Solved: Need help removing a virus

8dalejr.fan · 12:11 AM

Was on my favourite go karting place's website today to see what their prices are, and I picked up a virus.

Avast just told me about it but did nothing, then the virus restarted my computer, and now the virus created a new icon in the system tray and it is bombarding me with messages that say I'm infected and to download their product.

The virus that Avast reported is Win32:Agent-QNI [Trj]. It said it was found in the C:\Windows\system32\dllcache\figaro.sys file.

This describes perfectly what happened, and what appeared:
http://www.symantec.com/security_res...055-99&tabid=2

Here is a HJT log. I'm going to run a full system scan with Avast in the mean time, then post a new log, and I'd be happy to follow any advice from the TSG experts.

Logfile of HijackThis v1.99.1
Scan saved at 10:39:07 PM, on 18/07/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\AceGain\LiveUpdate\aceagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hijack This\Mypoppy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nascar.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [CTDVDDet] "C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] "REGSVR32.EXE" /S CTASIO.DLL
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Itiva Media Accelerator] C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {40289096-9F72-4A04-BCB3-E434ECDCEE33} (AppDLCtrl Class) - http://download.howudodat.com/chatte...load/appdl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6BA77042-FC93-4AED-B0E8-824979156BA4} (InstallerAX Class) - http://chevy.a.content.maven.net/mvm...nstallerAX.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab
O16 - DPF: {AEF76437-F960-4EBC-97EA-7BBB4230CF38} (OcarptMain Class) - https://oca.microsoft.com/en/secure/ocarpt.CAB
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\508\G2AWinLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GoToAssist - Unknown owner - C:\Program Files\Citrix\GoToAssist\508\g2aservice.exe" Start=service (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

8dalejr.fan · 19-Jul-2009, 12:59 AM #2

Avast scan came up clean but that Braviax file is still there and I believe that's a part of the virus.

8dalejr.fan · 01:48 PM

I should add that I left the machine on last night because I worry it might not boot up properly next time if the virus is still there (as the beep.sys driver was apparently replaced with the virus files according to the Symantec link I posted).

cybertech · 19-Jul-2009, 04:27 PM #4

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.

When finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

8dalejr.fan · 19-Jul-2009, 04:49 PM #5

How bad is the infection?

When I ran ComboFix, it asked me to install some kind of Recovery Console. I didn't know what this was so I didn't do it. I don't know if that's a bad thing. I can re-run the scan and download the Recovery Console if that's what I'm supposed to do.

It also asked me to disable my antivirus when I ran it, so I did, but now Windows Firewall seems to be disabled also.

--------------------

ComboFix 09-07-19.02 - Mikey Chrobok 19/07/2009 15:32.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.524 [GMT -4:00]
Running from: c:\documents and settings\Mikey Chrobok\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1335 [VPS 090718-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\56e64.msi
c:\windows\Installer\eed021.msi
c:\windows\patch.exe
c:\windows\system32\Data
c:\windows\system32\Data\CTP0243W.DAT
c:\windows\system32\E95THK16.EXE
c:\windows\system32\encapi32.dll
c:\windows\system32\netzy.dll

.
((((((((((((((((((((((((( Files Created from 2009-06-19 to 2009-07-19 )))))))))))))))))))))))))))))))
.

