# Help!! I am really scared!! *urgent*



## techmoron (Apr 27, 2007)

I posted this in the General Security forum, but I think this is the more appropriate place to post.
Please help, this is urgent. I'm really really scared..

Today when I switched on my computer, instead of the usual Windows welcome message there was a strange message which read something like this:

"dont kill me, im just send message from your computer"
and there was more, but I couldn't understand what it was.. The only thing I understood was the above message, which was in English and read exactly the way I have written it here. The rest was in the English alphabet but I think it was some other language.

At the top it was dated 24.1.2007 and there was a name, samara... (some strange name).

This message came before Windows could boot, so I couldn't turn off the computer, so I turned off the main switch to which the desktop is connected.
When I switched on again the message came, and until I click OK on the message it doesn't allow Windows to boot (only after I click OK on the message does the Windows welcome message come up).

Help! I'm really scared. I don't know what this could be.
Very recently, about a month back, I reinstalled Windows on my computer. It was working OK till today, and this message came up suddenly now when I turned on my computer. I also turned on my computer today about an hour back but this message didn't show up..

I tried to just close the message box, but until I click OK on the message box my computer doesn't start. I had to click OK and immediately logged on to this site to find out what I should be doing to get rid of this..

Is my computer at risk?
Has it got anything to do with the new copy of Windows installed on my PC?
Please help! I'm worried!

*EDIT:*
I had to boot again, and this time I copied the message; I'm pasting it here.. Hope it helps you detect the problem. And I'm sorry, the name was not samara, it was surabaya.

*"Surabaya in my birthday
Don't kill me, i'm just send message from your computer
Terima kasih telah menemaniku walaupun hanya sesaat, tapi bagiku sangat berarti
Maafkan jika kebahagiaan yang kuminta adalah teman sepanjang hidupku
Seharusnya aku mengerti bahwa keberadaanku bukanlah disisimu, hanyalah lamunan dalam sesal
Untuk kekasih yang tak kan pernah kumiliki 3r1k1m0"*


----------



## techmoron (Apr 27, 2007)

OK, in the other forum, moderator Elvandil figured that it is a boot virus and gave me a link.
http://www.viruslist.com/en/viruses/...?virusid=19044

He also suggested that if I need professional help cleaning the system I post here.

Please help me, I don't have any antivirus installed on my computer. And from the link above, I read that if infected by the virus it's best to disconnect from the internet, but I can't disconnect from the internet while I'm on the forum... not until I find a solution to my problem.
I don't have another PC; I'm posting from the same infected PC.

Please help me with the clean-up or whatever needs to be done, and I will need your help through the entire procedure, from start to end.

*EDIT:*
I think the mod gave me a link to the samara type viruses, because in my original message I wrote the name was samara. When I booted again I could copy the message, and the name was not samara but surabaya.
So I think it's something else..


----------



## techmoron (Apr 27, 2007)

I am posting the log. I hope I did this right. I copy-pasted the log from the HJT Notepad window that opened up when I did a scan. When I got this log, the topmost line in the HJT scan, O2, was highlighted and below that were O2, O4, O6. Do I need to click on each of these and do a separate log?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:15:33 AM, on 11/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\abc\Start Menu\Programs\Startup\Adobe update.com
C:\Documents and Settings\abc\Start Menu\Programs\Startup\Adobe Online.com
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe update.com
O4 - Startup: Adobe Online.com
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

--
End of file - 2275 bytes


----------



## techmoron (Apr 27, 2007)

I tried removing the surabaya virus manually following the steps given in these two links..
The problem still persists.

http://softwarestips.blogspot.com/2008/01/how-to-remove-surabaya-virus.html

http://techfreakindia.blogspot.com/2008/07/surabaya-virus-manually-remove-get-rid.html

Obviously, I'm doing something wrong. Can you suggest a simpler/easier way to fix this?

I tried the method given in the first link, and deleted the surabaya text and the login caption by typing "regedit". When I restarted my computer I found the surabaya message again.

The second time I tried the second link and followed all the steps, but when I tried deleting autorun, I got the message that autorun does not exist. I am not sure if I had deleted autorun while removing the surabaya virus by the method suggested in the first link.. I don't recall having done that. The only thing I'm sure of is that I deleted the login caption and the login surabaya text.
I tried this many times and finally, after changing the value to 1 (hidden folders).. I didn't understand what to do next.
Also, in the command prompt (step 4), I get messages that the label syntax is incorrect and also that "Attrib *. * -S -H -R /D /S" is not identified as an internal or external command, although there is a space between D and S.

When I restarted again, I found the surabaya message still there.


----------



## techmoron (Apr 27, 2007)

I did an HJT scan again after trying to remove the virus manually.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:29 PM, on 11/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\abc\Start Menu\Programs\Startup\Adobe update.com
C:\Documents and Settings\abc\Start Menu\Programs\Startup\Adobe Online.com
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe update.com
O4 - Startup: Adobe Online.com
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

--
End of file - 2276 bytes


----------



## techmoron (Apr 27, 2007)

I THINK I got rid of it. Thanks to AVAST.

I downloaded Avast, and when I first installed Avast it did a boot scan and detected TROJAN,
and while scanning it detected and deleted WIN32:VB EIK.
But the surabaya message appeared again just before Windows started.
I did a thorough system scan again and deleted the login caption and text that contained the word surabaya from "regedit" and restarted the system; the surabaya message did not appear this time. Looks like I got rid of it, but I'm not sure..

How can I know if I have gotten rid of all traces of surabaya? Is there any way?

Also, I don't understand why I can't delete autorun from the command prompt; either I have already deleted autorun yesterday and don't remember doing it, or it's some error. I can't do anything on the command prompt as suggested in the two links above; the only message I get when I type anything on the command prompt is "file not found" or label syntax incorrect.


----------



## techmoron (Apr 27, 2007)

My intention is not to bump this thread, but only to keep the experts here posted on what I've done since I first saw the virus.

I don't see the surabaya virus message anymore, but like I said, I'm not sure if I've followed the manual removal procedure correctly and removed it completely. I was waiting for the experts to help me check if it's gone completely; in the meantime, I checked the sticky on this board and found this link

https://www.prevx.com/

I downloaded this and ran a scan; it did not detect anything harmful.

However, I'd prefer an expert tell me my computer is safe.

EDIT:
I uninstalled Prevx from my computer soon after scanning.


----------



## techmoron (Apr 27, 2007)

I also downloaded Spy Sweeper from this site
http://www.webroot.com/En_US/consumer-products-spysweeper.html and did a complete scan; it did not detect any harmful stuff.

My computer became extremely slow after downloading this, so I uninstalled it after the scan. It's fine now.

I'll post a log nonetheless.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:43:32 PM, on 11/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [IgfxTray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [SoundMan] "C:\WINDOWS\SOUNDMAN.EXE"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\WINDOWS\system32\NeroCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 3334 bytes


----------



## Cookiegal (Aug 27, 2003)

Please download Malwarebytes Anti-Malware from *Here* or *Here*

Double-click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply along with a new HijackThis log please.

Extra Note:
*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Also, if you receive an (Error Loading) error on reboot, please reboot a second time. It is normal for this error to occur once and does not need to be reported unless it returns on future reboots.*


----------



## techmoron (Apr 27, 2007)

Cookiegal,
Thanks.

Today when I started the computer, while booting, I got this error message

"cannot find program c:, make sure you typed it correctly"

I clicked OK, logged in here and downloaded the anti-malware as suggested. Didn't see this message again when the computer restarted.

MBAM Log: (sorry, I did a full scan instead of a quick scan, I missed the instructions)

Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (Adware.AskSBAR) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{f0d4b230-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f0d4b23a-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f0d4b23c-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b15fd82e-85bc-430d-90cb-65db1b030510} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f0d4b23b-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{f0d4b23b-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (%1) Good: ("%1" /S) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (Adware.AskSBAR) -> Delete on reboot.

---------------------------------------------------------------------------------------------------------------------------------------------

HJT LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:27:02 PM, on 11/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [IgfxTray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [SoundMan] "C:\WINDOWS\SOUNDMAN.EXE"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\WINDOWS\system32\NeroCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 3100 bytes


----------



## Cookiegal (Aug 27, 2003)

Please visit *Combofix Guide & Instructions* for instructions for installing the Recovery Console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished.


----------
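The two log formats in this thread carry the evidence of how this infection persisted: the HijackThis logs above list two `.com` files named after Adobe in the user's Startup folder, and the ComboFix log posted later lists per-volume `\Shell\AutoRun\command` handlers under the `MountPoints2` registry key, which is where Windows caches a removable drive's autorun.inf actions (and why Cookiegal's note that ComboFix disables autorun on removable media matters). The script below is an added example, not code from the thread or from any tool it mentions: it parses both formats offline and flags those two patterns. The function names, the `Finding` class and the list of risky extensions are my own choices; the sample lines are abridged copies of the logs posted in this thread.

```python
"""Offline triage of the HijackThis and ComboFix log formats posted in this thread (added example)."""
import re
from dataclasses import dataclass

# Constructed sample input: lines copied (abridged) from the logs posted in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - Startup: Adobe update.com
O4 - Startup: Adobe Online.com
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""

SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18d29529-801d-11dd-a11f-806d6172696f}]
\Shell\auto\command - Thumbs.com
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Thumbs.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d24b3a14-a9c4-11dd-96ff-0013d3084e8c}]
\Shell\auto\command - H:\Thumbs.com
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Thumbs.com
"""

# Executable extensions that have no business sitting loose in a Startup folder
# (my own list). Legitimate vendors drop .lnk shortcuts or .exe files there; a
# ".com" named "Adobe update.com" is a masquerade.
RISKY_STARTUP_EXTS = {".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}

O4_STARTUP = re.compile(r"^O4 - (Startup|Global Startup): (?P<target>.+)$")
MOUNTPOINT_KEY = re.compile(r"^\[.*\\mountpoints2\\(?P<vol>\{[0-9a-f-]+\})\]$", re.I)
SHELL_CMD = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$", re.I)


@dataclass
class Finding:
    source: str   # "hjt" or "combofix"
    where: str    # the log line or registry volume key the finding refers to
    detail: str   # why it is suspicious


def triage_hjt(log_text: str) -> list[Finding]:
    """Flag O4 Startup-folder entries whose target has a risky executable extension."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_STARTUP.match(line)
        if not m:
            continue
        target = m.group("target")
        # "Global Startup" lines read "name.lnk = path": judge the shortcut's target
        if " = " in target:
            target = target.split(" = ", 1)[1]
        basename = re.split(r"[\\/]", target.strip('"'))[-1]
        ext = basename[basename.rfind("."):].lower() if "." in basename else ""
        if ext in RISKY_STARTUP_EXTS:
            findings.append(Finding("hjt", line, f"{ext} file auto-started from a Startup folder"))
    return findings


def triage_mountpoints(combofix_text: str) -> list[Finding]:
    """Flag per-volume autorun handlers cached under MountPoints2.

    Windows stores a volume's autorun.inf actions here, so a hijacked
    \\Shell\\AutoRun\\command still fires when the drive icon is double-clicked
    even after the autorun.inf on the media itself has been deleted.
    """
    findings = []
    volume = None
    for raw in combofix_text.splitlines():
        line = raw.strip()
        key = MOUNTPOINT_KEY.match(line)
        if key:
            volume = key.group("vol")
            continue
        if line.startswith("["):
            volume = None  # some other registry key: stop attributing lines to a volume
            continue
        cmd = SHELL_CMD.match(line)
        if volume and cmd:
            findings.append(Finding("combofix", volume,
                                    f"Shell\\{cmd.group('verb')} runs: {cmd.group('cmd')}"))
    return findings


def summarize(hjt_text: str, combofix_text: str) -> dict[str, int]:
    """Count findings per log type; a clean machine yields zeros for both."""
    counts = {"hjt": 0, "combofix": 0}
    for f in triage_hjt(hjt_text) + triage_mountpoints(combofix_text):
        counts[f.source] += 1
    return counts


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT) + triage_mountpoints(SAMPLE_COMBOFIX):
        print(f"[{f.source}] {f.where}\n    {f.detail}")
    print(summarize(SAMPLE_HJT, SAMPLE_COMBOFIX))
```

Run as-is it reads nothing from disk and reports two Startup-folder findings and four MountPoints2 handlers (two volumes, each with an `auto` and an `AutoRun` verb pointing at Thumbs.com). The point of the second check is the one the thread illustrates: deleting autorun.inf from the drives and removing the registry text the message was stored in does not clear the cached handlers, which is why a tool that resets autorun behaviour is part of the clean-up.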



## techmoron (Apr 27, 2007)

I hope I did this right. I followed the instructions in the link; ComboFix initially gave a message that the Recovery Console needs to be installed, and I think while installing I got another message that "this machine already has a recovery console" and it aborted the Recovery Console installation.

Posting the Combo-Fix log:

ComboFix 08-11-07.01 - abc 2008-11-09 2:28:49.1 - *FAT32*x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.73 [GMT 5.5:30]
Running from: c:\documents and settings\abc\Desktop\Combo-Fix.exe.exe
Command switches used :: c:\documents and settings\abc\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
D:\Autorun.inf
E:\Autorun.inf
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-10-08 to 2008-11-08 )))))))))))))))))))))))))))))))
.

2008-11-07 16:00 . 2008-11-07 16:00 d--------	c:\program files\Malwarebytes' Anti-Malware
2008-11-07 16:00 . 2008-10-22 16:10	38,496	--a------	c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-07 16:00 . 2008-10-22 16:10	15,504	--a------	c:\windows\system32\drivers\mbam.sys
2008-11-07 14:01 . 2008-11-07 14:01 d--------	c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-07 14:01 . 2008-11-07 14:01 d--------	c:\documents and settings\abc\Application Data\Malwarebytes
2008-11-06 19:27 . 2008-11-06 19:27 d--hs----	C:\FOUND.002
2008-11-06 13:20 . 2008-11-06 13:20 d--------	c:\program files\AskSBar
2008-11-06 13:12 . 2008-11-06 13:12	164	--a------	C:\install.dat
2008-11-06 02:02 . 2008-11-06 02:02 d--------	c:\documents and settings\All Users\Application Data\TEMP
2008-11-06 00:31 . 2008-11-06 00:31 d--------	c:\documents and settings\All Users\Application Data\PrevxCSI
2008-11-05 15:28 . 2008-11-05 15:28 d--------	c:\program files\Alwil Software
2008-11-05 15:28 . 2003-03-19 02:50	1,060,864	--a------	c:\windows\system32\MFC71.dll
2008-11-04 01:12 . 2008-11-04 01:12 d--------	c:\program files\Trend Micro
2008-11-03 23:28 . 2008-11-03 23:28	426	--a------	c:\documents and settings\abc\Autoexec.bat
2008-10-27 15:22 . 2004-08-03 23:08	31,616	--a------	c:\windows\system32\drivers\usbccgp.sys
2008-10-27 15:22 . 2004-08-03 23:08	31,616	--a------	c:\windows\system32\dllcache\usbccgp.sys
2008-10-27 15:22 . 2004-08-04 00:56	21,504	--a------	c:\windows\system32\hidserv.dll
2008-10-27 15:22 . 2004-08-04 00:56	21,504	--a------	c:\windows\system32\dllcache\hidserv.dll
2008-10-27 15:22 . 2004-08-03 22:58	14,848	--a------	c:\windows\system32\drivers\kbdhid.sys
2008-10-27 15:22 . 2004-08-03 22:58	14,848	--a------	c:\windows\system32\dllcache\kbdhid.sys
2008-10-27 15:22 . 2001-08-17 14:02	9,600	--a------	c:\windows\system32\drivers\hidusb.sys
2008-10-27 15:22 . 2001-08-17 14:02	9,600	--a------	c:\windows\system32\dllcache\hidusb.sys
2008-10-24 15:19 . 2008-10-24 15:19 d--h-----	C:\FOUND.001

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 06:32	---------	d-----w	c:\documents and settings\abc\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2008-09-22 06:29	---------	d-----w	c:\program files\Common Files\Adobe AIR
2008-09-19 17:05	---------	d-----w	c:\documents and settings\abc\Application Data\AdobeUM
2008-09-11 12:54	---------	d-----w	c:\documents and settings\abc\Application Data\CyberLink
2008-09-11 12:43	---------	d-----w	c:\program files\Microsoft.NET
2008-09-11 12:43	---------	d-----w	c:\program files\Microsoft ActiveSync
2008-09-11 12:42	---------	d-----w	c:\documents and settings\All Users\Application Data\CyberLink
2008-09-11 11:33	---------	d-----w	c:\program files\Common Files\Adobe
2008-09-11 11:31	---------	d-----w	c:\program files\CyberLink
2008-09-11 11:29	---------	d-----w	c:\program files\Common Files\Ahead
2008-09-11 11:29	---------	d-----w	c:\program files\Ahead
2008-09-11 11:16	---------	d-----w	c:\program files\Intel
2008-09-11 11:16	---------	d-----w	c:\program files\Common Files\InstallShield
2008-09-11 11:13	---------	d--h--w	c:\program files\InstallShield Installation Information
2008-09-11 11:06	---------	d-----w	c:\program files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-11-06 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-11-06 13:20	66912	--a------	c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"SoundMan"="c:\windows\SOUNDMAN.EXE" [2004-12-01 77824]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-09-11 113664]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18d29529-801d-11dd-a11f-806d6172696f}]
\Shell\auto\command - Thumbs.com
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Thumbs.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18d2952a-801d-11dd-a11f-806d6172696f}]
\Shell\auto\command - Thumbs.com
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Thumbs.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18d2952b-801d-11dd-a11f-806d6172696f}]
\Shell\auto\command - Thumbs.com
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Thumbs.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18d2952d-801d-11dd-a11f-806d6172696f}]
\Shell\auto\command - Thumbs.com
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Thumbs.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d24b3a14-a9c4-11dd-96ff-0013d3084e8c}]
\Shell\auto\command - H:\Thumbs.com
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Thumbs.com

*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\abc\Application Data\Mozilla\Firefox\Profiles\tyuzobgt.default\
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-09 02:29:30
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-09 2:29:51
ComboFix-quarantined-files.txt 2008-11-08 20:59:50

Pre-Run: 11,371,315,200 bytes free
Post-Run: 11,401,125,888 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

128

------------------------------------------------------------------------------------------------------------------------------------

HJT LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:36:45 AM, on 11/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [IgfxTray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [SoundMan] "C:\WINDOWS\SOUNDMAN.EXE"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\WINDOWS\system32\NeroCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 3278 bytes

As for the autorun, if it's a mandatory requirement when using clean USB pen-drives and CDs in future, I'd like to install it. If I can manage without autorun, I do not want to install it.


----------



## Cookiegal (Aug 27, 2003)

Can you tell me what your D, E, F and H drives are?

Also, do you recognize this? *H:\Thumbs.com*

As for the autoruns, they are now disabled. All this means is nothing can execute automatically when you insert a USB flash or other type of external drive. You just have to click on them to open them up and run what you want to run.

Go to Control Panel - Add/Remove programs and remove:

*Ask Toolbar*

Open Notepad and copy and paste the text in the code box below into it:


```
File::
C:\program files\Mozilla Firefox\plugins\NPAskSBr.dll

Folder::
c:\program files\AskSBar

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"=-
[-HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.










This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*
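The MountPoints2 keys quoted from the ComboFix log are where Explorer caches the autorun commands of every removable volume it has seen, which is why they are the first place to look when a pen drive is suspected. The following is an added example, not code from this thread or from ComboFix, that parses a MountPoints2 block in the format the log shows and flags entries that look like a worm's autorun rather than a CD's setup launcher. The first sample entry copies the GUID and commands posted above; the second entry (all-zero GUID, `E:\setup.exe`) is constructed as a benign comparison, and the three heuristics are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in ComboFix's "Reg Loading Points" layout. The first key
# mirrors the entry from the posted log; the second is an invented benign entry
# of the kind a CD with a normal autorun.inf leaves behind.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d24b3a14-a9c4-11dd-96ff-0013d3084e8c}]
\Shell\auto\command - H:\Thumbs.com
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Thumbs.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-0000-0000-0000-000000000000}]
\Shell\AutoRun\command - E:\setup.exe
"""

MOUNTPOINT_KEY = re.compile(
    r"^\[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer"
    r"\\mountpoints2\\(\{[0-9a-f-]{36}\})\]$",
    re.IGNORECASE,
)
COMMAND_LINE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$", re.IGNORECASE)

# Heuristics (assumptions of this example): file names chosen to look like
# things Windows creates itself, and extensions that are executable but are
# rarely a legitimate autorun payload.
LOOKALIKE_NAMES = {"thumbs", "desktop", "recycler", "autorun"}
RISKY_EXTENSIONS = {".com", ".bat", ".cmd", ".vbs", ".scr", ".pif"}


@dataclass
class MountPoint:
    guid: str
    commands: Dict[str, str] = field(default_factory=dict)  # verb -> command line
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def target_of(cmd: str) -> str:
    """The file a command ultimately launches: the last token, whether the
    command is a bare path or a rundll32 ShellExec_RunDLL wrapper around it."""
    parts = cmd.split()
    return parts[-1] if parts else ""


def assess(entry: MountPoint) -> List[str]:
    """Apply the heuristics to every verb recorded for one volume."""
    reasons = []
    for verb, cmd in entry.commands.items():
        name = target_of(cmd).rsplit("\\", 1)[-1].lower()
        stem, dot, tail = name.rpartition(".")
        if not dot:                      # no extension at all
            stem, ext = name, ""
        else:
            ext = "." + tail
        if "shellexec_rundll" in cmd.lower():
            reasons.append(f"{verb}: launched through rundll32 ShellExec_RunDLL")
        if stem in LOOKALIKE_NAMES:
            reasons.append(f"{verb}: target '{name}' mimics a Windows-generated file")
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"{verb}: target has risky extension {ext}")
    return reasons


def parse_mountpoints(log_text: str) -> List[MountPoint]:
    """Collect every MountPoints2 key and its \\Shell\\<verb>\\command lines."""
    entries: List[MountPoint] = []
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = MOUNTPOINT_KEY.match(line)
        if key:
            current = MountPoint(guid=key.group(1).lower())
            entries.append(current)
            continue
        cmd = COMMAND_LINE.match(line)
        if cmd and current is not None:
            current.commands[cmd.group("verb").lower()] = cmd.group("cmd").strip()
        elif not line:
            current = None               # a blank line closes the key's block
    for entry in entries:
        entry.reasons = assess(entry)
    return entries


if __name__ == "__main__":
    for entry in parse_mountpoints(SAMPLE_LOG):
        verdict = "SUSPICIOUS" if entry.suspicious else "looks benign"
        print(f"{entry.guid}: {verdict}")
        for reason in entry.reasons:
            print("   -", reason)
```

A hit here only says that a volume with such an autorun.inf was once inserted; the file itself may already be gone, which is why the thread asks what the H: drive is rather than treating the key alone as the infection.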


----------



## techmoron (Apr 27, 2007)

From my user name I think it's clear that I'm a 'moron'. This time again I didn't follow the instructions completely.

First mistake I made: I forgot to remove Ask Toolbar before I did the ComboFix scan.

Second, when I first did the ComboFix scan, I didn't realize that my avast anti-virus was not turned off.

So, I turned off the anti-virus and did a ComboFix scan again. I now have 2 ComboFix scans; I will post both because I don't know which one I should be posting.

However, I have only one HJT log, because I made this after the second ComboFix scan.

At the end, I tried to remove the Ask Toolbar from the control panel. When I clicked on Ask Toolbar to remove it, I got an error message that the toolbar could not be found.
It shows up in Add/Remove Programs though..

I don't know what H:\Thumbs.com is. Could it be the new picture folder I downloaded from my brother's infected pen drive?
I opened the picture folder; it seems to be saved in the C: drive. It's on my desktop, and it's named New Folder. This is the location it's saved in:
"C:\Documents and Settings\abc\Desktop\New Folder"

I don't have an H: drive. All I have is C:, E:, F:, and D:.
All my stuff is stored in the C: drive. I have nothing in the other drives.

There are some games in D:, and these games were already there in my computer when I bought it from the LG dealer a few years back. I never checked what they are. I don't know if the E: and F: drives were present when I got this computer. Perhaps they were, because I didn't make these drives.

I don't have much in the C: drive either, because I got Windows reinstalled about a month back.

And thanks for the autorun information, I can manage without it.

The ComboFix scan log (first report, with avast anti-virus on):

ComboFix 08-11-07.01 - abc 2008-11-09 14:00:49.2 - *FAT32*x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.58 [GMT 5.5:30]
Running from: c:\documents and settings\abc\Desktop\Combo-Fix.exe.exe
Command switches used :: c:\documents and settings\abc\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AskSBar
c:\program files\AskSBar\bar\1.bin\A2FFXTBR.JAR
c:\program files\AskSBar\bar\1.bin\A2FFXTBR.MANIFEST
c:\program files\AskSBar\bar\1.bin\A2HIGHIN.EXE
c:\program files\AskSBar\bar\1.bin\A2NTSTBR.JAR
c:\program files\AskSBar\bar\1.bin\A2NTSTBR.MANIFEST
c:\program files\AskSBar\bar\1.bin\A2PLUGIN.DLL
c:\program files\AskSBar\bar\1.bin\NPASKSBR.DLL
c:\program files\AskSBar\bar\Cache\0003D87F
c:\program files\AskSBar\bar\Cache\00040A8B
c:\program files\AskSBar\bar\Cache\00040E73.bin
c:\program files\AskSBar\bar\Cache\000411FE.bin
c:\program files\AskSBar\bar\Cache\0004174D.bin
c:\program files\AskSBar\bar\Cache\00041A99.bin
c:\program files\AskSBar\bar\Cache\00041D87.bin
c:\program files\AskSBar\bar\Cache\00042334.bin
c:\program files\AskSBar\bar\Cache\00042612.bin
c:\program files\AskSBar\bar\Cache\000428C2.bin
c:\program files\AskSBar\bar\Cache\files.ini
c:\program files\AskSBar\bar\History\search2
c:\program files\AskSBar\bar\Settings\prevcfg2.htm
c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll

.
((((((((((((((((((((((((( Files Created from 2008-10-09 to 2008-11-09 )))))))))))))))))))))))))))))))
.

2008-11-07 16:00 . 2008-11-07 16:00 d--------	c:\program files\Malwarebytes' Anti-Malware
2008-11-07 16:00 . 2008-10-22 16:10	38,496	--a------	c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-07 16:00 . 2008-10-22 16:10	15,504	--a------	c:\windows\system32\drivers\mbam.sys
2008-11-07 14:01 . 2008-11-07 14:01 d--------	c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-07 14:01 . 2008-11-07 14:01 d--------	c:\documents and settings\abc\Application Data\Malwarebytes
2008-11-06 19:27 . 2008-11-06 19:27 d--hs----	C:\FOUND.002
2008-11-06 13:12 . 2008-11-06 13:12	164	--a------	C:\install.dat
2008-11-06 02:02 . 2008-11-06 02:02 d--------	c:\documents and settings\All Users\Application Data\TEMP
2008-11-06 00:31 . 2008-11-06 00:31 d--------	c:\documents and settings\All Users\Application Data\PrevxCSI
2008-11-05 15:28 . 2008-11-05 15:28 d--------	c:\program files\Alwil Software
2008-11-05 15:28 . 2003-03-19 02:50	1,060,864	--a------	c:\windows\system32\MFC71.dll
2008-11-04 01:12 . 2008-11-04 01:12 d--------	c:\program files\Trend Micro
2008-11-03 23:28 . 2008-11-03 23:28	426	--a------	c:\documents and settings\abc\Autoexec.bat
2008-10-27 15:22 . 2004-08-03 23:08	31,616	--a------	c:\windows\system32\drivers\usbccgp.sys
2008-10-27 15:22 . 2004-08-03 23:08	31,616	--a------	c:\windows\system32\dllcache\usbccgp.sys
2008-10-27 15:22 . 2004-08-04 00:56	21,504	--a------	c:\windows\system32\hidserv.dll
2008-10-27 15:22 . 2004-08-04 00:56	21,504	--a------	c:\windows\system32\dllcache\hidserv.dll
2008-10-27 15:22 . 2004-08-03 22:58	14,848	--a------	c:\windows\system32\drivers\kbdhid.sys
2008-10-27 15:22 . 2004-08-03 22:58	14,848	--a------	c:\windows\system32\dllcache\kbdhid.sys
2008-10-27 15:22 . 2001-08-17 14:02	9,600	--a------	c:\windows\system32\drivers\hidusb.sys
2008-10-27 15:22 . 2001-08-17 14:02	9,600	--a------	c:\windows\system32\dllcache\hidusb.sys
2008-10-24 15:19 . 2008-10-24 15:19 d--h-----	C:\FOUND.001

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 06:32	---------	d-----w	c:\documents and settings\abc\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2008-09-22 06:29	---------	d-----w	c:\program files\Common Files\Adobe AIR
2008-09-19 17:05	---------	d-----w	c:\documents and settings\abc\Application Data\AdobeUM
2008-09-11 12:54	---------	d-----w	c:\documents and settings\abc\Application Data\CyberLink
2008-09-11 12:43	---------	d-----w	c:\program files\Microsoft.NET
2008-09-11 12:43	---------	d-----w	c:\program files\Microsoft ActiveSync
2008-09-11 12:42	---------	d-----w	c:\documents and settings\All Users\Application Data\CyberLink
2008-09-11 11:33	---------	d-----w	c:\program files\Common Files\Adobe
2008-09-11 11:31	---------	d-----w	c:\program files\CyberLink
2008-09-11 11:29	---------	d-----w	c:\program files\Common Files\Ahead
2008-09-11 11:29	---------	d-----w	c:\program files\Ahead
2008-09-11 11:16	---------	d-----w	c:\program files\Intel
2008-09-11 11:16	---------	d-----w	c:\program files\Common Files\InstallShield
2008-09-11 11:13	---------	d--h--w	c:\program files\InstallShield Installation Information
2008-09-11 11:06	---------	d-----w	c:\program files\microsoft frontpage
.

((((((((((((((((((((((((((((( [email protected]_ 2.29.35.92 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-09 08:25:34	16,384	----a-w	c:\windows\Temp\Perflib_Perfdata_4cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"SoundMan"="c:\windows\SOUNDMAN.EXE" [2004-12-01 77824]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-09-11 113664]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d24b3a14-a9c4-11dd-96ff-0013d3084e8c}]
\Shell\auto\command - H:\Thumbs.com
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Thumbs.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-09 14:01:43
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-09 14:02:04
ComboFix-quarantined-files.txt 2008-11-09 08:32:02
ComboFix2.txt 2008-11-08 20:59:52

Pre-Run: 11,392,049,152 bytes free
Post-Run: 11,383,799,808 bytes free

122

-------------------------------------------------------------------------------------------------------------------------------------------

Second ComboFix log (avast anti-virus turned off):

ComboFix 08-11-07.01 - abc 2008-11-09 14:09:06.3 - *FAT32*x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.81 [GMT 5.5:30]
Running from: c:\documents and settings\abc\Desktop\Combo-Fix.exe.exe
Command switches used :: c:\documents and settings\abc\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
.

((((((((((((((((((((((((( Files Created from 2008-10-09 to 2008-11-09 )))))))))))))))))))))))))))))))
.

2008-11-07 16:00 . 2008-11-07 16:00 d--------	c:\program files\Malwarebytes' Anti-Malware
2008-11-07 16:00 . 2008-10-22 16:10	38,496	--a------	c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-07 16:00 . 2008-10-22 16:10	15,504	--a------	c:\windows\system32\drivers\mbam.sys
2008-11-07 14:01 . 2008-11-07 14:01 d--------	c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-07 14:01 . 2008-11-07 14:01 d--------	c:\documents and settings\abc\Application Data\Malwarebytes
2008-11-06 19:27 . 2008-11-06 19:27 d--hs----	C:\FOUND.002
2008-11-06 13:12 . 2008-11-06 13:12	164	--a------	C:\install.dat
2008-11-06 02:02 . 2008-11-06 02:02 d--------	c:\documents and settings\All Users\Application Data\TEMP
2008-11-06 00:31 . 2008-11-06 00:31 d--------	c:\documents and settings\All Users\Application Data\PrevxCSI
2008-11-05 15:28 . 2008-11-05 15:28 d--------	c:\program files\Alwil Software
2008-11-05 15:28 . 2003-03-19 02:50	1,060,864	--a------	c:\windows\system32\MFC71.dll
2008-11-04 01:12 . 2008-11-04 01:12 d--------	c:\program files\Trend Micro
2008-11-03 23:28 . 2008-11-03 23:28	426	--a------	c:\documents and settings\abc\Autoexec.bat
2008-10-27 15:22 . 2004-08-03 23:08	31,616	--a------	c:\windows\system32\drivers\usbccgp.sys
2008-10-27 15:22 . 2004-08-03 23:08	31,616	--a------	c:\windows\system32\dllcache\usbccgp.sys
2008-10-27 15:22 . 2004-08-04 00:56	21,504	--a------	c:\windows\system32\hidserv.dll
2008-10-27 15:22 . 2004-08-04 00:56	21,504	--a------	c:\windows\system32\dllcache\hidserv.dll
2008-10-27 15:22 . 2004-08-03 22:58	14,848	--a------	c:\windows\system32\drivers\kbdhid.sys
2008-10-27 15:22 . 2004-08-03 22:58	14,848	--a------	c:\windows\system32\dllcache\kbdhid.sys
2008-10-27 15:22 . 2001-08-17 14:02	9,600	--a------	c:\windows\system32\drivers\hidusb.sys
2008-10-27 15:22 . 2001-08-17 14:02	9,600	--a------	c:\windows\system32\dllcache\hidusb.sys
2008-10-24 15:19 . 2008-10-24 15:19 d--h-----	C:\FOUND.001

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 06:32	---------	d-----w	c:\documents and settings\abc\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2008-09-22 06:29	---------	d-----w	c:\program files\Common Files\Adobe AIR
2008-09-19 17:05	---------	d-----w	c:\documents and settings\abc\Application Data\AdobeUM
2008-09-11 12:54	---------	d-----w	c:\documents and settings\abc\Application Data\CyberLink
2008-09-11 12:43	---------	d-----w	c:\program files\Microsoft.NET
2008-09-11 12:43	---------	d-----w	c:\program files\Microsoft ActiveSync
2008-09-11 12:42	---------	d-----w	c:\documents and settings\All Users\Application Data\CyberLink
2008-09-11 11:33	---------	d-----w	c:\program files\Common Files\Adobe
2008-09-11 11:31	---------	d-----w	c:\program files\CyberLink
2008-09-11 11:29	---------	d-----w	c:\program files\Common Files\Ahead
2008-09-11 11:29	---------	d-----w	c:\program files\Ahead
2008-09-11 11:16	---------	d-----w	c:\program files\Intel
2008-09-11 11:16	---------	d-----w	c:\program files\Common Files\InstallShield
2008-09-11 11:13	---------	d--h--w	c:\program files\InstallShield Installation Information
2008-09-11 11:06	---------	d-----w	c:\program files\microsoft frontpage
.

((((((((((((((((((((((((((((( [email protected]_ 2.29.35.92 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-09 08:25:34	16,384	----a-w	c:\windows\Temp\Perflib_Perfdata_4cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"SoundMan"="c:\windows\SOUNDMAN.EXE" [2004-12-01 77824]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-09-11 113664]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d24b3a14-a9c4-11dd-96ff-0013d3084e8c}]
\Shell\auto\command - H:\Thumbs.com
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Thumbs.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-09 14:09:52
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-09 14:10:10
ComboFix-quarantined-files.txt 2008-11-09 08:40:10
ComboFix3.txt 2008-11-08 20:59:52
ComboFix2.txt 2008-11-09 08:32:06

Pre-Run: 11,360,051,200 bytes free
Post-Run: 11,351,924,736 bytes free

97
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

HJT LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:10:43 PM, on 11/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [IgfxTray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [SoundMan] "C:\WINDOWS\SOUNDMAN.EXE"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\WINDOWS\system32\NeroCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 2973 bytes

PS:
I don't know if this is important or in any way related to the Surabaya virus....I'll write this nonetheless.
I use Mozilla Firefox, and suddenly the look seems to have changed. There is an additional bar below the address bar. Anyway, when I keep my cursor there it shows as
chrome://a2ffxtbr/content/toolbarembedhtml#

EDIT: Sorry, I bothered you. I could fix the toolbar stuff myself; I don't think it had anything to do with the virus. Once again sorry, if my stupidity is annoying you. :embarrassed:
.


----------



## Cookiegal (Aug 27, 2003)

Since you forgot to uninstall the Ask Toolbar first, removing the folder has broken the uninstaller, but we can deal with that later.

The thumbs.com is part of this virus. When you insert your brother's flash drive does it show up as your H drive? Of course it depends what else you have inserted in the USB ports.

Please right-click on the following file and select "Edit" from the right-click menu. Then copy and paste the contents here in a reply please.

c:\documents and settings\abc\*Autoexec.bat*


----------



## techmoron (Apr 27, 2007)

Copy-pasting the content:

@Echo Off
Echo 81u3f4nt45y - 24.01.2007
Echo Don't kill me, i'm just send message from your computer
Echo Terima kasih telah menemaniku walaupun hanya sesaat, tapi bagiku sangat berarti
Echo Maafkan jika kebahagiaan yang kuminta adalah teman sepanjang hidupku
Echo Seharusnya aku mengerti bahwa keberadaanku bukanlah disisimu, hanyalah lamunan dalam sesal
Echo Untuk kekasih yang tak kan pernah kumiliki 3r1k1m0
pause



I think my brother's flash drive shows up as the H drive, I'm not sure. Normally I don't insert anything in the USB ports except the flash drive.
My computer is a desktop; my keyboard is connected to one of the USB ports. The one I was using earlier was a psp type keyboard, and the mouse I am using currently is still a psp type. (I think it's called psp, it's round unlike the flat USB end.)
So at the moment it's only the keyboard connected to the USB port.


----------



## Cookiegal (Aug 27, 2003)

Although the mouse and keyboard plug into USB ports they don't show up as drives.

Do you have access to his flash drive? We need to disinfect it at the same time.

If you do, please insert it before proceeding and leave it inserted until you have finished all of the instructions.

Download *Flash_Disinfector.exe by sUBs* from *here* and save it to your desktop.
- Double-click *Flash_Disinfector.exe* to run it and follow any prompts that may appear.
- The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
- Wait until it has finished scanning and then exit the program.
- Reboot your computer when done.
*Note*: _Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection._

Open Notepad and copy and paste the text in the code box below into it:


```
File::
c:\documents and settings\abc\Autoexec.bat
C:\install.dat
H:\Thumbs.com
C:\Thumbs.com

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d24b3a14-a9c4-11dd-96ff-0013d3084e8c}]
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.










This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*
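The note above about Flash_Disinfector leaving a hidden *autorun.inf* folder on each drive describes a simple defensive trick: a worm that lands on the drive cannot create an autorun.inf file while a folder of that name already occupies the root, so Explorer has nothing to auto-launch. The Python below is an added example written for this thread, not Flash_Disinfector's own code, and it is simplified (no hidden/system attributes, no protection against the folder being deleted). It classifies a drive root as clean, protected, or carrying an autorun.inf file, extracts the commands such a file would hand to the shell, and then installs the placeholder folder. The "drive root" is a temporary directory and the autorun.inf content is constructed to reproduce the two commands recorded in the posted MountPoints2 entry.

```python
import tempfile
from pathlib import Path
from typing import Dict, List

# Constructed sample: the autorun.inf that would produce the \Shell\auto\command
# and \Shell\AutoRun\command entries quoted from the ComboFix log.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=Thumbs.com
shell\\auto\\command=Thumbs.com
"""

# Keys in [autorun] that name a program to run; shell\<verb>\command keys are
# matched by pattern below.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return the key=value pairs of the [autorun] section, keys lowercased.
    Other sections, comments and blank lines are ignored."""
    values: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def launch_targets(values: Dict[str, str]) -> List[str]:
    """Every command the file would hand to the shell: open=, shellexecute=,
    and shell\\<verb>\\command=."""
    return [
        value
        for key, value in values.items()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
    ]


def inspect_drive_root(root: Path) -> Dict[str, object]:
    """Classify the root of a drive by what sits at <root>\\autorun.inf."""
    inf = root / "autorun.inf"
    if not inf.exists():
        return {"state": "absent", "targets": []}
    if inf.is_dir():
        return {"state": "placeholder-folder", "targets": []}
    values = parse_autorun_inf(inf.read_text(errors="replace"))
    return {"state": "file", "targets": launch_targets(values)}


def install_placeholder(root: Path) -> bool:
    """Occupy the autorun.inf name with an empty folder so no file of that
    name can be written there. Returns False when something already exists."""
    inf = root / "autorun.inf"
    if inf.exists():
        return False
    inf.mkdir()
    return True


def demo() -> Dict[str, Dict[str, object]]:
    """Walk one throw-away 'drive' through infected, cleaned and protected."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "autorun.inf").write_text(SAMPLE_AUTORUN_INF)
        infected = inspect_drive_root(root)
        (root / "autorun.inf").unlink()          # the cleanup step: drop the file
        cleaned = inspect_drive_root(root)
        install_placeholder(root)                # the Flash_Disinfector idea
        protected = inspect_drive_root(root)
    return {"infected": infected, "cleaned": cleaned, "protected": protected}


if __name__ == "__main__":
    for stage, result in demo().items():
        print(f"{stage:>9}: {result['state']}  targets={result['targets']}")
```

Deleting autorun.inf alone leaves the payload file (here Thumbs.com) on the drive, which is why the CFScript above names both; the placeholder folder only stops the next insertion from auto-launching anything.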


----------



## techmoron (Apr 27, 2007)

I don't have his flash drive at the moment. I can get it tomorrow when I meet him.

Do we need to disinfect his flash drive in order to prevent future infections of my computer through his flash drive,

OR

to get rid of whatever H:\Thumbs.com is,

OR

is it because the port itself is infected and any clean USB inserted in the future could also get infected, or cause infection through the port?


----------



## Cookiegal (Aug 27, 2003)

Ports don't get infected. It's the flash drive that's infected. We don't have to disinfect the flash drive as long as you're never going to use it again. But we should, because he will remain infected, and if he uses it to transfer to other people's computers they will get infected as well.


----------



## techmoron (Apr 27, 2007)

I couldn't get my brother's flash drive. He says he will disinfect his flash drive and computer when he's free. Now that he's aware the flash drive is infected he will not use it on any computer. He might post here next week.



I have 2 flash drives:
1) Brand new, never used.
2) An old one. I don't have any important data in that. It was clean when it was with me, but recently I gave it to a friend. I never checked after I got it back from her, and now I don't have the courage to plug it in and check if it's clean. We are halfway through the clean-up process; I don't want to risk any more infection, either Surabaya or anything else (if there is), from this flash drive. I might never use it, just to be safe.

If you want me to plug in both my flash drives and check, I will..
Should I?


----------



## techmoron (Apr 27, 2007)

I continued with the ComboFix scan.

I dragged the CFScript into ComboFix, and when it opened up, it asked if I would want to update ComboFix. I clicked yes; ComboFix first downloaded the new update and then continued to the deletion/scan process.

CFScript log:

ComboFix 08-11-09.04 - abc 2008-11-10 22:35:57.4 - *FAT32*x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.64 [GMT 5.5:30]
Running from: c:\documents and settings\abc\Desktop\Combo-Fix.exe.exe
Command switches used :: c:\documents and settings\abc\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\documents and settings\abc\Autoexec.bat
C:\install.dat
C:\Thumbs.com
H:\Thumbs.com
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\abc\Autoexec.bat
C:\install.dat

.
((((((((((((((((((((((((( Files Created from 2008-10-10 to 2008-11-10 )))))))))))))))))))))))))))))))
.

2008-11-07 16:00 . 2008-11-07 16:00 d--------	c:\program files\Malwarebytes' Anti-Malware
2008-11-07 16:00 . 2008-10-22 16:10	38,496	--a------	c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-07 16:00 . 2008-10-22 16:10	15,504	--a------	c:\windows\system32\drivers\mbam.sys
2008-11-07 14:01 . 2008-11-07 14:01 d--------	c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-07 14:01 . 2008-11-07 14:01 d--------	c:\documents and settings\abc\Application Data\Malwarebytes
2008-11-06 19:27 . 2008-11-06 19:27 d--hs----	C:\FOUND.002
2008-11-06 02:02 . 2008-11-06 02:02 d--------	c:\documents and settings\All Users\Application Data\TEMP
2008-11-06 00:31 . 2008-11-06 00:31 d--------	c:\documents and settings\All Users\Application Data\PrevxCSI
2008-11-05 15:28 . 2008-11-05 15:28 d--------	c:\program files\Alwil Software
2008-11-05 15:28 . 2003-03-19 02:50	1,060,864	--a------	c:\windows\system32\MFC71.dll
2008-11-04 01:12 . 2008-11-04 01:12 d--------	c:\program files\Trend Micro
2008-10-27 15:22 . 2004-08-03 23:08	31,616	--a------	c:\windows\system32\drivers\usbccgp.sys
2008-10-27 15:22 . 2004-08-03 23:08	31,616	--a------	c:\windows\system32\dllcache\usbccgp.sys
2008-10-27 15:22 . 2004-08-04 00:56	21,504	--a------	c:\windows\system32\hidserv.dll
2008-10-27 15:22 . 2004-08-04 00:56	21,504	--a------	c:\windows\system32\dllcache\hidserv.dll
2008-10-27 15:22 . 2004-08-03 22:58	14,848	--a------	c:\windows\system32\drivers\kbdhid.sys
2008-10-27 15:22 . 2004-08-03 22:58	14,848	--a------	c:\windows\system32\dllcache\kbdhid.sys
2008-10-27 15:22 . 2001-08-17 14:02	9,600	--a------	c:\windows\system32\drivers\hidusb.sys
2008-10-27 15:22 . 2001-08-17 14:02	9,600	--a------	c:\windows\system32\dllcache\hidusb.sys
2008-10-24 15:19 . 2008-10-24 15:19 d--h-----	C:\FOUND.001

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 06:32	---------	d-----w	c:\documents and settings\abc\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2008-09-22 06:29	---------	d-----w	c:\program files\Common Files\Adobe AIR
2008-09-19 17:05	---------	d-----w	c:\documents and settings\abc\Application Data\AdobeUM
2008-09-11 12:54	---------	d-----w	c:\documents and settings\abc\Application Data\CyberLink
2008-09-11 12:43	---------	d-----w	c:\program files\Microsoft.NET
2008-09-11 12:43	---------	d-----w	c:\program files\Microsoft ActiveSync
2008-09-11 12:42	---------	d-----w	c:\documents and settings\All Users\Application Data\CyberLink
2008-09-11 11:33	---------	d-----w	c:\program files\Common Files\Adobe
2008-09-11 11:31	---------	d-----w	c:\program files\CyberLink
2008-09-11 11:29	---------	d-----w	c:\program files\Common Files\Ahead
2008-09-11 11:29	---------	d-----w	c:\program files\Ahead
2008-09-11 11:16	---------	d-----w	c:\program files\Intel
2008-09-11 11:16	---------	d-----w	c:\program files\Common Files\InstallShield
2008-09-11 11:13	---------	d--h--w	c:\program files\InstallShield Installation Information
2008-09-11 11:06	---------	d-----w	c:\program files\microsoft frontpage
.

((((((((((((((((((((((((((((( [email protected]_ 2.29.35.92 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-09 11:40:12	16,384	----a-w	c:\windows\Temp\Perflib_Perfdata_4d8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"SoundMan"="c:\windows\SOUNDMAN.EXE" [2004-12-01 77824]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-09-11 113664]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 22:36:42
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-10 22:37:00
ComboFix-quarantined-files.txt 2008-11-10 17:07:00
ComboFix4.txt 2008-11-08 20:59:52
ComboFix3.txt 2008-11-09 08:32:06
ComboFix2.txt 2008-11-09 08:40:12

Pre-Run: 11,251,859,456 bytes free
Post-Run: 11,244,011,520 bytes free

101

-----------------------------------------------------------------------------------------------------------

HJT LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:38:01 PM, on 11/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [IgfxTray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [SoundMan] "C:\WINDOWS\SOUNDMAN.EXE"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\WINDOWS\system32\NeroCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 2975 bytes


----------



## techmoron (Apr 27, 2007)

I forgot to write this:

I haven't inserted any flash drive. So i skipped the Flash_Disinfector part and continued with the ComboFix Scan.


----------



## Cookiegal (Aug 27, 2003)

You can insert the flash drives if you want to check them. Let me know. I can have you run a small batch file to check for malware on them.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses Java technology to perform the scan. If you do not have Java then you will need to go to the following link and download the latest version (it's the fifth one down the list):

*Java Runtime Environment (JRE) 6 Update 7*

Instructions for Kaspersky scan:


Read through the requirements and privacy statement and click on *Accept* button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click *Run*.
When the downloads have finished, click on *Settings*.
Make sure the following is checked:
*Spyware, Adware, Dialers, and other potentially dangerous programs*
*Archives*
*Mail databases*

Click on *My Computer* under *Scan*.
Once the scan is complete, it will display the results. Click on *View Scan Report*.
You will see a list of infected items there. Click on *Save Report As...*.
Save this report to a convenient place. Change the *Files of type* to *Text file (.txt)* before clicking on the *Save* button.
Please post this log in your next reply.


----------



## techmoron (Apr 27, 2007)

If I have to insert the flash drives, should I do that before the Kaspersky scan? Not sure if I want to...


----------



## techmoron (Apr 27, 2007)

I downloaded Java from the link you gave me, JRE 6 Update 7. I could not install it.
I got this error message when I tried to install it:
"This installation package is not supported by this processor type, contact vendor"

My processor is Intel Pentium 4, and I have Windows XP Professional Service Pack 2.

Right now (after downloading the Recovery Console from Microsoft), at start-up it shows:
Intel Pentium 4,
Recovery Console
Microsoft XP Professional.


----------



## Cookiegal (Aug 27, 2003)

techmoron said:


> If I have to insert the flash drives, should I do that before the Kaspersky scan? Not sure if I want to...


No, don't insert the flash drives. Please go ahead with the scan. As long as you have some version of Java it should work.


----------



## techmoron (Apr 27, 2007)

Thanks, I will go ahead with the scan and post back in a while.
And no, I did not insert the flash drives.


----------



## Cookiegal (Aug 27, 2003)

OK. :up:


----------



## techmoron (Apr 27, 2007)

Initially, I could not proceed with Kaspersky because it did not detect Java on my computer. I downloaded a plug-in from the same website, because it showed as a Java plug-in, after which I could do the scan.

While saving the plug-in, I noted the information; I'll write it here just in case you need to know:

xpiinstall.exe
binary file
from: http://sdlc-esd.sun.com

It's a coffee cup icon, shows as Java TM platform SE binary.

After installing this plug-in, Kaspersky detected Java on my system as:
OS type: Windows XP
Web browser: Firefox 3.0.0 (Gecko: 1.9.0.3)
Java vendor: Sun Microsystems Inc
Java version: 1.6_10
Java architecture: x86
Java enabled: true

Here's the Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, November 12, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, November 12, 2008 05:18:02
Records in database: 1381160
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 29333
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 00:46:56

File name / Threat name / Threats count
C:\System Volume Information\_restore{C9FC6BF1-0CB3-4DE4-B587-7A827B03869F}\RP35\A0028666.DLL	Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.dw	1
C:\Qoobox\Quarantine\C\Program Files\AskSBar\bar\1.bin\A2PLUGIN.DLL.vir	Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.dw	1

The selected area was scanned.

PS:
What's the infected Ask toolbar? Is it the one I wrote about in post #14?
The Java I installed also came along with a new Yahoo toolbar.


----------



## Cookiegal (Aug 27, 2003)

The Ask Toolbar showing in the scan is already in quarantine by ComboFix.

I'm sure there was an option not to install the Yahoo toolbar when downloading the plugin, which I don't know why you needed anyway. You can uninstall the Yahoo Toolbar.

Please post a new HijackThis log.


----------
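Cookiegal's point above is worth making mechanical. A scanner reports a signature match wherever the file sits, so a hit under ComboFix's C:\Qoobox\Quarantine (the original path mirrored under the drive letter, with .vir appended, as the A2PLUGIN.DLL.vir row shows) or inside a System Restore point (C:\System Volume Information\_restore{...}\RPnn\) is an inert copy, not something that runs at boot. Kaspersky's `not-a-virus:` prefix likewise marks riskware and adware rather than a trojan or worm. The script below is an added example and not code from Kaspersky, ComboFix or anyone in this thread; the first two report rows are copied from the 11/12/2008 report posted above, the third is constructed to show the same DLL at its pre-quarantine path, and the function and class names are the editor's own.

```python
"""Triage a Kaspersky Online Scanner 7 report: split live detections from
copies parked in ComboFix's quarantine or in a System Restore point.

Added example for this thread; not Kaspersky's or ComboFix's code.
"""
import re
from dataclasses import dataclass

# Report rows are tab separated:  <path>\tInfected: <threat name>\t<count>
ROW_RE = re.compile(r"^(?P<path>[^\t]+)\t(?:Infected|Suspicious): (?P<threat>\S+)\t(?P<count>\d+)$")

# Places where a hit is an inert copy rather than a running infection.
INERT_LOCATIONS = (
    (re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.I),
     "system restore point"),
    (re.compile(r"^[A-Za-z]:\\Qoobox\\Quarantine\\", re.I), "ComboFix quarantine"),
)

# ComboFix mirrors the original path under Qoobox\Quarantine\<drive>\ and
# appends .vir, as the report row for A2PLUGIN.DLL.vir shows.
QOOBOX_RE = re.compile(
    r"^[A-Za-z]:\\Qoobox\\Quarantine\\(?P<drive>[A-Za-z])\\(?P<rest>.+?)(?:\.vir)?$", re.I)


@dataclass
class Detection:
    path: str
    threat: str
    count: int
    location: str   # "live", "system restore point" or "ComboFix quarantine"
    severity: str   # "riskware" for Kaspersky's not-a-virus:* names, else "malware"


def classify_location(path):
    for pattern, label in INERT_LOCATIONS:
        if pattern.search(path):
            return label
    return "live"


def original_path(path):
    """Pre-quarantine location of a Qoobox entry, or None for any other path."""
    m = QOOBOX_RE.match(path)
    return f"{m['drive'].upper()}:\\{m['rest']}" if m else None


def parse_report(text):
    out = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, blank and statistics lines
        threat = m["threat"]
        out.append(Detection(m["path"], threat, int(m["count"]),
                             classify_location(m["path"]),
                             "riskware" if threat.startswith("not-a-virus:") else "malware"))
    return out


def live_detections(detections):
    return [d for d in detections if d.location == "live"]


REPORT = "\n".join([
    "File name / Threat name / Threats count",
    # Next two rows copied from the 11/12/2008 report in this thread.
    "C:\\System Volume Information\\_restore{C9FC6BF1-0CB3-4DE4-B587-7A827B03869F}\\RP35\\A0028666.DLL"
    "\tInfected: not-a-virus:WebToolbar.Win32.MyWebSearch.dw\t1",
    "C:\\Qoobox\\Quarantine\\C\\Program Files\\AskSBar\\bar\\1.bin\\A2PLUGIN.DLL.vir"
    "\tInfected: not-a-virus:WebToolbar.Win32.MyWebSearch.dw\t1",
    # Constructed row, not from the thread: the same DLL at its original path.
    "C:\\Program Files\\AskSBar\\bar\\1.bin\\A2PLUGIN.DLL"
    "\tInfected: not-a-virus:WebToolbar.Win32.MyWebSearch.dw\t1",
])

if __name__ == "__main__":
    found = parse_report(REPORT)
    for d in found:
        print(f"{d.location:22} {d.severity:9} {d.path}")
        if d.location == "ComboFix quarantine":
            print(f"{'':22} originally at {original_path(d.path)}")
    print(f"{len(live_detections(found))} live detection(s) need action")
```

Only the constructed third row comes out as live; the two real rows are classified as inert copies, which is the same conclusion Cookiegal drew by eye. The restore-point copy only matters if that restore point is later used, which is why the usual last step of a clean-up is to turn System Restore off and back on to flush the old points.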



## techmoron (Apr 27, 2007)

Cookiegal said:


> I'm sure there was an option not to install the Yahoo toolbar when downloading the plugin, which I don't know why you needed anyway. You can uninstall the Yahoo Toolbar.


Sorry, I didn't get it. Did you ask me why I needed the Yahoo toolbar or did you ask me why I needed the plugin?

I downloaded the plugin because it was a version of Java.

As for the Yahoo toolbar, I didn't want it. I think I could have unchecked it and continued with the plug-in installation, but I don't know why I didn't do that.

I don't know how to uninstall a toolbar. All I know is: View option, click Toolbar, uncheck Yahoo Toolbar. It hides the Yahoo toolbar. I did the same thing to the Ask toolbar I mentioned in my post #14.

How should I uninstall it?
Should I keep that version of Java?

Here's the HJT LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:36 PM, on 11/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [SoundMan] "C:\WINDOWS\SOUNDMAN.EXE"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\WINDOWS\system32\NeroCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 3870 bytes


----------
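Cookiegal asks for a fresh HijackThis log after each step because the useful signal is the difference between consecutive logs: which R/O entries (start pages, BHOs, Run keys, services) and which running processes appeared or vanished. Between the 11/10 and 11/13 logs above the persistence entries differ only by the Java 6 Update 10 install (three BHOs, one Run key and the Java Quick Starter service). The script below is an added example, not part of HijackThis or of any post in this thread; it embeds trimmed copies of the two logs posted above, and the function names are the editor's own.

```python
"""Compare two HijackThis logs and report which persistence points changed.

Added example for this thread, not part of HijackThis or of any post in it.
The two excerpts below are trimmed copies of the 11/10/2008 and 11/13/2008
logs posted above; the parsing code and the function names are the editor's.
"""
import re

# HijackThis prefixes each persistence entry with a section code, e.g.
#   O2 Browser Helper Objects   O4 Run keys / Startup folder   O23 services
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")

# Directories a limited user can write to; an autostart entry pointing
# here deserves a second look on an XP box.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\")


def parse_hjt(text):
    """Return ({section: set(entry bodies)}, set(running processes, lowercased))."""
    entries, processes, in_procs = {}, set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # a blank line closes the process block
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.add(line.lower())
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.setdefault(m["section"], set()).add(m["body"])
    return entries, processes


def diff_hjt(old_text, new_text):
    """Entries and processes present in new_text but not old_text, and vice versa."""
    old, old_procs = parse_hjt(old_text)
    new, new_procs = parse_hjt(new_text)
    sections = set(old) | set(new)
    added = [f"{s} - {b}" for s in sections for b in new.get(s, set()) - old.get(s, set())]
    removed = [f"{s} - {b}" for s in sections for b in old.get(s, set()) - new.get(s, set())]
    return {"added": sorted(added), "removed": sorted(removed),
            "new_processes": sorted(new_procs - old_procs)}


def user_writable_entries(text):
    """Entries whose command line points into a user-writable directory."""
    entries, _ = parse_hjt(text)
    return sorted(f"{s} - {b}" for s, bodies in entries.items() for b in bodies
                  if any(d in b.lower() for d in USER_WRITABLE))


HJT_2008_11_10 = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:38:01 PM, on 11/10/2008

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

HJT_2008_11_13 = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:36 PM, on 11/13/2008

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

if __name__ == "__main__":
    for label, lines in diff_hjt(HJT_2008_11_10, HJT_2008_11_13).items():
        print(label, *("  " + l for l in lines), sep="\n")
```

Run as-is it prints the five added Java entries and the two new Java processes; to use it on a real machine, read two saved logs into strings and pass them to `diff_hjt`. An entry in the "added" list that nobody installed on purpose is the one to look up, and `user_writable_entries` lists autostarts launched from directories a limited user can write to, which on XP is where unwanted software usually lands.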



## Cookiegal (Aug 27, 2003)

I meant you shouldn't need a plugin to run the scan as long as you have Java installed.

Open HijackThis and click on "Config" and then on the "Misc Tools" button. If you're viewing HijackThis from the Main Menu then click on "Open the Misc Tools Section". Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.


----------



## techmoron (Apr 27, 2007)

Since I didn't have Java installed on my computer, and Kaspersky wouldn't run without it, I thought downloading the plug-in might help.
I will uninstall it after we are done with the virus clean-up.



I couldn't find the "Config" button on HijackThis; I could directly access "Misc Tools".

Here's the list

Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player Plugin
Adobe Photoshop 7.0
Adobe Reader 9
Ask Toolbar
avast! Antivirus
HijackThis 2.0.2
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 10
Malwarebytes' Anti-Malware
Microsoft Office Professional Edition 2003
Mozilla Firefox (3.0.4)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
Nero 6
PowerDVD
Realtek AC'97 Audio


----------



## Cookiegal (Aug 27, 2003)

Sorry for the confusion. I was under the impression you had an older version of Java already installed on the machine.

That looks like an incomplete uninstall list. Please post the entire list.


----------



## techmoron (Apr 27, 2007)

> Sorry for the confusion


No problem.



> That looks like an incomplete uninstall list. Please post the entire list


It is the complete list, I double checked again. My Control Panel / Add and Remove also shows the same stuff except MSXML 4.0 SP2 and SOAP Toolkit 3.0.


----------



## Cookiegal (Aug 27, 2003)

So you have absolutely no Microsoft critical updates installed on this computer? 

Because they would show in the list.


----------



## techmoron (Apr 27, 2007)

If that is something I can download from the Microsoft website, like the way I downloaded Windows reconsole, I will get that.
BTW, my computer still boots as Windows reconsole, is that okay?
And is the virus completely gone from my computer?


----------



## Cookiegal (Aug 27, 2003)

Click on *Tools* - *Windows Updates* and follow the prompts for Microsoft to verify what updates you need for your computer. You will have to allow the ActiveX control to download. Once you've gotten all the updates, reboot the machine and then post a new HijackThis uninstall list please.


----------



## techmoron (Apr 27, 2007)

Oh, you mean Windows Automatic Updates? I think after formatting I forgot to turn on Automatic Updates. It's on now.

Here's the new list:

Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player Plugin
Adobe Photoshop 7.0
Adobe Reader 9
Ask Toolbar
avast! Antivirus
HijackThis 2.0.2
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 10
Malwarebytes' Anti-Malware
Microsoft Office Professional Edition 2003
Mozilla Firefox (3.0.4)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
Nero 6
PowerDVD
Realtek AC'97 Audio
Update for Windows XP (KB898461)


----------



## Cookiegal (Aug 27, 2003)

You need to get all the critical updates. There should be a long list of them in the uninstall list and I see only one there.


----------



## techmoron (Apr 27, 2007)

I asked this before, but I think you missed it.
My computer still boots as Windows reconsole, is that okay? I am worried that, IF reconsole is a temporary thing, then after a few days reconsole will not run and my computer may not boot at all.

As for the Windows updates, can you please write what they are? I will download them from the Microsoft website.
Along with that, if you can also suggest other security tools (anti-virus, spyware and stuff), I will download them. I've read the sticky here, but the choices are too many and confusing for a novice like me.
I had Norton AntiVirus and Symantec; I didn't renew them, because there are many free security tools available online.


----------



## Cookiegal (Aug 27, 2003)

I can't list all the updates you need. There are way too many. When you click on Tools - Windows Updates, does it not tell you which ones you need?

I'm not sure what you mean by booting as windows reconsole. Do you mean you're seeing the Recovery Console as an option when booting? This just means that you have to select your operating system rather than the RC when booting. It's not meant to be temporary and it can help you recover your system in the event of a crash.


----------



## techmoron (Apr 27, 2007)

> When you click on Tools - Windows Updates, does it not tell you which ones you need?


That is the only update i got.



> I'm not sure what you mean by booting as windows reconsole. Do you mean you're seeing the Recovery Console as an option when booting? This just means that you have to select your operating system rather than the RC when booting. It's not meant to be temporary and it can help you recover your system in the event of a crash.


I don't know if it's booting as RC or if it's an option. While booting it shows both
Windows Recovery Console and Windows XP Professional.
I assumed it was booting as Recovery Console since it shows up and is listed above XP while booting.
In case it's not booting as XP, how can I get it to boot as XP?


----------



## Cookiegal (Aug 27, 2003)

You have to select the XP operating system when booting. The RC only shows up to give you the option of booting to the RC if you're in trouble and need to recover the machine. You should not boot to the RC.

When you click on the Windows Updates, does it do a scan to see what updates are needed for your machine?


----------



## techmoron (Apr 27, 2007)

> When you click on the Windows Updates, does it do a scan to see what updates are needed for your machine?


Yes, it did a scan the first time.
Now, it doesn't. Automatic Updates is also turned on.
Is something wrong?


----------



## Cookiegal (Aug 27, 2003)

Something is wrong somewhere indeed.

Please run HijackThis again and post a new uninstall list.


----------



## techmoron (Apr 27, 2007)

Sorry, it took me a while to reply.

I was worried so i did a mbam scan and kaspersky scan.

Kaspersky log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, November 28, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, November 28, 2008 09:06:01
Records in database: 1423069
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 34454
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 00:50:37

File name / Threat name / Threats count
C:\System Volume Information\_restore{C9FC6BF1-0CB3-4DE4-B587-7A827B03869F}\RP35\A0028666.DLL	Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.dw	1
C:\Qoobox\Quarantine\C\Program Files\AskSBar\bar\1.bin\A2PLUGIN.DLL.vir	Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.dw	1

The selected area was scanned.

New HJT LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:24:48 PM, on 11/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [SoundMan] "C:\WINDOWS\SOUNDMAN.EXE"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\WINDOWS\system32\NeroCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1226987101562
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4090 bytes

Uninstall list:
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player Plugin
Adobe Photoshop 7.0
Adobe Reader 9
Ask Toolbar
avast! Antivirus
HijackThis 2.0.2
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 10
Malwarebytes' Anti-Malware
Microsoft Office Professional Edition 2003
Mozilla Firefox (3.0.4)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
Nero 6
PowerDVD
Realtek AC'97 Audio
Update for Windows XP (KB898461)


----------



## Cookiegal (Aug 27, 2003)

Download *OTScanIt.exe *to your Desktop and double-click on it to extract the files. It will create a folder named *OTScanIt* on your desktop.

Close any open browsers.
Disconnect from the Internet.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of OTScanIt.
Open the *OTScanIt* folder and double-click on OTScanIt.exe to start the program.
Check the box that says *Scan All Users*
Under Drivers select the radio button for *All*
Under Rootkit Search select the radio button for *Yes*
Check the radio buttons for Files/Folders Created Within *30 Days* and Files/Folders Modified Within *30 Days*. These are the defaults so don't make any changes.
Under Additional Scans check the following:
Reg - BotCheck
Reg - Disabled MS Config Items
Reg - Security Settings
Reg - Software Policy Settings
Reg - Uninstall List
Evnt - EventViewer Logs (last 10 errors)

Now click the *Run Scan* button on the toolbar.
The program may be scanning large amounts of data so depending on the scans requested and your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it automatically.
Save that Notepad file. Click the *Format* menu and make sure that *Word wrap* is not checked. If it is then click on it to uncheck it.
Use the *Reply* button and upload the Notepad file here as an attachment please.


----------



## techmoron (Apr 27, 2007)

Actually, I downloaded the OTScanIt and extracted it following the instructions. But in the folder OTScanIt, I couldn't find the OTScanIt.exe file. There were 2 things in the folder, something called catchme, and the other a green icon called OTScanIt (it was not OTScanIt.exe).
I double-clicked on the OTScanIt and followed the rest of the instructions.
The total scan time was only about a few seconds.

So, I think I messed it up:
one, because I couldn't find the .exe file;
two, because it took only a few seconds to scan.

Please tell me if I need to redo this.


----------



## Cookiegal (Aug 27, 2003)

Start *OTScanIt*. Copy/Paste the information in the code box below into the pane where it says *"Paste fix here"* and then click the "Run Fix" button.

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log please.


```
[Kill Explorer]
[Files/Folders - Created Within 30 days]
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files/Folders - Modified Within 30 days]
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```


----------



## techmoron (Apr 27, 2007)

I clicked Run Fix, and then it asked to reboot my system, and it gave me a log after reboot.
I copied that log. Here it is:
Explorer killed successfully
[Files/Folders - Created Within 30 days]
[Files/Folders - Modified Within 30 days]
[Empty Temp Folders]
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_4e0.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_ec.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.19.0 fix logfile created on 12042008_153928

Files moved on Reboot...
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
File C:\WINDOWS\temp\_avast4_\Webshlock.txt not found!
File C:\WINDOWS\temp\Perflib_Perfdata_4e0.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_ec.dat not found!

PS: I need to know if the files that were moved were all temporary internet files or other important files that I might need ...
and where have they been moved?

New HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:45:26 PM, on 12/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [SoundMan] "C:\WINDOWS\SOUNDMAN.EXE"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\WINDOWS\system32\NeroCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1226987101562
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4056 bytes


----------



## Cookiegal (Aug 27, 2003)

They were all temporary files and you shouldn't need them. Nothing of any worth should be saved to temp files.

How are things with the system now?


----------



## techmoron (Apr 27, 2007)

Cookiegal said:


> How are things with the system now?


Fine! Thanks for all the help.


----------



## techmoron (Apr 27, 2007)

oops!!
I wanted to delete the Java I had downloaded (if you remember, I had told you that I would get rid of the Java once we were done with the virus clean up) but, just before uninstalling Java I thought I should run a final Kaspersky scan, because once Java was uninstalled I cannot run Kaspersky.
So I started the Kaspersky scan. While the Kaspersky scan was updating the database I got a security alert from Windows stating that Windows Firewall was blocking the Java program from connecting to the internet. I should have uninstalled Java immediately, but since I was already on Kaspersky I thought I'll allow it to update and scan for any stuff .. in case my computer got infected. 
Kaspersky showed a clean result. But I'm still worried..

I wasn't sure if I should do a Combo Fix scan or an OTscan again to detect any virus..

I read somewhere that stuff like combo fix and ot scans are updated regularly, and my combo fix was downloaded almost a month back. Impulsively, I uninstalled combo fix and ot scan it, so that I could download the latest versions and run a scan. After uninstalling both, it occurred to me that I should have asked you before doing any such thing. 

I should have waited for your instructions..before I do anything. Sorry! I was really worried. 

Don't worry about how I uninstalled those things. I keep reading other posts; I followed proper instructions to uninstall them.
OTScanIt: I clicked clean up and then did a reboot
For ComboFix I went to Start > Run > combofix /u > OK

No, I haven't downloaded combo fix or otscan it again. Waiting for your instructions..


----------



## techmoron (Apr 27, 2007)

in case you need the hjt

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:04:38 PM, on 12/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [SoundMan] "C:\WINDOWS\SOUNDMAN.EXE"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\WINDOWS\system32\NeroCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1226987101562
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 3507 bytes
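
An added example, not code from the thread or from HijackThis: a small Python script that diffs two HijackThis logs and reports which running processes and O-entries appeared or disappeared, plus entries whose target file is reported missing. The embedded logs are constructed excerpts of the 12/4/2008 and 12/6/2008 logs posted above; the function names are this example's own.

```python
"""Diff two HijackThis logs: which processes and O-entries came or went.

Added example for this thread, not code from HijackThis or the forum.
The two logs below are constructed excerpts of the 12/4/2008 and
12/6/2008 logs posted above; function names are this example's own.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed excerpt of the 12/4/2008 log (Java still installed).
LOG_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:45:26 PM, on 12/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe

O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4056 bytes
"""

# Constructed excerpt of the 12/6/2008 log (after Java was uninstalled).
LOG_AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:04:38 PM, on 12/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

--
End of file - 3507 bytes
"""

# A scan entry starts with its HijackThis section code: R0-R3, O1-O24.
ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - .+$")


def parse_hjt(text: str) -> Tuple[List[str], List[str]]:
    """Split a HijackThis log into its running-process list and its scan entries."""
    processes: List[str] = []
    entries: List[str] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True  # the process block runs until the next blank line
            continue
        if in_processes:
            if line:
                processes.append(line)
            else:
                in_processes = False
            continue
        if ENTRY_RE.match(line):
            entries.append(line)
    return processes, entries


def diff_hjt(before: str, after: str) -> Dict[str, List[str]]:
    """Report what changed between two logs, plus entries pointing at missing files."""
    p0, e0 = parse_hjt(before)
    p1, e1 = parse_hjt(after)
    return {
        "processes_gone": sorted(set(p0) - set(p1)),
        "processes_new": sorted(set(p1) - set(p0)),
        "entries_removed": sorted(set(e0) - set(e1)),
        "entries_added": sorted(set(e1) - set(e0)),
        # An autostart entry whose target no longer exists: usually a leftover
        # from an uninstall, but worth listing so the helper can judge it.
        "orphans": sorted(e for e in e1 if "(file missing)" in e),
    }


def count_by_section(entries: List[str]) -> Dict[str, int]:
    """Tally entries by section code, e.g. {'O2': 2, 'O4': 1}."""
    return dict(Counter(e.split(" - ", 1)[0] for e in entries))


if __name__ == "__main__":
    report = diff_hjt(LOG_BEFORE, LOG_AFTER)
    for key, lines in report.items():
        print(f"{key} ({len(lines)}):")
        for line in lines:
            print("   ", line)
    print("removed by section:", count_by_section(report["entries_removed"]))
```

On the excerpts above the diff shows exactly what the thread describes: the Java updater and Quick Starter processes and their O2/O4/O23 entries are gone, and one O2 BHO entry is left pointing at a file that no longer exists.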


----------



## Cookiegal (Aug 27, 2003)

I don't know why you want to uninstall Java as it's handy to have. It was likely just Java updating itself.

Please do a new scan with the newer version of ComboFix you downloaded and post the log.


----------



## techmoron (Apr 27, 2007)

I panicked when I saw the security alert. Also, the Java I had was an old version. I downloaded that as a plug in while running Kaspersky the first time on my system. I couldn't install the latest version of Java you had suggested; it couldn't be installed on my machine.

I haven't downloaded the new combo fix yet.
If you think the alert was nothing to worry about, I will not do the combo fix scan.
What do you suggest?


----------



## Cookiegal (Aug 27, 2003)

Well it is a bit odd because Windows Firewall doesn't block outgoing connections, only incoming.

Can you post a new HijackThis uninstall list for me please?


----------



## techmoron (Apr 27, 2007)

Here it is

Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player Plugin
Adobe Photoshop 7.0
Adobe Reader 9
Ask Toolbar
avast! Antivirus
HijackThis 2.0.2
Intel(R) Graphics Media Accelerator Driver
Microsoft Office Professional Edition 2003
Mozilla Firefox (3.0.4)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
Nero 6
PowerDVD
Realtek AC'97 Audio
Update for Windows XP (KB898461)


----------



## techmoron (Apr 27, 2007)

If you think I need to do a combo fix scan, please let me know.
I think I already have the recovery console from my previous combo fix download. While downloading and running the combo fix this time, do I have to just skip the steps that ask to download and install the recovery console?


----------



## Cookiegal (Aug 27, 2003)

Yes, you're right. You don't have to install the recovery console again once it's installed.

Please run a new ComboFix scan.


----------



## techmoron (Apr 27, 2007)

I did the scan. Hope everything is alright.

I ran the scan soon after downloading it; the log was saved somewhere on my computer..I couldn't find it. Normally, I just copy paste the log on a notepad.
I redid the scan, and this time I copy pasted it on a notepad.

Here's the log:

ComboFix 08-12-06.03 - abc 2008-12-07 2:59:28.6 - *FAT32*x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.14 [GMT 5.5:30]
Running from: c:\documents and settings\abc\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-05 23:49 . 2008-12-05 23:49 d--------	C:\Combo-Fix.exe
2008-12-05 22:32 . 2008-12-05 22:32 d--hs----	C:\FOUND.006
2008-12-03 20:38 . 2008-12-03 20:38 d--hs----	C:\FOUND.005
2008-12-03 20:00 . 2008-12-03 20:00 d--hs----	C:\FOUND.004
2008-11-21 12:29 . 2008-11-21 12:29 d--hs----	C:\FOUND.003
2008-11-19 13:45 . 2008-11-19 13:45 d--------	c:\windows\system32\CatRoot_bak
2008-11-19 10:56 . 2008-10-16 14:07	23,576	--a------	c:\windows\system32\wuapi.dll.mui
2008-11-18 11:29 . 2008-11-18 11:29 d--h-----	c:\windows\$hf_mig$
2008-11-18 11:29 . 2005-02-25 09:05	22,752	--a------	c:\windows\system32\spupdsvc.exe
2008-11-18 11:16 . 2008-10-16 14:09	43,544	--a------	c:\windows\system32\wups2.dll
2008-11-18 11:16 . 2008-10-16 14:09	31,768	--a------	c:\windows\system32\wucltui.dll.mui
2008-11-18 11:16 . 2008-10-16 14:07	23,576	--a------	c:\windows\system32\wuaucpl.cpl.mui
2008-11-18 11:16 . 2008-10-16 14:07	18,456	--a------	c:\windows\system32\wuaueng.dll.mui
2008-11-12 11:28 . 2008-11-12 11:28 d--------	c:\windows\Sun
2008-11-12 11:26 . 2008-11-12 11:26	410,976	--a------	c:\windows\system32\deploytk.dll
2008-11-07 14:01 . 2008-11-07 14:01 d--------	c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-07 14:01 . 2008-11-07 14:01 d--------	c:\documents and settings\abc\Application Data\Malwarebytes
2008-11-06 19:27 . 2008-11-06 19:27 d--hs----	C:\FOUND.002
2008-11-06 02:02 . 2008-11-06 02:02 d--------	c:\documents and settings\All Users\Application Data\TEMP
2008-11-06 00:31 . 2008-11-06 00:31 d--------	c:\documents and settings\All Users\Application Data\PrevxCSI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-05 09:58	---------	d-----w	c:\program files\Alwil Software
2008-11-03 19:42	---------	d-----w	c:\program files\Trend Micro
2008-10-16 08:43	1,809,944	----a-w	c:\windows\system32\wuaueng.dll
2008-10-16 08:43	1,809,944	----a-w	c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 08:42	561,688	----a-w	c:\windows\system32\wuapi.dll
2008-10-16 08:42	561,688	----a-w	c:\windows\system32\dllcache\wuapi.dll
2008-10-16 08:42	323,608	----a-w	c:\windows\system32\wucltui.dll
2008-10-16 08:42	323,608	----a-w	c:\windows\system32\dllcache\wucltui.dll
2008-10-16 08:39	92,696	----a-w	c:\windows\system32\dllcache\cdm.dll
2008-10-16 08:39	92,696	----a-w	c:\windows\system32\cdm.dll
2008-10-16 08:39	51,224	----a-w	c:\windows\system32\wuauclt.exe
2008-10-16 08:39	51,224	----a-w	c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 08:38	34,328	----a-w	c:\windows\system32\wups.dll
2008-10-16 08:38	34,328	----a-w	c:\windows\system32\dllcache\wups.dll
.

((((((((((((((((((((((((((((( [email protected]_ 2.53.01.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-06 21:27:38	16,384	----a-w	c:\windows\Temp\Perflib_Perfdata_4cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"SoundMan"="c:\windows\SOUNDMAN.EXE" [2004-12-01 77824]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-09-11 113664]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-05 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-05 20560]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\abc\Application Data\Mozilla\Firefox\Profiles\tyuzobgt.default\
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 03:00:23
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-07 3:00:48
ComboFix-quarantined-files.txt 2008-12-06 21:30:48
ComboFix2.txt 2008-12-06 21:23:20

Pre-Run: 12,278,857,728 bytes free
Post-Run: 12,289,736,704 bytes free

94


----------



## techmoron (Apr 27, 2007)

The HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:22:47 AM, on 12/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [SoundMan] "C:\WINDOWS\SOUNDMAN.EXE"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\WINDOWS\system32\NeroCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1226987101562
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 3507 bytes


----------



## Cookiegal (Aug 27, 2003)

Look in the following folder and see if you can find the log from the earlier run. I really need to see that one to see if it removed anything.

C:\*qoobox*


----------



## techmoron (Apr 27, 2007)

Ok, I'll post it here. Strangely, there is only one log there although I did two scans.

It was titled combofix2 (if we look at the time in this log, it seems like it's the first log, not sure though..)

ComboFix 08-12-06.03 - abc 2008-12-07 2:52:08.5 - *FAT32*x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.60 [GMT 5.5:30]
Running from: c:\documents and settings\abc\Desktop\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-05 23:49 . 2008-12-05 23:49 d--------	C:\Combo-Fix.exe
2008-12-05 22:32 . 2008-12-05 22:32 d--hs----	C:\FOUND.006
2008-12-03 20:38 . 2008-12-03 20:38 d--hs----	C:\FOUND.005
2008-12-03 20:00 . 2008-12-03 20:00 d--hs----	C:\FOUND.004
2008-11-21 12:29 . 2008-11-21 12:29 d--hs----	C:\FOUND.003
2008-11-19 13:45 . 2008-11-19 13:45 d--------	c:\windows\system32\CatRoot_bak
2008-11-19 10:56 . 2008-10-16 14:07	23,576	--a------	c:\windows\system32\wuapi.dll.mui
2008-11-18 11:29 . 2008-11-18 11:29 d--h-----	c:\windows\$hf_mig$
2008-11-18 11:29 . 2005-02-25 09:05	22,752	--a------	c:\windows\system32\spupdsvc.exe
2008-11-18 11:16 . 2008-10-16 14:09	43,544	--a------	c:\windows\system32\wups2.dll
2008-11-18 11:16 . 2008-10-16 14:09	31,768	--a------	c:\windows\system32\wucltui.dll.mui
2008-11-18 11:16 . 2008-10-16 14:07	23,576	--a------	c:\windows\system32\wuaucpl.cpl.mui
2008-11-18 11:16 . 2008-10-16 14:07	18,456	--a------	c:\windows\system32\wuaueng.dll.mui
2008-11-12 11:28 . 2008-11-12 11:28 d--------	c:\windows\Sun
2008-11-12 11:26 . 2008-11-12 11:26	410,976	--a------	c:\windows\system32\deploytk.dll
2008-11-07 14:01 . 2008-11-07 14:01 d--------	c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-07 14:01 . 2008-11-07 14:01 d--------	c:\documents and settings\abc\Application Data\Malwarebytes
2008-11-06 19:27 . 2008-11-06 19:27 d--hs----	C:\FOUND.002
2008-11-06 02:02 . 2008-11-06 02:02 d--------	c:\documents and settings\All Users\Application Data\TEMP
2008-11-06 00:31 . 2008-11-06 00:31 d--------	c:\documents and settings\All Users\Application Data\PrevxCSI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-05 09:58	---------	d-----w	c:\program files\Alwil Software
2008-11-03 19:42	---------	d-----w	c:\program files\Trend Micro
2008-10-16 08:43	1,809,944	----a-w	c:\windows\system32\wuaueng.dll
2008-10-16 08:43	1,809,944	----a-w	c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 08:42	561,688	----a-w	c:\windows\system32\wuapi.dll
2008-10-16 08:42	561,688	----a-w	c:\windows\system32\dllcache\wuapi.dll
2008-10-16 08:42	323,608	----a-w	c:\windows\system32\wucltui.dll
2008-10-16 08:42	323,608	----a-w	c:\windows\system32\dllcache\wucltui.dll
2008-10-16 08:39	92,696	----a-w	c:\windows\system32\dllcache\cdm.dll
2008-10-16 08:39	92,696	----a-w	c:\windows\system32\cdm.dll
2008-10-16 08:39	51,224	----a-w	c:\windows\system32\wuauclt.exe
2008-10-16 08:39	51,224	----a-w	c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 08:38	34,328	----a-w	c:\windows\system32\wups.dll
2008-10-16 08:38	34,328	----a-w	c:\windows\system32\dllcache\wups.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"SoundMan"="c:\windows\SOUNDMAN.EXE" [2004-12-01 77824]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-09-11 113664]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-05 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-05 20560]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\abc\Application Data\Mozilla\Firefox\Profiles\tyuzobgt.default\
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 02:52:55
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-07 2:53:18
ComboFix-quarantined-files.txt 2008-12-06 21:23:18

Pre-Run: 12,302,483,456 bytes free
Post-Run: 12,294,291,456 bytes free

90

I might as well post another thing I found in the qoobox, just in case you need to see that.

Here's another notepad that's titled combofix-quarantined-files.
Copy pasting from there:
2008-12-07 02:51:22 A------- 116 C:\Qoobox\Quarantine\catchme.log
2008-12-07 02:52:41 A------- 4,842 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-12-07 02:53:01 A------- 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-12-07 02:53:01 A------- 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-12-07 02:53:01 A------- 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat

I really hope everything is ok. Has the combofix removed something it should not?
It's over a month; can't believe I haven't gotten rid of that virus. Or did a new virus get into my system recently?


----------



## Cookiegal (Aug 27, 2003)

It's hard to say as I don't really know where the warning came from or what it said exactly but ComboFix doesn't show anything and it hasn't deleted anything.

Let's try this again.

Download *OTScanIt.exe* to your Desktop and double-click on it to extract the files. It will create a folder named *OTScanIt* on your desktop.

Close any open browsers.
Disconnect from the Internet.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of OTScanIt.
Open the *OTScanIt* folder and double-click on OTScanIt.exe to start the program.
Check the box that says *Scan All Users*
Under Drivers select the radio button for *All*
Under Rootkit Search select the radio button for *Yes*
Check the Radio buttons for Files/Folders Created Within *30 Days* and Files/Folders Modified Within *30 Days*. These are the defaults so don't make any changes.
Under Additional Scans check the following:
Reg - BotCheck
Reg - Disabled MS Config Items
Reg - Mountpoints2
Reg - Security Settings
Reg - Software Policy Settings
Reg - Uninstall List
Evnt - EventViewer Logs (last 10 errors)

Now click the *Run Scan* button on the toolbar.
The program may be scanning large amounts of data so depending on the scans requested and your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it automatically.
Save that Notepad file. Click the *Format* menu and make sure that *Word wrap* is not checked. If it is then click on it to uncheck it.
Use the *Reply* button and upload the Notepad file here as an attachment please.


----------



## techmoron (Apr 27, 2007)

The OTScanIt report is attached

I also did an HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:18 AM, on 12/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [SoundMan] "C:\WINDOWS\SOUNDMAN.EXE"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\WINDOWS\system32\NeroCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1226987101562
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 3508 bytes

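As an added example (not from this thread or from any tool it mentions), a small Python triage script that parses HijackThis-format lines such as the log above and flags the entries a helper would look at first: dangling "(file missing)" registrations, autoruns that run from a Temp folder or outside the usual Windows and Program Files locations, and O4 entries with unquoted paths containing spaces. The sample log is a constructed subset of the posted log; its last O4 line is made up to exercise the rules and is not from the posted log.

```python
import re

# Constructed sample: a subset of the HijackThis log posted above, plus one
# made-up HKCU autorun line (not from the page) to exercise the Temp-folder rule.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] "C:\WINDOWS\SOUNDMAN.EXE"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Owner\Local Settings\Temp\updater.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d+) - (.*)$")
# A Windows path ending in an executable/library extension, quoted or not.
PATH_RE = re.compile(r"([A-Za-z]:\\[^\"\r\n]*?\.(?:exe|dll|scr|cpl))", re.IGNORECASE)
# Directories where startup items normally live on XP; anything else deserves a look.
EXPECTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_hjt(text):
    """Split a HijackThis log into entries: (section, body, path-or-None)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header lines, 'Running processes:' block, blanks
        section, body = m.groups()
        pm = PATH_RE.search(body)
        entries.append((section, body, pm.group(1) if pm else None))
    return entries


def triage(text):
    """Return [(section, body, [reasons])] for entries a reviewer should inspect."""
    findings = []
    for section, body, path in parse_hjt(text):
        reasons = []
        if "(file missing)" in body:
            reasons.append("file missing")  # dangling registration, usually a leftover
        if path:
            low = path.lower()
            if not low.startswith(EXPECTED_DIRS):
                reasons.append("outside Windows/Program Files")
            if "\\temp\\" in low:
                reasons.append("runs from a Temp folder")
            if " " in path and f'"{path}"' not in body and section == "O4":
                reasons.append("unquoted path containing spaces")
        if reasons:
            findings.append((section, body, reasons))
    return findings


if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(f"{section}: {body}\n    -> {', '.join(reasons)}")
```

Run against the posted log, only the Java BHO with the missing file would be reported, which matches the "nothing there" reading of the log.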

----------



## Cookiegal (Aug 27, 2003)

I don't see anything there. Are you having any problems?


----------



## techmoron (Apr 27, 2007)

Cookiegal said:


> I don't see anything there. Are you having any problems?


No


----------



## Cookiegal (Aug 27, 2003)

Here are some final instructions for you.

*Follow these steps to uninstall Combofix and all of its files and components.*

Click *START* then *RUN*
Now type *Combo-Fix /u* in the Run box and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

Delete Temporary Files:

Go to *Start* - *Run* and type in *cleanmgr* and click OK.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.


----------

