Go Back   Cyber Tech Help Support Forums > Software > Malware Removal

#1, December 31st, 2007, 06:26 PM
lisaoje (New Member, Join Date: Dec 2007, O/S: Windows XP Pro, Posts: 15)
MalwareCrush Virus

Hello,

An icon recently appeared on my computer called MalwareCrush. It said I have 55 viruses on my computer. I did not install this program; it installed itself. I scanned it with AVG, no viruses found. I tried to delete it from my C: files; it replied that I couldn't delete this file. I tried to get rid of it through Pocket Killbox (it couldn't delete it). I need help fast!!!! I don't know anything about computers. I know this is a big problem for me. Any help would be appreciated.

Thanks
#2, January 2nd, 2008, 03:44 AM
Jintan (Cyber Tech Help Moderator, Join Date: Dec 2004, Posts: 52,284)
Welcome to CTH lisaoje,

If you would, don't make any additional changes there for now and let's see what all is loaded at this time.

Please download HijackThis from Here. Then click on the downloaded file to install HijackThis. After it is installed open HijackThis and select Do a system scan and save logfile. Use copy/paste and post that log back here for review.


Also go Here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your AV queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete. Copy the log from the Startup Programs file back here. You can use separate posts here if needed.
#3, January 2nd, 2008, 05:38 AM
lisaoje (New Member, Join Date: Dec 2007, O/S: Windows XP Pro, Posts: 15)
Tom,

Thanks for your prompt reply. Here is my HijackThis Log you requested:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:48 PM, on 1/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\avg\avgamsvr.exe
C:\PROGRA~1\avg\avgupsvc.exe
C:\PROGRA~1\avg\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\avg\avgcc.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\wupeng.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MalwareCrush\MalwareCrush.exe
C:\Program Files\MalwareCrush\MalwareCrush.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\temp\Temporary Internet Files\Content.IE5\96XSD1M8\hijackthis[1].exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\avg\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\AdobeReader\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [Winupdate Engine] C:\WINDOWS\system32\wupeng.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\avg\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\avg\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\avg\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\avg\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1187923921843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187923974937
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\avg\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\avg\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\avg\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 5201 bytes

When I downloaded and ran Silent Runners to my desktop, I never could locate the log it created. It was not in the Startup Programs. I even did a search of the file it created. Still no results. I did see the Startup Program files folder, but it was empty. I hope this information is helpful. Any assistance you can provide will be greatly appreciated. Thanks, Lisa
#4, January 2nd, 2008, 02:00 PM
Jintan (Cyber Tech Help Moderator, Join Date: Dec 2004, Posts: 52,284)
Might need a little rewording - the file itself is called Startup Programs, and if it was successful would be located in the same location as the Silent Runners.vbs tool you ran. But enough information from the HijackThis log for us to move forward here.


You will want to copy or have other access to these steps, as they will be done while offline.

Be sure to temporarily disable any protective software when running the scan tools we use here.

Download SDFix.exe and save it to your desktop.

Download ComboFix.exe from here to your desktop.

Then disconnect from net access. If cable/dsl physically disconnect the modem cable, if dial-up disconnect the phone line. This will keep infection from reinstalling right now.

===================================================


Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).


In Safe Mode, click the SDFix.exe and allow it to extract to its own folder (C:\SDFix). Navigate to that folder and double click RunThis.bat to start the script.

Next type Y to begin the script. Once the fix has run it will prompt you to restart your computer. Press any key to restart at this time. Your system will take longer than normal to restart as the fixtool will be running and removing files.

When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.

Then open the C:\SDFix folder and copy and paste the contents of the results file Report.txt back here.

=============================

After the reboot click on the downloaded ComboFix.exe to run the scan.

When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

(ComboFix will also disable any screensaver settings made, so know that at some point when we complete repairs you will need to reset your screensaver)

Reconnect to net access, and post back the C:\ComboFix.txt log as well as the SDFix Report.txt and a new HijackThis log please.
#5, January 2nd, 2008, 07:42 PM
lisaoje (New Member, Join Date: Dec 2007, O/S: Windows XP Pro, Posts: 15)
MalwareCrush Virus

Tom,

Again, thanks for your prompt reply. Below are the three logs you requested. Please advise me of my next move.


ComboFix Log
ComboFix 07-12-31.4 - lisa 2008-01-02 13:10:46.4 - NTFSx86
Running from: C:\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-02 to 2008-01-02 )))))))))))))))))))))))))))))))
.

2008-01-02 13:11 . 2008-01-02 13:11 <DIR> d-------- C:\temp\WPDNSE
2008-01-02 12:33 . 2008-01-02 12:33 1,484,544 --a------ C:\ComboFix.exe
2008-01-02 12:32 . 2008-01-02 12:32 1,212,248 --a------ C:\SDFix.exe
2008-01-02 12:17 . 2008-01-02 12:17 <DIR> d-------- C:\temp\Google Toolbar
2008-01-02 11:27 . 2008-01-02 11:27 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-02 11:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-31 12:37 . 2007-12-31 14:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-30 23:51 . 2007-10-10 18:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-30 23:44 . 2007-10-10 18:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-30 23:44 . 2007-04-17 04:28 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-30 23:44 . 2007-01-31 01:47 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-30 23:44 . 2007-10-10 18:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-30 23:44 . 2007-10-10 18:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-30 23:44 . 2007-10-10 18:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-30 23:44 . 2007-10-10 18:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-30 23:44 . 2007-10-10 05:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-30 16:52 . 2007-12-30 15:34 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-30 15:34 . 2007-12-30 15:58 <DIR> d-------- C:\Documents and Settings\lisa\.housecall6.6
2007-12-30 15:31 . 2007-12-30 15:31 <DIR> d-------- C:\WINDOWS\Sun
2007-12-30 15:30 . 2007-12-31 00:29 <DIR> d-------- C:\Program Files\Google
2007-12-30 15:30 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-30 15:29 . 2007-12-30 15:30 <DIR> d-------- C:\Program Files\Java
2007-12-30 15:29 . 2007-12-30 15:29 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-30 08:18 . 2008-01-02 09:41 <DIR> d-ah----- C:\Program Files\MalwareCrush
2007-12-27 19:27 . 2007-12-27 19:27 <DIR> d-------- C:\Program Files\PureEdge
2007-12-27 19:27 . 2007-12-27 19:27 <DIR> d-------- C:\Documents and Settings\lisa\Application Data\PureEdge
2007-12-27 19:27 . 2007-12-27 19:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PureEdge
2007-12-27 19:27 . 2003-11-21 18:02 2,101,248 --a------ C:\WINDOWS\system32\pe_cc.dll
2007-12-27 19:27 . 2003-11-21 18:02 1,167,360 --a------ C:\WINDOWS\system32\pe_java.dll
2007-12-27 19:27 . 2003-11-21 18:02 712,704 --a------ C:\WINDOWS\system32\uwi_java.dll
2007-12-27 19:27 . 2003-02-21 12:44 172,032 --a------ C:\WINDOWS\system32\SSCE5332.dll
2007-12-27 19:27 . 2003-02-21 10:44 167,936 --a------ C:\WINDOWS\system32\MSQOLE.DLL
2007-12-27 19:27 . 2007-12-27 19:27 61 --a------ C:\WINDOWS\PureEdgeAPI.ini
2007-12-05 07:35 . 2007-12-05 07:35 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-01-02 18:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-01-02 14:41 --------- d-----w C:\Program Files\avg
2007-12-31 05:35 --------- d-----w C:\Documents and Settings\lisa\Application Data\AVG7
2007-12-28 00:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-19 15:38 --------- d-----w C:\Documents and Settings\lisa\Application Data\SmartDraw
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
.

((((((((((((((((((((((((((((( snapshot@2008-01-02_11.14.16.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-02 08:44:46 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-01-02 17:37:51 2,830,336 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-01-02 17:37:51 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-01-02 08:44:46 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-01-02 16:27:10 2,818,048 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-01-02 16:27:10 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 20:07 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 12:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 08:03 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 07:59 126976]
"AVG7_CC"="C:\PROGRA~1\avg\avgcc.exe" [2007-12-21 07:35 579072]
"Adobe Reader Speed Launcher"="C:\Program Files\AdobeReader\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
"LTMSG"="LTMSG.exe" [2003-07-14 09:52 40960 C:\WINDOWS\ltmsg.exe]
"masqform.exe"="C:\Program Files\PureEdge\Viewer 6.0\masqform.exe" [2003-12-03 12:43 1052672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"MalwareCrush"="C:\Program Files\MalwareCrush\MalwareCrush.exe" [2007-12-31 14:01 1613824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\avg\avgw.exe" [2007-10-25 06:36 219136]

R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2004-08-06 07:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e910d79-51f0-11dc-bb2f-000c6ecb9e90}]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
************************************************** ************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-02 13:17:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

************************************************** ************************
.
Completion time: 2008-01-02 13:19:26
C:\qoobox\ComboFix-quarantined-files.txt 2008-01-02 18:18:29
C:\qoobox\ComboFix2.txt 2008-01-02 16:14:54
.
2007-12-30 19:45:40 --- E O F ---



SDFix Report


SDFix: Version 1.122

Run by lisa on 2008-01-02 at 12:38

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFIX\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found





Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-02 12:59:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

IPC error: 2 The system cannot find the file specified.
scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

Thu 23 Aug 2007 211 A.SH. --- "C:\BOOT.BAK"
Mon 31 Dec 2007 1,613,824 A..H. --- "C:\Program Files\MalwareCrush\MalwareCrush.exe"
Sat 19 Feb 2005 1,697,280 A..H. --- "C:\0_OLD_DATA\My Documents\13346 Wilshire\~WRL0005.tmp"
Wed 13 Oct 2004 1,694,208 A.SH. --- "C:\0_OLD_DATA\Program Files\Messenger\msmsgs.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\0_OLD_DATA\Program Files\Outlook Express\msimn.exe"
Tue 11 Nov 2003 56 A.SHR --- "C:\0_OLD_DATA\WINDOWS\system32\6AC0C3163A.sys "
Fri 16 Jun 2006 4,348 A..H. --- "C:\0_OLD_DATA\My Documents\My Music\License Backup\drmv1key.bak"
Fri 16 Jun 2006 20 A..H. --- "C:\0_OLD_DATA\My Documents\My Music\License Backup\drmv1lic.bak"
Mon 9 May 2005 312 A.SH. --- "C:\0_OLD_DATA\My Documents\My Music\License Backup\drmv2key.bak"
Wed 29 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 25 Aug 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1a72abe4120e101373a4e6a8f3333cc4\download\BIT64.tmp"

Finished!



HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:28:21 PM, on 1/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\avg\avgamsvr.exe
C:\PROGRA~1\avg\avgupsvc.exe
C:\PROGRA~1\avg\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\avg\avgcc.exe
C:\Program Files\AdobeReader\Reader\Reader_sl.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\MalwareCrush\MalwareCrush.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MalwareCrush\MalwareCrush.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\avg\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\AdobeReader\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MalwareCrush] C:\Program Files\MalwareCrush\MalwareCrush.exe /h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\avg\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\avg\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\avg\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\avg\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1187923921843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187923974937
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\avg\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\avg\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\avg\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 5186 bytes
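Reading the two HijackThis logs side by side (post #3 before SDFix/ComboFix, post #5 after) is tedious: the [Winupdate Engine] C:\WINDOWS\system32\wupeng.exe entry is gone from the second log, and a [MalwareCrush] entry with the /h switch has appeared under HKLM\..\Run. The Python below is an added example, not code from the thread or from HijackThis, that parses O4 autostart lines and diffs two logs by (hive, key, name). The log excerpts are constructed from the two logs above; resolving a bare filename such as ALCXMNTR.EXE to C:\WINDOWS is an assumption taken from the "Running processes" list in the same logs.

```python
import re
from collections import namedtuple

# Constructed excerpts of the O4 (autostart) lines from the two HijackThis
# logs in this thread: post #3 (before SDFix/ComboFix) and post #5 (after).
# Non-O4 lines are included to show they are skipped.
LOG_BEFORE = r"""Running processes:
C:\WINDOWS\system32\wupeng.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\avg\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Winupdate Engine] C:\WINDOWS\system32\wupeng.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\avg\avgupsvc.exe
"""

LOG_AFTER = r"""O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\avg\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MalwareCrush] C:\Program Files\MalwareCrush\MalwareCrush.exe /h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\avg\avgw.exe /RUNONCE (User 'SYSTEM')
"""

# O4 - <hive>\..\<key>: [<name>] <command> [(User '<user>')]
O4_RE = re.compile(
    r"^O4 - (?P<hive>[^:]+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)

Autostart = namedtuple("Autostart", "hive key name cmd user")


def executable_path(cmd):
    """Pull the program path out of an O4 command line and normalise it.

    Handles quoted paths, unquoted paths containing spaces (cut after the
    first '.exe'), and trailing arguments such as '/STARTUP' or '7'.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
        path = cmd[: m.end()] if m else cmd.split()[0]
    if "\\" not in path:
        # Bare name: Windows locates it via its search path. The logs'
        # "Running processes" list shows these under C:\WINDOWS, so that
        # is assumed here.
        path = "C:\\WINDOWS\\" + path
    return path.lower()


def parse_autostarts(log_text):
    """Map (hive, key, name) -> Autostart for every O4 line in a log."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # R0/R1, O2, O23 ... belong to other sections
        a = Autostart(m["hive"], m["key"], m["name"], m["cmd"], m["user"])
        entries[(a.hive, a.key, a.name)] = a
    return entries


def diff_autostarts(before, after):
    """Return (removed, added, changed) autostart identifiers between logs."""
    old, new = parse_autostarts(before), parse_autostarts(after)
    removed = sorted(k for k in old if k not in new)
    added = sorted(k for k in new if k not in old)
    changed = sorted(
        k for k in old if k in new
        and executable_path(old[k].cmd) != executable_path(new[k].cmd)
    )
    return removed, added, changed


if __name__ == "__main__":
    removed, added, changed = diff_autostarts(LOG_BEFORE, LOG_AFTER)
    for label, keys in (("removed", removed), ("added", added), ("changed", changed)):
        for hive, key, name in keys:
            print(f"{label:8} {hive}\\..\\{key}: [{name}]")
```

The diff keys on the display name within a hive and key, so a renamed entry pointing at the same executable shows up as one removal plus one addition rather than being silently matched.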
#6, January 3rd, 2008, 04:36 AM
Jintan (Cyber Tech Help Moderator, Join Date: Dec 2004, Posts: 52,284)
I am surprised that none of the infection (Zlob) known for these was picked up in that. Let's check for those then just give this one a complete removal. This is all assuming you have tried an uninstall through Add/Remove Programs (if not, do so now).

Download SmitfraudFix (by S!Ri)

Double-click SmitfraudFix.exe

Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually the C drive), and launch from there.

NOTE: Please do not run any other options from SmitfraudFix until we discuss the results.
#7, January 3rd, 2008, 02:55 PM
lisaoje (New Member, Join Date: Dec 2007, O/S: Windows XP Pro, Posts: 15)
MalwareCrush Virus

Tom,

Thanks again. I really appreciate all of your support. Below is the SmitfraudFix report you requested.

SmitFraudFix v2.274

Scan done at 8:49:28.76, Thu 01/03/2008
Run from C:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\avg\avgamsvr.exe
C:\PROGRA~1\avg\avgupsvc.exe
C:\PROGRA~1\avg\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\avg\avgcc.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\MalwareCrush\MalwareCrush.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MalwareCrush\MalwareCrush.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\lisa


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\lisa\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\lisa\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 68.87.77.130
DNS Server Search Order: 68.87.72.130
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4524D3B1-A79A-421E-86D3-4FEB22211092}: DhcpNameServer=68.87.77.130 68.87.72.130 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4524D3B1-A79A-421E-86D3-4FEB22211092}: DhcpNameServer=68.87.77.130 68.87.72.130 192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{4524D3B1-A79A-421E-86D3-4FEB22211092}: DhcpNameServer=68.87.77.130 68.87.72.130 192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130 192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130 192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Please advise.

Lisa
#8, January 3rd, 2008, 03:51 PM
Jintan (Cyber Tech Help Moderator, Join Date: Dec 2004, Posts: 52,284)
Just the startup and the associated Malware Crush files so far, which we surely will remove now.

Be sure to temporarily disable any protective software when running the scan tools we use here.

Open HijackThis, and choose None of the above, just start the program. Click Config – Misc Tools – Open process manager. From the list, click any instances of the following if it is present, and Kill Process. Close HijackThis.

C:\Program Files\MalwareCrush\MalwareCrush.exe

-----------------------------------

Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

Code:
Folder::
C:\Program Files\MalwareCrush
C:\temp
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MalwareCrush"=-
Save this as "CFScript"

(include the "quotation marks" with the name)




Referring to the picture above, drag CFScript.txt into ComboFix.exe

ComboFix will now run as it did before. When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

-----------------------

Also Go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).

To use the scan, once the download has completed click Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click My Computer to begin the scan. Save the Report as a text file and post that back here.

To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".

Post back that log along with the ComboFix log and a new HijackThis log please.
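The CFScript in the post above uses two ComboFix section headers (Folder:: and Registry::) and, under Registry::, regedit syntax: "MalwareCrush"=- deletes that value from the listed Run key (a [-Key] line would delete a whole key). The Python below is an added example, not part of the thread and not ComboFix code, that parses such a script and dry-runs it against constructed excerpts of the ComboFix "Reg Loading Points" and "Files Created" sections from post #5, so you can see which registry values and folders it would touch before the script is handed to the tool. Treating the trailing [date time size ...] text after each dumped value as a ComboFix annotation to strip is an assumption.

```python
import re

# Constructed copy of the CFScript given in post #8 of this thread.
CFSCRIPT = r"""Folder::
C:\Program Files\MalwareCrush
C:\temp
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MalwareCrush"=-
"""

# Constructed excerpt of the ComboFix "Reg Loading Points" dump from post #5.
REG_DUMP = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 12:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"AVG7_CC"="C:\PROGRA~1\avg\avgcc.exe" [2007-12-21 07:35 579072]
"MalwareCrush"="C:\Program Files\MalwareCrush\MalwareCrush.exe" [2007-12-31 14:01 1613824]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 20:07 15360]
"""

# Constructed excerpt of the ComboFix "Files Created" section from post #5.
FILES_CREATED = r"""2007-12-30 08:18 . 2008-01-02 09:41 <DIR> d-ah----- C:\Program Files\MalwareCrush
2008-01-02 13:11 . 2008-01-02 13:11 <DIR> d-------- C:\temp\WPDNSE
2007-12-30 15:29 . 2007-12-30 15:30 <DIR> d-------- C:\Program Files\Java
"""

SECTION_RE = re.compile(r"^(\w+)::$")
KEY_RE = re.compile(r"^\[(-?)(HKEY_[^\]]+)\]$")       # [-Key] means delete key
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')            # "name"=- means delete value
DIR_RE = re.compile(r"^\S+ \S+ \. \S+ \S+ <DIR> (?P<attr>\S+) (?P<path>.+)$")


def parse_cfscript(text):
    """Split a CFScript into sections and decode Registry:: lines.

    Returns (sections, actions); actions are (kind, key, value_name) with
    kind in {"delete_key", "delete_value", "set_value"}.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"line outside any section: {line!r}")
        sections[current].append(line)

    actions, key = [], None
    for line in sections.get("Registry", []):
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1) == "-":
                actions.append(("delete_key", key, None))
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, data = m.groups()
            actions.append(("delete_value" if data == "-" else "set_value", key, name))
    return sections, actions


def parse_reg_dump(text):
    """Parse the REGEDIT4-style dump ComboFix prints into {key: {name: data}}.

    The [date time size ...] annotation ComboFix appends is dropped (assumed
    to be decoration, not part of the stored value).
    """
    keys, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            keys.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, data = m.groups()
            data = re.sub(r"\s*\[[^\]]*\]$", "", data)
            keys[key][name] = data.strip('"')
    return keys


def dry_run(script_text, reg_dump_text, files_created_text):
    """Report what each script line would touch, judged from the logs only."""
    sections, actions = parse_cfscript(script_text)
    keys = parse_reg_dump(reg_dump_text)
    dirs = {m["path"].lower(): m["attr"]
            for m in (DIR_RE.match(l) for l in files_created_text.splitlines()) if m}
    report = []
    for folder in sections.get("Folder", []):
        attr = dirs.get(folder.lower())
        status = "not in log" if attr is None else ("hidden" if "h" in attr else "seen")
        report.append(("folder", folder, status))
    for kind, key, name in actions:
        values = keys.get(key, {})
        if kind == "delete_value":
            status = f"present -> {values[name]}" if name in values else "absent"
        else:
            status = "key present" if key in keys else "key absent"
        report.append((kind, f"{key}\\{name}" if name else key, status))
    return report


if __name__ == "__main__":
    for kind, target, status in dry_run(CFSCRIPT, REG_DUMP, FILES_CREATED):
        print(f"{kind:13} {target}  [{status}]")
```

A folder reported as "not in log" is not necessarily wrong to list (C:\temp was the Temporary Internet Files location in the first HijackThis log), but it is worth a second look before running the script, and a "delete_value" that comes back "absent" means the script is targeting something the logs never showed.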
#9, January 3rd, 2008, 07:09 PM
lisaoje (New Member, Join Date: Dec 2007, O/S: Windows XP Pro, Posts: 15)
MalwareCrush Virus - Kaspersky Report & Combo Fix Log

Tom,

Thanks!

FYI, when I started the first part of the process with the HijackThis Kill Process, I received an error message that stated:

"The selected process could not be killed. It may be protected by Windows".

Then I saw the *C:\Program Files\MalwareCrush\MalwareCrush.exe* disappear from the list of items.

Just thought you needed to know that. Nevertheless, below are the reports you requested. Thanks Abundantly!!

------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, January 03, 2008 12:44:28 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0

Kaspersky Anti-Virus database last update: 3/01/2008
Kaspersky Anti-Virus database records: 502025
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
F:\
G:\
H:\
I:\
X:\
Y:\

Scan Statistics:
Total number of scanned objects: 84047
Number of viruses found: 2
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 01:18:27

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\lisa\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\lisa\Local Settings\Application Data\Identities\{94D76E0B-8986-4AE8-8BD3-2BB71AEF0DA3}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\lisa\Local Settings\Application Data\Identities\{94D76E0B-8986-4AE8-8BD3-2BB71AEF0DA3}\Microsoft\Outlook Express\Inbox.dbx Object is locked skipped
C:\Documents and Settings\lisa\Local Settings\Application Data\Identities\{94D76E0B-8986-4AE8-8BD3-2BB71AEF0DA3}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\lisa\Local Settings\Application Data\Identities\{94D76E0B-8986-4AE8-8BD3-2BB71AEF0DA3}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped
C:\Documents and Settings\lisa\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\lisa\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\lisa\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\lisa\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\lisa\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\MalwareCrush\MalwareCrush.exe.vir Infected: not-a-virus:FraudTool.Win32.MalwareCrush.a skipped
C:\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{16363A7F-51A0-4467-9016-3F7C5D75E9CA}\RP4\A0000394.exe Infected: not-a-virus:FraudTool.Win32.MalwareCrush.a skipped
C:\System Volume Information\_restore{16363A7F-51A0-4467-9016-3F7C5D75E9CA}\RP4\change.log Object is locked skipped
C:\temp\avg\emc.log Object is locked skipped
C:\temp\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Combo Fix Log:

ComboFix 07-12-31.4 - lisa 2008-01-03 10:51:30.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.250 [GMT -5:00]
Running from: C:\ComboFix.exe
Command switches used :: C:\CFScript
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\MalwareCrush
C:\Program Files\MalwareCrush\blacklist.txt
C:\Program Files\MalwareCrush\Lang\English.ini
C:\Program Files\MalwareCrush\MalwareCrush.exe
C:\Program Files\MalwareCrush\MalwareCrush.url
C:\Program Files\MalwareCrush\msvcp71.dll
C:\Program Files\MalwareCrush\msvcr71.dll
C:\Program Files\MalwareCrush\ref.dat
C:\Program Files\MalwareCrush\uninst.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-03 to 2008-01-03 )))))))))))))))))))))))))))))))
.

2008-01-03 10:51 . 2008-01-03 10:51 <DIR> d-------- C:\temp\WPDNSE
2008-01-03 08:49 . 2008-01-03 08:49 2,220 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-03 08:48 . 2008-01-03 08:50 <DIR> d-------- C:\SmitfraudFix
2008-01-03 08:48 . 2008-01-03 08:48 1,129,580 --a------ C:\SmitfraudFix.exe
2008-01-02 13:27 . 2008-01-02 13:27 <DIR> d-------- C:\temp\Google Toolbar
2008-01-02 13:27 . 2008-01-02 13:27 401,720 --a------ C:\hijackthis.exe
2008-01-02 12:33 . 2008-01-02 12:33 1,484,544 --a------ C:\ComboFix.exe
2008-01-02 12:32 . 2008-01-02 12:32 1,212,248 --a------ C:\SDFix.exe
2008-01-02 11:27 . 2008-01-02 11:27 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-02 11:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-31 12:37 . 2007-12-31 14:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-30 23:51 . 2007-10-10 18:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-30 23:44 . 2007-10-10 18:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-30 23:44 . 2007-04-17 04:28 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-30 23:44 . 2007-01-31 01:47 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-30 23:44 . 2007-10-10 18:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-30 23:44 . 2007-10-10 18:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-30 23:44 . 2007-10-10 18:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-30 23:44 . 2007-10-10 18:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-30 23:44 . 2007-10-10 05:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-30 16:52 . 2007-12-30 15:34 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-30 15:34 . 2007-12-30 15:58 <DIR> d-------- C:\Documents and Settings\lisa\.housecall6.6
2007-12-30 15:31 . 2007-12-30 15:31 <DIR> d-------- C:\WINDOWS\Sun
2007-12-30 15:30 . 2007-12-31 00:29 <DIR> d-------- C:\Program Files\Google
2007-12-30 15:30 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-30 15:29 . 2007-12-30 15:30 <DIR> d-------- C:\Program Files\Java
2007-12-30 15:29 . 2007-12-30 15:29 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-27 19:27 . 2007-12-27 19:27 <DIR> d-------- C:\Program Files\PureEdge
2007-12-27 19:27 . 2007-12-27 19:27 <DIR> d-------- C:\Documents and Settings\lisa\Application Data\PureEdge
2007-12-27 19:27 . 2007-12-27 19:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PureEdge
2007-12-27 19:27 . 2003-11-21 18:02 2,101,248 --a------ C:\WINDOWS\system32\pe_cc.dll
2007-12-27 19:27 . 2003-11-21 18:02 1,167,360 --a------ C:\WINDOWS\system32\pe_java.dll
2007-12-27 19:27 . 2003-11-21 18:02 712,704 --a------ C:\WINDOWS\system32\uwi_java.dll
2007-12-27 19:27 . 2003-02-21 12:44 172,032 --a------ C:\WINDOWS\system32\SSCE5332.dll
2007-12-27 19:27 . 2003-02-21 10:44 167,936 --a------ C:\WINDOWS\system32\MSQOLE.DLL
2007-12-27 19:27 . 2007-12-27 19:27 61 --a------ C:\WINDOWS\PureEdgeAPI.ini
2007-12-05 07:35 . 2007-12-05 07:35 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-02 18:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-01-02 14:41 --------- d-----w C:\Program Files\avg
2007-12-31 05:35 --------- d-----w C:\Documents and Settings\lisa\Application Data\AVG7
2007-12-28 00:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-19 15:38 --------- d-----w C:\Documents and Settings\lisa\Application Data\SmartDraw
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
.

((((((((((((((((((((((((((((( snapshot@2008-01-02_11.14.16.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-02 08:44:46 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-01-02 17:37:51 2,830,336 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-01-02 17:37:51 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-01-02 08:44:46 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-01-02 16:27:10 2,818,048 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-01-02 16:27:10 151,552 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 20:07 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 12:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 08:03 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 07:59 126976]
"AVG7_CC"="C:\PROGRA~1\avg\avgcc.exe" [2007-12-21 07:35 579072]
"Adobe Reader Speed Launcher"="C:\Program Files\AdobeReader\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
"LTMSG"="LTMSG.exe" [2003-07-14 09:52 40960 C:\WINDOWS\ltmsg.exe]
"masqform.exe"="C:\Program Files\PureEdge\Viewer 6.0\masqform.exe" [2003-12-03 12:43 1052672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\avg\avgw.exe" [2007-10-25 06:36 219136]

R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2004-08-06 07:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e910d79-51f0-11dc-bb2f-000c6ecb9e90}]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

.
**********************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 10:54:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**********************************************************
.
Completion time: 2008-01-03 10:55:41
C:\qoobox\ComboFix-quarantined-files.txt 2008-01-03 15:55:20
C:\qoobox\ComboFix2.txt 2008-01-02 18:19:27
C:\qoobox\ComboFix3.txt 2008-01-02 16:14:54
.
2007-12-30 19:45:40 --- E O F ---
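Most of the Kaspersky report above is noise: "Object is locked skipped" lines are files Windows holds open (registry hives, event logs, Outlook Express stores) that the scanner could not read, not detections. The few "Infected:" lines need to be read by location: a hit under C:\QooBox\Quarantine is something ComboFix already removed, a hit under System Volume Information\_restore is a stale System Restore copy, and the RiskTool hits on SmitfraudFix's Reboot.exe are the scanner flagging a cleanup tool. The triage script below is an added illustration, not code from the thread or from Kaspersky; it parses report lines of this shape and sorts each detection into one of those buckets so that only detections outside them are reported as needing action. `SAMPLE_REPORT` is a constructed subset of the thread's report plus one made-up "live" line (a MalwareCrush.exe still under Program Files) to show that category; `KNOWN_TOOL_MARKERS` and the function names are choices for this example.

```python
"""Triage a Kaspersky Online Scanner report of the kind posted above.
Added illustration, not code from the thread or from Kaspersky. Separates
'Object is locked' noise from real detections and classifies each detection
by where it sits on disk."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample: a subset of the thread's report lines, plus one line
# that is NOT in the thread (a MalwareCrush.exe still under Program Files)
# so that the 'live' category has something to show.
SAMPLE_REPORT = r'''Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\lisa\NTUSER.DAT Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\MalwareCrush\MalwareCrush.exe.vir Infected: not-a-virus:FraudTool.Win32.MalwareCrush.a skipped
C:\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{16363A7F-51A0-4467-9016-3F7C5D75E9CA}\RP4\A0000394.exe Infected: not-a-virus:FraudTool.Win32.MalwareCrush.a skipped
C:\Program Files\MalwareCrush\MalwareCrush.exe Infected: not-a-virus:FraudTool.Win32.MalwareCrush.a skipped

Scan process completed.
'''


class Finding(NamedTuple):
    path: str
    detection: str
    category: str  # quarantined | restore_point | known_tool | live


LOCKED_RE = re.compile(r'^(?P<path>.+?) Object is locked skipped$')
INFECTED_RE = re.compile(r'^(?P<path>.+?) Infected: (?P<name>\S+) skipped$')
# Summary line for an archive/SFX whose members were flagged.
CONTAINER_RE = re.compile(r'^(?P<path>.+?) (?P<kind>\w+): infected - (?P<n>\d+) skipped$')

# Path fragments of legitimate cleanup tools this scanner is known to flag
# (the thread notes the SmitfraudFix mis-identification). Assumed list.
KNOWN_TOOL_MARKERS = ('\\smitfraudfix',)


def categorize(path: str) -> str:
    """Classify a detection by its location; 'live' means none of the
    known-harmless locations matched and a human should look at it."""
    p = path.lower()
    if p.startswith('c:\\qoobox\\quarantine\\'):
        return 'quarantined'      # already removed by ComboFix
    if '\\system volume information\\_restore' in p:
        return 'restore_point'    # stale System Restore copy
    if any(marker in p for marker in KNOWN_TOOL_MARKERS):
        return 'known_tool'       # cleanup utility flagged as riskware
    return 'live'


def triage(report: str) -> Tuple[int, List[Finding]]:
    """Return (number of locked-and-skipped objects, list of detections)."""
    locked = 0
    findings: List[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if LOCKED_RE.match(line):
            locked += 1
            continue
        m = INFECTED_RE.match(line)
        if m:
            findings.append(Finding(m['path'], m['name'], categorize(m['path'])))
            continue
        m = CONTAINER_RE.match(line)
        if m:
            label = f"{m['kind']} container ({m['n']} hits)"
            findings.append(Finding(m['path'], label, categorize(m['path'])))
    return locked, findings


def summarize(report: str) -> Dict[str, int]:
    """Counts per category, with the locked-object count under 'locked'."""
    locked, findings = triage(report)
    counts = Counter(f.category for f in findings)
    counts['locked'] = locked
    return dict(counts)


def needs_action(report: str) -> List[Finding]:
    """Only detections outside quarantine, restore points and known tools."""
    return [f for f in triage(report)[1] if f.category == 'live']


if __name__ == '__main__':
    print(summarize(SAMPLE_REPORT))
    for f in needs_action(SAMPLE_REPORT):
        print('ACTION:', f.path, f.detection)
```

On the thread's actual report the `live` bucket would be empty, which is the conclusion the moderator reaches in the next reply; the constructed extra line is there only to show what a genuine leftover would look like. The `not-a-virus:` prefix in these names is Kaspersky's marker for riskware and fraud tools rather than self-replicating code, so a `known_tool` hit on a file you deliberately downloaded is expected, while the same prefix on an unexpected path is not.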
  #10  
Old January 3rd, 2008, 07:10 PM
lisaoje lisaoje is offline
New Member
 
Join Date: Dec 2007
O/S: Windows XP Pro
Posts: 15
Below is the HijackThis Log. I couldn't post it with the other two. It was too long. Lisa
HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:03 PM, on 1/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\avg\avgamsvr.exe
C:\PROGRA~1\avg\avgupsvc.exe
C:\PROGRA~1\avg\avgemc.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\avg\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\AdobeReader\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\avg\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\avg\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\avg\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\avg\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1187923921843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187923974937
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\avg\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\avg\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\avg\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 5074 bytes
  #11  
Old January 4th, 2008, 02:34 AM
Jintan's Avatar
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 52,284
Very good - Kaspersky only shows normally locked system functions, the infection removed by ComboFix to its Qoobox folder, and a mis-ID of SmitFraudFix as a bad one (wish they would update and correct that). Only one folder I would like you to check for now - are there any problems there at this time?

Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types"

Do a search (Start - Search/Find - Files or Folders) for the following highlighted files/folders (shown in Bold), and tell me what type of files you find there (in general):

C:\temp\WPDNSE
  #12  
Old January 4th, 2008, 03:50 PM
lisaoje lisaoje is offline
New Member
 
Join Date: Dec 2007
O/S: Windows XP Pro
Posts: 15
Tom,

Thanks again!

I performed the search for Hidden Files and the Search/Find files and folders task. I found the C:\temp\WPDNSE file, but no files or documents were stored in it. The folder was EMPTY.

Please advise.

Lisa
  #13  
Old January 4th, 2008, 09:11 PM
Jintan's Avatar
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 52,284
It can be deleted without issues. Any problems you see there at this time?
  #14  
Old January 5th, 2008, 04:47 AM
lisaoje lisaoje is offline
New Member
 
Join Date: Dec 2007
O/S: Windows XP Pro
Posts: 15
Tom,

How do you want me to delete it?

Lisa
  #15  
Old January 5th, 2008, 05:00 AM
Jintan's Avatar
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 52,284
Sure - it is an empty folder in a temp location, so no issue either way. Before we clean up what we added to your system how are things running there now?