#1
Autorun.exe autorun.inf attack on drive double click
Hi
A few days back I plugged a colleague's USB drive into my laptop, and after that I noticed autorun.exe and autorun.inf in a few of my folders and I was not able to double-click to open a drive. I was able to right-click and EXPLORE the drive. I ran Kaspersky with a full scan. After the scan, now I am not able to either double-click or right-click and Explore it. When I double-click, it opens the programme manager that is opened when no programme is attached to a file as the default programme to edit the file. Also I saw desktop.ini in a few folders, not all. And my Kaspersky is sleeping; it does nothing to report them even when I scanned such folders with it. Is there any method to recover my laptop from this mess and make the drive open with a double-click like before, or is yet another new Windows installation required? Thank you
#2
Welcome back
Download Flash_Disinfector.exe by sUBs from HERE and save it to your desktop.
* Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
* The utility may ask you to insert your flash drive and/or other removable drives, including your mobile phone. Please do so and allow the utility to clean up those drives as well.
* Wait until it has finished scanning and then exit the program.
* Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder... it will help protect your drives from future infection.
Be sure your external devices are plugged in for the duration of our repairs.
Please download ComboFix by sUBs from HERE or HERE directly to your Desktop.
Note: If you already have ComboFix on your machine, please DELETE it from your desktop before downloading the newest version.
Make sure any antivirus or protective software is disabled. Here is a tutorial for most programs: http://www.bleepingcomputer.com/forums/topic114351.html
Go to Start -> Run -> copy/paste the following single line command in the run box & click OK:
"%userprofile%\desktop\combofix.exe" /killall
* ComboFix will automatically start. Any monitoring programs will be shut down, like your antivirus and antispyware programs, for example.
* ComboFix may restart your computer; this is normal.
* When finished, it will produce a log, ComboFix.txt.
* Please post ComboFix.txt in your next reply along with a new HijackThis log.
Notes: When starting, ComboFix will cause your computer's internal speakers to produce two beeps, and during the start process display two warnings. These are intended to discourage people who are not getting help in the forum from just experimenting with tools they do not understand. Just to inform you so you will understand that the procedures are expected, and okay.
ComboFix will also disable any screensaver settings made, so know that at some point when we complete repairs you will need to reset your screensaver.
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Post this log in your next reply together with a HijackThis log.
Download HijackThis Here. Click "Scan", then click "Save Log".
#3
Here is the ComboFix log:
Code:
ComboFix 08-08-17.03 - haroon 2008-08-18 13:00:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.64 [GMT 5:00]
Running from: C:\Documents and Settings\haroon\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
C:\Documents and Settings\haroon\Application Data\macromedia\Flash Player\#SharedObjects\CSTQ3EN9\interclick.com
C:\Documents and Settings\haroon\Application Data\macromedia\Flash Player\#SharedObjects\CSTQ3EN9\interclick.com\ud.sol
C:\Documents and Settings\haroon\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\haroon\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Program Files\XPCode\Games.lnk
C:\WINDOWS\system32\Cache
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
.
2008-08-14 16:37 . 2008-08-14 16:37 <DIR> d--h----- C:\WINDOWS\PIF
2008-08-14 15:38 . 2008-08-18 13:05 2,024,992 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-14 15:38 . 2008-08-18 13:05 237,600 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-08-14 15:38 . 2008-08-14 16:25 96,976 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-08-14 15:38 . 2008-08-14 16:25 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-08-14 15:38 . 2008-08-18 13:05 17,948 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-14 15:38 . 2008-08-18 13:05 2,940 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-08-14 15:37 . 2008-08-14 15:37 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-08-14 15:37 . 2008-08-18 13:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-14 15:28 . 2008-08-14 15:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-08-14 14:51 . 2008-08-14 15:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-08-12 23:53 . 2008-08-12 23:53 1,411 --a------ C:\WINDOWS\system32\Setup.lnk
2008-08-11 23:13 . 2008-08-18 13:00 <DIR> d-------- C:\Program Files\XPCode
2008-07-28 23:19 . 2008-07-28 23:19 <DIR> d-------- C:\Documents and Settings\haroon\Application Data\Nokia Multimedia Player
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-16 15:57 --------- d-----w C:\Program Files\FlashGet
2008-08-14 11:35 --------- d-----w C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-08-14 10:35 --------- d-----w C:\Program Files\Trend Micro
2008-08-13 16:46 --------- d-----w C:\Documents and Settings\haroon\Application Data\Skype
2008-08-13 15:07 --------- d-----w C:\Documents and Settings\haroon\Application Data\skypePM
2008-08-09 04:53 --------- d-----w C:\Program Files\Trillian
2008-07-17 06:26 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-17 06:25 --------- d-----w C:\Documents and Settings\haroon\Application Data\Thinstall
2008-06-26 11:37 --------- d-----w C:\Documents and Settings\haroon\Application Data\SonicWALL
2008-06-26 11:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-26 11:31 --------- d-----w C:\Program Files\SonicWALL
2008-06-26 11:31 --------- d-----w C:\Program Files\Common Files\Deterministic Networks
2008-06-26 11:30 --------- d-----w C:\Documents and Settings\haroon\Application Data\InstallShield
2008-06-18 03:53 --------- d-----w C:\Documents and Settings\haroon\Application Data\CoreFTP
2008-04-27 19:03 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-31 05:43 4670704]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 13:06 1667584]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-04-16 12:53 1079808]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DSLSTATEXE"="C:\Program Files\Conexant\Adsl\dslstat.exe" [2005-08-25 14:59 344064]
"DSLAGENTEXE"="C:\Program Files\Conexant\Adsl\dslagent.exe" [2005-08-25 14:47 65536]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-04-25 18:21 201992]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-12 10:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-05-26 09:00 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-05-22 23:17 289088 C:\Program Files\DNA\btdna.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 23:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
--a------ 2008-03-26 18:41 1232896 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2008-04-16 12:53 1079808 C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--a------ 2004-09-24 00:41 860160 C:\Program Files\Analog Devices\SoundMAX\SMax4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 21:11 1388544 C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 16:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-31 05:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"ServiceLayer"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R1 RCFOX;SonicWALL IPsec Driver;C:\WINDOWS\system32\Drivers\RCFOX.sys [2007-09-27 15:49]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]
S3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys [2005-11-08 09:58]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b42c6626-4bfb-11dd-9a15-00061bd85014}]
\shell\explore\Command - F:\boot.exe
\shell\open\Command - F:\boot.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-DW6 - C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
MSConfigStartUp-UfSeAgnt - C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\haroon\Application Data\Mozilla\Firefox\Profiles\lb0ibaw5.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.gmail.com
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 13:06:45
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-08-18 13:10:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-18 08:10:27
Pre-Run: 2,233,094,144 bytes free
Post-Run: 2,786,394,112 bytes free
159
And here is the HijackThis log:
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:19, on 2008-08-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Conexant\Adsl\dslstat.exe
C:\Program Files\Conexant\Adsl\dslagent.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Conexant\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Conexant\Adsl\dslagent.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{1494C1B0-D3AA-4B50-BAB1-6865ED1F31F6}: NameServer = 202.165.244.2 202.125.155.27
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0998FFC-B957-4F5C-9460-A702EF122095}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1494C1B0-D3AA-4B50-BAB1-6865ED1F31F6}: NameServer = 202.165.244.2 202.125.155.27
O17 - HKLM\System\CS2\Services\Tcpip\..\{1494C1B0-D3AA-4B50-BAB1-6865ED1F31F6}: NameServer = 202.165.244.2 202.125.155.27
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 6015 bytes
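The lines in the ComboFix log above under `...\explorer\mountpoints2\{b42c6626-...}` show the drive's `open` and `explore` shell verbs both pointing at `F:\boot.exe`. Those verbs are what Explorer runs on a double-click and on right-click > Explore, so once the executable is gone Explorer has nothing to run and falls through to the "Open With" dialog, which is consistent with the symptom in the first post. The Python below is an added example, not code from this thread, ComboFix, Flash_Disinfector or Kaspersky: it parses such log text offline (nothing touches the registry), flags the hijacked verbs, reads an autorun.inf to show which keys produce them, and reports whether a drive root carries the protective autorun.inf folder that post #2 describes. The function names, the second GUID, `E:\setup.exe` and both sample texts are my own constructions.

```python
"""Spot autorun.inf drive hijacks in a ComboFix log and in an autorun.inf file.

Added example for this thread: it is not ComboFix, Flash_Disinfector or
Kaspersky code, and it runs offline on pasted text (nothing touches the
registry). Function names and both samples below are mine.
"""
import os
import re
from configparser import ConfigParser

# Verbs under ...\explorer\mountpoints2\{GUID}\shell that replace Explorer's
# own drive actions: 'open' is the double-click, 'explore' is right-click > Explore.
HIJACK_VERBS = {"open", "explore"}
EXEC_EXT = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js)\b", re.I)

SECTION_RE = re.compile(r"^\[.*\\explorer\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
VERB_RE = re.compile(r"^\\shell\\([^\\]+)\\command\s*-\s*(.+)$", re.I)


def parse_mountpoints(log_text):
    """Collect {guid, verb, command} from the 'Reg Loading Points' part of a log."""
    findings, guid = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            guid = m.group(1).lower()
            continue
        if line.startswith("["):          # any other registry key ends the section
            guid = None
            continue
        m = VERB_RE.match(line)
        if m and guid:
            findings.append({"guid": guid, "verb": m.group(1).lower(),
                             "command": m.group(2).strip()})
    return findings


def hijacked_verbs(findings):
    """Keep only the verbs that turn a drive's default action into a program launch."""
    return [f for f in findings
            if f["verb"] in HIJACK_VERBS and EXEC_EXT.search(f["command"])]


def autorun_actions(inf_text):
    """Return {key: value} for the [autorun] keys that launch something.

    open= and shellexecute= fire on AutoPlay; shell\\<verb>\\command= entries are
    what Explorer copies into MountPoints2 when the drive is plugged in.
    """
    cp = ConfigParser(strict=False, interpolation=None)   # tolerate duplicate keys
    cp.read_string(inf_text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    actions = {}
    for key, value in cp.items(section):                  # keys are lower-cased
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            actions[key] = value.strip()
    return actions


def autorun_inf_state(drive_root):
    """'folder' (the Flash_Disinfector-style placeholder), 'file', or 'absent'."""
    path = os.path.join(drive_root, "autorun.inf")
    if os.path.isdir(path):
        return "folder"
    if os.path.isfile(path):
        return "file"
    return "absent"


# Constructed sample: the MountPoints2 lines mirror the ones in the thread's log;
# the second GUID and E:\setup.exe are made up.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b42c6626-4bfb-11dd-9a15-00061bd85014}]
\shell\explore\Command - F:\boot.exe
\shell\open\Command - F:\boot.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11111111-2222-3333-4444-555555555555}]
\shell\AutoRun\Command - E:\setup.exe
"""

# Constructed autorun.inf in the style of the autorun droppers this thread is about.
SAMPLE_INF = """[AutoRun]
open=boot.exe
shellexecute=boot.exe
shell\\open\\command=boot.exe
shell\\explore\\command=boot.exe
icon=boot.exe,0
"""

if __name__ == "__main__":
    for f in hijacked_verbs(parse_mountpoints(SAMPLE_LOG)):
        print(f"hijacked verb {f['verb']!r} on {f['guid']}: {f['command']}")
    print("autorun.inf actions:", autorun_actions(SAMPLE_INF))
    print("autorun.inf state in cwd:", autorun_inf_state(os.getcwd()))
```

Run it as a script to see the two hijacked verbs from the sample log; the `autorun` verb on the second GUID is reported by `parse_mountpoints` but not by `hijacked_verbs`, since it is the cached AutoPlay action rather than a replacement of the double-click. An `autorun_inf_state` of `"folder"` on a drive root is the state Flash_Disinfector leaves behind; `"file"` on a drive that should not have one is what to investigate.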
#4
* Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the Quote box below:
Quote:
* Save this as CFScript.txt and place it on your desktop.
* Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
* ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
* When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply, with a new HJT log. DO NOT use the code function; it makes it hard to read.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions, as they could damage the workings of your system.
#5
ComboFix Log
ComboFix 08-08-17.03 - haroon 2008-08-18 20:47:51.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.31 [GMT 5:00]
Running from: C:\Documents and Settings\haroon\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\haroon\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\Setup.lnk
F:\boot.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\Setup.lnk
.
((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
.
2008-08-18 08:20 . 2008-08-18 08:20 1,024 --a------ C:\WINDOWS\system32\pdf2html.dat
2008-08-18 08:20 . 2008-08-18 08:21 143 --a------ C:\WINDOWS\PDF2HTML.INI
2008-08-14 16:37 . 2008-08-14 16:37 <DIR> d--h----- C:\WINDOWS\PIF
2008-08-14 15:38 . 2008-08-18 12:09 2,024,992 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-14 15:38 . 2008-08-18 12:09 245,792 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-08-14 15:38 . 2008-08-14 16:25 96,976 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-08-14 15:38 . 2008-08-14 16:25 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-08-14 15:38 . 2008-08-18 12:09 17,948 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-14 15:38 . 2008-08-18 12:09 2,968 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-08-14 15:37 . 2008-08-14 15:37 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-08-14 15:37 . 2008-08-18 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-14 15:28 . 2008-08-14 15:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-08-14 14:51 . 2008-08-14 15:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-08-11 23:13 . 2008-08-18 13:00 <DIR> d-------- C:\Program Files\XPCode
2008-07-28 23:19 . 2008-07-28 23:19 <DIR> d-------- C:\Documents and Settings\haroon\Application Data\Nokia Multimedia Player
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-16 15:57 --------- d-----w C:\Program Files\FlashGet
2008-08-14 11:35 --------- d-----w C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-08-14 10:35 --------- d-----w C:\Program Files\Trend Micro
2008-08-13 16:46 --------- d-----w C:\Documents and Settings\haroon\Application Data\Skype
2008-08-13 15:07 --------- d-----w C:\Documents and Settings\haroon\Application Data\skypePM
2008-08-09 04:53 --------- d-----w C:\Program Files\Trillian
2008-07-17 06:26 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-17 06:25 --------- d-----w C:\Documents and Settings\haroon\Application Data\Thinstall
2008-06-26 11:37 --------- d-----w C:\Documents and Settings\haroon\Application Data\SonicWALL
2008-06-26 11:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-26 11:31 --------- d-----w C:\Program Files\SonicWALL
2008-06-26 11:31 --------- d-----w C:\Program Files\Common Files\Deterministic Networks
2008-06-26 11:30 --------- d-----w C:\Documents and Settings\haroon\Application Data\InstallShield
2008-06-18 03:53 --------- d-----w C:\Documents and Settings\haroon\Application Data\CoreFTP
2008-04-27 19:03 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.
((((((((((((((((((((((((((((( snapshot@2008-08-18_13.09.47.18 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-18 08:06:14 215,120 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-08-18 15:36:31 215,111 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-31 05:43 4670704]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 13:06 1667584]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-04-16 12:53 1079808]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DSLSTATEXE"="C:\Program Files\Conexant\Adsl\dslstat.exe" [2005-08-25 14:59 344064]
"DSLAGENTEXE"="C:\Program Files\Conexant\Adsl\dslagent.exe" [2005-08-25 14:47 65536]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-04-25 18:21 201992]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-12 10:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-05-26 09:00 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-05-22 23:17 289088 C:\Program Files\DNA\btdna.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 23:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
--a------ 2008-03-26 18:41 1232896 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2008-04-16 12:53 1079808 C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--a------ 2004-09-24 00:41 860160 C:\Program Files\Analog Devices\SoundMAX\SMax4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 21:11 1388544 C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 16:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-31 05:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"ServiceLayer"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R1 RCFOX;SonicWALL IPsec Driver;C:\WINDOWS\system32\Drivers\RCFOX.sys [2007-09-27 15:49]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]
S3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys [2005-11-08 09:58]
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 20:52:26
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-08-18 20:55:21
ComboFix-quarantined-files.txt 2008-08-18 15:55:15
ComboFix2.txt 2008-08-18 08:10:41
Pre-Run: 2,229,248,000 bytes free
Post-Run: 2,223,140,864 bytes free
143

HiJackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:02, on 2008-08-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Conexant\Adsl\dslstat.exe
C:\Program Files\Conexant\Adsl\dslagent.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Conexant\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Conexant\Adsl\dslagent.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{1494C1B0-D3AA-4B50-BAB1-6865ED1F31F6}:
NameServer = 202.165.244.2 202.125.155.27 O17 - HKLM\System\CCS\Services\Tcpip\..\{A0998FFC-B957-4F5C-9460-A702EF122095}: NameServer = 192.168.1.1 O17 - HKLM\System\CS1\Services\Tcpip\..\{1494C1B0-D3AA-4B50-BAB1-6865ED1F31F6}: NameServer = 202.165.244.2 202.125.155.27 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- End of file - 5925 bytes |
#6
Open HJT and click scan only, place a check by these entries. DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Close all windows and browsers except HJT and click fix checked.

Next, please follow these steps to remove older version Java components and update.
* Download the latest version of Java Runtime Environment (JRE) 6 Update 7 HERE
* Scroll to Java Runtime Environment (JRE) 6 Update 7 and click on the download button
* Click on the Accept License Agreement button
* Next select Download Now! Windows Offline Installation, Multi-language
* Now close all windows, including your browser.
* Double click on the Java installation that you downloaded and follow the prompts.

NEXT - remove all older versions of Java
* Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.
* Search in the list for all previously installed versions of Java. (J2SE Runtime Environment.... )
* Select it and click Remove.
* Close any programs you may have running - especially your web browser.
* Repeat as many times as necessary to remove each Java version.
* Reboot your computer once all Java components are removed.

How are things running there now??
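A small check for the HJT step above, added here as an editor's example (not HijackThis code and not part of the thread): it parses O2 lines and flags the Browser Helper Object registrations whose DLL is gone, which is exactly the pattern the helper picked out by hand. The sample lines are copied from the HijackThis log posted earlier in the thread.

```python
import re

# Sample input: four lines copied from the HijackThis log posted earlier in
# this thread (two orphaned BHO entries and two entries that point at real
# files), so the check can run offline.
SAMPLE_HJT_LOG = """\
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\\PROGRA~1\\FlashGet\\fgiebar.dll
"""

# HJT writes O2 lines as "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>".
BHO_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)


def parse_bho_entries(log_text):
    """Return one dict (name, clsid, path) per O2 line; other sections are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = BHO_LINE.match(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries


def orphaned_bhos(log_text):
    """CLSIDs registered as Browser Helper Objects whose DLL no longer exists.

    These are the entries the helper asked the poster to tick in HJT: the
    scanner removed the file but left the registration behind. "(no name)"
    on its own is not the signal; the missing file is."""
    return [e["clsid"] for e in parse_bho_entries(log_text)
            if e["path"].strip() == "(no file)"]


if __name__ == "__main__":
    for clsid in orphaned_bhos(SAMPLE_HJT_LOG):
        print("orphaned BHO registration:", clsid)
```

Feed it a whole saved HJT log and it returns only the dead O2 entries; anything that still points at a DLL on disk is left for a human to judge.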
#7
My Windows is back to normal. I never thought I could restore my Windows to normal once it was attacked by viruses. In the past I always used to format the HDD, reinstall it and praise Bill Gates.
I appreciate your continuous support indeed. You are awesome! Thank you!
#8
Quote:
Between Flash disinfector and Combofix turning off autorun you should be able to avoid these flash infections.

* Click Start, then click Run. Enter into the command box that opens: combofix /u and then click OK.

Your logs are clear. If you are not having any issues you are good to go.

If things are okay now you just need to clear the System Restore. To do this, right-click My Computer and select Properties. Click the System Restore tab in the window that appears, and check the box that says "Turn off System Restore on all drives" and click Apply. You will be asked if you are sure, click Yes. This will delete the restore points. Then click OK in the Properties window and reboot your computer. When your desktop appears, right-click My Computer and select Properties once more. Uncheck the "Turn off System Restore..." box and click Apply. OK.

In order to protect yourself against spyware, Trojans etc.:
* Avoid illegal sites, P2P programs, adult sites and poker type sites because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

If you are a MySpace user stay clear of programs used to "pimp" your account and allowing any unknown ActiveX content to run on your computer. If you are not 100% sure, don't allow it.

Also consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here: http://www.mozilla.org/products/firefox/

Please make sure to run your Protective software regularly, and to keep it up-to-date.

If all is well, Safe Surfing.
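Why a double-click on the drive ran the program while right-click > Explore still worked, and what "turning off autorun" means at the registry level, as an added example (editor's code, not from this thread and not from ComboFix or Flash_Disinfector). The autorun.inf below is constructed to reproduce the symptom described in the first post; the parser flags the directives that hand control to a program, and the last function decodes the NoDriveTypeAutoRun policy value that Windows consults before honouring an autorun.inf at all.

```python
# Constructed sample autorun.inf modelled on the behaviour described in this
# thread: the drive's Open verb is redirected to an executable on the stick,
# so double-click runs it while right-click > Explore still works. It is not
# the file from the poster's drive.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=autorun.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell=open
shell\\open=&Open
shell\\open\\Command=autorun.exe
shellexecute=autorun.exe
UseAutoPlay=0
"""

# Bits of HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
# NoDriveTypeAutoRun: a set bit disables AutoRun for that drive type
# (bit n corresponds to the DRIVE_* value n returned by GetDriveType).
DRIVE_TYPE_BITS = {
    "unknown": 0x01, "no_root_dir": 0x02, "removable": 0x04, "fixed": 0x08,
    "remote": 0x10, "cdrom": 0x20, "ramdisk": 0x40, "reserved": 0x80,
}


def parse_autorun_inf(text):
    """Return {key: value} for the [autorun] section, keys lowercased.

    Hand-rolled rather than configparser so that junk or malformed lines
    are skipped instead of aborting the whole parse."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun":
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries[key.strip().lower()] = value.strip()
    return entries


def risky_directives(entries):
    """(key, value, reason) for every directive that runs or redirects to a program."""
    findings = []
    for key, value in entries.items():
        if key in ("open", "shellexecute"):
            findings.append((key, value,
                             "run by AutoRun/AutoPlay when the drive is inserted or opened"))
        elif key == "shell":
            findings.append((key, value,
                             "changes which verb Explorer runs on double-click"))
        elif key.startswith("shell\\") and key.endswith("\\command"):
            verb = key[len("shell\\"):-len("\\command")]
            findings.append((key, value,
                             f"overrides the '{verb}' verb on the drive's context menu"))
    return findings


def hijacked_verbs(entries):
    """Context-menu verbs whose command has been replaced by the autorun.inf."""
    return {key[len("shell\\"):-len("\\command")] for key in entries
            if key.startswith("shell\\") and key.endswith("\\command")}


def autorun_disabled_for(mask, drive_type):
    """True if the NoDriveTypeAutoRun value 'mask' disables AutoRun for drive_type."""
    return bool(mask & DRIVE_TYPE_BITS[drive_type])


if __name__ == "__main__":
    inf = parse_autorun_inf(SAMPLE_AUTORUN_INF)
    for key, value, reason in risky_directives(inf):
        print(f"{key}={value}: {reason}")
    print("hijacked verbs:", sorted(hijacked_verbs(inf)))
    # 0xFF disables AutoRun for every drive type; 0x91 is the value commonly
    # cited as the Windows XP default and leaves removable drives enabled.
    for mask in (0xFF, 0x91):
        print(f"NoDriveTypeAutoRun={mask:#04x}: removable disabled ="
              f" {autorun_disabled_for(mask, 'removable')}")
```

Only the "open" verb is hijacked in the sample, which is why the parser reports one hijacked verb: that matches the original symptom, where Explore from the context menu still opened the drive. Setting NoDriveTypeAutoRun to 0xFF is the registry-level form of "turning off autorun"; a hidden autorun.inf folder on the drive, as Flash_Disinfector creates, is the on-media complement, since a directory by that name stops a malicious file of the same name being written.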
#9
Thanks for the tip. I have noticed one problem though. My laptop time is incorrect now and it has no option to set AM or PM. It is running in 24 hour mode. I checked the Control Panel date and time options but cannot see the AM/PM option anywhere. Even when I double click the time and open it for editing, the AM and PM have disappeared. At the start of ComboFix it showed an alert that my PC time would be changed. Not sure if it has damaged something.
#10
Let's correct the time issue.
Copy and paste the following text in the Quote box below into Notepad. Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fixtime.reg to your desktop. Then double click on the fixtime.reg file on your desktop and agree to merge it into the registry, then reboot...
Quote:
This topic seems to be resolved. If there are any more issues feel free to post. This applies only to the original topic starter. Everyone else please begin a .
Last edited by Porthos : September 7th, 2008 at 02:16 AM.