francis


Posts posted by francis

  1. Go to Microsoft's website => http://support.microsoft.com/kb/310994

    Select the download that's appropriate for your Operating System.

    Download the file & save it as it's originally named, next to ComboFix.exe.

    Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

    Please do not reboot your machine until we have reviewed the log.

    I would also like to see an Uninstall List:

    • Open HijackThis, click Config, click Misc Tools
      Click "Open Uninstall Manager"
      Click "Save List" (generates uninstall_list.txt)

    -Ryan

    Hi Ryan

    I did the download from Microsoft. Dropped the setup file onto the ComboFix.exe file and agreed to the end user agreement. When it was done it asked me whether to continue scanning or not and I pressed OK to continue scanning. There wasn't a CF_RC.txt file after the scan.... Was this right?

    I also did the uninstall list; here it is, as follows:

    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)

    Adobe Flash Player ActiveX

    Adobe Reader 8.1.2

    ASUS InstantFun

    ASUS Live Update

    ASUS Splendid Video Enhancement Technology

    ASUS Touch Pad Extra

    Asus_Camera_ScreenSaver

    Atheros Client Installation Program

    ATI - Software Uninstall Utility

    ATI Catalyst Control Center

    ATI Display Driver

    ATI Parental Control & Encoder

    ATK Hotkey

    ATK Media

    ATKOSD2

    AVG 7.5

    Compatibility Pack for the 2007 Office system

    FBrowsingAdvisor

    Google Toolbar for Internet Explorer

    Google Toolbar for Internet Explorer

    HijackThis 2.0.2

    Hotfix for Windows Internet Explorer 7 (KB947864)

    Hotfix for Windows XP (KB909394)

    Hotfix for Windows XP (KB914440)

    Hotfix for Windows XP (KB915865)

    Hotfix for Windows XP (KB918005)

    Hotfix for Windows XP (KB935448)

    Installation_Tool

    Java 6 Update 3

    Java SE Runtime Environment 6

    Lantronix DeviceInstaller

    LifeFrame2

    Microsoft .NET Framework 1.1

    Microsoft .NET Framework 1.1

    Microsoft .NET Framework 1.1 Hotfix (KB928366)

    Microsoft .NET Framework 2.0 Service Pack 1

    Microsoft ActiveSync

    Microsoft Internationalized Domain Names Mitigation APIs

    Microsoft National Language Support Downlevel APIs

    Microsoft Office Professional Edition 2003

    Motorola SM56 Speakerphone Modem

    MSN

    MSXML 4.0 SP2 (KB936181)

    NB Probe

    NoAdware v5.0

    OfficeServ Manager Launch Pad Uninstall

    Pastel Xpress 2007

    Pervasive System Analyzer

    Pervasive.SQL 9.60 Workgroup for Windows

    PL-2303 USB-to-Serial

    Power4 Gear

    Readiris Pro 9

    Realtek High Definition Audio Driver

    Realtek USB 2.0 Card Reader

    Samsung SCX-4x21 Series

    Security Update for Step By Step Interactive Training (KB923723)

    Security Update for Windows Internet Explorer 7 (KB938127)

    Security Update for Windows Internet Explorer 7 (KB942615)

    Security Update for Windows Internet Explorer 7 (KB944533)

    Security Update for Windows Internet Explorer 7 (KB950759)

    Security Update for Windows Media Player 10 (KB936782)

    Security Update for Windows Media Player 6.4 (KB925398)

    Security Update for Windows XP (KB900725)

    Security Update for Windows XP (KB901017)

    Security Update for Windows XP (KB902400)

    Security Update for Windows XP (KB905414)

    Security Update for Windows XP (KB905749)

    Security Update for Windows XP (KB911562)

    Security Update for Windows XP (KB913580)

    Security Update for Windows XP (KB914388)

    Security Update for Windows XP (KB914389)

    Security Update for Windows XP (KB917344)

    Security Update for Windows XP (KB918118)

    Security Update for Windows XP (KB918439)

    Security Update for Windows XP (KB919007)

    Security Update for Windows XP (KB920213)

    Security Update for Windows XP (KB920670)

