Solved: Problem concerning ANDT.sys & INDT2.sys

funkilla

Thread Starter
Hi.

I have recently had this problem on my computer, which I have found out to be a problem called andt.sys & indt2.sys.

I recently downloaded a torrent file. Straight after downloading it I kept getting a clicking noise from my speakers, and every so often sounds would play as well.

I have run Kaspersky & Spy Sweeper, and even though they identify the problem they cannot delete it.

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:45:01, on 08/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\perfs.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\routing.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\andt.sys
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\Indt2.sys

Please can somebody help, thank you.
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Please visit Combofix Guide & Instructions for instructions on downloading and running ComboFix; especially follow the advice about installing the Recovery Console.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: ComboFix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please tell us when you reply.
 

funkilla

Thread Starter
Hi,

I have followed the instructions and here are my HijackThis & ComboFix logs:

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:25:11, on 13/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1207610293015
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 3847 bytes

ComboFix:

ComboFix 08-04-11.5 - Rayhan 2008-04-13 3:07:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.644 [GMT 1:00]
Running from: C:\Documents and Settings\Rayhan\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Rayhan\Application Data\inst.exe
C:\Program Files\internet explorer\keygen.exe
C:\WINDOWS\system32\andt.sys
C:\WINDOWS\system32\drmgs.sys
C:\WINDOWS\system32\Indt2.sys
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\systeminfo.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PERFMONS
-------\Legacy_ROUTING
-------\Service_perfmons
-------\Service_Routing


((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
.

2008-04-10 16:07 . 2008-04-10 16:08 <DIR> d-------- C:\Program Files\Panda Security
2008-04-10 14:26 . 2008-04-10 14:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2008-03-26 05:49 . 2008-03-26 05:49 3,532 --a------ C:\drmHeader.bin
2008-03-25 23:25 . 2008-03-25 23:25 244 --ah----- C:\sqmnoopt01.sqm
2008-03-25 23:25 . 2008-03-25 23:25 232 --ah----- C:\sqmdata01.sqm
2008-03-25 23:18 . 2008-03-25 23:18 244 --ah----- C:\sqmnoopt00.sqm
2008-03-25 23:18 . 2008-03-25 23:18 232 --ah----- C:\sqmdata00.sqm
2008-03-23 21:42 . 2008-03-23 21:42 <DIR> d-------- C:\Program Files\Real
2008-03-23 21:42 . 2008-03-23 21:42 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-03-23 21:42 . 2008-03-23 21:42 <DIR> d-------- C:\Program Files\Common Files\Real
2008-03-23 21:41 . 2008-03-24 15:33 <DIR> d-------- C:\Program Files\Google
2008-03-23 18:05 . 2008-04-09 15:52 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-03-23 17:49 . 2008-03-23 17:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-23 16:39 . 2008-03-25 21:19 0 --a------ C:\WINDOWS\win.ini
2008-03-23 16:39 . 2008-04-13 03:11 0 --a------ C:\WINDOWS\system.ini
2008-03-19 01:24 . 2008-03-19 01:37 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-18 16:46 . 2008-03-18 16:46 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-16 03:20 . 2007-07-19 23:54 1,521,464 --a------ C:\WINDOWS\WRSetup.dll
2008-03-16 03:20 . 2007-07-19 23:42 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2008-03-15 17:00 . 2008-03-15 17:00 208 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-14 16:28 . 2008-03-14 16:28 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 02:11 65,537,056 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-13 02:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-13 02:10 878,732 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-13 02:10 151,196 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-04-13 02:10 1,601,824 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-04-12 02:55 --------- d-----w C:\Program Files\Akkhor Font
2008-04-09 01:14 --------- d-----w C:\Program Files\DC++
2008-03-11 22:10 --------- d-----w C:\Documents and Settings\Rayhan\Application Data\Vso
2008-03-11 18:04 --------- d-----w C:\Program Files\DivX
2008-03-11 02:13 --------- d-----w C:\Program Files\Dvd-cloner
2008-03-07 00:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2008-03-07 00:00 --------- d-----w C:\Program Files\iTunes
2008-03-07 00:00 --------- d-----w C:\Program Files\iPod
2008-03-07 00:00 --------- d-----w C:\Documents and Settings\Rayhan\Application Data\Apple Computer
2008-03-06 23:59 --------- d-----w C:\Program Files\Bonjour
2008-03-06 23:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-06 23:58 --------- d-----w C:\Program Files\QuickTime
2008-03-06 23:56 --------- d-----w C:\Program Files\Apple Software Update
2008-03-06 23:55 --------- d-----w C:\Program Files\Common Files\Apple
2008-03-06 23:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-03-06 23:36 --------- d-----w C:\Documents and Settings\Rayhan\Application Data\Any Video Converter Professional
2008-03-03 19:03 47,360 ----a-w C:\Documents and Settings\Rayhan\Application Data\pcouffin.sys
2008-03-03 19:03 --------- d-----w C:\Program Files\VSO
2008-02-28 15:50 --------- d-----w C:\Program Files\Super_DVD_Creator_9.5
2008-02-28 15:22 --------- d-----w C:\Program Files\Common Files\Nero
2008-02-28 15:20 --------- d-----w C:\Program Files\Nero
2008-02-28 15:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-02-27 00:18 --------- d-----w C:\Documents and Settings\Rayhan\Application Data\dvdcss
2008-02-20 16:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-02-20 16:00 --------- d-----w C:\Program Files\Macromedia
2008-02-20 15:57 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-02-20 15:34 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-20 15:22 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-02-19 18:50 --------- d-----w C:\Documents and Settings\LocalService\Application Data\CyberLink
2008-02-19 18:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
2008-02-19 18:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-19 17:59 --------- d-----w C:\Documents and Settings\Rayhan\Application Data\CyberLink
2008-02-19 17:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-02-19 17:42 --------- d-----w C:\Program Files\Cyberlink
2008-02-19 17:39 --------- d-----w C:\Program Files\SmartSound Software
2008-02-19 01:53 --------- d-----w C:\Program Files\Any Video Converter Professional
2008-02-19 01:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-13 01:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\BlazeVideo
2008-02-13 01:27 --------- d-----w C:\Program Files\BlazeVideo
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 12:51 218376]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
--a------ 2007-06-28 12:51 218376 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 13:00 33280 C:\WINDOWS\system32\rundll32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 13:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 17:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nForce Tray Options]
--a------ 2003-12-17 18:53 73728 C:\WINDOWS\system32\sstray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"C-DillaSrv"=3 (0x3)
"AresChatServer"=3 (0x3)
"wwSecSvc"=2 (0x2)
"WebrootSpySweeperService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"C:\\Program Files\\Cyberlink\\PowerDirector\\PDR.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 7.0\\avp.exe"=
"C:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS [2007-07-19 23:42]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
S3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\WG11TND5.sys []
S3 C-Dilla;C-Dilla;C:\WINDOWS\system32\drivers\CDANT.SYS []
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\DNINDIS5.SYS [2003-07-24 12:10]
S3 n558;N558 Bluetooth USB Filter Driver;C:\WINDOWS\system32\Drivers\n558.sys [2007-08-15 08:27]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c35a4434-d438-11dc-9226-00e098c36d6c}]
\Shell\Auto\command - auto.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
\Shell\explore\Command - ie.exe
\Shell\open\Command - ie.exe

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 03:11:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-04-13 3:16:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-13 02:16:10
Pre-Run: 80,936,783,872 bytes free
Post-Run: 80,842,817,536 bytes free
.
2008-04-09 14:34:07 --- E O F ---

Hope this is ok, Thanks.
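Added here as an illustration, not code from the thread or from HijackThis/ComboFix: a small Python triage script run over a constructed excerpt of the first log above. Its main rule is the tell that gives this infection away, a .sys driver image listed under "Running processes" where only .exe images belong; the O23 "Unknown owner" and "(file missing)" rules are lower-confidence prompts for manual review, not verdicts.

```python
"""Triage a HijackThis v2 log: flag driver files (.sys) running as processes.

The sample below is a constructed excerpt modelled on the first log in this
thread; the script itself is an added example, not part of the thread.
"""
import ntpath
import re
from typing import List, Tuple

# Constructed excerpt: the "Running processes" section plus a few O-lines.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:45:01, on 08/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\andt.sys
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\Indt2.sys
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

PROCESS_HEADER = "Running processes:"
# HijackThis entry lines look like "O23 - Service: ..." or "R0 - HKCU\...".
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")

Finding = Tuple[str, str, str]  # (severity, rule, offending line)


def parse_log(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split a HijackThis log into running-process paths and (code, body) entries."""
    processes: List[str] = []
    entries: List[Tuple[str, str]] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == PROCESS_HEADER:
            in_processes = True
            continue
        if in_processes:
            if not line:          # a blank line ends the process list
                in_processes = False
            else:
                processes.append(line)
            continue
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match.group(1), match.group(2)))
    return processes, entries


def triage(text: str) -> List[Finding]:
    """Apply simple triage rules; results are prompts for review, not verdicts."""
    processes, entries = parse_log(text)
    findings: List[Finding] = []
    for path in processes:
        # A user-mode process is normally an .exe; a .sys (driver) image in this
        # list is exactly what stood out for andt.sys / Indt2.sys in the thread.
        ext = ntpath.splitext(path)[1].lower()
        if ext != ".exe":
            findings.append(("high", "non-exe image running as a process", path))
    for code, body in entries:
        if code == "O23" and " - Unknown owner - " in body:
            findings.append(("review", "service with no recorded vendor", body))
        if body.endswith("(file missing)"):
            findings.append(("low", "entry points at a missing file", body))
    return findings


def high_findings(text: str) -> List[str]:
    """Convenience: only the paths from high-severity findings."""
    return [line for sev, _, line in triage(text) if sev == "high"]


if __name__ == "__main__":
    for severity, rule, line in triage(SAMPLE_LOG):
        print(f"[{severity}] {rule}: {line}")
```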
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post; if you are using Internet Explorer, when the "File download" pop-up appears press SAVE, choose Desktop in the list of selections in that window & press Save).

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further.
Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]
This will start ComboFix again. It may ask to reboot. Post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

Remember to reconnect to the net and enable any disabled antivirus etc. BEFORE reconnecting.

Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script, as it could damage the workings of your system.
 

funkilla

Thread Starter
Hi,

I have done the following, and these are my new ComboFix and HJT logs:

ComboFix:

ComboFix 08-04-11.5 - Rayhan 2008-04-14 4:12:12.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.636 [GMT 1:00]
Running from: C:\Documents and Settings\Rayhan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Rayhan\Desktop\CFScript.txt
* Created a new restore point
.
TimedOut: progfile.dat

((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))
.

2008-04-14 03:43 . 2008-04-14 03:43 244 --ah----- C:\sqmnoopt03.sqm
2008-04-14 03:43 . 2008-04-14 03:43 232 --ah----- C:\sqmdata03.sqm
2008-04-13 03:29 . 2008-04-13 03:29 244 --ah----- C:\sqmnoopt02.sqm
2008-04-13 03:29 . 2008-04-13 03:29 232 --ah----- C:\sqmdata02.sqm
2008-04-10 16:07 . 2008-04-10 16:08 <DIR> d-------- C:\Program Files\Panda Security
2008-04-10 14:26 . 2008-04-10 14:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2008-03-26 05:49 . 2008-03-26 05:49 3,532 --a------ C:\drmHeader.bin
2008-03-25 23:25 . 2008-03-25 23:25 244 --ah----- C:\sqmnoopt01.sqm
2008-03-25 23:25 . 2008-03-25 23:25 232 --ah----- C:\sqmdata01.sqm
2008-03-25 23:18 . 2008-03-25 23:18 244 --ah----- C:\sqmnoopt00.sqm
2008-03-25 23:18 . 2008-03-25 23:18 232 --ah----- C:\sqmdata00.sqm
2008-03-23 21:42 . 2008-03-23 21:42 <DIR> d-------- C:\Program Files\Real
2008-03-23 21:42 . 2008-03-23 21:42 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-03-23 21:42 . 2008-03-23 21:42 <DIR> d-------- C:\Program Files\Common Files\Real
2008-03-23 21:41 . 2008-03-24 15:33 <DIR> d-------- C:\Program Files\Google
2008-03-23 18:05 . 2008-04-09 15:52 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-03-23 17:49 . 2008-03-23 17:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-23 16:39 . 2008-03-25 21:19 0 --a------ C:\WINDOWS\win.ini
2008-03-19 01:24 . 2008-03-19 01:37 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-18 16:46 . 2008-03-18 16:46 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-16 03:20 . 2007-07-19 23:54 1,521,464 --a------ C:\WINDOWS\WRSetup.dll
2008-03-16 03:20 . 2007-07-19 23:42 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2008-03-15 17:00 . 2008-03-15 17:00 208 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-14 16:28 . 2008-03-14 16:28 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 03:16 65,956,384 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-14 03:15 1,608,480 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-04-13 23:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-13 20:19 881,228 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-13 20:19 151,460 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-04-13 03:57 --------- d-----w C:\Documents and Settings\Rayhan\Application Data\Any Video Converter Professional
2008-04-13 03:04 --------- d-----w C:\Program Files\DC++
2008-04-12 02:55 --------- d-----w C:\Program Files\Akkhor Font
2008-03-23 20:42 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-03-23 20:42 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-11 22:10 --------- d-----w C:\Documents and Settings\Rayhan\Application Data\Vso
2008-03-11 18:04 --------- d-----w C:\Program Files\DivX
2008-03-11 02:13 --------- d-----w C:\Program Files\Dvd-cloner
2008-03-07 00:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2008-03-07 00:00 --------- d-----w C:\Program Files\iTunes
2008-03-07 00:00 --------- d-----w C:\Program Files\iPod
2008-03-07 00:00 --------- d-----w C:\Documents and Settings\Rayhan\Application Data\Apple Computer
2008-03-06 23:59 --------- d-----w C:\Program Files\Bonjour
2008-03-06 23:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-06 23:58 --------- d-----w C:\Program Files\QuickTime
2008-03-06 23:56 --------- d-----w C:\Program Files\Apple Software Update
2008-03-06 23:55 --------- d-----w C:\Program Files\Common Files\Apple
2008-03-06 23:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-03-03 19:03 47,360 ----a-w C:\Documents and Settings\Rayhan\Application Data\pcouffin.sys
2008-03-03 19:03 --------- d-----w C:\Program Files\VSO
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-28 15:50 --------- d-----w C:\Program Files\Super_DVD_Creator_9.5
2008-02-28 15:22 --------- d-----w C:\Program Files\Common Files\Nero
2008-02-28 15:20 --------- d-----w C:\Program Files\Nero
2008-02-28 15:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-02-27 00:18 --------- d-----w C:\Documents and Settings\Rayhan\Application Data\dvdcss
2008-02-21 02:05 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-02-21 02:05 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-02-21 02:05 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-02-21 02:04 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-02-21 02:04 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-02-21 02:04 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-02-21 02:04 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-02-21 02:04 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-02-21 02:04 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-02-21 02:04 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-02-21 02:04 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-02-21 02:04 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-02-21 02:04 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-02-21 02:04 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-02-21 02:04 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-02-21 02:03 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-02-21 02:03 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-02-20 16:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-02-20 16:00 --------- d-----w C:\Program Files\Macromedia
2008-02-20 15:57 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-02-20 15:34 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-20 15:22 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-19 18:50 --------- d-----w C:\Documents and Settings\LocalService\Application Data\CyberLink
2008-02-19 18:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
2008-02-19 18:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-19 17:59 --------- d-----w C:\Documents and Settings\Rayhan\Application Data\CyberLink
2008-02-19 17:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-02-19 17:42 --------- d-----w C:\Program Files\Cyberlink
2008-02-19 17:39 --------- d-----w C:\Program Files\SmartSound Software
2008-02-19 01:53 --------- d-----w C:\Program Files\Any Video Converter Professional
2008-02-19 01:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-11 08:39 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
2008-02-11 08:39 237,568 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
2008-02-08 12:53 110,592 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
2008-02-05 07:48 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files\internet explorer ----

2008-03-23 21:42 11028 --a------ C:\Program Files\internet explorer\PLUGINS\RichFX\Player\nprfxins_EULA.txt
2008-03-23 21:41 569397 --a------ C:\Program Files\internet explorer\PLUGINS\RichFX\Player\nprfxins.dll
2008-03-17 19:32 1115219 --a------ C:\Program Files\internet explorer\PowerISO40.exe
2008-03-07 00:58 4208 --a------ C:\Program Files\internet explorer\PLUGINS\QuickTimePlugin.class
2008-03-07 00:58 143360 --a------ C:\Program Files\internet explorer\PLUGINS\npqtplugin7.dll
2008-03-07 00:58 143360 --a------ C:\Program Files\internet explorer\PLUGINS\npqtplugin6.dll
2008-03-07 00:58 143360 --a------ C:\Program Files\internet explorer\PLUGINS\npqtplugin5.dll
2008-03-07 00:58 143360 --a------ C:\Program Files\internet explorer\PLUGINS\npqtplugin4.dll
2008-03-07 00:58 143360 --a------ C:\Program Files\internet explorer\PLUGINS\npqtplugin3.dll
2008-03-07 00:58 143360 --a------ C:\Program Files\internet explorer\PLUGINS\npqtplugin2.dll
2008-03-07 00:58 143360 --a------ C:\Program Files\internet explorer\PLUGINS\npqtplugin.dll
2008-02-29 09:55 625664 --a------ C:\Program Files\internet explorer\iexplore.exe
2007-08-13 19:54 33792 --------- C:\Program Files\internet explorer\custsat.dll
2007-08-13 19:54 287744 --a------ C:\Program Files\internet explorer\ieproxy.dll
2007-08-13 19:44 69120 --a------ C:\Program Files\internet explorer\iedw.exe
2007-08-13 19:43 573440 --------- C:\Program Files\internet explorer\en-US\iexplore.exe.mui
2007-08-13 19:43 5120 --------- C:\Program Files\internet explorer\en-US\iedw.exe.mui
2007-08-13 19:18 60416 --a------ C:\Program Files\internet explorer\hmmapi.dll
2007-08-13 19:17 32768 --------- C:\Program Files\internet explorer\en-US\hmmapi.dll.mui
2007-08-13 18:12 448 --a------ C:\Program Files\internet explorer\SIGNUP\install.ins
2007-05-10 22:52 95864 --a------ C:\Program Files\internet explorer\PLUGINS\nppdf32.dll
2004-08-04 13:00 86016 --a------ C:\Program Files\internet explorer\Connection Wizard\icwconn2.exe
2004-08-04 13:00 851 --a------ C:\Program Files\internet explorer\Connection Wizard\state.icw
2004-08-04 13:00 73728 --a------ C:\Program Files\internet explorer\Connection Wizard\icwtutor.exe
2004-08-04 13:00 617 --a------ C:\Program Files\internet explorer\Connection Wizard\icwx25b.dun
2004-08-04 13:00 61440 --a------ C:\Program Files\internet explorer\Connection Wizard\icwres.dll
2004-08-04 13:00 61440 --a------ C:\Program Files\internet explorer\Connection Wizard\icwconn.dll
2004-08-04 13:00 566 --a------ C:\Program Files\internet explorer\Connection Wizard\icwx25c.dun
2004-08-04 13:00 566 --a------ C:\Program Files\internet explorer\Connection Wizard\icwx25a.dun
2004-08-04 13:00 49152 --a------ C:\Program Files\internet explorer\Connection Wizard\icwutil.dll
2004-08-04 13:00 40960 --a------ C:\Program Files\internet explorer\Connection Wizard\trialoc.dll
2004-08-04 13:00 352 --a------ C:\Program Files\internet explorer\Connection Wizard\icwip.dun
2004-08-04 13:00 32768 --a------ C:\Program Files\internet explorer\Connection Wizard\icwdl.dll
2004-08-04 13:00 2921 --a------ C:\Program Files\internet explorer\Connection Wizard\phone.icw
2004-08-04 13:00 24576 --a------ C:\Program Files\internet explorer\Connection Wizard\icwrmind.exe
2004-08-04 13:00 214528 --a------ C:\Program Files\internet explorer\Connection Wizard\icwconn1.exe
2004-08-04 13:00 20480 --a------ C:\Program Files\internet explorer\Connection Wizard\inetwiz.exe
2004-08-04 13:00 197 --a------ C:\Program Files\internet explorer\Connection Wizard\msn.isp
2004-08-04 13:00 19 --a------ C:\Program Files\internet explorer\Connection Wizard\phone.ver
2004-08-04 13:00 172032 --a------ C:\Program Files\internet explorer\Connection Wizard\icwhelp.dll
2004-08-04 13:00 16384 --a------ C:\Program Files\internet explorer\Connection Wizard\isignup.exe
2004-08-04 13:00 158 --a------ C:\Program Files\internet explorer\Connection Wizard\msicw.isp
2004-08-04 13:00 132 --a------ C:\Program Files\internet explorer\Connection Wizard\support.icw


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 12:51 218376]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
--a------ 2007-06-28 12:51 218376 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 13:00 33280 C:\WINDOWS\system32\rundll32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 13:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 17:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nForce Tray Options]
--a------ 2003-12-17 18:53 73728 C:\WINDOWS\system32\sstray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"C-DillaSrv"=3 (0x3)
"AresChatServer"=3 (0x3)
"wwSecSvc"=2 (0x2)
"WebrootSpySweeperService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"C:\\Program Files\\Cyberlink\\PowerDirector\\PDR.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 7.0\\avp.exe"=
"C:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS [2007-07-19 23:42]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
S3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\WG11TND5.sys []
S3 C-Dilla;C-Dilla;C:\WINDOWS\system32\drivers\CDANT.SYS []
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\DNINDIS5.SYS [2003-07-24 12:10]
S3 n558;N558 Bluetooth USB Filter Driver;C:\WINDOWS\system32\Drivers\n558.sys [2007-08-15 08:27]

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-14 04:16:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-14 4:17:00
ComboFix-quarantined-files.txt 2008-04-14 03:16:46
ComboFix2.txt 2008-04-13 02:16:18
Pre-Run: 80,816,070,656 bytes free
Post-Run: 80,802,590,720 bytes free
.
2008-04-09 14:34:07 --- E O F ---

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:19:58, on 14/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1207610293015
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 3788 bytes

Just one other thing: Kaspersky identifies Combofix as a virus. Is that ok?

Thanks.
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Kaspersky does sometimes detect one or more components of combofix, but that is OK.

I can't see anything now, except I wonder what this is doing in the Internet Explorer folder, as it isn't the usual place to have it:

C:\Program Files\internet explorer\PowerISO40.exe

I would like to examine that file to make sure it isn't a dodgy one

Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post; if you are using Internet Explorer, when the "File download" pop-up comes, press SAVE, choose desktop in the list of selections in that window and press save).

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Remember to reconnect to the net and enable any disabled antivirus etc BEFORE reconnecting

Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

This will create a zip file named something like [38][email protected]

at the end it will pop up an alert & open your browser and ask you to send the zip file

please follow those instructions. We need to see the zip file before we can carry on with the fix

If there is no pop up alert or open browser then

please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and if needed distribute them to antivirus companies.
Just press new topic, fill in the needed details and give a link to your post here, then press the browse button and navigate to and select the files on your computer. If there is more than one file, press the more attachments button for each extra file and browse and select it, and then, when all the files are listed in the window, press send to upload the files (do not post HJT logs there as they will not get dealt with).

Files to submit:
the zip file on desktop created by combofix named something like [38][email protected]
 
