I need help cleaning my computer

H

huxley-market

New Member
GameMaster said:
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

In next post please post:
  • SDFix report
  • ComboFix report
Click to expand...

ok, i did what you asked, here is the report of the SDfix:

Rebooting


Checking Files :

No Trojan Files Found




Folder C:\Program Files\AntiSpywareMaster - Removed
Folder C:\Program Files\winvi - Removed
Folder C:\Temp\1cb - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 20:39:57
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files :



Files with Hidden Attributes :

Sun 3 Sep 2006 848 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sun 13 Apr 2008 258,998,272 A.SH. --- "C:\System Volume Information\_restore{DBD29183-E1DA-442D-AFFB-41A1B3CD2AAE}\RP236\A0200517.sys"
Sun 13 Apr 2008 258,998,272 A.SH. --- "C:\System Volume Information\_restore{DBD29183-E1DA-442D-AFFB-41A1B3CD2AAE}\RP236\A0201517.sys"
Sun 10 Feb 2008 0 A..H. --- "C:\Documents and Settings\Steph\Local Settings\Temp\5f765cbhp65cb0.exe"
Sat 21 Jun 2003 377,344 A..H. --- "C:\Program Files\Smart Projects\IsoBuster\Help\AHlp.exe"

Finished!

--------------------------------------------------------------------

here is the hack this report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:56 PM, on 5/25/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {24F372CC-44AC-4A5F-8719-A2F97C93DB1C} - C:\WINDOWS\System32\qoMfgGyv.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {F9DF827A-8FA7-48A3-B268-CA4DB563EA40} - C:\WINDOWS\System32\fccddccY.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [BMaf7b56b0] Rundll32.exe "C:\WINDOWS\System32\teyqibol.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?101d4ec7a8ba474ab733853bbe3f1df9
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?101d4ec7a8ba474ab733853bbe3f1df9
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O20 - Winlogon Notify: fccddccY - C:\WINDOWS\SYSTEM32\fccddccY.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

--
End of file - 7898 bytes




But there is still some thing going on: c/windows/system32.gomfgGYv.dll

that clicks on when I start up explorer.
 
H

huxley-market

New Member
ok the combofix log:

ComboFix 08-05-25.3 - Steph 2008-05-25 21:05:23.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.78 [GMT -3:00]
Running from: C:\Documents and Settings\Steph\Desktop\installed software\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMaf7b56b0.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\efcASiHb.dll
C:\WINDOWS\system32\fccddccY.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rrahicxa.ini
C:\WINDOWS\system32\ssqOEVMD.dll
C:\WINDOWS\system32\tunrjghs.ini
C:\WINDOWS\system32\vyGgfMoq.ini
C:\WINDOWS\system32\vyGgfMoq.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSLIBRARY
-------\Service_SysLibrary


((((((((((((((((((((((((( Files Created from 2008-04-26 to 2008-05-26 )))))))))))))))))))))))))))))))
.

