Re: explorer.exe problem~Keeps restarting

Question

steeko7071 0 Newbie Poster

17 Years Ago

Having same issue with explorer.exe. ran combofix, which Temporarily fixes my system, but after another 15 min or so its back to acting up. I deleted all restore points (purposely) because they were all infected. Any ideas on what im missing? Here are combofix, hijack, vundofix logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:27, on 2007-11-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Safe mode with network support


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator.AS400.000\Desktop\HiJackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\iifghij.dll
O2 - BHO: (no name) - {6F910420-8761-479E-9085-1569ACC42CA1} - C:\WINDOWS\system32\awvvv.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [combofix] "C:\WINDOWS\system32\cmd.exe" /c "cd /d C:\ComboFix\ & Combobatch.bat"
O4 - HKLM\..\RunOnce: [combofix] C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: iifghij - C:\WINDOWS\SYSTEM32\iifghij.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - cmd.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


--
End of file - 3672 bytes



ComboFix 07-11-08.1 - James Clark 2007-11-08 23:59:47.7 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.608 [GMT -5:00]
Running from: C:\Documents and Settings\James Clark\Desktop\ComboFix.exe
* Created a new restore point
.


Unable to gain System Privileges


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.


C:\WINDOWS\system32\awvtr.dll
C:\WINDOWS\system32\rtvwa.bak2
C:\WINDOWS\system32\rtvwa.ini
.
---- Previous Run -------
.
C:\WINDOWS\system32\jjllm.bak1
C:\WINDOWS\system32\jjllm.ini
C:\WINDOWS\system32\mlljj.dll


.
(((((((((((((((((((((((((   Files Created from 2007-10-09 to 2007-11-09  )))))))))))))))))))))))))))))))
.


2007-11-08 22:06    <DIR>    d--------   C:\Documents and Settings\James Clark\Application Data\Webroot
2007-11-08 22:01    <DIR>    d--------   C:\Documents and Settings\LocalService\Application Data\Webroot
2007-11-08 22:01    163,640 --a------   C:\WINDOWS\system32\drivers\ssidrv.sys
2007-11-08 22:01    23,864  --a------   C:\WINDOWS\system32\drivers\sskbfd.sys
2007-11-08 22:01    21,816  --a------   C:\WINDOWS\system32\drivers\sshrmd.sys
2007-11-08 22:01    20,280  --a------   C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-11-08 22:00    <DIR>    d--------   C:\Program Files\Webroot
2007-11-08 22:00    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Webroot
2007-11-08 22:00    <DIR>    d--------   C:\Documents and Settings\Administrator.AS400.000\Application Data\Webroot
2007-11-08 22:00    1,526,072   --a------   C:\WINDOWS\WRSetup.dll
2007-11-08 21:10    164 --a------   C:\install.dat
2007-11-08 20:39    <DIR>    d--------   C:\Program Files\Roguescanfix
2007-11-07 18:57    45,056  --a------   C:\WINDOWS\system32\WNASPI32.DLL
2007-11-07 18:57    17,005  --a------   C:\WINDOWS\system32\drivers\ASPI32.SYS
2007-11-07 18:57    5,600   --a------   C:\WINDOWS\system\WINASPI.DLL
2007-11-07 18:57    4,672   --a------   C:\WINDOWS\system\WOWPOST.EXE
2007-11-07 18:55    <DIR>    d--------   C:\Program Files\Symantec


.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-09 05:09    ---------   d-----w C:\Program Files\Windows Defender
2007-11-09 04:41    ---------   d-----w C:\Program Files\wxovqxxx
2007-11-07 23:57    ---------   d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-07 23:57    ---------   d-----w C:\Documents and Settings\James Clark\Application Data\Symantec
2007-11-07 23:55    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-07 20:42    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-07 18:29    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-04 06:11    7,467,056   ----a-w C:\spybotsd15.exe
2007-09-06 11:09    801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 11:00    95,608  ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-08-21 06:15    683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-02-16 22:09    23,352  ----a-w C:\Documents and Settings\James Clark\Application Data\GDIPFONTCACHEV1.DAT
2007-02-04 03:25    14,390  ----a-w C:\Program Files\INSTALL.LOG
2005-12-15 20:29    9,070   ----a-w C:\Program Files\Auto-Tune 4 PC VST Read Me.rtf
2005-03-28 19:28    6,461   ----a-w C:\Program Files\AT4 DX Read Me.rtf
2005-03-21 18:33    5,981   ----a-w C:\Program Files\ReadMe DX.txt
2005-03-17 17:20    29,696  ----a-w C:\Program Files\AT4 PC RTAS Read Me.doc
2004-03-16 17:12    594,571 ----a-w C:\Program Files\Auto-Tune4_Manual.pdf
2003-08-25 02:05    339,944 ----a-w C:\Program Files\UNWISE.EXE
.


