Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Grayware Still On My Pc Need Help Removing


  • This topic is locked This topic is locked
14 replies to this topic

#1 SuperQuad

SuperQuad

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:07:29 AM

Posted 20 July 2007 - 03:03 PM

Hello,

Went through the whole process of the "Preparation Guide before posting Hijackthis" yesterday
and still having problems with popups on my computer when i try to navigate to a new webpage through internet explorer. Another thing is when i restart my computer about 15 mins after i start getting the pop ups i get a "+ MY AOL" icon that pops up and seems to freeze on my desktop, when i scroll over it, it gives me the hand cursor like it is for a link but does not do anything.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:00 PM, on 7/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1142470437\ee\AOLSoftware.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\MA111v2 USB Adapter\MA111v2.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\program files\aol\aol toolbar 3.1\aoltbhelper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Full Tilt Poker\FullTiltPoker.exe
C:\Program Files\PokerStars\PokerStars.exe
C:\Program Files\BugsysClub Software\BugsysClub Software.exe
C:\Program Files\BugsysClub Software\jre\bin\javaw.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11cb0275-578e-47bd-8a00-cd2d724027c0} - C:\WINDOWS\system32\jkbdlty.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [POEngine] "C:\Program Files\PokerOffice\POEngine.exe" C:\Program Files\PokerOffice
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142470437\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UltimateBuddy] C:\Program Files\UltimateBuddy\UltimateBuddy.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.7.4\webbuying.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: StripSaver2.lnk = C:\Program Files\StripSaver2\StripSaver2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111v2 USB Adapter\MA111v2.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Big Dollar Poker - {01486271-B86B-49ad-9917-A14EA656A534} - C:\Program Files\bigdollarMPP\MPPoker.exe (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Wild Jack Poker - {17709D14-4A02-42c6-B9FA-18C90A851F51} - C:\Program Files\wildjackMPP\MPPoker.exe (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: VC Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\VCPOKE~1\client.exe (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe
O9 - Extra button: PokerTime Poker - {7220F1C9-B7E0-47a6-A0BD-D5B3940BCC79} - C:\Program Files\PokerTimeMPP\MPPoker.exe (file missing)
O9 - Extra button: Golden Tiger Poker - {772B5BF8-12E8-4a5d-B48F-652B5E82025D} - C:\Program Files\goldentigerMPP\MPPoker.exe (file missing)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra button: All In Poker - {7FD14A80-30CB-434e-90A3-DEC1B1EA2014} - C:\Program Files\allinpokerMPP\MPPoker.exe (file missing)
O9 - Extra button: River Belle Poker - {83F8B625-1B04-4c35-8BA1-6DB4D7EDBADF} - C:\Program Files\riverbelleMPP\MPPoker.exe (file missing)
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: The Gaming Club Poker - {A18AC347-2CA3-4e5d-AB86-33BFC7EEB931} - C:\Program Files\gamingclubMPP\MPPoker.exe (file missing)
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Big Chip Poker - {BDA7A460-FFDB-4093-9120-F82DD89F5924} - C:\Documents and Settings\All Users\Start Menu\Programs\Big Chip Poker\Big Chip Poker.lnk (file missing)
O9 - Extra 'Tools' menuitem: Big Chip Poker - {BDA7A460-FFDB-4093-9120-F82DD89F5924} - C:\Documents and Settings\All Users\Start Menu\Programs\Big Chip Poker\Big Chip Poker.lnk (file missing)
O9 - Extra button: Grand Bay Poker - {D9BE040A-93CF-4cff-921E-F1D6AE024034} - C:\Program Files\grandbayMPP\MPPoker.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: NordicBet Poker - {E6073F93-9541-4be4-9800-109D378EB99B} - C:\Program Files\nordicbetMPP\MPPoker.exe (file missing)
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} (Nyoko Downloader Class) - http://www.riverbellepoker.com/download_helper/Nyoko.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 14566 bytes

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:29 PM

Posted 21 July 2007 - 01:26 AM

Hello,

I see you have Viewpoint installed...
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Also uninstall UltimateBuddy and WebBuying if still present.

