
Solved RSIT Error and Random I/E pop-ups

Discussion in 'Malware and Virus Removal Archive' started by helpme2008, 2008/11/16.

  1. 2008/11/18
    helpme2008

    helpme2008 Inactive Thread Starter

    Joined:
    2008/11/16
    Messages:
    46
    Likes Received:
    0
    Geri,

    Copied the new CFscript.txt and running right now. Will give you a log soon.


    Yes, I'm still getting the error on load-up.
     
  2. 2008/11/18
    helpme2008

    Latest combofix.log

    I rebooted and the error message is still there.

    =======


    ComboFix 08-11-16.04 - DSC 2008-11-18 22:01:04.5 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.936.1.1033.18.365 [GMT -5:00]
    执行位置: c:\documents and settings\DSC\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\DSC\Desktop\CFScript.txt
    * 成功创造还原点

    注意 - 这台电脑没有安装恢复控制台 ！！
    .

    ((((((((((((((((((((((((( 2008-10-19 至 2008-11-19 的新档案 )))))))))))))))))))))))))))))))
    .

    2008-11-18 21:49 . 2008-11-18 21:50 1,393 --a------ c:\windows\imsins.BAK
    2008-11-17 01:47 . 2008-11-17 01:47 <DIR> d-------- c:\temp\dial
    2008-11-16 19:26 . 2008-11-16 19:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2008-11-16 19:26 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-11-16 19:26 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2008-11-16 17:38 . 2008-11-18 09:34 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-11-16 17:35 . 2008-11-16 17:35 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
    2008-11-16 17:35 . 2008-11-16 17:35 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2008-11-16 17:34 . 2008-11-16 17:34 <DIR> d-------- c:\windows\system32\drivers\Avg
    2008-11-16 17:34 . 2008-11-16 17:34 <DIR> d-------- c:\program files\AVG
    2008-11-16 17:34 . 2008-11-16 17:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
    2008-11-16 17:34 . 2008-11-16 17:34 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
    2008-11-16 12:40 . 2008-11-16 12:40 <DIR> d-------- C:\rsit
    2008-11-16 01:18 . 2005-03-15 20:11 283,904 -ra------ c:\windows\system32\drivers\A5AGU.sys
    2008-11-16 01:18 . 2005-03-15 20:11 143,688 -ra------ c:\windows\system32\drivers\ar5523.bin
    2008-11-16 01:18 . 2005-03-15 20:11 43,392 -ra------ c:\windows\system32\drivers\Athfmwdl.sys
    2008-11-16 01:00 . 2008-11-16 01:00 <DIR> d-------- c:\program files\ANI
    2008-11-16 01:00 . 2004-07-27 11:20 36,864 --a------ c:\windows\system32\ANIOApi.dll
    2008-11-16 01:00 . 2004-07-27 11:20 28,205 --a------ c:\windows\system32\ANIO.sys
    2008-11-16 01:00 . 2004-07-27 11:20 16,997 --a------ c:\windows\system32\ANIO.VXD
    2008-11-16 01:00 . 2004-07-27 11:20 11,904 --a------ c:\windows\system32\anio4.sys
    2008-11-16 00:56 . 2008-11-16 00:56 <DIR> d-------- c:\program files\D-Link

    .
    (((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-18 02:41 --------- d-----w c:\program files\NetZero
    2008-11-17 04:47 --------- d-----w c:\documents and settings\All Users\Application Data\MapQuest Toolbar
    2008-11-16 15:11 --------- d-----w c:\program files\ewido anti-malware
    2008-11-16 07:31 --------- d-----w c:\program files\SUPERAntiSpyware
    2008-11-16 07:16 --------- d-----w c:\program files\Common Files\Real
    2008-11-16 06:47 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-11-16 06:47 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-11-16 06:00 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-10-12 01:00 --------- d-----w c:\documents and settings\DSC\Application Data\Malwarebytes
    2008-10-12 01:00 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-10-12 00:18 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-10-11 22:06 --------- d-----w c:\program files\Panda Security
    2008-10-03 20:25 --------- d-----w c:\documents and settings\NetworkService\Application Data\VOL_TOOLBAR
    2008-09-29 17:24 272,116 ----a-w c:\windows\system32\test3.exe
    2008-09-29 17:22 8,447 ----a-w c:\windows\system32\test2.exe
    2008-09-29 17:22 16,384 ----a-w c:\windows\system32\test1.exe
    2008-09-22 02:31 --------- d-----w c:\program files\Sun
    2008-09-22 02:30 --------- d-----w c:\program files\Java
    2008-09-21 23:46 --------- d-----w c:\program files\Lavasoft
    2008-09-21 23:44 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
    2008-09-19 19:36 --------- d-----w c:\program files\PPLive
    2008-09-19 19:34 --------- d-----w c:\documents and settings\All Users\Application Data\PPLive
    2005-12-20 03:51 184,808 -c--a-w c:\documents and settings\DSC\Application Data\shb.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2008-11-17_ 0.25.39.53 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-06-23 16:11:40 1,024,000 ----a-w c:\windows\$hf_mig$\KB953838\SP2QFE\browseui.dll
    + 2008-06-23 16:11:40 151,040 ----a-w c:\windows\$hf_mig$\KB953838\SP2QFE\cdfview.dll
    + 2008-06-23 16:11:42 1,054,208 ----a-w c:\windows\$hf_mig$\KB953838\SP2QFE\danim.dll
    + 2008-06-23 16:11:43 357,888 ----a-w c:\windows\$hf_mig$\KB953838\SP2QFE\dxtmsft.dll
    + 2008-06-23 16:11:43 205,312 ----a-w c:\windows\$hf_mig$\KB953838\SP2QFE\dxtrans.dll
    + 2008-06-23 16:11:43 55,808 ----a-w c:\windows\$hf_mig$\KB953838\SP2QFE\extmgr.dll
    + 2008-06-23 09:53:58 18,432 ----a-w c:\windows\$hf_mig$\KB953838\SP2QFE\iedw.exe
    + 2008-06-23 16:11:52 251,904 ----a-w c:\windows\$hf_mig$\KB953838\SP2QFE\iepeers.dll
    + 2008-06-23 16:11:52 96,256 ----a-w c:\windows\$hf_mig$\KB953838\SP2QFE\inseng.dll
    + 2008-06-23 16:11:52 16,384 ----a-w c:\windows\$hf_mig$\KB953838\SP2QFE\jsproxy.dll
    + 2008-06-23 16:11:58 3,067,392 ----a-w c:\windows\$hf_mig$\KB953838\SP2QFE\mshtml.dll
    + 2008-06-23 16:12:00 449,024 ----a-w c:\windows\$hf_mig$\KB953838\SP2QFE\mshtmled.dll
    + 2008-06-23 16:12:02 146,432 ----a-w c:\windows\$hf_mig$\KB953838\SP2QFE\msrating.dll
    + 2008-06-23 16:12:02 532,480 ----a-w c:\windows\$hf_mig$\KB953838\SP2QFE\mstime.dll
    + 2008-06-23 16:12:02 39,424 ----a-w c:\windows\$hf_mig$\KB953838\SP2QFE\pngfilt.dll
    + 2008-06-23 16:12:05 1,499,136 ----a-w c:\windows\$hf_mig$\KB953838\SP2QFE\shdocvw.dll
    + 2008-06-23 16:12:05 474,112 ----a-w c:\windows\$hf_mig$\KB953838\SP2QFE\shlwapi.dll
    + 2008-06-23 16:12:06 618,496 ----a-w c:\windows\$hf_mig$\KB953838\SP2QFE\urlmon.dll
    + 2008-06-23 16:12:08 667,136 ----a-w c:\windows\$hf_mig$\KB953838\SP2QFE\wininet.dll
    + 2008-07-03 09:14:02 351,744 ----a-w c:\windows\$hf_mig$\KB953838\SP2QFE\xpsp3res.dll
    + 2008-06-23 15:09:27 3,067,392 ----a-w c:\windows\$hf_mig$\KB953838\SP3GDR\mshtml.dll
    + 2008-06-26 08:15:29 1,499,136 ----a-w c:\windows\$hf_mig$\KB953838\SP3GDR\shdocvw.dll
    + 2008-06-26 08:15:30 619,520 ----a-w c:\windows\$hf_mig$\KB953838\SP3GDR\urlmon.dll
    + 2008-06-23 15:09:27 666,112 ----a-w c:\windows\$hf_mig$\KB953838\SP3GDR\wininet.dll
    + 2008-06-25 04:24:48 3,067,904 ----a-w c:\windows\$hf_mig$\KB953838\SP3QFE\mshtml.dll
    + 2008-06-26 08:00:52 1,499,136 ----a-w c:\windows\$hf_mig$\KB953838\SP3QFE\shdocvw.dll
    + 2008-06-26 08:00:52 619,520 ----a-w c:\windows\$hf_mig$\KB953838\SP3QFE\urlmon.dll
    + 2008-06-23 14:54:47 666,624 ----a-w c:\windows\$hf_mig$\KB953838\SP3QFE\wininet.dll
    + 2007-11-30 12:39:22 17,272 ----a-w c:\windows\$hf_mig$\KB953838\spmsg.dll
    + 2007-11-30 12:39:22 231,288 ----a-w c:\windows\$hf_mig$\KB953838\spuninst.exe
    + 2007-11-30 12:39:22 26,488 ----a-w c:\windows\$hf_mig$\KB953838\update\spcustom.dll
    + 2007-11-30 12:39:18 755,576 ----a-w c:\windows\$hf_mig$\KB953838\update\update.exe
    + 2007-11-30 12:39:19 382,840 ----a-w c:\windows\$hf_mig$\KB953838\update\updspapi.dll
    - 2008-04-21 07:03:56 1,023,488 ----a-w c:\windows\system32\browseui.dll
    + 2008-06-23 15:38:28 1,023,488 ----a-w c:\windows\system32\browseui.dll
    - 2008-04-21 07:03:56 151,040 ----a-w c:\windows\system32\cdfview.dll
    + 2008-06-23 15:38:29 151,040 ----a-w c:\windows\system32\cdfview.dll
    - 2008-04-21 07:03:57 1,054,208 ----a-w c:\windows\system32\danim.dll
    + 2008-06-23 15:38:30 1,054,208 ----a-w c:\windows\system32\danim.dll
    - 2008-04-21 07:03:56 1,023,488 -c----w c:\windows\system32\dllcache\browseui.dll
    + 2008-06-23 15:38:28 1,023,488 -c----w c:\windows\system32\dllcache\browseui.dll
    - 2008-04-21 07:03:56 151,040 -c----w c:\windows\system32\dllcache\cdfview.dll
    + 2008-06-23 15:38:29 151,040 -c----w c:\windows\system32\dllcache\cdfview.dll
    - 2008-04-21 07:03:57 1,054,208 -c----w c:\windows\system32\dllcache\danim.dll
    + 2008-06-23 15:38:30 1,054,208 -c----w c:\windows\system32\dllcache\danim.dll
    - 2008-04-21 07:03:57 357,888 -c----w c:\windows\system32\dllcache\dxtmsft.dll
    + 2008-06-23 15:38:30 357,888 -c----w c:\windows\system32\dllcache\dxtmsft.dll
    - 2008-04-21 07:03:57 205,312 -c----w c:\windows\system32\dllcache\dxtrans.dll
    + 2008-06-23 15:38:30 205,312 -c----w c:\windows\system32\dllcache\dxtrans.dll
    - 2008-04-21 07:03:57 55,808 -c----w c:\windows\system32\dllcache\extmgr.dll
    + 2008-06-23 15:38:30 55,808 -c----w c:\windows\system32\dllcache\extmgr.dll
    - 2008-04-17 10:52:54 18,432 -c--a-w c:\windows\system32\dllcache\iedw.exe
    + 2008-06-23 09:49:29 18,432 -c--a-w c:\windows\system32\dllcache\iedw.exe
    - 2008-04-21 07:03:58 251,392 -c----w c:\windows\system32\dllcache\iepeers.dll
    + 2008-06-23 15:38:31 251,392 -c----w c:\windows\system32\dllcache\iepeers.dll
    - 2008-04-21 07:03:58 96,256 -c----w c:\windows\system32\dllcache\inseng.dll
    + 2008-06-23 15:38:31 96,256 -c----w c:\windows\system32\dllcache\inseng.dll
    - 2008-04-21 07:03:58 16,384 -c----w c:\windows\system32\dllcache\jsproxy.dll
    + 2008-06-23 15:38:31 16,384 -c----w c:\windows\system32\dllcache\jsproxy.dll
    - 2004-08-04 07:56:42 331,776 -c--a-w c:\windows\system32\dllcache\msadce.dll
    + 2008-05-01 14:30:33 331,776 -c--a-w c:\windows\system32\dllcache\msadce.dll
    - 2008-04-21 07:03:59 3,059,712 -c----w c:\windows\system32\dllcache\mshtml.dll
    + 2008-06-23 15:38:33 3,059,712 -c----w c:\windows\system32\dllcache\mshtml.dll
    - 2008-04-21 07:03:59 449,024 -c----w c:\windows\system32\dllcache\mshtmled.dll
    + 2008-06-23 15:38:33 449,024 -c----w c:\windows\system32\dllcache\mshtmled.dll
    - 2008-04-21 07:03:59 146,432 -c----w c:\windows\system32\dllcache\msrating.dll
    + 2008-06-23 15:38:33 146,432 -c----w c:\windows\system32\dllcache\msrating.dll
    - 2008-04-21 07:03:59 532,480 -c----w c:\windows\system32\dllcache\mstime.dll
    + 2008-06-23 15:38:33 532,480 -c----w c:\windows\system32\dllcache\mstime.dll
    - 2008-04-21 07:03:59 39,424 -c----w c:\windows\system32\dllcache\pngfilt.dll
    + 2008-06-23 15:38:33 39,424 -c----w c:\windows\system32\dllcache\pngfilt.dll
    - 2008-04-21 07:04:00 1,494,528 -c----w c:\windows\system32\dllcache\shdocvw.dll
    + 2008-06-23 15:38:34 1,494,528 -c----w c:\windows\system32\dllcache\shdocvw.dll
    - 2008-04-21 07:04:00 474,112 -c----w c:\windows\system32\dllcache\shlwapi.dll
    + 2008-06-23 15:38:34 474,112 -c----w c:\windows\system32\dllcache\shlwapi.dll
    - 2008-04-21 07:04:00 615,936 -c----w c:\windows\system32\dllcache\urlmon.dll
    + 2008-06-23 15:38:34 615,936 -c----w c:\windows\system32\dllcache\urlmon.dll
    - 2008-04-21 07:04:00 659,456 -c----w c:\windows\system32\dllcache\wininet.dll
    + 2008-06-23 15:38:34 659,456 -c----w c:\windows\system32\dllcache\wininet.dll
    - 2008-04-21 07:03:57 357,888 ----a-w c:\windows\system32\dxtmsft.dll
    + 2008-06-23 15:38:30 357,888 ----a-w c:\windows\system32\dxtmsft.dll
    - 2008-04-21 07:03:57 205,312 ----a-w c:\windows\system32\dxtrans.dll
    + 2008-06-23 15:38:30 205,312 ----a-w c:\windows\system32\dxtrans.dll
    - 2008-04-21 07:03:57 55,808 ------w c:\windows\system32\extmgr.dll
    + 2008-06-23 15:38:30 55,808 ------w c:\windows\system32\extmgr.dll
    - 2008-04-21 07:03:58 251,392 ----a-w c:\windows\system32\iepeers.dll
    + 2008-06-23 15:38:31 251,392 ----a-w c:\windows\system32\iepeers.dll
    - 2008-04-21 07:03:58 96,256 ----a-w c:\windows\system32\inseng.dll
    + 2008-06-23 15:38:31 96,256 ----a-w c:\windows\system32\inseng.dll
    - 2008-04-21 07:03:58 16,384 ----a-w c:\windows\system32\jsproxy.dll
    + 2008-06-23 15:38:31 16,384 ----a-w c:\windows\system32\jsproxy.dll
    - 2008-04-21 07:03:59 3,059,712 ----a-w c:\windows\system32\mshtml.dll
    + 2008-06-23 15:38:33 3,059,712 ----a-w c:\windows\system32\mshtml.dll
    - 2008-04-21 07:03:59 449,024 ----a-w c:\windows\system32\mshtmled.dll
    + 2008-06-23 15:38:33 449,024 ----a-w c:\windows\system32\mshtmled.dll
    - 2008-04-21 07:03:59 146,432 ----a-w c:\windows\system32\msrating.dll
    + 2008-06-23 15:38:33 146,432 ----a-w c:\windows\system32\msrating.dll
    - 2008-04-21 07:03:59 532,480 ----a-w c:\windows\system32\mstime.dll
    + 2008-06-23 15:38:33 532,480 ----a-w c:\windows\system32\mstime.dll
    - 2008-04-21 07:03:59 39,424 ----a-w c:\windows\system32\pngfilt.dll
    + 2008-06-23 15:38:33 39,424 ----a-w c:\windows\system32\pngfilt.dll
    - 2008-04-21 07:04:00 1,494,528 ----a-w c:\windows\system32\shdocvw.dll
    + 2008-06-23 15:38:34 1,494,528 ----a-w c:\windows\system32\shdocvw.dll
    - 2008-04-21 07:04:00 474,112 ----a-w c:\windows\system32\shlwapi.dll
    + 2008-06-23 15:38:34 474,112 ----a-w c:\windows\system32\shlwapi.dll
    - 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
    + 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
    - 2008-04-21 07:04:00 615,936 ----a-w c:\windows\system32\urlmon.dll
    + 2008-06-23 15:38:34 615,936 ----a-w c:\windows\system32\urlmon.dll
    - 2008-04-21 07:04:00 659,456 ----a-w c:\windows\system32\wininet.dll
    + 2008-06-23 15:38:34 659,456 ----a-w c:\windows\system32\wininet.dll
    - 2008-04-17 10:37:04 351,744 ----a-w c:\windows\system32\xpsp3res.dll
    + 2008-07-03 09:14:02 351,744 ----a-w c:\windows\system32\xpsp3res.dll
    .
    -- 快照技术重新设置 --
    .
    ((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *注意* 空白与合法缺省登录将不会被显示
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Lexmark X74-X75 "= "c:\program files\Lexmark X74-X75\lxbbbmgr.exe" [2002-06-24 57344]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
    "IMJPMIG8.1 "= "c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "IMEKRMIG6.1 "= "c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-18 44032]
    "MSPY2002 "= "c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-28 59392]
    "PHIME2002ASync "= "c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 455168]
    "PHIME2002A "= "c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 455168]
    "SunJavaUpdateSched "= "c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "Verizon_McciTrayApp "= "c:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
    "VerizonServicepoint.exe "= "c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 2061816]
    "AVG8_TRAY "= "c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-16 1234712]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=avgrsstx.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
    backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
    --a--c--- 2004-12-14 02:12 483328 c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
    --a--c--- 2004-06-07 11:07 1097728 c:\progra~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2006-10-30 09:36 256576 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
    --a--c--- 2000-07-13 15:00 28739 c:\program files\Microsoft Works\WkDetect.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
    --a--c--- 2004-05-21 09:41 148992 c:\progra~1\Nokia\NOKIAP~1\TRAYAP~1.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Bonjour Service "=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe "=
    "c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe "=
    "c:\\Program Files\\PPLive\\PPLive.exe "=
    "c:\\WINDOWS\\system32\\LEXPPS.EXE "=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe "=

    R0 mtudh;mtudh;c:\windows\system32\drivers\mtudh.sys [2004-01-01 23392]
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-10-11 28544]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-16 97928]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-16 875288]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-16 231704]
    R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-16 76040]
    S0 kpqmw;kpqmw;c:\windows\system32\drivers\kpqmw.sys []
    S2 mscrtu;mscrtu;\??\c:\windows\system32\drivers\mscrtu.sys []
    S2 msfkcy;msfkcy;\??\c:\windows\system32\drivers\msfkcy.sys []
    S2 mslbpr;mslbpr;\??\c:\windows\system32\drivers\mslbpr.sys []
    S2 msnhoi;msnhoi;\??\c:\windows\system32\drivers\msnhoi.sys []
    S2 msuwrl;msuwrl;\??\c:\windows\system32\drivers\msuwrl.sys []
    S2 mswhia;mswhia;\??\c:\windows\system32\drivers\mswhia.sys []
    S2 msxulk;msxulk;\??\c:\windows\system32\drivers\msxulk.sys []
    S2 msyzut;msyzut;\??\c:\windows\system32\drivers\msyzut.sys []
    S2 nsbopx;nsbopx;\??\c:\windows\system32\drivers\nsbopx.sys []
    S2 nseoew;nseoew;\??\c:\windows\system32\drivers\nseoew.sys []
    S2 nshpme;nshpme;\??\c:\windows\system32\drivers\nshpme.sys []
    S2 nsjngk;nsjngk;\??\c:\windows\system32\drivers\nsjngk.sys []
    S2 nsnvnr;nsnvnr;\??\c:\windows\system32\drivers\nsnvnr.sys []
    S2 nspkxi;nspkxi;\??\c:\windows\system32\drivers\nspkxi.sys []
    S2 nsqafs;nsqafs;\??\c:\windows\system32\drivers\nsqafs.sys []
    S2 nsumkl;nsumkl;\??\c:\windows\system32\drivers\nsumkl.sys []
    S2 nszset;nszset;\??\c:\windows\system32\drivers\nszset.sys []
    S2 osduiq;osduiq;\??\c:\windows\system32\drivers\osduiq.sys []
    S2 osetgd;osetgd;\??\c:\windows\system32\drivers\osetgd.sys []
    S2 osfpec;osfpec;\??\c:\windows\system32\drivers\osfpec.sys []
    S2 osjygb;osjygb;\??\c:\windows\system32\drivers\osjygb.sys []
    S2 osmopb;osmopb;\??\c:\windows\system32\drivers\osmopb.sys []
    S2 osqszm;osqszm;\??\c:\windows\system32\drivers\osqszm.sys []
    S2 osrhpa;osrhpa;\??\c:\windows\system32\drivers\osrhpa.sys []
    S2 osyjmi;osyjmi;\??\c:\windows\system32\drivers\osyjmi.sys []
    S2 XaWin;XaWin;c:\windows\System32\svchost.exe -k netsvcs [2002-08-01 14336]
    S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\DRIVERS\A5AGU.sys [2008-11-16 283904]
    S3 ATHFMWDL;D-Link predator Bootloader driver;c:\windows\system32\Drivers\ATHFMWDL.sys [2008-11-16 43392]
    S4 hpt3xx;hpt3xx; []

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    XaWin
    .
    ‘计划任务’ 文件夹里的内容

    2008-10-06 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 17:13]
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-18 22:04:41
    Windows 5.1.2600 Service Pack 2 NTFS

    扫描被隐藏的进程。。。 ...

    扫描被隐藏的启动组。。。

    扫描被隐藏的文件。。。

    扫描完成
    被隐藏的档案: 0

    **************************************************************************
    .
    完成时间: 2008-11-18 22:08:01
    ComboFix-quarantined-files.txt 2008-11-19 03:07:48
    ComboFix2.txt 2008-11-18 14:47:13
    ComboFix3.txt 2008-11-18 05:35:47
    ComboFix4.txt 2008-11-17 05:27:21

    Pre-Run: 20,591,276,032 bytes free
    Post-Run: 20,574,867,456 bytes free

    285 --- E O F --- 2008-11-19 02:54:42
     


  4. 2008/11/18
    helpme2008

    P.S. -- I was researching why my dad's updates were not being processed. I was able to manually process a couple. I'll stop the research until we resolve this issue -- sorry if that added stuff to the combofix.log
     
  5. 2008/11/18
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Thanks, that would be a good thing.:)

    CF doesn't want to delete those entries, I'm asking for advice from noahdfear.

    Delete RSIT.exe if you have it and see if it will download and run yet.

    • Download RSIT by random/random and save it to your desktop.
    • Double click RSIT.exe to start the tool.
    • At the disclaimer, please use the drop down box to select 3 months for the file/folder search, then click Continue.
    • If prompted by your firewall to allow RSIT to access the internet, please allow it. It will be updating your version of HijackThis.
    • When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
    • Please post the contents of log.txt here in your next reply.

    Thanks
     
  6. 2008/11/18
    helpme2008

    Hi Geri,

    It's currently off the network, but I got a flash drive with the latest RSIT and I keep getting that AutoIt Error "Line -1: Error: Subscript used with non-array variable. "

    Do you have any suggestions?
     
  7. 2008/11/18
    Geri Lifetime Subscription

    Hi
    Does your dad have or use XaWin game(s)?

    Please do this.

    Jotti File Submission:
    • Please go to Jotti's malware scan
    • Copy and paste the following file path into the "File to upload & scan "box on the top of the page:
      • c:\windows\system32\drivers\mtudh.sys
    • Click on the submit button
    • Please post the results in your next reply.

    RSIT - Do you have any suggestions?
    Not yet, I'll let you know as soon as I do.

    Thanks
     
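The entries Geri is asking about (mtudh.sys, XaWin) come from the service section of the ComboFix log posted above. As an added example that is not part of this thread or of ComboFix, the Python below parses lines in that `R0 name;display;path [date size]` format and attaches the review flags a helper usually looks for first: an empty `[]` file record, a short generic name with no vendor display name, boot/system start, and a service hosted inside svchost. The sample lines are a constructed excerpt modelled on that log, and the heuristics are assumptions for triage rather than ComboFix's own logic.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the ComboFix service section in this thread.
SAMPLE_LOG = r"""
R0 mtudh;mtudh;c:\windows\system32\drivers\mtudh.sys [2004-01-01 23392]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-16 97928]
S0 kpqmw;kpqmw;c:\windows\system32\drivers\kpqmw.sys []
S2 mscrtu;mscrtu;\??\c:\windows\system32\drivers\mscrtu.sys []
S2 XaWin;XaWin;c:\windows\System32\svchost.exe -k netsvcs [2002-08-01 14336]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\DRIVERS\A5AGU.sys [2008-11-16 283904]
S4 hpt3xx;hpt3xx; []
"""

# ComboFix service line: <R|S><start> <name>;<display name>;<image path> [<date> <size>]
# R = running, S = stopped; start 0=boot, 1=system, 2=auto, 3=manual, 4=disabled.
# An empty [] means the scanner could not read the file (missing, hidden or locked).
LINE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")


@dataclass
class ServiceEntry:
    running: bool
    start_type: int
    name: str
    display: str
    image: str
    file_info: str
    flags: list = field(default_factory=list)


def parse_line(line):
    """Return a ServiceEntry for one service/driver line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    running, start, name, display, image, info = m.groups()
    return ServiceEntry(running == "R", int(start), name, display, image, info.strip())


def triage(entry):
    """Attach review flags (assumed heuristics): a flag is a reason to look, not a verdict."""
    if entry.file_info == "":
        entry.flags.append("file-missing")      # file could not be read by the scanner
    if entry.display == entry.name and re.fullmatch(r"[a-z]{5,6}", entry.name):
        entry.flags.append("generic-name")      # no vendor display name, random-looking name
    if entry.start_type <= 1 and "generic-name" in entry.flags:
        entry.flags.append("early-start")       # boot/system start loads before most AV
    if entry.display == entry.name and re.search(r"svchost\.exe\s+-k\s+\S+", entry.image, re.I):
        entry.flags.append("svchost-hosted")    # real code is a ServiceDll the log does not show
    return entry


def triage_log(text):
    """Map service name -> flags for every service line in a ComboFix-style log excerpt."""
    entries = [e for e in (parse_line(ln) for ln in text.splitlines()) if e]
    return {e.name: triage(e).flags for e in entries}


if __name__ == "__main__":
    for name, flags in triage_log(SAMPLE_LOG).items():
        print(f"{name:10s} {', '.join(flags) or 'no flags'}")
```

Entries with no flags (the AVG and D-Link drivers here) still deserve a glance, but the flagged ones are where the file upload or hash check should start.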
  8. 2008/11/19
    helpme2008

    No, my dad does not use or play any games. I tried to copy and paste the file onto a flash drive to upload to the website. Windows would not allow me to copy it; it says it's being used by another program. Tried to copy it in Safe Mode -- but, same error. Interesting, I do not get the RUNDLL error message in Safe Mode.

    I need to drag the computer to the router to get it connected later on tonight.
     
  9. 2008/11/19
    helpme2008

    Geri,

    This is the answer from the Jotti Scan:

    The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
     
  10. 2008/11/19
    helpme2008

    Regarding the Jotti Scan, I don't have a firewall on the computer and I couldn't copy the file from the File Explorer. So, not sure if it's malware or not.

    Also, I realized I didn't copy:

    File::
    c:\windows\system32\test3.exe
    c:\windows\system32\test2.exe
    c:\windows\system32\test1.exe

    from your CFScript.txt above.

    I've copied the whole thing again and am running ComboFix with it.

    Also, when I moved the computer down, I hooked it to the network. It tried to go to your website and my mouse locked up 5 minutes in, and I couldn't get control back while the HD light was going wild. 5 minutes later, I just shut the computer down.
     
  11. 2008/11/19
    helpme2008

    After the ComboFix run, I still have that error message. Also, with the computer connected to the network, I d/led RSIT again and I am getting the same error.

    The Combofix log:

    ComboFix 08-11-16.04 - DSC 2008-11-19 22:26:59.6 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.936.1.1033.18.284 [GMT -5:00]
    执行位置: c:\documents and settings\DSC\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\DSC\Desktop\CFScript.txt
    * 成功创造还原点

    注意 - 这台电脑没有安装恢复控制台 ！！

    FILE ::
    c:\windows\system32\test1.exe
    c:\windows\system32\test2.exe
    c:\windows\system32\test3.exe
    .

    ((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\test1.exe
    c:\windows\system32\test2.exe
    c:\windows\system32\test3.exe

    .
    ((((((((((((((((((((((((( 2008-10-20 至 2008-11-20 的新档案 )))))))))))))))))))))))))))))))
    .

    2008-11-19 21:56 . 2008-11-19 21:56 <DIR> d-------- c:\windows\LastGood
    2008-11-18 21:49 . 2008-11-18 21:50 1,393 --a------ c:\windows\imsins.BAK
    2008-11-17 01:47 . 2008-11-17 01:47 <DIR> d-------- c:\temp\dial
    2008-11-16 19:26 . 2008-11-16 19:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2008-11-16 19:26 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-11-16 19:26 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2008-11-16 17:38 . 2008-11-18 09:34 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-11-16 17:35 . 2008-11-16 17:35 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
    2008-11-16 17:35 . 2008-11-16 17:35 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2008-11-16 17:34 . 2008-11-19 21:44 <DIR> d-------- c:\windows\system32\drivers\Avg
    2008-11-16 17:34 . 2008-11-16 17:34 <DIR> d-------- c:\program files\AVG
    2008-11-16 17:34 . 2008-11-16 17:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
    2008-11-16 17:34 . 2008-11-16 17:34 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
    2008-11-16 12:40 . 2008-11-16 12:40 <DIR> d-------- C:\rsit
    2008-11-16 01:18 . 2005-03-15 20:11 283,904 -ra------ c:\windows\system32\drivers\A5AGU.sys
    2008-11-16 01:18 . 2005-03-15 20:11 143,688 -ra------ c:\windows\system32\drivers\ar5523.bin
    2008-11-16 01:18 . 2005-03-15 20:11 43,392 -ra------ c:\windows\system32\drivers\Athfmwdl.sys
    2008-11-16 01:00 . 2008-11-16 01:00 <DIR> d-------- c:\program files\ANI
    2008-11-16 01:00 . 2004-07-27 11:20 36,864 --a------ c:\windows\system32\ANIOApi.dll
    2008-11-16 01:00 . 2004-07-27 11:20 28,205 --a------ c:\windows\system32\ANIO.sys
    2008-11-16 01:00 . 2004-07-27 11:20 16,997 --a------ c:\windows\system32\ANIO.VXD
    2008-11-16 01:00 . 2004-07-27 11:20 11,904 --a------ c:\windows\system32\anio4.sys
    2008-11-16 00:56 . 2008-11-16 00:56 <DIR> d-------- c:\program files\D-Link

    .
    (((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-18 02:41 --------- d-----w c:\program files\NetZero
    2008-11-17 04:47 --------- d-----w c:\documents and settings\All Users\Application Data\MapQuest Toolbar
    2008-11-16 15:11 --------- d-----w c:\program files\ewido anti-malware
    2008-11-16 07:31 --------- d-----w c:\program files\SUPERAntiSpyware
    2008-11-16 07:16 --------- d-----w c:\program files\Common Files\Real
    2008-11-16 06:47 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-11-16 06:47 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-11-16 06:00 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-10-12 01:00 --------- d-----w c:\documents and settings\DSC\Application Data\Malwarebytes
    2008-10-12 01:00 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-10-12 00:18 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-10-11 22:06 --------- d-----w c:\program files\Panda Security
    2008-10-03 20:25 --------- d-----w c:\documents and settings\NetworkService\Application Data\VOL_TOOLBAR
    2008-09-22 02:31 --------- d-----w c:\program files\Sun
    2008-09-22 02:30 --------- d-----w c:\program files\Java
    2008-09-21 23:46 --------- d-----w c:\program files\Lavasoft
    2008-09-21 23:44 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
    2005-12-20 03:51 184,808 -c--a-w c:\documents and settings\DSC\Application Data\shb.dat
    .

    ((((((((((((((((((((((((((((( snapshot_2008-11-18_22.06.52.12 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2004-08-04 07:56:56 8,192 ----a-w c:\windows\system32\spdwnwxp.exe
    + 2008-04-14 00:12:36 7,680 ----a-w c:\windows\system32\spdwnwxp.exe
    + 2008-11-20 03:19:45 16,384 ----atw c:\windows\temp\Perflib_Perfdata_2d8.dat
    .
    ((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *注意* 空白与合法缺省登录将不会被显示
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate "= "c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2007-03-27 190696]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Lexmark X74-X75 "= "c:\program files\Lexmark X74-X75\lxbbbmgr.exe" [2002-06-24 57344]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
    "IMJPMIG8.1 "= "c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "IMEKRMIG6.1 "= "c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-18 44032]
    "MSPY2002 "= "c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-28 59392]
    "PHIME2002ASync "= "c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 455168]
    "PHIME2002A "= "c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 455168]
    "SunJavaUpdateSched "= "c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "Verizon_McciTrayApp "= "c:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
    "VerizonServicepoint.exe "= "c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 2061816]
    "AVG8_TRAY "= "c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-16 1234712]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=avgrsstx.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
    backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
    --a--c--- 2004-12-14 02:12 483328 c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
    --a--c--- 2004-06-07 11:07 1097728 c:\progra~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2006-10-30 09:36 256576 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
    --a--c--- 2000-07-13 15:00 28739 c:\program files\Microsoft Works\WkDetect.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
    --a--c--- 2004-05-21 09:41 148992 c:\progra~1\Nokia\NOKIAP~1\TRAYAP~1.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Bonjour Service "=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe "=
    "c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe "=
    "c:\\Program Files\\PPLive\\PPLive.exe "=
    "c:\\WINDOWS\\system32\\LEXPPS.EXE "=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe "=

    R0 mtudh;mtud;c:\windows\system32\drivers\mtudh.sys [2004-01-01 23392]
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-10-11 28544]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-16 97928]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-16 875288]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-16 231704]
    R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-16 76040]
    S0 kpqmw;kpqmw;c:\windows\system32\drivers\kpqmw.sys []
    S2 mscrtu;mscrtu;\??\c:\windows\system32\drivers\mscrtu.sys []
    S2 msfkcy;msfkcy;\??\c:\windows\system32\drivers\msfkcy.sys []
    S2 mslbpr;mslbpr;\??\c:\windows\system32\drivers\mslbpr.sys []
    S2 msnhoi;msnhoi;\??\c:\windows\system32\drivers\msnhoi.sys []
    S2 msuwrl;msuwrl;\??\c:\windows\system32\drivers\msuwrl.sys []
    S2 mswhia;mswhia;\??\c:\windows\system32\drivers\mswhia.sys []
    S2 msxulk;msxulk;\??\c:\windows\system32\drivers\msxulk.sys []
    S2 msyzut;msyzut;\??\c:\windows\system32\drivers\msyzut.sys []
    S2 nsbopx;nsbopx;\??\c:\windows\system32\drivers\nsbopx.sys []
    S2 nseoew;nseoew;\??\c:\windows\system32\drivers\nseoew.sys []
    S2 nshpme;nshpme;\??\c:\windows\system32\drivers\nshpme.sys []
    S2 nsjngk;nsjngk;\??\c:\windows\system32\drivers\nsjngk.sys []
    S2 nsnvnr;nsnvnr;\??\c:\windows\system32\drivers\nsnvnr.sys []
    S2 nspkxi;nspkxi;\??\c:\windows\system32\drivers\nspkxi.sys []
    S2 nsqafs;nsqafs;\??\c:\windows\system32\drivers\nsqafs.sys []
    S2 nsumkl;nsumkl;\??\c:\windows\system32\drivers\nsumkl.sys []
    S2 nszset;nszset;\??\c:\windows\system32\drivers\nszset.sys []
    S2 osduiq;osduiq;\??\c:\windows\system32\drivers\osduiq.sys []
    S2 osetgd;osetgd;\??\c:\windows\system32\drivers\osetgd.sys []
    S2 osfpec;osfpec;\??\c:\windows\system32\drivers\osfpec.sys []
    S2 osjygb;osjygb;\??\c:\windows\system32\drivers\osjygb.sys []
    S2 osmopb;osmopb;\??\c:\windows\system32\drivers\osmopb.sys []
    S2 osqszm;osqszm;\??\c:\windows\system32\drivers\osqszm.sys []
    S2 osrhpa;osrhpa;\??\c:\windows\system32\drivers\osrhpa.sys []
    S2 osyjmi;osyjmi;\??\c:\windows\system32\drivers\osyjmi.sys []
    S2 XaWin;XaWin;c:\windows\System32\svchost.exe -k netsvcs [2002-08-01 14336]
    S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\DRIVERS\A5AGU.sys [2008-11-16 283904]
    S3 ATHFMWDL;D-Link predator Bootloader driver;c:\windows\system32\Drivers\ATHFMWDL.sys [2008-11-16 43392]
    S4 hpt3xx;hpt3xx; []

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    XaWin
    .
    ¡®¼Ã†»®ÃˆÃŽÃŽÃ±¡¯ Îļþ¼Ã ÀïµÃ„ÄÚÈÃ

    2008-10-06 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 17:13]
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-19 22:31:43
    Windows 5.1.2600 Service Pack 2 NTFS

    ɨÃ豻Òþ²Ã˜µÃ„½Ã¸³ÃŒ¡£¡£¡£ ...

    ɨÃ豻Òþ²Ã˜µÃ„Æô¶¯Ã—é¡£¡£¡£

    ɨÃ豻Òþ²Ã˜µÃ„Îļþ¡¡£¡£

    ɨÃèÃê³Ã‰
    ±»Ã’þ²Ã˜µÃ„µµ°¸: 0

    **************************************************************************
    .
    Ãê³Ã‰Ãб¼Ã¤: 2008-11-19 22:35:33
    ComboFix-quarantined-files.txt 2008-11-20 03:34:58
    ComboFix2.txt 2008-11-19 03:08:05
    ComboFix3.txt 2008-11-18 14:47:13
    ComboFix4.txt 2008-11-18 05:35:47
    ComboFix5.txt 2008-11-20 03:25:24

    Pre-Run: 20,450,598,912 bytes free
    Post-Run: 20,433,727,488 bytes free

    182 --- E O F --- 2008-11-19 12:37:39
     
  12. 2008/11/19
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK, let's try this again.
    Delete the CFScript you have and run this one.

    Code:
    File::
    c:\windows\system32\drivers\mtudh.sys
    
    RootKit::
    XaWin
    mtudh
    osetgd
    kpqmw
    mscrtu
    msfkcy
    mslbpr
    msnhoi
    msuwrl
    mswhia
    msxulk
    msyzut
    nsbopx
    nseoew
    nshpme
    nsjngk
    nsnvnr
    nspkxi
    nsqafs
    nsumkl
    nszset
    osduiq
    osfpec
    osjygb
    osmopb
    osqszm
    osrhpa
    osyjmi 
    
    Driver::
    XaWin
    mtudh
    osetgd
    kpqmw
    mscrtu
    msfkcy
    mslbpr
    msnhoi
    msuwrl
    mswhia
    msxulk
    msyzut
    nsbopx
    nseoew
    nshpme
    nsjngk
    nsnvnr
    nspkxi
    nsqafs
    nsumkl
    nszset
    osduiq
    osfpec
    osjygb
    osmopb
    osqszm
    osrhpa
    osyjmi 
    Please post the Combofix log.

    Thanks.
     
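    The entries Geri lists in the script above share a few telltales in the posted log: an empty `[]` where ComboFix would normally print the file's date and size, an image path written with the NT `\??\` prefix, a display name that is nothing more than the service name, and, for XaWin, a service that loads inside the `netsvcs` svchost group (and shows up again under `Svchost - NetSvcs`). The following is an added example, not ComboFix's code and not anything posted in this thread, that runs those checks over lines copied from the log. The scoring thresholds and the reason strings are my own assumptions; entries that come out as `review` (mtudh, pavboot, hpt3xx) still need a human look, which is exactly what Geri's inclusion of mtudh shows.

    ```python
    import re
    from dataclasses import dataclass, field
    from typing import List

    # Service/driver lines copied from the ComboFix log posted above; only the
    # grouping of them into one sample string is constructed here.
    SAMPLE_SERVICES = r"""
    R0 mtudh;mtud;c:\windows\system32\drivers\mtudh.sys [2004-01-01 23392]
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-10-11 28544]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-16 97928]
    S0 kpqmw;kpqmw;c:\windows\system32\drivers\kpqmw.sys []
    S2 mscrtu;mscrtu;\??\c:\windows\system32\drivers\mscrtu.sys []
    S2 XaWin;XaWin;c:\windows\System32\svchost.exe -k netsvcs [2002-08-01 14336]
    S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\DRIVERS\A5AGU.sys [2008-11-16 283904]
    S4 hpt3xx;hpt3xx; []
    """

    # ComboFix prefix: R = running, S = stopped; the digit is the Windows Start
    # value (0 boot, 1 system, 2 auto, 3 demand, 4 disabled).
    ENTRY_RE = re.compile(
        r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
        r"(?P<image>.*?)\s*\[(?P<fileinfo>[^\]]*)\]\s*$"
    )


    @dataclass
    class Finding:
        name: str
        start: int
        image: str
        reasons: List[str] = field(default_factory=list)

        @property
        def verdict(self) -> str:
            # Assumed thresholds: two independent telltales make an entry
            # suspicious, one is worth a look, none is left alone.
            if len(self.reasons) >= 2:
                return "suspicious"
            return "review" if self.reasons else "ok"


    def triage_entry(line: str) -> Finding:
        m = ENTRY_RE.match(line.strip())
        if not m:
            raise ValueError(f"not a ComboFix service entry: {line!r}")
        name, display, image = m["name"], m["display"], m["image"]
        f = Finding(name=name, start=int(m["start"]), image=image)
        # Legitimate drivers usually carry a descriptive display name; one that
        # merely repeats (or truncates) the service name is typical of generated entries.
        if not display or name.lower().startswith(display.lower()):
            f.reasons.append("display name is just the service name")
        # Empty [] means ComboFix found no file at the image path while the entry
        # is still set to load; disabled S4 leftovers such as hpt3xx are ignored.
        if not m["fileinfo"] and f.start != 4:
            f.reasons.append("set to load but no file found at the image path")
        # A native NT \??\ path is unusual for the drivers listed in this log.
        if image.startswith("\\??\\"):
            f.reasons.append("image path uses the NT \\??\\ prefix")
        # A service riding in a shared svchost group hides its real DLL from this
        # line; the ServiceDll value has to be checked separately.
        if "svchost.exe -k" in image.lower():
            f.reasons.append("hosted inside a shared svchost group")
        return f


    def triage(log_text: str) -> List[Finding]:
        return [triage_entry(l) for l in log_text.splitlines() if l.strip()]


    def suspicious_names(log_text: str) -> List[str]:
        return [f.name for f in triage(log_text) if f.verdict == "suspicious"]


    if __name__ == "__main__":
        for f in triage(SAMPLE_SERVICES):
            print(f"{f.verdict:10} {f.name:10} {'; '.join(f.reasons)}")
    ```

    Run as a script it prints one verdict per line. The heuristics deliberately stop short of calling an entry bad on the name alone: `pavboot` (Panda's boot driver, present on disk with a date and size) and `hpt3xx` (a disabled S4 entry) look no different from the rootkit entries by name, which is why they come out as `review` rather than `suspicious`.
    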
  13. 2008/11/20
    helpme2008

    helpme2008 Inactive Thread Starter

    Joined:
    2008/11/16
    Messages:
    46
    Likes Received:
    0
    Geri,

    I think that did the trick. The error message is gone and when I launch IE I can change my start page now.

    Please check my latest ComboFix.log!

    ComboFix 08-11-16.04 - DSC 2008-11-20 10:56:48.7 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.936.1.1033.18.357 [GMT -5:00]
    Ö´ÃÃÃŽ»Ã–Ã: c:\documents and settings\DSC\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\DSC\Desktop\CFScript.txt
    * ³Ã‰¹¦´´Ã”ìû¹Ã”*µÃ£

    עÒâ - Õą̂µÃ§Ã„ÔûÓð²Ã—°»Ã–¸´¿Ã˜Ã–ÆÌ¨ £¡£¡

    FILE ::
    c:\windows\system32\drivers\mtudh.sys
    .

    ((((((((((((((((((((((((((((((((((((((( ±»Ã‰¾³Ã½µÃ„µµ°¸ )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\drivers\mtudh.sys

    .
    ((((((((((((((((((((((((((((((((((((((( Çý¶¯/·Ã¾ÃŽÃ± )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_KPQMW
    -------\Legacy_MSCRTU
    -------\Legacy_MSFKCY
    -------\Legacy_MSLBPR
    -------\Legacy_MSNHOI
    -------\Legacy_MSUWRL
    -------\Legacy_MSWHIA
    -------\Legacy_MSXULK
    -------\Legacy_MSYZUT
    -------\Legacy_MTUDH
    -------\Legacy_NSBOPX
    -------\Legacy_NSEOEW
    -------\Legacy_NSHPME
    -------\Legacy_NSJNGK
    -------\Legacy_NSNVNR
    -------\Legacy_NSPKXI
    -------\Legacy_NSQAFS
    -------\Legacy_NSUMKL
    -------\Legacy_NSZSET
    -------\Legacy_OSDUIQ
    -------\Legacy_OSETGD
    -------\Legacy_OSFPEC
    -------\Legacy_OSJYGB
    -------\Legacy_OSMOPB
    -------\Legacy_OSQSZM
    -------\Legacy_OSRHPA
    -------\Legacy_OSYJMI
    -------\Legacy_XAWIN
    -------\Service_kpqmw
    -------\Service_mscrtu
    -------\Service_msfkcy
    -------\Service_mslbpr
    -------\Service_msnhoi
    -------\Service_msuwrl
    -------\Service_mswhia
    -------\Service_msxulk
    -------\Service_msyzut
    -------\Service_mtudh
    -------\Service_nsbopx
    -------\Service_nseoew
    -------\Service_nshpme
    -------\Service_nsjngk
    -------\Service_nsnvnr
    -------\Service_nspkxi
    -------\Service_nsqafs
    -------\Service_nsumkl
    -------\Service_nszset
    -------\Service_osduiq
    -------\Service_osetgd
    -------\Service_osfpec
    -------\Service_osjygb
    -------\Service_osmopb
    -------\Service_osqszm
    -------\Service_osrhpa
    -------\Service_osyjmi
    -------\Service_XaWin


    ((((((((((((((((((((((((( 2008-10-20 Öà 2008-11-20 µÃ„õĵµ°¸ )))))))))))))))))))))))))))))))
    .

    2008-11-18 21:49 . 2008-11-18 21:50 1,393 --a------ c:\windows\imsins.BAK
    2008-11-17 01:47 . 2008-11-17 01:47 <DIR> d-------- c:\temp\dial
    2008-11-16 19:26 . 2008-11-16 19:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2008-11-16 19:26 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-11-16 19:26 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2008-11-16 17:38 . 2008-11-20 10:54 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-11-16 17:35 . 2008-11-16 17:35 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
    2008-11-16 17:35 . 2008-11-16 17:35 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2008-11-16 17:34 . 2008-11-19 21:44 <DIR> d-------- c:\windows\system32\drivers\Avg
    2008-11-16 17:34 . 2008-11-16 17:34 <DIR> d-------- c:\program files\AVG
    2008-11-16 17:34 . 2008-11-16 17:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
    2008-11-16 17:34 . 2008-11-16 17:34 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
    2008-11-16 12:40 . 2008-11-16 12:40 <DIR> d-------- C:\rsit
    2008-11-16 01:18 . 2005-03-15 20:11 283,904 -ra------ c:\windows\system32\drivers\A5AGU.sys
    2008-11-16 01:18 . 2005-03-15 20:11 143,688 -ra------ c:\windows\system32\drivers\ar5523.bin
    2008-11-16 01:18 . 2005-03-15 20:11 43,392 -ra------ c:\windows\system32\drivers\Athfmwdl.sys
    2008-11-16 01:00 . 2008-11-16 01:00 <DIR> d-------- c:\program files\ANI
    2008-11-16 01:00 . 2004-07-27 11:20 36,864 --a------ c:\windows\system32\ANIOApi.dll
    2008-11-16 01:00 . 2004-07-27 11:20 28,205 --a------ c:\windows\system32\ANIO.sys
    2008-11-16 01:00 . 2004-07-27 11:20 16,997 --a------ c:\windows\system32\ANIO.VXD
    2008-11-16 01:00 . 2004-07-27 11:20 11,904 --a------ c:\windows\system32\anio4.sys
    2008-11-16 00:56 . 2008-11-16 00:56 <DIR> d-------- c:\program files\D-Link

    .
    (((((((((((((((((((((((((((((((((((((((( ÔÚÈý¸Ã¶Ã”ÂÄÚ±»Ã޸ĵĵµ°¸ ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-20 12:54 --------- d-----w c:\program files\Verizon
    2008-11-18 02:41 --------- d-----w c:\program files\NetZero
    2008-11-17 04:47 --------- d-----w c:\documents and settings\All Users\Application Data\MapQuest Toolbar
    2008-11-16 15:11 --------- d-----w c:\program files\ewido anti-malware
    2008-11-16 07:31 --------- d-----w c:\program files\SUPERAntiSpyware
    2008-11-16 07:16 --------- d-----w c:\program files\Common Files\Real
    2008-11-16 06:47 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-11-16 06:47 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-11-16 06:00 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-10-12 01:00 --------- d-----w c:\documents and settings\DSC\Application Data\Malwarebytes
    2008-10-12 01:00 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-10-12 00:18 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-10-11 22:06 --------- d-----w c:\program files\Panda Security
    2008-10-03 20:25 --------- d-----w c:\documents and settings\NetworkService\Application Data\VOL_TOOLBAR
    2008-09-22 02:31 --------- d-----w c:\program files\Sun
    2008-09-22 02:30 --------- d-----w c:\program files\Java
    2008-09-21 23:46 --------- d-----w c:\program files\Lavasoft
    2008-09-21 23:44 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
    2005-12-20 03:51 184,808 -c--a-w c:\documents and settings\DSC\Application Data\shb.dat
    .

    ((((((((((((((((((((((((((((( snapshot_2008-11-18_22.06.52.12 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2004-08-04 07:56:56 8,192 ----a-w c:\windows\system32\spdwnwxp.exe
    + 2008-04-14 00:12:36 7,680 ----a-w c:\windows\system32\spdwnwxp.exe
    .
    -- ¿Ã¬Ã•Õ¼¼ÃŠÃµÃ–ØÃÂÉèÖà --
    .
    ((((((((((((((((((((((((((((((((((((( ÖØÒªµÃ‡ÃˆÃ«µÃ£ ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *עÒâ* ¿Ã•°Ã—ÓëºÃ·¨Ãˆ±ÃŠ¡µÃ‡Ã‚¼½«²»»Ã¡±»ÃÔʾ
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Lexmark X74-X75 "= "c:\program files\Lexmark X74-X75\lxbbbmgr.exe" [2002-06-24 57344]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
    "IMJPMIG8.1 "= "c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "IMEKRMIG6.1 "= "c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-18 44032]
    "MSPY2002 "= "c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-28 59392]
    "PHIME2002ASync "= "c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 455168]
    "PHIME2002A "= "c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 455168]
    "SunJavaUpdateSched "= "c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "Verizon_McciTrayApp "= "c:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
    "AVG8_TRAY "= "c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-16 1234712]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=avgrsstx.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
    backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
    --a--c--- 2004-12-14 02:12 483328 c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
    --a--c--- 2004-06-07 11:07 1097728 c:\progra~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2006-10-30 09:36 256576 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
    --a--c--- 2000-07-13 15:00 28739 c:\program files\Microsoft Works\WkDetect.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
    --a--c--- 2004-05-21 09:41 148992 c:\progra~1\Nokia\NOKIAP~1\TRAYAP~1.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Bonjour Service "=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe "=
    "c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe "=
    "c:\\Program Files\\PPLive\\PPLive.exe "=
    "c:\\WINDOWS\\system32\\LEXPPS.EXE "=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe "=

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-10-11 28544]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-16 97928]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-16 875288]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-16 231704]
    R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-16 76040]
    S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\DRIVERS\A5AGU.sys [2008-11-16 283904]
    S3 ATHFMWDL;D-Link predator Bootloader driver;c:\windows\system32\Drivers\ATHFMWDL.sys [2008-11-16 43392]
    S4 hpt3xx;hpt3xx; []
    .
    ¡®¼Ã†»®ÃˆÃŽÃŽÃ±¡¯ Îļþ¼Ã ÀïµÃ„ÄÚÈÃ

    2008-10-06 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 17:13]
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-20 11:04:23
    Windows 5.1.2600 Service Pack 2 NTFS

    ɨÃ豻Òþ²Ã˜µÃ„½Ã¸³ÃŒ¡£¡£¡£ ...

    ɨÃ豻Òþ²Ã˜µÃ„Æô¶¯Ã—é¡£¡£¡£

    ɨÃ豻Òþ²Ã˜µÃ„Îļþ¡£¡£¡£

    ɨÃèÃê³Ã‰
    ±»Ã’þ²Ã˜µÃ„µµ°¸: 0

    **************************************************************************
    .
    ------------------------ ÆäËûÔËÃýø³ÃŒ ------------------------
    .
    c:\windows\system32\LEXBCES.EXE
    c:\windows\system32\LEXPPS.EXE
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\system32\conime.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Lexmark X7X75\lxbbbmon.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\AVG\AVG8\avgtray.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    .
    **************************************************************************
    .
    Ãê³Ã‰Ãб¼Ã¤: 2008-11-20 11:11:02 - µÃ§Ã„ÔÒÑÖØÃÂÆô¶¯
    ComboFix-quarantined-files.txt 2008-11-20 16:10:41
    ComboFix2.txt 2008-11-20 03:35:37
    ComboFix3.txt 2008-11-19 03:08:05
    ComboFix4.txt 2008-11-18 14:47:13
    ComboFix5.txt 2008-11-20 15:55:24

    Pre-Run: 20,832,935,936 bytes free
    Post-Run: 20,817,981,440 bytes free

    218 --- E O F --- 2008-11-20 12:48:02
     
  14. 2008/11/20
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK good.
    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

    c:\windows\imsins.BAK
    c:\temp\dial
    c:\documents and settings\DSC\Application Data\shb.dat


    Empty your recycle bin.

    Can you tell me what these say?

    ɨÃ豻Òþ²Ã˜µÃ„½Ã¸³ÃŒ¡£¡£¡£ ...

    ɨÃ豻Òþ²Ã˜µÃ„Æô¶¯Ã—é¡£¡£¡£

    ɨÃ豻ÒþصÄÎļþ¡£¡£¡£

    ɨÃèÃê³Ã‰
    ±»Ã’þ²Ã˜µÃ„µµ°¸: 0

    Thanks
     
  15. 2008/11/20
    helpme2008

    helpme2008 Inactive Thread Starter

    Joined:
    2008/11/16
    Messages:
    46
    Likes Received:
    0
    Thanks, Geri. I've shut the computer down, but will remove those files in the morning. As for the funny characters... they're Chinese characters. For some odd reason, when I ran ComboFix, the Chinese translation came out. That's how it copied. I'm not fluent like my dad, so I've just been clicking ok.. and yes to any ComboFix prompt. =)
     
  16. 2008/11/20
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK, is there a way you could ask your dad?

    Those are showing in a Rootkit scanner that CF uses, so I don't know if they are OK or bad.

    What is the E Drive on the machine?
     
  17. 2008/11/21
    helpme2008

    helpme2008 Inactive Thread Starter

    Joined:
    2008/11/16
    Messages:
    46
    Likes Received:
    0
    Hi Geri,

    I'll have to make a visit to my dad's house to get the message deciphered. The E drive is the flash drive I was putting the CFScript.txt on, since I was trying to keep it off the network.
     
  18. 2008/11/21
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK let me know what you find out.

    See if RSIT will download and run now. If so please post the logs.

    Try to get a new one, not the one on your flash drive.

    Thanks
     
  19. 2008/11/21
    helpme2008

    helpme2008 Inactive Thread Starter

    Joined:
    2008/11/16
    Messages:
    46
    Likes Received:
    0
    hi Geri,

    I connected my dad's computer to the web and d/led RSIT. Same error.
     
  20. 2008/11/21
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK thanks. :(

    Let's get an online scan; you will need to connect your dad's computer to the net to do this. It may take a while to scan.

    Please do this.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Now the scan.

    Please do an online scan with Kaspersky WebScanner

    It's best to disable real time protection applications as they sometimes interfere with the scan.
    Check this link for any applicable programs you may have.

    Click on "Accept" if your pop-up blocker blocks any windows from opening.

    Click Run on the window that opens.
    Windows Vista users you must open the web browser using the Run as Administrator command.
    • The program will launch and then begin downloading the latest definition files:
    • Under Scan on the left side, click on My Computer.
    • This will start the program and scan your system.
    • Click the "Scan Report" On the left side.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type Text file. Click OK to save the file.
    • Save the text file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    Thanks
     
  21. 2008/11/24
    helpme2008

    helpme2008 Inactive Thread Starter

    Joined:
    2008/11/16
    Messages:
    46
    Likes Received:
    0
    Geri,

    I ran Kaspersky first and the log is below. Also, I realized I didn't delete the directories you wanted -- did that AFTER the Kaspersky run. Also, since then, I've cleared my old Windows Savepoints and just created one new one.

    The Kaspersky log is below:

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Monday, November 24, 2008
    Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Monday, November 24, 2008 01:50:45
    Records in database: 1406501
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\

    Scan statistics:
    Files scanned: 50317
    Threat name: 10
    Infected objects: 12
    Suspicious objects: 0
    Duration of the scan: 03:45:41


    File name / Threat name / Threats count
    C:\Program Files\QuickTime\QuickTimeUpdater.exe Infected: Virus.Win9x.CIH.dam 1
    C:\Qoobox\Quarantine\C\toskngr.exe.vir Infected: Trojan-Downloader.Win32.VB.ibk 1
    C:\Qoobox\Quarantine\C\WINDOWS\qqshel.exe.vir Infected: Trojan.Win32.BHO.gtt 1
    C:\Qoobox\Quarantine\C\WINDOWS\system\zyndld32081012.dll.vir Infected: Worm.Win32.AutoRun.qoa 1
    C:\Qoobox\Quarantine\C\WINDOWS\system\zyndld32081012jt.dll.vir Infected: Worm.Win32.AutoRun.qoa 1
    C:\Qoobox\Quarantine\C\WINDOWS\system\zyndle081012.exe.vir Infected: Worm.Win32.AutoRun.qoc 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\sslsocket.dll.vir Infected: not-a-virus:AdWare.Win32.Cinmus.vog 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\test1.exe.vir Infected: Trojan-Spy.Win32.Flux.arm 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\test3.exe.vir Infected: Trojan-Spy.Win32.Pophot.cse 1
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\JZEV290S\01[1].kdg Infected: not-a-virus:AdWare.Win32.Cinmus.wsa 1
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\JZEV290S\logo1[2].gif Infected: Trojan.Win32.Shutdowner.awy 1
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MJHPGFWM\logo1[1].gif Infected: Trojan.Win32.Shutdowner.awy 1

    The selected area was scanned.
     
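    Reading the report above the way a helper would: ComboFix moves the files it removes into C:\Qoobox\Quarantine (renamed with a .vir extension), so the eight hits there are copies that are already out of place and no longer run; the three Temporary Internet Files entries are cached downloads under the system profile; that leaves one detection on a live file. The following is an added example, not Kaspersky's code and not anything from the thread, that parses lines copied from the report and splits them by location. The location labels and the path tests are my own assumptions.

    ```python
    import re
    from collections import Counter
    from dataclasses import dataclass
    from typing import Dict, List

    # Detection lines copied from the Kaspersky report posted above.
    KASPERSKY_REPORT = r"""
    C:\Program Files\QuickTime\QuickTimeUpdater.exe Infected: Virus.Win9x.CIH.dam 1
    C:\Qoobox\Quarantine\C\toskngr.exe.vir Infected: Trojan-Downloader.Win32.VB.ibk 1
    C:\Qoobox\Quarantine\C\WINDOWS\qqshel.exe.vir Infected: Trojan.Win32.BHO.gtt 1
    C:\Qoobox\Quarantine\C\WINDOWS\system\zyndld32081012.dll.vir Infected: Worm.Win32.AutoRun.qoa 1
    C:\Qoobox\Quarantine\C\WINDOWS\system\zyndld32081012jt.dll.vir Infected: Worm.Win32.AutoRun.qoa 1
    C:\Qoobox\Quarantine\C\WINDOWS\system\zyndle081012.exe.vir Infected: Worm.Win32.AutoRun.qoc 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\sslsocket.dll.vir Infected: not-a-virus:AdWare.Win32.Cinmus.vog 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\test1.exe.vir Infected: Trojan-Spy.Win32.Flux.arm 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\test3.exe.vir Infected: Trojan-Spy.Win32.Pophot.cse 1
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\JZEV290S\01[1].kdg Infected: not-a-virus:AdWare.Win32.Cinmus.wsa 1
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\JZEV290S\logo1[2].gif Infected: Trojan.Win32.Shutdowner.awy 1
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MJHPGFWM\logo1[1].gif Infected: Trojan.Win32.Shutdowner.awy 1
    """

    # "<path> Infected: <threat name> <count>"; the path itself may contain spaces,
    # so it is matched lazily up to the "Infected:" marker.
    DETECTION_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")


    @dataclass
    class Detection:
        path: str
        threat: str
        count: int
        location: str  # "quarantined", "browser-cache" or "live" (assumed labels)


    def classify_path(path: str) -> str:
        p = path.lower()
        # ComboFix's own quarantine folder: the file was already moved out of place.
        if p.startswith("c:\\qoobox\\quarantine\\"):
            return "quarantined"
        # Browser cache under any profile: a downloaded object, not an installed file.
        if "\\temporary internet files\\" in p:
            return "browser-cache"
        return "live"


    def parse_report(text: str) -> List[Detection]:
        found = []
        for line in text.splitlines():
            m = DETECTION_RE.match(line.strip())
            if m:
                found.append(Detection(m["path"], m["threat"], int(m["count"]),
                                       classify_path(m["path"])))
        return found


    def summarize(detections: List[Detection]) -> Dict[str, int]:
        return dict(Counter(d.location for d in detections))


    def live_paths(detections: List[Detection]) -> List[str]:
        return [d.path for d in detections if d.location == "live"]


    if __name__ == "__main__":
        dets = parse_report(KASPERSKY_REPORT)
        print(summarize(dets))
        for d in dets:
            print(f"{d.location:14} {d.threat:45} {d.path}")
    ```

    The point of the split is where the next action goes: the quarantined copies disappear when ComboFix is uninstalled, the cache entries go with a temp-file clean such as the ATF Cleaner run Geri asked for, and only the live path needs its own decision.
    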
