Big Virus/infection! Need Help Bad.


15 replies to this topic

#1 gus88

  • Members
  • 64 posts

Posted 13 August 2007 - 05:18 PM

In the past three days a big virus has infiltrated my computer and despite my many attempts to try to disinfect my computer, none have worked so far. My desktop background has been changed to a hazard sign saying "YOUR PRIVACY IS IN DANGER: DOWNLOAD PRIVACY PROTECTION SOFTWARE NOW!!" along with millions of pop-ups that redirect me to anti-spyware websites and such. Getting real frustrated with this virus, so I'm using this forum as a last resort. HOPE YOU CAN HELP.

The programs I've tried so far:
NoAdware
Spybot S&D
SmitFraudFix
VundoFix
ComboFix
Panda Antivirus 2008


Here is my HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:33:07 PM, on 8/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\MICROS~4\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\verclsid.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: MSVPS System - {7AF59C20-A1D8-4C1C-927A-99DD9F2A9E0B} - C:\WINDOWS\duocore.dll
O2 - BHO: CVirtualDNSObj Object - {86C510E9-97EF-4749-914F-0280247BE3A6} - C:\WINDOWS\VirtualDNS.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Love default global mess] C:\Documents and Settings\All Users\Application Data\great coal love default\EGGS SURF.exe
O4 - HKLM\..\Run: [Seek dog pure mess] C:\Documents and Settings\All Users\Application Data\Internet debug mess great\About tons camp.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - HKCU\..\Run: [Cpue] "C:\PROGRA~1\ICROSO~1\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [Uxrlsk] "C:\Program Files\??crosoft\msconfig.exe"
O4 - HKCU\..\Run: [Ttksfmv] C:\WINDOWS\system32\??crosoft.NET\nslookup.exe
O4 - HKCU\..\Run: [Cdrom Sect] C:\DOCUME~1\Owner\APPLIC~1\WEBSEC~1\MAGS SEEK.exe
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.09\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.09\MediaManager\grab.html
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://mcctc.howtomaster.com/plugin/awarew...cab/awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139277115658
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...635/mcfscan.cab
O21 - SSODL: wmpenv - {E1D31C91-DA5B-4416-B09C-49CE74C3EAFA} - C:\WINDOWS\wmpenv.dll
O21 - SSODL: wmpconf - {1C4D8B79-BB4B-4EC3-9CFF-A027FD93C6B8} - C:\WINDOWS\wmpconf.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 9540 bytes



And here goes the ComboFix report:


ComboFix 07-08-09.3 - "Owner" 2007-08-13 18:05:09.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.82 [GMT -4:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Owner\Desktop.\Spyware&Malware Protection.url
C:\DOCUME~1\Owner\Desktop\Error Cleaner.url
C:\DOCUME~1\Owner\Desktop\Privacy Protector.url
C:\DOCUME~1\Owner\FAVORI~1.\Error Cleaner.url
C:\DOCUME~1\Owner\FAVORI~1.\Privacy Protector.url
C:\DOCUME~1\Owner\FAVORI~1.\Spyware&Malware Protection.url
C:\WINDOWS\dat.txt
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm


((((((((((((((((((((((((( Files Created from 2007-07-13 to 2007-08-13 )))))))))))))))))))))))))))))))


2007-08-13 18:04 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-13 14:43 15,416 --------- C:\WINDOWS\system32\drivers\sdthook.sys
2007-08-12 16:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\sentinel
2007-08-12 16:48 83,640 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
2007-08-12 16:48 248 --a------ C:\WINDOWS\system32\PavCPL.dat
2007-08-12 16:47 <DIR> d-------- C:\WINDOWS\system32\PAV
2007-08-12 16:46 50,736 --a------ C:\WINDOWS\system32\avldr.dll
2007-08-12 16:46 <DIR> d-------- C:\Program Files\Panda Security
2007-08-12 12:26 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-11 11:24 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-11 11:24 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-11 11:24 2,534 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-10 12:05 <DIR> d-------- C:\VundoFix Backups
2007-08-09 13:58 <DIR> d-------- C:\Program Files\XoftSpySE
2007-08-08 12:00 221,184 --a------ C:\WINDOWS\wmpconf.dll
2007-08-08 12:00 188,416 --a------ C:\WINDOWS\wmpenv.dll
2007-08-08 12:00 188,416 --a------ C:\WINDOWS\duocore.dll
2007-08-07 00:51 21,504 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2007-08-07 00:51 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2007-08-07 00:49 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2007-08-07 00:39 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\InstallShield
2007-08-02 20:35 <DIR> d-------- C:\Program Files\WebSecondDate
2007-08-02 20:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Internet debug mess great
2007-08-02 20:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\great coal love default
2007-07-28 12:52 <DIR> d-------- C:\WINDOWS\pss