Then reboot.

After reboot, * Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SuperQuad

SuperQuad
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:07:29 AM

Posted 21 July 2007 - 02:01 AM

"GREG" - 2007-07-20 23:47:20 - ComboFix 07-07-21.4 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\ms04180961-6612007.exe
C:\WINDOWS\system32\jkbdlty.dll


((((((((((((((((((((((((( Files Created from 2007-06-21 to 2007-07-21 )))))))))))))))))))))))))))))))


2007-07-20 23:46 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-20 23:45 1,235,144 --a------ C:\Program Files\ComboFix.exe
2007-07-20 00:51 812,344 --a------ C:\Program Files\HJTInstall.exe
2007-07-20 00:51 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-19 23:43 1,893,383 --a------ C:\Program Files\stinger.exe
2007-07-19 21:49 <DIR> d-------- C:\DOCUME~1\GREG\.housecall6.6
2007-07-19 20:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-19 19:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-19 19:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-18 00:55 3,710,431 --a------ C:\Program Files\patch21603d.exe
2007-07-08 17:45 <DIR> d-------- C:\DOCUME~1\GREG\APPLIC~1\Talkback
2007-07-03 14:02 192,512 --a------ C:\WINDOWS\win3210-6611809612007.exe
2007-07-03 14:02 192,512 --a------ C:\WINDOWS\win320861-66118092007.exe
2007-07-01 01:59 <DIR> d-------- C:\Program Files\PlayersOnly Poker
2007-07-01 01:58 11,244,960 --a------ C:\Program Files\FullPlayersOnlySetup.1.0.56.exe
2007-06-29 13:33 192,512 --a------ C:\WINDOWS\ms10-6611809612007.exe
2007-06-28 23:56 <DIR> d-------- C:\Program Files\support.com
2007-06-28 23:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Support.com
2007-06-27 18:15 14,993,976 --a------ C:\Program Files\GoogleEarthWin.exe
2007-06-22 00:32 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-06-22 00:32 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-22 00:32 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-22 00:32 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-22 00:32 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-22 00:32 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-22 00:32 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-22 00:32 <DIR> d-------- C:\Program Files\Alwil Software