(((((((((((((((((((((((((((((   snapshot@2007-11-07_16.06.35.93   )))))))))))))))))))))))))))))))))))))))))
.
- 2006-11-01 23:31:34   315,904 ----a-w C:\WINDOWS\inf\unregmp2.exe
+ 2007-06-27 03:10:26   317,440 ----a-w C:\WINDOWS\inf\unregmp2.exe
+ 2007-11-07 23:57:12   32,768  ----a-r C:\WINDOWS\Installer\{BBAAACFA-B012-4367-ADDA-4DDCDFD48F96}\_D904164A6024_4D6A_BD1A_DF13008894B0.exe
+ 2007-11-07 23:57:12   10,134  ----a-r C:\WINDOWS\Installer\{BBAAACFA-B012-4367-ADDA-4DDCDFD48F96}\Ghost.exe
+ 2007-11-07 23:57:12   8,478   ----a-r C:\WINDOWS\Installer\{BBAAACFA-B012-4367-ADDA-4DDCDFD48F96}\ghostimage.exe
- 2006-10-19 02:47:16   414,208 -c--a-w C:\WINDOWS\system32\dllcache\msscp.dll
+ 2006-12-04 21:21:50   414,720 -c--a-w C:\WINDOWS\system32\dllcache\msscp.dll
- 2006-11-01 23:31:34   315,904 -c--a-w C:\WINDOWS\system32\dllcache\unregmp2.exe
+ 2007-06-27 03:10:26   317,440 -c--a-w C:\WINDOWS\system32\dllcache\unregmp2.exe
- 2006-10-19 02:47:20   10,834,432  -c--a-w C:\WINDOWS\system32\dllcache\wmp.dll
+ 2007-06-12 04:51:12   10,834,944  -c--a-w C:\WINDOWS\system32\dllcache\wmp.dll
+ 2007-10-11 19:12:48   1,468,968   ----a-w C:\WINDOWS\system32\LegitCheckControl.DLL
- 2006-10-19 02:47:16   414,208 ----a-w C:\WINDOWS\system32\msscp.dll
+ 2006-12-04 21:21:50   414,720 ----a-w C:\WINDOWS\system32\msscp.dll
+ 2007-10-01 21:24:34   16,184  ----a-w C:\WINDOWS\system32\ssiefr.EXE
- 2006-10-19 02:47:20   10,834,432  ----a-w C:\WINDOWS\system32\wmp.dll
+ 2007-06-12 04:51:12   10,834,944  ----a-w C:\WINDOWS\system32\wmp.dll
+ 2007-10-01 21:24:36   219,448 ----a-w C:\WINDOWS\system32\WRLogonNtf.dll
+ 2007-10-01 21:24:36   26,424  ----a-w C:\WINDOWS\system32\wrlzma.dll
+ 2007-11-09 05:12:20   16,384  ----atw C:\WINDOWS\temp\Perflib_Perfdata_1c4.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
2007-02-04 23:46    36352   --a------   C:\WINDOWS\system32\iifghij.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=0 (0x0)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"= C:\WINDOWS\system32\iifghij.dll [2007-02-04 23:46 36352]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifghij]
iifghij.dll 2007-02-04 23:46 36352 C:\WINDOWS\system32\iifghij.dll