2009-07-19 02:27 . 2009-07-19 02:27 180690 ----a-w- c:\windows\system32\wisdstr.exe
2009-07-19 00:57 . 2009-07-19 00:57 -------- d-----w- c:\documents and settings\Mikey Chrobok\Local Settings\Application Data\Codemasters
2009-07-19 00:39 . 2009-07-19 00:39 -------- d-----w- c:\program files\Codemasters
2009-07-15 15:22 . 2009-07-15 15:22 -------- d-----w- c:\documents and settings\Mikey Chrobok\.jagex_cache_32
2009-07-15 15:21 . 2009-07-15 15:21 -------- d-----w- C:\.jagex_cache_32
2009-07-02 11:46 . 2008-02-20 21:49 495104 ----a-w- c:\windows\Michael_Walltrip.exe
2009-07-02 11:46 . 2009-07-02 11:46 -------- d-----w- c:\windows\Michael_Walltrip Uninstaller
2009-07-02 11:46 . 2008-02-20 21:50 903680 ----a-w- c:\windows\Michael_Walltrip.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-19 19:13 . 2006-01-07 14:21 -------- d-----w- c:\program files\Hijack This
2009-07-19 15:48 . 2008-07-23 23:04 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-07-19 04:51 . 2008-11-06 12:39 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-07-19 02:26 . 2004-07-30 02:36 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2009-07-19 02:26 . 2004-07-30 02:36 288 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2009-07-19 00:50 . 2004-10-05 00:49 31256 ----a-w- c:\documents and settings\Mikey Chrobok\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-19 00:40 . 2004-07-30 01:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-18 23:54 . 2008-07-04 19:10 34 ----a-w- c:\documents and settings\Mikey Chrobok\jagex_runescape_preferences.dat
2009-07-10 01:06 . 2007-07-06 14:06 -------- d-----w- c:\documents and settings\Mikey Chrobok\Application Data\ZoomBrowser EX
2009-07-10 01:06 . 2007-07-06 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-07-03 00:50 . 2007-09-01 19:11 138016 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-03 00:50 . 2007-09-01 19:10 189448 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-06-13 01:25 . 2009-01-19 01:39 -------- d-----w- c:\program files\ARCA Download Client
2009-06-13 01:23 . 2009-01-19 02:30 -------- d-----w- c:\program files\ARCA 08
2009-06-13 01:15 . 2009-03-01 01:22 20480 ----a-w- c:\documents and settings\All Users\Application Data\ARCA Download Client\dcds\patches\SelfUpdateFull.exe
2009-05-31 18:55 . 2007-09-01 19:10 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-04-28 18:21 . 2009-04-28 18:21 34063 ----a-w- c:\documents and settings\Mikey Chrobok\Application Data\Move Networks\ie_bin\Uninst.exe
2009-04-28 18:21 . 2009-04-28 18:20 1046584 ----a-w- c:\documents and settings\Mikey Chrobok\Application Data\Move Networks\MoveMediaPlayer_071301000019.exe
2005-10-22 23:44 . 2005-10-06 02:31 0 ---h--w- c:\program files\viewpoint
2009-04-03 20:03 . 2004-08-12 13:04 10022 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SB Audigy 2 Startup Menu"="/L:ENG" [X]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 1415824]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-23 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2004-10-08 131072]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-06-25 294998]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-10-31 180269]
"AceGain LiveUpdate"="c:\program files\AceGain\LiveUpdate\LiveUpdate.exe" [2004-01-01 417792]
"mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2004-10-08 53248]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-06-15 366400]
"Itiva Media Accelerator"="c:\program files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe" [2008-06-04 4994288]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2003-02-20 28672]
"AsioReg"="CTASIO.DLL" - c:\windows\system32\CTASIO.DLL [2003-02-20 110592]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-03 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2004-8-2 106560]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\Shell ExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-02-27 15:39 282624 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-04-08 15:09 10536 ----a-w- c:\program files\Citrix\GoToAssist\508\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawser vice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDef end]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Papyrus\\NASCAR Racing 2003 Season\\NR2003.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Soldier of Fortune II - Double Helix GOLD\\SoF2MP.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aomx.exe"=
"c:\\Program Files\\ARCA Remax\\ARCA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Itiva\\Itiva Media Accelerator\\ItivaMediaAccelerator.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ARCA Download Client\\ARCALeverageClient.exe"=
"c:\\Program Files\\ARCA 08\\ARCA.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [31/03/2009 8:44 PM 114768]
R1 atitray;atitray;c:\program files\Ray Adams\ATI Tray Tools\atitray.sys [22/05/2007 5:04 AM 18088]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/10/2006 12:53 PM 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [27/02/2007 11:39 AM 32256]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [31/03/2009 8:44 PM 20560]
R2 IniPciCheck;IniPciCheck;c:\windows\system32\drivers\IPciChk.sys [12/09/2004 11:59 AM 5120]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [23/07/2008 7:03 PM 206096]
R2 sensorsview;sensorsview;c:\windows\system32\drivers\sensorsview.sys [17/08/2007 12:00 PM 4224]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 6:19 PM 13592]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/02/2006 4:51 PM 4096]
S3 tupdate;tupdate;\??\c:\docume~1\MIKEYC~1\LOCALS~1\Temp\tupdate.sys --> c:\docume~1\MIKEYC~1\LOCALS~1\Temp\tupdate.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-07-19 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 22:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Sonic RecordNow! - (no file)
HKCU-Run-Start WingMan Profiler - (no file)
Notify-AtiExtEvent - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://nascar.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = about:blank
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Search &Dictionary - c:\program files\Lexico\Toolbar\dictionary.htm
IE: Search &Thesaurus - c:\program files\Lexico\Toolbar\thesaurus.htm
DPF: {6BA77042-FC93-4AED-B0E8-824979156BA4} - hxxp://chevy.a.content.maven.net/mvms/vfs/chevy/chevylive/live/install/installerAX.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-19 15:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D8B5B5E3-2F8F-3000-6CB8-D2D6FBAF5C53}\InProcServer32*]
"oalijnfmmidclifhmdehadbjnmcdia"=hex:6a,61,63,63,69,67,70,61,64,67,70,65,62 ,68,
6c,69,68,70,70,6a,00,00
"nalidpalmhnhbficmckhgaigmieg"=hex:6b,61,6a,6e,6f,67,6c,67,64,6d,61,6a,65,6 5,
61,66,66,68,67,64,68,62,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Citrix\GoToAssist\508\G2AWinLogon.dll
.
Completion time: 2009-07-19 15:45
ComboFix-quarantined-files.txt 2009-07-19 19:45
ComboFix2.txt 2007-05-05 17:48