    Security Update for Windows XP (KB920683)

    Security Update for Windows XP (KB920685)

    Security Update for Windows XP (KB922819)

    Security Update for Windows XP (KB923191)

    Security Update for Windows XP (KB923414)

    Security Update for Windows XP (KB923689)

    Security Update for Windows XP (KB923980)

    Security Update for Windows XP (KB924270)

    Security Update for Windows XP (KB924496)

    Security Update for Windows XP (KB924667)

    Security Update for Windows XP (KB925902)

    Security Update for Windows XP (KB926255)

    Security Update for Windows XP (KB926436)

    Security Update for Windows XP (KB927779)

    Security Update for Windows XP (KB927802)

    Security Update for Windows XP (KB928255)

    Security Update for Windows XP (KB928843)

    Security Update for Windows XP (KB929123)

    Security Update for Windows XP (KB930178)

    Security Update for Windows XP (KB931261)

    Security Update for Windows XP (KB931784)

    Security Update for Windows XP (KB932168)

    Security Update for Windows XP (KB933729)

    Security Update for Windows XP (KB935839)

    Security Update for Windows XP (KB935840)

    Security Update for Windows XP (KB936021)

    Security Update for Windows XP (KB937894)

    Security Update for Windows XP (KB938127)

    Security Update for Windows XP (KB938829)

    Security Update for Windows XP (KB941202)

    Security Update for Windows XP (KB941568)

    Security Update for Windows XP (KB941569)

    Security Update for Windows XP (KB941644)

    Security Update for Windows XP (KB941693)

    Security Update for Windows XP (KB943055)

    Security Update for Windows XP (KB943460)

    Security Update for Windows XP (KB943485)

    Security Update for Windows XP (KB944533)

    Security Update for Windows XP (KB944653)

    Security Update for Windows XP (KB945553)

    Security Update for Windows XP (KB946026)

    Security Update for Windows XP (KB948590)

    Security Update for Windows XP (KB948881)

    Security Update for Windows XP (KB950749)

    Security Update for Windows XP (KB950760)

    Security Update for Windows XP (KB950762)

    Security Update for Windows XP (KB951376)

    Security Update for Windows XP (KB951376-v2)

    Security Update for Windows XP (KB951698)

    SmarThru 4

    SmarThru PC Fax

    Spyware Doctor 5.0

    Striata Reader

    Synaptics Pointing Device Driver

    Update for Windows XP (KB898461)

    Update for Windows XP (KB900485)

    Update for Windows XP (KB904942)

    Update for Windows XP (KB908531)

    Update for Windows XP (KB911164)

    Update for Windows XP (KB911280)

    Update for Windows XP (KB916595)

    Update for Windows XP (KB920872)

    Update for Windows XP (KB922582)

    Update for Windows XP (KB927891)

    Update for Windows XP (KB930916)

    Update for Windows XP (KB932823-v3)

    Update for Windows XP (KB936357)

    Update for Windows XP (KB938828)

    Update for Windows XP (KB942763)

    Update for Windows XP (KB942840)

    USB2.0 1.3M WebCam

    Windows Installer 3.1 (KB893803)

    Windows Internet Explorer 7

    Windows Media Format Runtime

    Windows Media Player 10

    Windows Media Player 10 Hotfix - KB894476

    Windows XP Hotfix - KB886185

    WinFlash

    Wireless Console 2

    Yahoo! Toolbar

    Here is also the HijackThis report that was run after the install of the Recovery Console:

    ComboFix 08-06-30.2 - Dialtech 2008-07-02 15:27:07.2 - FAT32x86

    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.447 [GMT 2:00]

    Running from: C:\Documents and Settings\Dialtech\Desktop\ComboFix.exe

    Command switches used :: C:\Documents and Settings\Dialtech\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

    * Created a new restore point

    .

    ((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))

    .