2008-05-26 14:38 . 2008-05-26 14:38 <DIR> d--hs---- C:\FOUND.028
2008-05-25 21:00 . 2008-05-25 21:00 114,176 --a------ C:\WINDOWS\system32\uxawohwl.dll
2008-05-25 20:59 . 2008-05-25 20:59 135,168 --a------ C:\WINDOWS\system32\afrasfgd.dll
2008-05-25 20:53 . 2008-05-25 20:54 128,000 --a------ C:\WINDOWS\system32\nhkqvlqo.dll
2008-05-25 20:27 . 2008-05-25 20:27 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-25 20:27 . 2008-05-25 20:27 <DIR> d-------- C:\SDFix'
2008-05-25 20:17 . 2008-05-25 20:17 <DIR> d--hs---- C:\FOUND.032
2008-05-25 19:17 . 2008-05-25 19:17 <DIR> d-------- C:\Program Files\Webroot
2008-05-25 19:17 . 2008-05-25 19:17 <DIR> d-------- C:\Documents and Settings\Steph\Application Data\Webroot
2008-05-25 19:09 . 2008-05-25 19:09 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-25 15:03 . 2008-05-25 15:03 <DIR> d--hs---- C:\FOUND.031
2008-05-25 11:55 . 2008-05-25 11:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-24 20:42 . 2008-05-24 20:42 <DIR> d--hs---- C:\FOUND.030
2008-05-20 14:28 . 2008-05-20 14:28 <DIR> d--hs---- C:\FOUND.027
2008-05-18 17:38 . 2008-05-18 17:38 <DIR> d--hs---- C:\FOUND.029
2008-05-18 17:33 . 2008-05-18 17:33 371,712 --a------ C:\WINDOWS\system32\qoMfgGyv.dll
2008-05-18 17:29 . 2008-05-18 17:29 <DIR> d-------- C:\WINDOWS\system32\podll
2008-05-18 17:29 . 2008-05-18 17:29 <DIR> d-------- C:\WINDOWS\system32\DFE
2008-05-18 17:28 . 2008-05-18 17:28 <DIR> d-------- C:\WINDOWS\system32\logXv01
2008-05-18 17:28 . 2008-05-18 17:28 <DIR> d-------- C:\WINDOWS\system32\gcom
2008-05-18 17:28 . 2008-05-18 17:28 <DIR> d-------- C:\Temp\dmpxp32
2008-05-18 17:28 . 2008-05-18 17:28 <DIR> d-------- C:\Temp
2008-05-18 17:28 . 2008-05-18 17:28 371,549 --a------ C:\Temp\sCarp2030.exe
2008-05-11 16:57 . 2008-03-21 17:30 120,056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2008-05-11 16:57 . 2008-03-21 17:30 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 21:25 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2006-09-04 02:22 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24F372CC-44AC-4A5F-8719-A2F97C93DB1C}]
2008-05-18 17:33 371712 --a------ C:\WINDOWS\System32\qoMfgGyv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-03 17:28 68856]
"WebCamRT.exe"="" []
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [2004-12-09 18:34 3545088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-06-21 14:14 35328]
"Device Detector"="DevDetect.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-23 18:13 77824]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 07:06 79224]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-08-12 14:53 20480]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 17:54 127022]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"BMaf7b56b0"="C:\WINDOWS\System32\teyqibol.dll" [ ]

C:\Documents and Settings\Steph\Start Menu\Programs\Startup\
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2006-08-28 18:55:41 19968]
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 21:57:56 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 15:04:48 176128]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 16423]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2002-08-29 03:41 1511453 C:\Program Files\Messenger\msmsgs.exe


.
Contents of the 'Scheduled Tasks' folder
"2008-05-25 15:29:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 21:20:26
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\DOCUME~1\Steph\LOCALS~1\Temp\mc22.tmp"
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASWUPDSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\SYSTEM32\WDFMGR.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHDISP.EXE
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
.
**************************************************************************
.
Completion time: 2008-05-25 21:25:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-26 00:25:10

Pre-Run: 5,512,134,656 bytes free
Post-Run: 11,199,660,032 bytes free

128
-----------------------------------------------------------------





so guys what do i do now?
 
GameMaster

GameMaster

New Member
Some rogue anitmalware programs ( bad programs ) are deleted by SDFix, made this easier, though I really suspected on Trojans.

Download Avenger, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).

Note: This program is for use on Windows XP 32 bit systems only, and must be run from an Administrator account.

  • Open a Notepad file by clicking Start > Run and typing Notepad.exe in the box, click OK.
  • Click Format, and ensure Word Wrap is unchecked.
  • Copy and Paste the text in the box below into Notepad.
  • Now save the file as RemoveFiles.txt in a location where you can find it.

Files to delete:
C:\WINDOWS\system32\afrasfgd.dll
C:\WINDOWS\system32\afrasfgd.dll
C:\WINDOWS\system32\nhkqvlqo.dll
C:\WINDOWS\system32\qoMfgGyv.dll
C:\Temp\dmpxp32
C:\Temp\sCarp2030.exe
Folders to delete:
C:\WINDOWS\system32\DFE
C:\WINDOWS\system32\podll
Click to expand...

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Start Avenger by double clicking on Avenger.exe.
  • Check Load script from file:
  • Click on the folder symbol below and to the right, and browse to RemoveFiles.txt.
  • Double click it to enter it into Avenger.
  • Click the green traffic light symbol.
  • You will be asked if you want to execute the script, answer Yes.
  • At this point you may get prompts from your protection systems, allow them please.
  • Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
  • Answer Yes, and allow your computer to re-boot.
  • Upon re-boot a command window will briefly appear on screen (this is normal).
  • A Notepad text file will be created C:\avenger.txt.
  • Copy and Paste it into your next post please.

