All kinds of viruses, check hijackthis

This is my problem, too. I can't get it turned off. Tried to delete all running AVG processes in the task manager, but they just come right back by themselves after I deleted them.
Did you also get that message from combofix saying if you don't turn off AVG and run a combo fix scan, it might cause damage to your PC?
 
Yes, I did get that message. Would it really do damage?

I don't know. That message just scared me, so I did not run combofix. Tried to turn off AVG, but since I did not manage to do so, I haven't run combofix yet ...
I'm a noob still, so I have no idea what could happen if I run combofix without turning off AVG. I have heard that it might just be fine, but I don't want to take any risk here.
 
Well I ran combofix without turning off AVG and so far nothing has happened.

I did find out how to turn off AVG. Open up the control panel for AVG and double click on the Resident Shield icon and there is a box that says resident shield active with a checkmark next to it, just uncheck that.
 
Awesome, I will try that!

Thanks a lot! :)
 
No problem. I found that out by googling it. Let me know if it works.

I scanned with Combofix in safe mode and malwarebytes in normal mode. Here are my logs.

Combofix:

ComboFix 09-05-11.08 - Kenneth Graf 05/12/2009 16:58.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.853 [GMT -7:00]
Running from: c:\documents and settings\Kenneth Graf\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-04-12 to 2009-05-12 )))))))))))))))))))))))))))))))
.

2009-05-12 23:20 . 2009-05-12 23:21 -------- d-----w c:\documents and settings\Administrator
2009-05-12 14:52 . 2009-05-12 14:52 -------- d-----w c:\documents and settings\Kenneth Graf\Application Data\Malwarebytes
2009-05-12 14:52 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-12 14:52 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-12 14:51 . 2009-05-12 14:51 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-12 14:51 . 2009-05-12 14:52 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-12 00:26 . 2009-05-12 00:26 -------- d-----w c:\program files\Trend Micro
2009-05-09 15:12 . 2009-03-11 05:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-05-09 15:12 . 2009-03-11 05:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-05-09 15:12 . 2009-05-09 15:12 -------- d-----w c:\windows\system32\KB905474
2009-05-09 05:57 . 2009-05-09 05:57 310784 ----a-w c:\windows\sms.exe
2009-05-09 05:00 . 2009-05-09 05:00 18432 ----a-w c:\documents and settings\file.exe
2009-05-09 02:30 . 2009-05-09 02:30 109 --sha-w c:\windows\system32\2557805163.dat
2009-05-09 02:29 . 2009-05-09 02:29 41984 --sh--r c:\windows\system32\adptifr.exe
2009-05-08 20:23 . 2008-10-16 21:06 208744 ----a-w c:\windows\system32\muweb.dll
2009-05-08 20:23 . 2008-10-16 21:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-04-23 02:22 . 2009-05-08 20:33 -------- d-----w c:\windows\system32\CatRoot_bak
2009-04-22 21:18 . 2009-04-22 21:18 -------- d-s---w c:\documents and settings\Kenneth Graf\UserData
2009-04-22 19:07 . 2009-05-12 19:30 -------- d--h--w C:\$AVG8.VAULT$
2009-04-21 23:07 . 2009-04-21 23:07 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-04-21 21:29 . 2009-04-21 21:29 -------- d-----w C:\PDConduitUpDir
2009-04-21 21:29 . 2009-04-21 21:29 -------- d-----w C:\PDConduitDownDir
2009-04-21 20:19 . 2004-05-21 21:00 7680 ----a-w c:\windows\system32\CNMVS66.DLL
2009-04-21 20:19 . 2004-05-21 21:00 116736 ----a-w c:\windows\system32\CNMLM66.DLL
2009-04-21 20:19 . 2004-06-05 07:34 86016 ----a-w c:\windows\system32\CNMCP66.exe
2009-04-21 20:19 . 2009-04-21 20:19 -------- d--h--w C:\BJPrinter
2009-04-21 19:47 . 2009-04-21 19:47 -------- d-----w c:\windows\ShellNew
2009-04-21 19:45 . 2009-04-21 19:45 -------- d-----w c:\documents and settings\Kenneth Graf\Application Data\Microsoft Web Folders
2009-04-21 18:04 . 2009-04-21 18:04 -------- d--h--w c:\documents and settings\Kenneth Graf\Application Data\GTek
2009-04-21 18:03 . 2006-04-02 23:52 1851546 ----a-w c:\windows\system32\gdql_lsa.dll
2009-04-21 18:03 . 2009-04-21 18:03 29184 ----a-w c:\windows\system32\drivers\goprot51.sys
2009-04-21 18:03 . 2005-11-21 20:17 135168 ----a-w c:\windows\system32\GoProto.dll
2009-04-21 18:03 . 2005-03-13 23:54 6656 ----a-w c:\windows\system32\DLPT2.sys
2009-04-21 18:03 . 2004-06-09 16:29 6977 ----a-w c:\windows\system32\DDMI2.sys
2009-04-21 18:03 . 2009-04-21 18:04 -------- d--ha-w c:\documents and settings\All Users\Application Data\GTek
2009-04-21 18:03 . 2009-04-21 18:04 -------- d-----w c:\program files\Linksys EasyLink Advisor
2009-04-21 17:53 . 2009-04-21 17:53 -------- d-----w c:\documents and settings\Kenneth Graf\Local Settings\Application Data\Microsoft Help
2009-04-21 17:53 . 2009-04-21 19:42 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-21 17:23 . 2009-04-21 17:23 -------- d-----w c:\documents and settings\Kenneth Graf\Application Data\Apple Computer
2009-04-21 17:22 . 2008-04-17 19:12 107368 ----a-w c:\windows\system32\GEARAspi.dll
2009-04-21 17:22 . 2009-03-19 23:32 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-04-21 17:22 . 2009-04-21 17:22 -------- d-----w c:\program files\iPod
2009-04-21 17:22 . 2009-04-21 17:22 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-21 17:22 . 2009-04-21 17:22 -------- d-----w c:\program files\iTunes
2009-04-21 17:22 . 2009-04-21 17:22 -------- d-----w c:\program files\Bonjour
2009-04-21 17:22 . 2009-04-21 17:22 -------- d-----w c:\program files\QuickTime
2009-04-21 17:22 . 2009-04-21 17:22 -------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-04-21 17:21 . 2009-04-21 17:21 -------- d-----w c:\documents and settings\Kenneth Graf\Local Settings\Application Data\Apple
2009-04-21 17:21 . 2009-04-21 17:21 -------- d-----w c:\program files\Apple Software Update
2009-04-21 17:21 . 2009-04-21 17:22 -------- dc----w c:\windows\system32\DRVSTORE
2009-04-21 17:21 . 2009-04-21 17:22 -------- d-----w c:\program files\Common Files\Apple
2009-04-21 17:21 . 2009-04-21 17:21 -------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-04-21 17:21 . 2009-04-21 17:23 -------- d-----w c:\documents and settings\Kenneth Graf\Local Settings\Application Data\Apple Computer
2009-04-21 16:23 . 2009-04-21 16:23 -------- d-----w c:\program files\Borland
2009-04-21 16:23 . 2009-04-21 16:24 -------- d-----w C:\hw
2009-04-21 16:22 . 1996-01-09 17:38 283648 ----a-w c:\windows\uninst.exe
2009-04-21 16:22 . 2009-04-21 16:22 -------- d-----w c:\documents and settings\Kenneth Graf\WINDOWS
2009-04-21 16:14 . 2009-04-21 16:14 -------- d-----w C:\dell
2009-04-21 16:13 . 2000-03-23 19:50 446464 ----a-r c:\windows\system32\hhactivex.dll
2009-04-21 16:13 . 2002-01-09 00:00 176128 ----a-w c:\windows\system32\RcdScan.dll
2009-04-21 16:13 . 1998-06-18 06:00 89360 ----a-w c:\windows\system32\VB5DB.DLL
2009-04-21 16:13 . 2001-08-22 15:42 13632 ------w c:\windows\system32\drivers\omci.sys
2009-04-21 16:13 . 2009-04-21 16:13 -------- d-----w c:\program files\Common Files\InstallShield
2009-04-21 16:11 . 2008-06-13 13:10 272128 -c----w c:\windows\system32\dllcache\bthport.sys
2009-04-21 16:11 . 2008-06-13 13:10 272128 ------w c:\windows\system32\drivers\bthport.sys
2009-04-21 16:10 . 2008-10-24 11:10 453632 -c----w c:\windows\system32\dllcache\mrxsmb.sys
2009-04-21 16:09 . 2008-02-27 20:49 3840 ----a-w c:\windows\system32\drivers\BANTExt.sys
2009-04-21 16:09 . 2009-04-21 16:09 -------- d-----w c:\program files\Belarc
2009-04-21 16:09 . 2009-02-06 17:22 2136064 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-21 16:09 . 2009-02-06 17:24 2180480 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-21 16:09 . 2009-02-06 16:49 2015744 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-21 16:09 . 2009-02-06 16:49 2057728 -c----w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-04-21 07:33 . 2009-05-09 15:14 -------- d--h--w c:\windows\$hf_mig$
2009-04-21 03:09 . 2009-04-21 20:36 42576 ----a-w c:\documents and settings\Kenneth Graf\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-21 03:08 . 2006-04-12 17:11 1933312 ----a-w c:\windows\system32\cdintf250.dll
2009-04-21 03:08 . 2009-04-21 03:08 -------- d-----w c:\documents and settings\Kenneth Graf\Application Data\Intuit
2009-04-21 03:08 . 2009-04-21 03:08 -------- d-----w c:\program files\Common Files\Palo Alto Software
2009-04-21 03:08 . 2009-04-21 03:08 -------- d-----w c:\program files\Common Files\Intuit
2009-04-21 03:08 . 2009-05-03 16:56 -------- d-----w c:\program files\Quicken
2009-04-21 03:03 . 2009-04-21 03:03 -------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2009-04-21 02:36 . 2009-04-21 02:36 -------- d-----w c:\documents and settings\Kenneth Graf\Local Settings\Application Data\Identities
2009-04-20 23:40 . 2003-01-29 18:13 167936 ----a-w c:\windows\system32\dzip32.dll
2009-04-20 23:40 . 2003-01-29 18:13 139264 ----a-w c:\windows\system32\dunzip32.dll
2009-04-20 23:40 . 2008-05-16 19:29 192512 ----a-w c:\windows\system32\SFDLLStorage.dll
2009-04-20 23:40 . 2008-12-09 00:04 249856 ----a-w c:\windows\system32\SFConduit.dll
2009-04-20 23:40 . 2003-08-26 17:59 241664 ----a-w c:\windows\system32\CARFSW20.DLL
2009-04-20 23:40 . 2002-09-17 23:05 40960 ----a-w c:\windows\system32\CARFSW16.DLL
2009-04-20 23:40 . 2003-02-06 16:17 233472 ----a-w c:\windows\system32\CARCLW60.DLL
2009-04-20 23:40 . 2009-05-08 20:03 -------- d-----w C:\PCDART
2009-04-20 23:40 . 2009-04-21 16:15 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-20 23:39 . 2009-04-20 23:39 -------- d-----w c:\documents and settings\Kenneth Graf\Application Data\InstallShield
2009-04-20 23:04 . 2009-04-20 23:04 -------- d-----w c:\program files\Windows Media Connect 2
2009-04-20 23:03 . 2009-04-20 23:03 -------- d-----w c:\windows\system32\drivers\UMDF
2009-04-20 23:03 . 2009-04-20 23:03 -------- d-----w c:\windows\system32\LogFiles
2009-04-20 23:03 . 2008-07-09 07:38 26488 ----a-w c:\windows\system32\spupdsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-07 15:29 . 2009-04-20 22:58 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-07 15:29 . 2009-04-20 22:58 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-07 15:29 . 2009-04-20 22:58 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-21 16:15 . 2009-04-21 16:15 -------- d-----w c:\program files\Analog Devices
2009-04-21 06:09 . 2009-04-20 22:43 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-20 22:58 . 2009-04-20 22:58 -------- d-----w c:\program files\AVG
2009-04-20 22:53 . 2009-04-20 22:53 0 ----a-w c:\windows\nsreg.dat
2009-04-20 22:44 . 2009-04-20 22:44 -------- d-----w c:\program files\microsoft frontpage
2009-04-20 22:44 . 2004-08-04 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-04-20 22:41 . 2009-04-20 22:41 21640 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-06 14:44 . 2004-08-04 12:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:30 . 2004-08-04 12:00 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-20 08:30 . 2004-08-04 12:00 659456 ----a-w c:\windows\system32\wininet.dll
.

------- Sigcheck -------

[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2004-08-04 12:00 359040 1745B00FC1141404B28F4B94F69A8871 c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\sp2gdr\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\sp2qfe\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\sp3gdr\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\sp3qfe\tcpip.sys
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\tcpip.sys
[-] 2008-06-20 10:45 360320 1CC09561E21A48A7F649A40F18235860 c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 10:45 360320 1CC09561E21A48A7F649A40F18235860 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-03 389120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-07 1947928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"sms"="c:\windows\sms.exe" [2009-05-09 310784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-20 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-07 15:29 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/20/2009 3:58 PM 325896]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/20/2009 3:58 PM 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [4/20/2009 3:58 PM 908568]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/20/2009 3:58 PM 298776]
.
Contents of the 'Scheduled Tasks' folder

2009-05-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-05-12 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-09 05:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kenneth Graf\Application Data\Mozilla\Firefox\Profiles\wlu92dzd.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-05-12 17:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-05-13 17:02
ComboFix-quarantined-files.txt 2009-05-13 00:02
ComboFix2.txt 2009-05-12 14:39

Pre-Run: 73,159,749,632 bytes free
Post-Run: 73,157,591,040 bytes free

198 --- E O F --- 2009-05-09 15:14


Malwarebytes log:

Malwarebytes' Anti-Malware 1.36
Database version: 2116
Windows 5.1.2600 Service Pack 2

5/12/2009 8:55:46 PM
mbam-log-2009-05-12 (20-55-39).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 110613
Time elapsed: 31 minute(s), 6 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
C:\WINDOWS\sms.exe (Trojan.PWS) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{02ffac45-0b10-5633-4296-1801f1a36678} (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{f710fa10-2031-3106-8872-93a2b5c5c620} (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sms (Worm.P2P) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\UpdateWin (Worm.Sdbot) -> No action taken.
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\file.exe (Rootkit.Dropper) -> No action taken.
C:\PCDART\CopySharedFile.exe (Trojan.FakeAlert) -> No action taken.
D:\PCDART\CopySharedFile.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\sms.exe (Worm.P2P) -> No action taken.
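As an added example (not from this thread or any of the tools it mentions), a small Python triage script that applies the checks a helper would make on the ComboFix "Reg Loading Points" section above: autoruns launched straight from the Windows or profile root, Security Center notifications switched off, and a firewall profile disabled. The sample excerpt is copied from the log posted above; the heuristics, the 7-day recency window and the severity labels are my own assumptions.

```python
import re
from datetime import date, timedelta

# Constructed sample: the Run keys, Security Center flags and firewall
# profile from the ComboFix "Reg Loading Points" section posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-07 1947928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"sms"="c:\windows\sms.exe" [2009-05-09 310784]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""
SCAN_DATE = date(2009, 5, 12)  # date of the ComboFix run above

SECTION_RE = re.compile(r"^\[(.+)\]$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)" \[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"= (\d+)')

# Assumption: a legitimate autorun almost never launches a bare .exe sitting
# directly in the Windows root or the profile root; droppers routinely do.
ODD_PARENT_DIRS = {r"c:\windows", r"c:\documents and settings"}
SC_FLAGS = {"AntiVirusDisableNotify", "UpdatesDisableNotify", "FirewallOverride"}

def parent_dir(path):
    return path.rsplit("\\", 1)[0].lower()

def triage(log_text, scan_date, recent_days=7):
    """Return (severity, key, value_name, reason) tuples for the excerpt."""
    findings, section = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = RUN_RE.match(line)
        if m and section.lower().endswith(r"currentversion\run"):
            name, path, stamp, _size = m.groups()
            odd = parent_dir(path) in ODD_PARENT_DIRS
            recent = scan_date - date.fromisoformat(stamp) <= timedelta(days=recent_days)
            if odd:  # location alone is enough; recency only strengthens it
                why = "launched straight from " + parent_dir(path)
                if recent:
                    why += ", binary dated " + stamp
                findings.append(("HIGH", section, name, why))
            elif recent:  # recency alone is weak: AV updates trip it too
                findings.append(("INFO", section, name, "binary dated " + stamp))
            continue
        m = DWORD_RE.match(line)
        if m and "security center" in section.lower():
            name, hexval = m.groups()
            if name in SC_FLAGS and int(hexval, 16) == 1:
                findings.append(("HIGH", section, name, "Security Center warning suppressed"))
            continue
        m = FIREWALL_RE.match(line)
        if m and "firewallpolicy" in section.lower() and m.group(1) == "0":
            findings.append(("HIGH", section, "EnableFirewall", "Windows Firewall off for this profile"))
    return findings

if __name__ == "__main__":
    for sev, key, name, why in triage(SAMPLE_LOG, SCAN_DATE):
        print("%-4s %-62s %-22s %s" % (sev, key, name, why))
```

On the excerpt above this flags sms.exe, the three Security Center values and the disabled standard profile as HIGH, and lists the freshly updated AVG tray binary only as INFO.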
 
Run SDFix

How To Use SDFix

Tools needed for this fix:

SDFix Instructions:

1. Please print these instructions as they will be needed later when Internet access is not available.
2. Log on to your computer with an account that has Administrator privileges.
3. Download SDFix.exe from the following link and save it to your desktop: SDFix Download Link
   Confirm that the file SDFix.exe now resides on your desktop, but do not double-click on the icon as of yet. We will use it in later steps.
4. Now, double-click on the SDFix icon that should now be residing on your desktop. If an Open File - Security Warning box opens, click on the Run button.
5. A window will now open showing SDFix being extracted into the C:\SDFix folder. Once the installation program has finished extracting SDFix, it will open Notepad with further instructions.
6. Next, please reboot your computer into Safe Mode by doing the following:
   a. Restart your computer.
   b. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
   c. Instead of Windows loading as normal, a menu should appear.
   d. Select the first option, to run Windows in Safe Mode.
   e. When you are at the logon prompt, log in as the same user that you had performed the previous steps as.
7. When your computer has started in Safe Mode and you see the desktop, close all open windows.
8. Click on the Start button, click on the Run menu option, and type the following into the Open: field:
   C:\SDFix\RunThis.bat
   Then press the OK button.
9. The SDFix window will open, containing some brief info and a disclaimer on the use of the tool. If you want to continue, please press the Y key on your keyboard and then press Enter. Otherwise, you can press the N key to exit the program.
10. SDFix will now start scanning your computer for known infections. This process can take a while, so you may want to do something else and periodically check back on the status of SDFix. As the scanning process continues you will continue to see new messages on the screen.
11. When the scanning process has finished you will see a new screen stating that you need to restart your computer in order to continue. At this point you should press any key on your computer's keyboard in order to restart the computer.
12. After your computer reboots, SDFix will automatically start and perform a last check.
13. You will now be presented with a screen stating that SDFix has finished. At this point you should press any key on your computer's keyboard in order to continue to your desktop.
14. When you are back at your Windows desktop, the SDFix log will automatically be opened in Notepad. Review the log as necessary to see what was removed and then close the Notepad window.

Now that SDFix has finished running, any worms or Trojans that it knows how to remove should have been deleted from your computer.
 
I have a little problem. The PS/2 keyboard does not work in safe mode. I have tried 2 different keyboards. Is there a way to get the keyboard working or is there a way around it?
 
I found a USB keyboard and it worked. Why wouldn't the PS/2 keyboard work in safe mode?

Here is the report from SDFix. Do you need any other logs?

SDFix: Version 1.240
Run by Kenneth Graf on Wed 05/13/2009 at 10:31 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-05-13 10:35:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile"=str(2):"c:\windows\system32\ESENT.dll"
"CategoryMessageFile"=str(2):"c:\windows\system32\ESENT.dll"

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :



Files with Hidden Attributes :

Fri 8 May 2009 41,984 ..SHR --- "C:\WINDOWS\system32\adptifr.exe"
Sun 3 May 2009 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 20 Apr 2009 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 21 Apr 2009 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Tue 21 Apr 2009 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"

Finished!
 