    2008-06-23 18:54 . 2008-06-23 18:54 <DIR> d-------- C:\Program Files\Trend Micro

    2008-06-20 15:43 . 2008-03-15 16:34 802,816 --a------ C:\WINDOWS\system32\IT_Engine.dll

    2008-06-20 15:43 . 2000-06-19 10:05 421,891 --a------ C:\WINDOWS\system32\Vsflex7L.ocx

    2008-06-20 15:43 . 1998-07-22 00:00 102,912 --a------ C:\WINDOWS\system32\VB6STKIT.DLL

    2008-06-20 15:43 . 2007-12-12 17:01 73,728 --a------ C:\WINDOWS\system32\CommXPCtrl.ocx

    2008-06-11 07:38 . 2008-06-13 15:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys

    2008-06-11 07:38 . 2008-06-13 15:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2008-07-02 13:02 290,912 ----a-w C:\WINDOWS\xcopy.bin

    2008-05-12 19:08 --------- d-----w C:\Documents and Settings\Dialtech\Application Data\DivX

    2008-05-12 19:05 --------- d-----w C:\Documents and Settings\Dialtech\Application Data\Yahoo!

    2008-05-12 19:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion

    2008-05-12 19:04 --------- d-----w C:\Program Files\Yahoo!

    2008-05-12 19:04 --------- d-----w C:\Program Files\DivX

    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys

    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys

    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll

    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll

    2008-04-23 20:16 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll

    2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe

    2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe

    2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe

    2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll

    2008-02-25 15:21 190 ----a-w C:\Program Files\Common Files\psasetup.log

    .

    ((((((((((((((((((((((((((((( snapshot@2008-07-01_ 8.24.33.40 )))))))))))))))))))))))))))))))))))))))))

    .

    - 2008-07-01 05:56:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat

    + 2008-07-02 12:56:26 2,048 --s-a-w C:\WINDOWS\bootstat.dat

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "StartCCC"="c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]

    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 20:00 15360]

    "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "ATKOSD2"="C:\Program Files\ATKOSD2\ATKOSD2.exe" [2007-07-03 10:48 7708672]

    "ATKHOTKEY"="C:\Program Files\ATK Hotkey\Hcontrol.exe" [2007-07-12 10:25 225280]

    "ATKMEDIA"="C:\Program Files\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 08:27 61440]

    "ASUS Live Update"="C:\Program Files\ASUS\ASUS Live Update\ALU.exe" [2007-07-19 15:41 49520]

    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 13:02 786521]

    "ACMON"="C:\Program Files\ASUS\Splendid\ACMON.exe" [2007-07-10 10:59 851968]

    "ABLKSR"="C:\WINDOWS\ABLKSR\ABLKSR.exe" [2006-01-03 03:14 61440]

    "SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 10:31 630784]

    "Power_Gear"="C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" [2006-07-26 18:01 90112]

    "Wireless Console 2"="C:\Program Files\Wireless Console 2\wcourier.exe" [2007-07-05 16:53 1040384]

    "ASUSTPE"="C:\WINDOWS\system32\ASUSTPE.exe" [2007-01-16 16:13 106496]

    "ASUS Camera ScreenSaver"="C:\WINDOWS\ASScrProlog.exe" [2008-02-24 22:10 37232]

    "ASUS Screen Saver Protector"="C:\WINDOWS\ASScrPro.exe" [2008-02-24 22:10 33136]

    "ACU"="C:\Program Files\Atheros\ACU.exe" [2007-05-03 17:42 376921]

    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-27 19:13 580096]

    "WHITNEY_S2P"="C:\Program Files\Samsung\Samsung SCX-4x21 Series\PSU\Scan2pc.exe" [2006-03-27 08:35 229376]

    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

    "RTHDCPL"="RTHDCPL.EXE" [2006-10-30 12:49 16269312 C:\WINDOWS\RTHDCPL.exe]

    "SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-25 10:28 219136]

    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\

    CCC.lnk - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-09-29 09:57:36 49152]

    C:\Documents and Settings\Dialtech\Start Menu\Programs\Startup\

    CCC.lnk - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-09-29 09:57:36 49152]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

    Pervasive.SQL Workgroup Engine.lnk - C:\PVSW\bin\w3dbsmgr.exe [2007-04-15 13:43:14 112208]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"=