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-21 06:43:19 -------- d-----w C:\Program Files\Greetings Workshop
2007-07-21 06:43:11 -------- d-----w C:\Program Files\Plaxo
2007-07-21 06:42:47 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-21 06:40:52 -------- d-----w C:\Program Files\Full Tilt Poker
2007-07-20 19:38:26 -------- d-----w C:\Program Files\BugsysClub Software
2007-07-20 19:35:22 -------- d-----w C:\Program Files\PokerStars
2007-07-20 07:48:12 5,659,648 ----a-w C:\Program Files\spf.msi
2007-07-20 07:33:02 17 ----a-w C:\Program Files\stinger.opt
2007-07-20 06:15:28 -------- d-----w C:\Program Files\QuickTime
2007-07-20 02:43:15 -------- d-----w C:\Program Files\Lavasoft
2007-07-19 21:50:03 -------- d-----w C:\Program Files\Bodog Poker
2007-07-19 20:53:50 -------- d-----w C:\Program Files\Poker Tracker V2
2007-07-06 07:32:50 -------- d-----w C:\Program Files\UltimateBet
2007-06-22 07:31:10 15,213,416 ----a-w C:\Program Files\setupeng.exe
2007-06-15 19:43:08 53,248 ----a-w C:\WINDOWS\uni_eh43.exe
2007-06-04 22:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 22:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 22:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-23 22:38:12 -------- d-----w C:\DOCUME~1\GREG\APPLIC~1\LimeWire
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-09 18:56:36 761,320 ----a-w C:\Program Files\ubuddyupdate.exe
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2006-11-04 10:15:58 509,768 ----a-w C:\Program Files\Google Installer.exe
2006-09-22 10:02:41 2,855,080 ----a-w C:\Program Files\aawsepersonal.exe
2006-08-25 10:17:02 184,320 ----a-w C:\Program Files\UltimateHistory.exe
2006-08-25 10:04:39 916,010 ----a-w C:\Program Files\Poker.exe
2006-08-25 10:03:40 15,807,701 ----a-w C:\Program Files\pt2su.exe
2006-08-16 05:45:54 7,520,232 ----a-w C:\Program Files\ubsetup.exe
2006-08-04 04:38:09 152,327 ----a-w C:\Program Files\clientinstall.exe
2006-07-11 01:34:32 864,511 ----a-w C:\Program Files\capex.exe
2006-06-16 00:57:32 3,799,397 ----a-w C:\Program Files\pokerskins-setup.exe
2006-06-15 03:43:29 5,691,224 ----a-w C:\Program Files\MANSIONSetup.exe
2006-06-08 09:10:16 22,083,376 ----a-w C:\Program Files\QuickTimeInstaller.exe
2006-03-07 23:11:27 3,033,180 ----a-w C:\Program Files\ubuddysetup.exe
2006-01-21 03:47:30 20,921,040 ----a-w C:\Program Files\AdbeRdr705_enu_full.exe
2006-01-21 03:42:59 762,512 ----a-w C:\Program Files\ytb612_efgsip.exe
2005-10-20 10:23:51 35,328 ----a-w C:\Program Files\atl98.dll
2005-08-09 01:53:40 3,870,720 ----a-w C:\Program Files\AbsolutePoker5_5_14.exe
2005-08-09 01:46:47 3,296,864 ----a-w C:\Program Files\BodogPokerClient.exe
2005-06-25 08:02:34 17,160,609 ----a-w C:\Program Files\BugsySetup.exe
2005-06-24 23:08:58 21,904,216 ----a-w C:\Program Files\iTunesSetup.exe
2004-12-06 22:16:28 266,240 ----a-w C:\Program Files\WebInstaller.exe
2004-12-01 03:30:17 3,362,496 ----a-w C:\Program Files\PokerStarsInstall.exe
2004-12-01 03:28:51 7,117,489 ----a-w C:\Program Files\FullTiltSetup.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"POEngine"="C:\Program Files\PokerOffice\POEngine.exe" []
"HostManager"="C:\Program Files\Common Files\AOL\1142470437\ee\AOLSoftware.exe" [2006-05-09 17:24]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 09:59]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-12-19 21:13]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-04 03:47]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
"UltimateBuddy"="C:\Program Files\UltimateBuddy\UltimateBuddy.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 08:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" []
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-12-08 14:55]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2006-05-09 17:24]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe" [2006-11-16 13:42]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]

C:\Documents and Settings\GREG\Start Menu\Programs\Startup\
Greetings Workshop Reminders.lnk - C:\Program Files\Greetings Workshop\GWREMIND.EXE [1997-09-04 01:00:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

