Question

Killer.exe Trojan, the firewall killer

Asked by: vegetasharma

OS: Windows XP SP2

The virus named killer.exe resides at c:\windows\killer.exe. It is a firewall killer which does not
let me install most anti-virus and anti-spyware tools.

Please help me to get rid of this.

I tried KillBox, XoftSpy, Spy Sweeper, Ad-Aware and Spybot S&D without success.
Please, I badly need your help.

This question has been solved and the asker verified the solution.

Asked on: 2008-01-14 at 21:57:09 (ID 23083086)
Topics: Proxy/Firewall Anti-Virus, Anti-Virus, Microsoft Operating Systems
Participating experts: 6
Points: 500
Comments: 37



Answers

 

by: Umbi, posted on 2008-01-14 at 22:27:46 (ID: 20660554)

First off, make sure you boot into Safe Mode when you try to delete the .exe.

Then check your registry to make sure it's not loading when you boot:
run regedit and check the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run folder and see if killer.exe is trying to load from there. If it is, delete the key (back up your registry before you make any changes).
Also check your startup programs from the Start button: Start - Programs - Startup.

Once you've managed to stop it from loading, you can boot up normally and install AV software to fully remove it.

 

by: top_rung, posted on 2008-01-14 at 22:44:28 (ID: 20660603)

Also, as a tool, you can install 'Autoruns' from Sysinternals:

http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Once in Safe Mode as suggested, follow the instructions posted here (specifically the section titled "How to Remove These Infections"):

http://www.bleepingcomputer.com/tutorials/tutorial101.html

 

by: IndiGenus, posted on 2008-01-15 at 03:30:14 (ID: 20661595)

SDFix will also remove this, I believe...

Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double-click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
  • Instead of Windows loading as normal, a menu with options should appear.
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Open the SDFix folder and double-click on RunThis.bat to start the script.
Type Y and press Enter to begin the script.
It will start cleaning your PC and then prompt you to press any key to reboot.
Press any key to restart the PC.
Your system will take longer than normal to restart, as the fixtool will be removing files.
When the desktop loads, the fixtool will complete the removal and display "Finished".
Press any key to end the script and to load your desktop icons.

 

 

by: arshad_dell, posted on 2008-01-15 at 04:38:35 (ID: 20661938)

Please follow the instructions below to run ComboFix.
Download this file: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double-click combofix.exe and follow the prompts.
When finished, it will produce a log for you. Attach this log in the thread you are working in.
Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Also try running IceSword and try deleting that file. It seems like a rootkit; if it doesn't delete, try in Safe Mode.
http://sheiky.net/tools/icesword.exe

 

by: vegetasharma, posted on 2008-01-15 at 05:07:23 (ID: 20662138)

The file is too dangerous. The file killer.exe does not let me open regedit.
As I told you, it is a firewall killer, you know :)

But thanks for posting in this thread. You guys gave me new solutions; now let me try all of these.

I will let you know, ok?

 

by: vegetasharma, posted on 2008-01-15 at 05:13:57 (ID: 20662196)

HijackThis Log file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:43:28 PM, on 1/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\killer.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\smss.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe
D:\oracle\ora90\bin\agntsrvc.exe
D:\oracle\ora90\BIN\TNSLSNR.exe
C:\WINDOWS\system32\cmd.exe
D:\oracle\ora90\bin\dbsnmp.exe
d:\oracle\ora90\bin\ORACLE.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\JetAudio\JetAudio.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\NoAdware5.0\NoAdware5.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
F2 - REG:system.ini: Shell=explorer.exe, killer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, explorer.exe
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKLM\..\Run: [wsaeclt] C:\WINDOWS\wsaeclt.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" -boot
O4 - HKLM\..\Run: [SNM] "C:\Program Files\SpyNoMore\SNM.exe" /startup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [SpyEmergency] "C:\Program Files\NETGATE\Spy Emergency 2007\SpyEmergency.exe"
O4 - HKCU\..\Run: [Runonce] C:\WINDOWS\smss.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: lsass.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{259412EA-5E26-49A5-9ED1-87A3A56BDE8D}: NameServer = 218.248.240.23 218.248.240.135
O17 - HKLM\System\CS2\Services\Tcpip\..\{259412EA-5E26-49A5-9ED1-87A3A56BDE8D}: NameServer = 218.248.240.23 218.248.240.135
O18 - Protocol: x-cnote - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\system32\hsppp.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Oracle OLAP 9.0.1.0.1 (OLAPServer) - Oracle Corporation - D:\oracle\ora90\bin\xsolap.exe
O23 - Service: Oracle OLAP Agent - Unknown owner - D:\oracle\ora90\bin\xsaagent.exe
O23 - Service: OracleOraHome90Agent - Oracle Corporation - D:\oracle\ora90\bin\agntsrvc.exe
O23 - Service: OracleOraHome90ClientCache - Unknown owner - D:\oracle\ora90\BIN\ONRSD.EXE
O23 - Service: OracleOraHome90PagingServer - Unknown owner - D:\oracle\ora90/bin/pagntsrv.exe
O23 - Service: OracleOraHome90SNMPPeerEncapsulator - Unknown owner - D:\oracle\ora90\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome90SNMPPeerMasterAgent - Unknown owner - D:\oracle\ora90\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome90TNSListener - Unknown owner - D:\oracle\ora90\BIN\TNSLSNR.exe
O23 - Service: OracleServiceVEGETA - Oracle Corporation - d:\oracle\ora90\bin\ORACLE.EXE
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Visibroker Smart Agent (xsSmartAgent) - Unknown owner - D:\oracle\ora90\bin\osagent.exe

--
End of file - 7737 bytes
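The log above already contains the answers to the checks Umbi and top_rung describe doing by hand (the system.ini Shell= line, the Run/RunOnce keys, the Startup folders, and processes named like core Windows binaries but running from the wrong directory). The script below is an added example, not part of the thread and not HijackThis code, that applies those checks to HijackThis-format lines. The sample lines are copied from the posted log; the list of "System32-only" process names, the severity labels, and the rule that a loader sitting directly in the Windows directory deserves a look are this example's own assumptions, not anything HijackThis itself decides.

```python
"""Triage a HijackThis v2 log for the persistence points a manual clean-up
checks: system.ini Shell=/UserInit=, Run/RunOnce keys, Startup folders, and
running processes that mimic core Windows binaries from the wrong path.
Sample lines are copied from the log posted in the thread."""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "severity line reason")

# Assumption of this example: on XP these names legitimately run only from
# %WINDIR%\System32. Anything else with the same name is a mimic.
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe"}
SYSTEM32 = "c:\\windows\\system32\\"
WINDIR = "c:\\windows\\"

SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\killer.exe
C:\WINDOWS\smss.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe

F2 - REG:system.ini: Shell=explorer.exe, killer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, explorer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [wsaeclt] C:\WINDOWS\wsaeclt.exe
O4 - HKCU\..\Run: [Runonce] C:\WINDOWS\smss.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: lsass.exe
"""


def basename(path):
    """Lower-cased file name of a Windows path, quotes stripped."""
    path = path.strip().strip('"')
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(path):
    """A core-process name running from anywhere but System32 is a mimic."""
    name = basename(path)
    if name in SYSTEM32_ONLY and not path.lower().startswith(SYSTEM32):
        return Finding("high", path, "%s running outside System32 (mimics a core process)" % name)
    return None


def check_f2(line):
    """Shell= must be explorer.exe alone; UserInit= should be userinit.exe alone."""
    m = re.match(r"F2 - REG:system\.ini: (\w+)=(.*)", line)
    if not m:
        return None
    key, value = m.group(1), m.group(2)
    entries = [basename(e) for e in value.split(",") if e.strip()]
    expected = {"shell": "explorer.exe", "userinit": "userinit.exe"}.get(key.lower())
    extra = [e for e in entries if e != expected]
    if not extra:
        return None
    if key.lower() == "shell":
        return Finding("high", line, "extra Shell= loader(s): %s" % ", ".join(extra))
    return Finding("medium", line, "extra %s= entries to review: %s" % (key, ", ".join(extra)))


def check_o4(line):
    """Run keys and Startup folders: flag core-name mimics and loaders in %WINDIR% root."""
    m = re.match(r"O4 - (.*?): (?:\[[^\]]*\] )?(.*)", line)
    if not m:
        return None
    location, command = m.groups()
    target = command.split(" = ", 1)[-1].strip()          # drop "name.lnk = "
    exe = re.match(r'"?([^"]*?\.exe)"?', target, re.IGNORECASE)  # drop switches
    target_path = exe.group(1) if exe else target
    name, lower = basename(target_path), target_path.lower()
    if name in SYSTEM32_ONLY and not lower.startswith(SYSTEM32):
        return Finding("high", line, "%s autostart from %s mimics a core process" % (name, location))
    if lower.startswith(WINDIR) and "\\" not in lower[len(WINDIR):]:
        return Finding("medium", line, "autostart binary sits directly in the Windows directory")
    return None


def triage(log_text):
    """Walk the log once; the process list ends at the first blank line."""
    findings, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:
            in_processes = False
            continue
        if in_processes:
            f = check_process(line)
        elif line.startswith("F2 - "):
            f = check_f2(line)
        elif line.startswith("O4 - "):
            f = check_o4(line)
        else:
            f = None
        if f:
            findings.append(f)
    return findings


def severity_counts(findings):
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (f.severity.upper(), f.reason, f.line))
```

On the posted log this flags killer.exe via the Shell= line, C:\WINDOWS\smss.exe and the Startup-folder lsass.exe both as running processes and as autostart entries, and wsaeclt.exe only as "worth a look"; it says nothing about the legitimately installed Program Files entries. Anything the script flags is still only a lead: confirm each file before deleting it, as the thread's experts do.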

 

by: vegetasharma, posted on 2008-01-15 at 05:25:58 (ID: 20662286)

This is the log of ComboFix.

ComboFix 08-01-15.4 - abc 2008-01-15 18:47:07.1 - FAT32 x86
Running from: C:\Documents and Settings\abc\Desktop\ComboFix.exe

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
The following files were disabled during the run:
C:\Program Files\NoAdware5.0\nutils.dll
C:\Program Files\NoAdware5.0\nutils.dll


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\smss.exe
C:\WINDOWS\autorun.inf
C:\WINDOWS\smss.exe

.
(((((((((((((((((((((((((   Files Created from 2007-12-15 to 2008-01-15  )))))))))))))))))))))))))))))))
.

2008-01-15 18:50 . 2008-01-15 18:50      <DIR>      d--------      C:\log
2008-01-15 18:46 . 2000-08-31 08:00      51,200      --a------      C:\WINDOWS\NirCmd.exe
2008-01-15 18:22 . 2008-01-15 18:22      <DIR>      d--------      C:\Program Files\NoAdware5.0
2008-01-15 17:17 . 2008-01-15 17:17      <DIR>      d--------      C:\WINDOWS\LastGood.Tmp
2008-01-15 17:11 . 2008-01-15 17:14      7,978      --a------      C:\WINDOWS\Ascd_tmp.ini
2008-01-15 17:11 . 2005-04-28 10:00      5,824      --a------      C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2008-01-15 15:18 . 2008-01-11 18:24      229,621      -rahs----      C:\WINDOWS\killer.exe
2008-01-15 14:56 . 2008-01-15 14:56      <DIR>      d--------      C:\WINDOWS\SxsCaPendDel
2008-01-15 14:33 . 2008-01-15 18:50      144      -rahs----      C:\autorun.inf
2008-01-15 12:33 . 2008-01-15 12:33      <DIR>      d--hs----      C:\FOUND.005
2008-01-15 12:23 . 2008-01-15 12:23      <DIR>      d--------      C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-01-15 11:45 . 2008-01-15 11:45      <DIR>      d--------      C:\Program Files\SUPERAntiSpyware
2008-01-15 11:45 . 2008-01-15 11:45      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-15 11:45 . 2008-01-15 11:45      <DIR>      d--------      C:\Documents and Settings\abc\Application Data\SUPERAntiSpyware.com
2008-01-15 11:29 . 2007-09-05 23:22      289,144      --a------      C:\WINDOWS\system32\VCCLSID.exe
2008-01-15 11:29 . 2006-04-27 16:49      288,417      --a------      C:\WINDOWS\system32\SrchSTS.exe
2008-01-15 11:29 . 2007-12-20 23:11      81,920      --a------      C:\WINDOWS\system32\IEDFix.exe
2008-01-15 11:29 . 2003-06-05 20:13      53,248      --a------      C:\WINDOWS\system32\Process.exe
2008-01-15 11:29 . 2004-07-31 17:50      51,200      --a------      C:\WINDOWS\system32\dumphive.exe
2008-01-15 11:29 . 2007-10-03 23:36      25,600      --a------      C:\WINDOWS\system32\WS2Fix.exe
2008-01-15 10:48 . 2008-01-15 10:48      <DIR>      d--hs----      C:\FOUND.004
2008-01-15 09:52 . 2008-01-11 18:24      229,621      --a------      C:\WINDOWS\Funny UST Scandal.exe
2008-01-15 09:52 . 2008-01-11 18:24      229,621      -rahs----      C:\Funny UST Scandal.avi.exe
2008-01-14 22:50 . 2008-01-14 22:50      1,152      --a------      C:\WINDOWS\system32\windrv.sys
2008-01-14 21:42 . 2008-01-14 21:42      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\NETGATE
2008-01-14 19:14 . 2008-01-14 19:14      <DIR>      d--hs----      C:\FOUND.003
2008-01-14 18:58 . 2008-01-14 18:58      <DIR>      d--hs----      C:\FOUND.002
2008-01-14 14:19 . 2008-01-14 14:19      <DIR>      d--------      C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-14 14:19 . 2007-10-01 16:24      163,640      --a------      C:\WINDOWS\system32\drivers\ssidrv.sys
2008-01-14 14:19 . 2007-10-01 16:24      23,864      --a------      C:\WINDOWS\system32\drivers\sskbfd.sys
2008-01-14 14:19 . 2007-10-01 16:24      21,816      --a------      C:\WINDOWS\system32\drivers\sshrmd.sys
2008-01-14 14:19 . 2007-10-01 16:24      20,280      --a------      C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-01-14 14:18 . 2008-01-14 14:18      <DIR>      d--------      C:\Program Files\Webroot
2008-01-14 14:18 . 2008-01-14 14:18      <DIR>      d--------      C:\Program Files\AskSBar
2008-01-14 14:18 . 2008-01-14 14:18      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\Webroot
2008-01-14 14:18 . 2008-01-14 14:18      <DIR>      d--------      C:\Documents and Settings\abc\Application Data\Webroot
2008-01-14 14:18 . 2007-10-01 16:40      1,526,072      --a------      C:\WINDOWS\WRSetup.dll
2008-01-14 13:48 . 2008-01-14 13:48      <DIR>      d--------      C:\Documents and Settings\abc\temp
2008-01-14 13:06 . 2008-01-14 13:06      <DIR>      d--------      C:\!KillBox
2008-01-13 21:44 . 2008-01-13 21:45      <DIR>      d--------      C:\Program Files\XoftSpySE
2008-01-13 21:41 . 2008-01-13 21:41      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-01-13 19:51 . 2008-01-13 19:51      <DIR>      d--------      C:\Program Files\Lavasoft Ad-Aware
2008-01-13 14:15 . 2008-01-07 14:29      352      --ah-----      C:\WINDOWS\nod32fixtemdono.reg
2008-01-13 14:11 . 2008-01-13 14:11      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\ESET
2008-01-13 13:41 . 2008-01-13 13:41      <DIR>      d--------      C:\Program Files\Alcohol Soft
2008-01-12 21:09 . 2008-01-12 21:09      <DIR>      d--------      C:\Program Files\Trend Micro
2008-01-12 21:09 . 2008-01-12 21:09      <DIR>      d--------      C:\Hijackthis
2008-01-12 19:52 . 2008-01-12 19:52      <DIR>      d--------      C:\Program Files\Trojan Remover
2008-01-12 19:52 . 2008-01-12 19:52      <DIR>      d--------      C:\Documents and Settings\abc\Application Data\Simply Super Software
2008-01-12 19:52 . 2006-05-25 14:52      162,304      --a------      C:\WINDOWS\system32\ztvunrar36.dll
2008-01-12 19:52 . 2003-02-02 19:06      153,088      --a------      C:\WINDOWS\system32\UNRAR3.dll
2008-01-12 19:52 . 2005-08-26 00:50      77,312      --a------      C:\WINDOWS\system32\ztvunace26.dll
2008-01-12 19:52 . 2002-03-06 00:00      75,264      --a------      C:\WINDOWS\system32\unacev2.dll
2008-01-12 19:52 . 2006-06-19 12:01      69,632      --a------      C:\WINDOWS\system32\ztvcabinet.dll
2008-01-12 19:44 . 2008-01-12 19:44      <DIR>      d--------      C:\Program Files\Enigma Software Group
2008-01-12 18:53 . 2004-05-11 10:56      423,784      --a------      C:\WINDOWS\system32\XceedBkp.dll
2008-01-12 18:53 . 2004-02-05 21:53      389,120      --a------      C:\WINDOWS\system32\ACTSKN43.OCX
2008-01-12 18:53 . 2001-07-28 13:50      265,753      --a------      C:\WINDOWS\system32\AS-Exp2.ocx
2008-01-12 18:53 . 2004-01-09 11:54      188,416      --a------      C:\WINDOWS\system32\actsplash.ocx
2008-01-12 18:53 . 2004-03-09 00:00      131,856      --a------      C:\WINDOWS\system32\MSADODC.ocx
2008-01-12 18:53 . 2000-07-15 06:00      101,888      --a------      C:\WINDOWS\system32\VB6STKIT.DLL
2008-01-12 18:53 . 2001-03-28 23:02      89,088      --a------      C:\WINDOWS\system32\ProgressBar4.ocx
2008-01-12 18:53 . 2001-04-20 02:28      28,672      --a------      C:\WINDOWS\system32\systray.ocx
2008-01-12 18:53 . 1999-01-26 20:36      11,012      --a------      C:\WINDOWS\system32\threadapi.tlb
2008-01-12 18:48 . 2008-01-12 18:48      <DIR>      d--------      C:\Program Files\PrevxCSI
2008-01-12 18:30 . 2008-01-12 18:30      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-12 18:30 . 2008-01-12 18:30      <DIR>      d--------      C:\Documents and Settings\abc\Application Data\PrevxCSI
2008-01-12 18:17 . 2008-01-12 18:21      16      --a------      C:\WINDOWS\QH32.INI
2008-01-12 18:08 . 2004-08-04 00:56      159,232      --a------      C:\WINDOWS\system32\ptpusd.dll
2008-01-12 18:08 . 2004-08-03 22:58      15,104      --a------      C:\WINDOWS\system32\drivers\usbscan.sys
2008-01-12 18:08 . 2004-08-03 22:58      15,104      --a------      C:\WINDOWS\system32\dllcache\usbscan.sys
2008-01-12 18:08 . 2001-08-17 22:36      5,632      --a------      C:\WINDOWS\system32\ptpusb.dll
2008-01-12 13:40 . 2007-12-14 19:26      102,664      --a------      C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-12 12:59 . 2008-01-12 12:59      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-12 11:07 . 2008-01-12 11:07      <DIR>      d--hs----      C:\FOUND.001
2008-01-12 11:02 . 2008-01-12 11:03      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-01-06 17:18 . 2007-10-12 15:14      3,734,536      --a------      C:\WINDOWS\system32\d3dx9_36.dll
2008-01-06 17:18 . 2007-10-12 15:14      1,374,232      --a------      C:\WINDOWS\system32\D3DCompiler_36.dll
2008-01-06 17:18 . 2007-07-19 18:14      1,358,192      --a------      C:\WINDOWS\system32\D3DCompiler_35.dll
2008-01-06 17:18 . 2007-10-02 09:56      444,776      --a------      C:\WINDOWS\system32\d3dx10_36.dll
2008-01-06 17:18 . 2007-07-19 18:14      444,776      --a------      C:\WINDOWS\system32\d3dx10_35.dll
2008-01-06 17:18 . 2007-10-22 03:39      267,272      --a------      C:\WINDOWS\system32\xactengine2_10.dll
2008-01-06 17:18 . 2007-07-20 00:57      267,112      --a------      C:\WINDOWS\system32\xactengine2_9.dll
2008-01-06 12:25 . 2008-01-06 12:26      <DIR>      d--------      C:\Program Files\Easy Video Downloader
2008-01-06 12:24 . 2008-01-06 12:24      <DIR>      d--------      C:\RealPlayer Downloads
2008-01-06 12:20 . 2008-01-06 12:20      <DIR>      d--------      C:\Program Files\SourceTec
2008-01-06 11:58 . 2008-01-06 11:58      <DIR>      d--------      C:\RealDownloads
2008-01-04 13:40 . 2008-01-04 13:40      <DIR>      d--------      C:\Documents and Settings\abc\workspace
2007-12-31 13:54 . 2007-12-31 13:54      <DIR>      d--------      C:\HTML
2007-12-30 10:17 . 2007-12-30 10:17      268      --ah-----      C:\sqmdata19.sqm
2007-12-30 10:17 . 2007-12-30 10:17      244      --ah-----      C:\sqmnoopt19.sqm
2007-12-30 09:53 . 2007-12-30 09:53      552      --a------      C:\WINDOWS\system32\d3d8caps.dat
2007-12-29 22:34 . 2007-12-29 22:34      268      --ah-----      C:\sqmdata18.sqm
2007-12-29 22:34 . 2007-12-29 22:34      244      --ah-----      C:\sqmnoopt18.sqm
2007-12-29 17:42 . 2007-12-29 17:43      268      --ah-----      C:\sqmdata17.sqm
2007-12-29 17:42 . 2007-12-29 17:43      244      --ah-----      C:\sqmnoopt17.sqm
2007-12-29 17:17 . 2007-12-29 17:17      <DIR>      d--------      C:\Program Files\WinAce
2007-12-29 17:16 . 2007-12-29 17:16      626      --a------      C:\WINDOWS\eReg.dat
2007-12-29 17:08 . 2007-12-29 17:08      <DIR>      d--------      C:\Program Files\EA GAMES
2007-12-29 16:45 . 2008-01-15 17:20      664      --a------      C:\WINDOWS\system32\d3d9caps.dat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 08:07      715,248      ----a-w      C:\WINDOWS\system32\drivers\sptd.sys
2008-01-12 12:48      45      ----a-w      C:\Program Files\InstErr.log
2008-01-11 12:54      229,621      --sha-r      C:\WINDOWS\smss.exe
2007-12-29 11:50      28,400      ----a-w      C:\WINDOWS\system32\drivers\secdrv.sys
2007-12-14 14:23      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\JCreator
2007-12-14 14:23      ---------      d-----w      C:\Documents and Settings\abc\Application Data\JCreator
2007-12-14 14:22      ---------      d-----w      C:\Program Files\Xinox Software
2007-12-14 14:22      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-13 13:14      ---------      d-----w      C:\Program Files\Apache Software Foundation
2007-12-12 15:33      ---------      d-----w      C:\Program Files\Sun
2007-12-11 17:08      ---------      d-----w      C:\Program Files\IBM HTTP Server
2007-12-11 16:58      ---------      d-----w      C:\Program Files\IBM
2007-12-11 15:02      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-11 08:22      ---------      d-----w      C:\Program Files\pass4sure
2007-12-11 08:04      ---------      d-----w      C:\Program Files\ActualtestsEngine
2007-12-10 13:27      ---------      d-----w      C:\Program Files\VideoLAN
2007-12-10 13:27      ---------      d-----w      C:\Documents and Settings\abc\Application Data\vlc
2007-12-06 10:50      ---------      d-----w      C:\Documents and Settings\abc\Application Data\CyberLink
2007-12-03 15:56      ---------      d-----w      C:\Program Files\Windows Unattended CD Creator
2007-12-01 05:42      ---------      d-----w      C:\Program Files\DAEMON Tools
2007-11-28 06:44      ---------      d-----w      C:\Program Files\DivX
2007-11-27 17:00      499,712      ----a-w      C:\WINDOWS\system32\msvcp71.dll
2007-11-27 17:00      348,160      ----a-w      C:\WINDOWS\system32\msvcr71.dll
2007-11-27 17:00      ---------      d-----w      C:\Program Files\Real
2007-11-27 17:00      ---------      d-----w      C:\Program Files\Common Files\xing shared
2007-11-27 17:00      ---------      d-----w      C:\Program Files\Common Files\Real
2007-11-27 15:02      ---------      d-----w      C:\Program Files\Oracle
2007-11-27 07:55      ---------      d-----w      C:\Program Files\Runtime Software
2007-11-27 07:44      ---------      d-----w      C:\Documents and Settings\abc\Application Data\COWON
2007-11-27 07:16      ---------      d-----w      C:\Program Files\Realtek
2007-11-27 07:15      315,392      ----a-w      C:\WINDOWS\HideWin.exe
2007-11-27 06:23      ---------      d-----w      C:\Program Files\AIDA32 - Enterprise System Information
2007-11-26 16:36      ---------      d-----w      C:\Program Files\Google
2007-11-26 16:23      ---------      d-----w      C:\Program Files\Java
2007-11-26 16:23      ---------      d-----w      C:\Program Files\Common Files\Java
2007-11-26 16:11      ---------      d-----w      C:\Program Files\uTorrent
2007-11-26 15:39      ---------      d-----w      C:\Program Files\MCE
2007-11-26 15:18      ---------      d-----w      C:\Documents and Settings\abc\Application Data\AdobeUM
2007-11-26 14:15      ---------      d-----w      C:\Documents and Settings\abc\Application Data\Microsoft Web Folders
2007-11-26 14:09      ---------      d-----w      C:\Program Files\CyberLink
2007-11-26 14:09      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\CyberLink
2007-11-26 14:08      ---------      d-----w      C:\Program Files\Common Files\Adobe
2007-11-26 14:06      ---------      d-----w      C:\Program Files\Winamp
2007-11-26 14:04      ---------      d-----w      C:\Program Files\Common Files\Ahead
2007-11-26 14:04      ---------      d-----w      C:\Program Files\Ahead
2007-11-26 14:00      ---------      d--h--w      C:\Program Files\InstallShield Installation Information
2007-11-26 14:00      ---------      d-----w      C:\Program Files\JetAudio
2007-11-26 14:00      ---------      d-----w      C:\Program Files\Common Files\InstallShield
2007-11-26 13:41      ---------      d-----w      C:\Program Files\microsoft frontpage
2007-11-07 12:01      1,191,936      ----a-r      C:\WINDOWS\RtlUpd.exe
2007-11-06 05:20      16,855,552      ----a-r      C:\WINDOWS\RTHDCPL.exe
2007-10-21 22:07      17,928      ----a-w      C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-20 00:56      200,704      ----a-w      C:\WINDOWS\system32\ssldivx.dll
2007-10-20 00:56      1,044,480      ----a-w      C:\WINDOWS\system32\libdivx.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-01-14 14:18      66912      --a------      C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-14 14:18      267592      --a------      C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"µTorrent"="C:\Program Files\uTorrent\utorrent.exe" [2006-07-02 21:59 174163]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-11-28 11:25 171448]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-11-17 17:23 171464]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-12-28 21:31 497664]
"TridentTVIcon"="" []
"TridentVideoIcon"="" []
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-12-22 12:53 221568]
"SpyEmergency"="C:\Program Files\NETGATE\Spy Emergency 2007\SpyEmergency.exe" [ ]
"Runonce"="C:\WINDOWS\smss.exe" [2008-01-11 18:24 229621]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 10:50 16855552 C:\WINDOWS\RTHDCPL.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-27 22:30 185632]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 02:52 3739648]
"wsaeclt"="C:\WINDOWS\wsaeclt.exe" [ ]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 19:17 57344]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" [2008-01-13 20:17 92160]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [ ]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40 5367608]
"NWEReboot"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe, killer.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\Explore\Command - C:\smss.exe
\Shell\Open\Command - C:\smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\Autoplay\Command - D:\smss.exe
\Shell\AutoRun\command - D:\smss.exe
\Shell\Explore\Command - D:\smss.exe
\Shell\Open\Command - D:\smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\Autoplay\Command - E:\smss.exe
\Shell\AutoRun\command - E:\smss.exe
\Shell\Explore\Command - E:\smss.exe
\Shell\Open\Command - E:\smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\Autoplay\Command - F:\smss.exe
\Shell\AutoRun\command - F:\smss.exe
\Shell\Explore\Command - F:\smss.exe
\Shell\Open\Command - F:\smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{07c0afd4-b5ec-11dc-a6f4-003018ab4469}]
\Shell\AutoRun\command - I:\fooool.exe
\Shell\explore\Command - I:\fooool.exe
\Shell\open\Command - I:\fooool.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d253d3e-a550-11dc-a6af-003018ab4469}]
\Shell\AutoRun\command - I:\fooool.exe
\Shell\explore\Command - I:\fooool.exe
\Shell\open\Command - I:\fooool.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-13 16:15:02 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-01-15 13:21:36 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 18:50:22
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-15 18:53:20 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-15 13:23:18
.
2007-11-27 17:04:38      --- E O F ---  

 

by: vegetasharma, posted on 2008-01-15 at 06:28:17, ID: 20662806

SDFix LOG :


SDFix: Version 1.126

Run by abc on Tue 01/15/2008 at 07:50 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe  - Deleted
C:\autorun.inf  - Deleted
C:\WINDOWS\autorun.inf  - Deleted
C:\WINDOWS\smss.exe  - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe  - Deleted
C:\autorun.inf  - Deleted
C:\WINDOWS\autorun.inf  - Deleted
C:\WINDOWS\smss.exe  - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe  - Deleted
C:\autorun.inf  - Deleted
C:\WINDOWS\autorun.inf  - Deleted
C:\WINDOWS\smss.exe  - Deleted




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.
 
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
 


                                 Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 19:52:59
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe  Found
C:\WINDOWS\smss.exe  Found
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe  Found
C:\WINDOWS\smss.exe  Found
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe  Found
C:\WINDOWS\smss.exe  Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Fri 11 Jan 2008       229,621 A.SHR --- "C:\smss.exe"
Fri 11 Jan 2008       229,621 A.SHR --- "C:\Funny UST Scandal.avi.exe"
Fri 11 Jan 2008       229,621 A.SHR --- "C:\WINDOWS\killer.exe"
Mon  7 Jan 2008           352 A..H. --- "C:\WINDOWS\nod32fixtemdono.reg"
Fri 11 Jan 2008       229,621 A.SHR --- "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe"

Finished!

 

by: PSYCH0_SRB, posted on 2008-01-15 at 11:21:03, ID: 20665553

 

by: vegetasharma, posted on 2008-01-16 at 00:56:06, ID: 20670140

Sorry, they did not work.

I tried many spyware and anti-virus programs, including XoftSE, Spybot S&D, Prevx CSI, Spy Sweeper and
Spy Emergency; moreover, this virus does not let me install anti-virus programs.

 

by: top_rung, posted on 2008-01-16 at 00:58:27, ID: 20670152

Can you report back with what is happening when you follow the recommendations in Safe Mode?

Also, if you haven't done so, you need to disconnect the PC from the network and from the internet.

 

by: vegetasharma, posted on 2008-01-16 at 01:02:15, ID: 20670169

Sorry, they did not work.

I tried many spyware and anti-virus programs, including XoftSE, Spybot S&D, Prevx CSI, Spy Sweeper and
Spy Emergency; moreover, this virus does not let me install anti-virus programs.
Please tell me what the origin of the software is. I am ready to delete even Windows files.
I just want to get rid of this program.
Check out the logs and tell me what I should remove to get rid of it.

 

by: vegetasharma, posted on 2008-01-16 at 01:04:27, ID: 20670177

Sorry, top_rung, I did not notice.

I will let you know, brother/sister.

 

by: top_rung, posted on 2008-01-16 at 01:07:34, ID: 20670186

No problem... yes, you have to boot into Safe Mode so that it does not have a chance to load. Once there, you can attempt to disable it.

You can clean this up without wiping the machine, but you HAVE to be patient and follow the advice given.



 

by: vegetasharma, posted on 2008-01-16 at 02:17:09, ID: 20670480

I did what you told me, bro, but those viruses are stubborn and have the potential to destroy both my time and
my PC.
They come back right after I disable and/or delete them. Every single time, and I mean every time, I do that they come back.

The viruses' names are
C:\windows\smss.exe
C:\windows\killer.exe
c:\smss.exe
C:\windows\Funny Scandal.avi.exe
C:\Funny Scandal.avi.exe
and their instances, like autorun.inf, and I don't know what else.
I tried both in Safe Mode and normal mode, but as I told you, they come back. :(
Now, bro/sis, tell me how to kill those killers.


 

by: top_rung, posted on 2008-01-16 at 02:42:27, ID: 20670576

How important is the data on the machine?  Have you considered a clean installation of your operating system?  That would be my recommendation.  Leave no room for replication down the road, don't waste your time hunting this further, and move on.

If you really want to try and salvage it, you will have to try to boot to another environment like Bart PE and then manually try cleaning this. But it is a lengthy process.

 

by: IndiGenus, posted on 2008-01-16 at 03:29:16, ID: 20670778

vegetasharma

You may want to consider top_rung's advice here and format this thing. But I have a question here. How many drives do you have on this thing? And what type are they? If you look at the ComboFix log, this thing is loading from everywhere; that's why they keep coming back. All of those drives, as I indicated in the codebox, are infected too, and will need to be wiped clean or cleaned.

If you would still like to try cleaning this, I will give it a shot. Here's what we'll try (no guarantees here). Let me know what those drives are. Then, run ComboFix again and post the log. I will post a CFScript file back using CF and see if we can get this. Let me know what you want to do.

Dave

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\Open\Command - C:\smss.exe
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\Autoplay\Command - D:\smss.exe
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\Autoplay\Command - E:\smss.exe
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\Autoplay\Command - F:\smss.exe
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{07c0afd4-b5ec-11dc-a6f4-003018ab4469}]
\Shell\open\Command - I:\fooool.exe

                                              

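The persistence chain Dave is pointing at (a Winlogon Shell value that appends killer.exe, MountPoints2 handlers that launch smss.exe from every drive root, and a Run value that loads a fake smss.exe from C:\WINDOWS instead of system32) can be picked out of the "Reg Loading Points" section of a ComboFix log mechanically. The Python script below is an added example written for this thread, not code from the thread, from ComboFix or from SDFix; the log excerpts it parses are constructed from the entries posted above, and the list of system-process names and system directories is an assumption.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log for the three
persistence patterns visible in this thread:

  * Winlogon "Shell" launching anything besides explorer.exe
  * MountPoints2 drive handlers (AutoRun / Open / Explore) that run an .exe
  * Run-key values that reuse a Windows system-process name (smss.exe,
    lsass.exe, ...) from a path outside the system directories
"""
import re

# Assumption: names of core Windows processes that malware commonly borrows.
SYSTEM_PROCESS_NAMES = {"smss.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                        "services.exe", "svchost.exe"}
# Assumption: the only places the genuine copies of those binaries live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>[^"]*)"')
MOUNTPOINT_RE = re.compile(r"^\\Shell\\(?P<verb>\w+)\\[Cc]ommand\s+-\s+(?P<path>.+?)\s*$")


def parse_reg_section(text):
    """Yield (key, line) pairs; lines before the first [key] header are ignored."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
        elif key is not None:
            yield key, line


def triage(text):
    """Return a list of (finding, where, what) tuples for suspicious autostarts."""
    findings = []
    for key, line in parse_reg_section(text):
        lkey = key.lower()
        if lkey.endswith("\\winlogon"):
            m = VALUE_RE.match(line)
            if m and m.group("name").lower() == "shell":
                # Winlogon Shell is a comma-separated list; explorer.exe is the default.
                shells = [s.strip().lower() for s in m.group("data").split(",")]
                for extra in (s for s in shells if s and s != "explorer.exe"):
                    findings.append(("winlogon-shell", key, extra))
        elif "\\mountpoints2\\" in lkey:
            m = MOUNTPOINT_RE.match(line)
            if m and m.group("path").lower().endswith(".exe"):
                drive = key.rsplit("\\", 1)[1]
                findings.append(("mountpoints2-autorun", drive, m.group("path")))
        elif lkey.endswith("\\run"):
            m = VALUE_RE.match(line)
            if m and m.group("data"):
                path = m.group("data").lower()
                base = path.rsplit("\\", 1)[-1]
                if base in SYSTEM_PROCESS_NAMES and not path.startswith(SYSTEM_DIRS):
                    findings.append(("run-masquerade", m.group("name"), m.group("data")))
    return findings


# Constructed excerpt modelled on the entries posted in this thread.
SAMPLE_LOG = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-11-17 17:23 171464]
"TridentTVIcon"="" []
"Runonce"="C:\WINDOWS\smss.exe" [2008-01-11 18:24 229621]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe, killer.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\Explore\Command - C:\smss.exe
\Shell\Open\Command - C:\smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{07c0afd4-b5ec-11dc-a6f4-003018ab4469}]
\Shell\AutoRun\command - I:\fooool.exe
"""

# Constructed clean counterpart: default shell, smss.exe in its real location.
CLEAN_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"SessionManager"="C:\WINDOWS\system32\smss.exe" []
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("%-22s %-40s %s" % finding)
    print("clean log findings:", triage(CLEAN_LOG))
```

Every hit the script reports on the sample is a value that a default Windows XP install never carries, which is the same reasoning the thread applies by hand.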
 

by: vegetasharma, posted on 2008-01-16 at 05:47:42, ID: 20671688

Bart PE, huh? I already tried it, but it does not seem effective, sorry to say. It closes Bart PE automatically.
I already did a clean install without formatting my PC; I only wiped Windows. But as I told you, and as you know,
they came back. My PC is completely infected.

I want to clean that shit off without wiping my machine. Please help me as soon as possible.

 

by: vegetasharma, posted on 2008-01-16 at 05:50:24, ID: 20671713

All drives use the FAT32 file system.
C:- FAT32
D:- FAT32
E:- FAT32
F:- FAT32

 

by: IndiGenus, posted on 2008-01-16 at 05:57:42, ID: 20671786

> "I already did clean install without format my pc"

That's not a clean install. And even if you cleaned your C drive, this thing is all over your PC. We will do our best to help, but you are seriously infected here. What's the "I" drive? A flash drive?

Go ahead and run combofix again and I'll put something together with a CFScript to try and clean this. There are no guarantees though. We're trying....

Dave

 

by: IndiGenus, posted on 2008-01-16 at 05:58:49, ID: 20671797

No need for profanity either.

 

by: vegetasharma, posted on 2008-01-16 at 06:11:23, ID: 20671932

I am sorry I made you angry.

I really need your help. O.K., I will do what you say :)

ComboFix 08-01-16.4 - omi 2008-01-16 19:34:11.1 - [color=red][b]FAT32[/b][/color]x86
Running from: C:\Documents and Settings\omi\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\smss.exe
C:\WINDOWS\autorun.inf
C:\WINDOWS\smss.exe

.
(((((((((((((((((((((((((   Files Created from 2007-12-16 to 2008-01-16  )))))))))))))))))))))))))))))))
.

2008-01-16 19:33 . 2000-08-31 08:00      51,200      --a------      C:\WINDOWS\NirCmd.exe
2008-01-16 19:11 . 2008-01-16 19:11      <DIR>      d--------      C:\WINDOWS\LastGood
2008-01-16 17:51 . 2008-01-11 18:24      229,621      --a------      C:\WINDOWS\Funny UST Scandal.exe
2008-01-16 17:10 . 2008-01-16 17:10      664      --a------      C:\WINDOWS\system32\d3d9caps.dat
2008-01-16 14:54 . 2008-01-16 14:54      940,794      --a------      C:\WINDOWS\system32\LoopyMusic.wav
2008-01-16 14:54 . 2008-01-16 14:54      146,650      --a------      C:\WINDOWS\system32\BuzzingBee.wav
2008-01-16 14:28 . 2007-11-06 10:50      16,855,552      --a------      C:\WINDOWS\RTHDCPL.exe
2008-01-16 14:28 . 2007-11-14 17:14      4,625,408      --a------      C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-01-16 14:28 . 2006-05-04 16:26      2,808,832      --a------      C:\WINDOWS\alcwzrd.exe
2008-01-16 14:28 . 2007-06-28 16:44      2,165,760      --a------      C:\WINDOWS\MicCal.exe
2008-01-16 14:28 . 2007-07-26 17:09      520,192      --a------      C:\WINDOWS\RtlExUpd.dll
2008-01-16 14:28 . 2008-01-16 14:28      315,392      --a------      C:\WINDOWS\HideWin.exe
2008-01-16 14:28 . 2005-09-21 10:25      299,008      --a------      C:\WINDOWS\system32\ALSndMgr.cpl
2008-01-16 14:28 . 2005-05-03 18:43      69,632      --a------      C:\WINDOWS\Alcmtr.exe
2008-01-16 14:22 . 2008-01-16 14:22      <DIR>      d--------      C:\Documents and Settings\omi\Application Data\PrevxCSI
2008-01-16 14:22 . 2008-01-16 14:22      <DIR>      d--------      C:\Documents and Settings\All Users.WINDOWS\Application Data\Prevx
2008-01-16 12:45 . 2008-01-16 12:45      0      --a------      C:\WINDOWS\nsreg.dat
2008-01-16 12:16 . 2008-01-16 12:16      <DIR>      d--------      C:\Documents and Settings\omi\Application Data\AdobeUM
2008-01-16 12:14 . 2008-01-11 18:24      229,621      -rahs----      C:\WINDOWS\killer.exe
2008-01-16 02:22 . 2001-08-23 18:00      176,157      --a------      C:\WINDOWS\system32\dllcache\dgrpsetu.dll
2008-01-16 02:22 . 2001-08-23 18:00      103,424      --a------      C:\WINDOWS\system32\dllcache\eqnclass.dll
2008-01-16 02:22 . 2001-08-23 18:00      85,020      --a------      C:\WINDOWS\system32\dllcache\dgsetup.dll
2008-01-16 02:22 . 2001-08-23 18:00      66,082      --a------      C:\WINDOWS\system32\dllcache\c_20127.nls
2008-01-16 02:22 . 2004-08-04 01:26      8,704      --a------      C:\WINDOWS\system32\dllcache\batt.dll
2008-01-15 22:25 . 2008-01-15 22:25      8,192      --a------      C:\WINDOWS\REGLOCS.OLD
2008-01-15 22:23 . 2001-08-23 18:00      1,875,968      --a------      C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-01-15 22:22 . 2001-08-23 18:00      13,463,552      --a------      C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-01-15 22:21 . 2004-08-04 01:26      2,134,528      --a------      C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-01-15 22:20 . 2008-01-15 22:20      <DIR>      d--hs----      C:\Documents and Settings\All Users.WINDOWS\DRM
2008-01-15 22:20 . 2008-01-15 22:20      749      -rah-----      C:\WINDOWS\WindowsShell.Manifest
2008-01-15 22:20 . 2008-01-15 22:20      749      -rah-----      C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-01-15 22:20 . 2008-01-15 22:20      749      -rah-----      C:\WINDOWS\system32\sapi.cpl.manifest
2008-01-15 22:20 . 2008-01-15 22:20      749      -rah-----      C:\WINDOWS\system32\nwc.cpl.manifest
2008-01-15 22:20 . 2008-01-15 22:20      749      -rah-----      C:\WINDOWS\system32\ncpa.cpl.manifest
2008-01-15 22:20 . 2008-01-15 22:20      749      -rah-----      C:\WINDOWS\system32\cdplayer.exe.manifest
2008-01-15 22:20 . 2008-01-15 22:20      488      -rah-----      C:\WINDOWS\system32\WindowsLogon.manifest
2008-01-15 22:20 . 2008-01-15 22:20      488      -rah-----      C:\WINDOWS\system32\logonui.exe.manifest
2008-01-15 22:18 . 2004-08-04 01:26      768,512      --a------      C:\WINDOWS\system32\dllcache\helpctr.exe
2008-01-15 22:17 . 2004-08-04 01:26      1,352,192      --a------      C:\WINDOWS\system32\dllcache\cimwin32.dll
2008-01-15 22:05 . 2008-01-15 22:06      <DIR>      dr-------      C:\Documents and Settings\All Users.WINDOWS\Documents
2008-01-15 22:03 . 2004-08-03 20:57      1,086,058      -ra------      C:\WINDOWS\SET1F.tmp
2008-01-15 22:03 . 2004-08-03 21:03      1,042,903      -ra------      C:\WINDOWS\SET1C.tmp
2008-01-15 22:03 . 2004-08-03 20:58      13,753      -ra------      C:\WINDOWS\SET2B.tmp
2008-01-15 20:55 . 2001-08-17 13:59      3,072      --a------      C:\WINDOWS\system32\drivers\audstub.sys
2008-01-15 20:54 . 2004-08-04 00:56      74,240      --a------      C:\WINDOWS\system32\usbui.dll
2008-01-15 20:54 . 2004-08-03 22:59      57,472      --a------      C:\WINDOWS\system32\drivers\redbook.sys
2008-01-15 20:54 . 2004-08-03 22:31      20,992      --a------      C:\WINDOWS\system32\drivers\RTL8139.sys
2008-01-15 20:52 . 2001-08-23 12:30      176,157      --a------      C:\WINDOWS\system32\dgrpsetu.dll
2008-01-15 20:50 . 2004-08-03 20:58      2,012,670      --a------      C:\WINDOWS\system32\dllcache\NT5.CAT
2008-01-15 20:48 . 2008-01-15 22:24      261      --a------      C:\WINDOWS\system32\$winnt$.inf
2008-01-15 20:23 . 2008-01-11 18:24      229,621      -rahs----      C:\Funny UST Scandal.avi.exe
2008-01-15 20:18 . 2008-01-15 20:18      <DIR>      d--------      C:\Sbi
2008-01-15 19:43 . 2008-01-15 19:43      <DIR>      d--------      C:\WINDOWS\ERUNT
2008-01-15 19:23 . 2008-01-15 19:23      <DIR>      d--------      C:\Program Files\X-Cleaner
2008-01-15 18:22 . 2008-01-15 18:22      <DIR>      d--------      C:\Program Files\NoAdware5.0
2008-01-15 15:18 . 2008-01-11 18:24      229,621      -rahs----      C:\smss.exe
2008-01-15 14:56 . 2008-01-15 14:56      <DIR>      d--------      C:\WINDOWS\SxsCaPendDel
2008-01-15 12:33 . 2008-01-15 12:33      <DIR>      d--hs----      C:\FOUND.005
2008-01-15 12:23 . 2008-01-15 12:23      <DIR>      d--------      C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-01-15 11:45 . 2008-01-15 11:45      <DIR>      d--------      C:\Program Files\SUPERAntiSpyware
2008-01-15 11:45 . 2008-01-15 11:45      <DIR>      d--------      C:\Documents and Settings\abc\Application Data\SUPERAntiSpyware.com
2008-01-15 10:48 . 2008-01-15 10:48      <DIR>      d--hs----      C:\FOUND.004
2008-01-14 19:14 . 2008-01-14 19:14      <DIR>      d--hs----      C:\FOUND.003
2008-01-14 18:58 . 2008-01-14 18:58      <DIR>      d--hs----      C:\FOUND.002
2008-01-14 14:19 . 2008-01-14 14:19      <DIR>      d--------      C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-14 14:18 . 2008-01-14 14:18      <DIR>      d--------      C:\Program Files\Webroot
2008-01-14 14:18 . 2008-01-14 14:18      <DIR>      d--------      C:\Program Files\AskSBar
2008-01-14 14:18 . 2008-01-14 14:18      <DIR>      d--------      C:\Documents and Settings\abc\Application Data\Webroot
2008-01-14 13:48 . 2008-01-14 13:48      <DIR>      d--------      C:\Documents and Settings\abc\temp
2008-01-14 13:06 . 2008-01-14 13:06      <DIR>      d--------      C:\!KillBox
2008-01-13 21:44 . 2008-01-13 21:45      <DIR>      d--------      C:\Program Files\XoftSpySE
2008-01-13 19:51 . 2008-01-13 19:51      <DIR>      d--------      C:\Program Files\Lavasoft Ad-Aware
2008-01-13 13:41 . 2008-01-13 13:41      <DIR>      d--------      C:\Program Files\Alcohol Soft
2008-01-12 21:09 . 2008-01-12 21:09      <DIR>      d--------      C:\Program Files\Trend Micro
2008-01-12 21:09 . 2008-01-12 21:09      <DIR>      d--------      C:\Hijackthis
2008-01-12 19:52 . 2008-01-12 19:52      <DIR>      d--------      C:\Program Files\Trojan Remover
2008-01-12 19:52 . 2008-01-12 19:52      <DIR>      d--------      C:\Documents and Settings\abc\Application Data\Simply Super Software
2008-01-12 19:44 . 2008-01-12 19:44      <DIR>      d--------      C:\Program Files\Enigma Software Group
2008-01-12 18:48 . 2008-01-12 18:48      <DIR>      d--------      C:\Program Files\PrevxCSI
2008-01-12 18:30 . 2008-01-12 18:30      <DIR>      d--------      C:\Documents and Settings\abc\Application Data\PrevxCSI
2008-01-12 11:07 . 2008-01-12 11:07      <DIR>      d--hs----      C:\FOUND.001
2008-01-06 12:25 . 2008-01-06 12:26      <DIR>      d--------      C:\Program Files\Easy Video Downloader
2008-01-06 12:24 . 2008-01-06 12:24      <DIR>      d--------      C:\RealPlayer Downloads
2008-01-06 12:20 . 2008-01-06 12:20      <DIR>      d--------      C:\Program Files\SourceTec
2008-01-06 11:58 . 2008-01-06 11:58      <DIR>      d--------      C:\RealDownloads
2008-01-04 13:40 . 2008-01-04 13:40      <DIR>      d--------      C:\Documents and Settings\abc\workspace
2007-12-31 13:54 . 2007-12-31 13:54      <DIR>      d--------      C:\HTML
2007-12-30 10:17 . 2007-12-30 10:17      268      --ah-----      C:\sqmdata19.sqm
2007-12-30 10:17 . 2007-12-30 10:17      244      --ah-----      C:\sqmnoopt19.sqm
2007-12-29 22:34 . 2007-12-29 22:34      268      --ah-----      C:\sqmdata18.sqm
2007-12-29 22:34 . 2007-12-29 22:34      244      --ah-----      C:\sqmnoopt18.sqm
2007-12-29 17:42 . 2007-12-29 17:43      268      --ah-----      C:\sqmdata17.sqm
2007-12-29 17:42 . 2007-12-29 17:43      244      --ah-----      C:\sqmnoopt17.sqm
2007-12-29 17:17 . 2007-12-29 17:17      <DIR>      d--------      C:\Program Files\WinAce
2007-12-29 17:08 . 2007-12-29 17:08      <DIR>      d--------      C:\Program Files\EA GAMES
2007-12-29 15:40 . 2007-12-29 15:40      268      --ah-----      C:\sqmdata16.sqm
2007-12-29 15:40 . 2007-12-29 15:40      244      --ah-----      C:\sqmnoopt16.sqm
2007-12-29 14:04 . 2007-12-29 14:04      268      --ah-----      C:\sqmdata15.sqm
2007-12-29 14:04 . 2007-12-29 14:04      244      --ah-----      C:\sqmnoopt15.sqm
2007-12-29 13:59 . 2007-12-29 13:59      <DIR>      d--------      C:\Perl

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-12 12:48      45      ----a-w      C:\Program Files\InstErr.log
2008-01-11 12:54      229,621      --sha-r      C:\WINDOWS\smss.exe
2007-12-15 14:44      ---------      d-----w      C:\Program Files\Whizlabs Suite
2007-12-14 14:23      ---------      d-----w      C:\Documents and Settings\abc\Application Data\JCreator
2007-12-14 14:22      ---------      d-----w      C:\Program Files\Xinox Software
2007-12-13 13:14      ---------      d-----w      C:\Program Files\Apache Software Foundation
2007-12-12 15:33      ---------      d-----w      C:\Program Files\Sun
2007-12-11 17:08      ---------      d-----w      C:\Program Files\IBM HTTP Server
2007-12-11 16:58      ---------      d-----w      C:\Program Files\IBM
2007-12-11 08:22      ---------      d-----w      C:\Program Files\pass4sure
2007-12-11 08:04      ---------      d-----w      C:\Program Files\ActualtestsEngine
2007-12-10 13:27      ---------      d-----w      C:\Program Files\VideoLAN
2007-12-10 13:27      ---------      d-----w      C:\Documents and Settings\abc\Application Data\vlc
2007-12-06 10:50      ---------      d-----w      C:\Documents and Settings\abc\Application Data\CyberLink
2007-12-03 15:56      ---------      d-----w      C:\Program Files\Windows Unattended CD Creator
2007-12-01 05:42      ---------      d-----w      C:\Program Files\DAEMON Tools
2007-11-28 06:44      ---------      d-----w      C:\Program Files\DivX
2007-11-27 17:00      ---------      d-----w      C:\Program Files\Real
2007-11-27 17:00      ---------      d-----w      C:\Program Files\Common Files\xing shared
2007-11-27 17:00      ---------      d-----w      C:\Program Files\Common Files\Real
2007-11-27 15:02      ---------      d-----w      C:\Program Files\Oracle
2007-11-27 07:55      ---------      d-----w      C:\Program Files\Runtime Software
2007-11-27 07:44      ---------      d-----w      C:\Documents and Settings\abc\Application Data\COWON
2007-11-27 07:16      ---------      d-----w      C:\Program Files\Realtek
2007-11-27 06:23      ---------      d-----w      C:\Program Files\AIDA32 - Enterprise System Information
2007-11-26 16:36      ---------      d-----w      C:\Program Files\Google
2007-11-26 16:23      ---------      d-----w      C:\Program Files\Java
2007-11-26 16:23      ---------      d-----w      C:\Program Files\Common Files\Java
2007-11-26 16:11      ---------      d-----w      C:\Program Files\uTorrent
2007-11-26 15:39      ---------      d-----w      C:\Program Files\MCE
2007-11-26 15:18      ---------      d-----w      C:\Documents and Settings\abc\Application Data\AdobeUM
2007-11-26 14:15      ---------      d-----w      C:\Documents and Settings\abc\Application Data\Microsoft Web Folders
2007-11-26 14:09      ---------      d-----w      C:\Program Files\CyberLink
2007-11-26 14:08      ---------      d-----w      C:\Program Files\Common Files\Adobe
2007-11-26 14:06      ---------      d-----w      C:\Program Files\Winamp
2007-11-26 14:04      ---------      d-----w      C:\Program Files\Common Files\Ahead
2007-11-26 14:04      ---------      d-----w      C:\Program Files\Ahead
2007-11-26 14:00      ---------      d--h--w      C:\Program Files\InstallShield Installation Information
2007-11-26 14:00      ---------      d-----w      C:\Program Files\JetAudio
2007-11-26 14:00      ---------      d-----w      C:\Program Files\Common Files\InstallShield
2007-11-26 13:41      ---------      d-----w      C:\Program Files\microsoft frontpage
2007-11-07 12:01      1,191,936      ----a-w      C:\WINDOWS\RtlUpd.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Runonce"="C:\WINDOWS\smss.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 10:50 16855552 C:\WINDOWS\RTHDCPL.exe]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" [2008-01-16 15:06 92160]


*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 17:06:32 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-01-16 13:39:48 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 19:35:47
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-16 19:35:58
ComboFix-quarantined-files.txt  2008-01-16 14:05:58
.
2008-01-16 12:22:13      --- E O F ---  

 

by: vegetasharma, posted on 2008-01-16 at 06:13:53, ID: 20671965

I am sorry I made you angry.

I really need your help. O.K., I'll do what you say :)

ComboFix 08-01-16.4 - omi 2008-01-16 19:34:11.1 - FAT32 x86
Running from: C:\Documents and Settings\omi\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\smss.exe
C:\WINDOWS\autorun.inf
C:\WINDOWS\smss.exe

.
(((((((((((((((((((((((((   Files Created from 2007-12-16 to 2008-01-16  )))))))))))))))))))))))))))))))
.

2008-01-16 19:33 . 2000-08-31 08:00      51,200      --a------      C:\WINDOWS\NirCmd.exe
2008-01-16 19:11 . 2008-01-16 19:11      <DIR>      d--------      C:\WINDOWS\LastGood
2008-01-16 17:51 . 2008-01-11 18:24      229,621      --a------      C:\WINDOWS\Funny UST Scandal.exe
2008-01-16 17:10 . 2008-01-16 17:10      664      --a------      C:\WINDOWS\system32\d3d9caps.dat
2008-01-16 14:54 . 2008-01-16 14:54      940,794      --a------      C:\WINDOWS\system32\LoopyMusic.wav
2008-01-16 14:54 . 2008-01-16 14:54      146,650      --a------      C:\WINDOWS\system32\BuzzingBee.wav
2008-01-16 14:28 . 2007-11-06 10:50      16,855,552      --a------      C:\WINDOWS\RTHDCPL.exe
2008-01-16 14:28 . 2007-11-14 17:14      4,625,408      --a------      C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-01-16 14:28 . 2006-05-04 16:26      2,808,832      --a------      C:\WINDOWS\alcwzrd.exe
2008-01-16 14:28 . 2007-06-28 16:44      2,165,760      --a------      C:\WINDOWS\MicCal.exe
2008-01-16 14:28 . 2007-07-26 17:09      520,192      --a------      C:\WINDOWS\RtlExUpd.dll
2008-01-16 14:28 . 2008-01-16 14:28      315,392      --a------      C:\WINDOWS\HideWin.exe
2008-01-16 14:28 . 2005-09-21 10:25      299,008      --a------      C:\WINDOWS\system32\ALSndMgr.cpl
2008-01-16 14:28 . 2005-05-03 18:43      69,632      --a------      C:\WINDOWS\Alcmtr.exe
2008-01-16 14:22 . 2008-01-16 14:22      <DIR>      d--------      C:\Documents and Settings\omi\Application Data\PrevxCSI
2008-01-16 14:22 . 2008-01-16 14:22      <DIR>      d--------      C:\Documents and Settings\All Users.WINDOWS\Application Data\Prevx
2008-01-16 12:45 . 2008-01-16 12:45      0      --a------      C:\WINDOWS\nsreg.dat
2008-01-16 12:16 . 2008-01-16 12:16      <DIR>      d--------      C:\Documents and Settings\omi\Application Data\AdobeUM
2008-01-16 12:14 . 2008-01-11 18:24      229,621      -rahs----      C:\WINDOWS\killer.exe
2008-01-16 02:22 . 2001-08-23 18:00      176,157      --a------      C:\WINDOWS\system32\dllcache\dgrpsetu.dll
2008-01-16 02:22 . 2001-08-23 18:00      103,424      --a------      C:\WINDOWS\system32\dllcache\eqnclass.dll
2008-01-16 02:22 . 2001-08-23 18:00      85,020      --a------      C:\WINDOWS\system32\dllcache\dgsetup.dll
2008-01-16 02:22 . 2001-08-23 18:00      66,082      --a------      C:\WINDOWS\system32\dllcache\c_20127.nls
2008-01-16 02:22 . 2004-08-04 01:26      8,704      --a------      C:\WINDOWS\system32\dllcache\batt.dll
2008-01-15 22:25 . 2008-01-15 22:25      8,192      --a------      C:\WINDOWS\REGLOCS.OLD
2008-01-15 22:23 . 2001-08-23 18:00      1,875,968      --a------      C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-01-15 22:22 . 2001-08-23 18:00      13,463,552      --a------      C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-01-15 22:21 . 2004-08-04 01:26      2,134,528      --a------      C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-01-15 22:20 . 2008-01-15 22:20      <DIR>      d--hs----      C:\Documents and Settings\All Users.WINDOWS\DRM
2008-01-15 22:20 . 2008-01-15 22:20      749      -rah-----      C:\WINDOWS\WindowsShell.Manifest
2008-01-15 22:20 . 2008-01-15 22:20      749      -rah-----      C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-01-15 22:20 . 2008-01-15 22:20      749      -rah-----      C:\WINDOWS\system32\sapi.cpl.manifest
2008-01-15 22:20 . 2008-01-15 22:20      749      -rah-----      C:\WINDOWS\system32\nwc.cpl.manifest
2008-01-15 22:20 . 2008-01-15 22:20      749      -rah-----      C:\WINDOWS\system32\ncpa.cpl.manifest
2008-01-15 22:20 . 2008-01-15 22:20      749      -rah-----      C:\WINDOWS\system32\cdplayer.exe.manifest
2008-01-15 22:20 . 2008-01-15 22:20      488      -rah-----      C:\WINDOWS\system32\WindowsLogon.manifest
2008-01-15 22:20 . 2008-01-15 22:20      488      -rah-----      C:\WINDOWS\system32\logonui.exe.manifest
2008-01-15 22:18 . 2004-08-04 01:26      768,512      --a------      C:\WINDOWS\system32\dllcache\helpctr.exe
2008-01-15 22:17 . 2004-08-04 01:26      1,352,192      --a------      C:\WINDOWS\system32\dllcache\cimwin32.dll
2008-01-15 22:05 . 2008-01-15 22:06      <DIR>      dr-------      C:\Documents and Settings\All Users.WINDOWS\Documents
2008-01-15 22:03 . 2004-08-03 20:57      1,086,058      -ra------      C:\WINDOWS\SET1F.tmp
2008-01-15 22:03 . 2004-08-03 21:03      1,042,903      -ra------      C:\WINDOWS\SET1C.tmp
2008-01-15 22:03 . 2004-08-03 20:58      13,753      -ra------      C:\WINDOWS\SET2B.tmp
2008-01-15 20:55 . 2001-08-17 13:59      3,072      --a------      C:\WINDOWS\system32\drivers\audstub.sys
2008-01-15 20:54 . 2004-08-04 00:56      74,240      --a------      C:\WINDOWS\system32\usbui.dll
2008-01-15 20:54 . 2004-08-03 22:59      57,472      --a------      C:\WINDOWS\system32\drivers\redbook.sys
2008-01-15 20:54 . 2004-08-03 22:31      20,992      --a------      C:\WINDOWS\system32\drivers\RTL8139.sys
2008-01-15 20:52 . 2001-08-23 12:30      176,157      --a------      C:\WINDOWS\system32\dgrpsetu.dll
2008-01-15 20:50 . 2004-08-03 20:58      2,012,670      --a------      C:\WINDOWS\system32\dllcache\NT5.CAT
2008-01-15 20:48 . 2008-01-15 22:24      261      --a------      C:\WINDOWS\system32\$winnt$.inf
2008-01-15 20:23 . 2008-01-11 18:24      229,621      -rahs----      C:\Funny UST Scandal.avi.exe
2008-01-15 20:18 . 2008-01-15 20:18      <DIR>      d--------      C:\Sbi
2008-01-15 19:43 . 2008-01-15 19:43      <DIR>      d--------      C:\WINDOWS\ERUNT
2008-01-15 19:23 . 2008-01-15 19:23      <DIR>      d--------      C:\Program Files\X-Cleaner
2008-01-15 18:22 . 2008-01-15 18:22      <DIR>      d--------      C:\Program Files\NoAdware5.0
2008-01-15 15:18 . 2008-01-11 18:24      229,621      -rahs----      C:\smss.exe
2008-01-15 14:56 . 2008-01-15 14:56      <DIR>      d--------      C:\WINDOWS\SxsCaPendDel
2008-01-15 12:33 . 2008-01-15 12:33      <DIR>      d--hs----      C:\FOUND.005
2008-01-15 12:23 . 2008-01-15 12:23      <DIR>      d--------      C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-01-15 11:45 . 2008-01-15 11:45      <DIR>      d--------      C:\Program Files\SUPERAntiSpyware
2008-01-15 11:45 . 2008-01-15 11:45      <DIR>      d--------      C:\Documents and Settings\abc\Application Data\SUPERAntiSpyware.com
2008-01-15 10:48 . 2008-01-15 10:48      <DIR>      d--hs----      C:\FOUND.004
2008-01-14 19:14 . 2008-01-14 19:14      <DIR>      d--hs----      C:\FOUND.003
2008-01-14 18:58 . 2008-01-14 18:58      <DIR>      d--hs----      C:\FOUND.002
2008-01-14 14:19 . 2008-01-14 14:19      <DIR>      d--------      C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-14 14:18 . 2008-01-14 14:18      <DIR>      d--------      C:\Program Files\Webroot
2008-01-14 14:18 . 2008-01-14 14:18      <DIR>      d--------      C:\Program Files\AskSBar
2008-01-14 14:18 . 2008-01-14 14:18      <DIR>      d--------      C:\Documents and Settings\abc\Application Data\Webroot
2008-01-14 13:48 . 2008-01-14 13:48      <DIR>      d--------      C:\Documents and Settings\abc\temp
2008-01-14 13:06 . 2008-01-14 13:06      <DIR>      d--------      C:\!KillBox
2008-01-13 21:44 . 2008-01-13 21:45      <DIR>      d--------      C:\Program Files\XoftSpySE
2008-01-13 19:51 . 2008-01-13 19:51      <DIR>      d--------      C:\Program Files\Lavasoft Ad-Aware
2008-01-13 13:41 . 2008-01-13 13:41      <DIR>      d--------      C:\Program Files\Alcohol Soft
2008-01-12 21:09 . 2008-01-12 21:09      <DIR>      d--------      C:\Program Files\Trend Micro
2008-01-12 21:09 . 2008-01-12 21:09      <DIR>      d--------      C:\Hijackthis
2008-01-12 19:52 . 2008-01-12 19:52      <DIR>      d--------      C:\Program Files\Trojan Remover
2008-01-12 19:52 . 2008-01-12 19:52      <DIR>      d--------      C:\Documents and Settings\abc\Application Data\Simply Super Software
2008-01-12 19:44 . 2008-01-12 19:44      <DIR>      d--------      C:\Program Files\Enigma Software Group
2008-01-12 18:48 . 2008-01-12 18:48      <DIR>      d--------      C:\Program Files\PrevxCSI
2008-01-12 18:30 . 2008-01-12 18:30      <DIR>      d--------      C:\Documents and Settings\abc\Application Data\PrevxCSI
2008-01-12 11:07 . 2008-01-12 11:07      <DIR>      d--hs----      C:\FOUND.001
2008-01-06 12:25 . 2008-01-06 12:26      <DIR>      d--------      C:\Program Files\Easy Video Downloader
2008-01-06 12:24 . 2008-01-06 12:24      <DIR>      d--------      C:\RealPlayer Downloads
2008-01-06 12:20 . 2008-01-06 12:20      <DIR>      d--------      C:\Program Files\SourceTec
2008-01-06 11:58 . 2008-01-06 11:58      <DIR>      d--------      C:\RealDownloads
2008-01-04 13:40 . 2008-01-04 13:40      <DIR>      d--------      C:\Documents and Settings\abc\workspace
2007-12-31 13:54 . 2007-12-31 13:54      <DIR>      d--------      C:\HTML
2007-12-30 10:17 . 2007-12-30 10:17      268      --ah-----      C:\sqmdata19.sqm
2007-12-30 10:17 . 2007-12-30 10:17      244      --ah-----      C:\sqmnoopt19.sqm
2007-12-29 22:34 . 2007-12-29 22:34      268      --ah-----      C:\sqmdata18.sqm
2007-12-29 22:34 . 2007-12-29 22:34      244      --ah-----      C:\sqmnoopt18.sqm
2007-12-29 17:42 . 2007-12-29 17:43      268      --ah-----      C:\sqmdata17.sqm
2007-12-29 17:42 . 2007-12-29 17:43      244      --ah-----      C:\sqmnoopt17.sqm
2007-12-29 17:17 . 2007-12-29 17:17      <DIR>      d--------      C:\Program Files\WinAce
2007-12-29 17:08 . 2007-12-29 17:08      <DIR>      d--------      C:\Program Files\EA GAMES
2007-12-29 15:40 . 2007-12-29 15:40      268      --ah-----      C:\sqmdata16.sqm
2007-12-29 15:40 . 2007-12-29 15:40      244      --ah-----      C:\sqmnoopt16.sqm
2007-12-29 14:04 . 2007-12-29 14:04      268      --ah-----      C:\sqmdata15.sqm
2007-12-29 14:04 . 2007-12-29 14:04      244      --ah-----      C:\sqmnoopt15.sqm
2007-12-29 13:59 . 2007-12-29 13:59      <DIR>      d--------      C:\Perl

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-12 12:48      45      ----a-w      C:\Program Files\InstErr.log
2008-01-11 12:54      229,621      --sha-r      C:\WINDOWS\smss.exe
2007-12-15 14:44      ---------      d-----w      C:\Program Files\Whizlabs Suite
2007-12-14 14:23      ---------      d-----w      C:\Documents and Settings\abc\Application Data\JCreator
2007-12-14 14:22      ---------      d-----w      C:\Program Files\Xinox Software
2007-12-13 13:14      ---------      d-----w      C:\Program Files\Apache Software Foundation
2007-12-12 15:33      ---------      d-----w      C:\Program Files\Sun
2007-12-11 17:08      ---------      d-----w      C:\Program Files\IBM HTTP Server
2007-12-11 16:58      ---------      d-----w      C:\Program Files\IBM
2007-12-11 08:22      ---------      d-----w      C:\Program Files\pass4sure
2007-12-11 08:04      ---------      d-----w      C:\Program Files\ActualtestsEngine
2007-12-10 13:27      ---------      d-----w      C:\Program Files\VideoLAN
2007-12-10 13:27      ---------      d-----w      C:\Documents and Settings\abc\Application Data\vlc
2007-12-06 10:50      ---------      d-----w      C:\Documents and Settings\abc\Application Data\CyberLink
2007-12-03 15:56      ---------      d-----w      C:\Program Files\Windows Unattended CD Creator
2007-12-01 05:42      ---------      d-----w      C:\Program Files\DAEMON Tools
2007-11-28 06:44      ---------      d-----w      C:\Program Files\DivX
2007-11-27 17:00      ---------      d-----w      C:\Program Files\Real
2007-11-27 17:00      ---------      d-----w      C:\Program Files\Common Files\xing shared
2007-11-27 17:00      ---------      d-----w      C:\Program Files\Common Files\Real
2007-11-27 15:02      ---------      d-----w      C:\Program Files\Oracle
2007-11-27 07:55      ---------      d-----w      C:\Program Files\Runtime Software
2007-11-27 07:44      ---------      d-----w      C:\Documents and Settings\abc\Application Data\COWON
2007-11-27 07:16      ---------      d-----w      C:\Program Files\Realtek
2007-11-27 06:23      ---------      d-----w      C:\Program Files\AIDA32 - Enterprise System Information
2007-11-26 16:36      ---------      d-----w      C:\Program Files\Google
2007-11-26 16:23      ---------      d-----w      C:\Program Files\Java
2007-11-26 16:23      ---------      d-----w      C:\Program Files\Common Files\Java
2007-11-26 16:11      ---------      d-----w      C:\Program Files\uTorrent
2007-11-26 15:39      ---------      d-----w      C:\Program Files\MCE
2007-11-26 15:18      ---------      d-----w      C:\Documents and Settings\abc\Application Data\AdobeUM
2007-11-26 14:15      ---------      d-----w      C:\Documents and Settings\abc\Application Data\Microsoft Web Folders
2007-11-26 14:09      ---------      d-----w      C:\Program Files\CyberLink
2007-11-26 14:08      ---------      d-----w      C:\Program Files\Common Files\Adobe
2007-11-26 14:06      ---------      d-----w      C:\Program Files\Winamp
2007-11-26 14:04      ---------      d-----w      C:\Program Files\Common Files\Ahead
2007-11-26 14:04      ---------      d-----w      C:\Program Files\Ahead
2007-11-26 14:00      ---------      d--h--w      C:\Program Files\InstallShield Installation Information
2007-11-26 14:00      ---------      d-----w      C:\Program Files\JetAudio
2007-11-26 14:00      ---------      d-----w      C:\Program Files\Common Files\InstallShield
2007-11-26 13:41      ---------      d-----w      C:\Program Files\microsoft frontpage
2007-11-07 12:01      1,191,936      ----a-w      C:\WINDOWS\RtlUpd.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Runonce"="C:\WINDOWS\smss.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 10:50 16855552 C:\WINDOWS\RTHDCPL.exe]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" [2008-01-16 15:06 92160]


*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 17:06:32 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-01-16 13:39:48 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 19:35:47
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-16 19:35:58
ComboFix-quarantined-files.txt  2008-01-16 14:05:58
.
2008-01-16 12:22:13      --- E O F ---  
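The log above carries, in plain text, the indicators a responder would pull out by eye: a file named smss.exe sitting in C:\WINDOWS and in C:\ rather than in system32 where the real Session Manager lives, hidden+system attributes on executables, a media-looking double extension (Funny UST Scandal.avi.exe), five executables of exactly 229,621 bytes under different names, and an HKCU Run value named "Runonce" that launches one of them. The script below is an added example written for this page, not ComboFix output and not code posted by any participant: it parses ComboFix-style file and "Reg Loading Points" lines and scores those indicators. The embedded sample is a constructed excerpt of the lines quoted above; the canonical-directory table and the lure-extension list are the example's own assumptions.

```python
import re
import sys
from collections import defaultdict

# Canonical home of a few core Windows processes whose names malware borrows;
# the same file name anywhere else is suspect (assumption: XP default layout).
CORE_PROCESS_DIRS = {
    "smss.exe": r"c:\windows\system32", "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32", "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32", "explorer.exe": r"c:\windows",
}
# A media/document extension directly before .exe marks a lure such as "clip.avi.exe".
LURE_EXTENSIONS = (".avi", ".mpg", ".wmv", ".jpg", ".gif", ".doc", ".pdf", ".txt")

FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})"           # first timestamp
    r"(?: \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"    # second timestamp ("Files Created" section only)
    r"\s+(<DIR>|[\d,]+|-+)"                         # size, <DIR>, or dashes for a directory
    r"\s+(\S+)"                                     # attribute string, e.g. -rahs---- or --sha-r
    r"\s+(.+?)\s*$")                                # path, which may contain spaces
HIVE_LINE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$")
VALUE_LINE = re.compile(r'^"([^"]+)"="([^"]+)"\s*\[(.*)\]\s*$')

# Constructed excerpt of the ComboFix log quoted in the thread above.
SAMPLE_LOG = r"""
2008-01-16 17:51 . 2008-01-11 18:24      229,621      --a------      C:\WINDOWS\Funny UST Scandal.exe
2008-01-16 14:28 . 2008-01-16 14:28      315,392      --a------      C:\WINDOWS\HideWin.exe
2008-01-16 12:14 . 2008-01-11 18:24      229,621      -rahs----      C:\WINDOWS\killer.exe
2008-01-15 20:23 . 2008-01-11 18:24      229,621      -rahs----      C:\Funny UST Scandal.avi.exe
2008-01-15 15:18 . 2008-01-11 18:24      229,621      -rahs----      C:\smss.exe
2008-01-15 12:33 . 2008-01-15 12:33      <DIR>      d--hs----      C:\FOUND.005
2008-01-11 12:54      229,621      --sha-r      C:\WINDOWS\smss.exe
2007-11-07 12:01      1,191,936      ----a-w      C:\WINDOWS\RtlUpd.exe
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Runonce"="C:\WINDOWS\smss.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"""


def parse_file_entries(log_text):
    """Return [(path, size_or_None, attrs)] for every file/directory line."""
    entries = []
    for line in log_text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            size_field, attrs, path = m.group(3), m.group(4), m.group(5)
            size = int(size_field.replace(",", "")) if size_field[0].isdigit() else None
            entries.append((path, size, attrs))
    return entries


def parse_run_values(log_text):
    """Return [(hive, value_name, resolved_path)] from the Reg Loading Points section.
    ComboFix prints the resolved on-disk path inside the trailing brackets when it
    found the file; otherwise the command string itself is used."""
    values, hive = [], None
    for line in log_text.splitlines():
        hm = HIVE_LINE.match(line.strip())
        if hm:
            hive = hm.group(1)
            continue
        vm = VALUE_LINE.match(line.strip())
        if vm and hive:
            name, command, info = vm.groups()
            pm = re.search(r"[A-Za-z]:\\.*", info)
            values.append((hive, name, pm.group(0).strip() if pm else command))
    return values


def triage(log_text):
    """Score the indicators a responder pulls out of such a log by eye and return
    {reason: sorted list of lowercase paths}."""
    findings, by_size = defaultdict(set), defaultdict(set)
    for path, size, attrs in parse_file_entries(log_text):
        lpath = path.lower()
        if attrs.startswith("d") or not lpath.endswith(".exe"):
            continue                                  # only executables are scored
        directory, _, name = lpath.rpartition("\\")
        if name in CORE_PROCESS_DIRS and directory != CORE_PROCESS_DIRS[name]:
            findings["core process name outside its canonical directory"].add(lpath)
        if "h" in attrs and "s" in attrs:
            findings["executable with hidden+system attributes"].add(lpath)
        if name[:-4].endswith(LURE_EXTENSIONS):
            findings["double extension ending in .exe"].add(lpath)
        if size is not None:
            by_size[size].add(lpath)
    for size, paths in by_size.items():
        if len(paths) > 1:                            # one payload copied under several names
            findings["identical-size executables under different names (%d bytes)" % size] |= paths
    suspicious = set().union(*findings.values())
    for hive, name, resolved in parse_run_values(log_text):
        if resolved.lower() in suspicious:
            findings["autostart value launches a flagged file"].add("%s\\%s -> %s" % (hive, name, resolved))
    return {reason: sorted(paths) for reason, paths in findings.items()}


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for reason, paths in triage(text).items():
        print(reason)
        for p in paths:
            print("   ", p)
```

Run it with a saved ComboFix.txt as the first argument, or with no argument to score the embedded excerpt. On the excerpt it flags both smss.exe copies, the four hidden+system executables, the .avi.exe lure, the five 229,621-byte files as one cluster, and the HKCU "Runonce" value, while leaving HideWin.exe and RtlUpd.exe unflagged. The size-cluster rule is a heuristic that will also group legitimately identical binaries, so treat its output as a list of files to hash and compare rather than as a verdict.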

 

by: vegetasharma, posted on 2008-01-16 at 06:24:26, ID: 20672096

I am sorry I made you angry.

I really need your help. O.K., I'll do what you say :)

ComboFix 08-01-16.4 - omi 2008-01-16 19:34:11.1 - FAT32 x86
Running from: C:\Documents and Settings\omi\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\smss.exe
C:\WINDOWS\autorun.inf
C:\WINDOWS\smss.exe

.
(((((((((((((((((((((((((   Files Created from 2007-12-16 to 2008-01-16  )))))))))))))))))))))))))))))))
.

2008-01-16 19:33 . 2000-08-31 08:00      51,200      --a------      C:\WINDOWS\NirCmd.exe
2008-01-16 19:11 . 2008-01-16 19:11      <DIR>      d--------      C:\WINDOWS\LastGood
2008-01-16 17:51 . 2008-01-11 18:24      229,621      --a------      C:\WINDOWS\Funny UST Scandal.exe
2008-01-16 17:10 . 2008-01-16 17:10      664      --a------      C:\WINDOWS\system32\d3d9caps.dat
2008-01-16 14:54 . 2008-01-16 14:54      940,794      --a------      C:\WINDOWS\system32\LoopyMusic.wav
2008-01-16 14:54 . 2008-01-16 14:54      146,650      --a------      C:\WINDOWS\system32\BuzzingBee.wav
2008-01-16 14:28 . 2007-11-06 10:50      16,855,552      --a------      C:\WINDOWS\RTHDCPL.exe
2008-01-16 14:28 . 2007-11-14 17:14      4,625,408      --a------      C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-01-16 14:28 . 2006-05-04 16:26      2,808,832      --a------      C:\WINDOWS\alcwzrd.exe
2008-01-16 14:28 . 2007-06-28 16:44      2,165,760      --a------      C:\WINDOWS\MicCal.exe
2008-01-16 14:28 . 2007-07-26 17:09      520,192      --a------      C:\WINDOWS\RtlExUpd.dll
2008-01-16 14:28 . 2008-01-16 14:28      315,392      --a------      C:\WINDOWS\HideWin.exe
2008-01-16 14:28 . 2005-09-21 10:25      299,008      --a------      C:\WINDOWS\system32\ALSndMgr.cpl
2008-01-16 14:28 . 2005-05-03 18:43      69,632      --a------      C:\WINDOWS\Alcmtr.exe
2008-01-16 14:22 . 2008-01-16 14:22      <DIR>      d--------      C:\Documents and Settings\omi\Application Data\PrevxCSI
2008-01-16 14:22 . 2008-01-16 14:22      <DIR>      d--------      C:\Documents and Settings\All Users.WINDOWS\Application Data\Prevx
2008-01-16 12:45 . 2008-01-16 12:45      0      --a------      C:\WINDOWS\nsreg.dat
2008-01-16 12:16 . 2008-01-16 12:16      <DIR>      d--------      C:\Documents and Settings\omi\Application Data\AdobeUM
2008-01-16 12:14 . 2008-01-11 18:24      229,621      -rahs----      C:\WINDOWS\killer.exe
2008-01-16 02:22 . 2001-08-23 18:00      176,157      --a------      C:\WINDOWS\system32\dllcache\dgrpsetu.dll
2008-01-16 02:22 . 2001-08-23 18:00      103,424      --a------      C:\WINDOWS\system32\dllcache\eqnclass.dll
2008-01-16 02:22 . 2001-08-23 18:00      85,020      --a------      C:\WINDOWS\system32\dllcache\dgsetup.dll
2008-01-16 02:22 . 2001-08-23 18:00      66,082      --a------      C:\WINDOWS\system32\dllcache\c_20127.nls
2008-01-16 02:22 . 2004-08-04 01:26      8,704      --a------      C:\WINDOWS\system32\dllcache\batt.dll
2008-01-15 22:25 . 2008-01-15 22:25      8,192      --a------      C:\WINDOWS\REGLOCS.OLD
2008-01-15 22:23 . 2001-08-23 18:00      1,875,968      --a------      C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-01-15 22:22 . 2001-08-23 18:00      13,463,552      --a------      C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-01-15 22:21 . 2004-08-04 01:26      2,134,528      --a------      C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-01-15 22:20 . 2008-01-15 22:20      <DIR>      d--hs----      C:\Documents and Settings\All Users.WINDOWS\DRM
2008-01-15 22:20 . 2008-01-15 22:20      749      -rah-----      C:\WINDOWS\WindowsShell.Manifest
2008-01-15 22:20 . 2008-01-15 22:20      749      -rah-----      C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-01-15 22:20 . 2008-01-15 22:20      749      -rah-----      C:\WINDOWS\system32\sapi.cpl.manifest
2008-01-15 22:20 . 2008-01-15 22:20      749      -rah-----      C:\WINDOWS\system32\nwc.cpl.manifest
2008-01-15 22:20 . 2008-01-15 22:20      749      -rah-----      C:\WINDOWS\system32\ncpa.cpl.manifest
2008-01-15 22:20 . 2008-01-15 22:20      749      -rah-----      C:\WINDOWS\system32\cdplayer.exe.manifest
2008-01-15 22:20 . 2008-01-15 22:20      488      -rah-----      C:\WINDOWS\system32\WindowsLogon.manifest
2008-01-15 22:20 . 2008-01-15 22:20      488      -rah-----      C:\WINDOWS\system32\logonui.exe.manifest
2008-01-15 22:18 . 2004-08-04 01:26      768,512      --a------      C:\WINDOWS\system32\dllcache\helpctr.exe
2008-01-15 22:17 . 2004-08-04 01:26      1,352,192      --a------      C:\WINDOWS\system32\dllcache\cimwin32.dll
2008-01-15 22:05 . 2008-01-15 22:06      <DIR>      dr-------      C:\Documents and Settings\All Users.WINDOWS\Documents
2008-01-15 22:03 . 2004-08-03 20:57      1,086,058      -ra------      C:\WINDOWS\SET1F.tmp
2008-01-15 22:03 . 2004-08-03 21:03      1,042,903      -ra------      C:\WINDOWS\SET1C.tmp
2008-01-15 22:03 . 2004-08-03 20:58      13,753      -ra------      C:\WINDOWS\SET2B.tmp
2008-01-15 20:55 . 2001-08-17 13:59      3,072      --a------      C:\WINDOWS\system32\drivers\audstub.sys
2008-01-15 20:54 . 2004-08-04 00:56      74,240      --a------      C:\WINDOWS\system32\usbui.dll
2008-01-15 20:54 . 2004-08-03 22:59      57,472      --a------      C:\WINDOWS\system32\drivers\redbook.sys
2008-01-15 20:54 . 2004-08-03 22:31      20,992      --a------      C:\WINDOWS\system32\drivers\RTL8139.sys
2008-01-15 20:52 . 2001-08-23 12:30      176,157      --a------      C:\WINDOWS\system32\dgrpsetu.dll
2008-01-15 20:50 . 2004-08-03 20:58      2,012,670      --a------      C:\WINDOWS\system32\dllcache\NT5.CAT
2008-01-15 20:48 . 2008-01-15 22:24      261      --a------      C:\WINDOWS\system32\$winnt$.inf
2008-01-15 20:23 . 2008-01-11 18:24      229,621      -rahs----      C:\Funny UST Scandal.avi.exe
2008-01-15 20:18 . 2008-01-15 20:18      <DIR>      d--------      C:\Sbi
2008-01-15 19:43 . 2008-01-15 19:43      <DIR>      d--------      C:\WINDOWS\ERUNT
2008-01-15 19:23 . 2008-01-15 19:23      <DIR>      d--------      C:\Program Files\X-Cleaner
2008-01-15 18:22 . 2008-01-15 18:22      <DIR>      d--------      C:\Program Files\NoAdware5.0
2008-01-15 15:18 . 2008-01-11 18:24      229,621      -rahs----      C:\smss.exe
2008-01-15 14:56 . 2008-01-15 14:56      <DIR>      d--------      C:\WINDOWS\SxsCaPendDel
2008-01-15 12:33 . 2008-01-15 12:33      <DIR>      d--hs----      C:\FOUND.005
2008-01-15 12:23 . 2008-01-15 12:23      <DIR>      d--------      C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-01-15 11:45 . 2008-01-15 11:45      <DIR>      d--------      C:\Program Files\SUPERAntiSpyware
2008-01-15 11:45 . 2008-01-15 11:45      <DIR>      d--------      C:\Documents and Settings\abc\Application Data\SUPERAntiSpyware.com
2008-01-15 10:48 . 2008-01-15 10:48      <DIR>      d--hs----      C:\FOUND.004
2008-01-14 19:14 . 2008-01-14 19:14      <DIR>      d--hs----      C:\FOUND.003
2008-01-14 18:58 . 2008-01-14 18:58      <DIR>      d--hs----      C:\FOUND.002
2008-01-14 14:19 . 2008-01-14 14:19      <DIR>      d--------      C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-14 14:18 . 2008-01-14 14:18      <DIR>      d--------      C:\Program Files\Webroot
2008-01-14 14:18 . 2008-01-14 14:18      <DIR>      d--------      C:\Program Files\AskSBar
2008-01-14 14:18 . 2008-01-14 14:18      <DIR>      d--------      C:\Documents and Settings\abc\Application Data\Webroot
2008-01-14 13:48 . 2008-01-14 13:48      <DIR>      d--------      C:\Documents and Settings\abc\temp
2008-01-14 13:06 . 2008-01-14 13:06      <DIR>      d--------      C:\!KillBox
2008-01-13 21:44 . 2008-01-13 21:45      <DIR>      d--------      C:\Program Files\XoftSpySE
2008-01-13 19:51 . 2008-01-13 19:51      <DIR>      d--------      C:\Program Files\Lavasoft Ad-Aware
2008-01-13 13:41 . 2008-01-13 13:41      <DIR>      d--------      C:\Program Files\Alcohol Soft
2008-01-12 21:09 . 2008-01-12 21:09      <DIR>      d--------      C:\Program Files\Trend Micro
2008-01-12 21:09 . 2008-01-12 21:09      <DIR>      d--------      C:\Hijackthis
2008-01-12 19:52 . 2008-01-12 19:52      <DIR>      d--------      C:\Program Files\Trojan Remover
2008-01-12 19:52 . 2008-01-12 19:52      <DIR>      d--------      C:\Documents and Settings\abc\Application Data\Simply Super Software
2008-01-12 19:44 . 2008-01-12 19:44      <DIR>      d--------      C:\Program Files\Enigma Software Group
2008-01-12 18:48 . 2008-01-12 18:48      <DIR>      d--------      C:\Program Files\PrevxCSI
2008-01-12 18:30 . 2008-01-12 18:30      <DIR>      d--------      C:\Documents and Settings\abc\Application Data\PrevxCSI
2008-01-12 11:07 . 2008-01-12 11:07      <DIR>      d--hs----      C:\FOUND.001
2008-01-06 12:25 . 2008-01-06 12:26      <DIR>      d--------      C:\Program Files\Easy Video Downloader
2008-01-06 12:24 . 2008-01-06 12:24      <DIR>      d--------      C:\RealPlayer Downloads
2008-01-06 12:20 . 2008-01-06 12:20      <DIR>      d--------      C:\Program Files\SourceTec
2008-01-06 11:58 . 2008-01-06 11:58      <DIR>      d--------      C:\RealDownloads
2008-01-04 13:40 . 2008-01-04 13:40      <DIR>      d--------      C:\Documents and Settings\abc\workspace
2007-12-31 13:54 . 2007-12-31 13:54      <DIR>      d--------      C:\HTML
2007-12-30 10:17 . 2007-12-30 10:17      268      --ah-----      C:\sqmdata19.sqm
2007-12-30 10:17 . 2007-12-30 10:17      244      --ah-----      C:\sqmnoopt19.sqm
2007-12-29 22:34 . 2007-12-29 22:34      268      --ah-----      C:\sqmdata18.sqm
2007-12-29 22:34 . 2007-12-29 22:34      244      --ah-----      C:\sqmnoopt18.sqm
2007-12-29 17:42 . 2007-12-29 17:43      268      --ah-----      C:\sqmdata17.sqm
2007-12-29 17:42 . 2007-12-29 17:43      244      --ah-----      C:\sqmnoopt17.sqm
2007-12-29 17:17 . 2007-12-29 17:17      <DIR>      d--------      C:\Program Files\WinAce
2007-12-29 17:08 . 2007-12-29 17:08      <DIR>      d--------      C:\Program Files\EA GAMES
2007-12-29 15:40 . 2007-12-29 15:40      268      --ah-----      C:\sqmdata16.sqm
2007-12-29 15:40 . 2007-12-29 15:40      244      --ah-----      C:\sqmnoopt16.sqm
2007-12-29 14:04 . 2007-12-29 14:04      268      --ah-----      C:\sqmdata15.sqm
2007-12-29 14:04 . 2007-12-29 14:04      244      --ah-----      C:\sqmnoopt15.sqm
2007-12-29 13:59 . 2007-12-29 13:59      <DIR>      d--------      C:\Perl

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-12 12:48      45      ----a-w      C:\Program Files\InstErr.log
2008-01-11 12:54      229,621      --sha-r      C:\WINDOWS\smss.exe
2007-12-15 14:44      ---------      d-----w      C:\Program Files\Whizlabs Suite
2007-12-14 14:23      ---------      d-----w      C:\Documents and Settings\abc\Application Data\JCreator
2007-12-14 14:22      ---------      d-----w      C:\Program Files\Xinox Software
2007-12-13 13:14      ---------      d-----w      C:\Program Files\Apache Software Foundation
2007-12-12 15:33      ---------      d-----w      C:\Program Files\Sun
2007-12-11 17:08      ---------      d-----w      C:\Program Files\IBM HTTP Server
2007-12-11 16:58      ---------      d-----w      C:\Program Files\IBM
2007-12-11 08:22      ---------      d-----w      C:\Program Files\pass4sure
2007-12-11 08:04      ---------      d-----w      C:\Program Files\ActualtestsEngine
2007-12-10 13:27      ---------      d-----w      C:\Program Files\VideoLAN
2007-12-10 13:27      ---------      d-----w      C:\Documents and Settings\abc\Application Data\vlc
2007-12-06 10:50      ---------      d-----w      C:\Documents and Settings\abc\Application Data\CyberLink
2007-12-03 15:56      ---------      d-----w      C:\Program Files\Windows Unattended CD Creator
2007-12-01 05:42      ---------      d-----w      C:\Program Files\DAEMON Tools
2007-11-28 06:44      ---------      d-----w      C:\Program Files\DivX
2007-11-27 17:00      ---------      d-----w      C:\Program Files\Real
2007-11-27 17:00      ---------      d-----w      C:\Program Files\Common Files\xing shared
2007-11-27 17:00      ---------      d-----w      C:\Program Files\Common Files\Real
2007-11-27 15:02      ---------      d-----w      C:\Program Files\Oracle
2007-11-27 07:55      ---------      d-----w      C:\Program Files\Runtime Software
2007-11-27 07:44      ---------      d-----w      C:\Documents and Settings\abc\Application Data\COWON
2007-11-27 07:16      ---------      d-----w      C:\Program Files\Realtek
2007-11-27 06:23      ---------      d-----w      C:\Program Files\AIDA32 - Enterprise System Information
2007-11-26 16:36      ---------      d-----w      C:\Program Files\Google
2007-11-26 16:23      ---------      d-----w      C:\Program Files\Java
2007-11-26 16:23      ---------      d-----w      C:\Program Files\Common Files\Java
2007-11-26 16:11      ---------      d-----w      C:\Program Files\uTorrent
2007-11-26 15:39      ---------      d-----w      C:\Program Files\MCE
2007-11-26 15:18      ---------      d-----w      C:\Documents and Settings\abc\Application Data\AdobeUM
2007-11-26 14:15      ---------      d-----w      C:\Documents and Settings\abc\Application Data\Microsoft Web Folders
2007-11-26 14:09      ---------      d-----w      C:\Program Files\CyberLink
2007-11-26 14:08      ---------      d-----w      C:\Program Files\Common Files\Adobe
2007-11-26 14:06      ---------      d-----w      C:\Program Files\Winamp
2007-11-26 14:04      ---------      d-----w      C:\Program Files\Common Files\Ahead
2007-11-26 14:04      ---------      d-----w      C:\Program Files\Ahead
2007-11-26 14:00      ---------      d--h--w      C:\Program Files\InstallShield Installation Information
2007-11-26 14:00      ---------      d-----w      C:\Program Files\JetAudio
2007-11-26 14:00      ---------      d-----w      C:\Program Files\Common Files\InstallShield
2007-11-26 13:41      ---------      d-----w      C:\Program Files\microsoft frontpage
2007-11-07 12:01      1,191,936      ----a-w      C:\WINDOWS\RtlUpd.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Runonce"="C:\WINDOWS\smss.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 10:50 16855552 C:\WINDOWS\RTHDCPL.exe]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" [2008-01-16 15:06 92160]


*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 17:06:32 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-01-16 13:39:48 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 19:35:47
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-16 19:35:58
ComboFix-quarantined-files.txt  2008-01-16 14:05:58
.
2008-01-16 12:22:13      --- E O F ---  

 

by: vegetasharmaPosted on 2008-01-16 at 06:30:17ID: 20672153

smss.exe
autorun.inf
smss.exe
Funny UST Scandal.avi.exe
killer.exe

Those are all threats, and you guys would know better how many there are :)

 

by: IndiGenusPosted on 2008-01-16 at 06:35:39ID: 20672204

You didn't make me angry, just stating the need for no profanity. We all get frustrated...

So you did re-install Windows? Are the other drives still connected? Can you post a new HJT log please? Please put the logs in a Code Window by selecting the Attach Code Snippet and putting the log text there.

 

by: vegetasharmaPosted on 2008-01-16 at 06:45:48ID: 20672275

OK sir :)

But you told me you would give me a shot with CFScript. Never mind.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:14:26 PM, on 1/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\killer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\smss.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.paretologic.com/go.aspx?aid=3&vid=31245&pid=1&lid=en&uid=0
F2 - REG:system.ini: Shell=explorer.exe, killer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" -boot
O4 - HKCU\..\Run: [Runonce] C:\WINDOWS\smss.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0D82B6F-245B-40E6-B778-7B6977AA5EE6}: NameServer = 218.248.240.23 218.248.240.135
 
--
End of file - 1673 bytes
                                              

 

by: vegetasharmaPosted on 2008-01-16 at 06:48:38ID: 20672297

The other drives are still connected.

 

by: IndiGenusPosted on 2008-01-16 at 07:30:14ID: 20672668

Well there doesn't appear to be too much left, but that doesn't mean it won't go easily. Let's give this a shot...

1. Open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:

---------------------------------------------------------------------------------------------------------------

File::
C:\smss.exe
C:\WINDOWS\autorun.inf
C:\WINDOWS\smss.exe
C:\WINDOWS\killer.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Runonce"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe"

---------------------------------------------------------------------------------------------------------------


3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please upload the following reports/logs.

-Combofix.txt
-A new HijackThis log

Please put them in the code snippet window...thanks.

Dave
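
The script below is an added example for this thread (not code from HijackThis, ComboFix or any poster). It does mechanically what Dave did by eye when he assembled the CFScript above: it reads a HijackThis log and flags the three things that mark this infection, namely a Winlogon Shell value that lists anything besides explorer.exe (the F2 line), a Run entry or running process that borrows a core Windows binary name such as smss.exe but lives outside %SystemRoot%\System32, and a double extension such as .avi.exe. The sample log embedded in it is the HijackThis log posted just above (abridged, not constructed). It assumes %SystemRoot% is C:\WINDOWS, as in that log, and it reports the O17 NameServer line for review only, since the page gives no reason to call those resolvers malicious.

```python
"""Triage a HijackThis log for the persistence patterns seen in this thread.

Added example; not code from HijackThis, ComboFix or any poster.
Assumptions: %SystemRoot% is C:\\WINDOWS (as in the posted log) and the only
program Winlogon should ever list in its Shell value is explorer.exe.
"""
import ntpath
import re
import textwrap

SYSTEM_ROOT = r"c:\windows"            # assumption: taken from the posted log
SYSTEM32 = SYSTEM_ROOT + r"\system32"

# Core Windows binary names that malware borrows. Their only legitimate home is
# System32; explorer.exe lives one level up, in %SystemRoot% itself.
SYSTEM_BINARY_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                       "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}

DOUBLE_EXT_RE = re.compile(r"\.(avi|mpe?g|mp3|jpe?g|gif|doc|pdf|txt)\.exe$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$")
DNS_RE = re.compile(r"^O17 - .*NameServer = (.*)$")


def check_path(path):
    """Return why `path` looks like a masquerading binary, or None if it passes."""
    directory, name = ntpath.split(path.strip().strip('"'))
    name_l = name.lower()
    if DOUBLE_EXT_RE.search(name_l):
        return "double extension hides an executable"
    if name_l in SYSTEM_BINARY_NAMES and directory:
        legit = SYSTEM_ROOT if name_l == "explorer.exe" else SYSTEM32
        if ntpath.normpath(directory).lower() != legit:
            return f"{name_l} outside {legit}"
    return None


def exe_from_command(cmd):
    """Pull the executable out of a Run-key command line such as '"C:\\x y\\a.exe" -boot'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd.strip('"')
    # Unquoted: stop at the first ' -' or ' /' switch so spaces inside the path survive.
    return re.split(r"\s[-/]", cmd, maxsplit=1)[0]


def parse_hjt(log_text):
    """Split a HijackThis log into the pieces the checks need."""
    parsed = {"processes": [], "run": [], "shell": None, "dns": None}
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes and re.match(r"^[A-Za-z]:\\", line):
            parsed["processes"].append(line)
            continue
        in_processes = False          # first non-path line ends the process list
        m = SHELL_RE.match(line)
        if m:
            parsed["shell"] = m.group(1)
            continue
        m = RUN_RE.match(line)
        if m:
            parsed["run"].append(m.groups())
            continue
        m = DNS_RE.match(line)
        if m:
            parsed["dns"] = m.group(1)
    return parsed


def triage_hjt(log_text):
    """Return (kind, detail) findings: Shell hijack, then Run keys, then processes, then info."""
    parsed = parse_hjt(log_text)
    findings = []
    extra_shells = []
    if parsed["shell"] is not None:
        programs = [p.strip().lower() for p in parsed["shell"].split(",") if p.strip()]
        extra_shells = [p for p in programs if p != "explorer.exe"]
        if extra_shells:
            findings.append(("winlogon-shell",
                             "Winlogon Shell starts more than explorer.exe: " + ", ".join(extra_shells)))
    for hive, key, name, cmd in parsed["run"]:
        reason = check_path(exe_from_command(cmd))
        if reason:
            findings.append(("run-key", f"{hive}\\..\\{key} [{name}] -> {cmd}: {reason}"))
    for proc in parsed["processes"]:
        reason = check_path(proc)
        # A process is also suspect if it is one of the extra programs in the Shell value.
        if reason is None and ntpath.basename(proc).lower() in extra_shells:
            reason = "started by the hijacked Winlogon Shell value"
        if reason:
            findings.append(("process", f"{proc}: {reason}"))
    if parsed["dns"]:
        findings.append(("info", "confirm these resolvers belong to your ISP: " + parsed["dns"]))
    return findings


# Copied (abridged) from the HijackThis log posted above in this thread; not constructed.
SAMPLE_HJT_LOG = textwrap.dedent(r"""
    Logfile of Trend Micro HijackThis v2.0.2
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\killer.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\smss.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    F2 - REG:system.ini: Shell=explorer.exe, killer.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" -boot
    O4 - HKCU\..\Run: [Runonce] C:\WINDOWS\smss.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A0D82B6F-245B-40E6-B778-7B6977AA5EE6}: NameServer = 218.248.240.23 218.248.240.135
""")

if __name__ == "__main__":
    for kind, detail in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{kind}] {detail}")
```

Run over the HijackThis log posted after the ComboFix run, the same Shell and Runonce findings come back, which matches what the next posts show: ComboFix deleted the smss.exe copies and C:\WINDOWS\autorun.inf, but killer.exe and the Shell value survived. The Shell value is what starts killer.exe on every normal-mode logon; in Safe Mode with Command Prompt, Winlogon starts the SafeBoot AlternateShell (cmd.exe) instead of the programs in this value, so the file is not running when a scan is launched from there.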

 

by: vegetasharmaPosted on 2008-01-16 at 08:18:43ID: 20673176

Yes Sir :)

ComboFix 08-01-16.4 - omi 2008-01-16 21:43:57.3 - [color=red][b]FAT32[/b][/color]x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.742 [GMT 5.5:30]
Running from: C:\Documents and Settings\omi\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\omi\Desktop\CFScript.txt
 * Created a new restore point
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\smss.exe
C:\WINDOWS\autorun.inf
C:\WINDOWS\smss.exe
 
.
(((((((((((((((((((((((((   Files Created from 2007-12-16 to 2008-01-16  )))))))))))))))))))))))))))))))
.
 
2008-01-16 20:12 . 2008-01-16 21:40	144	-rahs----	C:\autorun.inf
2008-01-16 19:33 . 2000-08-31 08:00	51,200	--a------	C:\WINDOWS\NirCmd.exe
2008-01-16 17:51 . 2008-01-11 18:24	229,621	--a------	C:\WINDOWS\Funny UST Scandal.exe
2008-01-16 17:10 . 2008-01-16 17:10	664	--a------	C:\WINDOWS\system32\d3d9caps.dat
2008-01-16 14:54 . 2008-01-16 14:54	940,794	--a------	C:\WINDOWS\system32\LoopyMusic.wav
2008-01-16 14:54 . 2008-01-16 14:54	146,650	--a------	C:\WINDOWS\system32\BuzzingBee.wav
2008-01-16 14:28 . 2007-11-06 10:50	16,855,552	--a------	C:\WINDOWS\RTHDCPL.exe
2008-01-16 14:28 . 2007-11-14 17:14	4,625,408	--a------	C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-01-16 14:28 . 2006-05-04 16:26	2,808,832	--a------	C:\WINDOWS\alcwzrd.exe
2008-01-16 14:28 . 2007-06-28 16:44	2,165,760	--a------	C:\WINDOWS\MicCal.exe
2008-01-16 14:28 . 2007-07-26 17:09	520,192	--a------	C:\WINDOWS\RtlExUpd.dll
2008-01-16 14:28 . 2008-01-16 14:28	315,392	--a------	C:\WINDOWS\HideWin.exe
2008-01-16 14:28 . 2005-09-21 10:25	299,008	--a------	C:\WINDOWS\system32\ALSndMgr.cpl
2008-01-16 14:28 . 2005-05-03 18:43	69,632	--a------	C:\WINDOWS\Alcmtr.exe
2008-01-16 14:22 . 2008-01-16 14:22	<DIR>	d--------	C:\Documents and Settings\omi\Application Data\PrevxCSI
2008-01-16 14:22 . 2008-01-16 14:22	<DIR>	d--------	C:\Documents and Settings\All Users.WINDOWS\Application Data\Prevx
2008-01-16 12:45 . 2008-01-16 12:45	0	--a------	C:\WINDOWS\nsreg.dat
2008-01-16 12:16 . 2008-01-16 12:16	<DIR>	d--------	C:\Documents and Settings\omi\Application Data\AdobeUM
2008-01-16 12:14 . 2008-01-11 18:24	229,621	-rahs----	C:\WINDOWS\killer.exe
2008-01-16 02:22 . 2001-08-23 18:00	176,157	--a------	C:\WINDOWS\system32\dllcache\dgrpsetu.dll
2008-01-16 02:22 . 2001-08-23 18:00	103,424	--a------	C:\WINDOWS\system32\dllcache\eqnclass.dll
2008-01-16 02:22 . 2001-08-23 18:00	85,020	--a------	C:\WINDOWS\system32\dllcache\dgsetup.dll
2008-01-16 02:22 . 2001-08-23 18:00	66,082	--a------	C:\WINDOWS\system32\dllcache\c_20127.nls
2008-01-16 02:22 . 2004-08-04 01:26	8,704	--a------	C:\WINDOWS\system32\dllcache\batt.dll
2008-01-15 22:25 . 2008-01-15 22:25	8,192	--a------	C:\WINDOWS\REGLOCS.OLD
2008-01-15 22:23 . 2001-08-23 18:00	1,875,968	--a------	C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-01-15 22:22 . 2001-08-23 18:00	13,463,552	--a------	C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-01-15 22:21 . 2004-08-04 01:26	2,134,528	--a------	C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-01-15 22:20 . 2008-01-15 22:20	<DIR>	d--hs----	C:\Documents and Settings\All Users.WINDOWS\DRM
2008-01-15 22:20 . 2008-01-15 22:20	749	-rah-----	C:\WINDOWS\WindowsShell.Manifest
2008-01-15 22:20 . 2008-01-15 22:20	749	-rah-----	C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-01-15 22:20 . 2008-01-15 22:20	749	-rah-----	C:\WINDOWS\system32\sapi.cpl.manifest
2008-01-15 22:20 . 2008-01-15 22:20	749	-rah-----	C:\WINDOWS\system32\nwc.cpl.manifest
2008-01-15 22:20 . 2008-01-15 22:20	749	-rah-----	C:\WINDOWS\system32\ncpa.cpl.manifest
2008-01-15 22:20 . 2008-01-15 22:20	749	-rah-----	C:\WINDOWS\system32\cdplayer.exe.manifest
2008-01-15 22:20 . 2008-01-15 22:20	488	-rah-----	C:\WINDOWS\system32\WindowsLogon.manifest
2008-01-15 22:20 . 2008-01-15 22:20	488	-rah-----	C:\WINDOWS\system32\logonui.exe.manifest
2008-01-15 22:18 . 2004-08-04 01:26	768,512	--a------	C:\WINDOWS\system32\dllcache\helpctr.exe
2008-01-15 22:17 . 2004-08-04 01:26	1,352,192	--a------	C:\WINDOWS\system32\dllcache\cimwin32.dll
2008-01-15 22:05 . 2008-01-15 22:06	<DIR>	dr-------	C:\Documents and Settings\All Users.WINDOWS\Documents
2008-01-15 22:03 . 2004-08-03 20:57	1,086,058	-ra------	C:\WINDOWS\SET1F.tmp
2008-01-15 22:03 . 2004-08-03 21:03	1,042,903	-ra------	C:\WINDOWS\SET1C.tmp
2008-01-15 22:03 . 2004-08-03 20:58	13,753	-ra------	C:\WINDOWS\SET2B.tmp
2008-01-15 20:55 . 2001-08-17 13:59	3,072	--a------	C:\WINDOWS\system32\drivers\audstub.sys
2008-01-15 20:54 . 2004-08-04 00:56	74,240	--a------	C:\WINDOWS\system32\usbui.dll
2008-01-15 20:54 . 2004-08-03 22:59	57,472	--a------	C:\WINDOWS\system32\drivers\redbook.sys
2008-01-15 20:54 . 2004-08-03 22:31	20,992	--a------	C:\WINDOWS\system32\drivers\RTL8139.sys
2008-01-15 20:52 . 2001-08-23 12:30	176,157	--a------	C:\WINDOWS\system32\dgrpsetu.dll
2008-01-15 20:50 . 2004-08-03 20:58	2,012,670	--a------	C:\WINDOWS\system32\dllcache\NT5.CAT
2008-01-15 20:48 . 2008-01-15 22:24	261	--a------	C:\WINDOWS\system32\$winnt$.inf
2008-01-15 20:23 . 2008-01-11 18:24	229,621	-rahs----	C:\Funny UST Scandal.avi.exe
2008-01-15 20:18 . 2008-01-15 20:18	<DIR>	d--------	C:\Sbi
2008-01-15 19:43 . 2008-01-15 19:43	<DIR>	d--------	C:\WINDOWS\ERUNT
2008-01-15 19:23 . 2008-01-15 19:23	<DIR>	d--------	C:\Program Files\X-Cleaner
2008-01-15 18:22 . 2008-01-15 18:22	<DIR>	d--------	C:\Program Files\NoAdware5.0
2008-01-15 14:56 . 2008-01-15 14:56	<DIR>	d--------	C:\WINDOWS\SxsCaPendDel
2008-01-15 12:33 . 2008-01-15 12:33	<DIR>	d--hs----	C:\FOUND.005
2008-01-15 12:23 . 2008-01-15 12:23	<DIR>	d--------	C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-01-15 11:45 . 2008-01-15 11:45	<DIR>	d--------	C:\Program Files\SUPERAntiSpyware
2008-01-15 11:45 . 2008-01-15 11:45	<DIR>	d--------	C:\Documents and Settings\abc\Application Data\SUPERAntiSpyware.com
2008-01-15 10:48 . 2008-01-15 10:48	<DIR>	d--hs----	C:\FOUND.004
2008-01-14 19:14 . 2008-01-14 19:14	<DIR>	d--hs----	C:\FOUND.003
2008-01-14 18:58 . 2008-01-14 18:58	<DIR>	d--hs----	C:\FOUND.002
2008-01-14 14:19 . 2008-01-14 14:19	<DIR>	d--------	C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-14 14:18 . 2008-01-14 14:18	<DIR>	d--------	C:\Program Files\Webroot
2008-01-14 14:18 . 2008-01-14 14:18	<DIR>	d--------	C:\Program Files\AskSBar
2008-01-14 14:18 . 2008-01-14 14:18	<DIR>	d--------	C:\Documents and Settings\abc\Application Data\Webroot
2008-01-14 13:48 . 2008-01-14 13:48	<DIR>	d--------	C:\Documents and Settings\abc\temp
2008-01-14 13:06 . 2008-01-14 13:06	<DIR>	d--------	C:\!KillBox
2008-01-13 21:44 . 2008-01-13 21:45	<DIR>	d--------	C:\Program Files\XoftSpySE
2008-01-13 19:51 . 2008-01-13 19:51	<DIR>	d--------	C:\Program Files\Lavasoft Ad-Aware
2008-01-13 13:41 . 2008-01-13 13:41	<DIR>	d--------	C:\Program Files\Alcohol Soft
2008-01-12 21:09 . 2008-01-12 21:09	<DIR>	d--------	C:\Program Files\Trend Micro
2008-01-12 21:09 . 2008-01-12 21:09	<DIR>	d--------	C:\Hijackthis
2008-01-12 19:52 . 2008-01-12 19:52	<DIR>	d--------	C:\Program Files\Trojan Remover
2008-01-12 19:52 . 2008-01-12 19:52	<DIR>	d--------	C:\Documents and Settings\abc\Application Data\Simply Super Software
2008-01-12 19:44 . 2008-01-12 19:44	<DIR>	d--------	C:\Program Files\Enigma Software Group
2008-01-12 18:48 . 2008-01-12 18:48	<DIR>	d--------	C:\Program Files\PrevxCSI
2008-01-12 18:30 . 2008-01-12 18:30	<DIR>	d--------	C:\Documents and Settings\abc\Application Data\PrevxCSI
2008-01-12 11:07 . 2008-01-12 11:07	<DIR>	d--hs----	C:\FOUND.001
2008-01-06 12:25 . 2008-01-06 12:26	<DIR>	d--------	C:\Program Files\Easy Video Downloader
2008-01-06 12:24 . 2008-01-06 12:24	<DIR>	d--------	C:\RealPlayer Downloads
2008-01-06 12:20 . 2008-01-06 12:20	<DIR>	d--------	C:\Program Files\SourceTec
2008-01-06 11:58 . 2008-01-06 11:58	<DIR>	d--------	C:\RealDownloads
2008-01-04 13:40 . 2008-01-04 13:40	<DIR>	d--------	C:\Documents and Settings\abc\workspace
2007-12-31 13:54 . 2007-12-31 13:54	<DIR>	d--------	C:\HTML
2007-12-30 10:17 . 2007-12-30 10:17	268	--ah-----	C:\sqmdata19.sqm
2007-12-30 10:17 . 2007-12-30 10:17	244	--ah-----	C:\sqmnoopt19.sqm
2007-12-29 22:34 . 2007-12-29 22:34	268	--ah-----	C:\sqmdata18.sqm
2007-12-29 22:34 . 2007-12-29 22:34	244	--ah-----	C:\sqmnoopt18.sqm
2007-12-29 17:42 . 2007-12-29 17:43	268	--ah-----	C:\sqmdata17.sqm
2007-12-29 17:42 . 2007-12-29 17:43	244	--ah-----	C:\sqmnoopt17.sqm
2007-12-29 17:17 . 2007-12-29 17:17	<DIR>	d--------	C:\Program Files\WinAce
2007-12-29 17:08 . 2007-12-29 17:08	<DIR>	d--------	C:\Program Files\EA GAMES
2007-12-29 15:40 . 2007-12-29 15:40	268	--ah-----	C:\sqmdata16.sqm
2007-12-29 15:40 . 2007-12-29 15:40	244	--ah-----	C:\sqmnoopt16.sqm
2007-12-29 14:04 . 2007-12-29 14:04	268	--ah-----	C:\sqmdata15.sqm
2007-12-29 14:04 . 2007-12-29 14:04	244	--ah-----	C:\sqmnoopt15.sqm
2007-12-29 13:59 . 2007-12-29 13:59	<DIR>	d--------	C:\Perl
2007-12-29 12:59 . 2007-12-29 12:59	<DIR>	d--------	C:\Program Files\DzSoft
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-12 12:48	45	----a-w	C:\Program Files\InstErr.log
2007-12-15 14:44	---------	d-----w	C:\Program Files\Whizlabs Suite
2007-12-14 14:23	---------	d-----w	C:\Documents and Settings\abc\Application Data\JCreator
2007-12-14 14:22	---------	d-----w	C:\Program Files\Xinox Software
2007-12-13 13:14	---------	d-----w	C:\Program Files\Apache Software Foundation
2007-12-12 15:33	---------	d-----w	C:\Program Files\Sun
2007-12-11 17:08	---------	d-----w	C:\Program Files\IBM HTTP Server
2007-12-11 16:58	---------	d-----w	C:\Program Files\IBM
2007-12-11 08:22	---------	d-----w	C:\Program Files\pass4sure
2007-12-11 08:04	---------	d-----w	C:\Program Files\ActualtestsEngine
2007-12-10 13:27	---------	d-----w	C:\Program Files\VideoLAN
2007-12-10 13:27	---------	d-----w	C:\Documents and Settings\abc\Application Data\vlc
2007-12-06 10:50	---------	d-----w	C:\Documents and Settings\abc\Application Data\CyberLink
2007-12-03 15:56	---------	d-----w	C:\Program Files\Windows Unattended CD Creator
2007-12-01 05:42	---------	d-----w	C:\Program Files\DAEMON Tools
2007-11-28 06:44	---------	d-----w	C:\Program Files\DivX
2007-11-27 17:00	---------	d-----w	C:\Program Files\Real
2007-11-27 17:00	---------	d-----w	C:\Program Files\Common Files\xing shared
2007-11-27 17:00	---------	d-----w	C:\Program Files\Common Files\Real
2007-11-27 15:02	---------	d-----w	C:\Program Files\Oracle
2007-11-27 07:55	---------	d-----w	C:\Program Files\Runtime Software
2007-11-27 07:44	---------	d-----w	C:\Documents and Settings\abc\Application Data\COWON
2007-11-27 07:16	---------	d-----w	C:\Program Files\Realtek
2007-11-27 06:23	---------	d-----w	C:\Program Files\AIDA32 - Enterprise System Information
2007-11-26 16:36	---------	d-----w	C:\Program Files\Google
2007-11-26 16:23	---------	d-----w	C:\Program Files\Java
2007-11-26 16:23	---------	d-----w	C:\Program Files\Common Files\Java
2007-11-26 16:11	---------	d-----w	C:\Program Files\uTorrent
2007-11-26 15:39	---------	d-----w	C:\Program Files\MCE
2007-11-26 15:18	---------	d-----w	C:\Documents and Settings\abc\Application Data\AdobeUM
2007-11-26 14:15	---------	d-----w	C:\Documents and Settings\abc\Application Data\Microsoft Web Folders
2007-11-26 14:09	---------	d-----w	C:\Program Files\CyberLink
2007-11-26 14:08	---------	d-----w	C:\Program Files\Common Files\Adobe
2007-11-26 14:06	---------	d-----w	C:\Program Files\Winamp
2007-11-26 14:04	---------	d-----w	C:\Program Files\Common Files\Ahead
2007-11-26 14:04	---------	d-----w	C:\Program Files\Ahead
2007-11-26 14:00	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-11-26 14:00	---------	d-----w	C:\Program Files\JetAudio
2007-11-26 14:00	---------	d-----w	C:\Program Files\Common Files\InstallShield
2007-11-26 13:41	---------	d-----w	C:\Program Files\microsoft frontpage
2007-11-07 12:01	1,191,936	----a-w	C:\WINDOWS\RtlUpd.exe
.
 
(((((((((((((((((((((((((((((   snapshot@2008-01-16_19.35.50.62   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-16 14:03:54	229,376	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000001\NTUSER.DAT
+ 2008-01-16 16:13:56	229,376	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000001\NTUSER.DAT
- 2008-01-16 14:03:54	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000002\UsrClass.dat
+ 2008-01-16 16:13:56	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000002\UsrClass.dat
- 2008-01-16 14:03:54	229,376	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000003\NTUSER.DAT
+ 2008-01-16 16:13:56	229,376	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000003\NTUSER.DAT
- 2008-01-16 14:03:56	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000004\UsrClass.dat
+ 2008-01-16 16:13:56	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000004\UsrClass.dat
- 2008-01-16 14:03:56	872,448	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000005\NTUSER.DAT
+ 2008-01-16 16:13:56	888,832	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000005\NTUSER.DAT
- 2008-01-16 14:03:56	12,288	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000006\UsrClass.dat
+ 2008-01-16 16:13:56	12,288	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000006\UsrClass.dat
+ 2000-08-31 02:30:00	163,328	----a-w	C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Runonce"="C:\WINDOWS\smss.exe" [2008-01-11 18:24 229621]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 10:50 16855552 C:\WINDOWS\RTHDCPL.exe]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" [2008-01-16 15:06 92160]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe, killer.exe"
 
.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 17:06:32 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-01-16 16:10:38 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************
 
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 21:45:44
Windows 5.1.2600 Service Pack 2 FAT NTAPI
 
scanning hidden processes ... 
 
scanning hidden autostart entries ...
 
scanning hidden files ... 
 
scan completed successfully 
hidden files: 0 
 
**************************************************************************
.
Completion time: 2008-01-16 21:45:55
ComboFix-quarantined-files.txt  2008-01-16 16:15:56
ComboFix3.txt  2008-01-16 14:06:00
ComboFix2.txt  2008-01-16 14:40:00
.
2008-01-16 12:22:13	--- E O F ---  
                                              

 

by: vegetasharmaPosted on 2008-01-16 at 08:19:56ID: 20673190

Here is Hijack Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:49:35 PM, on 1/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\killer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.paretologic.com/go.aspx?aid=3&vid=31245&pid=1&lid=en&uid=0
F2 - REG:system.ini: Shell=explorer.exe, killer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" -boot
O4 - HKCU\..\Run: [Runonce] C:\WINDOWS\smss.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0D82B6F-245B-40E6-B778-7B6977AA5EE6}: NameServer = 218.248.240.23 218.248.240.135
 
--
End of file - 1631 bytes
                                              

 

by: top_rungPosted on 2008-01-16 at 08:43:16ID: 20673438

Dave is giving you great help.

You might want to physically open your computer (or go into BIOS), and disconnect/disable every drive but your Primary (C:). Start with cleaning that one. Once you have that one locked down via antivirus, firewall, disabling accounts, you can attempt to enable another drive and clean via command line or similar route. Don't be surprised if you get reinfected though.

Again, if you have backed up data or can stand to do without it, really, start clean by fully formatting (not quick formatting) every drive.   If you try to save data, you better scan every piece of it before introducing to another system.

 

by: IndiGenusPosted on 2008-01-16 at 08:53:51ID: 20673565

Yeah, this thing just won't go away. Try this...keep the drives connected for now and try sUBs' Flash_Disinfector to see if that will stop it from just coming back.

Flash_Disinfector from sUBs.

http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe

Doubleclick on Flash_Disinfector.exe to run it and follow the prompts.
Wait until it has finished scanning and then exit the program.
The utility may ask you to insert your flash drive and/or other removable drives. This may include your mobile phone.
Please do so and allow the utility to clean up those drives as well.

Give us a new HJT log after. I've also asked our top expert in this area to look in here as this one has me stumped right now.
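
Flash_Disinfector is a binary, so nothing on this page shows what it does. The script below is an added example (not the tool's code, not code from any poster) of the approach Flash_Disinfector is generally described as taking, which I state here as an assumption rather than a fact from the page: create a directory named autorun.inf on each drive root, so that a worm which tries to write its autorun.inf file at X:\autorun.inf fails. That matters in this thread because C:\autorun.inf reappeared with the hidden and system attributes at 21:40 on the same day ComboFix deleted C:\WINDOWS\autorun.inf, and the other drives are still connected. The helper autorun_targets shows what such a file would launch; the sample autorun.inf in it is constructed for the example (the worm's real file was never posted) and only reuses the smss.exe name from the thread.

```python
"""Occupy the autorun.inf name on a drive root so a worm cannot re-plant its launcher.

Added example; not Flash_Disinfector's code. Assumption: the tool works by creating a
DIRECTORY called autorun.inf on each drive root, so the worm's attempt to write the
autorun.inf FILE fails. The directory trick works on any filesystem (the drives in
this thread are FAT32); on Windows the directory additionally gets the read-only,
hidden and system attributes.
"""
import ctypes
import os
import sys
import tempfile

FILE_ATTRIBUTE_READONLY = 0x01
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04


def autorun_targets(text):
    """Return the commands an autorun.inf would hand to Explorer: the values of
    open=, shellexecute= and any shell\\<verb>\\command= key."""
    targets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "[")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(value.strip())
    return targets


def vaccinate(drive_root):
    """Make <drive_root>\\autorun.inf a directory.

    Returns 'created', 'already-vaccinated', or 'file-present' when an autorun.inf
    FILE is already there. That file is left untouched on purpose: read it with
    autorun_targets() and remove the launcher it points at before vaccinating."""
    target = os.path.join(drive_root, "autorun.inf")
    if os.path.isdir(target):
        return "already-vaccinated"
    if os.path.lexists(target):
        return "file-present"
    os.mkdir(target)
    if sys.platform == "win32":
        attrs = FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
        ctypes.windll.kernel32.SetFileAttributesW(target, attrs)
    return "created"


def launcher_can_be_planted(drive_root):
    """Do what the worm does: try to create the autorun.inf file. True on success."""
    target = os.path.join(drive_root, "autorun.inf")
    try:
        with open(target, "x") as fh:
            fh.write("[autorun]\n")
    except OSError:
        return False
    os.remove(target)  # this is only a probe; do not leave a real file behind
    return True


# Constructed sample modelled on the file names in this thread; the real worm's
# autorun.inf contents were never posted.
SAMPLE_WORM_AUTORUN = """\
[autorun]
open=smss.exe
shell\\open\\Command=smss.exe
shell\\explore\\Command=smss.exe
shellexecute=smss.exe
"""


def demo():
    """Run the before/after sequence on a scratch directory standing in for a drive root."""
    root = tempfile.mkdtemp(prefix="fake_drive_")
    results = [launcher_can_be_planted(root)]       # True: nothing stops the worm yet
    results.append(vaccinate(root))                # 'created'
    results.append(vaccinate(root))                # 'already-vaccinated'
    results.append(launcher_can_be_planted(root))  # False: the name is taken by a directory
    return results


if __name__ == "__main__":
    print("worm's autorun.inf would launch:", autorun_targets(SAMPLE_WORM_AUTORUN))
    print("before/after vaccination:", demo())
```

Two caveats a practitioner should keep in mind. The directory only blocks the common worm code path that calls CreateFile on X:\autorun.inf and gives up on failure; malware running with enough rights can delete the directory first, and FAT32 offers no ACL to stop it. And vaccination does nothing about copies of the worm already on the drive, so the files themselves (here the 229,621-byte smss.exe, killer.exe and "Funny UST Scandal.avi.exe" copies) still have to be removed.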

 

by: eXpeLLeD_4RM_heLLPosted on 2008-01-16 at 10:39:16ID: 20674679

 

by: eXpeLLeD_4RM_heLLPosted on 2008-01-16 at 10:50:46ID: 20674781

Since you already downloaded SDFix, go into the SDFix folder and run this in normal mode. Download SAV32CLI and run it. It should download to C:\SAV32CLI. Restart your computer and press F8 before the Windows logo comes up. Choose the option "Safe Mode with Command Prompt."
In the Command Prompt type:
cd..
Your command prompt should look like "c:\>"; if not, carry on typing cd.. until it does.
Now type > cd sav32cli
>sav32cli -remove -p=c:\logfile.txt
Let the scan run; it will ask you about deleting each virus that it detects.
Thereafter post your logfile, which will be found on your C: drive, here.

Thanks

 

by: vegetasharmaPosted on 2008-01-16 at 23:06:03ID: 31421671

You hit directly into the heart, not mine but the virus's. hahahahaha

thanks

 

by: vegetasharmaPosted on 2008-01-16 at 23:08:11ID: 20679289

<<heres a website:
http://piyushlabs.wordpress.com/smss/>>
That solution helped me.
thanks a lot.
by the way thanks to all who tried to help me.