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awvtr.dll


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\d_kmd.sys]
@="Driver"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^James Clark^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]
path=C:\Documents and Settings\James Clark\Start Menu\Programs\Startup\Trend Micro Anti-Spyware.lnk
backup=C:\WINDOWS\pss\Trend Micro Anti-Spyware.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
"C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaISSDT]
"C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
"C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CU1]
C:\Program Files\Common Files\VCClient\VCClient.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CU2]
C:\Program Files\Common Files\VCClient\VCMain.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTrustPPAP]
"C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X6100 Series]
"C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LexPPS.exe]
C:\WINDOWS\system32\lexpps.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware12]
"C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QOELOADER]
"C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe


R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINDOWS\system32\Drivers\SSFS0BB9.SYS
R1 d_kmd;d_kmd;\??\C:\WINDOWS\system32\drivers\d_kmd.sys
R1 GhPciScan;GhostPciScanner;\??\C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys
R1 mapledxp;mapledxp;C:\WINDOWS\system32\drivers\mapledxp.SYS
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys
R2 RVIEG01;VSC Engine;\??\C:\Program Files\Image-Line\FL Studio 6\Plugins\VST\RVIEg01.sys
R2 RVIEGVST;VSC VST Engine;\??\C:\Program Files\Image-Line\FLStudio5\Plugins\VST\RVIEg01VST.sys
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys
S2 PLUSBRW;BUSlink USB-Optical Adapter;C:\WINDOWS\system32\DRIVERS\scd1pl.sys
S3 dalwdmservice;dal service;C:\WINDOWS\system32\drivers\dalwdm.sys
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe"
S3 mr97310c;CIF Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310c.sys
S3 PLSCSIRW;PLSCSIRW;C:\WINDOWS\system32\DRIVERS\scd0pl.sys
S3 RDID1045;Roland FANTOM-X;C:\WINDOWS\system32\Drivers\RDWM1045.SYS
S3 USBMIDI;UF USB MIDI Driver;C:\WINDOWS\system32\Drivers\Mdusb.sys


.
Contents of the 'Scheduled Tasks' folder
"2007-11-09 05:15:08 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-02-07 00:33:34 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************


catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-09 00:14:02
Windows 5.1.2600 Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden autostart entries ...


scanning hidden files ...


scan completed successfully
hidden files: 0


**************************************************************************
.
Completion time: 2007-11-09  0:17:21 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-07 18:04
C:\ComboFix3.txt ... 2007-11-07 16:08
.
--- E O F ---


Export SharedTaskScheduler key
------------------------------
REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"


VundoFix V6.5.11


Checking Java version...


Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.


Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.


Scan started at 7:59:47 PM 2/6/2007


Listing files found while scanning....


No infected files were found.



Beginning removal...


VundoFix V6.5.10


Checking Java version...


Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.


Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.


Scan started at 12:56:01 PM 2/7/2007


Listing files found while scanning....



VundoFix V6.5.10


Checking Java version...


Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.


Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.


Scan started at 1:50:57 PM 11/7/2007


Listing files found while scanning....


No infected files were found.



Beginning removal...

I KNOW ITS LONG..... THANKS FOR THE HELP... CHEERS

windows-virus

Edited 11 Years Ago by happygeek because: fixed formatting

2 Contributors
6 Replies
299 Views
5 Days Discussion Span
Latest Post 17 Years Ago Latest Post by gerbil

gerbil 216 Industrious Poster

17 Years Ago

Hi, steek, first up, please run hijackthis in normal mode if possible when you require a log for checking; in safe mode not all processes are started, we may miss things.
Right.
=Please make a restore point because an infected restore point is better than no restore point at all. We can get rid of it later. An infection can only get out of a restore point if that point is actually used.
Delete your C:\vundofix.txt. It is confusing.
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to a folder or your desktop.
__________________________________________________________

File::
C:\install.dat
C:\WINDOWS\system32\iifghij.dll

Folder::
C:\Program Files\wxovqxxx

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6F910420-8761-479E-9085-1569ACC42CA1}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifghij]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= hex(7):6d,73,76,31,5f,30,00,00
__________________________________________________________

Good. Now drag CFScript.txt onto Combofix [drag the icon if on your desktop, or the filename if in a folder]. Combofix will start, let it run, if your firewall prompts then allow all; post the log.