    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=

    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=

    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

    "C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

    "C:\\PVSW\\bin\\w3dbsmgr.exe"=

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    "C:\\Program Files\\Lantronix\\DeviceInstaller\\DeviceInstaller.exe"=

    "C:\\Program Files\\Microsoft ActiveSync\\RAPIMGR.EXE"=

    "C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;C:\WINDOWS\System32\StkCSrv.exe [2007-04-18 23:42]

    R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l251x86.sys [2007-08-21 09:50]

    R3 RTSTOR;USB Mass Stroage Device;C:\WINDOWS\system32\drivers\RTSTOR.SYS [2006-06-10 00:07]

    R3 StkCMini;Syntek AVStream USB2.0 1.3M WebCam;C:\WINDOWS\system32\Drivers\StkCMini.sys [2007-06-06 03:40]

    R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2007-03-28 19:52]

    S2 SSPORT;SSPORT;C:\WINDOWS\system32\Drivers\SSPORT.sys []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a74fad96-0edc-11dd-8883-001d60b07209}]

    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL driver.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]

    msiexec /fums {857D4360-762B-978B-76AD-491AA719E47A} /qb

    .

    Contents of the 'Scheduled Tasks' folder

    "2008-06-26 01:00:02 C:\WINDOWS\Tasks\RegCure.job"

    - C:\Documents and Settings\Dialtech\Desktop\RegCure\RegCure.exe

    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2008-07-02 15:28:12

    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully

    hidden files: 0

    **************************************************************************

    .

    Completion time: 2008-07-02 15:28:31

    ComboFix-quarantined-files.txt 2008-07-02 13:28:30

    ComboFix2.txt 2008-07-01 06:24:44

    Pre-Run: 29,900,177,408 bytes free

    Post-Run: 29,902,438,400 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

    [boot loader]

    timeout=2

    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

    [operating systems]

    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

    134 --- E O F --- 2008-06-21 06:59:27

    I also had to reboot the PC because it would not let me go onto the internet... Sorry!!!

    Regards,

    Francis

  2. Hi Ryan

    Thank you for responding. Here is a ComboFix log report followed by a HijackThis report.

    ComboFix 08-06-30.2 - Dialtech 2008-07-01 8:22:57.1 - FAT32x86

    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.460 [GMT 2:00]

    Running from: C:\Documents and Settings\Dialtech\Desktop\ComboFix.exe

    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    C:\Documents and Settings\Dialtech\Application Data\macromedia\Flash Player\#SharedObjects\8RPCZHYV\iforex.com

    C:\Documents and Settings\Dialtech\Application Data\macromedia\Flash Player\#SharedObjects\8RPCZHYV\iforex.com\Emerp\Events\flash_object.swf\user_data.sol

    C:\Documents and Settings\Dialtech\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com

    C:\Documents and Settings\Dialtech\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol

    C:\Program Files\InternetSoftware\InternetSoftware-1.dll

    C:\Program Files\InternetSoftware\pcre3.dll

    C:\Program Files\InternetSoftware\uninstall.exe

    .

    ((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))

    .

    2008-06-23 18:54 . 2008-06-23 18:54 <DIR> d-------- C:\Program Files\Trend Micro

    2008-06-20 15:43 . 2008-03-15 16:34 802,816 --a------ C:\WINDOWS\system32\IT_Engine.dll

    2008-06-20 15:43 . 2000-06-19 10:05 421,891 --a------ C:\WINDOWS\system32\Vsflex7L.ocx

    2008-06-20 15:43 . 1998-07-22 00:00 102,912 --a------ C:\WINDOWS\system32\VB6STKIT.DLL

    2008-06-20 15:43 . 2007-12-12 17:01 73,728 --a------ C:\WINDOWS\system32\CommXPCtrl.ocx

    2008-06-11 07:38 . 2008-06-13 15:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys

    2008-06-11 07:38 . 2008-06-13 15:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2008-06-27 06:02 290,912 ----a-w C:\WINDOWS\xcopy.bin

    2008-05-12 19:08 --------- d-----w C:\Documents and Settings\Dialtech\Application Data\DivX

    2008-05-12 19:05 --------- d-----w C:\Documents and Settings\Dialtech\Application Data\Yahoo!

