Solved

Virus/Spyware Removal

Posted on 2008-06-23
605 Views
Last Modified: 2013-12-06
I've just run AVG and removed items. Can someone please look at my HijackThis log and see if it looks clean. Thanks.
Question by:PCGalOfCal
15 Comments
 

Author Comment

by:PCGalOfCal
ID: 21850736
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:48:17 PM, on 6/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\WINDOWS\system32\sistray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
F:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5DD4EAD8-3240-4B68-8A0E-DAA0BD661E32} - C:\DOCUME~1\Jay\Desktop\mwie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [92731671071946491856519139946260] C:\Program Files\XP Antivirus\xpa.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107841019452
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 7615 bytes
0
 
LVL 2

Expert Comment

by:Journer
ID: 21850914
for future reference, attaching the file would be easier to read, anywho:
all processes look fine (assuming you want google toolbar)

I have no idea what wormradar.com is, so you might want to remove that BHO
you could remove google toolbar and yahoo toolbar if you don't want them


O4 - HKCU\..\Run: [92731671071946491856519139946260] C:\Program Files\XP Antivirus\xpa.exe

don't know what that is, might want to remove it, looks fishy.
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
same for that, look it up

everything else looks fine. however, if you know you were infected, I would be more thorough than an AVG scan and HijackThis. try running clamscan (it doesn't have an active agent so you can install it alongside AVG). run a Windows Defender scan, maybe some other spyware scanners too.

but to answer your question...in general, it looks fine.
0
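The two entries singled out above (an unnamed BHO loaded from a user's Desktop, and a Run value whose name is a long string of digits) are the kind of thing an analyst spots by eye in a HijackThis log. The following is an added example, not code from the thread or from Trend Micro: a small triage script that applies those same checks to O2 and O4 lines. The sample lines are constructed from the log format above, and the rules (unnamed BHO, DLL or Run target under a user profile, all-digit Run value name) are heuristics that mark entries for a human to look up, not a verdict that they are malicious.

```python
"""Heuristic triage of HijackThis O2 (BHO) and O4 (Run) lines.

Added example; the rules below are the analyst's rules of thumb from the
thread, encoded as regexes, and are assumptions rather than HijackThis
behaviour.
"""
import re

# Constructed sample: a handful of lines in HijackThis format, including the
# two entries the thread flagged and three that it considered normal.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5DD4EAD8-3240-4B68-8A0E-DAA0BD661E32} - C:\DOCUME~1\Jay\Desktop\mwie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [92731671071946491856519139946260] C:\Program Files\XP Antivirus\xpa.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"""

# O2 - BHO: <name> - {<CLSID>} - <dll path>
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# O4 - HKLM\..\Run: [<value name>] <command>
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")

# Directory markers that mean "inside a user profile" (short 8.3 form and
# long form for XP, plus \Users\ for later Windows). Heuristic.
USER_PROFILE_MARKERS = ("\\docume~1\\", "\\documents and settings\\", "\\users\\")


def in_user_profile(path):
    """True if the path points under a user profile rather than Program Files/Windows."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_PROFILE_MARKERS)


def triage(log_text):
    """Return a list of {'line': ..., 'reasons': [...]} for entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []

        bho = BHO_RE.match(line)
        if bho:
            if bho.group("name") == "(no name)":
                reasons.append("BHO has no name")
            if in_user_profile(bho.group("path")):
                reasons.append("BHO DLL lives in a user profile directory, not Program Files")

        run = RUN_RE.match(line)
        if run:
            if run.group("key").isdigit():
                reasons.append("Run value name is a bare number")
            if in_user_profile(run.group("cmd")):
                reasons.append("Run target lives in a user profile directory")

        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["line"])
        for reason in hit["reasons"]:
            print("    -", reason)
```

Run it as-is and it reports exactly the two entries discussed in this thread; point `triage()` at a saved HijackThis log to get the same shortlist for another machine. Anything it lists still needs the usual lookup of the CLSID or file name before being fixed.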
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 21851278
If XP Antivirus is still active, SDFix also removes it.

Download SDFix and save it to your desktop.(either one below)
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* Open the extracted folder and double click "RunThis.bat" to start the script.
* Type "Y" to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and attach the contents of the results file "Report.txt" back


If you don't know this BHO, fix it as well.
O2 - BHO: (no name) - {5DD4EAD8-3240-4B68-8A0E-DAA0BD661E32} - C:\DOCUME~1\Jay\Desktop\mwie.dll
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 21851298
>>>O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
same for that, look it up<<<

The above entry is legit, part of Adobe Reader.
0
 
LVL 23

Expert Comment

by:phototropic
ID: 21851625
"...i have no idea what wormradar.com is so you might want to remove that BHO..."

Worm radar is a legit component of AVG 8.0.
0
 

Author Comment

by:PCGalOfCal
ID: 21851958
Gamergirl,
I'm still infected with something, it just popped up. AVG says the file name is autorun.inf (I think, it's closed now).  Originally it was XP antivirus. Anyway, I'm running sdfix and will post back.  Thanks.
0
 

Author Comment

by:PCGalOfCal
ID: 21852147
SDFix text file
Report.txt
0

 
LVL 2

Expert Comment

by:Journer
ID: 21852225
i've never used SDFix before, but from what i can tell it looks ok, maybe the original poster will know more.
anyways, if you are still infected, it is best to run a pre-load scan such as Avast's boot-time scanner or similar. you could check out some of the boot CDs available such as BartPE and other bootable CDs with virus scanning.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 21853984
Let's use ComboFix.
Download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to, and run it from, your Desktop.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply as "Code Snippet".
Re-enable all the programs that were disabled during the running of ComboFix.


Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


This link tells you how to use ComboFix as well as how to install the Recovery Console if you haven't yet.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
0
 

Author Comment

by:PCGalOfCal
ID: 21855359
ComboFix 08-06-20.4 - Jay 2008-06-24  6:07:58.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.133 [GMT -7:00]
Running from: C:\Documents and Settings\Jay\Desktop\ComboFix.exe
 * Created a new restore point
 * Resident AV is active


[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Jay\err.log

.
(((((((((((((((((((((((((   Files Created from 2008-05-24 to 2008-06-24  )))))))))))))))))))))))))))))))
.

2008-06-23 20:04 . 2008-06-23 21:30      <DIR>      d--------      C:\Documents and Settings\Jay\.housecall6.6
2008-06-23 18:59 . 2008-06-23 18:59      <DIR>      d--------      C:\WINDOWS\ERUNT
2008-06-23 18:40 . 2008-06-23 19:19      <DIR>      d--------      C:\SDFix
2008-06-23 13:36 . 2008-06-23 20:31      <DIR>      d--h-----      C:\$AVG8.VAULT$
2008-06-23 13:28 . 2008-06-23 13:28      96,520      --a------      C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-23 13:28 . 2008-06-23 13:28      75,272      --a------      C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-23 13:28 . 2008-06-23 13:28      10,520      --a------      C:\WINDOWS\system32\avgrsstx.dll
2008-06-23 13:27 . 2008-06-23 13:34      <DIR>      d--------      C:\WINDOWS\system32\drivers\Avg
2008-06-23 13:27 . 2008-06-23 13:27      <DIR>      d--------      C:\Program Files\AVG
2008-06-23 13:27 . 2008-06-23 14:53      <DIR>      d--------      C:\Documents and Settings\Jay\Application Data\AVGTOOLBAR
2008-06-23 13:27 . 2008-06-23 13:27      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\avg8
2008-06-22 15:55 . 2008-06-22 15:55      <DIR>      d--------      C:\Program Files\Windows Defender
2008-06-22 15:48 . 2008-06-22 15:48      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-22 15:47 . 2008-06-22 15:47      <DIR>      d--------      C:\Program Files\Common Files\Wise Installation Wizard
2008-06-22 15:45 . 2008-06-22 15:49      <DIR>      d--------      C:\Program Files\Eusing Free Registry Cleaner
2008-06-21 09:55 . 2008-06-21 09:55      <DIR>      d--h-----      C:\WINDOWS\system32\GroupPolicy
2008-06-11 03:02 . 2008-06-11 03:02      276      --a------      C:\WINDOWS\system32\MRT.INI
2008-06-10 16:53 . 2008-06-13 06:10      272,128      -----c---      C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 05:57 . 2008-06-18 18:42      124,409      -r-hs----      C:\f.bat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-22 23:04      ---------      d-----w      C:\Program Files\Common Files\DriveCleaner 2006 Free
2008-06-20 23:18      ---------      d-----w      C:\Program Files\DivX
2008-06-13 13:10      272,128      ------w      C:\WINDOWS\system32\drivers\bthport.sys
2008-05-11 03:34      ---------      d-----w      C:\Program Files\Safari
2008-05-11 03:31      ---------      d-----w      C:\Program Files\Apple Software Update
2008-05-09 15:35      ---------      d-----w      C:\Documents and Settings\Jay\Application Data\AdobeUM
2008-05-08 12:28      202,752      ----a-w      C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18      1,287,680      ----a-w      C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16      826,368      ----a-w      C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12      151,583      ----a-w      C:\WINDOWS\system32\msjint40.dll
2001-11-23 04:08      712,704      ----a-r      C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5DD4EAD8-3240-4B68-8A0E-DAA0BD661E32}]
2008-06-16 16:21      487936      --a------      C:\DOCUME~1\Jay\Desktop\mwie.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-24 02:58 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 03:15 106496]
"SiSPower"="SiSPower.dll" [2004-09-01 22:47 49152 C:\WINDOWS\system32\SiSPower.dll]
"Cmaudio"="cmicnfg.cpl,CMICtrlWnd" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46 57344]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 22:31 208952]
"IMEKRMIG6.1"="" []
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-28 04:39 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 04:39 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 04:39 455168]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-23 13:27 1177368]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-04-22 11:02:24 98304]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-04-22 11:02:24 98304]
Monitor.lnk - C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe [2007-11-30 14:04:48 114688]
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2005-02-07 23:39:17 331776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIVF"= DivX412.dll
"vidc.XVID"= xvid.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-23 13:28]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-23 13:27]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-23 13:27]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-23 13:28]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\DTSP_Launcher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b172f43-b5a0-11dc-b550-00115b6fb490}]
\Shell\AutoRun\command - F:\ek.com
\Shell\explore\Command - F:\ek.com
\Shell\open\Command - F:\ek.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f0c0b99-5193-11dc-b52c-00115b6fb490}]
\Shell\AutoRun\command - G:\DTSP_Launcher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f0c0b9a-5193-11dc-b52c-00115b6fb490}]
\Shell\AutoRun\command - H:\nncu6kk.com
\Shell\explore\Command - H:\nncu6kk.com
\Shell\open\Command - H:\nncu6kk.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ddbe68e-cc39-11dc-b557-00115b6fb490}]
\Shell\AutoRun\command - F:\nncu6kk.com
\Shell\explore\Command - F:\nncu6kk.com
\Shell\open\Command - F:\nncu6kk.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cee25bd4-9ed4-11dc-b548-00115b6fb490}]
\Shell\AutoRun\command - F:\1i.com
\Shell\explore\Command - F:\1i.com
\Shell\open\Command - F:\1i.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d42ed5b0-0668-11dd-b563-00115b6fb490}]
\Shell\AutoRun\command - F:\cubp.bat
\Shell\explore\Command - F:\cubp.bat
\Shell\open\Command - F:\cubp.bat

.
Contents of the 'Scheduled Tasks' folder
"2008-06-18 02:01:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-24 08:47:31 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-24 06:10:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-24  6:12:40
ComboFix-quarantined-files.txt  2008-06-24 13:12:17

Pre-Run: 25,169,117,184 bytes free
Post-Run: 25,298,223,104 bytes free

139      --- E O F ---      2008-06-21 01:46:22
0
 
LVL 47

Accepted Solution

by: rpggamergirl (earned 500 total points)
ID: 21856302
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
F:\ek.com
H:\nncu6kk.com
F:\nncu6kk.com
F:\1i.com
F:\cubp.bat
C:\DOCUME~1\Jay\Desktop\mwie.dll

Folder::
DriveCleaner 2006 Free

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5DD4EAD8-3240-4B68-8A0E-DAA0BD661E32}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b172f43-b5a0-11dc-b550-00115b6fb490}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f0c0b9a-5193-11dc-b52c-00115b6fb490}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ddbe68e-cc39-11dc-b557-00115b6fb490}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cee25bd4-9ed4-11dc-b548-00115b6fb490}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d42ed5b0-0668-11dd-b563-00115b6fb490}]
------------------------------------------------------------------------

3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.



After you've done that, run Flash_Disinfector.
Download Flash_Disinfector.exe by sUBs:
http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe
and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future spread of infection.
0
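The CFScript above was written by hand from the MountPoints2 entries in the ComboFix log: every drive-letter key whose AutoRun command points at a `.com` or `.bat` file in the root of a removable drive, or that also overrides the `open` and `explore` verbs so that double-clicking the drive runs the file, was listed for removal, while the two keys that only launch `DTSP_Launcher.exe` were left alone. As an added example (not ComboFix's code and not part of the accepted answer), the script below parses that section of a ComboFix log, applies those two heuristics, and drafts the `File::` and `Registry::` blocks in the same format. The sample log text is constructed from the entries posted above; the accepted answer also removed `mwie.dll`, its BHO key and the DriveCleaner folder, which come from other sections of the log and are not derived here.

```python
"""Draft CFScript entries from the MountPoints2 section of a ComboFix log.

Added example. The two removal heuristics (script-like AutoRun target, or
open/explore verbs hijacked) are assumptions taken from how the entries in
this thread were judged, not rules ComboFix itself applies.
"""
import os
import re
from collections import OrderedDict

# Constructed sample: the MountPoints2 entries from the log above, plus one
# unrelated section to show that it is skipped.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5DD4EAD8-3240-4B68-8A0E-DAA0BD661E32}]
2008-06-16 16:21      487936      --a------      C:\DOCUME~1\Jay\Desktop\mwie.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\DTSP_Launcher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b172f43-b5a0-11dc-b550-00115b6fb490}]
\Shell\AutoRun\command - F:\ek.com
\Shell\explore\Command - F:\ek.com
\Shell\open\Command - F:\ek.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f0c0b99-5193-11dc-b52c-00115b6fb490}]
\Shell\AutoRun\command - G:\DTSP_Launcher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f0c0b9a-5193-11dc-b52c-00115b6fb490}]
\Shell\AutoRun\command - H:\nncu6kk.com
\Shell\explore\Command - H:\nncu6kk.com
\Shell\open\Command - H:\nncu6kk.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ddbe68e-cc39-11dc-b557-00115b6fb490}]
\Shell\AutoRun\command - F:\nncu6kk.com
\Shell\explore\Command - F:\nncu6kk.com
\Shell\open\Command - F:\nncu6kk.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cee25bd4-9ed4-11dc-b548-00115b6fb490}]
\Shell\AutoRun\command - F:\1i.com
\Shell\explore\Command - F:\1i.com
\Shell\open\Command - F:\1i.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d42ed5b0-0668-11dd-b563-00115b6fb490}]
\Shell\AutoRun\command - F:\cubp.bat
\Shell\explore\Command - F:\cubp.bat
\Shell\open\Command - F:\cubp.bat
"""

# Extensions that, as an AutoRun target in a drive root, warrant removal (heuristic).
SCRIPT_LIKE = {".com", ".bat", ".cmd", ".pif", ".scr", ".vbs"}

KEY_RE = re.compile(
    r"^\[(?P<key>HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\[^\]]+)\]$", re.I)
VERB_RE = re.compile(r"^\\Shell\\(?P<verb>\w+)\\command - (?P<target>.+)$", re.I)


def parse_mountpoints(log_text):
    """Return an ordered mapping: registry key -> {verb (lowercase): target}."""
    entries = OrderedDict()
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):          # any section header resets context
            match = KEY_RE.match(line)
            current = match.group("key") if match else None
            if current is not None:
                entries[current] = {}
            continue
        match = VERB_RE.match(line)
        if match and current is not None:
            entries[current][match.group("verb").lower()] = match.group("target")
    return entries


def suspicious(entries):
    """Keys whose shell commands look like autorun-worm hijacks (heuristic)."""
    hits = OrderedDict()
    for key, verbs in entries.items():
        target = verbs.get("autorun")
        if target is None:
            continue
        ext = os.path.splitext(target)[1].lower()
        hijacks_verbs = "open" in verbs or "explore" in verbs
        if ext in SCRIPT_LIKE or hijacks_verbs:
            hits[key] = target
    return hits


def draft_cfscript(hits):
    """Render File:: and Registry:: blocks in CFScript syntax for the flagged keys."""
    files = list(OrderedDict.fromkeys(hits.values()))   # de-duplicate, keep order
    lines = ["File::"] + files + ["", "Registry::"] + ["[-%s]" % key for key in hits]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(draft_cfscript(suspicious(parse_mountpoints(SAMPLE_LOG))), end="")
```

On the sample it reproduces the five `File::` lines and five `[-HKEY_CURRENT_USER\...]` lines of the accepted answer, in the same order, and leaves both `DTSP_Launcher.exe` keys untouched. The draft is a starting point for review, not something to hand to ComboFix unread: anything it lists should be checked against the drive contents first.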
 

Author Comment

by:PCGalOfCal
ID: 21857118
Thank you everyone for your time and comments.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 21861985
I assume problem's been resolved.

Please uninstall ComboFix.
Go to Start > Run and copy and paste the next command into the field:

ComboFix /u


Thanks!
0
 

Author Comment

by:PCGalOfCal
ID: 21866046
I already returned the PC to the client. I did delete the ComboFix icons from the root of C: and also the desktop, but I did not uninstall it properly. Oops. Shouldn't matter as long as they don't find it and run it, correct? Thanks
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 21870750
>>>as long as they don't find it and run it, correct?<<<
it's okay, don't worry about it, thanks.
0