=Now run Vundofix again please [latest vsn is 6.5.0.11]
=Please believe this message/warning from Vundofix:
Java version is 1.5.0.6, Old versions of java are exploitable and should be removed.
Go control panel > java > update, & press update now. Restart after installing the update, and then go into control panel again, add/remove pgms and remove all old versions of java. Vsn 1.6.0.3 is current....

Post a fresh hijackthis, combofix and vundofix logs with your comments.

gerbil 216 Industrious Poster

17 Years Ago

"(could have swore that i already tried this method : )"... yeah, you did, kinda, but it's all in the wrist action :)
Your first combofix run pointed out some things that I fixed with the second run and then it was free to chase other stuff.
Okay, your hijackthis log is clean [it's so short there is just no room fer malware...] and the combofix log shows nothing else lurking. Is explorer still running? How is your sys, generally?

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

steeko7071 0 Newbie Poster · Answer 1 · 2007-11-12T20:13:56+00:00

Great, I will start this new method as soon as i get home. Thanks

steeko7071 0 Newbie Poster · Answer 2 · 2007-11-13T11:10:22+00:00

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:54 PM, on 11/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\James Clark\Desktop\imabunny.exe


O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


--
End of file - 2826 bytes

.

ComboFix 07-11-08.1 - James Clark 2007-11-12 18:01:27.16 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.558 [GMT -5:00]
Running from: C:\Documents and Settings\James Clark\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\James Clark\Desktop\CFScript.txt
* Created a new restore point


FILE
C:\install.dat
C:\WINDOWS\system32\iifghij.dll
.


Unable to gain System Privileges


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.


C:\install.dat
C:\WINDOWS\system32\dccdd.bak1
C:\WINDOWS\system32\dccdd.bak2
C:\WINDOWS\system32\dccdd.tmp
C:\WINDOWS\system32\ddccd.dll
C:\WINDOWS\system32\iifghij.dll


.
(((((((((((((((((((((((((   Files Created from 2007-10-12 to 2007-11-12  )))))))))))))))))))))))))))))))
.


2007-11-11 12:47    <DIR>    d--------   C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-11-10 13:49    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-10 13:48    <DIR>    d--------   C:\Program Files\SUPERAntiSpyware
2007-11-10 13:48    <DIR>    d--------   C:\Documents and Settings\James Clark\Application Data\SUPERAntiSpyware.com
2007-11-09 15:22    <DIR>    d--------   C:\Program Files\Real
2007-11-09 01:02    <DIR>    d--------   C:\Documents and Settings\Administrator.AS400.000\Application Data\EmuPatchMixDSP
2007-11-08 22:06    <DIR>    d--------   C:\Documents and Settings\James Clark\Application Data\Webroot
2007-11-08 22:01    <DIR>    d--------   C:\Documents and Settings\LocalService\Application Data\Webroot
2007-11-08 22:01    163,640 --a------   C:\WINDOWS\system32\drivers\ssidrv.sys
2007-11-08 22:01    23,864  --a------   C:\WINDOWS\system32\drivers\sskbfd.sys
2007-11-08 22:01    21,816  --a------   C:\WINDOWS\system32\drivers\sshrmd.sys
2007-11-08 22:01    20,280  --a------   C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-11-08 22:00    <DIR>    d--------   C:\Program Files\Webroot
2007-11-08 22:00    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Webroot
2007-11-08 22:00    <DIR>    d--------   C:\Documents and Settings\Administrator.AS400.000\Application Data\Webroot
2007-11-08 22:00    1,526,072   --a------   C:\WINDOWS\WRSetup.dll
2007-11-08 20:39    <DIR>    d--------   C:\Program Files\Roguescanfix
2007-11-07 18:57    45,056  --a------   C:\WINDOWS\system32\WNASPI32.DLL
2007-11-07 18:57    17,005  --a------   C:\WINDOWS\system32\drivers\ASPI32.SYS
2007-11-07 18:57    5,600   --a------   C:\WINDOWS\system\WINASPI.DLL
2007-11-07 18:57    4,672   --a------   C:\WINDOWS\system\WOWPOST.EXE
2007-11-07 18:55    <DIR>    d--------   C:\Program Files\Symantec


