items infected, should i delete?

aliEnRIK

thats it

Please download COMBOFIX

(If it comes up with a RENAMING error then RIGHT click the exe file and RENAME and call it QWERTY (Making the complete file name 'QWERTY.exe'))


Open notepad and copy/paste the text in RED below

File::
C:\Documents and Settings\tina deacon\.housecall6.6\Quarantine\NewSoftware2007Ins tall[1].cab'.bac_a03900
C:\Documents and Settings\tina deacon\DoctorWeb\Quarantine\A0034928.EXE
C:\Documents and Settings\tina deacon\DoctorWeb\Quarantine\A0034938.DLL
C:\Documents and Settings\tina deacon\DoctorWeb\Quarantine\A0035479.dll

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.




This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

crystal9

hmm just clicked on that link and it started to download etc then came up with naming error so clicked ok and now i cant find it?

sorry just clicked it again and saved this time

aliEnRIK

Usually in DOWNLOADS in your username?

eg C\USERS\TINA DEACON\DOCUMENTS\DOWNLOADS

Put it onto your desktop once youve found it

(Or download it again and look at where its being saved to)

crystal9

ok have saved to desktop the dragged it accross and it started the combofix again but then came up with error naming saying you cant call it ComboFix.exe

ignore this

aliEnRIK

Then RIGHT click the combofix file and rename to 'QWERTY'

crystal9

well think i done it right here is the log it gave me



ComboFix 09-05-03.4 - tina deacon 04/05/2009 15:08.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.488.167 [GMT 1:00]
Running from: c:\documents and settings\tina deacon\Desktop\QWERTY.exe.exe
Command switches used :: c:\documents and settings\tina deacon\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090504-0] *On-access scanning disabled* (Updated)
FW: PC Tools Firewall Plus *enabled*
FILE ::
c:\documents and settings\tina deacon\.housecall6.6\Quarantine\NewSoftware2007Ins tall[1].cab'.bac_a03900
c:\documents and settings\tina deacon\DoctorWeb\Quarantine\A0034928.EXE
c:\documents and settings\tina deacon\DoctorWeb\Quarantine\A0034938.DLL
c:\documents and settings\tina deacon\DoctorWeb\Quarantine\A0035479.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\pack.epk
c:\windows\system32\404Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2009-04-04 to 2009-05-04 )))))))))))))))))))))))))))))))
.
2009-05-03 13:23 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-03 13:23 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-03 13:23 . 2009-05-03 13:23

---

d

---

w c:\program files\Malwarebytes' Anti-Malware
2009-05-01 09:43 . 2009-05-01 09:43

---

d

---

w c:\program files\Common Files\Adobe AIR
2009-04-16 08:40 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 08:40 . 2009-02-06 10:39 35328 -c----w c:\windows\system32\dllcache\sc.exe
2009-04-16 08:40 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 08:39 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 08:39 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 08:39 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 08:39 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 08:39 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 08:39 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 08:39 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 08:38 . 2008-05-03 11:55 2560

---

w c:\windows\system32\xpsp4res.dll
2009-04-16 08:37 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-04 14:05 . 2005-04-25 23:32 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-04 08:36 . 2009-01-30 09:07 330 ---ha-w c:\windows\Tasks\MP Scheduled Scan.job
2009-05-03 11:17 . 2007-05-01 10:02

---

d

---

w c:\program files\Google
2009-05-01 09:42 . 2008-06-04 10:19

---

d

---

w c:\program files\Common Files\Adobe
2009-04-08 08:51 . 2008-02-10 21:57

---

d

---

w c:\program files\Common Files\eMail ID
2009-04-07 19:17 . 2008-12-02 20:18 448 ----a-w c:\windows\Tasks\EasyShare Registration Task.job
2009-04-04 13:03 . 2009-04-04 13:03 266240 ----a-w c:\windows\system32\CSHelper.exe
2009-04-04 13:03 . 2009-04-04 13:03 225280 ----a-w c:\windows\system32\CSInstru.DLL
2009-04-01 15:03 . 2005-04-25 23:48