    2008-05-12 19:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion

    2008-05-12 19:04 --------- d-----w C:\Program Files\Yahoo!

    2008-05-12 19:04 --------- d-----w C:\Program Files\DivX

    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys

    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys

    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll

    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll

    2008-04-23 20:16 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll

    2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe

    2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe

    2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe

    2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll

    2008-02-25 15:21 190 ----a-w C:\Program Files\Common Files\psasetup.log

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "StartCCC"="c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]

    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 20:00 15360]

    "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "ATKOSD2"="C:\Program Files\ATKOSD2\ATKOSD2.exe" [2007-07-03 10:48 7708672]

    "ATKHOTKEY"="C:\Program Files\ATK Hotkey\Hcontrol.exe" [2007-07-12 10:25 225280]

    "ATKMEDIA"="C:\Program Files\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 08:27 61440]

    "ASUS Live Update"="C:\Program Files\ASUS\ASUS Live Update\ALU.exe" [2007-07-19 15:41 49520]

    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 13:02 786521]

    "ACMON"="C:\Program Files\ASUS\Splendid\ACMON.exe" [2007-07-10 10:59 851968]

    "ABLKSR"="C:\WINDOWS\ABLKSR\ABLKSR.exe" [2006-01-03 03:14 61440]

    "SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 10:31 630784]

    "Power_Gear"="C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" [2006-07-26 18:01 90112]

    "Wireless Console 2"="C:\Program Files\Wireless Console 2\wcourier.exe" [2007-07-05 16:53 1040384]

    "ASUSTPE"="C:\WINDOWS\system32\ASUSTPE.exe" [2007-01-16 16:13 106496]

    "ASUS Camera ScreenSaver"="C:\WINDOWS\ASScrProlog.exe" [2008-02-24 22:10 37232]

    "ASUS Screen Saver Protector"="C:\WINDOWS\ASScrPro.exe" [2008-02-24 22:10 33136]

    "ACU"="C:\Program Files\Atheros\ACU.exe" [2007-05-03 17:42 376921]

    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-27 19:13 580096]

    "WHITNEY_S2P"="C:\Program Files\Samsung\Samsung SCX-4x21 Series\PSU\Scan2pc.exe" [2006-03-27 08:35 229376]

    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

    "RTHDCPL"="RTHDCPL.EXE" [2006-10-30 12:49 16269312 C:\WINDOWS\RTHDCPL.exe]

    "SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-25 10:28 219136]

    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\

    CCC.lnk - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-09-29 09:57:36 49152]

    C:\Documents and Settings\Dialtech\Start Menu\Programs\Startup\

    CCC.lnk - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-09-29 09:57:36 49152]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

    Pervasive.SQL Workgroup Engine.lnk - C:\PVSW\bin\w3dbsmgr.exe [2007-04-15 13:43:14 112208]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"=

    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=

    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=

    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

    "C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

    "C:\\PVSW\\bin\\w3dbsmgr.exe"=

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    "C:\\Program Files\\Lantronix\\DeviceInstaller\\DeviceInstaller.exe"=

    "C:\\Program Files\\Microsoft ActiveSync\\RAPIMGR.EXE"=

    "C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;C:\WINDOWS\System32\StkCSrv.exe [2007-04-18 23:42]

    R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l251x86.sys [2007-08-21 09:50]

    R3 RTSTOR;USB Mass Stroage Device;C:\WINDOWS\system32\drivers\RTSTOR.SYS [2006-06-10 00:07]

    R3 StkCMini;Syntek AVStream USB2.0 1.3M WebCam;C:\WINDOWS\system32\Drivers\StkCMini.sys [2007-06-06 03:40]

    R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2007-03-28 19:52]

    S2 SSPORT;SSPORT;C:\WINDOWS\system32\Drivers\SSPORT.sys []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a74fad96-0edc-11dd-8883-001d60b07209}]

    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL driver.exe

    *Newly Created Service* - CATCHME

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]

    msiexec /fums {857D4360-762B-978B-76AD-491AA719E47A} /qb

    .