Please tell me, do you recognise those folders in C:/ : FOUND.030, FOUND.28...
What are they? What program created them? Did you create them?
 
H

huxley-market

New Member
ok the avanger report:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\afrasfgd.dll" deleted successfully.

Error: file "C:\WINDOWS\system32\afrasfgd.dll" not found!
Deletion of file "C:\WINDOWS\system32\afrasfgd.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\nhkqvlqo.dll" deleted successfully.

Error: file "C:\WINDOWS\system32\qoMfgGyv.dll" not found!
Deletion of file "C:\WINDOWS\system32\qoMfgGyv.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: "C:\Temp\dmpxp32" is a folder, not a file!
Deletion of file "C:\Temp\dmpxp32" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory

File "C:\Temp\sCarp2030.exe" deleted successfully.
Folder "C:\WINDOWS\system32\DFE" deleted successfully.
Folder "C:\WINDOWS\system32\podll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



----------------------------------

I dont know what those C/found files are honestly. I didnt create them.


I have a question, every time my windows boot up theres a error window that pops up it says.

RUNDLL
error loading c:/windows/system32/teyqibol.dll
the specified module could not be found.





so what does that mean exactly.



thanks for all your help guys
 
GameMaster

GameMaster

New Member
That means we didn't delete all the bad files.

Let's fix it all with HijackThis in the end.
Open HijackThis and choose Do a system scan only. Check these entries:
  • O2 - BHO: (no name) - {24F372CC-44AC-4A5F-8719-A2F97C93DB1C} - C:\WINDOWS\System32\qoMfgGyv.dll (file missing
  • O2 - BHO: (no name) - {F9DF827A-8FA7-48A3-B268-CA4DB563EA40} - C:\WINDOWS\System32\fccddccY.dll
  • O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0
  • O4 - HKLM\..\Run: [BMaf7b56b0] Rundll32.exe "C:\WINDOWS\System32\teyqibol.dll",s
  • O15 - Trusted Zone: *.amaena.com
    O15 - Trusted Zone: *.avsystemcare.com
    O15 - Trusted Zone: *.gomyhit.com
    O15 - Trusted Zone: *.imageservr.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.onerateld.com
    O15 - Trusted Zone: *.safetydownload.com
    O15 - Trusted Zone: *.storageguardsoft.com
    O15 - Trusted Zone: *.trustedantivirus.com
    O15 - Trusted Zone: *.virusschlacht.com
    O15 - Trusted Zone: *.amaena.com (HKLM)
    O15 - Trusted Zone: *.avsystemcare.com (HKLM)
    O15 - Trusted Zone: *.gomyhit.com (HKLM)
    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.onerateld.com (HKLM)
    O15 - Trusted Zone: *.safetydownload.com (HKLM)
    O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
    O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
    O15 - Trusted Zone: *.virusschlacht.com (HKLM)
  • O20 - Winlogon Notify: fccddccY - C:\WINDOWS\SYSTEM32\fccddccY
Now close all open windows except the HijackThis and click Fix checked.
Reboot your computer.

I was stupid, didn't spot it was Vundo infection, I'd be sure in what to do immediately.
I hope you don't mind this process got a bit longer.

When done all suggested, run Avenger again but this time input this at the script:
Code: 
Files to delete: 
C:\WINDOWS\System32\teyqibol.dll
C:\WINDOWS\System32\fccddccY.dll
Do as last time, post the log.
How's your system running now?
 
H

huxley-market

New Member
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\WINDOWS\System32\teyqibol.dll" not found!
Deletion of file "C:\WINDOWS\System32\teyqibol.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

---------------------------------

I tried to do what you asked. the hack this. you wanted me to select only the ones with the black dot next to it , right,

well, i could only select :O15 - Trusted Zone: *.amaena.com
the 02 ones were not there. all the 015 were there, the 20 wasnt there.


what I think happened with the system/teyqibol, is that i clicked rename/move this one time when my avast poped up.


and yes my pc is working much better, i forget which program removed the spywaremaster but since then it's been working well, but i know there is still some stuff to fix , cause i did a scan with avast and it said i have 10 infected files, i wish i could copy paste for you to see them but it doesnt allow that.


so whats my next step ?
 
