Thread: Completely Infected...Help!

  1. #1
    Join Date
    Oct 2007
    Posts
    17
    ComboFix 07-10-29.1 - Paula 2007-10-30 14:20:04.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.419 [GMT -4:00]
    Running from: C:\Documents and Settings\Paula\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
    C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
    C:\Temp\fCOe
    C:\WINDOWS\b147.exe
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\system32\dbasbbvx.dll
    C:\WINDOWS\system32\ddlvepbs.dll
    C:\WINDOWS\system32\ldinfo.ldr
    C:\WINDOWS\system32\npqss.bak1
    C:\WINDOWS\system32\npqss.bak2
    C:\WINDOWS\system32\npqss.ini
    C:\WINDOWS\system32\oTt06e
    C:\WINDOWS\system32\oTt08e
    C:\WINDOWS\system32\oyjerxoa.dll
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\ptpckcpx.dll
    C:\WINDOWS\system32\rwpqjiwy.dllbox
    C:\WINDOWS\system32\sbpevldd.ini
    C:\WINDOWS\system32\xbgjzuai.dllbox
    C:\WINDOWS\system32\xfinkknv.dll
    C:\WINDOWS\system32\xpckcptp.ini
    C:\WINDOWS\system32\xvbbsabd.ini
    C:\WINDOWS\winshow.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_NWSAPAGENT
    -------\NwSapAgent


    ((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-30 )))))))))))))))))))))))))))))))
    .

    2007-10-30 14:17 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-10-30 09:44 <DIR> d-------- C:\KAV
    2007-10-30 08:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-10-30 08:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-10-30 08:29 <DIR> d-------- C:\Program Files\Windows Defender
    2007-10-30 08:15 1,083,424 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2007-10-30 01:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
    2007-10-30 01:03 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
    2007-10-30 01:01 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
    2007-10-30 01:01 <DIR> d-------- C:\WINDOWS\Internet Logs
    2007-10-30 00:55 <DIR> d-------- C:\WINDOWS\Sun
    2007-10-30 00:51 <DIR> d-------- C:\Program Files\Common Files\Java
    2007-10-30 00:28 12,413,440 --a------ C:\Program Files\avgas-setup-7.5.1.43.exe
    2007-10-29 15:52 589 --a------ C:\WINDOWS\system32\upiakhxm.dll
    2007-10-29 11:35 <DIR> d-------- C:\Documents and Settings\Paula\Application Data\Grisoft
    2007-10-29 11:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-10-29 11:35 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-10-29 11:06 <DIR> d-------- C:\Deckard
    2007-10-29 10:50 <DIR> d-------- C:\Program Files\PC Registry Cleaner
    2007-10-29 10:09 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
    2007-10-29 02:58 <DIR> d-------- C:\Program Files\Hijack This
    2007-10-29 01:47 <DIR> d-------- C:\Program Files\Trend Micro
    2007-10-28 13:53 <DIR> d-------- C:\VundoFix Backups
    2007-10-26 21:51 3,334 --a------ C:\WINDOWS\system32\tmp.reg
    2007-10-26 21:42 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2007-10-26 21:42 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2007-10-26 21:42 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2007-10-26 21:42 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-10-26 21:42 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2007-10-26 20:15 <DIR> d-------- C:\Program Files\SpyNoMore
    2007-10-26 20:15 1,152 --a------ C:\WINDOWS\system32\windrv.sys
    2007-10-10 11:02 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
    2007-10-05 20:27 <DIR> d-------- C:\Program Files\iTunes
    2007-10-05 20:27 <DIR> d-------- C:\Program Files\iPod
    2007-10-05 20:22 <DIR> d-------- C:\Program Files\Apple Software Update
    2007-10-04 16:56 <DIR> d-------- C:\Documents and Settings\Paula\Application Data\Leadertech
    2007-10-04 15:17 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Gtek
    2007-10-04 15:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
    2007-10-04 15:16 <DIR> d-------- C:\Program Files\Linksys EasyLink Advisor
    2007-10-04 13:36 61,440 -ra------ C:\WINDOWS\system32\vuins32.dll
    2007-10-04 13:36 43,008 -ra------ C:\WINDOWS\system32\drivers\dlkfet5b.sys
    2007-10-03 12:52 <DIR> d-------- C:\Program Files\support.com
    2007-10-03 12:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Support.com
    2007-10-01 11:37 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
    2007-10-01 11:37 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
    2007-09-05 18:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
    2007-09-05 18:12 <DIR> d-------- C:\Program Files\Common Files\aolshare
    2007-09-05 18:12 <DIR> d-------- C:\Program Files\Common Files\AOL
    2007-09-05 18:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
    2007-09-05 18:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-30 18:28 13,724 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
    2007-10-30 18:05 --------- d-----w C:\Program Files\Java
    2007-10-30 12:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-10-29 14:50 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-10-23 04:51 --------- d-----w C:\Program Files\Picasa2
    2007-10-04 19:17 --------- d--h--w C:\Documents and Settings\Paula\Application Data\GTek
    2007-10-04 18:59 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-10-04 18:59 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
    2007-09-16 14:43 --------- d-----w C:\Documents and Settings\Paula\Application Data\U3
    2007-09-14 19:59 --------- d-----w C:\Program Files\AIM
    2007-09-14 19:58 --------- d-----w C:\Documents and Settings\Paula\Application Data\Aim
    2007-09-06 20:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
    2007-09-06 20:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
    2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-07-30 23:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
    2007-07-30 23:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
    2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-07-09 13:16 582,656 ----a-w C:\WINDOWS\system32\rpcrt4.dll
    2007-06-27 03:31 17,896,352 ----a-w C:\Program Files\aaw2007.exe
    2007-06-07 22:37 32,168 -c--a-w C:\Documents and Settings\Paula\Application Data\GDIPFONTCACHEV1.DAT
    2006-02-19 08:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C24D5130-56F2-4185-9B8D-176699246E07}]
    C:\WINDOWS\system32\ssqpn.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
    "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 21:17]
    "EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 18:16]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\addyw32.exe]
    C:\WINDOWS\addyw32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
    \Program\