.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-10 18:47    ---------   d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-10 18:16    ---------   d-----w C:\Program Files\Lavasoft
2007-11-10 18:16    ---------   d-----w C:\Documents and Settings\James Clark\Application Data\Lavasoft
2007-11-09 05:09    ---------   d-----w C:\Program Files\Windows Defender
2007-11-07 23:57    ---------   d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-07 23:57    ---------   d-----w C:\Documents and Settings\James Clark\Application Data\Symantec
2007-11-07 23:55    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-07 20:42    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-07 18:29    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-04 06:11    7,467,056   ----a-w C:\spybotsd15.exe
2007-09-06 11:09    801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 11:00    95,608  ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-08-21 06:15    683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-02-16 22:09    23,352  ----a-w C:\Documents and Settings\James Clark\Application Data\GDIPFONTCACHEV1.DAT
2007-02-04 03:25    14,390  ----a-w C:\Program Files\INSTALL.LOG
2005-12-15 20:29    9,070   ----a-w C:\Program Files\Auto-Tune 4 PC VST Read Me.rtf
2005-03-28 19:28    6,461   ----a-w C:\Program Files\AT4 DX Read Me.rtf
2005-03-21 18:33    5,981   ----a-w C:\Program Files\ReadMe DX.txt
2005-03-17 17:20    29,696  ----a-w C:\Program Files\AT4 PC RTAS Read Me.doc
2004-03-16 17:12    594,571 ----a-w C:\Program Files\Auto-Tune4_Manual.pdf
2003-08-25 02:05    339,944 ----a-w C:\Program Files\UNWISE.EXE
.


(((((((((((((((((((((((((((((   snapshot@2007-11-07_16.06.35.93   )))))))))))))))))))))))))))))))))))))))))
.
- 2006-11-01 23:31:34   315,904 ----a-w C:\WINDOWS\inf\unregmp2.exe
+ 2007-06-27 03:10:26   317,440 ----a-w C:\WINDOWS\inf\unregmp2.exe
+ 2007-11-07 23:57:12   32,768  ----a-r C:\WINDOWS\Installer\{BBAAACFA-B012-4367-ADDA-4DDCDFD48F96}\_D904164A6024_4D6A_BD1A_DF13008894B0.exe
+ 2007-11-07 23:57:12   10,134  ----a-r C:\WINDOWS\Installer\{BBAAACFA-B012-4367-ADDA-4DDCDFD48F96}\Ghost.exe
+ 2007-11-07 23:57:12   8,478   ----a-r C:\WINDOWS\Installer\{BBAAACFA-B012-4367-ADDA-4DDCDFD48F96}\ghostimage.exe
+ 2007-11-10 18:48:49   29,696  ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-11-10 18:48:49   18,944  ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-11-10 18:48:50   65,024  ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2001-07-14 22:32:24   69,632  ----a-w C:\WINDOWS\setupupd\temp\wsdueng.dll
- 2006-10-19 02:47:16   414,208 -c--a-w C:\WINDOWS\system32\dllcache\msscp.dll
+ 2006-12-04 21:21:50   414,720 -c--a-w C:\WINDOWS\system32\dllcache\msscp.dll
- 2006-11-01 23:31:34   315,904 -c--a-w C:\WINDOWS\system32\dllcache\unregmp2.exe
+ 2007-06-27 03:10:26   317,440 -c--a-w C:\WINDOWS\system32\dllcache\unregmp2.exe
- 2006-10-19 02:47:20   10,834,432  -c--a-w C:\WINDOWS\system32\dllcache\wmp.dll
+ 2007-06-12 04:51:12   10,834,944  -c--a-w C:\WINDOWS\system32\dllcache\wmp.dll
+ 2007-10-11 19:12:48   1,468,968   ----a-w C:\WINDOWS\system32\LegitCheckControl.DLL
- 2006-10-19 02:47:16   414,208 ----a-w C:\WINDOWS\system32\msscp.dll
+ 2006-12-04 21:21:50   414,720 ----a-w C:\WINDOWS\system32\msscp.dll
+ 2007-10-01 21:24:34   16,184  ----a-w C:\WINDOWS\system32\ssiefr.EXE
- 2006-10-19 02:47:20   10,834,432  ----a-w C:\WINDOWS\system32\wmp.dll
+ 2007-06-12 04:51:12   10,834,944  ----a-w C:\WINDOWS\system32\wmp.dll
+ 2007-10-01 21:24:36   219,448 ----a-w C:\WINDOWS\system32\WRLogonNtf.dll
+ 2007-10-01 21:24:36   26,424  ----a-w C:\WINDOWS\system32\wrlzma.dll
+ 2007-11-12 23:14:36   16,384  ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_e8.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 07:24]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=0 (0x0)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^James Clark^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]
path=C:\Documents and Settings\James Clark\Start Menu\Programs\Startup\Trend Micro Anti-Spyware.lnk
backup=C:\WINDOWS\pss\Trend Micro Anti-Spyware.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
"C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaISSDT]
"C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
"C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CU1]
C:\Program Files\Common Files\VCClient\VCClient.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CU2]
C:\Program Files\Common Files\VCClient\VCMain.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTrustPPAP]
"C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X6100 Series]
"C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LexPPS.exe]
C:\WINDOWS\system32\lexpps.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware12]
"C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QOELOADER]
"C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"niSvcLoc"=2 (0x2)
"NIDomainService"=2 (0x2)
"MDM"=2 (0x2)
"IDriverT"=3 (0x3)
"GoogleDesktopManager-093007-112848"=3 (0x3)