---

d

---

w c:\program files\Java
2009-03-20 18:44 . 2008-11-06 22:33

---

d

---

w c:\program files\SUPERAntiSpyware
2009-03-18 12:16 . 2008-11-25 22:27

---

d

---

w c:\program files\PC Tools Firewall Plus
2009-03-13 10:51 . 2009-01-29 20:19 130424 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-03-09 04:19 . 2008-11-03 22:40 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2007-05-01 16:34 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2007-05-01 16:34 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-24 21:23 . 2009-01-29 20:19 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-02-24 21:23 . 2009-01-29 20:18 95640 ----a-w c:\windows\system32\drivers\pctplfw.sys
2009-02-20 18:09 . 2007-05-01 16:32 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-14 09:43 . 2007-05-01 14:52 42352 ----a-w c:\documents and settings\tina deacon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-09 12:10 . 2007-05-01 16:33 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2007-05-01 16:34 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2007-05-01 16:33 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2007-05-01 16:30 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2007-05-01 16:34 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 18:02 . 2007-05-01 17:56 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2007-05-01 16:34 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2007-05-01 16:33 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2007-05-01 16:34 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2007-05-01 16:34 56832 ----a-w c:\windows\system32\secur32.dll
2006-06-15 20:33 . 2009-02-14 09:33 233472 ----a-w c:\program files\mozilla firefox\plugins\CrazyTalk4Native.dll
2006-05-25 18:43 . 2009-02-14 09:33 204895 ----a-w c:\program files\mozilla firefox\plugins\ctdomemhelper.dll
2005-09-29 14:41 . 2009-02-14 09:33 77824 ----a-w c:\program files\mozilla firefox\plugins\ctframeplayerobject.dll
2006-06-19 13:10 . 2009-02-14 09:33 426081 ----a-w c:\program files\mozilla firefox\plugins\ctplayerobject.dll
2005-02-02 12:19 . 2009-02-14 09:32 458752 ----a-w c:\program files\mozilla firefox\plugins\imagickrt.dll
2006-04-10 18:35 . 2009-02-14 09:33 139264 ----a-w c:\program files\mozilla firefox\plugins\rlcontentclass.dll
2005-11-09 11:10 . 2009-02-14 09:32 204800 ----a-w c:\program files\mozilla firefox\plugins\RLMusicPacker.dll
2005-11-09 11:42 . 2009-02-14 09:32 106496 ----a-w c:\program files\mozilla firefox\plugins\RLMusicUnpacker.dll
2006-01-04 11:22 . 2009-02-14 09:32 212992 ----a-w c:\program files\mozilla firefox\plugins\RLVoicePacker.dll
2006-01-04 11:21 . 2009-02-14 09:32 167936 ----a-w c:\program files\mozilla firefox\plugins\RLVoiceUnpacker.dll
2008-08-22 14:37 . 2009-02-23 12:58 163840 ----a-w c:\program files\mozilla firefox\components\nsgkff30_meter1.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
"Creative Live! Cam Manager"="c:\program files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [2007-06-07 155648]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-12-03 1205760]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-04-11 160592]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-15 966656]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 53248]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-25 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-25 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-25 114688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"IconixOEAddOn"="c:\program files\eMail ID\OEAddOn\OEdmn_5.exe" [2009-03-10 335632]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2009-02-24 2652056]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"BigD!!!03"="c:\windows\VM303_STI.EXE" [2005-06-23 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2005-05-03 543232]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-09-22 14854144]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Install Pending Files.LNK - c:\program files\SIFXINST\SIFXINST.EXE [2007-5-1 729088]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-5-10 282624]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-12-01 33752]
R3 iadusb;MT882; [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]
R4 PanelSvc;PanelSvc;c:\program files\Valued Opinions\PanelApp\PanelSvc.exe [2007-05-17 77312]
S1 aswSP;avast! Self Protection; [x]
S1 nnrnstdi;nnrnstdi; [x]
S1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2008-12-11 159600]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-09-03 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-09-03 55024]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-04-04 266240]
S2 IconixService;Iconix Update Service;c:\program files\Common Files\eMail ID\IconixService.exe [2009-03-10 279824]
S2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2009-02-24 73840]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 km_filter;km_filter;c:\windows\system32\drivers\km_filter.sys [2008-08-22 8832]
S3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2009-02-24 95640]
.
Contents of the 'Scheduled Tasks' folder
2009-05-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -
Toolbar-SITEguard - (no file)
ShellIconOverlayIdentifiers-{B8A03725-03B9-485F-BB22-E848799D4C2A} - (no file)

.

---

Supplementary Scan

---

.
uStart Page = hxxp://www.sky.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Customize Menu - [URL]file://c:\program[/URL] files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - [URL]file://c:\program[/URL] files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Lookup on Merriam Webster - [URL]file://c:\program[/URL] files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - [URL]file://c:\program[/URL] files\ieSpell\wikipedia.HTM
IE: RoboForm Toolbar - [URL]file://c:\program[/URL] files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - [URL]file://c:\program[/URL] files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
FF - ProfilePath - c:\documents and settings\tina deacon\Application Data\Mozilla\Firefox\Profiles\i1mfh43p.default\
FF - component: c:\documents and settings\tina deacon\Local Settings\Application Data\Valued Opinions\PanelApp\ff\components\FFoxAddinStub.dll
FF - component: c:\program files\Mozilla Firefox\components\nsgkff30_meter1.dll
FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRLCT4Player.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-04 15:15
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BigD!!!03 = c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)????????????????0?????????@??????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.

---

DLLs Loaded Under Running Processes

---

- - - - - - - > 'winlogon.exe'(920)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-05-04 15:18
ComboFix-quarantined-files.txt 2009-05-04 14:18
Pre-Run: 180,577,832,960 bytes free
Post-Run: 181,012,246,528 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
215 --- E O F --- 2009-05-02 09:19

aliEnRIK

Combofix has deleted quite a few things (Oddly not what I posted though which im slightly baffled about)

anyways ~
Run DR WEBS CURE IT
It will auto run a QUICK scan
Once thats completed run a FULL scan

crystal9

aliEnRIK wrote: »

Combofix has deleted quite a few things (Oddly not what I posted though which im slightly baffled about)

anyways ~
Run DR WEBS CURE IT
It will auto run a QUICK scan
Once thats completed run a FULL scan

my pc wont let me download it ive turned my anti virus off to

aliEnRIK

very odd
what softwares stopping it?

reboot and keep pressing F8 until the safe mode screen pops up
Select SAFE MODE WITH NETWORKING
Download and run it from there

crystal9

aliEnRIK wrote: »

very odd
what softwares stopping it?

reboot and keep pressing F8 until the safe mode screen pops up
Select SAFE MODE WITH NETWORKING
Download and run it from there

oh hang on turned anti v back on and now its started. quick scan found nothing so started full scan.
it found them infected file (qwerty) so far so looking good