
Solved regsvr problem

Discussion in 'Malware and Virus Removal Archive' started by niftytrader, 2008/04/02.

  1. 2008/04/02
    niftytrader

    [Resolved]regsvr problem

    Dear Geri,

    I am also facing the same problem. I am sending the main.txt log to you. Please advise on what I should do.

    ______________________________________________


    Deckard's System Scanner v20071014.68
    Run by Admin on 2008-04-03 20:05:03
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    System Restore is disabled; attempting to re-enable...success.


    -- Last 1 Restore Point(s) --
    1: 2008-04-03 14:35:34 UTC - RP1 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.

    Percentage of Memory in Use: 79% (more than 75%).
    Total Physical Memory: 120 MiB (512 MiB recommended).
    System Drive C: has 0.58 GiB (less than 15%) free.


    -- HijackThis (run as Admin.exe) -----------------------------------------------

    Unable to find log (file not found); running clone.
    -- HijackThis Clone ------------------------------------------------------------


    Emulating logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2008-04-03 20:14:34
    Platform: Windows XP Service Pack 2 (5.01.2600)
    MSIE: Internet Explorer (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\alg.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    F:\dss.exe
    C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sharekhan.com/#
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\Administrator\Desktop\HijackThis.exe /startupscan
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] F:\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKLM\..\Policies\Explorer\Run: [status] present
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - (file missing)
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{A7B57157-B0F7-4B2E-83B7-7F3AAA5E35A2}: NameServer = 61.1.96.69,61.1.96.71
    O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe


    --
    End of file - 4193 bytes

    -- HijackThis Fixed Entries (C:\DOCUME~1\ADMINI~1\Desktop\backups\) ------------

    backup-20080303-222734-913 F2 - REG:system.ini: Shell=Explorer.exe regsvr.exe
    backup-20080303-222734-830 O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    backup-20080316-095609-762 O4 - HKLM\..\Run: [svchost Agent] C:\WINDOWS\system32\28463\svchost.exe
    backup-20080318-190548-370 O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
    backup-20080323-105401-584 O4 - HKCU\..\Run: [Msn Messsenger] C:\WINDOWS\system32\regsvr.exe
    backup-20080324-154728-218 F2 - REG:system.ini: Shell=
    backup-20080324-154728-702 O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    backup-20080324-154730-196 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    backup-20080324-154731-977 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    backup-20080324-193640-393 O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    backup-20080330-201539-709 O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R1 cdrbsvsd - c:\windows\system32\drivers\cdrbsvsd.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD7>

    S3 aeaudio - c:\windows\system32\drivers\aeaudio.sys <Not Verified; Andrea Electronics Corporation; Andrea Audio Driver>
    S3 iadusb (ASL-25020) - c:\windows\system32\drivers\glauiad.sys <Not Verified; GlobespanVirata Inc.; GlobespanVirata USB to Ethernet (LAN) Viking Modem>
    S3 smwdm - c:\windows\system32\drivers\smwdm.sys <Not Verified; Analog Devices, Inc.; SoundMAX Digital Audio Driver>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    All services whitelisted.


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
    Description: USB Mass Storage Device
    Device ID: USB\VID_058F&PID_6387\EJEWMI68
    Manufacturer: Compatible USB storage device
    Name: USB Mass Storage Device
    PNP Device ID: USB\VID_058F&PID_6387\EJEWMI68
    Service: USBSTOR


    -- Files created between 2008-03-03 and 2008-04-03 -----------------------------

    2008-04-03 19:47:13 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
    2008-04-01 23:55:41 0 d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
    2008-03-13 17:25:05 0 d-------- C:\Documents and Settings\LocalService\Start Menu
    2008-03-10 21:22:46 0 d--h----- C:\WINDOWS\PIF
    2008-03-06 06:02:26 91700 --a------ C:\WINDOWS\system32\drivers\klin.dat
    2008-03-06 06:02:26 85860 --a------ C:\WINDOWS\system32\drivers\klick.dat
    2008-03-06 06:01:37 5920 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2008-03-06 06:01:37 240160 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-03-06 06:01:37 0 d-------- C:\Program Files\Kaspersky Lab
    2008-03-06 05:54:09 0 d-------- C:\kav
    2008-03-05 23:31:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-03-05 23:31:44 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-03-05 21:29:44 0 d-------- C:\Program Files\X-Cleaner


    -- Find3M Report ---------------------------------------------------------------

    2008-02-24 09:24:08 0 d-------- C:\Program Files\MinorSd


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray "= "C:\WINDOWS\system32\igfxtray.exe" [10/15/2002 11:18 PM]
    "HotKeysCmds "= "C:\WINDOWS\system32\hkcmd.exe" [10/15/2002 11:05 PM]
    "Cmaudio "= "cmicnfg.cpl" []
    "AVP "= "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [02/08/2008 06:36 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 07:26 PM]
    "HijackThis startup scan "= "C:\Documents and Settings\Administrator\Desktop\HijackThis.exe" [03/02/2008 09:15 PM]
    "Uniblue RegistryBooster 2 "= "F:\RegistryBooster 2\RegistryBooster.exe" []

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1/21/2000 12:15:54 AM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableCAD "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr "=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
    "status "=present

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NofolderOptions "=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
    C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0205112c-e60b-11dc-a1e3-b88edc9ca411}]
    Auto\command- H:\MicrosoftPowerPoint.exe
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{053758b0-cc9c-11dc-a1a8-9bacedc9db11}]
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL regsvr.exe
    Open\command- H:\regsvr.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36d72bae-3f78-11dc-a034-800be7d09d16}]
    Auto\command- H:\MicrosoftPowerPoint.exe
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44fdee02-103e-11dc-9feb-0018029421c4}]
    Auto\command- setup.exe
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{852b5dc6-bcdb-11dc-a186-0018029421c4}]
    1\Command- H:\.\RECYCLER\RECYCLER\autorun.exe
    2\Command- H:\.\RECYCLER\RECYCLER\autorun.exe
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7128f60-bc22-11dc-a185-fc1b03ed7716}]
    AutoRun\command- H:\ntdetec1.exe
    explore\Command- H:\ntdetec1.exe
    open\Command- H:\ntdetec1.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9705284-de40-11dc-a1d1-cc6e3554ba12}]
    Auto\command- H:\MicrosoftPowerPoint.exe
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe




    -- End of Deckard's System Scanner: finished at 2008-04-03 20:35:30 ------------
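The log above is the thread's own evidence of the infection. As an added example (not from the original post and not code from Deckard's System Scanner or HijackThis), here is a small Python triage script that applies, mechanically, the checks a malware-removal helper applies by eye to lines like these: an extra executable chained onto the `Shell=` line, a `DisableRegedit` policy, a Run entry under `Policies\Explorer\Run`, a system-binary name such as svchost.exe running from a numeric subfolder of system32, the lookalike names `regsvr.exe` and `ntdetec1.exe` (regsvr32.exe and ntdetect.com are the real files), and `mountpoints2` handlers that launch an executable from a removable drive. The sample lines are copied from this thread's log; the directory table, the lookalike table and the "any drive other than C: is removable" rule are assumptions made for this example.

```python
import re
from typing import List, Tuple

# Sample entries copied from the DSS/HijackThis log posted earlier in this
# thread, plus two benign Run entries from the same log for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe "
O4 - HKLM\..\Policies\Explorer\Run: [status] present
F2 - REG:system.ini: Shell=Explorer.exe regsvr.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O4 - HKLM\..\Run: [svchost Agent] C:\WINDOWS\system32\28463\svchost.exe
O4 - HKCU\..\Run: [Msn Messsenger] C:\WINDOWS\system32\regsvr.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL regsvr.exe
Open\command- H:\regsvr.exe
1\Command- H:\.\RECYCLER\RECYCLER\autorun.exe
"""

# Assumption for this example: binaries that malware likes to name itself
# after, and the only directories the genuine copies live in on Windows XP.
SYSTEM_BINARY_DIRS = {
    "svchost.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "lsass.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
}
# Assumption for this example: names seen in this thread that imitate real
# Windows files, mapped to the file they imitate.
LOOKALIKES = {"regsvr.exe": "regsvr32.exe", "ntdetec1.exe": "ntdetect.com"}

O4_RE = re.compile(r'^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
F2_RE = re.compile(r'^F2 - REG:system\.ini: Shell=(?P<shell>.*)$')
O7_RE = re.compile(r'^O7 - .*\\Policies\\System, (?P<policy>Disable\w+)=1$')
# Matches both DSS style ("Open\command- X") and ComboFix style ("\Shell\Open\command - X").
MP_RE = re.compile(r'^(?:\\Shell\\)?(?P<verb>[^\\]+)\\[Cc]ommand\s*-\s*(?P<cmd>.+)$')


def _exe_path(cmd: str) -> str:
    """Return the executable path at the front of a Run command, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)].strip()
    return cmd.split()[0] if cmd else ""


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for every log line that trips a rule."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = F2_RE.match(line)
        if m:  # anything besides Explorer.exe on the Shell= line is a second shell
            extra = [p for p in m.group("shell").split() if p.lower() != "explorer.exe"]
            if extra:
                findings.append(("extra shell executable: " + " ".join(extra), line))
            continue
        m = O7_RE.match(line)
        if m:  # policies that lock the user out of regedit / Task Manager
            findings.append(("tool-disabling policy: " + m.group("policy"), line))
            continue
        m = O4_RE.match(line)
        if m:
            if "policies\\explorer\\run" in m.group("key").lower():
                findings.append(("Run entry under Policies\\Explorer\\Run", line))
                continue
            exe = _exe_path(m.group("cmd"))
            base = exe.rsplit("\\", 1)[-1].lower()
            parent = exe.rsplit("\\", 1)[0].lower() if "\\" in exe else ""
            if base in LOOKALIKES:
                findings.append((f"lookalike of {LOOKALIKES[base]}", line))
            elif base in SYSTEM_BINARY_DIRS and parent not in SYSTEM_BINARY_DIRS[base]:
                findings.append((f"{base} outside its system directory", line))
            continue
        m = MP_RE.match(line)
        if m:  # cached autorun.inf handlers: relative exe via ShellExec_RunDLL or a non-C: drive
            cmd = m.group("cmd")
            if "shellexec_rundll" in cmd.lower() or re.match(r"^[D-Zd-z]:\\", cmd):
                findings.append((f"removable-drive autorun handler ({m.group('verb')})", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:45} <- {line}")
```

The rules are deliberately narrow: they encode exactly the patterns this thread's helper singled out, so a clean Run entry such as IgfxTray or the Kaspersky service produces nothing, while the chained `Shell=`, the policy-run `status` value, the fake svchost in `system32\28463`, and the USB handlers each produce one finding.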
     
  2. 2008/04/02
    Geri

    Hi niftytrader

    Can I ask, did someone tell you to fix things with HJT?

    DO NOT use your USB (thumb, flash) drives; they are infected. Don't let anyone else use them either, or they will infect themselves.

    I'll be back later this evening to start helping you out here.

    Geri
     


  4. 2008/04/02
    Geri

    Hi
    I want you to know what you're dealing with here, so please check this link.
    http://www.sophos.com/security/analyses/viruses-and-spyware/w32rbotpr.html

    Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, collect confidential data and information from the computer, log activity on the computer and more.

    This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

    I would change all passwords using a non-infected computer (not this one) and refrain from any credit card or financial dealings until clean. If you do any financial dealings with this computer, contact your credit card companies or banks about possible fraud on your account.

    Now please do this.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications, as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows.
    • Double click combofix.exe and follow the prompts.
    • Vista users: right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - ComboFix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal and increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    Please post the ComboFix log.

    Thanks
    Geri
     
  5. 2008/04/03
    niftytrader

    Dear Geri,

    I read your mail and got that sinking feeling. Anyway, I downloaded ComboFix. I have Kaspersky antivirus installed and I turned it off. When I ran ComboFix, a small green progress bar was displayed, followed by what looked like a command prompt window that flashed for a few seconds, and that is all that happened. No OK/click next, no log file and no '15 bad guys terminated' messages. Did I do something wrong? Please help. And before I installed Kaspersky I was using Avast. The Avast support site had recommended running HJT and deleting certain entries. So that is how I got HJT in the first place.
     
  6. 2008/04/03
    Geri

    Hi
    OK, let's try this.
    Open HJT, click on "View list of backups", click the "Restore" button, and OK any prompts.

    Now go back to the "scan screen" and click on the "Config" button (bottom right of the window), then click on the "Ignorelist" button, then click on Delete All, and OK any prompts.

    Close HJT.

    Delete the Combofix.exe you have on your desktop and then download and install this one.

    Make sure you follow the instructions exactly as given.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications, as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows.
    • Double click combofix.exe and follow the prompts.
    • Vista users: right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - ComboFix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal and increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    Post the log if it produces one.

    Thanks
    Geri
     
  7. 2008/04/04
    niftytrader

    Dear Geri,

    There were no items in HJT's backup or ignore list. I downloaded ComboFix again but had the same results. Is there hope yet for a yellow smiley :( ? You had mentioned that my USB drives are infected. Does that mean I can never use them again? Will formatting the USB drive on another PC clean it?

    Regards
     
  8. 2008/04/04
    Geri

    Hi niftytrader
    No, I believe they can be cleaned.

    Let's try this with ComboFix.

    Delete the one you downloaded.

    Re-download it from the link above, except rename it prior to clicking Save. Something like FixCombo.exe.

    Then try running it as instructed.

    For your flash drive(s), do this.

    Download this file to the desktop but don't run it yet.

    http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe

    Hold down the Shift key and insert your flash drive.
    It is important to hold the Shift key while plugging in the flash drive so the virus does not run and re-infect the system.
    Double click on Flash_Disinfector.exe to run it. Once done, you will be prompted. Click OK.

    Repeat this step if you have more than one flash drive.

    Do not load anything onto your flash drives from this computer until it is clean.

    Please post the ComboFix log if you were able to get one.
    Let me know.

    Thanks
    Geri
     
  9. 2008/04/05
    niftytrader

    **************************

    YOU DID IT DEPARTMENT.

    Dear Geri,

    What is in a name by which we call a rose, as Mark Twain said (actually Shakespeare said it, but I like Mark Twain better). I renamed ComboFix and here is the log. If it's not too much trouble, can you tell me how renaming ComboFix helped?


    Thanks & regards :)


    ComboFix 08-04-04.1 - Admin 2008-04-05 22:23:05.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.18 [GMT 5.5:30]
    Running from: C:\Documents and Settings\Administrator\Desktop\nixcombo.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\grouppolicy\machine\scripts\scripts.ini
    C:\WINDOWS\system32\setting.ini
    C:\WINDOWS\system32\setup.ini

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-05 to 2008-04-05 )))))))))))))))))))))))))))))))
    .

    2008-04-03 20:04 . 2008-04-03 20:04 <DIR> d-------- C:\Deckard
    2008-04-03 19:47 . 2008-04-03 19:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
    2008-04-01 23:55 . 2008-04-01 23:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
    2008-03-10 21:22 . 2008-03-10 21:22 <DIR> d--h----- C:\WINDOWS\PIF
    2008-03-10 12:54 . 2008-03-10 12:54 <DIR> d--hs---- C:\FOUND.001
    2008-03-10 12:22 . 2008-03-10 12:22 <DIR> d-------- C:\Program Files\Lavasoft
    2008-03-10 12:21 . 2008-03-10 12:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-03-10 12:20 . 2008-03-30 00:15 1,146,232 --a------ C:\WINDOWS\system32\aswBoot.exe
    2008-03-10 12:20 . 2008-03-29 23:53 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
    2008-03-10 12:20 . 2008-03-30 00:05 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
    2008-03-10 12:20 . 2008-01-17 22:04 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
    2008-03-10 12:20 . 2008-03-30 00:01 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
    2008-03-10 12:20 . 2008-03-29 23:57 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
    2008-03-10 12:20 . 2008-03-29 23:56 26,944 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
    2008-03-10 12:20 . 2008-03-29 23:59 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
    2008-03-10 12:20 . 2008-03-30 00:05 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
    2008-03-10 00:22 . 2008-03-10 00:22 <DIR> d-------- C:\ComboFix
    2008-03-10 00:06 . 2008-03-10 00:06 <DIR> d--hs---- C:\FOUND.000
    2008-03-09 22:47 . 2008-03-09 22:47 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-03-09 22:47 . 2008-03-09 22:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-03-09 22:34 . 2008-03-09 22:34 <DIR> d-------- C:\Program Files\COMODO
    2008-03-09 22:34 . 2008-03-09 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
    2008-03-09 22:34 . 2008-03-09 22:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Comodo
    2008-03-09 21:38 . 2008-03-09 21:38 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-03-09 21:38 . 2008-03-09 21:38 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-03-09 21:37 . 2008-03-09 21:37 <DIR> d-------- C:\Program Files\Picasa2
    2008-03-09 21:37 . 2006-10-05 08:12 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
    2008-03-09 21:37 . 2006-10-05 08:12 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
    2008-03-06 05:54 . 2008-03-06 05:54 <DIR> d-------- C:\kav
    2008-03-05 23:31 . 2008-03-05 23:31 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-03-05 23:31 . 2008-03-05 23:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-03-05 21:36 . 2008-03-05 21:46 75 --a------ C:\WINDOWS\WININIT.INI
    2008-03-05 21:29 . 2008-03-05 21:29 <DIR> d-------- C:\Program Files\X-Cleaner

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-02 17:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-02-24 03:54 --------- d-----w C:\Program Files\MinorSd
    2008-02-23 02:38 43,872 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
    2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
    2006-12-09 07:49 12,099,848 ----a-w C:\Program Files\setupeng.exe
    2002-03-05 01:05 819,200 ----a-w C:\Program Files\SAFlashPlayer.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 19:26 15360]
    "HijackThis startup scan "= "C:\Documents and Settings\Administrator\Desktop\HijackThis.exe" [2008-03-02 21:15 218112]
    "SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray "= "C:\WINDOWS\system32\igfxtray.exe" [2002-10-15 23:18 155648]
    "HotKeysCmds "= "C:\WINDOWS\system32\hkcmd.exe" [2002-10-15 23:05 114688]
    "Cmaudio "= "cmicnfg.cpl" []
    "avast! "= "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-30 00:07 79224]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54 65588]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableCAD "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
    "status "= present

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "MSVideo8 "= VfWWDM32.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --------- 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
    --a------ 2005-12-13 08:49 217088 C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
    --a------ 2005-11-30 16:56 1306624 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    --a------ 2007-08-30 07:24 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\WINDOWS\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "F:\\Flash MX\\Flash.exe "=
    "C:\\WINDOWS\\System32\\mmc.exe "=

    R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-30 00:01]
    R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-30 00:05]
    S3 iadusb;ASL-25020;C:\WINDOWS\system32\DRIVERS\glauiad.sys [2006-09-29 00:55]
    S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 22:41]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0205112c-e60b-11dc-a1e3-b88edc9ca411}]
    \Shell\Auto\command -
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{053758b0-cc9c-11dc-a1a8-9bacedc9db11}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL regsvr.exe
    \Shell\Open\command -

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36d72bae-3f78-11dc-a034-800be7d09d16}]
    \Shell\Auto\command - MicrosoftPowerPoint.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44fdee02-103e-11dc-9feb-0018029421c4}]
    \Shell\Auto\command - setup.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{852b5dc6-bcdb-11dc-a186-0018029421c4}]
    \Shell\1\Command -
    \Shell\2\Command -
    \Shell\AutoRun\command -

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7128f60-bc22-11dc-a185-fc1b03ed7716}]
    \Shell\AutoRun\command -
    \Shell\explore\Command -
    \Shell\open\Command -

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9705284-de40-11dc-a1d1-cc6e3554ba12}]
    \Shell\Auto\command -
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-05 22:25:11
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-04-05 22:26:02
    ComboFix-quarantined-files.txt 2008-04-05 16:56:00
    Pre-Run: 271,810,560 bytes free
    Post-Run: 469,737,472 bytes free
    .
    2008-03-25 11:44:39 --- E O F ---
     
  10. 2008/04/06
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi niftytrader
    There are starting to be a few infections that will interrupt CF. They look for Combofix.exe and, if found, prevent it from executing; renaming it stops that.

    The Vundo infection did the same with HJT; only when you tried to run HJT, it would hide from it.

    Now please do the following.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    Folder::
    C:\Documents and Settings\All Users\Application Data\SecTaskMan
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
    "status"=-
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0205112c-e60b-11dc-a1e3-b88edc9ca411}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9705284-de40-11dc-a1d1-cc6e3554ba12}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44fdee02-103e-11dc-9feb-0018029421c4}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36d72bae-3f78-11dc-a034-800be7d09d16}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{053758b0-cc9c-11dc-a1a8-9bacedc9db11}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{852b5dc6-bcdb-11dc-a186-0018029421c4}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7128f60-bc22-11dc-a185-fc1b03ed7716}] 
    Please post the CFScript log.

    I would also like to see the CF quarantine folder; please post the contents of this.
    C:\QOOBOX

    Thanks
    Geri
     
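The mountpoints2 cleanup Geri scripts by hand above (read the dump, spot the keys whose Shell\AutoRun\command launches something, write the [-key] lines) can be automated against the log text. The Python below is an added example, not code from this thread, ComboFix or DSS; the sample log reuses three keys from the dump posted earlier and one constructed key with a placeholder GUID carrying the regsvr.exe AutoRun.

```python
"""Flag MountPoints2 entries in a DSS/ComboFix log whose Shell\\<verb>\\command
launches a program (the autorun-worm pattern in this thread) and emit the
ComboFix CFScript lines that delete those keys. Added example; not part of
the thread, ComboFix or DSS."""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the dump posted in the thread: three keys
# copied from the log, plus one placeholder GUID carrying the regsvr.exe AutoRun.
REGSVR_KEY = (r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion"
              r"\explorer\mountpoints2\{00000000-0000-0000-0000-000000000001}")
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36d72bae-3f78-11dc-a034-800be7d09d16}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{852b5dc6-bcdb-11dc-a186-0018029421c4}]
\Shell\1\Command -
\Shell\2\Command -
\Shell\AutoRun\command -

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7128f60-bc22-11dc-a185-fc1b03ed7716}]
\Shell\AutoRun\command -
\Shell\explore\Command -
\Shell\open\Command -

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-0000-0000-0000-000000000001}]
\Shell\Auto\command -
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL regsvr.exe
"""

# Key header as DSS/ComboFix print it, and the "\Shell\<verb>\command - <cmd>" lines.
KEY_LINE = re.compile(
    r"^\[(HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\\{[0-9a-f-]{36}\})\]$", re.IGNORECASE)
COMMAND_LINE = re.compile(r"^\\Shell\\(.+?)\\command\s*-\s*(.*)$", re.IGNORECASE)


def parse_mountpoints(log_text: str) -> Dict[str, Dict[str, str]]:
    """Map each MountPoints2 key to its Shell verb -> command line."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()                      # forum dumps are indented
        key = KEY_LINE.match(line)
        if key:
            current = key.group(1)
            entries[current] = {}
            continue
        cmd = COMMAND_LINE.match(line)
        if cmd and current is not None:
            entries[current][cmd.group(1)] = cmd.group(2).strip()
    return entries


def launched_program(command: str) -> str:
    """Final token of a ShellExec_RunDLL command line, e.g. 'regsvr.exe'."""
    return command.split()[-1] if command.strip() else ""


def suspicious_keys(entries: Dict[str, Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Keys carrying at least one non-empty command.

    Explorer only records these verbs when the inserted drive had an
    autorun.inf, so on a USB stick a command is the worm's launcher (here
    regsvr.exe). A CD installer leaves the same shape, so check the program
    name before deleting."""
    flagged = []
    for key, commands in entries.items():
        programs = sorted({launched_program(c) for c in commands.values() if c})
        if programs:
            flagged.append((key, programs))
    return flagged


def cfscript_registry_block(entries: Dict[str, Dict[str, str]],
                            only_flagged: bool = True) -> str:
    """CFScript 'Registry::' section; '[-key]' tells ComboFix to delete key."""
    keys = [k for k, _ in suspicious_keys(entries)] if only_flagged else list(entries)
    return "Registry::\n" + "".join(f"[-{k}]\n" for k in keys)


if __name__ == "__main__":
    found = parse_mountpoints(SAMPLE_LOG)
    for key, programs in suspicious_keys(found):
        guid = key.rsplit("\\", 1)[-1]
        print(f"{guid} launches {', '.join(programs)}")
    print(cfscript_registry_block(found))
```

With only_flagged=False the block lists every cached drive key, which is what Geri's script does; the default keeps only keys that actually launch something.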
  11. 2008/04/06
    niftytrader

    niftytrader Inactive Thread Starter




    Dear Geri,

    Here are the logs. I am not too sure if I have got the part about "would also like to see the CF quarantine folder, please post the contents of this.
    C:\QOOBOX" right, but I have posted the contents of the ComboFix-quarantined-files.txt file. If there is something else that you would like to see, do let me know.

    Thanks, I really appreciate your help.


    ***************************************************

    quarantine

    *****************************************************

    2004-08-03 19:26 616960 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\_entreelist.dll.vir
    2004-08-03 19:26 708096 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\_enviewlist.dll.vir
    2007-10-01 23:19 6 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicy\Machine\Scripts\scripts.ini.vir
    2008-02-28 21:08 96 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\setup.ini.vir
    2008-02-28 22:42 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\setting.ini.vir
    2008-04-03 19:47 10 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\icn_4301AEBD288588A40833184CFEC0AF92.dll.vir
    2008-04-03 19:47 10636 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\icn_904000001E872D116BF00006799C897E.dll.vir
    2008-04-03 19:47 108 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0B79C053C7D38EE4AB9A00CB3B5D2472.dll.vir
    2008-04-03 19:47 152 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0E23E40C6140D434FA9B96967D309AFE.dll.vir
    2008-04-03 19:47 1577 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\icn_904040001E872D116BF00006799C897E.vir
    2008-04-03 19:47 1914 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\icn_A2F950FF7A26A6E43B505559192D67E9.dll.vir
    2008-04-03 19:47 210 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\icn_2E43F5A8FC734DA408C8D21473683EA1.dll.vir
    2008-04-03 19:47 3159 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\icn_904000001E872D116BF00006799C897E.vir
    2008-04-03 19:47 4360 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\icn_904040001E872D116BF00006799C897E.dll.vir
    2008-04-03 19:47 522 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0B79C053C7D38EE4AB9A00CB3B5D2472.vir
    2008-04-03 19:47 522 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\icn_2E43F5A8FC734DA408C8D21473683EA1.vir
    2008-04-03 19:47 522 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\icn_4301AEBD288588A40833184CFEC0AF92.vir
    2008-04-03 19:47 539 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0E23E40C6140D434FA9B96967D309AFE.vir
    2008-04-03 19:47 656 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\icn_7317577B17A0F9A4A828A14E1A7B4302.vir
    2008-04-03 19:47 694 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\icn_106BB9B49E3124043ACB7E59B54F9AF8.dll.vir
    2008-04-03 19:47 716 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\icn_68AB67CA7DA73301B7448A0100000030.vir
    2008-04-03 19:47 744 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\icn_68AB67CA7DA73301B7448A0100000030.dll.vir
    2008-04-03 19:47 788 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\icn_106BB9B49E3124043ACB7E59B54F9AF8.vir
    2008-04-03 19:47 84 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\icn_7317577B17A0F9A4A828A14E1A7B4302.dll.vir
    2008-04-03 19:47 929 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\icn_A2F950FF7A26A6E43B505559192D67E9.vir
    2008-04-03 19:48 1257 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\_ExplorerBD8C40F.vir
    2008-04-03 19:48 191463 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\_googletoolbar11CD3AC64.vir
    2008-04-03 19:48 23684 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\_avp47A47A13.vir
    2008-04-03 19:48 2587 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\_HijackThis49B05403.vir
    2008-04-03 19:48 6335 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\_igfxtray15C26002.vir
    2008-04-03 19:48 8061 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\_AcroIEHelper4789F280.vir
    2008-04-03 19:49 2379 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\_svchost14F83800.vir
    2008-04-03 19:50 17826 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\_swg383CF5BC.vir
    2008-04-03 19:51 5718 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\_hkcmdE71C001.vir
    2008-04-03 19:51 6323 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\SecTaskMan\_miscr34B735A11.vir
    2008-04-06 22:36 78 --a------ C:\Qoobox\Quarantine\catchme.log


    *************************************************



    Logfile of HijackThis v1.99.1
    Scan saved at 10:58:11 PM, on 4/6/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\Desktop\hijackthis2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sharekhan.com/#
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\Administrator\Desktop\HijackThis.exe /startupscan
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{68F3F10F-A005-4BF1-B92E-E8684418ABE4}: NameServer = 218.248.240.208 218.248.240.24
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A7B57157-B0F7-4B2E-83B7-7F3AAA5E35A2}: NameServer = 61.1.96.69,61.1.96.71
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    **********************************************************




    combofix log



    *******************************



    ComboFix 08-04-04.1 - Admin 2008-04-06 22:34:11.2 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.16 [GMT 5.5:30]
    Running from: C:\Documents and Settings\Administrator\Desktop\nixcombo.exe
    Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    TimedOut: Windir.dat

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\SecTaskMan
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\_AcroIEHelper4789F280
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\_avp47A47A13
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\_entreelist.dll
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\_enviewlist.dll
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\_ExplorerBD8C40F
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\_googletoolbar11CD3AC64
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\_HijackThis49B05403
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\_hkcmdE71C001
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\_igfxtray15C26002
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\_miscr34B735A11
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\_svchost14F83800
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\_swg383CF5BC
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0B79C053C7D38EE4AB9A00CB3B5D2472
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0B79C053C7D38EE4AB9A00CB3B5D2472.dll
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0E23E40C6140D434FA9B96967D309AFE
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0E23E40C6140D434FA9B96967D309AFE.dll
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_106BB9B49E3124043ACB7E59B54F9AF8
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_106BB9B49E3124043ACB7E59B54F9AF8.dll
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_2E43F5A8FC734DA408C8D21473683EA1
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_2E43F5A8FC734DA408C8D21473683EA1.dll
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_4301AEBD288588A40833184CFEC0AF92
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_4301AEBD288588A40833184CFEC0AF92.dll
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_68AB67CA7DA73301B7448A0100000030
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_68AB67CA7DA73301B7448A0100000030.dll
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_7317577B17A0F9A4A828A14E1A7B4302
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_7317577B17A0F9A4A828A14E1A7B4302.dll
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_904000001E872D116BF00006799C897E
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_904000001E872D116BF00006799C897E.dll
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_904040001E872D116BF00006799C897E
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_904040001E872D116BF00006799C897E.dll
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_A2F950FF7A26A6E43B505559192D67E9
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_A2F950FF7A26A6E43B505559192D67E9.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-06 to 2008-04-06 )))))))))))))))))))))))))))))))
    .

    2008-04-03 20:04 . 2008-04-03 20:04 <DIR> d-------- C:\Deckard
    2008-04-01 23:55 . 2008-04-01 23:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
    2008-03-10 21:22 . 2008-03-10 21:22 <DIR> d--h----- C:\WINDOWS\PIF
    2008-03-10 12:54 . 2008-03-10 12:54 <DIR> d--hs---- C:\FOUND.001
    2008-03-10 12:22 . 2008-03-10 12:22 <DIR> d-------- C:\Program Files\Lavasoft
    2008-03-10 12:21 . 2008-03-10 12:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-03-10 12:20 . 2008-03-30 00:15 1,146,232 --a------ C:\WINDOWS\system32\aswBoot.exe
    2008-03-10 12:20 . 2008-03-29 23:53 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
    2008-03-10 12:20 . 2008-03-30 00:05 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
    2008-03-10 12:20 . 2008-01-17 22:04 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
    2008-03-10 12:20 . 2008-03-30 00:01 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
    2008-03-10 12:20 . 2008-03-29 23:57 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
    2008-03-10 12:20 . 2008-03-29 23:56 26,944 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
    2008-03-10 12:20 . 2008-03-29 23:59 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
    2008-03-10 12:20 . 2008-03-30 00:05 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
    2008-03-10 00:22 . 2008-03-10 00:22 <DIR> d-------- C:\ComboFix
    2008-03-10 00:06 . 2008-03-10 00:06 <DIR> d--hs---- C:\FOUND.000
    2008-03-09 22:47 . 2008-03-09 22:47 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-03-09 22:47 . 2008-03-09 22:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-03-09 22:34 . 2008-03-09 22:34 <DIR> d-------- C:\Program Files\COMODO
    2008-03-09 22:34 . 2008-03-09 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
    2008-03-09 22:34 . 2008-03-09 22:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Comodo
    2008-03-09 21:38 . 2008-03-09 21:38 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-03-09 21:38 . 2008-03-09 21:38 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-03-09 21:37 . 2008-03-09 21:37 <DIR> d-------- C:\Program Files\Picasa2
    2008-03-09 21:37 . 2006-10-05 08:12 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
    2008-03-09 21:37 . 2006-10-05 08:12 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
    2008-03-06 05:54 . 2008-03-06 05:54 <DIR> d-------- C:\kav

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-05 18:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-03-05 15:59 --------- d-----w C:\Program Files\X-Cleaner
    2008-03-02 17:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-02-24 03:54 --------- d-----w C:\Program Files\MinorSd
    2008-02-23 02:38 43,872 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
    2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
    2006-12-09 07:49 12,099,848 ----a-w C:\Program Files\setupeng.exe
    2002-03-05 01:05 819,200 ----a-w C:\Program Files\SAFlashPlayer.exe
    .

    ((((((((((((((((((((((((((((( snapshot@2008-04-05_22.25.41.18 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-04-06 14:55:58 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_434.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 19:26 15360]
    "HijackThis startup scan"="C:\Documents and Settings\Administrator\Desktop\HijackThis.exe" [ ]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2002-10-15 23:18 155648]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2002-10-15 23:05 114688]
    "Cmaudio"="cmicnfg.cpl" []
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-30 00:07 79224]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54 65588]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableCAD"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "MSVideo8"= VfWWDM32.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --------- 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
    --a------ 2005-12-13 08:49 217088 C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
    --a------ 2005-11-30 16:56 1306624 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    --a------ 2007-08-30 07:24 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\WINDOWS\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "F:\\Flash MX\\Flash.exe"=
    "C:\\WINDOWS\\System32\\mmc.exe"=

    R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-30 00:01]
    R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-30 00:05]
    S3 iadusb;ASL-25020;C:\WINDOWS\system32\DRIVERS\glauiad.sys [2006-09-29 00:55]
    S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 22:41]

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-06 22:36:58
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-04-06 22:37:48
    ComboFix-quarantined-files.txt 2008-04-06 17:07:44
    ComboFix2.txt 2008-04-05 16:56:06
    Pre-Run: 288,456,704 bytes free
    Post-Run: 278,265,856 bytes free
    .
    2008-03-25 11:44:39 --- E O F ---
     
  12. 2008/04/06
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi niftytrader
    That's looking good.

    If you did not delete these before, please look for them and delete them now.

    Using Windows Explorer (to get there, right-click your Start button and go to "Explore"), please delete these.

    C:\WINDOWS\system32\28463 <<This folder
    C:\WINDOWS\system32\regsvr.exe <<This File

    Let's get an on-line scan.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional; if you want it to remove everything, check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Now do a scan.

    Please do an online scan with Kaspersky WebScanner

    Click on “Accept”. If your pop-up blocker blocks the ActiveX download, allow it and click on “Accept” again.

    You will be prompted to install an ActiveX component from Kaspersky; click Yes or Install.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded, click on NEXT.
    • Now click on Scan Settings.
    • In the scan settings, make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available, otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • This will start the program and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

    Thanks
    Geri
     
  13. 2008/04/07
    niftytrader

    niftytrader Inactive Thread Starter



    Dear Geri,

    The files / folders
    C:\WINDOWS\system32\28463 <<This folder
    C:\WINDOWS\system32\regsvr.exe <<This File

    are not present. However, there is a file C:\WINDOWS\system32\regsvr32.exe.
    Shall I delete it instead?

    I will get back to you after ATF and the Kaspersky online scan.

    One more thing: I have DSS, HijackThis and now ATF Cleaner installed. Do I need all of them? How often do I need to run these?

    Thanks
     
  14. 2008/04/07
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi
    regsvr32.exe is a legitimate file, so don't delete it.

    DSS: only when asked to do so.
    HJT: you have it scanning at start-up; we'll talk about that later.
    ATF is a good temp cleaner and you should run it like once a week, depending on how much you're on the internet.

    Geri
     
  15. 2008/04/07
    niftytrader

    niftytrader Inactive Thread Starter




    IS IT TOO EARLY FOR A HAIKU DEPARTMENT


    Dear Geri,

    The Kaspersky scan did not detect a single problem. Feels great. I had run it a month back and there were about a zillion infections. So thanks a ton, and here is a haiku:

    alone on the web
    drops of sensitivity
    embrace an eyelash

    - Chris Spruck

    And now could you please humour me some more and clear my doubts? If you are busy, that's fine.

    After running the online Kaspersky scan a month ago, I installed the Kaspersky antivirus. My system performance improved immediately. While I just couldn't use the net earlier, it was back to normal now. Kaspersky also detected and cleaned infections on my thumb drive. However, after some time it stopped detecting anything even though I knew the thumb drive was infected. That's when I registered with WindowsBBS. I also did two additional things: firstly, using the HijackThis log, I edited my registry to manually delete all entries in MountPoints2 related to svchost.exe and regsvr.exe; secondly, I ran Spybot, which detected and cleaned regsvr.exe.

    What I want to know is how Kaspersky stopped detecting infections on the thumb drive. Secondly, I need to shuttle data between computers (some of which are bound to be infected) using my thumb drive. How can I check for sure that the thumb drive is not infected, and how can I keep my computer from getting infected?

    Thanks again for your help.

    Here is the Kaspersky log (I hope there is no anticlimax with you telling me that there is still something wrong):

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Tuesday, April 08, 2008 12:15:29 AM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 7/04/2008
    Kaspersky Anti-Virus database records: 688619
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\

    Scan Statistics:
    Total number of scanned objects: 34449
    Number of viruses found: 0
    Number of infected objects: 0
    Number of suspicious objects: 0
    Duration of the scan process: 01:04:10

    Infected Object Name / Virus Name / Last Action
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\Temp\Perflib_Perfdata_424.dat Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\pfirewall.log Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
    C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
    D:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    E:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
    E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    F:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
    F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    Scan process completed.
     
  16. 2008/04/07
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi niftytrader

    It depends. Kaspersky only scans what it can see: if your thumb drive was not plugged in, or it was set not to scan that drive.
    The drive letter for your thumb drive is only created when you plug it in: E, D, F, whatever.
    Unless the thumb drive is plugged in and Kaspersky is set to scan that drive, it won't see it.
    That is why we tell people to use "My Computer" when scanning; that way it looks everywhere, not just the C drive.

    One way is to have a thumb drive that has Anti-Virus installed on it.
    I have a SanDisk Cruzer Micro 2GB. It has Avast installed on it; make sure you update the virus protection data just before using it and have it set to scan all files before or while it loads them.
    Then when moving files, transfer all files to a set folder, say My Documents New transfer folder. Then scan that folder with the Anti-Virus program that is on your computer.


    Now your Kaspersky scan looks good.

    So let's clean up.

    Click Start>Run in the run box copy and paste or type ComboFix /u then hit Enter to uninstall ComboFix and remove the files/folders it created.

    Then delete these.
    dss.exe
    C:\Deckard

    Run ATF Cleaner again or empty your recycle bin.

    HJT you have to scan at start up.
    This is not a bad idea, though rarely used.
    It will show you any registry changes that have taken place (that is where HJT looks) just don't go deleting everything, that could be disastrous.
    We are always happy to look over a log, so if you have any doubts you can always post the HJT log.


    Please look at this link for some preventive recommendations. It could keep you from ending up back here in the Spyware and Virus Removal Forums.
    http://www.windowsbbs.com/showthread.php?t=67958

    Let me know that everything is OK and I'll mark this one resolved.

    Surf Safely
    Geri
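    The two things Geri checks in the report above are that every listed object is an "Object is locked skipped" line (open registry hives, event logs, index.dat files and the autorun.inf placeholders Flash_Disinfector leaves behind) and that the drives that matter were actually among the scan targets, since a thumb drive only has a letter while it is plugged in. The Python script below is an added example, not code from this thread, from WindowsBBS or from Kaspersky: it parses a report in the layout pasted above and applies those two checks. The "<path> Infected: <name> <action>" shape for detection lines is an assumption, and the embedded report is constructed for the example rather than taken from the thread's log.

```python
"""Triage helper for a Kaspersky Online Scanner text report.

Added example: not code from the thread, from WindowsBBS or from
Kaspersky.  It assumes the report layout pasted in the thread: a
"Scan Target" block listing drive letters, a "Scan Statistics" block of
"key: value" lines, then one "<path> <message>" line per listed object.
The "<path> Infected: <name> <action>" shape for detections is an
assumption.  The report below is constructed for this example.
"""
import re

LOCKED_SUFFIX = " Object is locked skipped"
# Text the thread's own report shows on the protective autorun.inf folders
# that Flash_Disinfector leaves behind; these are expected, not malware.
DISINFECTOR_MARK = "This folder was created by Flash_Disinfector"

# Constructed sample report (same layout as the thread's, different content).
SAMPLE_REPORT = """\
Scan Settings:
Scan Archives: true

Scan Target - My Computer:
A:\\
C:\\
E:\\

Scan Statistics:
Total number of scanned objects: 120
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 00:10:00

Infected Object Name / Virus Name / Last Action
C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped
C:\\autorun.inf\\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
E:\\autorun.inf\\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
C:\\temp\\sample.exe Infected: EICAR-Test-File skipped

Scan process completed.
"""

# Assumed shape of a detection line: "<path> Infected: <name> <action>".
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) (?P<kind>Infected|Suspicious): (?P<detail>.+?) (?P<action>\S+)$"
)


def classify_object(line):
    """Turn one object line into (path, category, detail).

    category is one of: locked (normal for hives, event logs, index.dat),
    guard (Flash_Disinfector's autorun.inf placeholder), infected,
    suspicious, or unknown (a line we could not parse; never silently
    drop a line from a scan log).
    """
    if line.endswith(LOCKED_SUFFIX):
        path = line[: -len(LOCKED_SUFFIX)]
        return (path, "guard" if DISINFECTOR_MARK in path else "locked", "")
    m = DETECTION_RE.match(line)
    if m:
        return (m.group("path"), m.group("kind").lower(), m.group("detail"))
    return (line, "unknown", "")


def parse_report(text):
    """Return {'targets': [drive letters], 'stats': {...}, 'objects': [...]}."""
    targets, stats, objects = [], {}, []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Scan Target"):
            section = "targets"
        elif line.startswith("Scan Statistics"):
            section = "stats"
        elif line.startswith("Infected Object Name"):
            section = "objects"
        elif line.startswith("Scan process completed"):
            section = None
        elif section == "targets" and re.fullmatch(r"[A-Z]:\\", line):
            targets.append(line[0])
        elif section == "stats" and ":" in line:
            key, _, value = line.partition(":")
            stats[key.strip()] = value.strip()
        elif section == "objects":
            objects.append(classify_object(line))
    return {"targets": targets, "stats": stats, "objects": objects}


def triage(report, expected_drives):
    """Summarise a parsed report.

    'unscanned_drives' captures the thread's point: a removable drive only
    has a letter while it is plugged in, so a clean report says nothing
    about a drive that was not among the scan targets.
    """
    objects = report["objects"]
    flagged = [o for o in objects if o[1] in ("infected", "suspicious", "unknown")]
    missing = sorted(set(d.upper() for d in expected_drives) - set(report["targets"]))
    return {
        "clean": not flagged and report["stats"].get("Number of infected objects") == "0",
        "flagged": flagged,
        "unscanned_drives": missing,
        "locked": sum(1 for o in objects if o[1] == "locked"),
        "guards": [o[0] for o in objects if o[1] == "guard"],
    }


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT), expected_drives=["C", "E", "F"])
    for key, value in result.items():
        print(f"{key}: {value}")
```

    Run against a real report, the two fields worth reading first are "unscanned_drives" (a drive you expected but that was not a target was simply never looked at) and "flagged", which includes any line the parser did not recognise so that an unfamiliar action such as a quarantine or deletion is never hidden among the locked-file noise.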
     
  17. 2008/04/08
    niftytrader

    niftytrader Inactive Thread Starter

    Joined:
    2008/04/02
    Messages:
    13
    Likes Received:
    0


    Dear Geri,

    I was unable to uninstall ComboFix using the method you had suggested. When I ran ComboFix /u the same green progress bar appeared, but ComboFix was very much there. I tried nixcombo /u (remember ComboFix was not running on my PC and you had asked me to rename it) but I got the message that nixcombo cannot be found. Finally I just deleted the exe from the desktop and the ComboFix and nixcombo folders in C:\ along with DSS and Deckard, and then ran ATF Cleaner. So is that OK?

    Secondly, is the Avast on your USB drive the standard Home edition, or is it specifically meant for USB drives?

    Well then, thank you for all the help, and it's goodbye, is it?

    regards
     
  18. 2008/04/08
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Sorry about the combofix delete, I forgot I had you rename it. :p
    Look for and delete these also if present.
    C:\WINDOWS\nircmd.exe
    C:\QOOBOX
    C:\fixCombo quarantine files.txt

    As for Avast on my USB thumb drive, it's "Avast Anti-Virus U3 Edition". It came already installed when I bought the SanDisk; I just had to activate it and then update the virus dats.

    They have it on their web site, under "download-Programs".
    http://www.avast.com/eng/download-avast-home.html

    Free 60 day trial,
    1-year subscription now for only $19.95 (reg. $24.95)
    2-year subscription now for only $28.95 (reg. $33.95) - that's less than $1.25 per month!

    avast! U3 Edition - System Requirements

    U3 smart drive
    30 MB free on the U3 smart drive
    otherwise, the requirements are the same as for the U3 Launchpad itself, i.e. Windows 2000 SP4, Windows XP, Windows 2003 Server or Windows Vista (all editions)

    So I would check your thumb drives to see if they match.

    You're welcome and I'm glad I could help. :)
    And no hard feelings... but I hope not to see you here in Spyware and Virus Removal anyway. :p

    Surf Safely
    Geri
     