
Malware/trojan Virus..help!

Discussion in 'Virus & Other Malware Removal' started by echai, Nov 9, 2007.

Thread Status:
Not open for further replies.
  1. echai

    echai Thread Starter

    Joined:
    Nov 7, 2007
    Messages:
    8
    Hey,
    I think I got a virus, some kind of trojan virus thing which gives me a lot of popups, and I get a yellow exclamation point warning that says I have the virus PSW.x-Vir.
    I was wondering if anyone can help me out with this! Thanks so much!!

    Also, I have another error for [email protected], AND [email protected], which is probably another virus as well.
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    Download Combofix to your desktop:

    * Double-click combofix.exe & follow the prompts.
    * When finished, it shall produce a log for you. Post that log in your next reply.


    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
     
  3. echai

    echai Thread Starter

    Joined:
    Nov 7, 2007
    Messages:
    8
    Hi, sorry for the delay, but here's my ComboFix log!
    -thanks.


    ComboFix 07-11-08.1 - Eric 2007-11-11 17:21:53.8 - NTFSx86
    Running from: C:\DOCUMENTS AND SETTINGS\ERIC\DESKTOP\ComboFix-1.exe
    * Created a new restore point
    .

    Unable to gain System Privileges

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
    C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
    C:\Documents and Settings\Dad\Desktop\Live Safety Center.lnk
    C:\Documents and Settings\Dad\Desktop\Online Security Guide.lnk
    C:\Documents and Settings\Dad\Favorites\Online Security Guide.lnk
    C:\Documents and Settings\Eric\Desktop\Live Safety Center.lnk
    C:\Documents and Settings\Eric\Desktop\Online Security Guide.lnk
    C:\Documents and Settings\Eric\Favorites\Online Security Guide.lnk
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\system32\awtqn.dll
    C:\WINDOWS\system32\fcgikyih.dllbox
    C:\WINDOWS\system32\nqtwa.bak1
    C:\WINDOWS\system32\nqtwa.bak2
    C:\WINDOWS\system32\nqtwa.ini

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_DOMAINSERVICE


    -------\DomainService


    ((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
    .

    2007-11-11 16:37 <DIR> d---s---- C:\Documents and Settings\Dad\UserData
    2007-11-11 01:20 79,936 --a------ C:\WINDOWS\system32\pidoblnv.dll
    2007-11-11 01:11 88,128 --a------ C:\WINDOWS\system32\ivwpecfd.dll
    2007-11-11 01:08 71,232 --a------ C:\WINDOWS\system32\fatwokwp.exe
    2007-11-09 11:21 77,888 --a------ C:\WINDOWS\system32\okdjdsbw.dll
    2007-11-09 11:21 71,232 --a------ C:\WINDOWS\system32\kyhofoky.exe
    2007-11-09 00:37 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\GetRightToGo
    2007-11-08 11:21 80,448 --a------ C:\WINDOWS\system32\menbshry.dll
    2007-11-06 15:36 81,472 --a------ C:\WINDOWS\system32\fbihynyv.dll
    2007-11-06 15:30 145,984 --a------ C:\WINDOWS\system32\vinycogp.dll
    2007-11-06 15:30 145,984 --a------ C:\WINDOWS\system32\fcgikyih.dll
    2007-11-06 01:59 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2007-11-06 01:59 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2007-11-06 01:59 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2007-11-06 01:59 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-11-06 01:59 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2007-11-06 01:59 578 --a------ C:\WINDOWS\system32\tmp.reg
    2007-11-06 00:28 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-06 00:22 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
    2007-11-06 00:22 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
    2007-11-06 00:22 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
    2007-11-06 00:21 <DIR> d-------- C:\Program Files\Alwil Software
    2007-11-06 00:21 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
    2007-11-06 00:21 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
    2007-11-06 00:21 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
    2007-11-06 00:21 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
    2007-11-05 18:26 1,536 --a------ C:\WINDOWS\system32\Delete_Me_Dummy_skuns.dat
    2007-11-05 13:39 18,432 --a------ C:\WINDOWS\fkwggshm.exe
    2007-11-05 13:23 274,424 --a------ C:\WINDOWS\us2.exe
    2007-11-05 13:23 56,320 --a------ C:\WINDOWS\pkill.exe
    2007-11-05 13:18 21,504 --a------ C:\WINDOWS\system32\aivskurq.dll
    2007-11-05 13:16 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\SpyGuardPro
    2007-11-05 13:12 36,352 --a------ C:\WINDOWS\system32\ddcayab.dll
    2007-11-05 13:12 35,840 --a------ C:\WINDOWS\mrofinu77.exe
    2007-11-05 13:12 35,840 --a------ C:\WINDOWS\mrofinu1000106.exe
    2007-11-05 13:11 <DIR> d-------- C:\WINDOWS\system32\Mz08r
    2007-11-05 13:11 <DIR> d-------- C:\Temp
    2007-10-30 02:23 <DIR> d-------- C:\WINDOWS\system32\IOSUBSYS
    2007-10-24 14:55 <DIR> d-------- C:\Program Files\MSECache
    2007-10-23 23:07 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Ruckus Network
    2007-10-23 23:04 <DIR> d-------- C:\Program Files\Ruckus Player
    2007-10-23 21:27 <DIR> d-------- C:\Program Files\Musicnotes

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-30 07:23 --------- d-----w C:\Program Files\Picasa2
    2007-10-27 17:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-10-24 19:56 55,552 ----a-w C:\Documents and Settings\Eric\Application Data\GDIPFONTCACHEV1.DAT
    2007-09-29 07:06 --------- d-----w C:\Program Files\Starcraft
    2007-09-07 18:55 94,208 ----a-w C:\WINDOWS\ScUnin.exe
    2007-08-22 13:12 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
    2007-08-22 13:12 658,944 ------w C:\WINDOWS\system32\dllcache\wininet.dll
    2007-08-22 13:12 615,424 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-08-22 13:12 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-08-22 13:12 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
    2007-08-22 13:12 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
    2007-08-22 13:12 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-08-22 13:12 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
    2007-08-22 13:12 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
    2007-08-22 13:12 3,058,176 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-08-22 13:12 251,392 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
    2007-08-22 13:12 205,312 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
    2007-08-22 13:12 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-08-22 13:12 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
    2007-08-22 13:12 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
    2007-08-22 13:12 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
    2007-08-22 13:12 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
    2007-08-22 13:12 1,022,976 ------w C:\WINDOWS\system32\dllcache\browseui.dll
    2007-08-21 10:30 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
    2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
    2007-01-08 21:38 784 ----a-w C:\Documents and Settings\Guest\Application Data\mpauth.dat
    2005-11-11 22:57 36,464 ----a-w C:\Documents and Settings\Dad\Application Data\GDIPFONTCACHEV1.DAT
    2005-07-31 21:40:00 56 --sh--r C:\WINDOWS\system32\A60EB3A246.sys
    2005-07-31 21:40:00 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( [email protected]_ 2.19.23.57 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2007-11-06 07:06:28 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
    + 2007-11-11 20:44:52 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
    - 2007-11-06 07:06:28 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
    + 2007-11-11 20:44:52 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
    - 2007-04-02 19:21:27 139,776 ----a-w C:\WINDOWS\system32\swreg.exe
    + 2007-07-22 23:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
    + 2007-11-11 22:32:04 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6d4.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
    2007-11-05 13:12 36352 --a------ C:\WINDOWS\system32\ddcayab.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
    2007-11-06 15:30 145984 --a------ C:\WINDOWS\system32\fcgikyih.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\fcgikyih.dll [2007-11-06 15:30 145984]

    [HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\fcgikyih.dll [2007-11-06 15:30 145984]

    [HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 06:06]
    "30a46a11"="C:\WINDOWS\system32\ivwpecfd.dll" [2007-11-11 01:11]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
    "Steam"="" []
    "Aim6"="" []
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-29 10:09]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

    C:\Documents and Settings\Kevin\Start Menu\Programs\Startup\
    Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2005-07-30 12:13:07]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-05-16 16:58:28]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]
    VPN Client.lnk - C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2007-05-17 17:10:03]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{634BBAB7-3F60-4426-944F-A62B9007F67F}"= C:\WINDOWS\system32\ddcayab.dll [2007-11-05 13:12 36352]

    [HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="C:\\WINDOWS\\system32\\userinit.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcayab]
    ddcayab.dll 2007-11-05 13:12 36352 C:\WINDOWS\system32\ddcayab.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcgikyih]
    fcgikyih.dll 2007-11-06 15:30 145984 C:\WINDOWS\system32\fcgikyih.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 C:\WINDOWS\system32\awtqn.dll


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ddbec50a-212f-11dc-815c-00132052031c}]
    \Shell\AutoRun\command - F:\LaunchU3.exe -a

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-07 01:51:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2007-11-05 10:49:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
    - C:\WINDOWS\system32\cleanmgr.exe
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-11 17:33:57
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-11 17:35:35 - machine was rebooted
    C:\ComboFix2.txt ... 2007-11-07 22:12
    C:\ComboFix3.txt ... 2007-11-07 21:49
    .
    --- E O F ---
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    First:

    Download the attached lsafix.zip & save it to your desktop.
    Unzip it so you get a lsafix.reg on the desktop.
    Right click it & select Merge.
    Say yes to any prompts.

    Then:

    Download the attached CFScript.txt and save it to your desktop.

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
     

  5. echai

    echai Thread Starter

    Joined:
    Nov 7, 2007
    Messages:
    8
    Hey, here's my new HijackThis file along with the CFScript you sent me.

    CFScript
    File::
    C:\WINDOWS\system32\pidoblnv.dll
    C:\WINDOWS\system32\ivwpecfd.dll
    C:\WINDOWS\system32\fatwokwp.exe
    C:\WINDOWS\system32\okdjdsbw.dll
    C:\WINDOWS\system32\kyhofoky.exe
    C:\Documents and Settings\Eric\Application Data\GetRightToGo
    C:\WINDOWS\system32\menbshry.dll
    C:\WINDOWS\system32\fbihynyv.dll
    C:\WINDOWS\system32\vinycogp.dll
    C:\WINDOWS\system32\fcgikyih.dll
    C:\WINDOWS\system32\Delete_Me_Dummy_skuns.dat
    C:\WINDOWS\fkwggshm.exe
    C:\WINDOWS\us2.exe
    C:\WINDOWS\pkill.exe
    C:\WINDOWS\system32\aivskurq.dll
    C:\WINDOWS\system32\ddcayab.dll
    C:\WINDOWS\mrofinu77.exe
    C:\WINDOWS\mrofinu1000106.exe
    Folder::
    C:\WINDOWS\system32\Mz08r
    C:\Documents and Settings\Eric\Application Data\SpyGuardPro
    C:\Temp
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "30a46a11"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell ExecuteHooks]
    "{634BBAB7-3F60-4426-944F-A62B9007F67F}"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcayab]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcgikyih]






    NEW HijackThis Logfile
    ComboFix 07-11-08.1 - Eric 2007-11-11 19:03:13.9 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.175 [GMT -5:00]
    Running from: C:\Documents and Settings\Eric\Desktop\ComboFix-1.exe
    Command switches used :: C:\Documents and Settings\Eric\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\Documents and Settings\Eric\Application Data\GetRightToGo
    C:\WINDOWS\fkwggshm.exe
    C:\WINDOWS\mrofinu1000106.exe
    C:\WINDOWS\mrofinu77.exe
    C:\WINDOWS\pkill.exe
    C:\WINDOWS\system32\aivskurq.dll
    C:\WINDOWS\system32\ddcayab.dll
    C:\WINDOWS\system32\Delete_Me_Dummy_skuns.dat
    C:\WINDOWS\system32\fatwokwp.exe
    C:\WINDOWS\system32\fbihynyv.dll
    C:\WINDOWS\system32\fcgikyih.dll
    C:\WINDOWS\system32\ivwpecfd.dll
    C:\WINDOWS\system32\kyhofoky.exe
    C:\WINDOWS\system32\menbshry.dll
    C:\WINDOWS\system32\okdjdsbw.dll
    C:\WINDOWS\system32\pidoblnv.dll
    C:\WINDOWS\system32\vinycogp.dll
    C:\WINDOWS\us2.exe
    .

    Unable to gain System Privileges

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
    C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
    C:\Documents and Settings\Eric\Application Data\SpyGuardPro
    C:\Documents and Settings\Eric\Application Data\SpyGuardPro\avtasks.dat
    C:\Documents and Settings\Eric\Application Data\SpyGuardPro\Logs\av.log
    C:\Documents and Settings\Eric\Application Data\SpyGuardPro\Logs\ga6Support.log
    C:\Documents and Settings\Eric\Desktop\Live Safety Center.lnk
    C:\Documents and Settings\Eric\Desktop\Online Security Guide.lnk
    C:\Documents and Settings\Eric\Favorites\Online Security Guide.lnk
    C:\Temp
    C:\WINDOWS\fkwggshm.exe
    C:\WINDOWS\mrofinu1000106.exe
    C:\WINDOWS\mrofinu77.exe
    C:\WINDOWS\pkill.exe
    C:\WINDOWS\system32\aivskurq.dll
    C:\WINDOWS\system32\ddcayab.dll
    C:\WINDOWS\system32\Delete_Me_Dummy_skuns.dat
    C:\WINDOWS\system32\fatwokwp.exe
    C:\WINDOWS\system32\fbihynyv.dll
    C:\WINDOWS\system32\fcgikyih.dll
    C:\WINDOWS\system32\fcgikyih.dllbox
    C:\WINDOWS\system32\ivwpecfd.dll
    C:\WINDOWS\system32\kyhofoky.exe
    C:\WINDOWS\system32\menbshry.dll
    C:\WINDOWS\system32\Mz08r
    C:\WINDOWS\system32\Mz08r\Mz08r1099.exe
    C:\WINDOWS\system32\okdjdsbw.dll
    C:\WINDOWS\system32\oqstv.bak1
    C:\WINDOWS\system32\oqstv.ini
    C:\WINDOWS\system32\pidoblnv.dll
    C:\WINDOWS\system32\vinycogp.dll
    C:\WINDOWS\system32\vtsqo.dll
    C:\WINDOWS\us2.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-10-12 to 2007-11-12 )))))))))))))))))))))))))))))))
    .

    2007-11-11 16:37 <DIR> d---s---- C:\Documents and Settings\Dad\UserData
    2007-11-09 00:37 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\GetRightToGo
    2007-11-06 01:59 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2007-11-06 01:59 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2007-11-06 01:59 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2007-11-06 01:59 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-11-06 01:59 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2007-11-06 01:59 578 --a------ C:\WINDOWS\system32\tmp.reg
    2007-11-06 00:28 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-06 00:22 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
    2007-11-06 00:22 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
    2007-11-06 00:22 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
    2007-11-06 00:21 <DIR> d-------- C:\Program Files\Alwil Software
    2007-11-06 00:21 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
    2007-11-06 00:21 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
    2007-11-06 00:21 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
    2007-11-06 00:21 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
    2007-10-30 02:23 <DIR> d-------- C:\WINDOWS\system32\IOSUBSYS
    2007-10-24 14:55 <DIR> d-------- C:\Program Files\MSECache
    2007-10-23 23:07 <DIR> d-------- C:\Documents and Settings\Eric\Application Data\Ruckus Network
    2007-10-23 23:04 <DIR> d-------- C:\Program Files\Ruckus Player
    2007-10-23 21:27 <DIR> d-------- C:\Program Files\Musicnotes

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-30 07:23 --------- d-----w C:\Program Files\Picasa2
    2007-10-27 17:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-10-24 19:56 55,552 ----a-w C:\Documents and Settings\Eric\Application Data\GDIPFONTCACHEV1.DAT
    2007-09-29 07:06 --------- d-----w C:\Program Files\Starcraft
    2007-09-07 18:55 94,208 ----a-w C:\WINDOWS\ScUnin.exe
    2007-01-08 21:38 784 ----a-w C:\Documents and Settings\Guest\Application Data\mpauth.dat
    2005-11-11 22:57 36,464 ----a-w C:\Documents and Settings\Dad\Application Data\GDIPFONTCACHEV1.DAT
    2005-07-31 21:40:00 56 --sh--r C:\WINDOWS\system32\A60EB3A246.sys
    2005-07-31 21:40:00 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( [email protected]_ 2.19.23.57 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2007-11-06 07:06:28 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
    + 2007-11-12 00:16:16 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
    - 2007-11-06 07:06:28 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
    + 2007-11-12 00:16:16 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
    - 2007-04-02 19:21:27 139,776 ----a-w C:\WINDOWS\system32\swreg.exe
    + 2007-07-22 23:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
    + 2007-11-12 00:12:02 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6d8.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 06:06]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
    "Steam"="" []
    "Aim6"="" []
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-29 10:09]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

    C:\Documents and Settings\Kevin\Start Menu\Programs\Startup\
    Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2005-07-30 12:13:07]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-05-16 16:58:28]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]
    VPN Client.lnk - C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2007-05-17 17:10:03]

    [HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="C:\\WINDOWS\\system32\\userinit.exe"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtsqo.dll


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ddbec50a-212f-11dc-815c-00132052031c}]
    \Shell\AutoRun\command - F:\LaunchU3.exe -a

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-07 01:51:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2007-11-05 10:49:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
    - C:\WINDOWS\system32\cleanmgr.exe
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-11 19:16:41
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-11 19:17:49 - machine was rebooted
    C:\ComboFix2.txt ... 2007-11-11 17:35
    C:\ComboFix3.txt ... 2007-11-07 22:12
    .
    --- E O F ---







    thanks!
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    You didn't do the LSA fix, did you?

    Do it now & then run ComboFix again and post its log.

    If you do not follow all instructions exactly, in the order I give them, then it will be very difficult, if not impossible, to fix your badly infected computer.
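The two ComboFix logs above illustrate why the moderator insists on the LSA fix before anything else: the CFScript deleted the listed files, yet in the second log the LSA "Authentication Packages" value still names a DLL next to msv1_0, now under a different random name (vtsqo.dll instead of awtqn.dll), and that value is loaded by lsass.exe at every boot. The following Python triage script is an added example, not part of this thread or of ComboFix; it walks the "Reg Loading Points" section of a ComboFix log and flags the DLL-loading autostart locations seen here, using excerpts constructed from the two posted logs as input.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log (added example).

Flags autostart locations that load a DLL into trusted processes: the LSA
'Authentication Packages' value (anything beyond the default msv1_0 is
loaded by lsass.exe at boot), Winlogon\\notify subkeys, Browser Helper
Objects, ShellExecuteHooks, and Run values that point at a .dll.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the first posted log (before the LSA fix).
LOG_BEFORE = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
2007-11-05 13:12 36352 --a------ C:\WINDOWS\system32\ddcayab.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"30a46a11"="C:\WINDOWS\system32\ivwpecfd.dll" [2007-11-11 01:11]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"= C:\WINDOWS\system32\ddcayab.dll [2007-11-05 13:12 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcayab]
ddcayab.dll 2007-11-05 13:12 36352 C:\WINDOWS\system32\ddcayab.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awtqn.dll
"""

# Constructed excerpt of the second posted log: the files listed in the
# CFScript are gone, but the LSA value still names a DLL, under a new name.
LOG_AFTER = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtsqo.dll
"""

DEFAULT_AUTH_PACKAGES = {"msv1_0"}  # stock Windows XP value for this key
WATCHED_KEYS = ("browser helper objects", "winlogon\\notify", "shellexecutehooks")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\[\]\"]+?\.(?:dll|exe)", re.IGNORECASE)


@dataclass
class Findings:
    lsa_extras: list = field(default_factory=list)   # non-default LSA packages
    dll_loaders: list = field(default_factory=list)  # (registry key, DLL path)


def triage(log: str) -> Findings:
    """Walk the log line by line, tracking the current [registry key]."""
    found, key = Findings(), ""
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        lkey = key.lower()
        if lkey.endswith("control\\lsa") and line.startswith('"Authentication Packages"'):
            # Everything after '=' is a space-separated list of packages.
            packages = line.split("=", 1)[1].split()
            found.lsa_extras += [p for p in packages if p.lower() not in DEFAULT_AUTH_PACKAGES]
        elif any(w in lkey for w in WATCHED_KEYS):
            found.dll_loaders += [(key, p) for p in PATH_RE.findall(line)]
        elif lkey.endswith("currentversion\\run"):
            # A Run value normally names an .exe; a bare .dll here is unusual.
            found.dll_loaders += [(key, p) for p in PATH_RE.findall(line) if p.lower().endswith(".dll")]
    return found


def lsa_persisted(before: str, after: str) -> bool:
    """True when a non-default LSA package is present in both logs: deleting
    the files did not remove the loader, so the registry value is the fix."""
    return bool(triage(before).lsa_extras) and bool(triage(after).lsa_extras)
```

Run `triage()` over the "Reg Loading Points" text of each log and compare `lsa_extras` between runs; a DLL that keeps reappearing there under a new name is the loader that `lsafix.reg` targets, and clearing it is what makes the file deletions stick.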
     
Short URL to this thread: https://techguy.org/649886