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
    ???
    ?

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MISAggregator]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
    C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    C:\WINDOWS\System32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    R2 elagopro;GoProto Protocol Driver for LELA;C:\WINDOWS\system32\DRIVERS\elagopro.sys
    R2 elaunidr;UniDriver for LELA;C:\WINDOWS\system32\DRIVERS\elaunidr.sys
    S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
    S3 pc22nd5;Toshiba PCX2200 USB Cable Modem networking driver (NDIS);C:\WINDOWS\system32\DRIVERS\pc22nd5.sys
    S3 pc22unic;Toshiba PCX2200 USB Cable Modem WDM driver;C:\WINDOWS\system32\DRIVERS\pc22unic.sys
    S3 W8335XP;IEEE 802.11g Wireless Cardbus/PCI Adapter HW51;C:\WINDOWS\system32\DRIVERS\Mrv8000c.sys

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9479720-2cd7-11db-a491-00018036482e}]
    AutoRun\command - F:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e2ffe6f0-2bdd-11db-a489-000039727365}]
    AutoRun\command - F:\setupSNK.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-10-25 22:45:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    "2007-10-30 18:18:08 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    **************************************************************************

    catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-30 14:31:32
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-10-30 14:33:56 - machine was rebooted
    .
    --- E O F ---

  2. #2
    Join Date
    Oct 2007
    Posts
    17
    Here is my new Hijackthis log. Can you give me the steps to take to turn off AdAware2007 and AVG Anti-spy? I'm going to take another look at the sticky and let you know what I wasn't able to complete. Thank you!

  3. #3
    Join Date
    Oct 2007
    Posts
    17
    Sorry. HERE is the log...

  4. #4
    Join Date
    Oct 2007
    Posts
    17
    I think it was just the Kaspersky that I was getting frustrated with. I wanted to download their free trial antivirus software, but it kept giving me a message during the installation process that says,

    Error 1304.Error writing to file
    C:\WINDOWS\system32\drivers\kl1.sys. Verify that
    you have access to that folder.


    I did all of this early this morning, but as far as I can remember, that was the only problem.

    Oh, and I can't seem to delete my old version of Java from my Add/Remove Programs list.