023 - dot4 - system32\DRIVERS\Dot4.sys
023 - dot4print - system32\DRIVERS\Dot4Prt.sys
023 - dot4scan - system32\DRIVERS\Dot4Scan.sys
023 - dot4usb - system32\DRIVERS\dot4usb.sys
023 - i81x - system32\DRIVERS\i81xnt5.sys
023 - iaimfp0 - system32\DRIVERS\wADV01nt.sys
023 - iaimfp1 - system32\DRIVERS\wADV02NT.sys
023 - iaimfp2 - system32\DRIVERS\wADV05NT.sys
023 - iaimfp3 - system32\DRIVERS\wSiINTxx.sys
023 - iaimfp4 - system32\DRIVERS\wVchNTxx.sys
023 - iaimfp5 - system32\DRIVERS\wADV07nt.sys
023 - iaimfp6 - system32\DRIVERS\wADV08nt.sys
023 - iaimfp7 - system32\DRIVERS\wADV09nt.sys
023 - iaimtv0 - system32\DRIVERS\wATV01nt.sys
023 - iaimtv1 - system32\DRIVERS\wATV02NT.sys
023 - iaimtv3 - system32\DRIVERS\wATV04nt.sys
023 - iaimtv4 - system32\DRIVERS\wCh7xxNT.sys
023 - iaimtv5 - system32\DRIVERS\wATV10nt.sys
023 - iaimtv6 - system32\DRIVERS\wATV06nt.sys
023 - ltmodem5 - system32\DRIVERS\ltmdmnt.sys
023 - ms_mpu401 - system32\drivers\msmpu401.sys
023 - p3 - system32\DRIVERS\p3.sys
023 - sbcphid - \??\C:\WINDOWS\system32\Drivers\SbcpHid.sys
023 - sisnpf - system32\drivers\SISNPF.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-20 23:50:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-20 23:51:53
C:\ComboFix-quarantined-files.txt ... 2007-07-20 23:51

--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:05 AM, on 7/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\AOL\1142470437\ee\AOLSoftware.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\NETGEAR\MA111v2 USB Adapter\MA111v2.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\aol\aol toolbar 3.1\aoltbhelper.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [POEngine] "C:\Program Files\PokerOffice\POEngine.exe" C:\Program Files\PokerOffice
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142470437\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UltimateBuddy] C:\Program Files\UltimateBuddy\UltimateBuddy.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: StripSaver2.lnk = C:\Program Files\StripSaver2\StripSaver2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111v2 USB Adapter\MA111v2.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Big Dollar Poker - {01486271-B86B-49ad-9917-A14EA656A534} - C:\Program Files\bigdollarMPP\MPPoker.exe (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Wild Jack Poker - {17709D14-4A02-42c6-B9FA-18C90A851F51} - C:\Program Files\wildjackMPP\MPPoker.exe (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: VC Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\VCPOKE~1\client.exe (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe
O9 - Extra button: PokerTime Poker - {7220F1C9-B7E0-47a6-A0BD-D5B3940BCC79} - C:\Program Files\PokerTimeMPP\MPPoker.exe (file missing)
O9 - Extra button: Golden Tiger Poker - {772B5BF8-12E8-4a5d-B48F-652B5E82025D} - C:\Program Files\goldentigerMPP\MPPoker.exe (file missing)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra button: All In Poker - {7FD14A80-30CB-434e-90A3-DEC1B1EA2014} - C:\Program Files\allinpokerMPP\MPPoker.exe (file missing)
O9 - Extra button: River Belle Poker - {83F8B625-1B04-4c35-8BA1-6DB4D7EDBADF} - C:\Program Files\riverbelleMPP\MPPoker.exe (file missing)
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: The Gaming Club Poker - {A18AC347-2CA3-4e5d-AB86-33BFC7EEB931} - C:\Program Files\gamingclubMPP\MPPoker.exe (file missing)
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Big Chip Poker - {BDA7A460-FFDB-4093-9120-F82DD89F5924} - C:\Documents and Settings\All Users\Start Menu\Programs\Big Chip Poker\Big Chip Poker.lnk (file missing)
O9 - Extra 'Tools' menuitem: Big Chip Poker - {BDA7A460-FFDB-4093-9120-F82DD89F5924} - C:\Documents and Settings\All Users\Start Menu\Programs\Big Chip Poker\Big Chip Poker.lnk (file missing)
O9 - Extra button: Grand Bay Poker - {D9BE040A-93CF-4cff-921E-F1D6AE024034} - C:\Program Files\grandbayMPP\MPPoker.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: NordicBet Poker - {E6073F93-9541-4be4-9800-109D378EB99B} - C:\Program Files\nordicbetMPP\MPPoker.exe (file missing)
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} (Nyoko Downloader Class) - http://www.riverbellepoker.com/download_helper/Nyoko.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 13566 bytes

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:29 PM

Posted 21 July 2007 - 02:25 AM

Hi,

I see you have a lot of pokergames installed.. Most of them are already removed, but some leftovers remain in the registry. Keep in mind, Pokergames may be a risk since malware may be lurking there.