Pre-Run: 2,745,925,632 bytes free
Post-Run: 5,885,231,104 bytes free

179

8dalejr.fan · 19-Jul-2009, 04:51 PM #6

The rogue file in HJT appears to be gone.

TeaTimer was detecting registry changes and bugging me about what to do with them. Should we disable TeaTimer?

I will backup some more files before we continue.

Logfile of HijackThis v1.99.1
Scan saved at 3:50:24 PM, on 19/07/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\AceGain\LiveUpdate\aceagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Hijack This\Mypoppy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nascar.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [CTDVDDet] "C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] "REGSVR32.EXE" /S CTASIO.DLL
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Itiva Media Accelerator] C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {40289096-9F72-4A04-BCB3-E434ECDCEE33} (AppDLCtrl Class) - http://download.howudodat.com/chatte...load/appdl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6BA77042-FC93-4AED-B0E8-824979156BA4} (InstallerAX Class) - http://chevy.a.content.maven.net/mvm...nstallerAX.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab
O16 - DPF: {AEF76437-F960-4EBC-97EA-7BBB4230CF38} (OcarptMain Class) - https://oca.microsoft.com/en/secure/ocarpt.CAB
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\508\G2AWinLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GoToAssist - Unknown owner - C:\Program Files\Citrix\GoToAssist\508\g2aservice.exe" Start=service (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

cybertech · 19-Jul-2009, 04:59 PM #7

How bad is it? Depends on what you use your machine for. I would not hesitate to format and reload my machine if I got infected.

Yes disable teatimer for now.

Recovery Console is like another way into your system that you can use if Windows will not boot. I install it on all of my systems.

Open Notepad and copy and paste the text in the code box below into it:

Code:

KILLALL::
File::
c:\windows\system32\wisdstr.exe
c:\docume~1\MIKEYC~1\LOCALS~1\Temp\tupdate.sys 
Driver::
tupdate
RegNULL::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D8B5B5E3-2F8F-3000-6CB8-D2D6FBAF5C53}\InProcServer32*]

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. It may ask to reboot. Post the contents of c:\Combofix.txt in your next reply.

Download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Click Exit on the Main menu to close the program.

Download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.

8dalejr.fan · 19-Jul-2009, 05:00 PM #8

How can I install the Recovery Console (since I guess I screwed up)? Will I be given the option when I run ComboFix again?

cybertech · 19-Jul-2009, 05:06 PM #9

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System

Download the file & save it as it's originally named.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Please note once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall.

Drag the setup package onto ComboFix.exe and drop it.
Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

At the next prompt, click 'Yes' to run the full ComboFix scan.

8dalejr.fan · 06:09 PM

Should I install the Recovery Console & run an initial ComboFix scan before I proceed with your earlier instructions about dragging the CFScript.txt into ComboFix.exe?

Also, would I need any floppy disks when installing the Recovery Console?

Windows Firewall reports that it is disabled after running ComboFix the first time. Is this ok for now?

I use the computer for gaming, Internet/email, and school work (which is backed up).

Is this a major virus? I've had many infections before (d'oh!) but the folks at TSG, you yourself included, have always helped me so I've never had to format and reload my machine.

Thank you for your help so far.

cybertech · 19-Jul-2009, 06:12 PM **#11**

Install Recovery Console and use the link to the Microsoft site for SP2 since that is what you are using.

Then run the script.

8dalejr.fan · 19-Jul-2009, 06:15 PM **#12**

Sorry to sound dumb, but...

1. Install Recovery Console
2. Click Yes and run ComboFix
3. Install the script
4. Run ComboFix

Or do I click "No" after installing Recovery Console, then run the script and the scan, so I only run ComboFix once?

(Sorry again for being malware illiterate

)

8dalejr.fan · 19-Jul-2009, 06:22 PM **#13**

One more stupid question...

Disabling TeaTimer: how do I do it properly, should I do it before installing the Recovery Console, and is it ok if it makes me restart the computer before I finish getting rid of the malware (will it boot up ok)?