R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINDOWS\system32\Drivers\SSFS0BB9.SYS
R1 GhPciScan;GhostPciScanner;\??\C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys
R1 mapledxp;mapledxp;C:\WINDOWS\system32\drivers\mapledxp.SYS
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys
R2 RVIEG01;VSC Engine;\??\C:\Program Files\Image-Line\FL Studio 6\Plugins\VST\RVIEg01.sys
R2 RVIEGVST;VSC VST Engine;\??\C:\Program Files\Image-Line\FLStudio5\Plugins\VST\RVIEg01VST.sys
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys
S2 PLUSBRW;BUSlink USB-Optical Adapter;C:\WINDOWS\system32\DRIVERS\scd1pl.sys
S3 dalwdmservice;dal service;C:\WINDOWS\system32\drivers\dalwdm.sys
S3 mr97310c;CIF Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310c.sys
S3 PLSCSIRW;PLSCSIRW;C:\WINDOWS\system32\DRIVERS\scd0pl.sys
S3 RDID1045;Roland FANTOM-X;C:\WINDOWS\system32\Drivers\RDWM1045.SYS
S3 USBMIDI;UF USB MIDI Driver;C:\WINDOWS\system32\Drivers\Mdusb.sys


.
Contents of the 'Scheduled Tasks' folder
"2007-11-12 22:03:05 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-02-07 00:33:34 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************


catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-12 18:15:26
Windows 5.1.2600 Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden autostart entries ...


scanning hidden files ...


scan completed successfully
hidden files: 0


**************************************************************************
.
Completion time: 2007-11-12 18:17:16 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-10 18:06
C:\ComboFix3.txt ... 2007-11-10 15:33
.
--- E O F ---


P.S. VUNDO FIX Yielded no results!! NOTHING WAS FOUND

Comments: Ironically, this is the longest that explorer.exe has stayed on...(could have swore that i already tried this method : )

steeko7071 0 Newbie Poster · Answer 3 · 2007-11-14T00:51:53+00:00

"yeah, you did, kinda, but it's all in the wrist action :)

LMAO, We have to start calling you the MJ of virus removal : ) So far my system has sustained throughout the night (I left it on) My system seems to be stable, or visually back to normal. I do understand that my security may never be the same.. XoftSpySE just popped up telling me about its results, which are rather surprising, seems as though ive been infected with....

MyWebSearch (high)
Smitfraud (high)
IEPlugin (severe)
Best Offers Smiley Source (high)
EPS E-Mail Password Sender (severe)
and a few other low risk files/regkeys

gerbil 216 Industrious Poster · Answer 4 · 2007-11-14T07:10:44+00:00

I don't see any MyWebSearch entries, Smitfraud if it was working would be feeding you popups... May I suggest that you empty all spyware tools' etc bins? eg C:\Qoobox is combofix's bin. Then see what Xoft has to say. Run a cleaner and then an online scan:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.