Perform next steps in the right order..

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [UltimateBuddy] C:\Program Files\UltimateBuddy\UltimateBuddy.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
<= it's a bad idea to let p2p programs startup with Windows
O4 - Startup: StripSaver2.lnk = C:\Program Files\StripSaver2\StripSaver2.exe
O9 - Extra button: Big Dollar Poker - {01486271-B86B-49ad-9917-A14EA656A534} - C:\Program Files\bigdollarMPP\MPPoker.exe (file missing)
O9 - Extra button: Wild Jack Poker - {17709D14-4A02-42c6-B9FA-18C90A851F51} - C:\Program Files\wildjackMPP\MPPoker.exe (file missing)
O9 - Extra button: VC Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\VCPOKE~1\client.exe (file missing)
O9 - Extra button: PokerTime Poker - {7220F1C9-B7E0-47a6-A0BD-D5B3940BCC79} - C:\Program Files\PokerTimeMPP\MPPoker.exe (file missing)
O9 - Extra button: Golden Tiger Poker - {772B5BF8-12E8-4a5d-B48F-652B5E82025D} - C:\Program Files\goldentigerMPP\MPPoker.exe (file missing)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra button: All In Poker - {7FD14A80-30CB-434e-90A3-DEC1B1EA2014} - C:\Program Files\allinpokerMPP\MPPoker.exe (file missing)
O9 - Extra button: River Belle Poker - {83F8B625-1B04-4c35-8BA1-6DB4D7EDBADF} - C:\Program Files\riverbelleMPP\MPPoker.exe (file missing)
O9 - Extra button: The Gaming Club Poker - {A18AC347-2CA3-4e5d-AB86-33BFC7EEB931} - C:\Program Files\gamingclubMPP\MPPoker.exe (file missing)
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Big Chip Poker - {BDA7A460-FFDB-4093-9120-F82DD89F5924} - C:\Documents and Settings\All Users\Start Menu\Programs\Big Chip Poker\Big Chip Poker.lnk (file missing)
O9 - Extra 'Tools' menuitem: Big Chip Poker - {BDA7A460-FFDB-4093-9120-F82DD89F5924} - C:\Documents and Settings\All Users\Start Menu\Programs\Big Chip Poker\Big Chip Poker.lnk (file missing)
O9 - Extra button: Grand Bay Poker - {D9BE040A-93CF-4cff-921E-F1D6AE024034} - C:\Program Files\grandbayMPP\MPPoker.exe (file missing)
O9 - Extra button: NordicBet Poker - {E6073F93-9541-4be4-9800-109D378EB99B} - C:\Program Files\nordicbetMPP\MPPoker.exe (file missing)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe (file missing)
O16 - DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} (Nyoko Downloader Class) - http://www.riverbellepoker.com/download_helper/Nyoko.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab


Some programs also seem to be missing but the startupentries are still present in your HijackThislog, so you may check next entries as well:

O4 - HKLM\..\Run: [POEngine] "C:\Program Files\PokerOffice\POEngine.exe" C:\Program Files\PokerOffice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\win3210-6611809612007.exe
C:\WINDOWS\win320861-66118092007.exe
C:\Program Files\ubuddyupdate.exe

Collect::[8]
C:\WINDOWS\ms10-6611809612007.exe
C:\Program Files\patch21603d.exe


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. * it will create a zipped file on your Desktop - [8]-Submit_Date_Time.zip
* another file will be present on your desktop: CF-Submit.htm which will open after you ran Combofix.
* Where it says: "Submit files for further analysis", click OK and a browser Window will open. There you'll see: "copy/paste filepath into the box & click OK". You'll find the filepath below, so copy and paste this in the above field and click OK.