8dalejr.fan · 19-Jul-2009, 10:03 PM **#14**

I want to disable TeaTimer first but it is not letting me... I can't get the Spybot program to open. It freezes while loading.

I think this is because Spybot is one of the programs the trojan interferes with, along with many other anti-malware programs.

Quote:

The Trojan may then end the following processes:

aluschedulersvc.exe
appsvc32.exe
apvxdwin.exe
ashmaisv.exe
ashserv.exe
ashwebsv.exe
autoruns.exe
avciman.exe
avengine.exe
avgagent.exe
avgamsvr.exe
avgas.exe
avgas.exe
avgcc.exe
avgemc.exe
avgemc.exe
avgupsvc.exe
avgupsvc.exe
avgw.exe
avgw.exe
avp.exe
avpcc.exe
avpm.exe
avsched32.exe
avz.exe
bdmcon.exe
bdss.exe
bolenja.exe
bolenjx.exe
cavrid.exe
cavtray.exe
ccapp.exe
ccevtmgr.exe
ccevtmgr.exe
ccimscan.exe
ccproxy.exe
ccpwdsvc.exe
ccpwdsvc.exe
ccpxysvc.exe
ccsetmgr.exe
ccsetmgr.exe
ccsvchst.exe
combo.exe
combofix
comboxfix.exe
cpd.exe
cpf.exe
crypserv.exe
cureit.exe
defwatch.exe
dsentry.exe
dss.exe
eyetidecontroller.exe
farsighter.exe
fatbuster.exe
fsav32.exe
fsbl.exe
f-sched.exe
fsm32.exe
f-stopw.exe
fwservice.exe
gcasdtserv.exe
gcasserv.exe
globkill.exe
gmer.exe
hackmon.exe
hbtoeaddon.exe
hijackthis
hitvirus.exe
hwpe2.exe
iao.exe
icmon.exe
inetupd.exe
ismini.exe
isnotify.exe
issvc.exe
issvc.exe
kav.exe
kavss.exe
kavsvc.exe
killbox.exe
klpf.exe
klswd.exe
kmd.exe
kpf4ss.exe
little_helper2.exe
livesrv.exe
lsasrv.exe
lsass32.exe
lsetup.exe
lucoms~1.exe
magiclink.exe
malscr.exe
malswep.exe
mcshield.exe
msmpeng.exe
msssrv.exe
mwsoemon.exe
myvideodaily2.exe
navapp.exe
navapsvc.exe
navapsvc.exe
navapsvc.exe
navilog
navstub.exe
navw32.exe
nisum.exe
njexplor.exe
nlsupervisorpro.exe
no32mon.exe
nod32krn.exe
nod32ra.exe
nortonupdate.exe
nsmdtr.exe
nvctrl.exe
ofcdog.exe
op_mon.exe
outpost.exe
overseer.exe
overspy.exe
pavfnsvr.exe
pavfnsvr.exe
pavprsrv.exe
pavsrv51.exe
pbcpl.exe
pboptions.exe
pifsvc.exe
prevxcsi.exe
prevxcsi.exe
printer.exe
procmast.exe
psctrls.exe
pshost.exe
psimsvc.exe
pskmssvc.exe
rootkit_detektive.exe
rtvscan.exe
sandboxieserver.exe
savscan.exe
savscan.exe
sbserv.exe
sdfix.exe
sdtrayapp.exe
sndmon.exe
sndsrvc.exe
spbbcsvc.exe
spyblock.dll
spybot.exe
spybotsd.exe
spywaredetector.exe
superantispyware.exe
svcntaux.exe
svcntaux.exe
swdsvc.exe
swdsvc.exe
symlcsvc.exe
symlcsvc.exe
symwsc.exe
thguard.exe
tpsrv.exe
trjscan.exe
vundofix.exe
winavxx.exe
zclient.exe
zcodec.exe
zcomservice.exe

8dalejr.fan · 19-Jul-2009, 10:23 PM **#15**

I should also add, cybertech, that there is a batch file on my desktop called delself.bat.

I stumbled upon it while backing up things from my desktop using the drop down menu in my CD burner program. I must have not noticed it earlier as my desktop is full of shortcuts and this batch file must be sitting out of view on my 1024x768 desktop.

Tag Cloud
access acer asus bios bsod computer crash drive driver drivers error ethernet excel freeze games gaming graphics hard drive hardware hdmi internet laptop malware memory monitor motherboard netgear network printer problem ram random registry router slow software sound trojan usb video virus vista wifi windows windows 7 windows 7 32 bit windows 7 64 bit windows xp wireless xbox

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Find the solution to yourcomputer problem!

Find the solution to your
computer problem!