
Solved: Problem concerning ANDT.sys & INDT2.sys

Discussion in 'Virus & Other Malware Removal' started by funkilla, Apr 8, 2008.

  1. funkilla

    funkilla Thread Starter

    Joined:
    Apr 8, 2008
    Messages:
    4
    Hi.

    I have recently had this problem on my computer, which I have found out to be a problem called andt.sys & indt2.sys.

    I recently downloaded a torrent file; straight after downloading it I kept getting a clicking noise from my speakers, and every so often sounds would play as well.

    I have run Kaspersky & Spy Sweeper, and even though it identifies the problem it cannot delete it.

    Here is my HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:45:01, on 08/04/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\perfs.exe
    C:\Program Files\Cyberlink\Shared files\RichVideo.exe
    C:\WINDOWS\system32\routing.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\andt.sys
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\Indt2.sys

    Please can somebody help, thank you.
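As an added triage example (not from any post in this thread, and not HijackThis's own code): a small Python script that parses the "Running processes" section of a HijackThis log and flags what stands out in the log above, namely files with a kernel-driver extension (.sys) listed as user-mode processes and unfamiliar binaries living in system32. The sample log is a constructed, abridged copy of the first post's process list, and the short allowlist of core XP system32 processes is an assumption for illustration, so anything outside it is marked for review rather than called malware.

```python
"""Triage helper for the 'Running processes' list in a HijackThis v2 log.

Added example for this thread; not part of any post and not HijackThis code.
"""
import ntpath

# Constructed sample: an abridged copy of the process list from the first post.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\andt.sys
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\Indt2.sys

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
"""

# Assumed, deliberately small list of user-mode processes that normally run
# from system32 on Windows XP. It only decides what deserves a second look.
XP_CORE_SYSTEM32 = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "ctfmon.exe", "wscntfy.exe", "explorer.exe",
    "wuauclt.exe", "alg.exe", "rundll32.exe",
}


def parse_running_processes(log_text):
    """Return the image paths listed under 'Running processes:'.

    HijackThis terminates the section with a blank line, so collection stops there.
    """
    paths = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not line:
                break
            paths.append(line)
    return paths


def triage_process(path):
    """Classify one process path.

    Returns (severity, reason), or None when nothing stands out. 'high' marks a
    driver-style extension executing as a process; 'review' marks an unfamiliar
    binary in system32 that should be checked for publisher and signature.
    """
    directory, name = ntpath.split(path)
    name_lc = name.lower()
    ext = ntpath.splitext(name_lc)[1]
    if ext == ".sys":
        # The process list enumerates user-mode processes, so a .sys name here
        # means the extension is cosmetic, which is how andt.sys / Indt2.sys appear.
        return ("high", "driver extension (.sys) running as a user-mode process")
    if ext != ".exe":
        return ("high", f"non-executable extension {ext!r} running as a process")
    dir_lc = directory.lower().replace("/", "\\")
    if dir_lc.endswith("\\system32") and name_lc not in XP_CORE_SYSTEM32:
        return ("review", "unfamiliar binary in system32; verify publisher/signature")
    return None


def triage_log(log_text):
    """Run triage over every listed process; returns [(path, severity, reason)]."""
    findings = []
    for path in parse_running_processes(log_text):
        verdict = triage_process(path)
        if verdict:
            findings.append((path, verdict[0], verdict[1]))
    return findings


if __name__ == "__main__":
    for path, severity, reason in triage_log(SAMPLE_LOG):
        print(f"[{severity:6}] {path}: {reason}")
```

On the constructed sample this reports perfs.exe and routing.exe for review and andt.sys and Indt2.sys as high, which matches what ComboFix later removed in this thread.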
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,342
    First Name:
    Derek
    Please visit Combofix Guide & Instructions for instructions for downloading and running ComboFix: especially follow the advice about installing the recovery console

    Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply
     
  3. funkilla

    funkilla Thread Starter

    Joined:
    Apr 8, 2008
    Messages:
    4
    Hi,

    I have followed the instructions and here are my HijackThis & ComboFix logs:

    Hijackthis:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 03:25:11, on 13/04/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Cyberlink\Shared files\RichVideo.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
    O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1207610293015
    O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    --
    End of file - 3847 bytes

    ComboFix:

    ComboFix 08-04-11.5 - Rayhan 2008-04-13 3:07:06.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.644 [GMT 1:00]
    Running from: C:\Documents and Settings\Rayhan\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Rayhan\Application Data\inst.exe
    C:\Program Files\internet explorer\keygen.exe
    C:\WINDOWS\system32\andt.sys
    C:\WINDOWS\system32\drmgs.sys
    C:\WINDOWS\system32\Indt2.sys
    C:\WINDOWS\system32\routing.exe
    C:\WINDOWS\system32\systeminfo.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_PERFMONS
    -------\Legacy_ROUTING
    -------\Service_perfmons
    -------\Service_Routing


    ((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
    .

    2008-04-10 16:07 . 2008-04-10 16:08 <DIR> d-------- C:\Program Files\Panda Security
    2008-04-10 14:26 . 2008-04-10 14:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
    2008-03-26 05:49 . 2008-03-26 05:49 3,532 --a------ C:\drmHeader.bin
    2008-03-25 23:25 . 2008-03-25 23:25 244 --ah----- C:\sqmnoopt01.sqm
    2008-03-25 23:25 . 2008-03-25 23:25 232 --ah----- C:\sqmdata01.sqm
    2008-03-25 23:18 . 2008-03-25 23:18 244 --ah----- C:\sqmnoopt00.sqm
    2008-03-25 23:18 . 2008-03-25 23:18 232 --ah----- C:\sqmdata00.sqm
    2008-03-23 21:42 . 2008-03-23 21:42 <DIR> d-------- C:\Program Files\Real
    2008-03-23 21:42 . 2008-03-23 21:42 <DIR> d-------- C:\Program Files\Common Files\xing shared
    2008-03-23 21:42 . 2008-03-23 21:42 <DIR> d-------- C:\Program Files\Common Files\Real
    2008-03-23 21:41 . 2008-03-24 15:33 <DIR> d-------- C:\Program Files\Google
    2008-03-23 18:05 . 2008-04-09 15:52 <DIR> d-------- C:\Program Files\EsetOnlineScanner
    2008-03-23 17:49 . 2008-03-23 17:49 <DIR> d-------- C:\Program Files\Trend Micro
    2008-03-23 16:39 . 2008-03-25 21:19 0 --a------ C:\WINDOWS\win.ini
    2008-03-23 16:39 . 2008-04-13 03:11 0 --a------ C:\WINDOWS\system.ini
    2008-03-19 01:24 . 2008-03-19 01:37 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2008-03-18 16:46 . 2008-03-18 16:46 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
    2008-03-16 03:20 . 2007-07-19 23:54 1,521,464 --a------ C:\WINDOWS\WRSetup.dll
    2008-03-16 03:20 . 2007-07-19 23:42 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
    2008-03-15 17:00 . 2008-03-15 17:00 208 --a------ C:\WINDOWS\system32\MRT.INI
    2008-03-14 16:28 . 2008-03-14 16:28 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-13 02:11 65,537,056 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
    2008-04-13 02:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-04-13 02:10 878,732 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
    2008-04-13 02:10 151,196 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
    2008-04-13 02:10 1,601,824 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
    2008-04-12 02:55 --------- d-----w C:\Program Files\Akkhor Font
    2008-04-09 01:14 --------- d-----w C:\Program Files\DC++
    2008-03-11 22:10 --------- d-----w C:\Documents and Settings\Rayhan\Application Data\Vso
    2008-03-11 18:04 --------- d-----w C:\Program Files\DivX
    2008-03-11 02:13 --------- d-----w C:\Program Files\Dvd-cloner
    2008-03-07 00:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
    2008-03-07 00:00 --------- d-----w C:\Program Files\iTunes
    2008-03-07 00:00 --------- d-----w C:\Program Files\iPod
    2008-03-07 00:00 --------- d-----w C:\Documents and Settings\Rayhan\Application Data\Apple Computer
    2008-03-06 23:59 --------- d-----w C:\Program Files\Bonjour
    2008-03-06 23:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-03-06 23:58 --------- d-----w C:\Program Files\QuickTime
    2008-03-06 23:56 --------- d-----w C:\Program Files\Apple Software Update
    2008-03-06 23:55 --------- d-----w C:\Program Files\Common Files\Apple
    2008-03-06 23:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
    2008-03-06 23:36 --------- d-----w C:\Documents and Settings\Rayhan\Application Data\Any Video Converter Professional
    2008-03-03 19:03 47,360 ----a-w C:\Documents and Settings\Rayhan\Application Data\pcouffin.sys
    2008-03-03 19:03 --------- d-----w C:\Program Files\VSO
    2008-02-28 15:50 --------- d-----w C:\Program Files\Super_DVD_Creator_9.5
    2008-02-28 15:22 --------- d-----w C:\Program Files\Common Files\Nero
    2008-02-28 15:20 --------- d-----w C:\Program Files\Nero
    2008-02-28 15:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
    2008-02-27 00:18 --------- d-----w C:\Documents and Settings\Rayhan\Application Data\dvdcss
    2008-02-20 16:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
    2008-02-20 16:00 --------- d-----w C:\Program Files\Macromedia
    2008-02-20 15:57 --------- d-----w C:\Program Files\Common Files\Macromedia
    2008-02-20 15:34 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-02-20 15:22 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
    2008-02-19 18:50 --------- d-----w C:\Documents and Settings\LocalService\Application Data\CyberLink
    2008-02-19 18:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
    2008-02-19 18:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-02-19 17:59 --------- d-----w C:\Documents and Settings\Rayhan\Application Data\CyberLink
    2008-02-19 17:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-02-19 17:42 --------- d-----w C:\Program Files\Cyberlink
    2008-02-19 17:39 --------- d-----w C:\Program Files\SmartSound Software
    2008-02-19 01:53 --------- d-----w C:\Program Files\Any Video Converter Professional
    2008-02-19 01:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-02-13 01:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\BlazeVideo
    2008-02-13 01:27 --------- d-----w C:\Program Files\BlazeVideo
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 12:51 218376]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
    backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
    --a------ 2007-06-28 12:51 218376 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
    --a------ 2004-08-04 13:00 33280 C:\WINDOWS\system32\rundll32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-04 13:00 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    --a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --------- 2004-10-13 17:24 1694208 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nForce Tray Options]
    --a------ 2003-12-17 18:53 73728 C:\WINDOWS\system32\sstray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "C-DillaSrv"=3 (0x3)
    "AresChatServer"=3 (0x3)
    "wwSecSvc"=2 (0x2)
    "WebrootSpySweeperService"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
    "C:\\Program Files\\Cyberlink\\PowerDirector\\PDR.exe"=
    "C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
    "C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 7.0\\avp.exe"=
    "C:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=
    "C:\\Program Files\\Ares\\Ares.exe"=
    "C:\\Program Files\\DC++\\DCPlusPlus.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS [2007-07-19 23:42]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
    S3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\WG11TND5.sys []
    S3 C-Dilla;C-Dilla;C:\WINDOWS\system32\drivers\CDANT.SYS []
    S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\DNINDIS5.SYS [2003-07-24 12:10]
    S3 n558;N558 Bluetooth USB Filter Driver;C:\WINDOWS\system32\Drivers\n558.sys [2007-08-15 08:27]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c35a4434-d438-11dc-9226-00e098c36d6c}]
    \Shell\Auto\command - auto.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
    \Shell\explore\Command - ie.exe
    \Shell\open\Command - ie.exe

    .
    **************************************************************************

    catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-13 03:11:29
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Cyberlink\Shared files\RichVideo.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2008-04-13 3:16:17 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-04-13 02:16:10
    Pre-Run: 80,936,783,872 bytes free
    Post-Run: 80,842,817,536 bytes free
    .
    2008-04-09 14:34:07 --- E O F ---

    Hope this is OK, thanks.
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,342
    First Name:
    Derek
    Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post & if you are using Internet Explorer, when the "File download" pop-up comes press SAVE, choose Desktop in the list of selections in that window & press Save).

    Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.


    [screenshot not reproduced: CFScript.txt being dragged onto ComboFix.exe]

    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Remember to reconnect to the net and enable any disabled antivirus etc BEFORE reconnecting

    Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
     


  5. funkilla

    funkilla Thread Starter

    Joined:
    Apr 8, 2008
    Messages:
    4
    Hi,

    I have done the following and these are my new ComboFix and HJT logs:

    ComboFix:

    ComboFix 08-04-11.5 - Rayhan 2008-04-14 4:12:12.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.636 [GMT 1:00]
    Running from: C:\Documents and Settings\Rayhan\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Rayhan\Desktop\CFScript.txt
    * Created a new restore point
    .
    TimedOut: progfile.dat

    ((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))
    .

    2008-04-14 03:43 . 2008-04-14 03:43 244 --ah----- C:\sqmnoopt03.sqm
    2008-04-14 03:43 . 2008-04-14 03:43 232 --ah----- C:\sqmdata03.sqm
    2008-04-13 03:29 . 2008-04-13 03:29 244 --ah----- C:\sqmnoopt02.sqm
    2008-04-13 03:29 . 2008-04-13 03:29 232 --ah----- C:\sqmdata02.sqm
    2008-04-10 16:07 . 2008-04-10 16:08 <DIR> d-------- C:\Program Files\Panda Security
    2008-04-10 14:26 . 2008-04-10 14:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
    2008-03-26 05:49 . 2008-03-26 05:49 3,532 --a------ C:\drmHeader.bin
    2008-03-25 23:25 . 2008-03-25 23:25 244 --ah----- C:\sqmnoopt01.sqm
    2008-03-25 23:25 . 2008-03-25 23:25 232 --ah----- C:\sqmdata01.sqm
    2008-03-25 23:18 . 2008-03-25 23:18 244 --ah----- C:\sqmnoopt00.sqm
    2008-03-25 23:18 . 2008-03-25 23:18 232 --ah----- C:\sqmdata00.sqm
    2008-03-23 21:42 . 2008-03-23 21:42 <DIR> d-------- C:\Program Files\Real
    2008-03-23 21:42 . 2008-03-23 21:42 <DIR> d-------- C:\Program Files\Common Files\xing shared
    2008-03-23 21:42 . 2008-03-23 21:42 <DIR> d-------- C:\Program Files\Common Files\Real
    2008-03-23 21:41 . 2008-03-24 15:33 <DIR> d-------- C:\Program Files\Google
    2008-03-23 18:05 . 2008-04-09 15:52 <DIR> d-------- C:\Program Files\EsetOnlineScanner
    2008-03-23 17:49 . 2008-03-23 17:49 <DIR> d-------- C:\Program Files\Trend Micro
    2008-03-23 16:39 . 2008-03-25 21:19 0 --a------ C:\WINDOWS\win.ini
    2008-03-19 01:24 . 2008-03-19 01:37 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2008-03-18 16:46 . 2008-03-18 16:46 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
    2008-03-16 03:20 . 2007-07-19 23:54 1,521,464 --a------ C:\WINDOWS\WRSetup.dll
    2008-03-16 03:20 . 2007-07-19 23:42 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
    2008-03-15 17:00 . 2008-03-15 17:00 208 --a------ C:\WINDOWS\system32\MRT.INI
    2008-03-14 16:28 . 2008-03-14 16:28 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-14 03:16 65,956,384 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
    2008-04-14 03:15 1,608,480 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
    2008-04-13 23:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-04-13 20:19 881,228 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
    2008-04-13 20:19 151,460 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
    2008-04-13 03:57 --------- d-----w C:\Documents and Settings\Rayhan\Application Data\Any Video Converter Professional
    2008-04-13 03:04 --------- d-----w C:\Program Files\DC++
    2008-04-12 02:55 --------- d-----w C:\Program Files\Akkhor Font
    2008-03-23 20:42 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
    2008-03-23 20:42 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-11 22:10 --------- d-----w C:\Documents and Settings\Rayhan\Application Data\Vso
    2008-03-11 18:04 --------- d-----w C:\Program Files\DivX
    2008-03-11 02:13 --------- d-----w C:\Program Files\Dvd-cloner
    2008-03-07 00:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
    2008-03-07 00:00 --------- d-----w C:\Program Files\iTunes
    2008-03-07 00:00 --------- d-----w C:\Program Files\iPod
    2008-03-07 00:00 --------- d-----w C:\Documents and Settings\Rayhan\Application Data\Apple Computer
    2008-03-06 23:59 --------- d-----w C:\Program Files\Bonjour
    2008-03-06 23:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-03-06 23:58 --------- d-----w C:\Program Files\QuickTime
    2008-03-06 23:56 --------- d-----w C:\Program Files\Apple Software Update
    2008-03-06 23:55 --------- d-----w C:\Program Files\Common Files\Apple
    2008-03-06 23:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
    2008-03-03 19:03 47,360 ----a-w C:\Documents and Settings\Rayhan\Application Data\pcouffin.sys
    2008-03-03 19:03 --------- d-----w C:\Program Files\VSO
    2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-02-28 15:50 --------- d-----w C:\Program Files\Super_DVD_Creator_9.5
    2008-02-28 15:22 --------- d-----w C:\Program Files\Common Files\Nero
    2008-02-28 15:20 --------- d-----w C:\Program Files\Nero
    2008-02-28 15:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
    2008-02-27 00:18 --------- d-----w C:\Documents and Settings\Rayhan\Application Data\dvdcss
    2008-02-21 02:05 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
    2008-02-21 02:05 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
    2008-02-21 02:05 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
    2008-02-21 02:04 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
    2008-02-21 02:04 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
    2008-02-21 02:04 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
    2008-02-21 02:04 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
    2008-02-21 02:04 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
    2008-02-21 02:04 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
    2008-02-21 02:04 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
    2008-02-21 02:04 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
    2008-02-21 02:04 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
    2008-02-21 02:04 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
    2008-02-21 02:04 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
    2008-02-21 02:04 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
    2008-02-21 02:03 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
    2008-02-21 02:03 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
    2008-02-20 16:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
    2008-02-20 16:00 --------- d-----w C:\Program Files\Macromedia
    2008-02-20 15:57 --------- d-----w C:\Program Files\Common Files\Macromedia
    2008-02-20 15:34 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-02-20 15:22 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
    2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
    2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
    2008-02-19 18:50 --------- d-----w C:\Documents and Settings\LocalService\Application Data\CyberLink
    2008-02-19 18:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
    2008-02-19 18:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-02-19 17:59 --------- d-----w C:\Documents and Settings\Rayhan\Application Data\CyberLink
    2008-02-19 17:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-02-19 17:42 --------- d-----w C:\Program Files\Cyberlink
    2008-02-19 17:39 --------- d-----w C:\Program Files\SmartSound Software
    2008-02-19 01:53 --------- d-----w C:\Program Files\Any Video Converter Professional
    2008-02-19 01:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-02-11 08:39 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
    2008-02-11 08:39 237,568 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
    2008-02-08 12:53 110,592 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
    2008-02-05 07:48 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    ---- Directory of C:\Program Files\internet explorer ----

    2008-03-23 21:42 11028 --a------ C:\Program Files\internet explorer\PLUGINS\RichFX\Player\nprfxins_EULA.txt
    2008-03-23 21:41 569397 --a------ C:\Program Files\internet explorer\PLUGINS\RichFX\Player\nprfxins.dll
    2008-03-17 19:32 1115219 --a------ C:\Program Files\internet explorer\PowerISO40.exe
    2008-03-07 00:58 4208 --a------ C:\Program Files\internet explorer\PLUGINS\QuickTimePlugin.class
    2008-03-07 00:58 143360 --a------ C:\Program Files\internet explorer\PLUGINS\npqtplugin7.dll
    2008-03-07 00:58 143360 --a------ C:\Program Files\internet explorer\PLUGINS\npqtplugin6.dll
    2008-03-07 00:58 143360 --a------ C:\Program Files\internet explorer\PLUGINS\npqtplugin5.dll
    2008-03-07 00:58 143360 --a------ C:\Program Files\internet explorer\PLUGINS\npqtplugin4.dll
    2008-03-07 00:58 143360 --a------ C:\Program Files\internet explorer\PLUGINS\npqtplugin3.dll
    2008-03-07 00:58 143360 --a------ C:\Program Files\internet explorer\PLUGINS\npqtplugin2.dll
    2008-03-07 00:58 143360 --a------ C:\Program Files\internet explorer\PLUGINS\npqtplugin.dll
    2008-02-29 09:55 625664 --a------ C:\Program Files\internet explorer\iexplore.exe
    2007-08-13 19:54 33792 --------- C:\Program Files\internet explorer\custsat.dll
    2007-08-13 19:54 287744 --a------ C:\Program Files\internet explorer\ieproxy.dll
    2007-08-13 19:44 69120 --a------ C:\Program Files\internet explorer\iedw.exe
    2007-08-13 19:43 573440 --------- C:\Program Files\internet explorer\en-US\iexplore.exe.mui
    2007-08-13 19:43 5120 --------- C:\Program Files\internet explorer\en-US\iedw.exe.mui
    2007-08-13 19:18 60416 --a------ C:\Program Files\internet explorer\hmmapi.dll
    2007-08-13 19:17 32768 --------- C:\Program Files\internet explorer\en-US\hmmapi.dll.mui
    2007-08-13 18:12 448 --a------ C:\Program Files\internet explorer\SIGNUP\install.ins
    2007-05-10 22:52 95864 --a------ C:\Program Files\internet explorer\PLUGINS\nppdf32.dll
    2004-08-04 13:00 86016 --a------ C:\Program Files\internet explorer\Connection Wizard\icwconn2.exe
    2004-08-04 13:00 851 --a------ C:\Program Files\internet explorer\Connection Wizard\state.icw
    2004-08-04 13:00 73728 --a------ C:\Program Files\internet explorer\Connection Wizard\icwtutor.exe
    2004-08-04 13:00 617 --a------ C:\Program Files\internet explorer\Connection Wizard\icwx25b.dun
    2004-08-04 13:00 61440 --a------ C:\Program Files\internet explorer\Connection Wizard\icwres.dll
    2004-08-04 13:00 61440 --a------ C:\Program Files\internet explorer\Connection Wizard\icwconn.dll
    2004-08-04 13:00 566 --a------ C:\Program Files\internet explorer\Connection Wizard\icwx25c.dun
    2004-08-04 13:00 566 --a------ C:\Program Files\internet explorer\Connection Wizard\icwx25a.dun
    2004-08-04 13:00 49152 --a------ C:\Program Files\internet explorer\Connection Wizard\icwutil.dll
    2004-08-04 13:00 40960 --a------ C:\Program Files\internet explorer\Connection Wizard\trialoc.dll
    2004-08-04 13:00 352 --a------ C:\Program Files\internet explorer\Connection Wizard\icwip.dun
    2004-08-04 13:00 32768 --a------ C:\Program Files\internet explorer\Connection Wizard\icwdl.dll
    2004-08-04 13:00 2921 --a------ C:\Program Files\internet explorer\Connection Wizard\phone.icw
    2004-08-04 13:00 24576 --a------ C:\Program Files\internet explorer\Connection Wizard\icwrmind.exe
    2004-08-04 13:00 214528 --a------ C:\Program Files\internet explorer\Connection Wizard\icwconn1.exe
    2004-08-04 13:00 20480 --a------ C:\Program Files\internet explorer\Connection Wizard\inetwiz.exe
    2004-08-04 13:00 197 --a------ C:\Program Files\internet explorer\Connection Wizard\msn.isp
    2004-08-04 13:00 19 --a------ C:\Program Files\internet explorer\Connection Wizard\phone.ver
    2004-08-04 13:00 172032 --a------ C:\Program Files\internet explorer\Connection Wizard\icwhelp.dll
    2004-08-04 13:00 16384 --a------ C:\Program Files\internet explorer\Connection Wizard\isignup.exe
    2004-08-04 13:00 158 --a------ C:\Program Files\internet explorer\Connection Wizard\msicw.isp
    2004-08-04 13:00 132 --a------ C:\Program Files\internet explorer\Connection Wizard\support.icw


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 12:51 218376]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
    backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
    --a------ 2007-06-28 12:51 218376 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
    --a------ 2004-08-04 13:00 33280 C:\WINDOWS\system32\rundll32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-04 13:00 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    --a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --------- 2004-10-13 17:24 1694208 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nForce Tray Options]
    --a------ 2003-12-17 18:53 73728 C:\WINDOWS\system32\sstray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "C-DillaSrv"=3 (0x3)
    "AresChatServer"=3 (0x3)
    "wwSecSvc"=2 (0x2)
    "WebrootSpySweeperService"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
    "C:\\Program Files\\Cyberlink\\PowerDirector\\PDR.exe"=
    "C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
    "C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 7.0\\avp.exe"=
    "C:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=
    "C:\\Program Files\\Ares\\Ares.exe"=
    "C:\\Program Files\\DC++\\DCPlusPlus.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS [2007-07-19 23:42]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
    S3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\WG11TND5.sys []
    S3 C-Dilla;C-Dilla;C:\WINDOWS\system32\drivers\CDANT.SYS []
    S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\DNINDIS5.SYS [2003-07-24 12:10]
    S3 n558;N558 Bluetooth USB Filter Driver;C:\WINDOWS\system32\Drivers\n558.sys [2007-08-15 08:27]

    .
    **************************************************************************

    catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-14 04:16:13
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-04-14 4:17:00
    ComboFix-quarantined-files.txt 2008-04-14 03:16:46
    ComboFix2.txt 2008-04-13 02:16:18
    Pre-Run: 80,816,070,656 bytes free
    Post-Run: 80,802,590,720 bytes free
    .
    2008-04-09 14:34:07 --- E O F ---

    HJT:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 04:19:58, on 14/04/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Cyberlink\Shared files\RichVideo.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\MSNMES~1\msnmsgr.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
    O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1207610293015
    O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    --
    End of file - 3788 bytes

    Just one other thing: Kaspersky identifies ComboFix as a virus, is that OK?

    Thanks.
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,342
    First Name:
    Derek
    Kaspersky does sometimes detect one or more components of ComboFix, but that is OK.

    I can't see anything now, except I wonder what this is doing in the Internet Explorer folder, as it isn't the usual place to have it:

    C:\Program Files\internet explorer\PowerISO40.exe

    I would like to examine that file to make sure it isn't a dodgy one.

    Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post; if you are using Internet Explorer, when the "File download" pop-up comes, press SAVE, choose Desktop in the list of selections in that window and press Save).

    Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further.

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

    [Screenshot: CFScript.txt being dragged onto ComboFix.exe]

    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Remember to reconnect to the net and enable any disabled antivirus etc. BEFORE reconnecting.

    Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

    This will create a zip file named something like [38][email protected]

    At the end it will pop up an alert and open your browser and ask you to send the zip file.

    Please follow those instructions. We need to see the zip file before we can carry on with the fix.

    If there is no pop-up alert or open browser, then

    please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and, if needed, distribute them to antivirus companies.
    Just press new topic, fill in the needed details and give a link to your post here, then press the browse button and navigate to and select the files on your computer. If there is more than 1 file, press the more attachments button for each extra file and browse and select etc., and when all the files are listed in the window press send to upload the files (do not post HJT logs there, as they will not get dealt with).

    Files to submit:
    the zip file on desktop created by combofix named something like [38]-Submit_2008-01-1[email protected]
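An added example, not part of this thread and not a tool ComboFix or the moderator provides: a small Python triage script that applies the same heuristic the moderator used above (an executable sitting in a folder where it does not belong) to ComboFix file-listing lines of the format posted earlier in this log. The expected-file baseline for the Internet Explorer folder and the date and size on the PowerISO40.exe sample line are assumptions.

```python
import re
from pathlib import PureWindowsPath

# A ComboFix file-listing line: date, time, size, nine attribute flags, path.
LINE_RE = re.compile(
    r"^\s*(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2})\s+(\d+)\s+(\S{9})\s+(.+?)\s*$"
)
EXEC_EXTS = {".exe", ".sys", ".dll", ".scr", ".com"}

# Constructed baseline (assumption for this example, not from the thread):
# executables one expects directly in the IE folder of an XP SP2 machine.
EXPECTED = {r"c:\program files\internet explorer": {
    "iexplore.exe", "iedw.exe", "ieproxy.dll", "hmmapi.dll", "custsat.dll"}}

def parse_line(line):
    # Split one listing line into a record, or return None if it isn't one.
    m = LINE_RE.match(line)
    if not m:
        return None
    date, time, size, attrs, path = m.groups()
    p = PureWindowsPath(path)
    return {"date": date, "time": time, "size": int(size), "attrs": attrs,
            "dir": str(p.parent).lower(), "name": p.name.lower()}

def flag_unexpected_executables(log_text, expected=EXPECTED):
    """Return (dir, name, date) for executables found in a baselined folder
    whose file names are not in that folder's expected set."""
    flagged = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or PureWindowsPath(rec["name"]).suffix not in EXEC_EXTS:
            continue
        baseline = expected.get(rec["dir"])
        if baseline is not None and rec["name"] not in baseline:
            flagged.append((rec["dir"], rec["name"], rec["date"]))
    return flagged

# Constructed sample: three lines taken from the posted log plus the
# PowerISO40.exe path the moderator asked about (its date and size are made up).
SAMPLE = """\
2008-02-29 09:55 625664 --a------ C:\\Program Files\\internet explorer\\iexplore.exe
2007-08-13 19:44 69120 --a------ C:\\Program Files\\internet explorer\\iedw.exe
2007-08-13 18:12 448 --a------ C:\\Program Files\\internet explorer\\SIGNUP\\install.ins
2008-04-01 12:00 1234567 --a------ C:\\Program Files\\internet explorer\\PowerISO40.exe
"""

if __name__ == "__main__":
    for folder, name, date in flag_unexpected_executables(SAMPLE):
        print(f"unexpected executable: {name} in {folder} (dated {date})")
```

Only folders present in the baseline are judged; a sub-folder such as SIGNUP or a non-executable file is skipped rather than flagged.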
     
Short URL to this thread: https://techguy.org/701592