AD657A}\RP133\A0117240.dll (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Deckard\System Scanner\20080713212736\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\epomajem.exe (Trojan.Buzus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpx24.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\back.exe.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mssrv32.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\msserv.exe (Worm.Zhelatin) -> Quarantined and deleted successfully.
C:\WINDOWS\msserv.config (Worm.Zhelatin) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phc9a7j0e37g.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphc9a7j0e37g.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphc9a7j0e37g.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysrest32.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
Scotty
07-13-2008, 01:59 PM
Hi
At least one of those files was a keylogger. Do you use this computer for banking transactions or with credit card details being sent over the net?
tech2in
07-13-2008, 02:09 PM
Nope, not at all.
tech2in
07-13-2008, 02:24 PM
Well, what should I do now? Continue running my system in Safe Mode, or?
Scotty
07-13-2008, 02:27 PM
Hi
You can go back into Normal Mode.
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once Recovery Console is installed, you should see a blue screen prompt like the one below:
http://img.photobucket.com/albums/v706/ried7/RC_whatnext.gif
Click Yes to allow Combofix to continue scanning for malware.
When done, a log will be produced. Please post that log and a new HijackThis log in your next reply.
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
In your next reply post:
ComboFix.txt
New HijackThis log taken after the above scan has run
tech2in
07-13-2008, 03:07 PM
Please tell me, is it actually going to rid my PC of all the malware? I mean, didn't the earlier scan and posting of the log help the cause in any way?
Scotty
07-13-2008, 03:28 PM
The earlier scans did help, but we have to be thorough. Combo will tell me much more. Your PC was in a worse state than we first saw.
tech2in
07-14-2008, 04:02 AM
Right, got it!! There are two questions I'd like to put up before I start off with ComboFix.
1) "ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper." So what do you suggest, shall I select the Recovery Console mode when it asks me?
2) There is a chance that the electricity might go off when I am in the middle of the ComboFix scan. If that happens I only have 5-10 mins at my disposal owing to my UPS. What should I do then?
Scotty
07-14-2008, 04:37 AM
The recovery console is installed as a backup in case of any problems. I've never had to tell anyone to use it as yet, but it's good to have there. You will only need to select that option if I tell you.
CF normally only takes a few minutes. MBAM has removed most of the crud.
tech2in
07-14-2008, 04:43 AM
Sir, so what I make out of your statement is that: a) I don't have to select the Recovery Console option while starting the ComboFix scan.
b) Since the CF scan takes only a few minutes, I should go for this scan as and when it's feasible.
If that's cool, I will get back to this forum with the log as soon as possible.
Scotty
07-14-2008, 05:20 AM
When you drag and drop the RC setup file onto the Combofix icon it will just install it, and then run Combofix.
tech2in
07-14-2008, 12:28 PM
There you go:
ComboFix 08-07-13.9 - Administrator 2008-07-14 21:39:01.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.25 [GMT 5.5:30]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WinXP_EN_PRO_BF.EXE
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SYSREST.SYS
((((((((((((((((((((((((( Files Created from 2008-06-14 to 2008-07-14 )))))))))))))))))))))))))))))))
.
2008-07-13 20:47 . 2008-07-13 20:47 <DIR> d--hs---- C:\FOUND.013
2008-07-13 13:37 . 2008-07-13 13:37 <DIR> d-------- C:\Deckard
2008-07-12 21:17 . 2008-07-12 21:17 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-12 21:17 . 2008-07-12 21:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-12 21:17 . 2008-07-12 21:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-12 21:17 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-12 21:17 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-12 12:19 . 2008-07-12 12:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-12 12:18 . 2008-07-12 12:18 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-12 12:18 . 2008-07-12 12:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-07-11 12:11 . 2008-07-11 12:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-11 11:46 . 2008-07-11 11:46 <DIR> d--hs---- C:\FOUND.012
2008-07-10 22:22 . 2008-07-10 22:22 <DIR> d--hs---- C:\FOUND.009
2008-07-10 21:46 . 2004-08-03 22:39 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2008-07-10 21:46 . 2004-08-03 22:39 142,464 --a------ C:\WINDOWS\system32\dllcache\aec.sys
2008-07-10 21:43 . 2008-07-10 21:43 29 --a------ C:\WINDOWS\system32\ffqtiiag.tmp
2008-07-09 12:41 . 2008-07-09 12:41 244 --ah----- C:\sqmnoopt11.sqm
2008-07-09 12:41 . 2008-07-09 12:41 232 --ah----- C:\sqmdata11.sqm
2008-07-06 00:12 . 2008-07-06 00:12 <DIR> d--hs---- C:\FOUND.008
2008-07-04 18:30 . 2008-07-04 18:30 <DIR> d--hs---- C:\FOUND.007
2008-07-03 23:56 . 2008-07-03 23:56 <DIR> d--hs---- C:\FOUND.006
2008-07-03 21:41 . 2008-07-03 21:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\eBookPro6
2008-06-27 18:44 . 2008-06-27 18:44 <DIR> d--hs---- C:\FOUND.005
2008-06-26 22:56 . 2008-06-26 22:56 <DIR> d--hs---- C:\FOUND.004
2008-06-26 21:58 . 2008-06-26 21:58 <DIR> d--hs---- C:\FOUND.003
2008-06-25 20:17 . 2007-02-03 13:10 1,024 --a------ C:\WINDOWS\system32\sleep.exe
2008-06-25 01:52 . 2008-06-25 01:52 <DIR> d-------- C:\Program Files\Myrtilus Entertainment
2008-06-25 01:52 . 2004-02-23 20:42 1,386,496 --------- C:\WINDOWS\system32\msvbvm60.dll
2008-06-25 01:52 . 2004-03-09 13:00 1,081,616 --------- C:\WINDOWS\system32\MSCOMCTL.OCX
2008-06-25 01:52 . 2001-04-05 17:43 1,009,336 --------- C:\WINDOWS\system32\mschrt20.ocx
2008-06-25 01:52 . 1998-06-18 08:00 317,200 --------- C:\WINDOWS\system32\wbclsdsr.ocx
2008-06-25 01:52 . 1998-06-18 00:00 299,008 --------- C:\WINDOWS\system32\MSDBRPTR.DLL
2008-06-25 01:52 . 2004-03-09 00:00 224,016 --------- C:\WINDOWS\system32\tabctl32.ocx
2008-06-25 01:52 . 1998-06-18 08:00 221,184 --------- C:\WINDOWS\system32\MSHTMPGD.DLL
2008-06-25 01:52 . 1998-06-24 00:00 203,576 --------- C:\WINDOWS\system32\RICHTX32.OCX
2008-06-25 01:52 . 1999-05-07 13:00 198,640 --------- C:\WINDOWS\system32\MCI32.OCX
2008-06-19 11:18 . 2008-06-19 11:18 <DIR> d--hs---- C:\FOUND.002
2008-06-18 13:43 . 2008-06-18 13:43 244 --ah----- C:\sqmnoopt10.sqm
2008-06-18 13:43 . 2008-06-18 13:43 232 --ah----- C:\sqmdata10.sqm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-25 15:49 135 ----a-w C:\WINDOWS\Fonts\Regedit.reg
2008-06-08 15:55 --------- d-----w C:\Program Files\MagicDisc
2008-06-08 13:20 --------- d-----w C:\Program Files\MagicISO
2008-06-07 18:09 --------- d-----w C:\Documents and Settings\Administrator\Application Data\IGN_DLM
2008-06-06 11:24 --------- d-----w C:\Program Files\Counter-Strike
2008-06-04 18:40 --------- d-----w C:\Program Files\EA SPORTS
2008-06-04 17:32 --------- d-----w C:\Program Files\Guitar Pro 5
2008-06-04 17:08 11,289,948 ----a-w C:\GP5DEMO.exe
2008-05-28 19:33 --------- d-----w C:\Documents and Settings\Administrator\Application Data\TVU Networks
2008-05-28 19:32 --------- d-----w C:\Program Files\TVUPlayer
2008-05-28 19:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\TVU Networks
2008-05-27 06:41 96,896 ----a-w C:\WINDOWS\system32\drivers\mcdbus.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2007-12-23 19:56:49 44384]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
backup=C:\WINDOWS\pss\Picture Motion Browser Media Check Tool.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-14 10:00 267064 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\K-Lite Codec Pack\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2006-09-07 22:49 15872 C:\Program Files\Unlocker\UnlockerAssistant.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 04:50]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 04:46]
R3 slnt;Realtek Rtl-8139d PCI Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\slnt.sys [2004-11-11 16:58]
S3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys [2001-08-17 13:28]
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-08-17 13:47]
S3 PIXMCV;JVC Communication PIX-MCV Driver;C:\WINDOWS\system32\Drivers\pixmcvc.sys [2003-12-05 19:09]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;C:\WINDOWS\system32\Drivers\pixmcva.sys [2003-12-05 19:09]
S3 PIXMCVV;JVC PIX-MCV Video Capture;C:\WINDOWS\system32\Drivers\pixmcvv.sys [2003-12-05 19:09]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\AUTORUN.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23b26ff0-357c-11dd-a4a6-00e0206e0269}]
\Shell\AutoRun\command - F:\AUTORUN.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b021a8b0-e3d0-11dc-a3f9-00e0206e0269}]
\shell\explore\Command - mshta "javascript:new ActiveXObject('WScript.Shell').Run('SOLA\\SOLA.BAT -USB',0);window.close()"
\shell\open\Command - mshta "javascript:new ActiveXObject('WScript.Shell').Run('SOLA\\SOLA.BAT -USB',0);window.close()"
\shell\打开(&O)\command - mshta "javascript:new ActiveXObject('WScript.Shell').Run('SOLA\\SOLA.BAT -USB',0);window.close()"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8659e20-0586-11dd-a44d-00e0206e0269}]
\Shell\AutoRun\command - SCVHSOT.exe
\Shell\Open\command - SCVHSOT.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-12-23 14:49:48 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-14 16:14:30 C:\WINDOWS\Tasks\Tasks.job"
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-runwinlogon - C:\WINDOWS\winlogon.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-14 21:45:28
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASWUPDSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-07-14 21:49:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-14 16:19:30
Pre-Run: 2,805,538,816 bytes free
Post-Run: 2,821,095,424 bytes free
WinXP_EN_PRO_BF.EXE
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
176
tech2in
07-14-2008, 02:52 PM
Dude, now that you are here, kindly tell me what's next. Can I assume that my PC is safe?
Scotty
07-14-2008, 03:10 PM
Not yet.
Download Flash_Disinfector from here (http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe) and save it to your desktop.
Doubleclick on Flash_Disinfector.exe to run it and follow the prompts.
Wait until it has finished scanning and then exit the program.
The utility may ask you to insert your flash drive and/or other removable drives. This may include your mobile phone.
Please do so and allow the utility to clean up those drives as well.
Go to http://virusscan.jotti.org
Copy the following line into the white textbox:
C:\WINDOWS\system32\sleep.exe
Click Submit.
Please post the results of this scan to this thread.
Do the same for this:
C:\WINDOWS\Fonts\Regedit.reg
If Jotti is busy or unavailable, please try
Virustotal (http://www.virustotal.com/en/indexf.html)
Remember to disconnect from the Internet before carrying out the next instruction, and to save the following script before you do. You must also manually disable your anti-virus and anti-spyware programs. See the link below for instructions on doing this.
http://www.bleepingcomputer.com/forums/topic114351.html
Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C
File::
C:\WINDOWS\system32\ffqtiiag.tmp
C:\sqmnoopt11.sqm
C:\sqmdata11.sqm
C:\sqmnoopt10.sqm
C:\sqmdata10.sqm
F:\AUTORUN.EXE
Folder::
C:\FOUND.013
C:\FOUND.012
C:\FOUND.009
C:\FOUND.008
C:\FOUND.007
C:\FOUND.006
C:\FOUND.005
C:\FOUND.004
C:\FOUND.003
C:\FOUND.002
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23b26ff0-357c-11dd-a4a6-00e0206e0269}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b021a8b0-e3d0-11dc-a3f9-00e0206e0269}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8659e20-0586-11dd-a44d-00e0206e0269}]
Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop
http://images.malwareremoval.com/cfscript/CFScript.gif
Referring to the picture above, drag CFScript into ComboFix.exe
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.
Once you have installed the Scanner, and the updated definitions, you can disconnect from the Internet and disable your anti-virus, to reduce scanning time. Re-enable the anti-virus before reconnecting to the Internet.
Instructions on disabling a variety of security programs can be found at the link below.
http://www.bleepingcomputer.com/forums/topic114351.html
In your next reply post:
Jotti results
ComboFix.txt
Kaspersky report
New HijackThis log taken after the above scan has run
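The CFScript above deletes the four MountPoints2 keys by listing them as `[-KEY]` under `Registry::`. Those keys are the persistence visible in the log: every verb under a MountPoints2 entry (`AutoRun`, `Open`, `Explore`, or a localized name such as `打开(&O)`) hands control to whatever command follows when the removable drive is inserted or double-clicked, and here the commands are `F:\AUTORUN.EXE`, `SCVHSOT.exe`, and an `mshta` call that runs a batch file through `WScript.Shell.Run(...,0)`, i.e. with no visible window. The three `dword:00000001` values under `security center` (`AntiVirusDisableNotify`, `UpdatesDisableNotify`, `FirewallOverride`) silence Security Center's warnings about anti-virus, updates and the firewall. The script below is an added example written for this thread, not ComboFix's own code or anything the helpers posted: it parses a constructed ComboFix-style "Reg Loading Points" fragment modelled on the log above, flags MountPoints2 keys that carry verb commands, flags the Security Center suppressors, and emits a `Registry::` section in the same `[-KEY]` / REGEDIT4 syntax Scotty used. The reason tags (`autorun-verb`, `shell-verb-override`, `script-host`, `hidden-window`) and all function names are this example's own.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log and build a
CFScript Registry:: section for the MountPoints2 and Security Center findings.
Added example for this thread; heuristics and names are the author's own."""
import re

# Constructed sample, modelled on the log posted in this thread (not a real capture).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\AUTORUN.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b021a8b0-e3d0-11dc-a3f9-00e0206e0269}]
\shell\explore\Command - mshta "javascript:new ActiveXObject('WScript.Shell').Run('SOLA\\SOLA.BAT -USB',0);window.close()"
\shell\open\Command - mshta "javascript:new ActiveXObject('WScript.Shell').Run('SOLA\\SOLA.BAT -USB',0);window.close()"
\shell\打开(&O)\command - mshta "javascript:new ActiveXObject('WScript.Shell').Run('SOLA\\SOLA.BAT -USB',0);window.close()"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8659e20-0586-11dd-a44d-00e0206e0269}]
\Shell\AutoRun\command - SCVHSOT.exe
\Shell\Open\command - SCVHSOT.exe
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# ComboFix prints each MountPoints2 verb as "\Shell\<verb>\command - <command line>".
VERB_RE = re.compile(r"^\\shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.+)$", re.IGNORECASE)
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')
SECURITY_CENTER_FLAGS = {"AntiVirusDisableNotify", "UpdatesDisableNotify", "FirewallOverride"}
SCRIPT_HOSTS = ("mshta", "wscript", "cscript", "javascript:", "vbscript:")


def parse_reg_loading_points(log_text):
    """Group the REGEDIT4-style section into {key: [value/verb lines]}."""
    keys, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, [])
        elif current is not None:
            keys[current].append(line)
    return keys


def find_mountpoint_findings(keys):
    """One finding per MountPoints2 key that carries a shell verb command."""
    findings = []
    for key, lines in keys.items():
        if "\\mountpoints2\\" not in key.lower():
            continue
        reasons, commands = set(), []
        for line in lines:
            m = VERB_RE.match(line)
            if not m:
                continue
            verb, cmd = m.group("verb").lower(), m.group("cmd")
            commands.append(cmd)
            # AutoRun fires on insertion; any other verb (Open/Explore/localized)
            # replaces what Explorer does when the drive is double-clicked.
            reasons.add("autorun-verb" if verb == "autorun" else "shell-verb-override")
            if any(h in cmd.lower() for h in SCRIPT_HOSTS):
                reasons.add("script-host")
            if re.search(r"\.run\(.*,\s*0\)", cmd, re.IGNORECASE):
                reasons.add("hidden-window")  # WScript.Shell.Run(..., 0): no window shown
        if commands:
            findings.append({"key": key, "reasons": sorted(reasons), "commands": commands})
    return findings


def find_security_center_overrides(keys):
    """(key, value name) pairs for notification suppressors set to non-zero."""
    overrides = []
    for key, lines in keys.items():
        if not key.lower().endswith("\\security center"):
            continue
        for line in lines:
            m = DWORD_RE.match(line)
            if m and m.group("name") in SECURITY_CENTER_FLAGS and int(m.group("val"), 16) != 0:
                overrides.append((key, m.group("name")))
    return overrides


def build_cfscript(findings, overrides):
    """Registry:: section: [-KEY] deletes a key, a REGEDIT4 block resets values."""
    out = ["Registry::"] + [f"[-{f['key']}]" for f in findings]
    for key in sorted({k for k, _ in overrides}):
        out.append(f"[{key}]")
        out += [f'"{name}"=dword:00000000' for k, name in overrides if k == key]
    return "\n".join(out) + "\n"


def analyze(log_text):
    keys = parse_reg_loading_points(log_text)
    findings = find_mountpoint_findings(keys)
    overrides = find_security_center_overrides(keys)
    return {"mountpoints": findings, "security_center": overrides,
            "cfscript": build_cfscript(findings, overrides)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for f in report["mountpoints"]:
        print(f"{f['key']}\n    reasons: {', '.join(f['reasons'])}")
    for key, name in report["security_center"]:
        print(f"{name}=1 under {key}")
    print("\n--- CFScript Registry:: section ---\n" + report["cfscript"])
```

The `[-KEY]` lines it prints for the three MountPoints2 keys match the form used in the CFScript above; the trailing REGEDIT4 block resets the three Security Center values to zero, which is a reasonable follow-up once the machine is clean, since leaving them at 1 keeps Security Center quiet about a disabled anti-virus or firewall.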
tech2in
07-15-2008, 04:37 AM
Right, I will do that. One question: I am using Normal Mode to come onto the internet, and the time spent at the forum easily slips to around half an hour, so does that mean I am actually putting my PC back in danger again, or should I use Safe Mode?
Scotty
07-15-2008, 07:08 AM
I doubt it would matter. It is best to just get on with the cleaning.:)
jcampi
07-15-2008, 07:42 AM
I believe the user that started this thread stated they didn't have an antivirus on their computer (sorry if I'm mistaken, but the thread is long and I may have lost track). This thread is one of the best reasons I've seen for having a good quality antivirus program on your computer. What a mess! I know many of us are strapped for $ and times are tough. However, how could anyone afford not to have an antivirus on their pc? Nod32 can be purchased for less than $20 and other antivirus programs are free. Not having a good antivirus program on your computer puts the entire computer at risk for 'damage'.
Scotty, you sure are doing a fine job counseling this user. I like the step by step guidance you are providing. This kind of help from a tech support line would cost $.
Scotty
07-15-2008, 08:36 AM
@jcampi
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASWUPDSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
Avast is running.:)
tech2in
07-15-2008, 12:18 PM
Results of http://virusscan.jotti.org with C:\WINDOWS\system32\sleep.exe
Service load:
0% 100%
File: sleep.exe
Status:
OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: b29f5cf262010a7b1d300deb81e33a05
Packers detected:
-
Scanner results
Scan taken on 15 Jul 2008 16:08:43 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
with C:\WINDOWS\Fonts\Regedit.reg
Service load:
0% 100%
File: Regedit.reg
Status:
OK
MD5: e0fd78097437e865401b8642190cfbea
Packers detected:
-
Scanner results
Scan taken on 15 Jul 2008 16:16:03 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
tech2in
07-15-2008, 03:36 PM
ComboFix results: ComboFix 08-07-13.9 - Administrator 2008-07-15 21:55:57.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.18 [GMT 5.5:30]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\sqmdata10.sqm
C:\sqmdata11.sqm
C:\sqmnoopt10.sqm
C:\sqmnoopt11.sqm
C:\WINDOWS\system32\ffqtiiag.tmp
F:\AUTORUN.EXE
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\FOUND.002
C:\FOUND.002\FILE0000.CHK
C:\FOUND.003
C:\FOUND.003\FILE0000.CHK
C:\FOUND.004
C:\FOUND.004\FILE0000.CHK
C:\FOUND.005
C:\FOUND.005\FILE0000.CHK
C:\FOUND.006
C:\FOUND.006\FILE0000.CHK
C:\FOUND.006\FILE0001.CHK
C:\FOUND.006\FILE0002.CHK
C:\FOUND.006\FILE0003.CHK
C:\FOUND.006\FILE0004.CHK
C:\FOUND.006\FILE0005.CHK
C:\FOUND.006\FILE0006.CHK
C:\FOUND.006\FILE0007.CHK
C:\FOUND.006\FILE0008.CHK
C:\FOUND.006\FILE0009.CHK
C:\FOUND.006\FILE0010.CHK
C:\FOUND.006\FILE0011.CHK
C:\FOUND.006\FILE0012.CHK
C:\FOUND.006\FILE0013.CHK
C:\FOUND.006\FILE0014.CHK
C:\FOUND.006\FILE0015.CHK
C:\FOUND.006\FILE0016.CHK
C:\FOUND.006\FILE0017.CHK
C:\FOUND.006\FILE0018.CHK
C:\FOUND.006\FILE0019.CHK
C:\FOUND.006\FILE0020.CHK
C:\FOUND.006\FILE0021.CHK
C:\FOUND.006\FILE0022.CHK
C:\FOUND.006\FILE0023.CHK
C:\FOUND.006\FILE0024.CHK
C:\FOUND.006\FILE0025.CHK
C:\FOUND.006\FILE0026.CHK
C:\FOUND.006\FILE0027.CHK
C:\FOUND.006\FILE0028.CHK
C:\FOUND.006\FILE0029.CHK
C:\FOUND.006\FILE0030.CHK
C:\FOUND.006\FILE0031.CHK
C:\FOUND.006\FILE0032.CHK
C:\FOUND.006\FILE0033.CHK
C:\FOUND.006\FILE0034.CHK
C:\FOUND.006\FILE0035.CHK
C:\FOUND.006\FILE0036.CHK
C:\FOUND.006\FILE0037.CHK
C:\FOUND.006\FILE0038.CHK
C:\FOUND.006\FILE0039.CHK
C:\FOUND.006\FILE0040.CHK
C:\FOUND.006\FILE0041.CHK
C:\FOUND.006\FILE0042.CHK
C:\FOUND.006\FILE0043.CHK
C:\FOUND.006\FILE0044.CHK
C:\FOUND.006\FILE0045.CHK
C:\FOUND.006\FILE0046.CHK
C:\FOUND.006\FILE0047.CHK
C:\FOUND.006\FILE0048.CHK
C:\FOUND.006\FILE0049.CHK
C:\FOUND.006\FILE0050.CHK
C:\FOUND.006\FILE0051.CHK
C:\FOUND.007
C:\FOUND.007\FILE0000.CHK
C:\FOUND.008
C:\FOUND.008\FILE0000.CHK
C:\FOUND.008\FILE0001.CHK
C:\FOUND.008\FILE0002.CHK
C:\FOUND.008\FILE0003.CHK
C:\FOUND.009
C:\FOUND.009\FILE0000.CHK
C:\FOUND.009\FILE0001.CHK
C:\FOUND.009\FILE0002.CHK
C:\FOUND.012
C:\FOUND.012\FILE0000.CHK
C:\FOUND.012\FILE0001.CHK
C:\FOUND.013
C:\FOUND.013\FILE0000.CHK
C:\FOUND.013\FILE0001.CHK
C:\FOUND.013\FILE0002.CHK
C:\sqmdata10.sqm
C:\sqmdata11.sqm
C:\sqmnoopt10.sqm
C:\sqmnoopt11.sqm
C:\WINDOWS\system32\ffqtiiag.tmp
F:\AUTORUN.EXE . . . . failed to delete
.
((((((((((((((((((((((((( Files Created from 2008-06-15 to 2008-07-15 )))))))))))))))))))))))))))))))
.
2008-07-13 13:37 . 2008-07-13 13:37 <DIR> d-------- C:\Deckard
2008-07-12 21:17 . 2008-07-12 21:17 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-12 21:17 . 2008-07-12 21:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-12 21:17 . 2008-07-12 21:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-12 21:17 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-12 21:17 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-12 12:19 . 2008-07-12 12:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-12 12:18 . 2008-07-12 12:18 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-12 12:18 . 2008-07-12 12:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-07-11 12:11 . 2008-07-11 12:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-10 21:46 . 2004-08-03 22:39 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2008-07-10 21:46 . 2004-08-03 22:39 142,464 --a------ C:\WINDOWS\system32\dllcache\aec.sys
2008-07-03 21:41 . 2008-07-03 21:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\eBookPro6
2008-06-25 20:17 . 2007-02-03 13:10 1,024 --a------ C:\WINDOWS\system32\sleep.exe
2008-06-25 01:52 . 2008-06-25 01:52 <DIR> d-------- C:\Program Files\Myrtilus Entertainment
2008-06-25 01:52 . 2004-02-23 20:42 1,386,496 --------- C:\WINDOWS\system32\msvbvm60.dll
2008-06-25 01:52 . 2004-03-09 13:00 1,081,616 --------- C:\WINDOWS\system32\MSCOMCTL.OCX
2008-06-25 01:52 . 2001-04-05 17:43 1,009,336 --------- C:\WINDOWS\system32\mschrt20.ocx
2008-06-25 01:52 . 1998-06-18 08:00 317,200 --------- C:\WINDOWS\system32\wbclsdsr.ocx
2008-06-25 01:52 . 1998-06-18 00:00 299,008 --------- C:\WINDOWS\system32\MSDBRPTR.DLL
2008-06-25 01:52 . 2004-03-09 00:00 224,016 --------- C:\WINDOWS\system32\tabctl32.ocx
2008-06-25 01:52 . 1998-06-18 08:00 221,184 --------- C:\WINDOWS\system32\MSHTMPGD.DLL
2008-06-25 01:52 . 1998-06-24 00:00 203,576 --------- C:\WINDOWS\system32\RICHTX32.OCX
2008-06-25 01:52 . 1999-05-07 13:00 198,640 --------- C:\WINDOWS\system32\MCI32.OCX
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-25 15:49 135 ----a-w C:\WINDOWS\Fonts\Regedit.reg
2008-06-08 15:55 --------- d-----w C:\Program Files\MagicDisc
2008-06-08 13:20 --------- d-----w C:\Program Files\MagicISO
2008-06-07 18:09 --------- d-----w C:\Documents and Settings\Administrator\Application Data\IGN_DLM
2008-06-06 11:24 --------- d-----w C:\Program Files\Counter-Strike
2008-06-04 18:40 --------- d-----w C:\Program Files\EA SPORTS
2008-06-04 17:32 --------- d-----w C:\Program Files\Guitar Pro 5
2008-06-04 17:08 11,289,948 ----a-w C:\GP5DEMO.exe
2008-05-28 19:33 --------- d-----w C:\Documents and Settings\Administrator\Application Data\TVU Networks
2008-05-28 19:32 --------- d-----w C:\Program Files\TVUPlayer
2008-05-28 19:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\TVU Networks
2008-05-27 06:41 96,896 ----a-w C:\WINDOWS\system32\drivers\mcdbus.sys
.
((((((((((((((((((((((((((((( snapshot@2008-07-14_21.48.43.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-14 17:30:22 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_568.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2007-12-23 19:56:49 44384]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
backup=C:\WINDOWS\pss\Picture Motion Browser Media Check Tool.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-14 10:00 267064 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\K-Lite Codec Pack\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2006-09-07 22:49 15872 C:\Program Files\Unlocker\UnlockerAssistant.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 04:50]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 04:46]
R3 slnt;Realtek Rtl-8139d PCI Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\slnt.sys [2004-11-11 16:58]
S3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys [2001-08-17 13:28]
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-08-17 13:47]
S3 PIXMCV;JVC Communication PIX-MCV Driver;C:\WINDOWS\system32\Drivers\pixmcvc.sys [2003-12-05 19:09]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;C:\WINDOWS\system32\Drivers\pixmcva.sys [2003-12-05 19:09]
S3 PIXMCVV;JVC PIX-MCV Video Capture;C:\WINDOWS\system32\Drivers\pixmcvv.sys [2003-12-05 19:09]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\AUTORUN.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23b26ff0-357c-11dd-a4a6-00e0206e0269}]
\Shell\AutoRun\command - F:\AUTORUN.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b021a8b0-e3d0-11dc-a3f9-00e0206e0269}]
\shell\explore\Command - mshta "javascript:new ActiveXObject('WScript.Shell').Run('SOLA\\SOLA.BAT -USB',0);window.close()"
\shell\open\Command - mshta "javascript:new ActiveXObject('WScript.Shell').Run('SOLA\\SOLA.BAT -USB',0);window.close()"
\shell\打开(&O)\command - mshta "javascript:new ActiveXObject('WScript.Shell').Run('SOLA\\SOLA.BAT -USB',0);window.close()"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8659e20-0586-11dd-a44d-00e0206e0269}]
\Shell\AutoRun\command - SCVHSOT.exe
\Shell\Open\command - SCVHSOT.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-12-23 14:49:48 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-15 16:31:22 C:\WINDOWS\Tasks\Tasks.job"
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-15 22:01:48
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASWUPDSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-07-15 22:07:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-15 16:37:16
ComboFix2.txt 2008-07-14 16:20:00
Pre-Run: 2,784,477,184 bytes free
Post-Run: 2,777,505,792 bytes free
246
P.S.: Kaspersky is taking ages to scan. Apparently the light went off, so I guess I have to start all over again.
tech2in
07-15-2008, 06:11 PM
I am in a sort of a fix. It's been like 1 hr 50 mins, and the scanning process has reached only 20%. I don't have a clue how long I have to be online.
tech2in
07-16-2008, 04:11 AM
I have allowed scanning of my complete C: drive, as if at all I have to format, it's the C: drive that gets formatted and not the D:. So here's the result: Kaspersky Scan of C: drive (file:///C:/Documents%20and%20Settings/Administrator/Desktop/ghd.html)
Guest110
07-16-2008, 04:12 AM
I am in a sort of a fix. It's been like 1 hr 50 mins, and the scanning process has reached only 20%. I don't have a clue how long I have to be online.
Did you miss this?
Once you have installed the Scanner, and the updated definitions, you can disconnect from the Internet and disable your anti-virus, to reduce scanning time. Re-enable the anti-virus before reconnecting to the Internet.
You can disconnect from the internet to let the scan run. :)
tech2in
07-16-2008, 04:16 AM
Finally, the Deckard Scanner result:
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-07-16 13:43:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------
Total Physical Memory: 127 MiB (512 MiB recommended).
-- HijackThis (run as Administrator.exe) ---------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:44:15 PM, on 7/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cmd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{90029A2D-51B9-4FE5-8578-E868E6E5CD96}: NameServer = 202.56.215.6,202.56.230.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 3797 bytes
-- Files created between 2008-06-16 and 2008-07-16 -----------------------------
2008-07-16 13:43:58 0 d-------- C:\Program Files\Trend Micro
2008-07-16 13:32:08 0 d--hs---- C:\FOUND.002
2008-07-15 21:37:40 0 drahs---- C:\autorun.inf
2008-07-14 21:38:44 237728 --a------ C:\cmldr
2008-07-14 21:38:40 0 d-------- C:\cmdcons
2008-07-14 21:37:00 68096 --a------ C:\WINDOWS\zip.exe
2008-07-14 21:37:00 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-14 21:37:00 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-14 21:37:00 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-14 21:37:00 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-14 21:37:00 98816 --a------ C:\WINDOWS\sed.exe
2008-07-14 21:37:00 80412 --a------ C:\WINDOWS\grep.exe
2008-07-14 21:37:00 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-12 21:17:15 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-12 21:17:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-12 21:17:03 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-12 12:19:51 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-12 12:18:47 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-12 12:18:47 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-07-11 12:11:14 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-11 11:46:41 0 d--hs---- C:\WINDOWS\CSC
2008-07-09 21:21:54 0 d-------- C:\WINDOWS\pss
2008-07-03 21:41:23 0 d-------- C:\Documents and Settings\Administrator\Application Data\eBookPro6
2008-06-25 20:17:02 1024 --a------ C:\WINDOWS\system32\sleep.exe
2008-06-25 01:52:31 0 d-------- C:\Program Files\Myrtilus Entertainment
2008-06-25 01:52:09 221184 -----n--- C:\WINDOWS\system32\MSHTMPGD.DLL <Not Verified; Microsoft Corporation; DHTMLPageDesigner Object Library>
2008-06-25 01:52:08 299008 -----n--- C:\WINDOWS\system32\MSDBRPTR.DLL <Not Verified; Microsoft Corporation; MSDataReport>
-- Find3M Report ---------------------------------------------------------------
2008-06-08 23:14:26 1072 --a------ C:\WINDOWS\EReg072.dat
2008-06-08 21:25:34 0 d-------- C:\Program Files\MagicDisc
2008-06-08 18:50:50 0 d-------- C:\Program Files\MagicISO
2008-06-07 23:39:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\IGN_DLM
2008-06-06 16:54:40 0 d-------- C:\Program Files\Counter-Strike
2008-06-05 00:16:34 502 --a------ C:\WINDOWS\eReg.dat
2008-06-05 00:10:30 0 d-------- C:\Program Files\EA SPORTS
2008-06-04 23:02:12 0 d-------- C:\Program Files\Guitar Pro 5
2008-06-04 22:38:22 11289948 --a------ C:\GP5DEMO.exe <Not Verified; Arobas Music; >
2008-05-29 01:03:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\TVU Networks
2008-05-29 01:02:00 0 d-------- C:\Program Files\TVUPlayer
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 02:06 PM]
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [12/23/2007 7:56:49 PM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
backup=C:\WINDOWS\pss\Picture Motion Browser Media Check Tool.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
"C:\Program Files\Unlocker\UnlockerAssistant.exe"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\AUTORUN.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23b26ff0-357c-11dd-a4a6-00e0206e0269}]
AutoRun\command- F:\AUTORUN.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b021a8b0-e3d0-11dc-a3f9-00e0206e0269}]
explore\Command- mshta "javascript:new ActiveXObject('WScript.Shell').Run('SOLA\\SOLA.BAT -USB',0);window.close()"
open\Command- mshta "javascript:new ActiveXObject('WScript.Shell').Run('SOLA\\SOLA.BAT -USB',0);window.close()"
打开(&O)\command- mshta "javascript:new ActiveXObject('WScript.Shell').Run('SOLA\\SOLA.BAT -USB',0);window.close()"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8659e20-0586-11dd-a44d-00e0206e0269}]
AutoRun\command- SCVHSOT.exe
Open\command- SCVHSOT.exe
-- End of Deckard's System Scanner: finished at 2008-07-16 13:45:24 ------------
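The mountpoints2 entries at the end of the dump above are what a responder would pull out first: per-drive shell verbs that launch mshta with inline JavaScript, or an executable whose name imitates svchost.exe. The following Python is an added example, not part of this thread or of Deckard's System Scanner; it scans a dump in this format for such entries. The sample lines are reproduced from the log above, and the heuristics (script-host tokens, unqualified executables) are assumptions.

```python
import re

# Constructed sample: mountpoints2 entries in the shape DSS prints in its
# "Registry Dump" section (lines reproduced from the log in this thread).
SAMPLE_DUMP = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\AUTORUN.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b021a8b0-e3d0-11dc-a3f9-00e0206e0269}]
explore\Command- mshta "javascript:new ActiveXObject('WScript.Shell').Run('SOLA\\SOLA.BAT -USB',0);window.close()"
open\Command- mshta "javascript:new ActiveXObject('WScript.Shell').Run('SOLA\\SOLA.BAT -USB',0);window.close()"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8659e20-0586-11dd-a44d-00e0206e0269}]
AutoRun\command- SCVHSOT.exe
Open\command- SCVHSOT.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VERB_RE = re.compile(r"^(?P<verb>[^\\]+)\\command-\s*(?P<cmd>.+)$", re.IGNORECASE)
# Script hosts and script file types that have no business in a drive's shell verb.
RISKY_TOKENS = ("mshta", "wscript", "cscript", "javascript:", "vbscript:", ".bat", ".vbs", ".js")


def find_suspicious_mountpoints(dump: str):
    """Return (key, verb, command, reasons) for every shell verb under a
    mountpoints2 key whose command launches a script host, a script file, or
    an .exe given without any path (so it resolves relative to the drive root)."""
    hits, key = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if not key or "mountpoints2" not in key.lower():
            continue  # only drive/volume shell verbs are of interest here
        v = VERB_RE.match(line)
        if not v:
            continue
        cmd, low = v.group("cmd"), v.group("cmd").lower()
        reasons = [f"script host or script file: {t}" for t in RISKY_TOKENS if t in low]
        exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
        if exe.lower().endswith(".exe") and "\\" not in exe and ":" not in exe:
            reasons.append("unqualified executable run from drive root")
        if reasons:
            hits.append((key, v.group("verb"), cmd, reasons))
    return hits
```

Matched entries point to the drive letter or volume GUID involved; the corresponding removable media should be checked for the named files before it is reconnected.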
tech2in
07-16-2008, 04:18 AM
You can disconnect from the internet to let the scan run :)
I am not too sure if that was meant for Combofix.scan or kaspersky..coz kaspersky is an online virus scanner...anyways thanks for noticing:)
Guest110
07-16-2008, 04:24 AM
You can disconnect from the internet to let the scan run :)
I am not too sure if that was meant for Combofix.scan or kaspersky..coz kaspersky is an online virus scanner...anyways thanks for noticing:)
Once Kaspersky has downloaded all the updates and is ready to scan you can disconnect from the internet and disable your antivirus
This should speed up the scan time :)
Scotty
07-16-2008, 06:39 AM
I'm not sure what the link in the post at the top is meant to do, but it won't open for me. Did you save the report?
tech2in
07-16-2008, 11:15 AM
Below are the scan results of the local C: drive. This is the drive that would be formatted in case of a format.
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, July 16, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, July 15, 2008 18:30:26
Records in database: 957023
Scan settings
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area: My Computer
A:\
C:\
D:\
E:\
F:\
Scan statistics
Files scanned: 53855
Threat name: 12
Infected objects: 18
Suspicious objects: 0
Duration of the scan: 07:17:05
File name Threat name Threats count
C:\System Volume Information\_restore{AC795B4F-7871-40C6-B73D-E91625AD657A}\RP132\A0113102.bat Infected: Trojan-Proxy.Win32.Small.mu 1
C:\System Volume Information\_restore{AC795B4F-7871-40C6-B73D-E91625AD657A}\RP127\A0095870.bat Infected: Trojan-Proxy.Win32.Small.mp 1
C:\System Volume Information\_restore{AC795B4F-7871-40C6-B73D-E91625AD657A}\RP127\A0099866.bat Infected: Trojan-Proxy.Win32.Small.mp 1
C:\System Volume Information\_restore{AC795B4F-7871-40C6-B73D-E91625AD657A}\RP129\A0104936.bat Infected: Trojan-Proxy.Win32.Small.mp 1
C:\System Volume Information\_restore{AC795B4F-7871-40C6-B73D-E91625AD657A}\RP133\A0114184.sys Infected: Rootkit.Win32.Qandr.es 1
C:\System Volume Information\_restore{AC795B4F-7871-40C6-B73D-E91625AD657A}\RP133\A0115214.bat Infected: Trojan-Proxy.Win32.Small.mp 1
C:\System Volume Information\_restore{AC795B4F-7871-40C6-B73D-E91625AD657A}\RP133\A0116222.bat Infected: Trojan-Proxy.Win32.Small.mp 1
C:\System Volume Information\_restore{AC795B4F-7871-40C6-B73D-E91625AD657A}\RP133\A0116226.exe Infected: Packed.Win32.Tibs.jn 1
C:\System Volume Information\_restore{AC795B4F-7871-40C6-B73D-E91625AD657A}\RP133\A0117239.exe Infected: Trojan-Downloader.Win32.FraudLoad.vaiq 1
C:\System Volume Information\_restore{AC795B4F-7871-40C6-B73D-E91625AD657A}\RP134\A0117333.exe Infected: Trojan.Win32.Buzus.jjn 1
C:\System Volume Information\_restore{AC795B4F-7871-40C6-B73D-E91625AD657A}\RP135\A0118380.bat Infected: Trojan-Proxy.Win32.Small.mp 1
C:\System Volume Information\_restore{AC795B4F-7871-40C6-B73D-E91625AD657A}\RP135\A0120392.exe Infected: Trojan-Proxy.Win32.Small.pj 1
C:\System Volume Information\_restore{AC795B4F-7871-40C6-B73D-E91625AD657A}\RP135\A0120393.exe Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
C:\System Volume Information\_restore{AC795B4F-7871-40C6-B73D-E91625AD657A}\RP135\A0120394.exe Infected: Trojan.Win32.Buzus.jjl 1
C:\System Volume Information\_restore{AC795B4F-7871-40C6-B73D-E91625AD657A}\RP135\A0120401.exe Infected: Trojan.Win32.Agent.tuh 1
C:\System Volume Information\_restore{AC795B4F-7871-40C6-B73D-E91625AD657A}\RP135\A0120403.exe Infected: Trojan-Downloader.Win32.Cntr.gi 1
C:\System Volume Information\_restore{AC795B4F-7871-40C6-B73D-E91625AD657A}\RP135\A0120404.exe Infected: Trojan.Win32.Buzus.lgq 1
C:\System Volume Information\_restore{AC795B4F-7871-40C6-B73D-E91625AD657A}\RP135\A0120405.exe Infected: Packed.Win32.Tibs.jn 1
The scan was stopped by the user.
Scotty
07-16-2008, 11:39 AM
Hi
Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Post that log back here with a new Hijackthis log, please.
tech2in
07-16-2008, 12:06 PM
Sir, I guess I have this program..u only asked me to download