Worm.AutoRun.HXB ( Help )


Post by Quicktrance on 16th July 2009, 8:45 pm

Hey, first time poster. First off, I was recommended to this site by friends in a game. As the title says, I have Worm.AutoRun.HXB on my computer. Every time that I try to remove it, it just comes back up again. I downloaded combofix.exe and used it. This is what my Vexira Antivirus says.

Virus found!
Virus information:
Name: Worm.AutoRun.HXB
Removability: killable
Found information:
Location: Memory
File: C:\WINDOWS\system32\cfeeeeec.dll
The following processes use the cfeeeeec.dll file:
winlogon.exe


And this is the Combofix info.
ComboFix 09-07-14.08 - HP_Administrator 07/16/2009 16:01.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.469 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Vexira Antivirus Professional *On-access scanning enabled* (Updated) {76CEA918-5D0F-48D5-BEC6-7BB54A3735C3}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\HP_Administrator\Application Data\02000000b23054d2625C.manifest
c:\documents and settings\HP_Administrator\Application Data\02000000b23054d2625O.manifest
c:\documents and settings\HP_Administrator\Application Data\02000000b23054d2625P.manifest
c:\documents and settings\HP_Administrator\Application Data\02000000b23054d2625S.manifest
c:\documents and settings\HP_Administrator\Local Settings\Temp\IadHide5.dll
c:\documents and settings\HP_Administrator\nah_log.dat
C:\fwdrv.sys
c:\program files\Common
c:\windows\Downloaded Program Files\ijjiPreNotify2.exe
c:\windows\GnuHashes.ini
c:\windows\Installer\118f12.msi
c:\windows\Installer\152c4dbe.msi
c:\windows\Installer\15bcc.msi
c:\windows\Installer\15bd2.msi
c:\windows\Installer\15bd8.msi
c:\windows\Installer\15bde.msi
c:\windows\Installer\17f67098.msp
c:\windows\Installer\1a30a.msi
c:\windows\Installer\1a312.msp
c:\windows\Installer\1a322.msi
c:\windows\Installer\1acb4a5.msi
c:\windows\Installer\1acb4c3.msi
c:\windows\Installer\1acb4eb.msi
c:\windows\Installer\1acb4fd.msi
c:\windows\Installer\1e4c6d3.msi
c:\windows\Installer\25f755dc.msi
c:\windows\Installer\2907a81.msp
c:\windows\Installer\31235e5.msi
c:\windows\Installer\3233a40.msp
c:\windows\Installer\445ff58.msi
c:\windows\Installer\445ff62.msi
c:\windows\Installer\536aa.msi
c:\windows\Installer\82cc85.msp
c:\windows\Installer\c650df.msi
c:\windows\Installer\e213.msp
c:\windows\Installer\e3a4071.msi
c:\windows\Installer\e428.msp
c:\windows\Readme.txt
c:\windows\system32\1.tmp
c:\windows\system32\1FD.tmp
c:\windows\system32\6F.tmp
c:\windows\System32\capesnpn32.dll
c:\windows\system32\DGHbm.vbs
c:\windows\system32\GroupPolicy000.dat
c:\windows\system32\kdpini.dll
c:\windows\system32\KiBypass.dll
c:\windows\system32\ydyDR.vbs
D:\Autorun.inf
c:\recycler\S-1-5-21-3847298872-3323431910-380601516-1008 . . . . failed to delete

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\system32\winlogon.old


Re: Worm.AutoRun.HXB ( Help )

Post by Quicktrance on 16th July 2009, 8:46 pm

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ILVMONEYDRIVER53
-------\Legacy_NPF
-------\Legacy_TDSSSERV.SYS
-------\Service_IlvMoneyDRIVER53
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2009-06-16 to 2009-07-16 )))))))))))))))))))))))))))))))
.

2009-07-15 11:02 . 2009-07-15 11:02 -------- d-----w- c:\windows\system32\MpEngineStore
2009-07-12 06:37 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-07-01 19:00 . 2009-07-01 19:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2009-06-30 13:13 . 2009-07-11 20:04 -------- d-sh--w- c:\windows\system32\SystemX86
2009-06-30 02:34 . 2009-06-30 02:35 -------- d-----w- C:\bff578460d5402cea55bb72fd0ccc157
2009-06-30 02:34 . 2009-06-30 03:22 -------- d-----w- c:\windows\SxsCaPendDel
2009-06-29 07:03 . 2009-07-12 00:46 -------- d-----w- c:\program files\Incomplete
2009-06-29 06:59 . 2009-07-16 19:05 -------- d-----w- c:\program files\AskBarDis
2009-06-25 20:11 . 2009-06-25 20:11 -------- d-sh--w- c:\documents and settings\HP_Administrator\IECompatCache
2009-06-25 20:10 . 2009-06-25 20:10 -------- d-sh--w- c:\documents and settings\HP_Administrator\PrivacIE
2009-06-25 20:09 . 2009-06-25 20:09 -------- d-sh--w- c:\documents and settings\HP_Administrator\IETldCache
2009-06-25 18:39 . 2009-06-25 18:39 -------- d-----w- c:\windows\ie8updates
2009-06-25 18:23 . 2009-06-25 18:34 -------- dc-h--w- c:\windows\ie8
2009-06-25 17:57 . 2009-06-02 10:12 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-06-25 17:57 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-25 17:57 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-17 04:52 . 2009-06-17 04:52 2560 ----a-w- c:\windows\_MSRSTRT.EXE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-16 19:05 . 2005-08-09 12:28 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-16 18:48 . 2007-12-29 09:15 -------- d-----w- c:\program files\World of Warcraft
2009-07-12 06:46 . 2008-08-12 19:12 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\FrostWire
2009-07-11 23:50 . 2009-07-11 20:07 205 ----a-w- c:\documents and settings\HP_Administrator\udpcrawl.tmp
2009-07-10 21:21 . 2009-07-10 21:21 0 ----a-w- c:\windows\system32\67.tmp
2009-07-10 21:21 . 2009-07-10 21:21 0 ----a-w- c:\windows\system32\66.tmp
2009-06-30 03:34 . 2009-06-15 17:33 -------- d-----w- c:\program files\Diablo II
2009-06-30 03:22 . 2007-05-10 06:34 58096 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-29 06:50 . 2005-08-09 13:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-29 06:48 . 2009-05-29 00:08 -------- d-----w- c:\program files\Norton Security Scan
2009-06-28 05:35 . 2007-08-01 04:53 -------- d-----w- c:\program files\Starcraft
2009-06-25 08:42 . 2008-05-27 04:14 -------- d-----w- c:\program files\Warcraft III
2009-06-17 05:01 . 2006-04-07 15:40 -------- d-----w- c:\program files\Common Files\AOL
2009-06-16 14:36 . 2004-08-10 19:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-10 19:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 17:42 . 2005-12-08 04:21 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-06-12 06:18 . 2009-06-03 00:56 35190 ----a-w- c:\windows\scunin.dat
2009-06-12 06:18 . 2009-06-03 00:56 967 ----a-w- c:\windows\ScUnin.pif
2009-06-12 06:18 . 2009-06-03 00:56 94208 ----a-w- c:\windows\ScUnin.exe
2009-06-03 19:09 . 2004-08-10 19:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-13 05:15 . 2004-08-10 19:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2004-08-10 19:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-04 03:18 . 2007-03-26 03:10 482 ----a-w- c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2009-05-01 05:13 . 2009-05-01 05:11 34 ----a-w- c:\documents and settings\HP_Administrator\jagex_runescape_preferences.dat
2009-04-19 04:08 . 2009-04-19 04:08 152576 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2008-11-19 11:56 . 2008-11-19 11:56 16771 ----a-w- c:\program files\Common Files\jana.dat
2008-11-19 11:56 . 2008-11-19 11:56 13985 ----a-w- c:\program files\Common Files\gipuv.vbs
2008-11-19 11:56 . 2008-11-19 11:56 13188 ----a-w- c:\program files\Common Files\azezuzu.ban
2008-11-19 11:56 . 2008-11-19 11:56 11322 ----a-w- c:\program files\Common Files\gynebyboru.sys
2008-11-19 11:56 . 2008-11-19 11:56 11170 ----a-w- c:\program files\Common Files\sada.reg
2008-11-19 11:49 . 2008-11-19 11:49 16918 ----a-w- c:\program files\Common Files\ivima.pif
2008-11-19 11:49 . 2008-11-19 11:49 15994 ----a-w- c:\program files\Common Files\isawerewun.bat
2008-11-19 11:49 . 2008-11-19 11:49 14649 ----a-w- c:\program files\Common Files\quvum.com
2008-11-19 11:49 . 2008-11-19 11:49 13172 ----a-w- c:\program files\Common Files\dyrisiz.inf
2008-11-19 11:49 . 2008-11-19 11:49 12930 ----a-w- c:\program files\Common Files\apene.exe
.

------- Sigcheck -------

[-] 2004-08-10 19:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtServicePackUninstall$\termsrv.dll
[7] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-11-19 10:08 295424 63999D0ABD8DABFD76A9C07F6E104868 c:\windows\system32\termsrv.dll

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-16 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-08-09 180269]
"VBSysTray"="c:\progra~1\VEXIRA~1\Bin\vbsystry.exe" [2008-11-13 239000]
"AVLoginToDo"="c:\progra~1\VEXIRA~1\Bin\avltd.exe" [2008-11-13 50552]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"ScreenPrint32"="c:\program files\ScreenPrint32 v3\ScreenPrint32.exe" [2008-11-24 446464]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2005-8-9 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cfeeeeec]
2004-07-15 05:14 312847 ------w- c:\windows\system32\cfeeeeec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fbadcaddddffd]
2009-04-17 17:05 280079 ----a-w- c:\windows\system32\fbadcaddddffd.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001


Re: Worm.AutoRun.HXB ( Help )

Post by Quicktrance on 16th July 2009, 8:47 pm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\ehome\\ehtray.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Online Services\\AOL\\InstallAol.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Games\\GamerX\\TF2\\hl2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\World of Warcraft Public Test\\WoW-0.1.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft Public Test\\Launcher.exe"=
"c:\\Program Files\\GameHouse\\TextTwist\\TextTwist.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:blizzard
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"57053:TCP"= 57053:TCP:Pando Media Booster
"57053:UDP"= 57053:UDP:Pando Media Booster

R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [8/10/2004 3:00 PM 14336]
R2 VACompManService;Vexira Antivirus Component Manager Service;c:\progra~1\VEXIRA~1\Bin\vbcmserv.exe [11/13/2008 7:25 PM 46496]
R2 VBShld;VBShld;c:\windows\system32\drivers\vbshld.sys [10/27/2008 10:07 AM 272480]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/21/2008 10:32 AM 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
R3 VBEngNT;VBEngNT;c:\windows\system32\drivers\vbengnt.sys [3/19/2009 3:43 PM 1173992]
R3 VBFilter;VBFilter;c:\windows\system32\drivers\vbfilter.sys [10/27/2008 10:06 AM 27096]
R3 VBRec;VBRec;c:\windows\system32\drivers\vbrec.sys [10/27/2008 10:05 AM 18528]
S0 da65e88a94091479311aeb67c4d9d230;da65e88a94091479311aeb67c4d9d230;c:\windows\system32\da65e88a94091479311aeb67c4d9d230.sys --> c:\windows\system32\da65e88a94091479311aeb67c4d9d230.sys [?]
S1 jitqprsi;jitqprsi;\??\c:\windows\system32\drivers\jitqprsi.sys --> c:\windows\system32\drivers\jitqprsi.sys [?]
S1 rjdmxlxw;rjdmxlxw;\??\c:\windows\system32\drivers\rjdmxlxw.sys --> c:\windows\system32\drivers\rjdmxlxw.sys [?]
S3 cheetah1;cheetah1;\??\c:\documents and settings\HP_Administrator\Desktop\Hack Pack 101\cheetahengine\cheetah.sys --> c:\documents and settings\HP_Administrator\Desktop\Hack Pack 101\cheetahengine\cheetah.sys [?]
S3 Dua1;Dua1;\??\c:\documents and settings\HP_Administrator\Desktop\Super MPC Hack Pack 1.0\DualEngine2\DualEngi.sys --> c:\documents and settings\HP_Administrator\Desktop\Super MPC Hack Pack 1.0\DualEngine2\DualEngi.sys [?]
S3 geebers12;geebers12;\??\c:\documents and settings\HP_Administrator\Desktop\Buffy Engine 2.0\nvid888.sys --> c:\documents and settings\HP_Administrator\Desktop\Buffy Engine 2.0\nvid888.sys [?]
S3 kaspersky1;kaspersky1;\??\c:\documents and settings\HP_Administrator\Desktop\Kaspersky_Engine_2\kaspersky.sys --> c:\documents and settings\HP_Administrator\Desktop\Kaspersky_Engine_2\kaspersky.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 11:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]
S3 saruen;saruen;\??\c:\documents and settings\HP_Administrator\Desktop\saruen.sys --> c:\documents and settings\HP_Administrator\Desktop\saruen.sys [?]
S3 sejt1;sejt1;\??\c:\documents and settings\HP_Administrator\Desktop\AkumaEngine33\sejt.sys --> c:\documents and settings\HP_Administrator\Desktop\AkumaEngine33\sejt.sys [?]
S3 SHAK31;SHAK31;\??\c:\documents and settings\HP_Administrator\Desktop\RE 4.2\SHAK3.sys --> c:\documents and settings\HP_Administrator\Desktop\RE 4.2\SHAK3.sys [?]
S3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [7/11/2001 12:06 PM 23153]
S3 spuce1;spuce1;\??\c:\program files\Wizet\MapleStory\SPUCE\spuce.sys --> c:\program files\Wizet\MapleStory\SPUCE\spuce.sys [?]
S3 XDva277;XDva277;\??\c:\windows\system32\XDva277.sys --> c:\windows\system32\XDva277.sys [?]
S3 xp1;xp1;\??\c:\documents and settings\HP_Administrator\Desktop\GMS v.34 Xleviks pack1.1\xp.sys --> c:\documents and settings\HP_Administrator\Desktop\GMS v.34 Xleviks pack1.1\xp.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-07-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2009-07-16 c:\windows\Tasks\User_Feed_Synchronization-{88A90031-33A4-4E3B-8619-DC14F5F5036A}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{06B8B7F4-9E44-3BD8-94E4-787C24CD1841} - c:\windows\system32\aclux.dIl
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
HKCU-Run-Weather - c:\progra~1\AWS\WEATHE~1\Weather.exe
HKLM-Run-YSearchProtection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
HKLM-Run-01372843 - c:\documents and settings\All Users\Application Data\01372843\01372843.exe
HKLM-Run-Logitech Hardware Abstraction Layer - KHALMNPR.EXE
Notify-__c001E680 - c:\windows\system32\__c001E680.dat
Notify-__c0039734 - c:\windows\system32\__c0039734.dat
Notify-__c0081012 - c:\windows\system32\__c0081012.dat
Notify-__c008A228 - c:\windows\system32\__c008A228.dat
Notify-__c00B48FC - c:\windows\system32\__c00B48FC.dat
Notify-__c00F502E - c:\windows\system32\__c00F502E.dat
Notify-byXpQjkh - byXpQjkh.dll


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: &Yahoo! Search - [You must be registered and logged in to see this link.] files\Yahoo!\Common/ycsrch.htm
IE: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - [You must be registered and logged in to see this link.] files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - [You must be registered and logged in to see this link.] files\ieSpell\wikipedia.HTM
IE: Yahoo! &Dictionary - [You must be registered and logged in to see this link.] files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - [You must be registered and logged in to see this link.] files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - [You must be registered and logged in to see this link.] files\Yahoo!\Common/ycsms.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-16 16:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\fbadcaddddffd.dll:SummaryInformation 88 bytes hidden from API
c:\windows\system32\fbadcaddddffd.dll:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes hidden from API

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3720616747-360736051-3086219903-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3720616747-360736051-3086219903-1008\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\cfeeeeec.dll
c:\windows\system32\WININET.dll
c:\windows\system32\fbadcaddddffd.dll
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(3232)
c:\windows\system32\WININET.dll
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\system32\dllhost.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\ati2evxx.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-07-16 16:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-16 20:18

Pre-Run: 115,108,544,512 bytes free
Post-Run: 116,245,057,536 bytes free

338 --- E O F --- 2009-07-16 19:02


Re: Worm.AutoRun.HXB ( Help )

Post by Origin on 16th July 2009, 9:14 pm

Now open a new notepad file.
Input this into the notepad file:

File::
c:\documents and settings\HP_Administrator\udpcrawl.tmp
c:\windows\system32\67.tmp
c:\windows\system32\66.tmp
c:\program files\Common Files\jana.dat
c:\program files\Common Files\gipuv.vbs
c:\program files\Common Files\azezuzu.ban
c:\program files\Common Files\gynebyboru.sys
c:\program files\Common Files\sada.reg
c:\program files\Common Files\ivima.pif
c:\program files\Common Files\isawerewun.bat
c:\program files\Common Files\quvum.com
c:\program files\Common Files\dyrisiz.inf
c:\program files\Common Files\apene.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cfeeeeec]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fbadcaddddffd]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=-
"AntiVirusOverride"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-

Driver::
Viewpoint Manager Service
da65e88a94091479311aeb67c4d9d230
jitqprsi
rjdmxlxw
cheetah1
kaspersky.sys

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]


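The entries the reply targets are the classic ones a responder looks for in a ComboFix log: Winlogon Notify subkeys with generated-looking names (DLLs that get loaded into winlogon.exe, which is why the infected file kept coming back), Security Center override values set to 1 (which silence the "no antivirus / no updates" warnings), services whose driver file ComboFix could not find (the `[?]` marker) or that were registered from a user profile folder, and alternate data streams catchme reports as hidden from the API. The Python below is an added example written for this thread, not part of ComboFix and not the helper's own tooling: it walks log text once, collects those indicators, and drafts the `Registry::` and `Driver::` sections in the CFScript syntax shown in the reply. The function names `triage` and `build_cfscript` are mine; `SAMPLE_LOG` is constructed by excerpting lines from the log posted above; the Security Center value names beyond the two in the log are the other standard XP Security Center switches. The drafted script is a starting point for an analyst to review line by line, as the helper did here, not something to run unreviewed.

```python
"""Triage helper for ComboFix-style log text (added example for this thread; not part
of ComboFix or of the helper's own tooling; SAMPLE_LOG is constructed from the posted log)."""
import re
from dataclasses import dataclass
from typing import List

NOTIFY_BASE = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"
NOTIFY_KEY = re.compile(r"^\[" + re.escape(NOTIFY_BASE) + r"\\([^\]]+)\]$", re.IGNORECASE)
SECURITY_CENTER_KEY = r"hkey_local_machine\software\microsoft\security center"
# Security Center values that silence AV/firewall/update warnings when set to 1
# (the two seen in the log plus the other standard XP switches).
OVERRIDE_VALUE = re.compile(
    r'^"(AntiVirusOverride|FirewallOverride|UpdatesDisableNotify|'
    r'AntiVirusDisableNotify|FirewallDisableNotify)"=dword:0*1$')
SERVICE_LINE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")  # "R2 name;display;path [...]"
HIDDEN_STREAM = re.compile(r"^(\S+):(\S+)\s+(\d+) bytes hidden from API$")  # catchme output
HEX_NAME = re.compile(r"^[0-9a-f]{8,}$", re.IGNORECASE)

# Constructed sample: lines excerpted from the ComboFix and catchme output posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cfeeeeec]
2004-07-15 05:14 312847 ------w- c:\windows\system32\cfeeeeec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fbadcaddddffd]
2009-04-17 17:05 280079 ----a-w- c:\windows\system32\fbadcaddddffd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
S1 jitqprsi;jitqprsi;\??\c:\windows\system32\drivers\jitqprsi.sys --> c:\windows\system32\drivers\jitqprsi.sys [?]
S3 cheetah1;cheetah1;\??\c:\documents and settings\HP_Administrator\Desktop\Hack Pack 101\cheetahengine\cheetah.sys --> c:\documents and settings\HP_Administrator\Desktop\Hack Pack 101\cheetahengine\cheetah.sys [?]

c:\windows\system32\fbadcaddddffd.dll:SummaryInformation 88 bytes hidden from API
"""

@dataclass
class Finding:
    kind: str    # indicator category
    name: str    # subkey, value, service name or file path
    detail: str  # why it was flagged

def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    current_key = None  # registry key whose value block we are inside
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:  # a blank line ends a registry block
            current_key = None
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            m = NOTIFY_KEY.match(line)  # Notify packages are DLLs loaded into winlogon.exe
            if m:
                why = ("hex-only name, typical of generated malware packages" if HEX_NAME.match(m.group(1))
                       else "non-default Winlogon Notify package")
                findings.append(Finding("winlogon-notify", m.group(1), why))
            continue
        if current_key and current_key.lower() == SECURITY_CENTER_KEY:
            m = OVERRIDE_VALUE.match(line)
            if m:
                findings.append(Finding("security-center-override", m.group(1), "set to 1: warning suppressed"))
            continue
        m = SERVICE_LINE.match(line)
        if m:
            start, svc, _display, rest = m.groups()
            if rest.endswith("[?]"):  # ComboFix marks services whose binary it could not find
                path = rest[:-3].strip().split(" --> ")[0]
                findings.append(Finding("missing-service-file", svc, f"{start} entry points at missing {path}"))
            if "\\documents and settings\\" in rest.lower():
                findings.append(Finding("profile-path-driver", svc, "kernel driver registered from a user profile"))
            continue
        m = HIDDEN_STREAM.match(line)
        if m:
            findings.append(Finding("hidden-stream", m.group(1),
                                    f"stream '{m.group(2)}' ({m.group(3)} bytes) hidden from the Win32 API"))
    return findings

def build_cfscript(findings: List[Finding]) -> str:
    """Draft Registry::/Driver:: sections in the CFScript syntax used in the reply above;
    a starting point for an analyst to review line by line, not something to run as-is."""
    registry, drivers = [], []
    for f in findings:
        if f.kind == "winlogon-notify":
            registry.append(f"[-{NOTIFY_BASE}\\{f.name}]")  # leading '-' deletes the whole subkey
        elif f.kind in ("missing-service-file", "profile-path-driver") and f.name not in drivers:
            drivers.append(f.name)
    overrides = [f.name for f in findings if f.kind == "security-center-override"]
    if overrides:
        registry.append(r"[HKEY_LOCAL_MACHINE\software\microsoft\security center]")
        registry += [f'"{v}"=-' for v in overrides]  # "name"=- deletes a single value
    sections = []
    if registry:
        sections.append("Registry::\n" + "\n".join(registry))
    if drivers:
        sections.append("Driver::\n" + "\n".join(drivers))
    return "\n\n".join(sections) + "\n"

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:26} {f.name}  ({f.detail})")
    print(build_cfscript(triage(SAMPLE_LOG)))
```

Run against the sample, the Winlogon Notify keys, both Security Center overrides, the three orphaned or profile-path drivers and the hidden stream come out as findings, and the drafted script matches the shape of the one in the reply. The hidden-stream finding is reported but not turned into a script line, since the stream lives on the Notify DLL that the Registry:: entry already removes the loading point for; the File:: section, which lists files by path, is left to the analyst.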

Re: Worm.AutoRun.HXB ( Help )

Post by Quicktrance on 17th July 2009, 9:25 pm

Sorry it took so long, work and sleep ya know.

ComboFix 09-07-14.08 - HP_Administrator 07/17/2009 17:09.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.572 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Vexira Antivirus Professional *On-access scanning disabled* (Updated) {76CEA918-5D0F-48D5-BEC6-7BB54A3735C3}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\HP_Administrator\Local Settings\Temp\IadHide5.dll
.
---- Previous Run -------
.
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\HP_Administrator\Local Settings\Temp\IadHide5.dll
c:\documents and settings\HP_Administrator\udpcrawl.tmp
c:\program files\Common Files\apene.exe
c:\program files\Common Files\azezuzu.ban
c:\program files\Common Files\dyrisiz.inf
c:\program files\Common Files\gipuv.vbs
c:\program files\Common Files\gynebyboru.sys
c:\program files\Common Files\isawerewun.bat
c:\program files\Common Files\ivima.pif
c:\program files\Common Files\jana.dat
c:\program files\Common Files\quvum.com
c:\program files\Common Files\sada.reg
c:\windows\system32\66.tmp
c:\windows\system32\67.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CHEETAH1
-------\Legacy_DA65E88A94091479311AEB67C4D9D230
-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_cheetah1
-------\Service_da65e88a94091479311aeb67c4d9d230
-------\Service_jitqprsi
-------\Service_rjdmxlxw
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2009-06-17 to 2009-07-17 )))))))))))))))))))))))))))))))
.

2009-07-15 11:02 . 2009-07-15 11:02 -------- d-----w- c:\windows\system32\MpEngineStore
2009-07-12 06:37 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-07-01 19:00 . 2009-07-01 19:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2009-06-30 13:13 . 2009-07-11 20:04 -------- d-sh--w- c:\windows\system32\SystemX86
2009-06-30 02:34 . 2009-06-30 02:35 -------- d-----w- C:\bff578460d5402cea55bb72fd0ccc157
2009-06-30 02:34 . 2009-06-30 03:22 -------- d-----w- c:\windows\SxsCaPendDel
2009-06-29 07:03 . 2009-07-12 00:46 -------- d-----w- c:\program files\Incomplete
2009-06-29 06:59 . 2009-07-16 19:05 -------- d-----w- c:\program files\AskBarDis
2009-06-25 20:11 . 2009-06-25 20:11 -------- d-sh--w- c:\documents and settings\HP_Administrator\IECompatCache
2009-06-25 20:10 . 2009-06-25 20:10 -------- d-sh--w- c:\documents and settings\HP_Administrator\PrivacIE
2009-06-25 20:09 . 2009-06-25 20:09 -------- d-sh--w- c:\documents and settings\HP_Administrator\IETldCache
2009-06-25 18:39 . 2009-06-25 18:39 -------- d-----w- c:\windows\ie8updates
2009-06-25 18:23 . 2009-06-25 18:34 -------- dc-h--w- c:\windows\ie8
2009-06-25 17:57 . 2009-06-02 10:12 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-06-25 17:57 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-25 17:57 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-17 21:08 . 2007-12-29 09:15 -------- d-----w- c:\program files\World of Warcraft
2009-07-16 19:05 . 2005-08-09 12:28 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-12 06:46 . 2008-08-12 19:12 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\FrostWire
2009-06-30 03:34 . 2009-06-15 17:33 -------- d-----w- c:\program files\Diablo II
2009-06-30 03:22 . 2007-05-10 06:34 58096 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-29 06:50 . 2005-08-09 13:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-29 06:48 . 2009-05-29 00:08 -------- d-----w- c:\program files\Norton Security Scan
2009-06-28 05:35 . 2007-08-01 04:53 -------- d-----w- c:\program files\Starcraft
2009-06-25 08:42 . 2008-05-27 04:14 -------- d-----w- c:\program files\Warcraft III
2009-06-17 05:01 . 2006-04-07 15:40 -------- d-----w- c:\program files\Common Files\AOL
2009-06-17 04:52 . 2009-06-17 04:52 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2009-06-16 14:36 . 2004-08-10 19:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-10 19:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 17:42 . 2005-12-08 04:21 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-06-12 06:18 . 2009-06-03 00:56 35190 ----a-w- c:\windows\scunin.dat
2009-06-12 06:18 . 2009-06-03 00:56 967 ----a-w- c:\windows\ScUnin.pif
2009-06-12 06:18 . 2009-06-03 00:56 94208 ----a-w- c:\windows\ScUnin.exe
2009-06-03 19:09 . 2004-08-10 19:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-13 05:15 . 2004-08-10 19:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2004-08-10 19:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-04 03:18 . 2007-03-26 03:10 482 ----a-w- c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2009-05-01 05:13 . 2009-05-01 05:11 34 ----a-w- c:\documents and settings\HP_Administrator\jagex_runescape_preferences.dat
2009-04-19 04:08 . 2009-04-19 04:08 152576 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
.

------- Sigcheck -------

[-] 2004-08-10 19:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtServicePackUninstall$\termsrv.dll
[7] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-11-19 10:08 295424 63999D0ABD8DABFD76A9C07F6E104868 c:\windows\system32\termsrv.dll

.
((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-17 21:17 . 2009-07-17 21:17 16384 c:\windows\Temp\Perflib_Perfdata_750.dat

Quicktrance
Novice
Posts: 10
Joined: 2009-07-16
OS: XP
Points: 27042
Likes: 0


Re: Worm.AutoRun.HXB ( Help )

Post by Quicktrance on 17th July 2009, 9:26 pm

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-16 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-08-09 180269]
"VBSysTray"="c:\progra~1\VEXIRA~1\Bin\vbsystry.exe" [2008-11-13 239000]
"AVLoginToDo"="c:\progra~1\VEXIRA~1\Bin\avltd.exe" [2008-11-13 50552]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"ScreenPrint32"="c:\program files\ScreenPrint32 v3\ScreenPrint32.exe" [2008-11-24 446464]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2005-8-9 36903]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\ehome\\ehtray.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Online Services\\AOL\\InstallAol.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Games\\GamerX\\TF2\\hl2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\World of Warcraft Public Test\\WoW-0.1.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft Public Test\\Launcher.exe"=
"c:\\Program Files\\GameHouse\\TextTwist\\TextTwist.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:blizzard
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"57053:TCP"= 57053:TCP:Pando Media Booster
"57053:UDP"= 57053:UDP:Pando Media Booster

R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [8/10/2004 3:00 PM 14336]
R2 VACompManService;Vexira Antivirus Component Manager Service;c:\progra~1\VEXIRA~1\Bin\vbcmserv.exe [11/13/2008 7:25 PM 46496]
R2 VBShld;VBShld;c:\windows\system32\drivers\vbshld.sys [10/27/2008 10:07 AM 272480]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
R3 VBEngNT;VBEngNT;c:\windows\system32\drivers\vbengnt.sys [3/19/2009 3:43 PM 1173992]
R3 VBFilter;VBFilter;c:\windows\system32\drivers\vbfilter.sys [10/27/2008 10:06 AM 27096]
R3 VBRec;VBRec;c:\windows\system32\drivers\vbrec.sys [10/27/2008 10:05 AM 18528]
S3 Dua1;Dua1;\??\c:\documents and settings\HP_Administrator\Desktop\Super MPC Hack Pack 1.0\DualEngine2\DualEngi.sys --> c:\documents and settings\HP_Administrator\Desktop\Super MPC Hack Pack 1.0\DualEngine2\DualEngi.sys [?]
S3 geebers12;geebers12;\??\c:\documents and settings\HP_Administrator\Desktop\Buffy Engine 2.0\nvid888.sys --> c:\documents and settings\HP_Administrator\Desktop\Buffy Engine 2.0\nvid888.sys [?]
S3 kaspersky1;kaspersky1;\??\c:\documents and settings\HP_Administrator\Desktop\Kaspersky_Engine_2\kaspersky.sys --> c:\documents and settings\HP_Administrator\Desktop\Kaspersky_Engine_2\kaspersky.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 11:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]
S3 saruen;saruen;\??\c:\documents and settings\HP_Administrator\Desktop\saruen.sys --> c:\documents and settings\HP_Administrator\Desktop\saruen.sys [?]
S3 sejt1;sejt1;\??\c:\documents and settings\HP_Administrator\Desktop\AkumaEngine33\sejt.sys --> c:\documents and settings\HP_Administrator\Desktop\AkumaEngine33\sejt.sys [?]
S3 SHAK31;SHAK31;\??\c:\documents and settings\HP_Administrator\Desktop\RE 4.2\SHAK3.sys --> c:\documents and settings\HP_Administrator\Desktop\RE 4.2\SHAK3.sys [?]
S3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;c:\windows\system32\drivers\SMC1211.sys [7/11/2001 12:06 PM 23153]
S3 spuce1;spuce1;\??\c:\program files\Wizet\MapleStory\SPUCE\spuce.sys --> c:\program files\Wizet\MapleStory\SPUCE\spuce.sys [?]
S3 XDva277;XDva277;\??\c:\windows\system32\XDva277.sys --> c:\windows\system32\XDva277.sys [?]
S3 xp1;xp1;\??\c:\documents and settings\HP_Administrator\Desktop\GMS v.34 Xleviks pack1.1\xp.sys --> c:\documents and settings\HP_Administrator\Desktop\GMS v.34 Xleviks pack1.1\xp.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-07-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2009-07-17 c:\windows\Tasks\User_Feed_Synchronization-{88A90031-33A4-4E3B-8619-DC14F5F5036A}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: &Yahoo! Search - [You must be registered and logged in to see this link.] files\Yahoo!\Common/ycsrch.htm
IE: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - [You must be registered and logged in to see this link.] files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - [You must be registered and logged in to see this link.] files\ieSpell\wikipedia.HTM
IE: Yahoo! &Dictionary - [You must be registered and logged in to see this link.] files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - [You must be registered and logged in to see this link.] files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - [You must be registered and logged in to see this link.] files\Yahoo!\Common/ycsms.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-17 17:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3720616747-360736051-3086219903-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3720616747-360736051-3086219903-1008\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1116)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-07-17 17:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-17 21:23
ComboFix2.txt 2009-07-16 20:18

Pre-Run: 115,914,035,200 bytes free
Post-Run: 115,752,423,424 bytes free

273 --- E O F --- 2009-07-16 19:02

Quicktrance
Novice
Posts: 10
Joined: 2009-07-16
OS: XP
Points: 27042
Likes: 0


Re: Worm.AutoRun.HXB ( Help )

Post by Quicktrance on 17th July 2009, 9:28 pm

Gotta go to work again, I'll recheck when I get home.

Quicktrance
Novice
Posts: 10
Joined: 2009-07-16
OS: XP
Points: 27042
Likes: 0


Re: Worm.AutoRun.HXB ( Help )

Post by Origin on 18th July 2009, 1:12 am

Now open a new notepad file.
Input this into the notepad file:

Driver::
kaspersky1


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to.)
Post the resulting log back here.


Please download [You must be registered and logged in to see this link.] to your Desktop and run it by double clicking the program's icon.

  1. Wait a couple of seconds for initial scan to finish.
  2. Connect all of your USB storage devices to the PC, one at a time, and keep each one connected at least for 10 seconds.
  3. If there are more USB storage devices to scan, please take a note about the order in which these were connected.
  4. After all the devices are scanned, right click in the Monitor tab, and choose "Save log". That will open the log in Notepad. Please copy and paste the log into this thread.
Explanation: USB storage devices are all the USB devices that get their own partition letter when connected to the PC, e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras, memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Posts: 2685
Joined: 2009-05-05
Gender: Male
OS: Windows Xp Sp3
Points: 31513
Likes: 0


Re: Worm.AutoRun.HXB ( Help )

Post by Quicktrance on 18th July 2009, 11:21 pm

Woh, I made the notepad, dragged it, and it dl'd. Reset my compy. Then I couldn't get online, and now my Vexira Antivirus is not working. It wouldn't let me do anything, so I system restored to earlier today, and now just my antivirus isn't working. The viruses stopped popping up and my compy seems to be running MUCH better, but I dunno what's happening now.

Quicktrance
Novice
Posts: 10
Joined: 2009-07-16
OS: XP
Points: 27042
Likes: 0


Re: Worm.AutoRun.HXB ( Help )

Post by Origin on 18th July 2009, 11:28 pm

It must have been corrupted in the removal of the malware. Also, I recommend using Avira Antivirus; have you tried it? It protects you from over 50,000 viruses and it's free. You can check it out here:

[You must be registered and logged in to see this link.]

Can you do the USBNoRisk instructions please.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Posts: 2685
Joined: 2009-05-05
Gender: Male
OS: Windows Xp Sp3
Points: 31513
Likes: 0


Re: Worm.AutoRun.HXB ( Help )

Post by Quicktrance on 18th July 2009, 11:33 pm

USBNoRisk 2.4 (1 June 2009) by bobby

Started at 7/18/2009 7:31:50 PM

Searching for connected USB Mass storage...
----------------------------------------
========================================

Searching for other storage...
----------------------------------------
D: {7cfc1fe4-ae6f-11db-be51-806d6172696f}
C: {7cfc1fe5-ae6f-11db-be51-806d6172696f}
========================================


Scanning fixed storage...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 7cfc1fe5-ae6f-11db-be51-806d6172696f
No Desktop.ini files found on C:
----------------------------------------

No blocked files found on D:
No Autorun.inf files found on D:
No mountpoint found for D:
No mountpoint found for 7cfc1fe4-ae6f-11db-be51-806d6172696f
----------------------------------------
Desktop.ini found at D:\cmdcons\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------
Desktop.ini found at D:\hp\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------
Desktop.ini found at D:\I386\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------
Desktop.ini found at D:\MiniNT\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------
Desktop.ini found at D:\PRELOAD\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------
Desktop.ini found at D:\RECOVERY\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------
Desktop.ini found at D:\SYSTEM.SAV\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------
Desktop.ini found at D:\TOOLS\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------
Desktop.ini found at D:\System Volume Information\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------
Desktop.ini found at D:\Recycled\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
----------------------------------------
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
----------------------------------------
Desktop.ini found at D:\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

[ShellvRTF]
RTFPath="protect.ed"
----------------------------------------
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKCR\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\DefaultIcon,@ = C:\WINDOWS\system32\ShellvRTF.dll,0
HKLM\Software\Classes\CLSID\{7f67036b-66f1-411a-ad85-759fb9c5b0db}\InprocServer32,@ = C:\WINDOWS\system32\ShellvRTF.dll
----------------------------------------

========================================
Initial scan finished!
========================================

Quicktrance
Novice
Posts: 10
Joined: 2009-07-16
OS: XP
Points: 27042
Likes: 0

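The USBNoRisk log above comes from a checker that walks each volume for Autorun.inf and Desktop.ini files and, for every Desktop.ini carrying a [.ShellClassInfo] CLSID, resolves that CLSID to its InprocServer32 DLL in the registry so the reader can judge the handler. As an added example, not USBNoRisk's code and not posted in this thread, the Python below applies the same two checks to file contents: it flags any autorun.inf key that would launch a file from the volume, and any Desktop.ini CLSID outside a small allowlist of well-known shell folders, reporting the DLL the CLSID maps to. The registry is simulated with an in-memory dict so it runs offline; the sample file contents, the CLSID {00000000-1111-2222-3333-444444444444} and the path example_handler.dll are constructed placeholders.

```python
"""Flag autorun.inf / Desktop.ini entries worth a second look.

Added example for this thread; it is not USBNoRisk's code. The registry
lookup is simulated with a dict (constructed) so the script runs offline.
"""
import configparser
from typing import Dict, List, Optional

# Shell-folder CLSIDs that legitimately appear in Desktop.ini (partial allowlist).
KNOWN_SHELL_CLSIDS = {
    "{645FF040-5081-101B-9F08-00AA002F954E}",  # Recycle Bin
    "{20D04FE0-3AEA-1069-A2D8-08002B30309D}",  # My Computer
}

# autorun.inf keys that make Explorer run a file on insertion or double-click.
LAUNCH_KEYS = ("open", "shellexecute", r"shell\open\command", r"shell\explore\command")

# Constructed sample inputs (not taken from the thread).
SAMPLE_AUTORUN_INF = r"""[autorun]
open=setup.exe
icon=%SystemRoot%\system32\shell32.dll,4
shell\open\command=setup.exe
junk line without a delimiter
"""
SAMPLE_BENIGN_DESKTOP_INI = r"""[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
"""
SAMPLE_SUSPECT_DESKTOP_INI = r"""[.ShellClassInfo]
CLSID={00000000-1111-2222-3333-444444444444}
"""
# Simulated HKCR\CLSID\<clsid>\InprocServer32 default values (constructed).
SAMPLE_CLSID_REGISTRY: Dict[str, str] = {
    "{00000000-1111-2222-3333-444444444444}": r"C:\Windows\system32\example_handler.dll",
}


def parse_ini(text: str) -> configparser.ConfigParser:
    """INI parser tuned for these files: no %-interpolation (values contain
    %SystemRoot%), duplicate keys tolerated, lines without '=' allowed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    return cp


def _section(cp: configparser.ConfigParser, wanted: str) -> Optional[str]:
    """Section names are case-sensitive in configparser; match them loosely."""
    for name in cp.sections():
        if name.lower() == wanted.lower():
            return name
    return None


def check_autorun_inf(text: str) -> List[str]:
    """One finding per key that would execute a file from the volume."""
    cp = parse_ini(text)
    section = _section(cp, "autorun")
    if section is None:
        return []
    findings = []
    for key in LAUNCH_KEYS:  # option names are lower-cased by configparser on both sides
        value = cp.get(section, key, fallback=None)
        if value:
            findings.append(f"autorun.inf launches '{value}' via '{key}='")
    return findings


def check_desktop_ini(text: str, clsid_registry: Dict[str, str]) -> List[str]:
    """Flag a Desktop.ini whose [.ShellClassInfo] CLSID is not a known shell
    folder, and report the DLL the (simulated) registry maps it to."""
    cp = parse_ini(text)
    section = _section(cp, ".ShellClassInfo")
    if section is None:
        return []
    clsid = cp.get(section, "clsid", fallback=None)
    if not clsid:
        return []
    clsid = clsid.strip().upper()
    if clsid in KNOWN_SHELL_CLSIDS:
        return []
    handler = clsid_registry.get(clsid, "<not registered>")
    return [f"Desktop.ini CLSID {clsid} is not a known shell folder; InprocServer32 = {handler}"]


if __name__ == "__main__":
    for line in check_autorun_inf(SAMPLE_AUTORUN_INF):
        print(line)
    for line in check_desktop_ini(SAMPLE_BENIGN_DESKTOP_INI, SAMPLE_CLSID_REGISTRY):
        print(line)
    for line in check_desktop_ini(SAMPLE_SUSPECT_DESKTOP_INI, SAMPLE_CLSID_REGISTRY):
        print(line)
```

An unlisted CLSID is a prompt to inspect the DLL it resolves to, not a verdict: vendors register their own shell handlers, and the allowlist here is deliberately short. On a live system the dict would be replaced by a read of HKCR\CLSID\{clsid}\InprocServer32, and the file contents by the Autorun.inf and Desktop.ini found at each volume's root and subfolders.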

Re: Worm.AutoRun.HXB ( Help )

Post by Quicktrance on 18th July 2009, 11:37 pm

As for Avira Antivirus, I'm downloading it right now. Thanks for the tip on that. Should I uninstall the other one?

Quicktrance
Novice
Posts: 10
Joined: 2009-07-16
OS: XP
Points: 27042
Likes: 0


Re: Worm.AutoRun.HXB ( Help )

Post by Origin on 18th July 2009, 11:45 pm

Yes please, but do the following to uninstall it. I recommend this way because it removes it entirely from your system, as it removes reg keys and such:

Please download Revo Uninstall from here: [You must be registered and logged in to see this link.]

  1. Download and run the setup file for Revo Uninstaller.
  2. Once setup, run Revo Uninstaller.
  3. Select the following item for removal by clicking on it once.

    Vexira

  4. Then hit the "Uninstall" button at the top.
  5. Close Revo Uninstaller.


I also recommend a firewall with HIPS (Host Intrusion Prevention System).

Please consider maintaining a firewall with HIPS (Host Intrusion Prevention System). Firewalls are extremely important and are the first part of your computer's defense. HIPS stops malware by monitoring its behavior, and it's very important, too.
A firewall is a software program or piece of hardware that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet.
If you are using the Windows Firewall, please note that it doesn't monitor or block outbound traffic and is therefore less effective than other free alternatives.

These firewalls are good and do have free versions available. A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

**Note: If you are running an internet security suite with a personal firewall, this is not recommended, as they could cause huge problems and conflict with each other.


Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double-click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Posts: 2685
Joined: 2009-05-05
Gender: Male
OS: Windows Xp Sp3
Points: 31513
Likes: 0


Re: Worm.AutoRun.HXB ( Help )

Post by Quicktrance on 19th July 2009, 12:08 am

Malwarebytes' Anti-Malware 1.39
Database version: 2461
Windows 5.1.2600 Service Pack 3

7/18/2009 8:08:18 PM
mbam-log-2009-07-18 (20-08-18).txt

Scan type: Quick Scan
Objects scanned: 97572
Time elapsed: 6 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 4
Files Infected: 24

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\HP_Administrator\Application Data\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\hp_administrator\application data\malwareremovalbot\Log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\hp_administrator\application data\malwareremovalbot\Settings (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SystemX86 (Worm.Archive) -> Quarantined and deleted successfully.

Files Infected:
c:\windows\system32\cfeeeeec.dll (Worm.AutoRun) -> Quarantined and deleted successfully.
c:\windows\system32\fbadcaddddffd.dll (Trojan.ToolKiller) -> Quarantined and deleted successfully.
c:\documents and settings\hp_administrator\application data\malwareremovalbot\rs.dat (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\hp_administrator\application data\malwareremovalbot\Log\2008 Nov 21 - 10_23_42 PM_359.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\hp_administrator\application data\malwareremovalbot\Log\2008 Nov 23 - 11_36_36 AM_531.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\hp_administrator\application data\malwareremovalbot\Log\2008 Nov 23 - 11_40_55 AM_296.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\hp_administrator\application data\malwareremovalbot\Log\2008 Nov 23 - 11_41_18 AM_234.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\hp_administrator\application data\malwareremovalbot\Settings\ScanResults.pie (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\213.crack.zip (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\213.crack.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\214.keygen.zip (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\214.keygen.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\215.serial.zip (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\215.serial.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\216.setup.zip (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\216.setup.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\217.music.au (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\217.music.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\218.music2.au (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\218.music2.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\219.music3.au (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\219.music3.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\220.music.snd (Worm.Archive) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\220.music.snd.kwd (Worm.Archive) -> Quarantined and deleted successfully.

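The Malwarebytes' Anti-Malware log above is one of the standard artefacts in a cleanup thread like this, and the three "Registry Data Items" lines deserve a closer look: "Bad: (1) Good: (0)" means the Security Center notification-disable values had been set to 1 (alerts about a disabled antivirus, firewall and updates suppressed) and MBAM put them back to 0. The following is an added example, not code from the thread or from Malwarebytes: a small Python parser for the "Infected" sections of this log format that tallies detections and pulls out the Security Center tampering. The sample input is copied from the log above (a subset of its lines); the regular expressions assume the line layout shown in this log and are not an official specification of the MBAM format.

```python
"""Parse the 'Infected' sections of a Malwarebytes' Anti-Malware (MBAM) scan log.

Added example. SAMPLE_LOG is a subset of the lines from the log posted in the
thread; ENTRY_RE is an assumption based on the layout of those lines, not an
official description of the MBAM log format.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Sample lines copied from the posted MBAM log (one section header per block).
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\SystemX86 (Worm.Archive) -> Quarantined and deleted successfully.

Files Infected:
c:\windows\system32\cfeeeeec.dll (Worm.AutoRun) -> Quarantined and deleted successfully.
c:\windows\system32\fbadcaddddffd.dll (Trojan.ToolKiller) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\systemx86\213.crack.zip (Worm.Archive) -> Quarantined and deleted successfully.
"""

# "Files Infected:", "Registry Data Items Infected:", ... (the summary lines at the
# top of the log end in ": <count>" and therefore do not match).
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")

# <path> (<detection name>) -> [Bad: (<x>) Good: (<y>) -> ]<action>.
# The Bad/Good part only appears on registry data items.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) \((?P<detection>[A-Za-z0-9._-]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>.+?)\.?$"
)


@dataclass
class Entry:
    section: str
    path: str
    detection: str
    action: str
    bad: Optional[str] = None   # value MBAM found (registry data items only)
    good: Optional[str] = None  # value MBAM restored (registry data items only)


def parse_mbam_log(text: str) -> List[Entry]:
    """Return one Entry per detection line, tagged with the section it sits in."""
    entries: List[Entry] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        # Blank lines and "(No malicious items detected)" carry no entry.
        if not line or line.startswith("("):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None:
            continue  # header text before the first "Infected:" section
        m = ENTRY_RE.match(line)
        if not m:
            continue  # not a detection line in the layout we understand
        entries.append(Entry(section=section, path=m["path"],
                             detection=m["detection"], action=m["action"],
                             bad=m["bad"], good=m["good"]))
    return entries


def count_by_detection(entries: List[Entry]) -> Counter:
    """Tally entries by MBAM detection name (e.g. Worm.Archive)."""
    return Counter(e.detection for e in entries)


def security_center_tampering(entries: List[Entry]) -> List[str]:
    """Names of Security Center *DisableNotify values MBAM found set to 1.

    A value of 1 suppresses the Security Center alert for that component;
    MBAM reports the value it found as Bad and the restored value as Good.
    """
    return [e.path.rsplit("\\", 1)[1] for e in entries
            if "\\Security Center\\" in e.path and e.bad == "1"]


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for e in found:
        print(f"{e.section:30} {e.detection:24} {e.path}")
    print("By detection:", dict(count_by_detection(found)))
    print("Security Center alerts that had been suppressed:",
          security_center_tampering(found))
```

Run against the full log rather than the excerpt, the same parser makes the "Files Infected: 24" summary line checkable against the number of entries actually listed, which is a quick way to spot a truncated paste.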

Re: Worm.AutoRun.HXB ( Help )

Post by Origin on 19th July 2009, 3:02 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

How is the machine running now?


