ckvo process

teamhex

SDFix: Version 1.238
Run by Chris on Fri 10/31/2008 at 05:16 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found
 

Respital

Well, ComboFix deleted a lot of infected files; we need to make sure they are all gone.

Let's run two more checks. :)
During the next two checks be sure to have any flash drives used with the computer connected.


How to run a scan with Malwarebytes' Anti-Malware

Download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.



Run Kaspersky Online AV Scanner
Using Internet Explorer Go to http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.


In your next reply I will need:
  • The Malwarebytes' Anti-Malware Log
  • The Kaspersky online scanner log
  • A fresh HiJackThis log
  • An update on how your PC is behaving
 

teamhex

Alrighty. I'm on it!
Thanks for the help, mate. Everything seems to be running great; I'm going to go ahead and do those follow-up tests.

Still running Malwarebytes, but it's found 2 files already that are infected. I'm going to finish this complete scan and try the other one.
 

teamhex

Before removing

Malwarebytes' Anti-Malware 1.30
Database version: 1337
Windows 5.1.2600 Service Pack 3

10/31/2008 5:55:52 PM
mbam-log-2008-10-31 (17-55-50).txt

Scan type: Full Scan (C:\|D:\|E:\|G:\|)
Objects scanned: 76100
Time elapsed: 20 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\E\1yl2d.bat.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\E\6x8be16.cmd.vir (Spyware.OnlineGames) -> No action taken.
E:\m88coaim.exe (Spyware.OnlineGames) -> No action taken.
 

teamhex

AFTER deleting the files it showed:
I'm now going to run the online one.

Malwarebytes' Anti-Malware 1.30
Database version: 1337
Windows 5.1.2600 Service Pack 3

10/31/2008 5:56:34 PM
mbam-log-2008-10-31 (17-56-34).txt

Scan type: Full Scan (C:\|D:\|E:\|G:\|)
Objects scanned: 76100
Time elapsed: 20 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\E\1yl2d.bat.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\E\6x8be16.cmd.vir (Spyware.OnlineGames) -> Quarantined and deleted successfully.
E:\m88coaim.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
 

teamhex

Man, this is starting to suck; every time it's something new.


KASPERSKY ONLINE SCANNER 7 REPORT
Friday, October 31, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, October 31, 2008 21:35:26
Records in database: 1365140
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
Scan statistics
Files scanned 33571
Threat name 46
Infected objects 60
Suspicious objects 0
Duration of the scan 00:25:42

File name Threat name Threats count
C:\Qoobox\Quarantine\C\autorun.inf.vir Infected: Worm.Win32.AutoRun.rja 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ckvo0.dll.vir Infected: Packed.Win32.Krap.b 1
C:\Qoobox\Quarantine\C\xih9.cmd.vir Infected: Packed.Win32.Krap.b 1
C:\Qoobox\Quarantine\D\68.exe.vir Infected: Trojan-GameThief.Win32.Magania.agtn 1
C:\Qoobox\Quarantine\D\9.cmd.vir Infected: Trojan-GameThief.Win32.Magania.ahbf 1
C:\Qoobox\Quarantine\D\autorun.inf.vir Infected: Worm.Win32.AutoRun.rja 1
C:\Qoobox\Quarantine\D\bo1dhu.bat.vir Infected: Trojan-GameThief.Win32.OnLineGames.tnyo 1
C:\Qoobox\Quarantine\D\ev60a2.cmd.vir Infected: Trojan-GameThief.Win32.Magania.aguq 1
C:\Qoobox\Quarantine\D\itsduel.exe.vir Infected: Trojan-GameThief.Win32.OnLineGames.tncg 1
C:\Qoobox\Quarantine\D\xih9.cmd.vir Infected: Packed.Win32.Krap.b 1
C:\Qoobox\Quarantine\E\1rfw8hjr.com.vir Infected: Trojan.Win32.Vaklik.cjw 1
C:\Qoobox\Quarantine\E\1t6yxlxx.cmd.vir Infected: Worm.Win32.AutoRun.mug 1
C:\Qoobox\Quarantine\E\33gmhso.bat.vir Infected: Trojan.Win32.Vaklik.bvg 1
C:\Qoobox\Quarantine\E\6.bat.vir Infected: Trojan.Win32.Vaklik.cce 1
C:\Qoobox\Quarantine\E\68.exe.vir Infected: Trojan-GameThief.Win32.Magania.agtn 1
C:\Qoobox\Quarantine\E\9.cmd.vir Infected: Trojan-GameThief.Win32.Magania.ahbf 1
C:\Qoobox\Quarantine\E\a1.bat.vir Infected: Worm.Win32.AutoRun.ndh 1
C:\Qoobox\Quarantine\E\autorun.inf.vir Infected: Worm.Win32.AutoRun.rja 1
C:\Qoobox\Quarantine\E\bo1dhu.bat.vir Infected: Trojan-GameThief.Win32.OnLineGames.tnyo 1
C:\Qoobox\Quarantine\E\bwpncb6.com.vir Infected: Worm.Win32.AutoRun.lxm 1
C:\Qoobox\Quarantine\E\ev60a2.cmd.vir Infected: Trojan-GameThief.Win32.Magania.aguq 1
C:\Qoobox\Quarantine\E\f0.cmd.vir Infected: Trojan.Win32.Vaklik.cay 1
C:\Qoobox\Quarantine\E\ffojc.com.vir Infected: Worm.Win32.AutoRun.eks 1
C:\Qoobox\Quarantine\E\fi.cmd.vir Infected: Worm.Win32.AutoRun.ekv 1
C:\Qoobox\Quarantine\E\g.com.vir Infected: Trojan.Win32.Vaklik.cgo 1
C:\Qoobox\Quarantine\E\hgu.bat.vir Infected: Trojan-GameThief.Win32.Magania.vzi 1
C:\Qoobox\Quarantine\E\iefqwp.cmd.vir Infected: Trojan.Win32.Vaklik.asv 1
C:\Qoobox\Quarantine\E\itsduel.exe.vir Infected: Trojan-GameThief.Win32.OnLineGames.tncg 1
C:\Qoobox\Quarantine\E\ivcvknr.bat.vir Infected: Trojan.Win32.Vaklik.bym 1
C:\Qoobox\Quarantine\E\kk3.bat.vir Infected: Trojan-GameThief.Win32.Magania.abkt 1
C:\Qoobox\Quarantine\E\kn6jhgc.cmd.vir Infected: Trojan.Win32.Vaklik.cmb 1
C:\Qoobox\Quarantine\E\njibyekk.com.vir Infected: Trojan.Win32.Vaklik.cfk 1
C:\Qoobox\Quarantine\E\r.cmd.vir Infected: Trojan.Win32.Vaklik.bct 1
C:\Qoobox\Quarantine\E\r1y1.bat.vir Infected: Trojan-GameThief.Win32.OnLineGames.tdqz 1
C:\Qoobox\Quarantine\E\r813.bat.vir Infected: Trojan.Win32.Vaklik.cpe 1
C:\Qoobox\Quarantine\E\vxl.exe.vir Infected: Trojan-GameThief.Win32.Magania.acqa 1
C:\Qoobox\Quarantine\E\xih9.cmd.vir Infected: Packed.Win32.Krap.b 1
D:\2fiji.com Infected: Trojan-GameThief.Win32.Magania.aiau 1
D:\xlk9.com Infected: Trojan-GameThief.Win32.Magania.aigw 1
E:\00hoeav.com Infected: Trojan.Win32.Vaklik.bmk 1
E:\qwc.exe Infected: Trojan-GameThief.Win32.Magania.jag 1
E:\klp8j6i.com Infected: Worm.Win32.AutoRun.egy 1
E:\0gjn3yw.exe Infected: Trojan.Win32.Vaklik.bop 1
E:\k.com Infected: Worm.Win32.AutoRun.ekz 1
E:\p83gjy.exe Infected: Trojan.Win32.Vaklik.bwc 1
E:\ybj8df.exe Infected: Trojan.Win32.Vaklik.cbl 1
E:\e9ehn1m8.com Infected: Trojan.Win32.Vaklik.cce 1
E:\g2pfnid.com Infected: Trojan.Win32.Vaklik.chp 1
E:\jk.exe Infected: Trojan.Win32.Vaklik.cgo 1
E:\e.com Infected: Trojan.Win32.Vaklik.coh 1
E:\uis.com Infected: Trojan.Win32.Vaklik.coo 1
E:\22xo.exe Infected: Trojan-GameThief.Win32.Magania.abkz 1
E:\xqf.com Infected: Trojan-GameThief.Win32.Magania.ytx 1
E:\knupkb.com Infected: Worm.Win32.AutoRun.llw 1
E:\xvlyb.exe Infected: Trojan.Win32.Vaklik.csd 1
E:\ph.com Infected: Trojan-GameThief.Win32.Magania.abgx 1
E:\ktnquo.exe Infected: Worm.Win32.AutoRun.mrx 1
E:\39lpji.com Infected: Worm.Win32.AutoRun.nan 1
E:\2fiji.com Infected: Trojan-GameThief.Win32.Magania.aiau 1
E:\xlk9.com Infected: Trojan-GameThief.Win32.Magania.aigw 1
The selected area was scanned.
 

teamhex

My PC seems to be running fine, but that thing said it found a bunch of stuff :(
If it helps, I deleted that quarantine folder. Also, that E drive is an IP phone called magicJack. Maybe that turd is giving me this stuff.
Is there some program that can kill everything? I'll even pay for it; it's got to be the ultimate remover/scanner.
 

Respital

Well, it detected a lot of stuff, so that's good.

As I lack the privilege to give you a ComboFix script, I will do what I can.

Please run ComboFix again.

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Please remember to post an updated HiJackThis log. :)
 

teamhex

Here's the log.

ComboFix 08-10-30.13 - Chris 2008-10-31 20:12:07.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1597 [GMT -5:00]
Running from: C:\Documents and Settings\Chris\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-10-01 to 2008-11-01 )))))))))))))))))))))))))))))))
.

2008-10-31 18:45 . 2008-04-14 05:42 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-10-31 18:45 . 2008-04-14 00:15 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-10-31 18:45 . 2008-04-14 00:15 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-10-31 18:45 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-10-31 18:16 . 2008-10-31 18:16 <DIR> d-------- C:\Program Files\JAM Software
2008-10-31 18:00 . 2008-10-31 18:00 <DIR> d-------- C:\WINDOWS\Sun
2008-10-31 17:58 . 2008-10-31 17:58 <DIR> d-------- C:\Program Files\Java
2008-10-31 17:58 . 2008-10-31 17:58 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-10-31 17:58 . 2008-10-31 17:58 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-10-31 17:15 . 2008-10-31 17:15 578,560 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-10-31 17:14 . 2008-10-31 17:14 <DIR> d-------- C:\WINDOWS\ERUNT
2008-10-31 13:21 . 2008-10-31 17:20 <DIR> d-------- C:\SDFix
2008-10-29 21:47 . 2008-10-29 21:47 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-10-29 21:47 . 2008-04-14 05:42 294,912 -----c--- C:\WINDOWS\system32\dllcache\dlimport.exe
2008-10-29 21:44 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\002897_.tmp
2008-10-29 19:30 . 2008-10-29 19:30 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-10-29 18:18 . 2008-10-29 18:18 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\DAEMON Tools
2008-10-29 18:18 . 2008-10-29 18:18 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-10-29 17:10 . 2008-10-29 17:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-29 16:49 . 2008-10-29 16:49 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\Malwarebytes
2008-10-29 16:49 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-29 16:48 . 2008-10-29 16:49 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-29 16:48 . 2008-10-29 16:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-29 16:48 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-29 16:44 . 2008-10-29 16:44 <DIR> d-------- C:\Program Files\uTorrent
2008-10-29 16:44 . 2008-10-29 19:17 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\uTorrent
2008-10-27 22:51 . 2008-10-27 22:51 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\vlc
2008-10-27 22:50 . 2008-10-27 22:50 <DIR> d-------- C:\Program Files\VideoLAN
2008-10-27 22:04 . 2008-06-13 06:05 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-10-27 22:04 . 2008-06-13 06:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-10-27 22:03 . 2008-08-14 05:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-27 22:03 . 2008-08-14 05:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-27 22:03 . 2008-08-14 04:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-27 22:03 . 2008-08-14 04:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-27 22:03 . 2008-09-15 07:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-27 22:03 . 2008-04-11 14:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-10-27 22:03 . 2008-09-08 05:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-27 22:03 . 2008-05-08 09:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-10-27 22:02 . 2008-10-15 11:34 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-27 21:36 . 2008-10-27 21:36 13,646 --a------ C:\WINDOWS\system32\wpa.bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-01 00:40 --------- d-----w C:\Program Files\Steam
2008-10-28 01:52 --------- d-----w C:\Program Files\Realtek
2008-10-28 01:49 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-10-28 01:34 --------- d-----w C:\Program Files\Intel
2008-10-28 01:16 --------- d-----w C:\Program Files\microsoft frontpage
2008-10-28 01:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-28 01:01 --------- d-----w C:\Program Files\ATI Technologies
2008-10-28 01:00 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-10-28 00:55 --------- d-----w C:\Documents and Settings\Chris\Application Data\mjusbsp
2008-09-24 03:09 3,331,072 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-09-24 03:05 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe
2008-09-24 02:18 425,984 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-09-24 02:17 311,296 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-09-24 02:09 10,772,480 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-09-24 02:07 188,416 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-09-24 02:06 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-09-24 02:06 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-09-24 02:06 143,360 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-09-24 02:06 143,360 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-09-24 02:04 581,632 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-09-24 02:03 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-09-24 01:56 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-09-24 01:54 4,008,864 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-09-24 01:38 2,399,744 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-09-24 01:24 48,640 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-09-24 01:20 380,928 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-09-24 01:19 39,424 ----a-w C:\WINDOWS\system32\atiadlxx.dll
2008-09-24 01:18 53,248 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-09-24 01:18 253,952 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-09-24 01:18 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-09-24 01:12 573,440 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-20 05:30 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:09 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2006-06-24 06:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-10-31 136600]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2008-08-01 16:23 61440 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-27 19:58 1410296 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 13:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2008-03-26 11:14 16859136 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Documents and Settings\\Chris\\Desktop\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-10-31 152984]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113 PCI-E Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l1e51x86.sys [2008-02-02 36864]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8232b83a-a48e-11dd-8bf7-f1955dcc1f35}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8232b83b-a48e-11dd-8bf7-f1955dcc1f35}]
\Shell\AutoRun\command - J:\xih9.cmd
\Shell\explore\Command - J:\xih9.cmd
\Shell\open\Command - J:\xih9.cmd

*Newly Created Service* - JAVAQUICKSTARTERSERVICE
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\37qluhek.default\
FF -: plugin - C:\Program Files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-31 20:12:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-31 20:13:36
ComboFix-quarantined-files.txt 2008-11-01 01:13:33
ComboFix2.txt 2008-10-31 18:27:15

Pre-Run: 16,250,286,080 bytes free
Post-Run: 16,287,870,976 bytes free

148 --- E O F --- 2008-10-31 18:18:18
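Two lines in this ComboFix log explain why the infection keeps coming back from the flash drives. Explorer caches, per volume, the verbs it read from that volume's autorun.inf under HKCU\...\Explorer\MountPoints2; the {8232b83b-...} entry above has AutoRun, explore and open all rebound to J:\xih9.cmd, so double-clicking that drive re-runs the worm even after the copies on C: were quarantined (the I: entry, by contrast, is only a U3 launcher bound to AutoRun). The AntiVirusDisableNotify and UpdatesDisableNotify values under the Security Center key are another indicator from the same dump. The following Python is an added example written for this thread, not ComboFix's code or anything posted by the participants; the sample registry lines are copied from the log above, the autorun.inf is constructed to show the shape of file that produces such cached verbs, and the extension list and verb heuristics are my assumptions.

```python
import ntpath
import re

# Constructed sample: the Security Center and MountPoints2 lines as ComboFix
# printed them in the log above (the I: entry is the SanDisk U3 launcher).
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8232b83b-a48e-11dd-8bf7-f1955dcc1f35}]
\Shell\AutoRun\command - J:\xih9.cmd
\Shell\explore\Command - J:\xih9.cmd
\Shell\open\Command - J:\xih9.cmd
"""
# Constructed autorun.inf of the shape that yields those cached verbs; the
# non-INI junk line is typical of AutoRun worms and must not break the parser.
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
xZq7Lm9 junk padding without an equals sign
open=xih9.cmd
shell\open\Command=xih9.cmd
shell\explore\Command=xih9.cmd
shellexecute=xih9.cmd
icon=%SystemRoot%\system32\SHELL32.dll,4
"""
KEY_RE = re.compile(r"^\[(.+)\]$")
VERB_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+)$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]+)$')
SCRIPT_EXT = {".cmd", ".bat", ".com", ".pif", ".scr", ".vbs", ".js"}  # assumed list
HIJACK_VERBS = {"open", "explore"}  # rebound so that double-clicking the drive runs the worm

def parse_combofix_keys(text):
    """Group a ComboFix registry dump into {key path: [value lines under it]}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, [])
        elif current and line:
            keys[current].append(line)
    return keys

def suspicious_mountpoints(keys):
    """{volume id: reasons} for MountPoints2 entries that run a script or rebind
    open/explore; a launcher bound only to AutoRun (the U3 entry) is not flagged."""
    flagged = {}
    for key, lines in keys.items():
        if "\\mountpoints2\\" not in key.lower():
            continue
        reasons = []
        for line in lines:
            m = VERB_RE.match(line)
            if not m:
                continue
            verb, cmd = m.group(1).lower(), m.group(2).strip()
            target = (cmd.split() or [""])[0]           # the file that would run
            ext = ntpath.splitext(ntpath.basename(target))[1].lower()
            if verb in HIJACK_VERBS:
                reasons.append(f"{verb} verb rebound to {cmd}")
            elif ext in SCRIPT_EXT:
                reasons.append(f"{verb} verb runs a script: {cmd}")
        if reasons:
            flagged[key.rsplit("\\", 1)[1]] = reasons
    return flagged

def security_center_disabled(keys):
    """Names of Security Center *DisableNotify values set non-zero."""
    disabled = []
    for key, lines in keys.items():
        if key.lower().endswith("\\security center"):
            for line in lines:
                m = VALUE_RE.match(line)
                if m and m.group(1).endswith("DisableNotify") and int(m.group(2), 16):
                    disabled.append(m.group(1))
    return disabled

def autorun_commands(inf_text):
    """Commands an autorun.inf hands to Explorer: open, shellexecute and any
    shell\\<verb>\\command key, with junk lines skipped rather than fatal."""
    cmds, in_autorun = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
        elif in_autorun and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            key = key.lower()
            if key in ("open", "shellexecute"):
                cmds[key] = value
            elif key.startswith("shell\\") and key.endswith("\\command"):
                cmds[key.split("\\")[1]] = value
    return cmds
```

Run against the sample, `suspicious_mountpoints` flags only the {8232b83b-...} volume (three reasons: AutoRun runs a .cmd, and open and explore are rebound), `security_center_disabled` returns both DisableNotify names, and `autorun_commands` returns open, explore and shellexecute all pointing at xih9.cmd. The practical follow-up is to delete the cached MountPoints2 entries (Windows rebuilds the key on the next insert), check the root of every flash drive for an autorun.inf and the scripts it names before plugging it into a cleaned machine, and set NoDriveTypeAutoRun to 0xFF, which on XP is only honoured fully once Microsoft's AutoRun update (KB967715) is installed.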
 

Respital

Lets take a deeper look.

: Download and Run DSS :

Download Deckard's System Scanner (DSS) to your Desktop. You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<- this one will be minimized.
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your reply.

Please post a new HiJackThis log after this scan; it is a must. :)
 

teamhex

I'm sorry, but at this point, this is just madness. I've gone through how many programs? For some reason the link won't work; the page won't load.
I went back a directory on the site, this is what I found
"Deckard's System Scanner interacts with a specific rootkit (tdssserv) in a way that may make your system unusable (altering the svchost netsvcs registry entry). This download link has been removed until a fix is released by Deckard. For your own protection, please do not attempt to download this tool from other sites."
 

Respital

Okay, please post a new hijackthis log and wait for a pro to let you know if anything needs to be fixed, please be patient. Until a pro has told you your log is clean please avoid important things such as banking. :)
 

teamhex

Will do, but I think it's gone; HijackThis has found nothing. Here's the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:24:32 PM, on 11/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Chris\Application Data\mjusbsp\magicJack.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Chris\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 3451 bytes
 

Respital

HiJackThis is not a scanner. HJT is a diagnostic program, so that we know what's going on on your computer. So HiJackThis doesn't look for anything; a security pro has to manually look up each line of the log. Please be patient. :)
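The line-by-line lookup described above starts with a few mechanical checks before anyone consults a startup database: which O4 autostarts run from a user-writable location, which O23 services carry no publisher information, and which entries point at files that no longer exist. The following Python is an added first-pass triage written for this thread, not HijackThis code and not anything the participants posted; the sample log is a subset of the HJT log above, and the path list and rules are my assumptions. On this thread's own log it flags two entries, the magicJack cdloader (which runs from Application Data) and the ATI Smart service (listed as "Unknown owner" although ati2sgag.exe is part of the ATI display driver installed per the ComboFix Find3M listing), both of which are benign here, which is exactly the point: the flags tell a reviewer where to look first, not what the verdict is.

```python
import ntpath
import re

# Constructed sample: a subset of the HijackThis log posted above, verbatim.
SAMPLE_HJT = r"""
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Chris\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""
O4_RE = re.compile(r"^O4 - (HKLM|HKCU|Startup|Global Startup)[^\[]*\[(.+?)\] (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
# Assumed list of locations a non-admin process can write to on XP/Vista.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\application data\\",
                 "\\local settings\\", "\\temp\\", "\\appdata\\")
PROGRAM_EXT = {".exe"}  # anything else (.dll via rundll32, .cmd, .scr) deserves a look

def launch_path(command):
    """The file an O4 command line actually launches (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]

def triage_hjt(text):
    """Return (section, name, reason) tuples for lines a reviewer should check first."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            _hive, name, command = m.groups()
            path = launch_path(command)
            low = path.lower()
            if any(p in low for p in USER_WRITABLE):
                findings.append(("O4", name, "autostart from a user-writable path: " + path))
            if ntpath.splitext(low)[1] not in PROGRAM_EXT:
                findings.append(("O4", name, "autostart target is not a plain .exe: " + path))
            continue
        m = O23_RE.match(line)
        if m:
            service, owner, path = m.groups()
            if owner.lower() == "unknown owner":
                findings.append(("O23", service, "service binary carries no publisher info: " + path))
            continue
        if "(no file)" in line.lower():
            findings.append((line.split(" - ")[0], line, "entry points at a file that no longer exists"))
    return findings

if __name__ == "__main__":
    for section, name, reason in triage_hjt(SAMPLE_HJT):
        print(f"{section:4} {name}: {reason}")
```

Entries that pass these checks are not thereby clean; a Run entry under Program Files with a plausible name still needs its file looked up, which is the manual part Respital is describing.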
 

teamhex

Yeah, it just checks running processes. Everything on it looks normal to me. I'm not a security pro, but I know what processes should and shouldn't be running.
BTW, Respital, thanks; no one else has jumped in and attempted to help. Again, thanks a ton, mate.
 

Respital

No problem. I try to do as much as i can. :)
 

teamhex

This thing popped up again on my system; it's got to be hiding somewhere. I just keep running the steps and it stays gone for a day or so. I guess I'm going to just toss or reformat my flash drives and both HDs. I really don't want to format my slave, but if I have to.
 

Respital

Hold on a minute!

It's likely that it's from a flash drive, figure out which one you plugged in when it popped up again and report back. :)
 

teamhex

The crazy thing is I had it plugged in when I ran ComboFix/SDFix, and it cleaned some stuff off along with stuff on the C and D drives. So it's still somewhere.
 