Then, post the contents of Combofix.txt in your next reply together with a new HijackThislog.

Edited by miekiemoes, 21 July 2007 - 02:26 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 SuperQuad

SuperQuad
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:07:29 AM

Posted 21 July 2007 - 04:53 AM

"GREG" - 2007-07-21 2:47:03 - ComboFix 07-07-21.4 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\GREG\Desktop 1\CFScript.txt


((((((((((((((((((((((((( Files Created from 2007-06-21 to 2007-07-21 )))))))))))))))))))))))))))))))


2007-07-20 23:46 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-20 23:45 1,235,144 --a------ C:\Program Files\ComboFix.exe
2007-07-20 00:51 812,344 --a------ C:\Program Files\HJTInstall.exe
2007-07-20 00:51 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-19 23:43 1,893,383 --a------ C:\Program Files\stinger.exe
2007-07-19 21:49 <DIR> d-------- C:\DOCUME~1\GREG\.housecall6.6
2007-07-19 20:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-19 19:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-19 19:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-08 17:45 <DIR> d-------- C:\DOCUME~1\GREG\APPLIC~1\Talkback
2007-07-01 01:59 <DIR> d-------- C:\Program Files\PlayersOnly Poker
2007-07-01 01:58 11,244,960 --a------ C:\Program Files\FullPlayersOnlySetup.1.0.56.exe
2007-06-28 23:56 <DIR> d-------- C:\Program Files\support.com
2007-06-28 23:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Support.com
2007-06-27 18:15 14,993,976 --a------ C:\Program Files\GoogleEarthWin.exe
2007-06-22 00:32 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-06-22 00:32 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-22 00:32 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-22 00:32 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-22 00:32 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-22 00:32 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-22 00:32 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-22 00:32 <DIR> d-------- C:\Program Files\Alwil Software