    Contents of the 'Scheduled Tasks' folder

    "2008-06-26 01:00:02 C:\WINDOWS\Tasks\RegCure.job"

    - C:\Documents and Settings\Dialtech\Desktop\RegCure\RegCure.exe

    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2008-07-01 08:24:22

    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully

    hidden files: 0

    **************************************************************************

    .

    Completion time: 2008-07-01 8:24:41

    ComboFix-quarantined-files.txt 2008-07-01 06:24:40

    Pre-Run: 29,403,774,976 bytes free

    Post-Run: 29,931,569,152 bytes free

    132 --- E O F --- 2008-06-21 06:59:27

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 08:29:31 AM, on 2008/07/01

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v7.00 (7.00.6000.16674)

    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\system32\acs.exe

    C:\Program Files\ATKOSD2\ATKOSD2.exe

    C:\Program Files\ATK Hotkey\Hcontrol.exe

    C:\WINDOWS\RTHDCPL.EXE

    C:\Program Files\ASUS\ATK Media\DMEDIA.EXE

    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    C:\Program Files\ASUS\Splendid\ACMON.exe

    C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

    C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe

    C:\WINDOWS\system32\ASUSTPE.exe

    C:\WINDOWS\ASScrPro.exe

    C:\Program Files\Samsung\Samsung SCX-4x21 Series\PSU\Scan2pc.exe

    C:\WINDOWS\system32\ACEngSvr.exe

    C:\WINDOWS\system32\ctfmon.exe

    c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe

    C:\PVSW\bin\w3dbsmgr.exe

    C:\PROGRA~1\MICROS~3\rapimgr.exe

    C:\Program Files\ATK Hotkey\ATKOSD.exe

    c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

    C:\Program Files\ATK Hotkey\KBFiltr.exe

    C:\Program Files\ATK Hotkey\WDC.exe

    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

    C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\StkCSrv.exe

    C:\WINDOWS\explorer.exe

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.asus.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)

    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    O4 - HKLM\..\Run: [ATKOSD2] "C:\Program Files\ATKOSD2\ATKOSD2.exe"

    O4 - HKLM\..\Run: [ATKHOTKEY] "C:\Program Files\ATK Hotkey\Hcontrol.exe"

    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

    O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

    O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE

    O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe

    O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    O4 - HKLM\..\Run: [ACMON] "C:\Program Files\ASUS\Splendid\ACMON.exe"

    O4 - HKLM\..\Run: [ABLKSR] C:\WINDOWS\ABLKSR\ABLKSR.exe

    O4 - HKLM\..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

    O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1

    O4 - HKLM\..\Run: [Wireless Console 2] "C:\Program Files\Wireless Console 2\wcourier.exe"

    O4 - HKLM\..\Run: [ASUSTPE] C:\WINDOWS\system32\ASUSTPE.exe

    O4 - HKLM\..\Run: [ASUS Camera ScreenSaver] C:\WINDOWS\ASScrProlog.exe

    O4 - HKLM\..\Run: [ASUS Screen Saver Protector] C:\WINDOWS\ASScrPro.exe

    O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui

    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

    O4 - HKLM\..\Run: [WHITNEY_S2P] C:\Program Files\Samsung\Samsung SCX-4x21 Series\PSU\Scan2pc.exe

    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

    O4 - HKCU\..\Run: [startCCC] c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"

    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

    O4 - .DEFAULT User Startup: CCC.lnk = ? (User 'Default user')

    O4 - Startup: CCC.lnk = ?

    O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\bin\w3dbsmgr.exe

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com

    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab

    O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab

    O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab

    O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe

    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe

    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

    O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe

    O23 - Service: Syntek AVStream USB2.0 WebCam Service (StkSSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkCSrv.exe

    --

    End of file - 8524 bytes

    So far it seems to be running better. There have not been any pop-ups as yet, but please reply if there is something else. I saw that there is not a recovery console; please respond to this.

    Francis

  3. Hi BT

    My name is Francis. I have this problem where every time I go onto the internet I get these pop-ups of ads, and on the bottom right-hand side "Ad served by internet software" pops up! My PC also runs slower between applications, and when I close My Documents all the icons disappear and then come back after a while. How do I get rid of this? It started about a month or two ago. I tried running PC Tools Spyware Doctor, No Adware and AVG Free, but none seem to pick up anything. I downloaded HijackThis and did a scan. Here is the log report below.

