Smitfraud


  • This topic is locked
10 replies to this topic

#1 K()nT3nTs


  • Members
  • 150 posts
  • OFFLINE
  • Gender:Male
  • Location:SoCal
  • Local time:10:58 AM

Posted 26 July 2007 - 08:05 PM

Hello,

I'm new to this forum and need assistance. I have been all over looking for a proper way to remove Smitfraud from my computer. The majority of sites only pertain to particular personal computers, as each one has a different situation and different adware than the others.

So I figure that you will most likely want to see a HijackThis report, and then you will assist me. Thanks in advance! :thumbsup:

Logfile of HijackThis v1.99.1
Scan saved at 6:02:20 PM, on 7/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\M-Audio\Install\EvoInst.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.750\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\kkuqhtfd.dll",forkonce
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZK
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: M-Audio Installer (EvoInstallerService) - Unknown owner - C:\Program Files\M-Audio\Install\EvoInst.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS


#2 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:05:58 PM

Posted 27 July 2007 - 04:05 AM

Hello,

I notice that you do not seem to be running antivirus software or a firewall. This is somewhat suicidal in today's digital world.
That's why I want you to install them first!!

Avira, AVG OR Active Virus Shield (uncheck the Security Toolbar during install) are good FREE antivirus programs.
Never install more than one antivirus scanner or firewall on your system! Several together can cause problems and seriously decrease its reliability!
Comodo OR Kerio are FREE firewalls.

Understanding and using firewalls

Reboot your computer afterwards.
After reboot, perform a full scan with your Antivirus and let it remove anything it is finding. Then reboot once again in order to delete files that were in use previously.

Post a new HijackThis log in your next reply - then we'll start from there, because otherwise it really makes no sense for us to clean this up manually when no antivirus scanner is present, which should be able to deal with most of it and prevent further reinfection.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 K()nT3nTs

  • Topic Starter

  • Members
  • 150 posts
  • OFFLINE
  • Gender:Male
  • Location:SoCal
  • Local time:10:58 AM

Posted 27 July 2007 - 10:30 PM

Hello,

I notice that you do not seem to be running antivirus software or a firewall. This is somewhat suicidal in today's digital world.
That's why I want you to install them first!!

Avira, AVG OR Active Virus Shield (uncheck the Security Toolbar during install) are good FREE antivirus programs.
Never install more than one antivirus scanner or firewall on your system! Several together can cause problems and seriously decrease its reliability!
Comodo OR Kerio are FREE firewalls.

Understanding and using firewalls

Reboot your computer afterwards.
After reboot, perform a full scan with your Antivirus and let it remove anything it is finding. Then reboot once again in order to delete files that were in use previously.

Post a new HijackThis log in your next reply - then we'll start from there, because otherwise it really makes no sense for us to clean this up manually when no antivirus scanner is present, which should be able to deal with most of it and prevent further reinfection.




OK! Got Comodo and Avira. Did I mention I'm a lil crazy?? And a lil suicidal??

Anyway, thanks for the light you shed upon me. Here is the new report:


Logfile of HijackThis v1.99.1
Scan saved at 8:27:28 PM, on 7/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\M-Audio\Install\EvoInst.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.750\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\wyqvasue.dll",sitypnow
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZK
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: M-Audio Installer (EvoInstallerService) - Unknown owner - C:\Program Files\M-Audio\Install\EvoInst.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
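As an added example (not from the thread, and not code from HijackThis or ComboFix), here is a small Python triage script over HijackThis-style log lines. The sample lines are constructed to mirror the logs in this thread, and the heuristics are my own: an O4 Run entry where rundll32 loads an eight-letter random-looking DLL from system32 (the MemoryManager entries), an O2 BHO whose DLL is "(file missing)", and an O23 service with no publisher sitting in system32, which only deserves a manual look.

```python
"""Triage helper for HijackThis-style log lines (illustrative heuristics only)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the lines posted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\jwadqiil.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\kkuqhtfd.dll",forkonce
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""


@dataclass
class Finding:
    code: str    # HijackThis section code, e.g. "O4"
    reason: str  # why the line was flagged
    line: str    # the original log line


# "<section> - <body>" is the common shape of every HijackThis entry.
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# O4 entries of the form: rundll32.exe "C:\...\name.dll",export
RUNDLL_RE = re.compile(
    r'rundll32\.exe\s+"?(?P<path>[^"]+?\.dll)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE
)
# Eight lowercase letters: the naming style of the DLLs ComboFix removed in this thread.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.dll$")
# O2 entries: BHO: <name> - {CLSID} - <path> [ (file missing)]
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_system32(path: str) -> bool:
    return "\\windows\\system32\\" in path.lower()


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious line, or None for lines the heuristics ignore."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")

    if code == "O4":
        r = RUNDLL_RE.search(body)
        if r:
            name = _basename(r.group("path"))
            if _in_system32(r.group("path")) and RANDOM_NAME_RE.match(name):
                return Finding(code, f"rundll32 loads random-looking DLL {name} "
                                     f"from system32 (export {r.group('export')})", line)
    elif code == "O2":
        b = O2_RE.match(body)
        if b:
            missing = "(file missing)" in b.group("path")
            path = b.group("path").replace("(file missing)", "").strip()
            if missing:
                return Finding(code, f"BHO registered but DLL missing: {_basename(path)}", line)
            if b.group("name") == "(no name)" and _in_system32(path) \
                    and RANDOM_NAME_RE.match(_basename(path)):
                return Finding(code, f"unnamed BHO with random-looking DLL {_basename(path)}", line)
    elif code == "O23":
        # Low confidence: legitimate vendors ship unsigned services too; verify by hand.
        if "Unknown owner" in body and _in_system32(body):
            return Finding(code, "service with no publisher in system32: verify manually", line)
    return None


def triage_log(text: str) -> list:
    """Run triage_line over every line of a log and collect the findings in order."""
    findings = []
    for line in text.splitlines():
        f = triage_line(line)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```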

#4 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:05:58 PM

Posted 28 July 2007 - 03:25 AM

Ok, let's deal with the rest now..

But first of all, you didn't unzip/extract HijackThis, and it's still in the temp folder.
Also, your version of HijackThis is outdated, so download and install this version:

Trend Micro Hijack This™
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.

Then, download ComboFix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

#5 K()nT3nTs

  • Topic Starter

  • Members
  • 150 posts
  • OFFLINE
  • Gender:Male
  • Location:SoCal
  • Local time:10:58 AM

Posted 28 July 2007 - 07:13 PM

Ok!

Here is the ComboFix Log:

ComboFix 07-07-27.6 - "Owner" 2007-07-28 16:58:01.1 [GMT -7:00] - NTFS
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True
* Created a new restore point


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\avdefdqw.exe
C:\WINDOWS\system32\ewkyrcyn.exe
C:\WINDOWS\system32\juxtggyi.exe
C:\WINDOWS\system32\kdmowycx.exe
C:\WINDOWS\system32\nftlyksu.exe
C:\WINDOWS\system32\qjredpto.exe
C:\WINDOWS\system32\wstcgvft.exe
C:\WINDOWS\system32\hntflsef.dll
C:\WINDOWS\system32\xulgtfja.dll
C:\WINDOWS\system32\stvwa.bak1
C:\WINDOWS\system32\stvwa.bak2
C:\WINDOWS\system32\stvwa.ini
C:\WINDOWS\system32\stvwa.ini2
C:\WINDOWS\system32\stvwa.tmp
C:\WINDOWS\system32\stvwa.bak1
C:\WINDOWS\system32\stvwa.bak2
C:\WINDOWS\system32\stvwa.ini
C:\WINDOWS\system32\stvwa.ini2
C:\WINDOWS\system32\stvwa.tmp
C:\WINDOWS\system32\stvwa.bak1
C:\WINDOWS\system32\stvwa.bak2
C:\WINDOWS\system32\stvwa.ini
C:\WINDOWS\system32\stvwa.ini2
C:\WINDOWS\system32\stvwa.tmp
C:\WINDOWS\system32\awvts.dll
C:\WINDOWS\system32\khffgef.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\#SharedObjects\AY3KNLWU\www.broadcaster.com
C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\DOCUME~1\Owner\APPLIC~1\FunWebProducts
C:\WINDOWS\system32\bthrovhy.exe
C:\WINDOWS\system32\jiuqubwo.exe
C:\WINDOWS\system32\mwsiivml.exe
C:\WINDOWS\system32\ohhiwdou.exe
C:\WINDOWS\system32\xoqvjuya.exe
C:\WINDOWS\system32\xqwfokrv.exe


((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-29 )))))))))))))))))))))))))))))))


2007-07-28 16:56 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-28 02:01 125,972 --a------ C:\WINDOWS\system32\evipmyps.dll
2007-07-28 02:00 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-27 20:32 <DIR> d-------- C:\Program Files\MySpace
2007-07-27 20:32 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\MySpace
2007-07-27 19:50 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Comodo
2007-07-27 19:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-07-27 19:34 <DIR> d-------- C:\Program Files\Comodo
2007-07-25 12:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Propellerhead Software
2007-07-25 09:38 <DIR> d-------- C:\!KillBox
2007-07-24 17:45 125,972 --a------ C:\WINDOWS\system32\jsrymlwi.dll
2007-07-24 17:33 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-22 06:26 <DIR> d-------- C:\Program Files\MagicISO
2007-07-17 00:19 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Steinberg
2007-07-17 00:16 87,040 --a------ C:\WINDOWS\system32\ra32sipr.dll
2007-07-17 00:16 85,504 --a------ C:\WINDOWS\system32\encdnet.dll
2007-07-17 00:16 81,920 --a------ C:\WINDOWS\system32\ra3214_4.dll
2007-07-17 00:16 72,704 --a------ C:\WINDOWS\system32\ra3228_8.dll
2007-07-17 00:16 61,952 --a------ C:\WINDOWS\system32\decdnet.dll
2007-07-17 00:16 487,936 --a------ C:\WINDOWS\system32\rmbe3260.dll
2007-07-17 00:16 352,768 --a------ C:\WINDOWS\system32\pngu3263.dll
2007-07-17 00:16 21,504 --a------ C:\WINDOWS\system32\ra32dnet.dll
2007-07-17 00:16 131,072 --a------ C:\WINDOWS\system32\pneng50.dll
2007-07-17 00:16 130,560 --a------ C:\WINDOWS\system32\pnc3250.dll
2007-07-17 00:16 <DIR> d-------- C:\Program Files\Steinberg
2007-07-17 00:15 33,792 --a------ C:\WINDOWS\system32\drivers\cledx.sys
2007-07-17 00:14 704,512 --a------ C:\WINDOWS\system32\SYNSOACC.dll
2007-07-17 00:14 45,056 --a------ C:\WINDOWS\system32\Synsopos.exe
2007-07-17 00:14 16,896 --a------ C:\WINDOWS\system32\drivers\synasUSB.sys
2007-07-17 00:14 147,456 --a------ C:\WINDOWS\system32\SynsoLChk.dll
2007-07-17 00:14 <DIR> d-------- C:\Program Files\Syncrosoft
2007-07-16 23:21 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Leadertech
2007-07-16 10:43 4,648,960 --a------ C:\WINDOWS\system32\JAMktSetup_uninstall.exe
2007-07-15 19:02 <DIR> d-------- C:\Program Files\BitTorrent
2007-07-15 19:02 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\BitTorrent
2007-07-06 21:59 <DIR> d-------- C:\Program Files\MixMeister BPM Analyzer
2007-06-28 12:57 <DIR> d-------- C:\Program Files\MTV Networks
2007-06-28 12:45 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-06-28 12:45 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-06-28 12:43 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-06-28 12:43 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-25 23:30 1234 --a------ C:\DOCUME~1\Owner\APPLIC~1\wklnhst.dat
2007-06-28 13:09 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Google
2007-06-28 13:08 --------- d-------- C:\Program Files\Google
2007-06-28 13:01 --------- d-------- C:\Program Files\Winamp
2007-06-26 23:45 --------- d-------- C:\Program Files\MagniGlass
2007-06-22 01:28 --------- d-------- C:\Program Files\MSN Messenger
2007-06-21 14:02 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\ATI
2007-06-21 13:59 --------- d-------- C:\Program Files\ATI Technologies
2007-06-21 12:16 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\DivX
2007-06-21 08:33 --------- d-------- C:\Program Files\DivX
2007-06-20 09:47 31184 --a------ C:\DOCUME~1\Owner\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-06-18 23:57 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-06-15 22:30 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\NCH Swift Sound
2007-06-15 22:29 --------- d-------- C:\Program Files\NCH Swift Sound
2007-06-14 03:42 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Symantec
2007-06-12 03:40 5421 --a------ C:\WINDOWS\mozver.dat
2007-06-11 07:26 --------- d-------- C:\Program Files\GoldWave
2007-06-08 14:27 --------- d-------- C:\Program Files\Apple Software Update
2007-06-07 17:43 --------- d-------- C:\Program Files\QuickTime Alternative
2007-06-07 17:43 --------- d-------- C:\Program Files\Media Player Classic
2007-06-07 17:43 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Apple Computer
2007-06-07 12:40 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Viewpoint
2007-06-05 23:25 --------- d-------- C:\Program Files\InterActual
2007-06-05 01:05 99965 --a------ C:\WINDOWS\UninstallFirefox.exe
2007-06-01 15:52 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
2007-06-01 00:15 --------- d-------- C:\Program Files\Microsoft Works
2007-06-01 00:14 --------- d-------- C:\Program Files\Microsoft ActiveSync
2007-06-01 00:13 --------- d-------- C:\Program Files\Common Files\ODBC
2007-06-01 00:07 --------- d-------- C:\Program Files\Microsoft Works Suite 2002
2007-05-31 19:50 --------- d-------- C:\Program Files\Fostex
2007-05-31 19:07 --------- d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-05-31 18:49 --------- d-------- C:\Program Files\Ahead
2007-05-30 23:45 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-05-30 23:44 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-30 23:44 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-30 23:44 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-30 23:44 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-05-30 02:05 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Help
2007-05-30 00:04 --------- d-------- C:\Program Files\AIM6
2007-05-30 00:04 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\acccore
2007-05-30 00:03 --------- d-------- C:\Program Files\Common Files\AOL
2007-05-29 03:07 --------- d-------- C:\Program Files\Messenger
2007-05-29 03:03 --------- d-------- C:\Program Files\MSXML 4.0
2007-05-28 18:07 --------- d-------- C:\Program Files\Microsoft LifeCam
2007-05-28 17:41 --------- d-------- C:\Program Files\M-Audio
2007-05-28 17:39 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Propellerhead Software
2007-05-28 17:19 --------- d-------- C:\Program Files\Pure Networks
2007-05-28 17:15 --------- d-------- C:\Program Files\M-Audio Firewire Family
2007-05-28 17:15 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-05-28 17:11 --------- d-------- C:\Program Files\Propellerhead
2007-05-28 16:47 233472 --a------ C:\WINDOWS\system32\REX Shared Library.dll
2007-05-28 16:47 225280 --a------ C:\WINDOWS\system32\ReWire.dll
2007-05-28 16:40 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-05-28 16:33 --------- d-------- C:\Program Files\Common Files\Real
2007-05-28 08:04 --------- d-------- C:\Program Files\McAfee.com
2007-05-28 08:04 --------- d-------- C:\Program Files\McAfee
2007-05-28 08:04 --------- d-------- C:\Program Files\Common Files\McAfee
2007-05-28 08:04 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\McAfee
2007-05-28 08:03 --------- d-------- C:\Program Files\MSN Encarta Plus
2007-05-28 08:03 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\SampleView
2007-05-28 08:02 --------- d-------- C:\Program Files\CyberLink
2007-05-28 02:49 --------- d-------- C:\Program Files\BigFix
2007-05-28 02:48 --------- d-------- C:\Program Files\Common Files\Ahead
2007-05-28 02:47 --------- d-------- C:\Program Files\Digital Media Reader
2007-05-28 02:46 --------- d-------- C:\Program Files\Viewpoint
2007-05-28 02:46 --------- d-------- C:\Program Files\Learn2.com
2007-05-28 02:45 --------- d-------- C:\Program Files\Common Files\Nullsoft
2007-05-28 02:42 335 --a------ C:\WINDOWS\nsreg.dat
2007-05-28 02:30 --------- d-------- C:\Program Files\Common Files\New Boundary
2007-05-28 02:26 --------- d-------- C:\Program Files\CONEXANT
2007-05-28 01:24 60 --a------ C:\WINDOWS\system32\SYSDRV.DAT
2007-05-16 08:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}]
C:\WINDOWS\system32\jwadqiil.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-07-27 19:34]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-07-28 07:07]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 18:34]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F2A0229A-C4CA-4789-B606-973D24DCDD1C}"= C:\Program Files\McAfee\McAfee AntiSpyware\MssShell.dll [2004-10-19 01:00 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ATI CATALYST System Tray.lnk
backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^WordWeb.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\WordWeb.lnk
backup=C:\WINDOWS\pss\WordWeb.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"F:\The Program Files\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
"C:\Program Files\Microsoft LifeCam\LifeExp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MAFWTaskbarApp]
C:\WINDOWS\system32\MAFWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryManager]
rundll32.exe "C:\WINDOWS\system32\jsrymlwi.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\razer]
F:\The Program Files\razerhid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
%WINDIR%\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
%WINDIR%\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedItUpEX]
C:\Documents and Settings\Owner\Desktop\SpeedItUp.exe -MINI

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
C:\Program Files\Digital Media Reader\shwiconem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
C:\Program Files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
C:\WINDOWS\vVX3000.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
C:\Program Files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_AntiSpyware]
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McAfeeAntiSpyware"=2 (0x2)
"iPod Service"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)

R0 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
R0 Inspect;Comodo Network Engine;C:\WINDOWS\system32\DRIVERS\inspect.sys
R1 CmdMon;Comodo Application Engine;C:\WINDOWS\system32\DRIVERS\cmdmon.sys
R2 EvoInstallerService;M-Audio Installer;C:\Program Files\M-Audio\Install\EvoInst.exe
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe"
R3 atinrvxx;ATI WDM Rage Theater Video;C:\WINDOWS\system32\DRIVERS\atinrvxx.sys
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys
R3 DELTAFW;Service for M-Audio FW Driver (WDM);C:\WINDOWS\system32\DRIVERS\deltafw.sys
R3 EVOLUSB;%EVOL_USB.SvcDesc%;C:\WINDOWS\system32\drivers\evolusb.sys
R3 MVDCODEC;ATI WDM Specialized MVD Codec;C:\WINDOWS\system32\DRIVERS\atinmdxx.sys
R3 Razerlow;Razer Copperhead Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys
R3 RTL8023xp;Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver;C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys
R3 SunkFilt;Alcor Micro Corp Reader;\??\C:\WINDOWS\System32\Drivers\sunkfilt.sys
S3 mxnic;Macronix MX987xx Family Fast Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\mxnic.sys
S3 VX3000;VX-3000;C:\WINDOWS\system32\DRIVERS\VX3000.sys
S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys


Contents of the 'Scheduled Tasks' folder
2007-07-28 04:00:00 C:\WINDOWS\tasks\McAfee AntiSpyware.job
2007-07-29 00:08:00 C:\WINDOWS\tasks\McAfee.com Update Check (YOUR-4F7B3BA289-Owner).job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-28 17:06:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\\xd8\x2022\x20ac|\xff\xff\xff\xff\22\x2022\x20ac|\xf9\x2022A~\2]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\Software\Adobe\FeatureSubscriptions\DVAAdobeDocMeta\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\Registered"

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-28 17:08:28 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-28 17:08

--- E O F ---
____________________________________________________________________________________________________________________________


And the HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:09:04 PM, on 7/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\M-Audio\Install\EvoInst.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\The Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\jwadqiil.dll (file missing)
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZK
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: M-Audio Installer (EvoInstallerService) - Unknown owner - C:\Program Files\M-Audio\Install\EvoInst.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 4152 bytes

#6 miekiemoes (Malware Response Team)

Posted 29 July 2007 - 03:42 AM

Hi,

No wonder I couldn't see an antivirus/firewall present in your first HijackThis log - you disabled them via msconfig.
How are you supposed to prevent malware if you disable them?

Do you still have McAfee and Norton Internet Security installed? Never install more than one antivirus, because they are not compatible, cause a huge system slowdown and may cause crashes... even though they are disabled, since some related components are still running. So uninstall McAfee and Norton Internet Security, since you already have AVG Antivirus running.

Then,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\WINDOWS\system32\evipmyps.dll
C:\WINDOWS\system32\jsrymlwi.dll

Folder::
C:\!KillBox

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryManager]


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

Sidenote... I see you are using MySpace..
MySpace is not safe and I do not recommend it to anyone. You may also want to read these blogs:
MySpace userprofiles infected
MySpace malware -- for the unpatched
Hacked Ad Seen on MySpace Served Spyware to a Million
MySpace users hit by hacker virus

Other reasons not to use MySpace.com:

1. It contains suggestive and pornographic images
2. It allows for the easy posting of way too much personal information
3. It is a context for dating and personal ads
4. It can be and has been used to exploit children and teenagers.

So if you want to keep your system clean, do not use MySpace.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
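As an added example (not part of this thread, and not ComboFix's or HijackThis's own code), here is the reasoning behind the script above carried out in Python: pick out the O2 BHO lines whose DLL HijackThis reports as absent, flag the mywebsearch O8 context-menu item, and emit a CFScript in the File::/Folder::/Registry:: layout used in this post. The sample log lines are constructed from the format seen in the thread, and the `~` shorthand in the Registry:: keys is copied from the script in the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in HijackThis v2 line format, modelled on the log posted
# in this thread (a few representative lines, not the original log).
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\\WINDOWS\\system32\\jwadqiil.dll (file missing)
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZK
"""

# Every tagged line looks like "O2 - ...", "O23 - ...", "R0 - ...":
# a section tag, then " - ", then the body.
LINE_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING_MARKERS = ("(no file)", "(file missing)")


@dataclass
class HjtEntry:
    section: str
    body: str


def parse_hjt(text: str) -> List[HjtEntry]:
    """Keep only the tagged lines; headers, process lists and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(HjtEntry(m["section"], m["body"]))
    return entries


def orphan_bhos(entries: List[HjtEntry]) -> List[str]:
    """CLSIDs of O2 BHO registrations whose DLL HijackThis reports as absent.

    A BHO registration with no backing file is dead weight at best and the
    leftover of a removed infection at worst, which is why the post's script
    deletes exactly these two keys.
    """
    clsids = []
    for e in entries:
        if e.section == "O2" and e.body.rstrip().endswith(MISSING_MARKERS):
            m = CLSID_RE.search(e.body)
            if m:
                clsids.append(m.group(0))
    return clsids


def mywebsearch_items(entries: List[HjtEntry]) -> List[HjtEntry]:
    """O8 context-menu items pointing at mywebsearch.com (the toolbar leftover
    that is fixed by hand in HijackThis later in the thread)."""
    return [e for e in entries
            if e.section == "O8" and "mywebsearch.com" in e.body.lower()]


def build_cfscript(files: List[str], folders: List[str], bho_clsids: List[str]) -> str:
    """Emit a CFScript in the File::/Folder::/Registry:: layout used in the post.

    The '~' shorthand inside the Registry:: key is copied from the post's script.
    """
    parts = []
    if files:
        parts.append("File::\n" + "\n".join(files))
    if folders:
        parts.append("Folder::\n" + "\n".join(folders))
    if bho_clsids:
        keys = [f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{c}]" for c in bho_clsids]
        parts.append("Registry::\n" + "\n".join(keys))
    return "\n\n".join(parts) + "\n"


def triage(text: str) -> Dict[str, object]:
    """Summarise what a helper would look at first in a pasted log."""
    entries = parse_hjt(text)
    return {
        "entries": len(entries),
        "orphan_bhos": orphan_bhos(entries),
        "mywebsearch": [e.body for e in mywebsearch_items(entries)],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(report)
    # File and folder paths below are the ones named in the post's script.
    print(build_cfscript(
        ["C:\\WINDOWS\\system32\\evipmyps.dll", "C:\\WINDOWS\\system32\\jsrymlwi.dll"],
        ["C:\\!KillBox"],
        report["orphan_bhos"],
    ))
```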

#7 K()nT3nTs (Topic Starter)

Posted 30 July 2007 - 12:45 AM

Aight no mo myspace.


Here is the new ComboFix report.


ComboFix 07-07-27.6 - "Owner" 2007-07-29 22:36:28.2 [GMT -7:00] - NTFS
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\!KillBox
C:\!KillBox\Logs\kb.log
C:\WINDOWS\system32\evipmyps.dll
C:\WINDOWS\system32\jsrymlwi.dll


((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-30 )))))))))))))))))))))))))))))))


2007-07-28 16:56 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-28 02:00 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-27 20:32 <DIR> d-------- C:\Program Files\MySpace
2007-07-27 20:32 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\MySpace
2007-07-27 19:50 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Comodo
2007-07-27 19:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-07-27 19:34 <DIR> d-------- C:\Program Files\Comodo
2007-07-25 12:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Propellerhead Software
2007-07-24 17:33 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-22 06:26 <DIR> d-------- C:\Program Files\MagicISO
2007-07-17 00:19 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Steinberg
2007-07-17 00:16 87,040 --a------ C:\WINDOWS\system32\ra32sipr.dll
2007-07-17 00:16 85,504 --a------ C:\WINDOWS\system32\encdnet.dll
2007-07-17 00:16 81,920 --a------ C:\WINDOWS\system32\ra3214_4.dll
2007-07-17 00:16 72,704 --a------ C:\WINDOWS\system32\ra3228_8.dll
2007-07-17 00:16 61,952 --a------ C:\WINDOWS\system32\decdnet.dll
2007-07-17 00:16 487,936 --a------ C:\WINDOWS\system32\rmbe3260.dll
2007-07-17 00:16 352,768 --a------ C:\WINDOWS\system32\pngu3263.dll
2007-07-17 00:16 21,504 --a------ C:\WINDOWS\system32\ra32dnet.dll
2007-07-17 00:16 131,072 --a------ C:\WINDOWS\system32\pneng50.dll
2007-07-17 00:16 130,560 --a------ C:\WINDOWS\system32\pnc3250.dll
2007-07-17 00:16 <DIR> d-------- C:\Program Files\Steinberg
2007-07-17 00:15 33,792 --a------ C:\WINDOWS\system32\drivers\cledx.sys
2007-07-17 00:14 704,512 --a------ C:\WINDOWS\system32\SYNSOACC.dll
2007-07-17 00:14 45,056 --a------ C:\WINDOWS\system32\Synsopos.exe
2007-07-17 00:14 16,896 --a------ C:\WINDOWS\system32\drivers\synasUSB.sys
2007-07-17 00:14 147,456 --a------ C:\WINDOWS\system32\SynsoLChk.dll
2007-07-17 00:14 <DIR> d-------- C:\Program Files\Syncrosoft
2007-07-16 23:21 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Leadertech
2007-07-16 10:43 4,648,960 --a------ C:\WINDOWS\system32\JAMktSetup_uninstall.exe
2007-07-15 19:02 <DIR> d-------- C:\Program Files\BitTorrent
2007-07-15 19:02 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\BitTorrent
2007-07-06 21:59 <DIR> d-------- C:\Program Files\MixMeister BPM Analyzer


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-25 23:30 1234 --a------ C:\DOCUME~1\Owner\APPLIC~1\wklnhst.dat
2007-06-28 13:09 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Google
2007-06-28 13:08 --------- d-------- C:\Program Files\Google
2007-06-28 13:01 --------- d-------- C:\Program Files\Winamp
2007-06-28 12:57 --------- d-------- C:\Program Files\MTV Networks
2007-06-28 12:45 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-06-26 23:45 --------- d-------- C:\Program Files\MagniGlass
2007-06-22 01:28 --------- d-------- C:\Program Files\MSN Messenger
2007-06-21 14:02 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\ATI
2007-06-21 13:59 --------- d-------- C:\Program Files\ATI Technologies
2007-06-21 12:16 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\DivX
2007-06-21 08:33 --------- d-------- C:\Program Files\DivX
2007-06-20 09:47 31184 --a------ C:\DOCUME~1\Owner\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-06-18 23:57 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-06-15 22:30 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\NCH Swift Sound
2007-06-15 22:29 --------- d-------- C:\Program Files\NCH Swift Sound
2007-06-14 03:42 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Symantec
2007-06-12 03:40 5421 --a------ C:\WINDOWS\mozver.dat
2007-06-11 07:26 --------- d-------- C:\Program Files\GoldWave
2007-06-08 14:27 --------- d-------- C:\Program Files\Apple Software Update
2007-06-07 17:43 --------- d-------- C:\Program Files\QuickTime Alternative
2007-06-07 17:43 --------- d-------- C:\Program Files\Media Player Classic
2007-06-07 17:43 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Apple Computer
2007-06-07 12:40 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Viewpoint
2007-06-05 23:25 --------- d-------- C:\Program Files\InterActual
2007-06-05 01:05 99965 --a------ C:\WINDOWS\UninstallFirefox.exe
2007-06-01 15:52 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
2007-06-01 00:15 --------- d-------- C:\Program Files\Microsoft Works
2007-06-01 00:14 --------- d-------- C:\Program Files\Microsoft ActiveSync
2007-06-01 00:13 --------- d-------- C:\Program Files\Common Files\ODBC
2007-06-01 00:07 --------- d-------- C:\Program Files\Microsoft Works Suite 2002
2007-05-31 19:50 --------- d-------- C:\Program Files\Fostex
2007-05-31 19:07 --------- d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-05-31 18:49 --------- d-------- C:\Program Files\Ahead
2007-05-30 23:45 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-05-30 23:44 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-30 23:44 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-30 23:44 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-30 23:44 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-05-30 02:05 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Help
2007-05-30 00:04 --------- d-------- C:\Program Files\AIM6
2007-05-30 00:04 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\acccore
2007-05-30 00:03 --------- d-------- C:\Program Files\Common Files\AOL
2007-05-29 03:07 --------- d-------- C:\Program Files\Messenger
2007-05-29 03:03 --------- d-------- C:\Program Files\MSXML 4.0
2007-05-28 18:07 --------- d-------- C:\Program Files\Microsoft LifeCam
2007-05-28 17:41 --------- d-------- C:\Program Files\M-Audio
2007-05-28 17:39 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Propellerhead Software
2007-05-28 17:19 --------- d-------- C:\Program Files\Pure Networks
2007-05-28 17:15 --------- d-------- C:\Program Files\M-Audio Firewire Family
2007-05-28 17:15 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-05-28 17:11 --------- d-------- C:\Program Files\Propellerhead
2007-05-28 16:47 233472 --a------ C:\WINDOWS\system32\REX Shared Library.dll
2007-05-28 16:47 225280 --a------ C:\WINDOWS\system32\ReWire.dll
2007-05-28 16:40 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-05-28 16:33 --------- d-------- C:\Program Files\Common Files\Real
2007-05-28 08:03 --------- d-------- C:\Program Files\MSN Encarta Plus
2007-05-28 08:03 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\SampleView
2007-05-28 08:02 --------- d-------- C:\Program Files\CyberLink
2007-05-28 02:49 --------- d-------- C:\Program Files\BigFix
2007-05-28 02:48 --------- d-------- C:\Program Files\Common Files\Ahead
2007-05-28 02:47 --------- d-------- C:\Program Files\Digital Media Reader
2007-05-28 02:46 --------- d-------- C:\Program Files\Viewpoint
2007-05-28 02:46 --------- d-------- C:\Program Files\Learn2.com
2007-05-28 02:45 --------- d-------- C:\Program Files\Common Files\Nullsoft
2007-05-28 02:42 335 --a------ C:\WINDOWS\nsreg.dat
2007-05-28 02:30 --------- d-------- C:\Program Files\Common Files\New Boundary
2007-05-28 02:26 --------- d-------- C:\Program Files\CONEXANT
2007-05-28 01:24 60 --a------ C:\WINDOWS\system32\SYSDRV.DAT
2007-05-16 08:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-07-27 19:34]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-07-28 07:07]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ATI CATALYST System Tray.lnk
backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^WordWeb.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\WordWeb.lnk
backup=C:\WINDOWS\pss\WordWeb.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"F:\The Program Files\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
"C:\Program Files\Microsoft LifeCam\LifeExp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MAFWTaskbarApp]
C:\WINDOWS\system32\MAFWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\razer]
F:\The Program Files\razerhid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
%WINDIR%\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
%WINDIR%\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedItUpEX]
C:\Documents and Settings\Owner\Desktop\SpeedItUp.exe -MINI

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
C:\Program Files\Digital Media Reader\shwiconem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
C:\Program Files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
C:\WINDOWS\vVX3000.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
C:\Program Files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_AntiSpyware]
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McAfeeAntiSpyware"=2 (0x2)
"iPod Service"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)

R0 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
R0 Inspect;Comodo Network Engine;C:\WINDOWS\system32\DRIVERS\inspect.sys
R1 CmdMon;Comodo Application Engine;C:\WINDOWS\system32\DRIVERS\cmdmon.sys
R2 EvoInstallerService;M-Audio Installer;C:\Program Files\M-Audio\Install\EvoInst.exe
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe"
R3 atinrvxx;ATI WDM Rage Theater Video;C:\WINDOWS\system32\DRIVERS\atinrvxx.sys
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys
R3 DELTAFW;Service for M-Audio FW Driver (WDM);C:\WINDOWS\system32\DRIVERS\deltafw.sys
R3 EVOLUSB;%EVOL_USB.SvcDesc%;C:\WINDOWS\system32\drivers\evolusb.sys
R3 MVDCODEC;ATI WDM Specialized MVD Codec;C:\WINDOWS\system32\DRIVERS\atinmdxx.sys
R3 Razerlow;Razer Copperhead Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys
R3 RTL8023xp;Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver;C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys
R3 SunkFilt;Alcor Micro Corp Reader;\??\C:\WINDOWS\System32\Drivers\sunkfilt.sys
S3 mxnic;Macronix MX987xx Family Fast Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\mxnic.sys
S3 VX3000;VX-3000;C:\WINDOWS\system32\DRIVERS\VX3000.sys
S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-29 22:39:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\\xd8\x2022\x20ac|\xff\xff\xff\xff\22\x2022\x20ac|\xf9\x2022A~\2]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\Software\Adobe\FeatureSubscriptions\DVAAdobeDocMeta\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\Registered"

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-29 22:41:15
C:\ComboFix-quarantined-files.txt ... 2007-07-29 22:41
C:\ComboFix2.txt ... 2007-07-28 17:08

--- E O F ---


And the HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:45 PM, on 7/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\M-Audio\Install\EvoInst.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\MTV Networks\URGE\UrgeMS.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\The Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZK
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: M-Audio Installer (EvoInstallerService) - Unknown owner - C:\Program Files\M-Audio\Install\EvoInst.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 3931 bytes

#8 miekiemoes (Malware Response Team)

Posted 30 July 2007 - 04:36 AM

Hi,

Check and fix the following entry in HijackThis:

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZK

Delete the C:\Qoobox folder.

Let me know in your next reply how things are now...

#9 K()nT3nTs (Topic Starter)

Posted 30 July 2007 - 12:43 PM

Wow.. it's all good.

I deleted the items and restarted, then a fat list of stuff came up in Spybot. Fixed the problems, then restarted again. Now it's all clean. Thanks a lot.

Quick question..

Can you provide a run-through of what you did? I would like to know of any references and sites on how to read a HijackThis report and what is safe and not safe to remove if something were to happen.

I know you're probably busy with other stuff, but I would really like to know.

thanks again for your time.

Edited by K()nT3nTs, 30 July 2007 - 01:38 PM.


#10 miekiemoes (Malware Response Team)

Posted 30 July 2007 - 07:17 PM

Can you provide a run-through of what you did? I would like to know of any references and sites on how to read a HijackThis report and what is safe and not safe to remove if something were to happen.

Well, actually, this is all a matter of experience. I am dealing with more than 20 logs a day and after a while, you'll recognise easily what files are good or bad and what tools to use to get rid of it.

But.. If you want to learn more about HijackThis and malware cleanup in general, you can always join some online training schools (for free).
Not sure if there's still room here at Bleeping Computers for training, so it's better to send a PM to Grinler, the admin of this board, to ask if there's still room.

Or, you can signup here as well: http://forums.spywareinfo.com/index.php?showtopic=34
It's a different forum, but I am also active there :thumbsup:

Glad I could help. :flowers:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!

#11 miekiemoes (Malware Response Team)

Posted 04 August 2007 - 04:36 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.