BleepingComputer.com: Multiple Issues. Nebuler S, Win32\kastem, Newmediacodec Etc Etc


Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

DO NOT RUN ComboFix unless requested to.

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Multiple Issues. Nebuler S, Win32\kastem, Newmediacodec Etc Etc: I can't seem to remove any of these things

#1 LiLcOoKiE (New Member; Group: Members; Posts: 12; Joined: 08-September 07)

Posted 08 September 2007 - 04:47 AM

On start-up I get an "lsass.exe file missing" and an "MSVCP71.dll file missing". Then come the pop-ups of the Win32\Kastem. Even with my connection unplugged there is something trying to use my internet.

I run constant scans with eTrust, AVG Anti-Spyware, Ad-Aware and Spybot, but none of the issues seem to disappear. I have searched and searched for help, but even when I spend hours trying my hardest to get rid of something, I restart and it comes back.

Please help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:43:11 PM, on 9/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\mgrs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\msiexec.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX01.797\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\lsass.exe
O2 - BHO: (no name) - {03F2FC29-4B31-40CD-9D29-4B4B7EB06F8F} - C:\WINDOWS\system32\ddayx.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {632AB9DB-EE1E-43B0-AA06-4DD209EE33BF} - C:\WINDOWS\system32\pmnkhhf.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft System Service] taskmgr1.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [WindXpUpdate32] WindXpUpdate
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [qhenarmz] rundll32.exe "C:\Program Files\lcrefklg\vyfylyra.dll",Init
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win14C.tmp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\RunServices: [Microsoft System Service] taskmgr1.exe
O4 - HKLM\..\RunServices: [WindXpUpdate32] WindXpUpdate
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189168616843
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: ddayx - C:\WINDOWS\system32\ddayx.dll (file missing)
O20 - Winlogon Notify: pmnkhhf - C:\WINDOWS\SYSTEM32\pmnkhhf.dll
O20 - Winlogon Notify: winxtx32 - C:\WINDOWS\SYSTEM32\winxtx32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8579 bytes

#2 LiLcOoKiE (New Member; Group: Members; Posts: 12; Joined: 08-September 07)

Posted 08 September 2007 - 07:19 AM

OK, with a little more tinkering a lot of the silly Win32\Kastem.al warnings stopped coming up, and all that my computer could find was the Nebuler S thing, which I removed for about 20 minutes; then it came back.

New HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:40 PM, on 9/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\lsass.exe
O2 - BHO: (no name) - {03F2FC29-4B31-40CD-9D29-4B4B7EB06F8F} - C:\WINDOWS\system32\ddayx.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {632AB9DB-EE1E-43B0-AA06-4DD209EE33BF} - C:\WINDOWS\system32\pmnkhhf.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft System Service] taskmgr1.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [WindXpUpdate32] WindXpUpdate
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [qhenarmz] rundll32.exe "C:\Program Files\lcrefklg\vyfylyra.dll",Init
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\RunServices: [Microsoft System Service] taskmgr1.exe
O4 - HKLM\..\RunServices: [WindXpUpdate32] WindXpUpdate
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189168616843
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: pmnkhhf - C:\WINDOWS\SYSTEM32\pmnkhhf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8476 bytes
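The two logs posted in #1 and #2 already contain the indicators a responder would act on before any tool is run: a system.ini Shell value that starts a second program alongside Explorer.exe (an lsass.exe living in C:\WINDOWS\Config rather than in system32), Run entries that are bare filenames (taskmgr1.exe, mgrs.exe, WindXpUpdate) or run from C:\WINDOWS\TEMP, a RunServices key that NT-based Windows does not even process, a rundll32 entry loading a DLL from a random-named Program Files folder, and a DLL (pmnkhhf.dll) registered both as an IE BHO and as a Winlogon Notify package. The script below is an added example, not part of the original posts and not HijackThis or BleepingComputer code: it parses the relevant HijackThis line types (F2, O2, O4, O20) and applies exactly those heuristics. The sample lines are copied from the logs above; the reason strings, the CORE_SYSTEM32_BINARIES set and the "outside the Windows directory" rule are this example's own assumptions, not an authoritative allow-list or block-list.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example for this thread; not HijackThis or BleepingComputer code. The
heuristics and CORE_SYSTEM32_BINARIES are this example's own assumptions.
"""
import ntpath  # Windows path semantics even when run on a non-Windows host
import re

# Constructed sample: a subset of the F2/O2/O4/O20 lines posted in #1 and #2.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\lsass.exe
O2 - BHO: (no name) - {03F2FC29-4B31-40CD-9D29-4B4B7EB06F8F} - C:\WINDOWS\system32\ddayx.dll (file missing)
O2 - BHO: (no name) - {632AB9DB-EE1E-43B0-AA06-4DD209EE33BF} - C:\WINDOWS\system32\pmnkhhf.dll
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [Microsoft System Service] taskmgr1.exe
O4 - HKLM\..\Run: [qhenarmz] rundll32.exe "C:\Program Files\lcrefklg\vyfylyra.dll",Init
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win14C.tmp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\RunServices: [WindXpUpdate32] WindXpUpdate
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: ddayx - C:\WINDOWS\system32\ddayx.dll (file missing)
O20 - Winlogon Notify: pmnkhhf - C:\WINDOWS\SYSTEM32\pmnkhhf.dll
"""

R_BARE = "bare filename (no path): resolved via PATH, legitimate installers write full paths"
R_TEMP = "runs from a TEMP directory"
R_CORE_NAME = "core Windows process name outside \\system32 (masquerade)"
R_SHELL_EXTRA = "extra program in Winlogon Shell value (started at every logon)"
R_RUNSERVICES = "HKLM RunServices: Win9x-era key, rarely used legitimately on NT/XP"
R_RUNDLL32_OUTSIDE = "rundll32 loading a DLL outside the Windows directory"
R_NOTIFY_MISSING = "Winlogon Notify package whose DLL is missing (dangling registration)"
R_NOTIFY_IS_BHO = "same DLL registered as both an IE BHO and a Winlogon Notify package"

# Assumption: these names are only legitimate when they live in \system32.
CORE_SYSTEM32_BINARIES = {"lsass.exe", "csrss.exe", "smss.exe",
                          "winlogon.exe", "services.exe", "svchost.exe"}

F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<desc>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
SUFFIX_RE = re.compile(r"\s*\((file missing|no file)\)$")


def clean_path(path):
    """Strip HJT's '(file missing)' / '(no file)' annotation and quotes."""
    return SUFFIX_RE.sub("", path).strip().strip('"')


def first_token(cmd):
    """Split a Run-key command line into (executable, remaining arguments)."""
    cmd = cmd.strip()
    if not cmd:
        return "", ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def path_reasons(path):
    """Heuristics that apply to any executable path found in an autostart entry."""
    reasons = []
    low = path.lower()
    if "\\" not in low and not low.startswith("%"):
        reasons.append(R_BARE)
    if "\\temp\\" in low:
        reasons.append(R_TEMP)
    if ntpath.basename(low) in CORE_SYSTEM32_BINARIES and \
            not ntpath.dirname(low).endswith("\\system32"):
        reasons.append(R_CORE_NAME)
    return reasons


def triage(log_text):
    """Return {log line: [reasons]} for every line at least one heuristic flags."""
    lines = [ln.rstrip() for ln in log_text.splitlines() if ln.strip()]
    # First pass: which DLLs are registered as IE Browser Helper Objects (O2)?
    bho_dlls = set()
    for line in lines:
        if (m := O2_RE.match(line)):
            base = ntpath.basename(clean_path(m.group("path")).lower())
            if base:
                bho_dlls.add(base)
    findings = {}
    for line in lines:
        reasons = []
        if (m := F2_RE.match(line)):
            # Winlogon starts every space-separated program in Shell=, not just the first.
            for tok in m.group("value").split():
                if ntpath.basename(tok.lower()) == "explorer.exe":
                    continue
                reasons.append(R_SHELL_EXTRA)
                reasons.extend(path_reasons(tok))
        elif (m := O4_RE.match(line)):
            if m.group("key").lower().startswith("runservices"):
                reasons.append(R_RUNSERVICES)
            exe, rest = first_token(m.group("cmd"))
            if ntpath.basename(exe.lower()) == "rundll32.exe":
                # Judge the DLL rundll32 is told to load, not rundll32 itself.
                dll = first_token(rest)[0].split(",")[0]
                if "\\windows\\" not in dll.lower():
                    reasons.append(R_RUNDLL32_OUTSIDE)
                reasons.extend(path_reasons(dll))
            else:
                reasons.extend(path_reasons(exe))
        elif (m := O20_RE.match(line)):
            if line.endswith("(file missing)"):
                reasons.append(R_NOTIFY_MISSING)
            if ntpath.basename(clean_path(m.group("path")).lower()) in bho_dlls:
                reasons.append(R_NOTIFY_IS_BHO)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("    ->", r)
```

On the sample, every entry the script flags is one a responder would also question, and the legitimate entries (caissdt.exe, ctfmon.exe, the KernelFaultCheck dumprep entry) pass untouched. The heuristics are a triage aid, not a verdict: a flagged path still needs to be checked (vendor, file properties, hash) before anything is deleted, which is also why the forum asks that only the response team act on logs.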

#3 Aaflac (Doin' Dis 'n Dat...; Group: Malware Response Team; Posts: 1,178; Joined: 15-September 06; Location: USA)

Posted 10 September 2007 - 08:40 AM

Apologies for the delay in responding.

The workload on this forum is intense, and sometimes it is not possible to respond to every inquiry.

Please download ComboFix.exe

Save it to the Desktop

Double-click combofix.exe to run the program
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to stall.)

When finished, a log, ComboFix.txt, is produced.

~~~~
Now, run HijackThis once again to obtain a new log.

~~~~
Please post the ComboFix.txt, and a new HijackThis log in your reply.
To do is to be - Socrates

#4 LiLcOoKiE (New Member; Group: Members; Posts: 12; Joined: 08-September 07)

Posted 11 September 2007 - 01:55 AM

ComboFix 07-09-11.1 - "Owner" 2007-09-11 15:41:25.2 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.371 [GMT 10:00]
.

((((((((((((((((((((((((( Files Created from 2007-08-11 to 2007-09-11 )))))))))))))))))))))))))))))))
.

2007-09-11 11:18 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-10 22:56 8,704 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2007-09-10 22:56 4,608 --a------ C:\WINDOWS\system32\nmwcdlog.dll
2007-09-10 22:56 30,720 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2007-09-10 22:56 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2007-09-10 22:56 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2007-09-10 22:56 127,488 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2007-09-10 22:56 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-09-09 19:42 <DIR> d--h----- C:\WINDOWS\PIF
2007-09-09 18:21 94,208 --a------ C:\WINDOWS\system32\drvsun.dll
2007-09-09 18:21 15,360 --a------ C:\WINDOWS\system32\drvsunr.dll
2007-09-09 16:08 85,376 --a--c--- C:\WINDOWS\system32\dllcache\nabtsfec.sys
2007-09-09 16:08 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-09-09 16:08 53,760 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2007-09-09 16:08 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-09-09 16:08 17,024 --a--c--- C:\WINDOWS\system32\dllcache\ccdecode.sys
2007-09-09 16:08 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-09-09 16:07 61,440 --a------ C:\WINDOWS\system32\dsnphv71.dll
2007-09-09 16:07 53,248 --a------ C:\WINDOWS\amcap.exe
2007-09-09 16:07 307,200 --a------ C:\WINDOWS\vidcap32.exe
2007-09-09 16:07 28,672 --a------ C:\WINDOWS\vsnphv71.exe
2007-09-09 16:07 28,672 --a------ C:\WINDOWS\system32\vsnphv71.dll
2007-09-09 16:07 220,928 --a------ C:\WINDOWS\system32\drivers\snphv71.sys
2007-09-09 16:07 20,480 --a------ C:\WINDOWS\dsnphv71.exe
2007-09-09 16:07 120,879 --a------ C:\WINDOWS\usnphv71.exe
2007-09-09 16:07 <DIR> d-------- C:\Program Files\Common Files\snphv71
2007-09-08 21:58 499,712 --a------ C:\WINDOWS\MSVCP71.DLL
2007-09-08 20:58 <DIR> d-------- C:\Program Files\Neopets
2007-09-08 20:58 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Neopets Toolbar
2007-09-08 19:37 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-09-08 19:37 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-09-08 19:37 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-09-08 19:37 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-09-08 19:37 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-09-08 19:37 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-09-08 19:37 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-09-08 19:36 <DIR> d-------- C:\Program Files\Sygate
2007-09-08 13:30 15,360 --a------ C:\WINDOWS\system32\drvfetr.dll
2007-09-07 23:19 93,696 --a------ C:\WINDOWS\system32\drvhut.dll
2007-09-07 23:19 15,360 --a------ C:\WINDOWS\system32\drvhutr.dll
2007-09-07 22:48 499,712 --a------ C:\WINDOWS\system32\MSVCP71.DLL
2007-09-07 21:29 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-09-07 21:05 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Uniblue
2007-09-07 20:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-07 19:28 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-09-07 19:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2007-09-07 16:55 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-07 16:46 <DIR> d-------- C:\WTablet
2007-09-07 16:00 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-09-06 23:17 94,208 --a------ C:\WINDOWS\system32\drvdij.dll
2007-09-06 23:17 15,360 --a------ C:\WINDOWS\system32\drvdijr.dll
2007-09-06 22:36 94,208 --a------ C:\WINDOWS\system32\drvpar.dll
2007-09-06 22:36 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-09-06 22:36 15,360 --a------ C:\WINDOWS\system32\drvparr.dll
2007-09-06 22:35 23,552 --a------ C:\WINDOWS\system32\winxtx32.dll
2007-09-06 18:53 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Gamelab
2007-09-06 17:48 <DIR> d-------- C:\Program Files\ReflexiveArcade
2007-09-05 21:06 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Nokia
2007-09-05 21:01 <DIR> d-------- C:\Program Files\DIFX
2007-09-05 21:00 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\PC Suite
2007-09-05 21:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Suite
2007-09-05 20:59 50,688 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-09-05 20:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Downloaded Installations
2007-09-05 20:58 <DIR> d-------- C:\Program Files\Nokia
2007-09-05 20:58 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-09-05 17:27 1,648,016 -r-h----- C:\WINDOWS\EditServAPI.exe
2007-09-05 17:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-09-05 15:24 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\WinRAR
2007-09-05 13:24 90,112 --a------ C:\WINDOWS\unvise32.exe
2007-09-05 13:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-09-05 13:18 <DIR> d-------- C:\Temp
2007-09-05 08:56 <DIR> d-------- C:\Program Files\Bonjour
2007-09-05 08:40 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-09-04 22:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
2007-09-04 21:37 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Corel
2007-09-04 21:30 <DIR> d-------- C:\Program Files\Corel
2007-09-04 20:56 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Thunderbird
2007-09-04 18:28 <DIR> d-------- C:\DOCUME~1\Owner\Shared
2007-09-04 18:28 <DIR> d-------- C:\DOCUME~1\Owner\Incomplete
2007-09-04 18:27 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\FrostWire
2007-09-04 18:25 <DIR> d-------- C:\Program Files\FrostWire
2007-09-04 17:11 <DIR> d-------- C:\Program Files\BitTorrent_DNA
2007-09-04 17:11 <DIR> d-------- C:\Program Files\BitTorrent
2007-09-04 17:11 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\BitTorrent DNA
2007-09-04 17:11 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\BitTorrent
2007-09-04 17:09 <DIR> d-------- C:\Program Files\mIRC
2007-09-04 17:09 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\mIRC
2007-09-04 16:58 <DIR> d-------- C:\DOCUME~1\Owner\Contacts
2007-09-04 16:56 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-09-04 16:55 <DIR> d-------- C:\Program Files\MSN Messenger
2007-09-04 16:47 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\WTablet
2007-09-04 16:45 6,272 --a------ C:\WINDOWS\system32\drivers\wacomvhid.sys
2007-09-04 16:45 5,632 --a------ C:\WINDOWS\system32\drivers\wacommousefilter.sys
2007-09-04 16:45 140,848 --a------ C:\WINDOWS\system32\Wintab32.dll
2007-09-04 16:45 1,013,296 --a------ C:\WINDOWS\system32\Tablet.exe
2007-09-04 16:45 <DIR> d-------- C:\WINDOWS\system32\WTablet
2007-09-04 16:45 <DIR> d-------- C:\Program Files\Tablet
2007-09-04 16:19 16,384 --a------ C:\WINDOWS\system32\lgfwunis.exe
2007-09-04 16:19 102,912 --a------ C:\WINDOWS\system32\Vb6stkit.dll
2007-09-04 16:19 102,160 --a------ C:\WINDOWS\system32\VB6KO.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-07 19:35 1024 --a------ C:\WINDOWS\system32\drivers\513652D0-DB92-40F3-98AD-843EED9731AA.cxv
2007-09-04 13:20 879832 --a------ C:\WINDOWS\system32\drivers\VetEFile.sys
2007-09-04 13:20 108360 --a------ C:\WINDOWS\system32\drivers\VetEBoot.sys
2007-09-03 21:02 99880 --a------ C:\WINDOWS\UnVet32.exe
2007-09-03 21:02 75304 --a------ C:\WINDOWS\system32\VetRedir.dll
2007-09-03 21:02 21032 --a------ C:\WINDOWS\system32\drivers\Vet-Filt.sys
2007-09-03 21:02 15736 --a------ C:\WINDOWS\system32\drivers\VetFDDNT.sys
2007-09-03 21:02 15479 --a------ C:\WINDOWS\system32\drivers\Vet-Rec.sys
2007-09-03 21:02 112168 --a------ C:\WINDOWS\AVShlExt.dll
2007-09-03 20:58 323870 --a------ C:\WINDOWS\system32\Benq Corporation.scr
2007-09-03 20:45 --------- d-------- C:\Program Files\microsoft frontpage
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-11 14:37 6272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-26 16:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 23:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 20:23 1033216 --a------ C:\WINDOWS\explorer.exe
2003-09-08 13:10 11776 --a------ C:\Program Files\44591875.exe
2003-09-08 13:09 11776 --a------ C:\Program Files\44509984.exe
2003-09-08 13:07 11776 --a------ C:\Program Files\44436359.exe
2003-09-08 13:06 11776 --a------ C:\Program Files\44362968.exe
2003-09-08 13:05 11776 --a------ C:\Program Files\44284656.exe
2003-09-08 13:04 11776 --a------ C:\Program Files\44207734.exe
2003-09-08 13:02 11776 --a------ C:\Program Files\44134109.exe
2003-09-08 13:01 11776 --a------ C:\Program Files\44063765.exe
2003-09-08 13:00 11776 --a------ C:\Program Files\43995687.exe
2003-09-08 01:03 76068 --a------ C:\Program Files\setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]
"eTrustPPAP"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe" [2007-09-04 15:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 22:00]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-09-04 17:11]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft System Service"=taskmgr1.exe
"WindXpUpdate32"=WindXpUpdate

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys
S0 szkg;szkg;C:\WINDOWS\system32\DRIVERS\szkg.sys
S2 NMSSvc;Intel® NMS;C:\WINDOWS\system32\NMSSvc.exe
S3 FXDRV;FXDRV;\??\D:\Fxdrv.sys
S3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\system32\drivers\NMSCFG.SYS
S3 SNPHV71;PC Camera (602a VGA);C:\WINDOWS\system32\DRIVERS\snphv71.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5B5C4767-D8DE-AB3B-7ED0-86C27EE5D2BE}]
C:\Documents and Settings\Owner\My Documents\Downloads\Adobe Photoshop CS3 Crack+Keygen\Keygen.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-09-09 15:15:08 C:\WINDOWS\Tasks\PPv5Scan_Daily as Owner at 1 15 AM.job"
"2007-09-09 16:15:08 C:\WINDOWS\Tasks\PPv5Scan_Daily as Owner at 2 15 AM.job"
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-11 15:44:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-09-11 15:45:42
C:\ComboFix-quarantined-files.txt ... 2007-09-11 15:45
.
--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:52, on 2007-09-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\RunServices: [Microsoft System Service] taskmgr1.exe
O4 - HKLM\..\RunServices: [WindXpUpdate32] WindXpUpdate
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189168616843
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6134 bytes


I need a new anti-virus since my other one is soon to expire. But so far hardly anything is being detected anymore, which is great.

#5 User is offline   Aaflac 

  • Doin' Dis 'n Dat...
  • Group: Malware Response Team
  • Posts: 1,178
  • Joined: 15-September 06
  • Gender:Not Telling
  • Location:USA

Posted 11 September 2007 - 08:24 AM

There are still some dubious files showing on the ComboFix report, and on the HijackThis log as well.

Please do the following:

Download SuperAntiSpyware
Install the program
  • Run SuperAntiSpyware and click: Check for updates
  • Once the update is finished, on the main screen, click: Scan your computer
  • Check: Perform Complete Scan
  • Click Next to start the scan.

Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
  • Click: Preferences
  • Click the Statistics/Logs tab
  • Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

~~~~
Next, run ComboFix once again, but make sure it is not in Safe Mode.

~~~~
Please provide the SuperAntiSpyware log, as well as the new ComboFix.txt, in your reply.


If you need an AntiVirus program, there are free programs available:

Grisoft's AVG: Anti-virus Free Edition

avast! 4 Home

AntiVir Personal Edition

This post has been edited by Aaflac: 11 September 2007 - 08:36 AM

To do is to be - Socrates
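The dubious entries Aaflac is pointing at are visible in the "Reg Loading Points" section of the ComboFix report: values under the Win9x-only RunServices key with no path at all, a populated AppInit_DLLs value, and an Active Setup component whose stub lives in the user's Downloads folder. As an added example (not code from the thread or from ComboFix/HijackThis), here is a small Python triage that parses such a section and reports why each autostart entry stands out; the sample lines are constructed, modelled on the ones posted above.

```python
"""Triage autostart entries from a ComboFix-style 'Reg Loading Points' section.

Added example, not part of the thread. Every rule below is a reviewer
heuristic, not a verdict: a flagged entry deserves a look, nothing more.
"""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the entries in the posted log (not the log itself).
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 22:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft System Service"=taskmgr1.exe
"WindXpUpdate32"=WindXpUpdate

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5B5C4767-D8DE-AB3B-7ED0-86C27EE5D2BE}]
C:\Documents and Settings\Owner\My Documents\Downloads\Adobe Photoshop CS3 Crack+Keygen\Keygen.exe
'''

VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')      # "name"=command [stamp]
STAMP_RE = re.compile(r'\s*\[[^\]]*\]\s*$')     # trailing "[2007-08-08 15:53]"


@dataclass
class Finding:
    key: str
    name: str
    command: str
    reasons: list = field(default_factory=list)


def parse_entries(text):
    """Yield (key, name, command) for every value listed under a [KEY] header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            name, command = m.group(1), STAMP_RE.sub('', m.group(2)).strip()
        else:
            # Active Setup components list the StubPath command on a bare line.
            name, command = '(StubPath)', line
        yield key, name, command.strip('"')


def assess(key, name, command):
    """Return the red-flag reasons for one entry (empty list = looks ordinary)."""
    reasons = []
    k, c = key.lower(), command.lower()
    exe = c.split()[0] if c else ''
    if k.endswith('\\runservices'):
        # Win9x-era key that Windows XP does not process; installers do not write here.
        reasons.append('runservices_key')
    if k.endswith('\\windows nt\\currentversion\\windows') and name.lower() == 'appinit_dlls' and c:
        # Any DLL named here is loaded into every process that loads user32.dll.
        reasons.append('appinit_dlls_set')
    if exe and '\\' not in exe and 'appinit_dlls_set' not in reasons:
        # No directory: the binary is found via search order, not a fixed location.
        reasons.append('no_path')
    if 'active setup\\installed components' in k and '\\documents and settings\\' in c:
        # Per-user logon stub pointing into a user-writable profile folder.
        reasons.append('active_setup_user_profile')
    if any(word in c for word in ('crack', 'keygen')):
        reasons.append('crack_keygen')
    return reasons


def triage(text):
    """All entries in `text` that trip at least one heuristic."""
    return [Finding(k, n, c, r) for k, n, c in parse_entries(text) if (r := assess(k, n, c))]


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{", ".join(f.reasons):40} {f.name} = {f.command}')
```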

#6 User is offline   LiLcOoKiE 

  • New Member
  • Group: Members
  • Posts: 12
  • Joined: 08-September 07

Posted 13 September 2007 - 12:36 AM

ComboFix 07-09-11.1 - "Owner" 2007-09-11 15:41:25.2 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.371 [GMT 10:00]
.

((((((((((((((((((((((((( Files Created from 2007-08-11 to 2007-09-11 )))))))))))))))))))))))))))))))
.

2007-09-11 11:18 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-10 22:56 8,704 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2007-09-10 22:56 4,608 --a------ C:\WINDOWS\system32\nmwcdlog.dll
2007-09-10 22:56 30,720 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2007-09-10 22:56 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2007-09-10 22:56 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2007-09-10 22:56 127,488 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2007-09-10 22:56 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-09-09 19:42 <DIR> d--h----- C:\WINDOWS\PIF
2007-09-09 18:21 94,208 --a------ C:\WINDOWS\system32\drvsun.dll
2007-09-09 18:21 15,360 --a------ C:\WINDOWS\system32\drvsunr.dll
2007-09-09 16:08 85,376 --a--c--- C:\WINDOWS\system32\dllcache\nabtsfec.sys
2007-09-09 16:08 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-09-09 16:08 53,760 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2007-09-09 16:08 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-09-09 16:08 17,024 --a--c--- C:\WINDOWS\system32\dllcache\ccdecode.sys
2007-09-09 16:08 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-09-09 16:07 61,440 --a------ C:\WINDOWS\system32\dsnphv71.dll
2007-09-09 16:07 53,248 --a------ C:\WINDOWS\amcap.exe
2007-09-09 16:07 307,200 --a------ C:\WINDOWS\vidcap32.exe
2007-09-09 16:07 28,672 --a------ C:\WINDOWS\vsnphv71.exe
2007-09-09 16:07 28,672 --a------ C:\WINDOWS\system32\vsnphv71.dll
2007-09-09 16:07 220,928 --a------ C:\WINDOWS\system32\drivers\snphv71.sys
2007-09-09 16:07 20,480 --a------ C:\WINDOWS\dsnphv71.exe
2007-09-09 16:07 120,879 --a------ C:\WINDOWS\usnphv71.exe
2007-09-09 16:07 <DIR> d-------- C:\Program Files\Common Files\snphv71
2007-09-08 21:58 499,712 --a------ C:\WINDOWS\MSVCP71.DLL
2007-09-08 20:58 <DIR> d-------- C:\Program Files\Neopets
2007-09-08 20:58 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Neopets Toolbar
2007-09-08 19:37 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-09-08 19:37 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-09-08 19:37 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-09-08 19:37 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-09-08 19:37 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-09-08 19:37 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-09-08 19:37 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-09-08 19:36 <DIR> d-------- C:\Program Files\Sygate
2007-09-08 13:30 15,360 --a------ C:\WINDOWS\system32\drvfetr.dll
2007-09-07 23:19 93,696 --a------ C:\WINDOWS\system32\drvhut.dll
2007-09-07 23:19 15,360 --a------ C:\WINDOWS\system32\drvhutr.dll
2007-09-07 22:48 499,712 --a------ C:\WINDOWS\system32\MSVCP71.DLL
2007-09-07 21:29 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-09-07 21:05 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Uniblue
2007-09-07 20:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-07 19:28 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-09-07 19:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2007-09-07 16:55 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-07 16:46 <DIR> d-------- C:\WTablet
2007-09-07 16:00 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-09-06 23:17 94,208 --a------ C:\WINDOWS\system32\drvdij.dll
2007-09-06 23:17 15,360 --a------ C:\WINDOWS\system32\drvdijr.dll
2007-09-06 22:36 94,208 --a------ C:\WINDOWS\system32\drvpar.dll
2007-09-06 22:36 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-09-06 22:36 15,360 --a------ C:\WINDOWS\system32\drvparr.dll
2007-09-06 22:35 23,552 --a------ C:\WINDOWS\system32\winxtx32.dll
2007-09-06 18:53 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Gamelab
2007-09-06 17:48 <DIR> d-------- C:\Program Files\ReflexiveArcade
2007-09-05 21:06 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Nokia
2007-09-05 21:01 <DIR> d-------- C:\Program Files\DIFX
2007-09-05 21:00 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\PC Suite
2007-09-05 21:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Suite
2007-09-05 20:59 50,688 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-09-05 20:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Downloaded Installations
2007-09-05 20:58 <DIR> d-------- C:\Program Files\Nokia
2007-09-05 20:58 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-09-05 17:27 1,648,016 -r-h----- C:\WINDOWS\EditServAPI.exe
2007-09-05 17:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-09-05 15:24 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\WinRAR
2007-09-05 13:24 90,112 --a------ C:\WINDOWS\unvise32.exe
2007-09-05 13:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-09-05 13:18 <DIR> d-------- C:\Temp
2007-09-05 08:56 <DIR> d-------- C:\Program Files\Bonjour
2007-09-05 08:40 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-09-04 22:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
2007-09-04 21:37 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Corel
2007-09-04 21:30 <DIR> d-------- C:\Program Files\Corel
2007-09-04 20:56 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Thunderbird
2007-09-04 18:28 <DIR> d-------- C:\DOCUME~1\Owner\Shared
2007-09-04 18:28 <DIR> d-------- C:\DOCUME~1\Owner\Incomplete
2007-09-04 18:27 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\FrostWire
2007-09-04 18:25 <DIR> d-------- C:\Program Files\FrostWire
2007-09-04 17:11 <DIR> d-------- C:\Program Files\BitTorrent_DNA
2007-09-04 17:11 <DIR> d-------- C:\Program Files\BitTorrent
2007-09-04 17:11 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\BitTorrent DNA
2007-09-04 17:11 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\BitTorrent
2007-09-04 17:09 <DIR> d-------- C:\Program Files\mIRC
2007-09-04 17:09 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\mIRC
2007-09-04 16:58 <DIR> d-------- C:\DOCUME~1\Owner\Contacts
2007-09-04 16:56 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-09-04 16:55 <DIR> d-------- C:\Program Files\MSN Messenger
2007-09-04 16:47 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\WTablet
2007-09-04 16:45 6,272 --a------ C:\WINDOWS\system32\drivers\wacomvhid.sys
2007-09-04 16:45 5,632 --a------ C:\WINDOWS\system32\drivers\wacommousefilter.sys
2007-09-04 16:45 140,848 --a------ C:\WINDOWS\system32\Wintab32.dll
2007-09-04 16:45 1,013,296 --a------ C:\WINDOWS\system32\Tablet.exe
2007-09-04 16:45 <DIR> d-------- C:\WINDOWS\system32\WTablet
2007-09-04 16:45 <DIR> d-------- C:\Program Files\Tablet
2007-09-04 16:19 16,384 --a------ C:\WINDOWS\system32\lgfwunis.exe
2007-09-04 16:19 102,912 --a------ C:\WINDOWS\system32\Vb6stkit.dll
2007-09-04 16:19 102,160 --a------ C:\WINDOWS\system32\VB6KO.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-07 19:35 1024 --a------ C:\WINDOWS\system32\drivers\513652D0-DB92-40F3-98AD-843EED9731AA.cxv
2007-09-04 13:20 879832 --a------ C:\WINDOWS\system32\drivers\VetEFile.sys
2007-09-04 13:20 108360 --a------ C:\WINDOWS\system32\drivers\VetEBoot.sys
2007-09-03 21:02 99880 --a------ C:\WINDOWS\UnVet32.exe
2007-09-03 21:02 75304 --a------ C:\WINDOWS\system32\VetRedir.dll
2007-09-03 21:02 21032 --a------ C:\WINDOWS\system32\drivers\Vet-Filt.sys
2007-09-03 21:02 15736 --a------ C:\WINDOWS\system32\drivers\VetFDDNT.sys
2007-09-03 21:02 15479 --a------ C:\WINDOWS\system32\drivers\Vet-Rec.sys
2007-09-03 21:02 112168 --a------ C:\WINDOWS\AVShlExt.dll
2007-09-03 20:58 323870 --a------ C:\WINDOWS\system32\Benq Corporation.scr
2007-09-03 20:45 --------- d-------- C:\Program Files\microsoft frontpage
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-11 14:37 6272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-26 16:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 23:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 20:23 1033216 --a------ C:\WINDOWS\explorer.exe
2003-09-08 13:10 11776 --a------ C:\Program Files\44591875.exe
2003-09-08 13:09 11776 --a------ C:\Program Files\44509984.exe
2003-09-08 13:07 11776 --a------ C:\Program Files\44436359.exe
2003-09-08 13:06 11776 --a------ C:\Program Files\44362968.exe
2003-09-08 13:05 11776 --a------ C:\Program Files\44284656.exe
2003-09-08 13:04 11776 --a------ C:\Program Files\44207734.exe
2003-09-08 13:02 11776 --a------ C:\Program Files\44134109.exe
2003-09-08 13:01 11776 --a------ C:\Program Files\44063765.exe
2003-09-08 13:00 11776 --a------ C:\Program Files\43995687.exe
2003-09-08 01:03 76068 --a------ C:\Program Files\setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]
"eTrustPPAP"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe" [2007-09-04 15:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 22:00]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-09-04 17:11]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft System Service"=taskmgr1.exe
"WindXpUpdate32"=WindXpUpdate

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys
S0 szkg;szkg;C:\WINDOWS\system32\DRIVERS\szkg.sys
S2 NMSSvc;Intel® NMS;C:\WINDOWS\system32\NMSSvc.exe
S3 FXDRV;FXDRV;\??\D:\Fxdrv.sys
S3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\system32\drivers\NMSCFG.SYS
S3 SNPHV71;PC Camera (602a VGA);C:\WINDOWS\system32\DRIVERS\snphv71.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5B5C4767-D8DE-AB3B-7ED0-86C27EE5D2BE}]
C:\Documents and Settings\Owner\My Documents\Downloads\Adobe Photoshop CS3 Crack+Keygen\Keygen.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-09-09 15:15:08 C:\WINDOWS\Tasks\PPv5Scan_Daily as Owner at 1 15 AM.job"
"2007-09-09 16:15:08 C:\WINDOWS\Tasks\PPv5Scan_Daily as Owner at 2 15 AM.job"
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-11 15:44:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-09-11 15:45:42
C:\ComboFix-quarantined-files.txt ... 2007-09-11 15:45
.
--- E O F ---

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/12/2007 at 04:44 PM

Application Version : 3.9.1008

Core Rules Database Version : 3304
Trace Rules Database Version: 1310

Scan type : Complete Scan
Total Scan Time : 01:08:05

Memory items scanned : 407
Memory threats detected : 1
Registry items scanned : 4380
Registry threats detected : 11
File items scanned : 23870
File threats detected : 37

Trojan.Downloader-Gen/Suspicious
C:\PROGRAM FILES\BITTORRENT_DNA\DNA.EXE
[BitTorrent DNA] C:\PROGRAM FILES\BITTORRENT_DNA\DNA.EXE
C:\PROGRAM FILES\BITTORRENT_DNA\DNA.EXE

Neopets Toolbar
HKLM\Software\Classes\CLSID\{CD292324-974F-4224-D074-CACA427AA030}
HKCR\CLSID\{CD292324-974F-4224-D074-CACA427AA030}
HKCR\CLSID\{CD292324-974F-4224-D074-CACA427AA030}
HKCR\CLSID\{CD292324-974F-4224-D074-CACA427AA030}\InprocServer32
HKCR\CLSID\{CD292324-974F-4224-D074-CACA427AA030}\InprocServer32#ThreadingModel
HKCR\CLSID\{CD292324-974F-4224-D074-CACA427AA030}\ProgID
C:\PROGRA~1\NEOPETS\TOOLBAR\TOOLBAR.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CD292324-974F-4224-D074-CACA427AA030}
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{CD292324-974F-4224-D074-CACA427AA030}
HKCR\Toolbar.Neopets
HKCR\Toolbar.Neopets\Clsid

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@imrworldwide[2].txt
C:\Documents and Settings\Owner\Cookies\owner@bs.serving-sys[1].txt
C:\Documents and Settings\Owner\Cookies\owner@acvs.mediaonenetwork[1].txt
C:\Documents and Settings\Owner\Cookies\owner@virginmobile.122.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.halstats[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ehg-nokiafin.hitbox[1].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt
C:\Documents and Settings\Owner\Cookies\owner@msnportal.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adbrite[2].txt
C:\Documents and Settings\Owner\Cookies\owner@hitbox[2].txt
C:\Documents and Settings\Owner\Cookies\owner@adopt.euroclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@media.adrevolver[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adrevolver[1].txt
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt
C:\Documents and Settings\Owner\Cookies\owner@overture[1].txt
C:\Documents and Settings\Owner\Cookies\owner@serving-sys[1].txt
C:\Documents and Settings\Owner\Cookies\owner@3.adbrite[1].txt

Trojan.Downloader-Gen/HitItQuitIt
C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\BACKUPS\BACKUP-20070908-223433-894.DLL
C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\BACKUPS\BACKUP-20070908-223511-945.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{04446F66-4B31-44B4-9EB6-AE38AFF526CE}\RP2\A0000021.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{04446F66-4B31-44B4-9EB6-AE38AFF526CE}\RP2\A0000031.DLL
C:\WINDOWS\SYSTEM32\PMNKIJJ.DLL
C:\WINDOWS\SYSTEM32\QOMLIFG.DLL

Trojan.Downloader-DNSDoor
C:\WINDOWS\EDITSERVAPI.EXE

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\DDCCA.DLL

Trojan.Downloader-Gen/BigTkt
C:\WINDOWS\SYSTEM32\DRVDIJR.DLL
C:\WINDOWS\SYSTEM32\DRVFETR.DLL
C:\WINDOWS\SYSTEM32\DRVHUTR.DLL
C:\WINDOWS\SYSTEM32\DRVLALR.DLL
C:\WINDOWS\SYSTEM32\DRVPARR.DLL
C:\WINDOWS\SYSTEM32\DRVSUNR.DLL
C:\WINDOWS\SYSTEM32\DRVXUHR.DLL

Trojan.Net-NUSR
C:\WINDOWS\SYSTEM32\NUSRMGR.EXE

Trojan.Downloader-WinXTX32
C:\WINDOWS\SYSTEM32\WINXTX32.DLL

#7 User is offline   Aaflac 

  • Doin' Dis 'n Dat...
  • Group: Malware Response Team
  • Posts: 1,178
  • Joined: 15-September 06
  • Gender:Not Telling
  • Location:USA

Posted 13 September 2007 - 08:47 AM

Looks as if ComboFix was run in Safe Mode again...was that the case?

If not, let us know.

If it was run in Safe Mode, please run it normally in Windows.
To do is to be - Socrates

#8 User is offline   LiLcOoKiE 

  • New Member
  • Group: Members
  • Posts: 12
  • Joined: 08-September 07

Posted 13 September 2007 - 10:56 PM

ComboFix 07-09-11.1 - "Owner" 2007-09-14 13:37:37.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.153 [GMT 10:00]
.

((((((((((((((((((((((((( Files Created from 2007-08-14 to 2007-09-14 )))))))))))))))))))))))))))))))
.

2007-09-13 21:52 8,704 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2007-09-13 21:52 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2007-09-13 21:52 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2007-09-13 21:52 <DIR> d-------- C:\WINDOWS\LastGood
2007-09-13 21:52 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-09-13 21:52 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-09-13 21:51 4,608 --a------ C:\WINDOWS\system32\nmwcdlog.dll
2007-09-13 21:51 30,720 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2007-09-13 21:51 127,488 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2007-09-12 17:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-09-12 16:43 52,224 --a------ C:\WINDOWS\system32\MsPMSNSv.dll
2007-09-12 16:43 356,352 --a------ C:\WINDOWS\system32\MSSCP.dll
2007-09-12 16:43 27,136 --a------ C:\WINDOWS\system32\WMDMLOG.dll
2007-09-12 16:43 245,760 --a------ C:\WINDOWS\system32\MSWMDM.dll
2007-09-12 16:43 23,552 --a------ C:\WINDOWS\system32\WMDMPS.dll
2007-09-12 16:43 201,728 --a------ C:\WINDOWS\system32\MsPMSP.dll
2007-09-12 16:43 159,232 --a------ C:\WINDOWS\system32\cewmdm.dll
2007-09-12 16:40 809,984 --a------ C:\WINDOWS\system32\wmvdmod.dll
2007-09-12 16:40 759,296 --a------ C:\WINDOWS\system32\wmsdmod.dll
2007-09-12 16:40 484,864 --a------ C:\WINDOWS\system32\wmspdmod.dll
2007-09-12 16:40 408,064 --a------ C:\WINDOWS\system32\wmadmod.dll
2007-09-12 16:39 87,040 --a------ C:\WINDOWS\system32\drmstor.dll
2007-09-12 16:39 695,296 --a------ C:\WINDOWS\system32\drmv2clt.dll
2007-09-12 16:39 299,520 --a------ C:\WINDOWS\system32\drmclien.dll
2007-09-12 16:39 286,208 --a------ C:\WINDOWS\system32\blackbox.dll
2007-09-12 16:39 259,072 --a------ C:\WINDOWS\system32\msnetobj.dll
2007-09-12 16:32 <DIR> dr------- C:\Program Files\Winamp
2007-09-12 16:20 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\CyberLink
2007-09-12 15:33 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-12 15:33 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2007-09-12 15:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-11 18:53 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\PlayFirst
2007-09-11 18:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PlayFirst
2007-09-11 18:49 <DIR> d-------- C:\Program Files\Wedding Dash
2007-09-11 17:13 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Comodo
2007-09-11 17:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-09-11 16:59 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-09-11 11:18 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-09 19:42 <DIR> d--h----- C:\WINDOWS\PIF
2007-09-09 18:21 94,208 --a------ C:\WINDOWS\system32\drvsun.dll
2007-09-09 16:08 85,376 --a--c--- C:\WINDOWS\system32\dllcache\nabtsfec.sys
2007-09-09 16:08 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-09-09 16:08 53,760 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2007-09-09 16:08 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-09-09 16:08 17,024 --a--c--- C:\WINDOWS\system32\dllcache\ccdecode.sys
2007-09-09 16:08 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-09-09 16:07 61,440 --a------ C:\WINDOWS\system32\dsnphv71.dll
2007-09-09 16:07 53,248 --a------ C:\WINDOWS\amcap.exe
2007-09-09 16:07 307,200 --a------ C:\WINDOWS\vidcap32.exe
2007-09-09 16:07 28,672 --a------ C:\WINDOWS\vsnphv71.exe
2007-09-09 16:07 28,672 --a------ C:\WINDOWS\system32\vsnphv71.dll
2007-09-09 16:07 220,928 --a------ C:\WINDOWS\system32\drivers\snphv71.sys
2007-09-09 16:07 20,480 --a------ C:\WINDOWS\dsnphv71.exe
2007-09-09 16:07 120,879 --a------ C:\WINDOWS\usnphv71.exe
2007-09-09 16:07 <DIR> d-------- C:\Program Files\Common Files\snphv71
2007-09-08 21:58 499,712 --a------ C:\WINDOWS\MSVCP71.DLL
2007-09-08 20:58 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Neopets Toolbar
2007-09-07 23:19 93,696 --a------ C:\WINDOWS\system32\drvhut.dll
2007-09-07 22:48 499,712 --a------ C:\WINDOWS\system32\MSVCP71.DLL
2007-09-07 21:29 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-09-07 21:05 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Uniblue
2007-09-07 20:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-07 19:28 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-09-07 19:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2007-09-07 16:55 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-07 16:46 <DIR> d-------- C:\WTablet
2007-09-07 16:00 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-09-06 23:17 94,208 --a------ C:\WINDOWS\system32\drvdij.dll
2007-09-06 22:36 94,208 --a------ C:\WINDOWS\system32\drvpar.dll
2007-09-06 22:36 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-09-06 18:53 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Gamelab
2007-09-06 17:48 <DIR> d-------- C:\Program Files\ReflexiveArcade
2007-09-05 21:06 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Nokia
2007-09-05 21:01 <DIR> d-------- C:\Program Files\DIFX
2007-09-05 21:00 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\PC Suite
2007-09-05 21:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Suite
2007-09-05 20:59 50,688 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-09-05 20:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Downloaded Installations
2007-09-05 20:58 <DIR> d-------- C:\Program Files\Nokia
2007-09-05 17:27 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-09-05 15:24 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\WinRAR
2007-09-05 13:24 90,112 --a------ C:\WINDOWS\unvise32.exe
2007-09-05 13:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-09-05 13:18 <DIR> d-------- C:\Temp
2007-09-05 08:56 <DIR> d-------- C:\Program Files\Bonjour
2007-09-05 08:40 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-09-04 22:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
2007-09-04 21:37 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Corel
2007-09-04 21:30 <DIR> d-------- C:\Program Files\Corel
2007-09-04 20:56 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Thunderbird
2007-09-04 18:28 <DIR> d-------- C:\DOCUME~1\Owner\Shared
2007-09-04 18:28 <DIR> d-------- C:\DOCUME~1\Owner\Incomplete
2007-09-04 18:27 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\FrostWire
2007-09-04 18:25 <DIR> d-------- C:\Program Files\FrostWire
2007-09-04 17:11 <DIR> d-------- C:\Program Files\BitTorrent_DNA
2007-09-04 17:11 <DIR> d-------- C:\Program Files\BitTorrent
2007-09-04 17:11 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\BitTorrent DNA
2007-09-04 17:11 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\BitTorrent
2007-09-04 17:09 <DIR> d-------- C:\Program Files\mIRC
2007-09-04 17:09 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\mIRC

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-12 15:32 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-07 19:35 1024 --a------ C:\WINDOWS\system32\drivers\513652D0-DB92-40F3-98AD-843EED9731AA.cxv
2007-09-04 13:20 879832 --a------ C:\WINDOWS\system32\drivers\VetEFile.sys
2007-09-04 13:20 108360 --a------ C:\WINDOWS\system32\drivers\VetEBoot.sys
2007-09-03 21:02 99880 --a------ C:\WINDOWS\UnVet32.exe
2007-09-03 21:02 75304 --a------ C:\WINDOWS\system32\VetRedir.dll
2007-09-03 21:02 21032 --a------ C:\WINDOWS\system32\drivers\Vet-Filt.sys
2007-09-03 21:02 15736 --a------ C:\WINDOWS\system32\drivers\VetFDDNT.sys
2007-09-03 21:02 15479 --a------ C:\WINDOWS\system32\drivers\Vet-Rec.sys
2007-09-03 21:02 112168 --a------ C:\WINDOWS\AVShlExt.dll
2007-09-03 20:58 323870 --a------ C:\WINDOWS\system32\Benq Corporation.scr
2007-09-03 20:45 --------- d-------- C:\Program Files\microsoft frontpage
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-06-26 16:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 23:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2003-09-08 13:10 11776 --a------ C:\Program Files\44591875.exe
2003-09-08 13:09 11776 --a------ C:\Program Files\44509984.exe
2003-09-08 13:07 11776 --a------ C:\Program Files\44436359.exe
2003-09-08 13:06 11776 --a------ C:\Program Files\44362968.exe
2003-09-08 13:05 11776 --a------ C:\Program Files\44284656.exe
2003-09-08 13:04 11776 --a------ C:\Program Files\44207734.exe
2003-09-08 13:02 11776 --a------ C:\Program Files\44134109.exe
2003-09-08 13:01 11776 --a------ C:\Program Files\44063765.exe
2003-09-08 13:00 11776 --a------ C:\Program Files\43995687.exe
2003-09-08 01:03 76068 --a------ C:\Program Files\setup.exe
.

((((((((((((((((((((((((((((( snapshot_2007-09-11_154438.62 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 382,344 2007-04-12 16:14:52 C:\WINDOWS\Downloaded Program Files\GAME_UNO1.dll
----a-w 304,544 2007-02-22 13:41:12 C:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll
----a-r 10,134 2007-09-13 11:52:31 C:\WINDOWS\Installer\{0D80391C-0A72-43BB-9BC2-143F63CC111D}\ARPPRODUCTICON.exe
----a-r 15,086 2007-09-13 11:55:02 C:\WINDOWS\Installer\{531317A5-586A-4E36-87C1-CA823447B375}\ARPPRODUCTICON.exe
----a-r 3,262 2007-09-13 11:52:04 C:\WINDOWS\Installer\{6882DD11-33B8-4DEA-8305-7E765BF74BD3}\ARPPRODUCTICON.exe
----a-r 32,768 2007-09-11 06:59:49 C:\WINDOWS\Installer\{C04E32E0-0416-434D-AFB9-6969D703A9EF}\icon.exe
----a-r 29,696 2007-09-12 05:33:20 C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
----a-r 18,944 2007-09-12 05:33:20 C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
----a-r 65,024 2007-09-12 05:33:20 C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
----a-w 164,864 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\cewmdm.dll
----a-w 25,088 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
----a-w 173,568 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSP.dll
----a-w 364,784 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MSSCP.dll
----a-w 315,904 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MSWMDM.dll
----a-w 28,160 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\WMDMLOG.dll
----a-w 33,792 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\WMDMPS.dll
----a-w 159,232 2006-02-28 12:00:00 C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\cewmdm.dll
----a-w 52,224 2006-02-28 12:00:00 C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll
----a-w 201,728 2006-02-28 12:00:00 C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSP.dll
----a-w 356,352 2006-02-28 12:00:00 C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MSSCP.dll
----a-w 245,760 2006-02-28 12:00:00 C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MSWMDM.dll
----a-w 27,136 2006-02-28 12:00:00 C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\WMDMLOG.dll
----a-w 23,552 2006-02-28 12:00:00 C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\WMDMPS.dll
----a-w 47,104 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\uwdf.exe
----a-w 15,872 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wdfapi.dll
----a-w 38,912 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wdfmgr.exe
----a-w 61,952 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpdconns.dll
----a-w 114,176 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpdmtp.dll
----a-w 331,776 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpdmtpdr.dll
----a-w 66,560 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpdmtpus.dll
----a-w 331,264 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpdsp.dll
----a-w 10,752 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpdtrace.dll
----a-w 18,944 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpdusb.sys
----a-w 38,912 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpd_ci.dll
----a-w 396,528 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\wmadmod.dll
----a-w 774,904 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\wmsdmod.dll
----a-w 413,944 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\wmspdmod.dll
----a-w 1,218,808 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\wmvadvd.dll
----a-w 895,736 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\wmvdmod.dll
----a-w 408,064 2006-02-28 12:00:00 C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}$BACKUP$\System\wmadmod.dll
----a-w 759,296 2006-02-28 12:00:00 C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}$BACKUP$\System\wmsdmod.dll
----a-w 484,864 2006-02-28 12:00:00 C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}$BACKUP$\System\wmspdmod.dll
----a-w 809,984 2006-02-28 12:00:00 C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}$BACKUP$\System\wmvdmod.dll
----a-w 6,656 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\laprxy.dll
----a-w 96,768 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\logagent.exe
----a-w 221,184 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\qasf.dll
----a-w 716,288 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmadmoe.dll
----a-w 224,768 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmasf.dll
----a-w 335,872 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\WMDRMdev.dll
----a-w 290,816 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\WMDRMNet.dll
----a-w 150,016 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmidx.dll
----a-w 1,027,072 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmnetmgr.dll
----a-w 1,119,744 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmsdmoe2.dll
----a-w 940,544 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmspdmoe.dll
----a-w 1,512,448 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\WMVADVE.DLL
----a-w 2,370,296 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmvcore.dll
----a-w 1,003,008 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmvdmoe2.dll
----a-w 6,656 2006-02-28 12:00:00 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$TEMP$\System\laprxy.dll
----a-w 103,936 2006-02-28 12:00:00 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$TEMP$\System\logagent.exe
----a-w 237,568 2006-02-28 12:00:00 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$TEMP$\System\qasf.dll
----a-w 670,720 2006-02-28 12:00:00 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$TEMP$\System\wmadmoe.dll
----a-w 230,400 2006-02-28 12:00:00 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$TEMP$\System\wmasf.dll
----a-w 151,552 2006-02-28 12:00:00 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$TEMP$\System\wmidx.dll
----a-w 1,050,624 2006-02-28 12:00:00 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$TEMP$\System\wmnetmgr.dll
----a-w 1,119,744 2006-02-28 12:00:00 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$TEMP$\System\wmsdmoe2.dll
----a-w 896,512 2006-02-28 12:00:00 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$TEMP$\System\wmspdmoe.dll
----a-w 2,174,976 2006-12-07 07:02:24 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$TEMP$\System\wmvcore.dll
----a-w 1,001,472 2006-02-28 12:00:00 C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$TEMP$\System\wmvdmoe2.dll
----a-w 294,912 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\blackbox.dll
----a-w 258,296 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\drmclien.dll
----a-w 96,768 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\drmstor.dll
----a-w 502,272 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\drmv2clt.dll
----a-w 142,336 2005-01-28 03:44:28 C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\msnetobj.dll
----a-w 286,208 2006-02-28 12:00:00 C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}$BACKUP$\System\blackbox.dll
----a-w 299,520 2006-02-28 12:00:00 C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}$BACKUP$\System\drmclien.dll
----a-w 87,040 2006-02-28 12:00:00 C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}$BACKUP$\System\drmstor.dll
----a-w 695,296 2006-02-28 12:00:00 C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}$BACKUP$\System\drmv2clt.dll
----a-w 259,072 2006-02-28 12:00:00 C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}$BACKUP$\System\msnetobj.dll
----a-w 17,474,680 2007-09-06 02:50:42 C:\WINDOWS\system32\MRT.exe
----a-w 1,275,392 2007-05-08 05:03:04 C:\WINDOWS\system32\msxml4.dll
-c----w 286,208 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\blackbox.dll
-c----w 159,232 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\cewmdm.dll
-c--a-w 258,296 2005-01-28 03:44:28 C:\WINDOWS\system32\dllcache\drmclien.dll
-c----w 87,040 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\drmstor.dll
-c----w 695,296 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\drmv2clt.dll
-c----w 6,656 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\laprxy.dll
-c----w 103,936 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\logagent.exe
-c----w 259,072 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\msnetobj.dll
-c----w 52,224 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\mspmsnsv.dll
-c----w 201,728 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\mspmsp.dll
-c----w 356,352 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\msscp.dll
-c----w 245,760 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\mswmdm.dll
-c----w 237,568 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\qasf.dll
-c--a-w 396,528 2005-01-28 03:44:28 C:\WINDOWS\system32\dllcache\wmadmod.dll
-c----w 670,720 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\wmadmoe.dll
-c----w 27,136 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\wmdmlog.dll
-c----w 23,552 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\wmdmps.dll
-c----w 1,050,624 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\wmnetmgr.dll
-c----w 759,296 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\wmsdmod.dll
-c----w 1,119,744 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\wmsdmoe2.dll
-c----w 484,864 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\wmspdmod.dll
-c----w 896,512 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\wmspdmoe.dll
-c----w 809,984 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\wmvdmod.dll
-c----w 1,001,472 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\wmvdmoe2.dll
----a-w 82,432 2007-04-18 00:36:40 C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\msxml4r.dll
----a-w 1,275,392 2007-05-08 05:06:44 C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9848.0_x-ww_1b897e9a\msxml4.dll
.
----a-r 10,134 2007-09-10 12:56:34 C:\WINDOWS\Installer\{0D80391C-0A72-43BB-9BC2-143F63CC111D}\ARPPRODUCTICON.exe
----a-r 15,086 2007-09-10 12:58:58 C:\WINDOWS\Installer\{531317A5-586A-4E36-87C1-CA823447B375}\ARPPRODUCTICON.exe
----a-r 3,262 2007-09-10 12:56:06 C:\WINDOWS\Installer\{6882DD11-33B8-4DEA-8305-7E765BF74BD3}\ARPPRODUCTICON.exe
----a-w 16,789,464 2007-08-02 11:34:12 C:\WINDOWS\system32\MRT.exe
----a-w 1,233,920 2003-04-18 06:46:22 C:\WINDOWS\system32\msxml4.dll
-c--a-w 286,208 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\blackbox.dll
-c--a-w 159,232 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\cewmdm.dll
-c--a-w 299,520 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\drmclien.dll
-c--a-w 87,040 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\drmstor.dll
-c--a-w 695,296 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\drmv2clt.dll
-c--a-w 6,656 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\laprxy.dll
-c--a-w 103,936 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\logagent.exe
-c--a-w 259,072 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\msnetobj.dll
-c--a-w 52,224 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\mspmsnsv.dll
-c--a-w 201,728 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\mspmsp.dll
-c--a-w 356,352 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\msscp.dll
-c--a-w 245,760 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\mswmdm.dll
-c--a-w 237,568 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\qasf.dll
-c--a-w 408,064 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\wmadmod.dll
-c--a-w 670,720 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\wmadmoe.dll
-c--a-w 27,136 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\wmdmlog.dll
-c--a-w 23,552 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\wmdmps.dll
-c--a-w 1,050,624 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\wmnetmgr.dll
-c--a-w 759,296 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\wmsdmod.dll
-c--a-w 1,119,744 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\wmsdmoe2.dll
-c--a-w 484,864 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\wmspdmod.dll
-c--a-w 896,512 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\wmspdmoe.dll
-c--a-w 809,984 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\wmvdmod.dll
-c--a-w 1,001,472 2006-02-28 12:00:00 C:\WINDOWS\system32\dllcache\wmvdmoe2.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]
"eTrustPPAP"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe" [2007-09-04 15:02]
"QOELOADER"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe" [2007-09-03 21:01]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 22:00]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"PowerBar"="C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" [2004-04-21 10:26]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft System Service"=taskmgr1.exe
"WindXpUpdate32"=WindXpUpdate

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

R2 NMSSvc;Intel® NMS;C:\WINDOWS\system32\NMSSvc.exe
R3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\system32\drivers\NMSCFG.SYS
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys
S0 szkg;szkg;C:\WINDOWS\system32\DRIVERS\szkg.sys
S3 FXDRV;FXDRV;\??\D:\Fxdrv.sys
S3 SNPHV71;PC Camera (602a VGA);C:\WINDOWS\system32\DRIVERS\snphv71.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5B5C4767-D8DE-AB3B-7ED0-86C27EE5D2BE}]
C:\Documents and Settings\Owner\My Documents\Downloads\Adobe Photoshop CS3 Crack+Keygen\Keygen.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-09-13 15:15:11 C:\WINDOWS\Tasks\PPv5Scan_Daily as Owner at 1 15 AM.job"
- C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\ppv5consumercl.exe
"2007-09-13 16:15:10 C:\WINDOWS\Tasks\PPv5Scan_Daily as Owner at 2 15 AM.job"
- C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\ppv5consumercl.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-14 13:41:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-14 13:45:04
C:\ComboFix-quarantined-files.txt ... 2007-09-14 13:45
C:\ComboFix2.txt ... 2007-09-13 08:41
C:\ComboFix3.txt ... 2007-09-11 15:45
.
--- E O F ---
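The ComboFix "Reg Loading Points" block above is where the entries the helper goes after in the following replies first show up (the two RunServices values with no path, and the AppInit_DLLs value). As an added example, not a tool from this thread or from the ComboFix author, here is a small Python triage script that parses that block and flags such entries; the sample lines are constructed from the log above, and the flagging rules are the editor's own heuristics.

```python
"""Triage helper for a ComboFix "Reg Loading Points" section (added example).

Flags the kinds of autostart entries a malware-removal helper looks at first:
  * a value that is a bare file name rather than an absolute path, so the log
    cannot say where the file lives (it is resolved through the PATH search order)
  * a value with no bracketed file date, which in ComboFix output generally
    means no file was found on disk at scan time (treated here as a heuristic)
  * any entry in the RunServices key, a Windows 9x-era location that
    legitimate software on NT-based Windows rarely uses
  * a populated AppInit_DLLs value, which loads the DLL into every process
    that links user32.dll
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a cut-down copy of the thread's "Reg Loading Points" block.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 22:00]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft System Service"=taskmgr1.exe
"WindXpUpdate32"=WindXpUpdate

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# "name"=value, optionally followed by ComboFix's bracketed file date: [2007-08-08 15:53] or []
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*?)(?:\s+\[(?P<stamp>[^\]]*)\])?$')
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Entry:
    key: str
    name: str
    value: str
    stamp: Optional[str]          # None: no bracket in the log; "": empty bracket "[]"
    reasons: List[str] = field(default_factory=list)


def parse_loading_points(text: str) -> List[Entry]:
    """Turn the [HKEY_...] headers and "name"=value lines into Entry records."""
    entries: List[Entry] = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        entry_match = ENTRY_RE.match(line)
        if entry_match and current_key:
            entries.append(Entry(
                key=current_key,
                name=entry_match.group("name"),
                value=entry_match.group("value").strip().strip('"'),
                stamp=entry_match.group("stamp"),
            ))
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach a reason to every entry that deserves a closer look; return only those."""
    flagged = []
    for e in entries:
        key = e.key.lower()
        is_appinit = key.endswith("\\windows nt\\currentversion\\windows") and e.name.lower() == "appinit_dlls"
        if is_appinit:
            if e.value:
                e.reasons.append("AppInit_DLLs is populated: this DLL is injected into every user32-linked process")
        else:
            if not ABS_PATH_RE.match(e.value):
                e.reasons.append("bare file name, not an absolute path: location cannot be verified from the log")
            if not e.stamp:
                e.reasons.append("no file date recorded: the file was not located on disk at scan time")
            if key.endswith("\\runservices"):
                e.reasons.append("RunServices is a Windows 9x-era key that legitimate XP software rarely uses")
        if e.reasons:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(parse_loading_points(SAMPLE_LOG)):
        print(f'{e.key}\n  "{e.name}" = {e.value}')
        for r in e.reasons:
            print(f"    - {r}")
```

Run against the sample, the two RunServices entries collect three reasons each, the Uniblue entry is flagged only for its empty date bracket, and the two fully-pathed, dated entries are left alone.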

#9 User is offline   Aaflac 

  • Doin' Dis 'n Dat...
  • Group: Malware Response Team
  • Posts: 1,178
  • Joined: 15-September 06
  • Gender:Not Telling
  • Location:USA

Posted 15 September 2007 - 08:04 PM

Please open Notepad (Start > Run > in the Open field type: notepad)
Click: OK

Copy/paste the blue text below to Notepad:

KILLALL::

File::
C:\WINDOWS\System32\taskmgr1.exe
C:\WINDOWS\system32\WindXpUpdate
C:\WINDOWS\system32\drvdij.dll
C:\WINDOWS\system32\drvpar.dll
C:\WINDOWS\system32\bdod.bin
C:\Program Files\44591875.exe
C:\Program Files\44509984.exe
C:\Program Files\44436359.exe
C:\Program Files\44362968.exe
C:\Program Files\44284656.exe
C:\Program Files\44207734.exe
C:\Program Files\44134109.exe
C:\Program Files\44063765.exe
C:\Program Files\43995687.exe
C:\Program Files\setup.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft System Service"=-
"WindXpUpdate32"=-


Save as CFScript.txt <-Important!!
Change the Save as type to: All Files
Save it to the Desktop.

Posted Image


Referring to the screenshot above, drag CFScript.txt >>> into >>> ComboFix.exe
ComboFix runs a scan on your system, and may reboot when it finishes. This is normal.

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

When finished, a log is produced: ComboFix.txt

~~~~
Run HijackThis once again to obtain a new log.

~~~~
Please provide the contents of the new ComboFix log, and the new HijackThis log in your reply.
To do is to be - Socrates

#10 User is offline   LiLcOoKiE 

  • New Member
  • Group: Members
  • Posts: 12
  • Joined: 08-September 07

Posted 18 September 2007 - 08:30 PM

I tried doing what you said about 4 times, and every time my computer would go all weird and I'd get a blue screen talking about a system dump and that something went wrong, and avast anti-virus would pop up saying something about an infection just beforehand.

#11 User is offline   Aaflac 

  • Doin' Dis 'n Dat...
  • Group: Malware Response Team
  • Posts: 1,178
  • Joined: 15-September 06
  • Gender:Not Telling
  • Location:USA

Posted 19 September 2007 - 08:31 AM

Try one more time, but this time use the following Script:

Copy/paste the blue text below to Notepad:


File::
C:\WINDOWS\System32\taskmgr1.exe
C:\WINDOWS\system32\WindXpUpdate
C:\WINDOWS\system32\drvdij.dll
C:\WINDOWS\system32\drvpar.dll
C:\WINDOWS\system32\bdod.bin
C:\Program Files\44591875.exe
C:\Program Files\44509984.exe
C:\Program Files\44436359.exe
C:\Program Files\44362968.exe
C:\Program Files\44284656.exe
C:\Program Files\44207734.exe
C:\Program Files\44134109.exe
C:\Program Files\44063765.exe
C:\Program Files\43995687.exe
C:\Program Files\setup.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft System Service"=-
"WindXpUpdate32"=-

To do is to be - Socrates

#12 User is offline   LiLcOoKiE 

  • New Member
  • Group: Members
  • Posts: 12
  • Joined: 08-September 07

Posted 20 September 2007 - 01:29 AM

That still didn't work.

#13 User is offline   Aaflac 

  • Doin' Dis 'n Dat...
  • Group: Malware Response Team
  • Posts: 1,178
  • Joined: 15-September 06
  • Gender:Not Telling
  • Location:USA

Posted 20 September 2007 - 08:52 AM

Please run HijackThis, Scan
Check box for:

O4 - HKLM\..\RunServices: [Microsoft System Service] taskmgr1.exe
O4 - HKLM\..\RunServices: [WindXpUpdate32] WindXpUpdate

Select: Fix checked

~~~~
Next, download OTMoveIt by OldTimer.
Save it to the Desktop
Double-click OTMoveIt.exe to run it.
Copy the file paths below (blue) by highlighting all of them, right-clicking and choosing Copy:


C:\WINDOWS\System32\taskmgr1.exe
C:\WINDOWS\system32\WindXpUpdate
C:\WINDOWS\system32\drvdij.dll
C:\WINDOWS\system32\drvpar.dll
C:\WINDOWS\system32\bdod.bin
C:\Program Files\44591875.exe
C:\Program Files\44509984.exe
C:\Program Files\44436359.exe
C:\Program Files\44362968.exe
C:\Program Files\44284656.exe
C:\Program Files\44207734.exe
C:\Program Files\44134109.exe
C:\Program Files\44063765.exe
C:\Program Files\43995687.exe
C:\Program Files\setup.exe


Return to OTMoveIt, right click Paste List of Files/Folders to be moved and choose Paste.
Click the red Moveit! button.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes

Copy the text on the Results window to post in your reply.

The log from OTMoveIt located at:

C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date the tool was run.

Close OTMoveIt

~~~~
If not asked to restart the computer, please do so now.

~~~~
Please run HijackThis once again to obtain a new log.

~~~~
Please post the OTMoveIt results, and the new HijackThis log in your reply.

This post has been edited by Aaflac: 20 September 2007 - 10:29 AM

To do is to be - Socrates

#14 User is offline   LiLcOoKiE 

  • New Member
  • Group: Members
  • Posts: 12
  • Joined: 08-September 07

Posted 24 September 2007 - 07:45 AM

Moveit results:
File/Folder C:\WINDOWS\System32\taskmgr1.exe not found.
File/Folder C:\WINDOWS\system32\WindXpUpdate not found.
File/Folder C:\WINDOWS\system32\drvdij.dll not found.
File/Folder C:\WINDOWS\system32\drvpar.dll not found.
File/Folder C:\WINDOWS\system32\bdod.bin not found.
File/Folder C:\Program Files\44591875.exe not found.
File/Folder C:\Program Files\44509984.exe not found.
File/Folder C:\Program Files\44436359.exe not found.
File/Folder C:\Program Files\44362968.exe not found.
File/Folder C:\Program Files\44284656.exe not found.
File/Folder C:\Program Files\44207734.exe not found.
File/Folder C:\Program Files\44134109.exe not found.
File/Folder C:\Program Files\44063765.exe not found.
File/Folder C:\Program Files\43995687.exe not found.
File/Folder C:\Program Files\setup.exe not found.

Created on 09-21-2007 00:32:28

hjt:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:09, on 2007-09-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189168616843
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Unknown owner - C:\Program Files\Sygate\SPF\smc.exe (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 6434 bytes

#15 User is offline   Aaflac 

  • Doin' Dis 'n Dat...
  • Group: Malware Response Team
  • Posts: 1,178
  • Joined: 15-September 06
  • Gender:Not Telling
  • Location:USA

Posted 24 September 2007 - 09:08 PM

Please remove the version of ComboFix you downloaded, and download this one: ComboFix.exe
(This program is updated quite often.)

Save it to the Desktop

Double-click combofix.exe to run the program
Follow the prompts.
(Don't click on the window while the program is running; it may cause your system to stall.)

When finished, a log, ComboFix.txt, is produced.

Please post the ComboFix.txt in your reply.
To do is to be - Socrates