GameMaster

GameMaster

New Member
Delete all 015 lines. I'm sorry, I was just too lazy and I wanted to post the answer fast so... It's hard to type like 15 times [*] :D

Don't worry if you don't find some of the entries in HijackThis, that means it's removed. Fix what you found and reboot.

Also, I suggested two files to delete with Avenger; one is already deleted but what with another one? Where did it disappear?
It is important that this file gets deleted.
C:\WINDOWS\System32\fccddccY.dll
 
H

huxley-market

New Member
GameMaster said:
Delete all 015 lines. I'm sorry, I was just too lazy and I wanted to post the answer fast so... It's hard to type like 15 times [*] :D

Don't worry if you don't find some of the entries in HijackThis, that means it's removed. Fix what you found and reboot.

Also, I suggested two files to delete with Avenger; one is already deleted but what with another one? Where did it disappear?
It is important that this file gets deleted.
C:\WINDOWS\System32\fccddccY.dll
Click to expand...

dont worry about it. You've been very helpful, serious. ok, I did what you asked. here is the report of avenger:




Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\WINDOWS\System32\fccddccY.dll" not found!
Deletion of file "C:\WINDOWS\System32\fccddccY.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.




plus when i start up my pc it has stoped doing that error thing the one with teyqibol.dll


so whats next for now? plus after this is all done, I really need to learn how to protect my pc from this happening again.


thanks
 
GameMaster

GameMaster

New Member
Yep. To be sure, please scan with HijackThis again and post the log.
Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we at Computer Forum are to help you, for your sake we would rather not have repeat customers. :p

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, if you haven't done that already. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.
[OR]
I notice that you do not seem to be running antivirus software. This is somewhat suicidal in today's digital world. AVG makes an excellent free antivirus client, as do AntiVir or avast!.

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. Some good free firewalls are ZoneAlarm, Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems! Good luck. :D
 
H

huxley-market

New Member
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:07:02 PM, on 5/27/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Final Draft 7\Final Draft.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?101d4ec7a8ba474ab733853bbe3f1df9
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?101d4ec7a8ba474ab733853bbe3f1df9
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

--
End of file - 6817 bytes




I do have a anti virus program on, I use avast , but I'm finding that it's not that great, I think I did try to download "AVG" but it was asking that I change my windows to some other windows xp that is like 200 something megabites, so I didnt cause I was unsure about what it would do. so I didnt do it.


I'll go read up on the tutotrials you gave me and download those protection software, and if I have any questions relating to them I'll send you a private msg. thanks for all your help , my pc is working a 1000 times better from what it was like 3 days ago. thanks
 
G25r8cer

G25r8cer

Active Member
If you find that avast is using too much cpu like I did then I recommend Nod32. Nod32 is a much smaller running antivirus and works a treat.
 
H

huxley-market

New Member
Ok, first off, I'm on another computer, in the house. I think my computer crashed. I can't get windows screen. it loads up with the black dos pages , 2 of them, then it goes to a screen full of funny symbols. plus I can't even go into safe mode. the only things I can do with it is go into setup( but i dont know what i can do with it there) plus f10 change the bootstraps (but dont know what that means. ) it's pxe boot using interuptor 18 ( if that helps but i can change them )

so is my computer done for or can i fix this on my own?



i find it strange cause i had just cleaned it all up and was about to put all new protection stuff, what happend was i was on microsoft update page and had cannceled a update cause i had just read that i needed to be fully clean before uploading it ,so i canceled to wait to hear if i was all clean, then went back to upload after knowing i was good. but the page was different , so other upload and not the windows pack 2 , so refreshed my page , same thing, i decided to hit the restart button, my computer restarted ok , it went to the blue scanning page , i wanted to skip it so i pressed esc, but it didnt skip , just stop, so i hit the restart button a second time, computer started , went throught the 2 dos pages but the 3rd page is all this computer symbols junk,



any ideas how to fix that ?
 
cohen

cohen

New Member
sounds like that it was an update that has stuffed windows.

You'll have to do a windows repair.
 
H

huxley-market

New Member
question,,, I'm on my computer in town,,, i 'm running on a bootleg windows , like i dont have a cd for windows , it's the windows that came with the computer from the pc store.




I want to protect this computer, so my question is all those protection software, fire wall , anty virus, ect... is it ok for my riped copy of windows.


note.. I will not download the windows upodates because thats what i think crashed my computer
 
You must log in or register to reply here.
Top