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-21 07:55:13 -------- d-----w C:\Program Files\Full Tilt Poker
2007-07-21 07:00:18 -------- d-----w C:\Program Files\Greetings Workshop
2007-07-21 06:43:11 -------- d-----w C:\Program Files\Plaxo
2007-07-21 06:42:47 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-20 19:38:26 -------- d-----w C:\Program Files\BugsysClub Software
2007-07-20 19:35:22 -------- d-----w C:\Program Files\PokerStars
2007-07-20 07:48:12 5,659,648 ----a-w C:\Program Files\spf.msi
2007-07-20 07:33:02 17 ----a-w C:\Program Files\stinger.opt
2007-07-20 06:15:28 -------- d-----w C:\Program Files\QuickTime
2007-07-20 02:43:15 -------- d-----w C:\Program Files\Lavasoft
2007-07-19 21:50:03 -------- d-----w C:\Program Files\Bodog Poker
2007-07-19 20:53:50 -------- d-----w C:\Program Files\Poker Tracker V2
2007-07-06 07:32:50 -------- d-----w C:\Program Files\UltimateBet
2007-06-22 07:31:10 15,213,416 ----a-w C:\Program Files\setupeng.exe
2007-06-15 19:43:08 53,248 ----a-w C:\WINDOWS\uni_eh43.exe
2007-06-04 22:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 22:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 22:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-23 22:38:12 -------- d-----w C:\DOCUME~1\GREG\APPLIC~1\LimeWire
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2006-11-04 10:15:58 509,768 ----a-w C:\Program Files\Google Installer.exe
2006-09-22 10:02:41 2,855,080 ----a-w C:\Program Files\aawsepersonal.exe
2006-08-25 10:17:02 184,320 ----a-w C:\Program Files\UltimateHistory.exe
2006-08-25 10:04:39 916,010 ----a-w C:\Program Files\Poker.exe
2006-08-25 10:03:40 15,807,701 ----a-w C:\Program Files\pt2su.exe
2006-08-16 05:45:54 7,520,232 ----a-w C:\Program Files\ubsetup.exe
2006-08-04 04:38:09 152,327 ----a-w C:\Program Files\clientinstall.exe
2006-07-11 01:34:32 864,511 ----a-w C:\Program Files\capex.exe
2006-06-16 00:57:32 3,799,397 ----a-w C:\Program Files\pokerskins-setup.exe
2006-06-15 03:43:29 5,691,224 ----a-w C:\Program Files\MANSIONSetup.exe
2006-06-08 09:10:16 22,083,376 ----a-w C:\Program Files\QuickTimeInstaller.exe
2006-03-07 23:11:27 3,033,180 ----a-w C:\Program Files\ubuddysetup.exe
2006-01-21 03:47:30 20,921,040 ----a-w C:\Program Files\AdbeRdr705_enu_full.exe
2006-01-21 03:42:59 762,512 ----a-w C:\Program Files\ytb612_efgsip.exe
2005-10-20 10:23:51 35,328 ----a-w C:\Program Files\atl98.dll
2005-08-09 01:53:40 3,870,720 ----a-w C:\Program Files\AbsolutePoker5_5_14.exe
2005-08-09 01:46:47 3,296,864 ----a-w C:\Program Files\BodogPokerClient.exe
2005-06-25 08:02:34 17,160,609 ----a-w C:\Program Files\BugsySetup.exe
2005-06-24 23:08:58 21,904,216 ----a-w C:\Program Files\iTunesSetup.exe
2004-12-06 22:16:28 266,240 ----a-w C:\Program Files\WebInstaller.exe
2004-12-01 03:30:17 3,362,496 ----a-w C:\Program Files\PokerStarsInstall.exe
2004-12-01 03:28:51 7,117,489 ----a-w C:\Program Files\FullTiltSetup.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="C:\Program Files\Common Files\AOL\1142470437\ee\AOLSoftware.exe" [2006-05-09 17:24]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 09:59]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-12-19 21:13]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-04 03:47]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 08:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-12-08 14:55]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2006-05-09 17:24]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe" [2006-11-16 13:42]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]

C:\Documents and Settings\GREG\Start Menu\Programs\Startup\
Greetings Workshop Reminders.lnk - C:\Program Files\Greetings Workshop\GWREMIND.EXE [1997-09-04 01:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-11-04 03:16:00]
MA111 Configuration Utility.lnk - C:\Program Files\NETGEAR\MA111v2 USB Adapter\MA111v2.exe [2004-05-28 16:53:34]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-08-19 01:00:00]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-08-19 01:00:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

023 - dot4 - system32\DRIVERS\Dot4.sys
023 - dot4print - system32\DRIVERS\Dot4Prt.sys
023 - dot4scan - system32\DRIVERS\Dot4Scan.sys
023 - dot4usb - system32\DRIVERS\dot4usb.sys
023 - i81x - system32\DRIVERS\i81xnt5.sys
023 - iaimfp0 - system32\DRIVERS\wADV01nt.sys
023 - iaimfp1 - system32\DRIVERS\wADV02NT.sys
023 - iaimfp2 - system32\DRIVERS\wADV05NT.sys
023 - iaimfp3 - system32\DRIVERS\wSiINTxx.sys
023 - iaimfp4 - system32\DRIVERS\wVchNTxx.sys
023 - iaimfp5 - system32\DRIVERS\wADV07nt.sys
023 - iaimfp6 - system32\DRIVERS\wADV08nt.sys
023 - iaimfp7 - system32\DRIVERS\wADV09nt.sys
023 - iaimtv0 - system32\DRIVERS\wATV01nt.sys
023 - iaimtv1 - system32\DRIVERS\wATV02NT.sys
023 - iaimtv3 - system32\DRIVERS\wATV04nt.sys
023 - iaimtv4 - system32\DRIVERS\wCh7xxNT.sys
023 - iaimtv5 - system32\DRIVERS\wATV10nt.sys
023 - iaimtv6 - system32\DRIVERS\wATV06nt.sys
023 - ltmodem5 - system32\DRIVERS\ltmdmnt.sys
023 - ms_mpu401 - system32\drivers\msmpu401.sys
023 - p3 - system32\DRIVERS\p3.sys
023 - sbcphid - \??\C:\WINDOWS\system32\Drivers\SbcpHid.sys
023 - sisnpf - system32\drivers\SISNPF.sys

