
Virus removal help needed!!!



I have a Trojan.Agent on my computer and I can't get rid of it. I did a scan with HijackThis and these were my results:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:52:05 PM, on 3/30/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Dell Network Assistant\hnm_svc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\userinit.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

C:\WINDOWS\system32\svchost.exe

c:\WINDOWS\system32\ZuneBusEnum.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Sophos\AutoUpdate\ALMon.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: My Faster PC.lnk.disabled

O4 - Startup: Picture Motion Browser Media Check Tool.lnk.disabled

O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe

O4 - Global Startup: Digital Line Detect.lnk.disabled

O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled

O4 - Global Startup: Lexibase Express.lnk.disabled

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?0e72f4ae2995436f98dab1584af57b5e

O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?0e72f4ae2995436f98dab1584af57b5e

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O11 - Options group: [searching] Search from the Address bar

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/instal...nosticsxp2k.cab

O16 - DPF: {6414512b-b978-451d-a0d8-fcfdf33e833c} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1216835024515

O16 - DPF: {644e432f-49d3-41a1-8dd5-e099162eeec5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{357C0D15-F05A-47F7-A671-0EC1F789ED45}: NameServer = 66.193.36.6,207.170.227.121

O17 - HKLM\System\CCS\Services\Tcpip\..\{FE6F35C8-5F11-4B76-B75A-CDCC204B848D}: NameServer = 66.193.36.6,207.170.227.121

O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL

O23 - Service: Intel


  • Staff

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

Also, it is really important that you allow Combofix to install the Recovery console, because most probably your userinit.exe file is infected here and it won't be fixed if the recovery console is not installed.


Combofix said that I still had AVG Free installed, but I deleted it about 2 months ago? I even checked. But here's the Combofix log:

ComboFix 09-03-30.04 - Morgans 2009-03-31 10:35:53.5 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1532 [GMT -7:00]

Running from: c:\documents and settings\Morgans\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)

AV: Sophos Anti-Virus *On-access scanning disabled* (Updated)

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\Morgans\Localdir

c:\documents and settings\Morgans\Localdir\winlogo.exe

C:\test.txt

----- BITS: Possible infected sites -----

hxxp://www.graboid.com

Infected copy of c:\windows\system32\userinit.exe was found and disinfected

Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe

.

((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 )))))))))))))))))))))))))))))))

.

2009-03-30 14:50 . 2009-03-30 14:50 <DIR> d-------- c:\program files\Trend Micro

2009-03-29 01:23 . 2009-03-28 23:58 97,796 --a------ c:\windows\mse.exe

2009-03-29 01:20 . 2009-03-28 23:58 97,796 --a------ c:\windows\msd.exe

2009-03-29 00:17 . 2009-03-28 23:58 97,796 --a------ c:\windows\msc.exe

2009-03-29 00:15 . 2009-03-28 23:58 97,796 --a------ c:\windows\msb.exe

2009-03-25 17:51 . 2009-03-25 17:51 <DIR> d-------- C:\Linksys Driver

2009-03-16 21:17 . 2009-03-16 21:17 <DIR> d-------- c:\program files\YouTube Downloader

2009-03-16 20:38 . 2009-03-16 20:38 54,156 --ah----- c:\windows\QTFont.qfn

2009-03-16 20:38 . 2009-03-16 20:38 1,409 --a------ c:\windows\QTFont.for

2009-03-14 12:07 . 2008-05-19 09:35 130,104 --a------ c:\windows\system32\sdccoinstaller.dll

2009-03-14 12:06 . 2009-03-14 12:06 <DIR> d-------- c:\program files\Common Files\Cisco Systems

2009-03-14 12:06 . 2009-03-14 12:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sophos

2009-03-14 12:06 . 2008-08-21 06:22 23,552 --a------ c:\windows\system32\SophosBootTasks.exe

2009-03-14 12:05 . 2008-05-23 00:38 14,976 --a------ c:\windows\system32\drivers\SophosBootDriver.sys

2009-03-13 13:44 . 2009-03-29 00:02 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-13 13:44 . 2009-03-13 13:44 <DIR> d-------- c:\documents and settings\Morgans\Application Data\Malwarebytes

2009-03-13 13:44 . 2009-03-13 13:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-13 13:44 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-13 13:44 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-13 13:41 . 2009-03-13 13:41 <DIR> d--h----- c:\windows\PIF

2009-03-13 11:24 . 2009-03-14 12:06 <DIR> d-------- c:\program files\Sophos

2009-03-13 11:23 . 2009-03-13 11:23 <DIR> d-------- C:\savxpsa

2009-03-13 11:23 . 2009-01-05 03:41 110,848 --a------ c:\windows\system32\drivers\savonaccesscontrol.sys

2009-03-13 11:23 . 2009-01-05 03:41 38,528 --a------ c:\windows\system32\drivers\savonaccessfilter.sys

2009-03-10 16:42 . 2009-03-11 15:41 147,456 --a------ c:\windows\system32\vbzip10.dll

2009-02-22 20:59 . 2009-03-30 22:17 189,496 --a------ c:\windows\system32\PnkBstrB.xtr

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-31 03:31 139,984 ----a-w c:\windows\system32\drivers\PnkBstrK.sys

2009-03-30 04:18 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater

2009-03-13 18:02 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-03-13 18:02 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-03-13 17:56 --------- d-----w c:\documents and settings\All Users\Application Data\avg8

2009-03-11 23:17 --------- d--h--w c:\program files\InstallShield Installation Information

2009-03-11 23:17 --------- d-----w c:\program files\Common Files\InstallShield

2009-03-11 23:16 --------- d-----w c:\program files\LimeWire

2009-03-11 23:15 --------- d-----w c:\program files\Graboid

2009-03-10 23:16 --------- d-----w c:\documents and settings\Morgans\Application Data\LimeWire

2009-02-26 17:42 --------- d-----w c:\program files\Microsoft Silverlight

2009-02-02 03:43 --------- d-----w c:\program files\My Faster PC

2009-01-31 23:01 --------- d-----w c:\program files\Cloudbrain

2009-01-31 22:13 --------- d-----w c:\program files\Aimersoft

2009-01-19 05:06 22,328 -c--a-w c:\documents and settings\Morgans\Application Data\PnkBstrK.sys

2007-09-13 03:16 154 -c--a-w c:\documents and settings\Morgan Scharff\Application Data\wklnhst.dat

2007-08-25 14:47 76 -csha-r c:\windows\CT4CET.bin

.

((((((((((((((((((((((((((((( snapshot_2009-03-07_11.20.15.75 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-02-09 11:08:53 1,847,552 ----a-w c:\windows\$hf_mig$\KB958690\SP3QFE\win32k.sys

+ 2008-07-09 07:38:24 17,272 ----a-w c:\windows\$hf_mig$\KB958690\spmsg.dll

+ 2008-07-09 07:38:25 231,288 ----a-w c:\windows\$hf_mig$\KB958690\spuninst.exe

+ 2008-07-09 07:38:24 26,488 ----a-w c:\windows\$hf_mig$\KB958690\update\spcustom.dll

+ 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB958690\update\update.exe

+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB958690\update\updspapi.dll

+ 2008-12-05 06:58:08 144,896 ----a-w c:\windows\$hf_mig$\KB960225\SP3QFE\schannel.dll

+ 2007-11-30 11:18:51 17,272 ----a-w c:\windows\$hf_mig$\KB960225\spmsg.dll

+ 2007-11-30 11:18:51 231,288 ----a-w c:\windows\$hf_mig$\KB960225\spuninst.exe

+ 2007-11-30 11:18:51 26,488 ----a-w c:\windows\$hf_mig$\KB960225\update\spcustom.dll

+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB960225\update\update.exe

+ 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB960225\update\updspapi.dll

- 2005-10-21 04:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE

+ 2005-10-21 03:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE

- 2005-10-21 04:02:28 163,328 -c--a-w c:\windows\ERDNT\subs\ERDNT.EXE

+ 2005-10-21 03:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE

- 2000-08-31 16:00:00 89,504 -c--a-w c:\windows\fdsv.exe

+ 2000-08-31 15:00:00 89,504 ----a-w c:\windows\fdsv.exe

- 2000-08-31 16:00:00 80,412 -c--a-w c:\windows\grep.exe

+ 2000-08-31 15:00:00 80,412 ----a-w c:\windows\grep.exe

+ 2009-03-14 20:02:09 25,214 ----a-r c:\windows\Installer\{034759DA-E21A-4795-BFB3-C66D17FAD183}\ARPPRODUCTICON.exe

+ 2009-03-14 20:02:09 25,214 ----a-r c:\windows\Installer\{034759DA-E21A-4795-BFB3-C66D17FAD183}\MainGUIShortcut.exe

+ 2009-03-14 19:08:46 65,536 ----a-r c:\windows\Installer\{15C418EB-7675-42be-B2B3-281952DA014D}\ARPPRODUCTICON.exe

+ 2007-04-02 18:25:59 19,456 ----a-w c:\windows\msagent\intl\agt0401.dll

+ 2007-04-02 18:26:00 19,456 ----a-w c:\windows\msagent\intl\agt040d.dll

- 2000-08-31 16:00:00 28,672 -c--a-w c:\windows\NIRCMD.exe

+ 2000-08-31 15:00:00 29,696 ----a-w c:\windows\NIRCMD.exe

- 2000-08-31 16:00:00 98,816 -c--a-w c:\windows\sed.exe

+ 2000-08-31 15:00:00 98,816 ----a-w c:\windows\sed.exe

- 2000-08-31 16:00:00 161,792 -c--a-w c:\windows\SWREG.exe

+ 2000-08-31 15:00:00 161,792 ----a-w c:\windows\SWREG.exe

- 2000-08-31 16:00:00 136,704 -c--a-w c:\windows\SWSC.exe

+ 2000-08-31 15:00:00 136,704 ----a-w c:\windows\SWSC.exe

- 2000-08-31 16:00:00 212,480 -c--a-w c:\windows\SWXCACLS.exe

+ 2000-08-31 15:00:00 212,480 ----a-w c:\windows\SWXCACLS.exe

+ 2007-04-02 18:25:59 19,456 -c--a-w c:\windows\system32\dllcache\agt0401.dll

+ 2007-04-02 18:26:00 19,456 -c--a-w c:\windows\system32\dllcache\agt040d.dll

+ 2008-04-14 00:09:55 6,144 -c--a-w c:\windows\system32\dllcache\kbdinbe1.dll

+ 2008-04-14 00:09:55 6,144 -c--a-w c:\windows\system32\dllcache\kbdinben.dll

+ 2008-04-14 00:09:55 6,656 -c--a-w c:\windows\system32\dllcache\kbdinmal.dll

+ 2008-04-14 00:09:55 6,144 -c--a-w c:\windows\system32\dllcache\kbdnepr.dll

+ 2008-04-14 00:09:55 6,144 -c--a-w c:\windows\system32\dllcache\kbdpash.dll

+ 2008-12-05 06:54:55 144,896 -c----w c:\windows\system32\dllcache\schannel.dll

+ 2004-08-04 10:00:00 24,576 -c--a-w c:\windows\system32\dllcache\userinit.exe

- 2008-09-15 12:12:56 1,846,400 -c----w c:\windows\system32\dllcache\win32k.sys

+ 2009-02-09 11:13:27 1,846,784 -c----w c:\windows\system32\dllcache\win32k.sys

- 2007-06-12 07:51:12 10,834,944 -c--a-w c:\windows\system32\dllcache\wmp.dll

+ 2008-11-12 01:34:42 10,838,016 -c--a-w c:\windows\system32\dllcache\wmp.dll

- 2006-09-29 07:57:04 489,216 ----a-w c:\windows\system32\drivers\MRVW245.sys

+ 2007-11-18 18:42:52 461,952 ----a-w c:\windows\system32\drivers\MRVW245.sys

- 2009-01-15 22:22:01 243,128 ----a-w c:\windows\system32\FNTCACHE.DAT

+ 2009-03-15 20:34:19 243,128 ----a-w c:\windows\system32\FNTCACHE.DAT

+ 2008-04-14 00:12:38 26,112 ----a-w c:\windows\system32\init32.exe

+ 2009-02-03 02:07:18 240,544 ----a-r c:\windows\system32\Macromed\Flash\FlashUtil10b.exe

- 2009-01-31 22:08:50 89,102 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe

+ 2009-03-15 04:16:51 88,590 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe

- 2009-02-03 23:21:12 21,244,864 ----a-w c:\windows\system32\MRT.exe

+ 2009-02-25 19:55:00 24,768,960 ----a-w c:\windows\system32\MRT.exe

- 2009-03-05 04:22:16 157,737 ----a-w c:\windows\system32\nvModes.dat

+ 2009-03-31 05:17:46 157,737 ----a-w c:\windows\system32\nvModes.dat

- 2009-03-05 00:11:50 65,442 ----a-w c:\windows\system32\perfc009.dat

+ 2009-03-31 17:04:18 65,442 ----a-w c:\windows\system32\perfc009.dat

- 2009-03-05 00:11:50 409,672 ----a-w c:\windows\system32\perfh009.dat

+ 2009-03-31 17:04:18 409,672 ----a-w c:\windows\system32\perfh009.dat

- 2009-03-05 04:05:53 189,496 ----a-w c:\windows\system32\PnkBstrB.exe

+ 2009-03-31 03:31:01 189,496 ----a-w c:\windows\system32\PnkBstrB.exe

- 2008-04-14 00:12:05 144,384 ----a-w c:\windows\system32\schannel.dll

+ 2008-12-05 06:54:55 144,896 ----a-w c:\windows\system32\schannel.dll

- 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll

+ 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll

- 2007-08-11 04:46:18 26,488 ----a-w c:\windows\system32\spupdsvc.exe

+ 2007-07-27 16:41:38 26,488 ----a-w c:\windows\system32\spupdsvc.exe

- 2008-04-14 00:12:38 26,112 ----a-w c:\windows\system32\userinit.exe

+ 2004-08-04 10:00:00 24,576 ----a-w c:\windows\system32\userinit.exe

- 2008-09-15 12:12:56 1,846,400 ----a-w c:\windows\system32\win32k.sys

+ 2009-02-09 11:13:27 1,846,784 ----a-w c:\windows\system32\win32k.sys

- 2007-06-12 07:51:12 10,834,944 ----a-w c:\windows\system32\wmp.dll

+ 2008-11-12 01:34:42 10,838,016 ----a-w c:\windows\system32\wmp.dll

- 2000-08-31 16:00:00 49,152 -c--a-w c:\windows\VFIND.exe

+ 2000-08-31 15:00:00 49,152 ----a-w c:\windows\VFIND.exe

+ 2009-03-13 18:24:33 82,432 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\msxml4r.dll

+ 2008-04-15 17:47:33 1,724,416 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\GdiPlus.dll

- 2000-08-31 16:00:00 68,096 -c--a-w c:\windows\zip.exe

+ 2000-08-31 15:00:00 68,096 ----a-w c:\windows\zip.exe

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-06 8429568]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-30 282624]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]

"NvMediaCenter"="NvMCTray.dll" [2007-06-06 c:\windows\system32\nvmctray.dll]

c:\documents and settings\Morgans\Start Menu\Programs\Startup\

My Faster PC.lnk.disabled [2008-10-27 678]

Picture Motion Browser Media Check Tool.lnk.disabled [2008-12-09 1941]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2008-12-23 245760]

Digital Line Detect.lnk.disabled [2007-08-25 1618]

HP Digital Imaging Monitor.lnk.disabled [2007-09-18 1808]

Lexibase Express.lnk.disabled [2008-01-11 1869]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]

@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

--a------ 2007-01-19 12:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"ctfmon.exe"=c:\windows\system32\ctfmon.exe

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" /background

"MySpaceIM"=c:\program files\MySpace\IM\MySpaceIM.exe

"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

"NVHotkey"=rundll32.exe nvHotkey.dll,Start

"NvMediaCenter"=RunDLL32.exe NvMCTray.dll,NvTaskbarInit

"nwiz"=nwiz.exe /installquiet

"OEM02Mon.exe"=c:\windows\OEM02Mon.exe

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

"SigmatelSysTrayApp"=stsystra.exe

"SynTPEnh"=c:\program files\Synaptics\SynTP\SynTPEnh.exe

"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\DELL\\MediaDirect\\PCMService.exe"=

"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=

"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=

"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol

"10426:UDP"= 10426:UDP:SingleClick ICC

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2009-03-13 110848]

R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2009-03-13 38528]

R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2008-09-22 69632]

R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [2008-08-21 98304]

R3 oem02afx;Provides a software interface to control audio effects of OEM002 camera.;c:\windows\system32\drivers\OEM02Afx.sys [2007-08-25 141376]

R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2007-08-25 235584]

R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2007-08-25 7424]

S1 8783930b;8783930b;c:\windows\system32\drivers\8783930b.sys --> c:\windows\system32\drivers\8783930b.sys [?]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv; [x]

S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2009-03-14 14976]

.

Contents of the 'Scheduled Tasks' folder

2009-03-31 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 20:41]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://www.google.com

IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?0e72f4ae2995436f98dab1584af57b5e

IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?0e72f4ae2995436f98dab1584af57b5e

TCP: {357C0D15-F05A-47F7-A671-0EC1F789ED45} = 66.193.36.6,207.170.227.121

TCP: {FE6F35C8-5F11-4B76-B75A-CDCC204B848D} = 66.193.36.6,207.170.227.121

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-31 10:40:48

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3491885251-2573279539-1191741295-1007\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKEEPER.exe

c:\program files\Dell Network Assistant\hnm_svc.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\PnkBstrB.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

c:\program files\Sophos\AutoUpdate\ALsvc.exe

c:\windows\system32\ZuneBusEnum.exe

c:\program files\Zune\ZuneNss.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\rundll32.exe

.

**************************************************************************

.

Completion time: 2009-03-31 10:43:48 - machine was rebooted [Morgans]

ComboFix-quarantined-files.txt 2009-03-31 17:43:45

ComboFix2.txt 2009-03-08 20:34:34

ComboFix3.txt 2009-03-07 19:21:16

ComboFix4.txt 2008-11-08 03:21:06

Pre-Run: 52,305,911,808 bytes free

Post-Run: 54,008,008,704 bytes free

303 --- E O F --- 2009-03-15 19:47:25


  • Staff

Hi,

Combofix said that I still had AVG Free installed, but I deleted it about 2 months ago? I even checked.
Don't worry about that. This is AVG's fault, because it didn't unregister in WMI.

Anyway, your userinit.exe was restored again.

Navigate to and delete the following files:

c:\windows\mse.exe

c:\windows\msd.exe

c:\windows\msc.exe

c:\windows\msb.exe

Then go to Start > Run and copy and paste the next command into the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
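As an added example (not code from the thread and not ComboFix's own), here is a small Python triage script that applies the helper's reasoning to the "Files Created" section of a ComboFix log: it flags executables of identical size and modification time that were written into the Windows directory within a short window of each other, which is how the four ms?.exe entries above stand out as one dropper's leftovers. The log excerpt embedded in the script is constructed from entries posted above; the thresholds (a two-hour window, three or more files) are assumptions.

```python
"""Triage helper for the 'Files Created' section of a ComboFix log (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed excerpt modelled on the ComboFix log posted in the thread (shortened).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 )))))))))))))))))))))))))))))))
.
2009-03-30 14:50 . 2009-03-30 14:50 <DIR> d-------- c:\program files\Trend Micro
2009-03-29 01:23 . 2009-03-28 23:58 97,796 --a------ c:\windows\mse.exe
2009-03-29 01:20 . 2009-03-28 23:58 97,796 --a------ c:\windows\msd.exe
2009-03-29 00:17 . 2009-03-28 23:58 97,796 --a------ c:\windows\msc.exe
2009-03-29 00:15 . 2009-03-28 23:58 97,796 --a------ c:\windows\msb.exe
2009-03-16 20:38 . 2009-03-16 20:38 54,156 --ah----- c:\windows\QTFont.qfn
2009-03-14 12:06 . 2008-08-21 06:22 23,552 --a------ c:\windows\system32\SophosBootTasks.exe
2009-03-14 12:05 . 2008-05-23 00:38 14,976 --a------ c:\windows\system32\drivers\SophosBootDriver.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))
"""

# One entry line: "<created> . <modified> <size|<DIR>> <attrs> <path>"
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "   # creation time
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "       # modification time
    r"(<DIR>|[\d,]+) "                        # size with thousands separators, or <DIR>
    r"(\S+) "                                 # attribute flags such as --a------
    r"(.+)$"                                  # path
)
SECTION_START = "Files Created"
EXEC_EXTS = (".exe", ".dll", ".sys", ".scr", ".com")
TS = "%Y-%m-%d %H:%M"


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]   # None for directories
    attrs: str
    path: str

    @property
    def is_executable(self) -> bool:
        return self.size is not None and self.path.lower().endswith(EXEC_EXTS)


def parse_files_created(text: str) -> list[Entry]:
    """Return the entries of the 'Files Created' section, in log order."""
    entries, in_section = [], False
    for line in text.splitlines():
        if "(((" in line:                 # every ComboFix section banner starts this way
            in_section = SECTION_START in line
            continue
        m = ENTRY_RE.match(line.strip())
        if not (in_section and m):
            continue
        created, modified, size, attrs, path = m.groups()
        entries.append(Entry(
            created=datetime.strptime(created, TS),
            modified=datetime.strptime(modified, TS),
            size=None if size == "<DIR>" else int(size.replace(",", "")),
            attrs=attrs,
            path=path,
        ))
    return entries


def same_size_clusters(entries: list[Entry], window: timedelta = timedelta(hours=2),
                       min_count: int = 3) -> list[list[str]]:
    """Group executables sharing size AND modification time whose creation times
    all fall within `window`; return path lists (sorted by creation time) of the
    groups with at least `min_count` members. Several copies of one binary dropped
    in quick succession is the pattern a single dropper leaves behind."""
    by_key: dict[tuple[int, datetime], list[Entry]] = defaultdict(list)
    for e in entries:
        if e.is_executable:
            by_key[(e.size, e.modified)].append(e)
    clusters = []
    for group in by_key.values():
        group.sort(key=lambda e: e.created)
        if len(group) >= min_count and group[-1].created - group[0].created <= window:
            clusters.append([e.path for e in group])
    return clusters


def executables_in_windows_root(entries: list[Entry]) -> list[str]:
    """Executables written directly into the Windows directory (not a subdirectory);
    legitimate installers rarely do that, so each one deserves a look."""
    out = []
    for e in entries:
        if e.is_executable and e.path.lower().rpartition("\\")[0] == r"c:\windows":
            out.append(e.path)
    return out


if __name__ == "__main__":
    found = parse_files_created(SAMPLE_LOG)
    for cluster in same_size_clusters(found):
        print("same-size cluster:", ", ".join(cluster))
    print("executables in the Windows root:", executables_in_windows_root(found))
```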


  • Staff

Hi,

Do you know how to navigate to files?

Go to C:\ then to the Windows directory and in there, you'll find the files: mse.exe, msd.exe, msc.exe and msb.exe

Right-click them and select Delete from the context menu.

If this is still too difficult or confusing for you, please let me know.


  • Staff

Ok, let's make this easy for you instead...

If you have not uninstalled Combofix yet, please do the following:

* Open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

File::

c:\windows\mse.exe

c:\windows\msd.exe

c:\windows\msc.exe

c:\windows\msb.exe

Save this as a txt file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


  • Staff

I guess you did something wrong... and yes, your antivirus should be disabled when using Combofix.

I created the CFScript for you instead, so download it from here:

Place it on your desktop

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


Hmm, ok... This is weird... After I did the FIRST ComboFix scan my computer was working fine. And when you told me to manually delete the files I actually got there myself but I didn't see them. That's when I asked you to expand. Then when you showed me what to do I did it. And I think I accidentally ran two Combofixes at the same time. Then my computer crashed and I got the blue screen of death. So I pulled the plug on my comp, and I rebooted it. It rebooted faster and smoother, and the popups I kept getting before never came back up. And so then just to make sure myself I did a scan with Malwarebytes after I updated it and it ran 3x as fast, and it didn't find the Trojan.Agent I kept finding. Did it delete it?


  • Staff

Hi,

I don't know if it deleted it, because I really have no clue what you've done.

The files I asked you to delete are just leftovers.

Anyway, it looks like those instructions are too confusing for you as well, even with the precreated cfscript, so do not use Combofix anymore before you break everything or drag the wrong things in Combofix.

* Go to Start > Run and copy and paste the next command into the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know if you could perform the above instruction to uninstall Combofix.


  • Staff

Glad I could help. :)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