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 09:58:33 AM, on 2008/06/24

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v7.00 (7.00.6000.16674)

    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\csrss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\system32\acs.exe

    C:\WINDOWS\Explorer.EXE

    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

    C:\Program Files\Spyware Doctor\svcntaux.exe

    C:\Program Files\Spyware Doctor\swdsvc.exe

    C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\StkCSrv.exe

    C:\WINDOWS\system32\wdfmgr.exe

    C:\Program Files\Spyware Doctor\SDTrayApp.exe

    C:\WINDOWS\System32\alg.exe

    C:\WINDOWS\system32\wbem\wmiprvse.exe

    C:\Program Files\ATKOSD2\ATKOSD2.exe

    C:\Program Files\ATK Hotkey\Hcontrol.exe

    C:\WINDOWS\RTHDCPL.EXE

    C:\Program Files\ASUS\ATK Media\DMEDIA.EXE

    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    C:\Program Files\ASUS\Splendid\ACMON.exe

    C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

    C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe

    C:\Program Files\Wireless Console 2\wcourier.exe

    C:\WINDOWS\system32\ASUSTPE.exe

    C:\WINDOWS\ASScrPro.exe

    C:\WINDOWS\system32\ACEngSvr.exe

    C:\Program Files\Atheros\ACU.exe

    C:\Program Files\Samsung\Samsung SCX-4x21 Series\PSU\Scan2pc.exe

    C:\Program Files\ATK Hotkey\ATKOSD.exe

    C:\WINDOWS\system32\ctfmon.exe

    c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe

    C:\PVSW\bin\w3dbsmgr.exe

    C:\Program Files\ATK Hotkey\KBFiltr.exe

    C:\PROGRA~1\MICROS~3\rapimgr.exe

    C:\Program Files\ATK Hotkey\WDC.exe

    c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.asus.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

    O2 - BHO: InternetSoftware - {AF7E9EBB-E1CF-7F7C-C608-13185698F3E9} - C:\Program Files\InternetSoftware\InternetSoftware-1.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    O4 - HKLM\..\Run: [ATKOSD2] "C:\Program Files\ATKOSD2\ATKOSD2.exe"

    O4 - HKLM\..\Run: [ATKHOTKEY] "C:\Program Files\ATK Hotkey\Hcontrol.exe"

    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

    O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

    O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE

    O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe

    O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    O4 - HKLM\..\Run: [ACMON] "C:\Program Files\ASUS\Splendid\ACMON.exe"

    O4 - HKLM\..\Run: [ABLKSR] C:\WINDOWS\ABLKSR\ABLKSR.exe

    O4 - HKLM\..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

    O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1

    O4 - HKLM\..\Run: [Wireless Console 2] "C:\Program Files\Wireless Console 2\wcourier.exe"

    O4 - HKLM\..\Run: [ASUSTPE] C:\WINDOWS\system32\ASUSTPE.exe

    O4 - HKLM\..\Run: [ASUS Camera ScreenSaver] C:\WINDOWS\ASScrProlog.exe

    O4 - HKLM\..\Run: [ASUS Screen Saver Protector] C:\WINDOWS\ASScrPro.exe

    O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui

    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

    O4 - HKLM\..\Run: [WHITNEY_S2P] C:\Program Files\Samsung\Samsung SCX-4x21 Series\PSU\Scan2pc.exe

    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

    O4 - HKLM\..\Run: [sDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe

    O4 - HKCU\..\Run: [startCCC] c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"

    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

    O4 - .DEFAULT User Startup: CCC.lnk = ? (User 'Default user')

    O4 - Startup: CCC.lnk = ?

    O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\bin\w3dbsmgr.exe

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com

    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab

    O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab

    O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab

    O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe

    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe

    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

    O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe

    O23 - Service: Syntek AVStream USB2.0 WebCam Service (StkSSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkCSrv.exe

    --

    End of file - 9504 bytes