*Newly Created Service* - CATCHME

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-21 02:48:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-21 2:49:30
C:\ComboFix-quarantined-files.txt ... 2007-07-21 02:49
C:\ComboFix2.txt ... 2007-07-21 02:20
C:\ComboFix3.txt ... 2007-07-20 23:51

--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:51:56 AM, on 7/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\AOL\1142470437\ee\AOLSoftware.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\NETGEAR\MA111v2 USB Adapter\MA111v2.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\program files\aol\aol toolbar 3.1\aoltbhelper.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142470437\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111v2 USB Adapter\MA111v2.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 9618 bytes

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:29 PM

Posted 21 July 2007 - 01:53 PM

Hi,

Wasn't there a Submit_Date_Time.zip created on your desktop?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 SuperQuad

SuperQuad
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:07:29 AM

Posted 21 July 2007 - 03:32 PM

Hello,

Nope, created CFScript and put Combofix on my desktop did the drag from CFScript to Combofix Box popped up it asked if i wanted to Run/Cancel, Ran it, Combofix ran check, Data Log came up but nothing else was created on my desktop at all.

Edit: The only new Zipfile on my comp. that i didn't notice before is in my Local Disk (C:)
named "catchme" and also have a "catchme" txt document both which just recently showed up, not sure if thats what im looking for or not?

Edited by SuperQuad, 21 July 2007 - 03:49 PM.


#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:29 PM

Posted 22 July 2007 - 12:51 AM

Yes, upload that Catchme.zip
We'll see if it's that one or not.
Upload it here: http://www.bleepingcomputer.com/submit-malware.php?channel=8

Can you also post the contents of C:\ComboFix-quarantined-files.txt in your next reply please?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 SuperQuad

SuperQuad
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:07:29 AM

Posted 22 July 2007 - 01:53 AM

You want me to post the "code" in the Combofix-quarantined-files text document??

Edited by SuperQuad, 22 July 2007 - 02:12 AM.


#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:29 PM

Posted 22 July 2007 - 02:11 AM

Did you want the "code" in the actual Zipfile also???

No, that's ok.

I wonder what you have been copying/pasting in the CFScript previously, but it appears that all the files that were deleted are in that catchme.zip.

Anyway, delete the Catchme.zip and also delete the C:\Qoobox folder

Then let me know in your next reply how things are now...
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 SuperQuad

SuperQuad
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:07:29 AM

Posted 22 July 2007 - 02:18 AM

What you read in the previous entry which i just edited was the catchme text document and not the Combofix-quarantined-files text document "code" which you requested. I actually posted the combofix quarantined first and wasent sure if that was right cause it was the "code" for that file then i edited my post and by accident posted the catchme txt doc, so do you still want me to delete those files?

Edited by SuperQuad, 22 July 2007 - 02:33 AM.


#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:29 PM

Posted 22 July 2007 - 03:59 AM

so do you still want me to delete those files?

Yes, delete the Catchme.zip and C:\Qoobox - folder
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 SuperQuad

SuperQuad
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:07:29 AM

Posted 22 July 2007 - 04:49 AM

Ok those two files are deleted, Everything seems to be working well haven't had a popup all day so something is working :thumbsup: Anything else?

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:29 PM

Posted 22 July 2007 - 04:56 AM

You should be ok now here. :thumbsup:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:29 PM

Posted 25 July 2007 - 06:12 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users