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-13 15:33 --------- d-------- C:\Program Files\SP2 Connection Patcher
2007-08-13 13:15 --------- d-------- C:\Program Files\MSN Messenger
2007-08-13 13:14 --------- d-------- C:\Program Files\Morpheus
2007-08-12 17:29 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\WebSecondDate
2007-08-12 16:46 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-12 13:23 --------- d-------- C:\Program Files\QuickTime
2007-08-12 13:10 --------- d-------- C:\Program Files\Microsoft ActiveSync
2007-08-11 12:04 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\WeatherBug
2007-08-09 14:44 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\DownloadManager
2007-08-09 12:31 --------- d-------- C:\Program Files\MorpheusBar
2007-08-09 12:05 --------- d-------- C:\Program Files\Real
2007-08-09 12:02 --------- d-------- C:\Program Files\Windows Live Toolbar
2007-08-07 10:11 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Azureus
2007-08-07 00:55 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-08-07 00:55 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-08-07 00:52 --------- d-------- C:\Program Files\Motorola Phone Tools
2007-08-07 00:39 --------- d-------- C:\Program Files\LiveUpdate
2007-07-31 11:46 --------- d-------- C:\Program Files\MSN Games
2007-07-31 11:40 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\MSNInstaller
2007-07-31 11:38 --------- d-------- C:\Program Files\CyberLink
2007-06-16 21:53 --------- d-------- C:\Program Files\Azureus
2007-05-16 11:12 86528 --a--c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll
2006-10-25 16:30 299 --a------ C:\DOCUME~1\Owner\APPLIC~1\internaldb1942.dat
2005-04-08 18:42:05 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7AF59C20-A1D8-4C1C-927A-99DD9F2A9E0B}]
2007-08-07 13:43 188416 --a------ C:\WINDOWS\duocore.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86C510E9-97EF-4749-914F-0280247BE3A6}]
C:\WINDOWS\VirtualDNS.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 16:42]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 18:55]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 18:51]
"Motive SmartBridge"="C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe" [2002-05-18 12:04]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-10-31 23:24]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-29 11:48]
"Love default global mess"="C:\Documents and Settings\All Users\Application Data\great coal love default\EGGS SURF.exe" [2007-08-13 15:36]
"Seek dog pure mess"="C:\Documents and Settings\All Users\Application Data\Internet debug mess great\About tons camp.exe" [2007-08-13 00:45]
"APVXDWIN"="C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.exe" [2007-07-19 15:23]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2005-06-07 14:58]
"SP2 Connection Patcher"="C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" [2005-07-11 05:51]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~4\wcescomm.exe" [2006-06-20 22:36]
"Cpue"="C:\PROGRA~1\ICROSO~1\mmc.exe" []
"Uxrlsk"="C:\Program Files\??crosoft\msconfig.exe" []
"Ttksfmv"="C:\WINDOWS\system32\??crosoft.NET\nslookup.exe" []
"Cdrom Sect"="C:\DOCUME~1\Owner\APPLIC~1\WEBSEC~1\MAGS SEEK.exe" []

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"wmpenv"= {E1D31C91-DA5B-4416-B09C-49CE74C3EAFA} - C:\WINDOWS\wmpenv.dll [2007-08-07 13:43 188416]
"wmpconf"= {1C4D8B79-BB4B-4EC3-9CFF-A027FD93C6B8} - C:\WINDOWS\wmpconf.dll [2007-08-07 13:43 221184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0s0s09sw.dll]
RUNDLL32.EXE 0s0s09sw.dll,b 269829703

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8D8F949099919994]
46484D49524A52.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cdrom Sect]
C:\DOCUME~1\Owner\APPLIC~1\WEBSEC~1\MAGS SEEK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1159479886\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spam4DriveUp]
C:\Documents and Settings\All Users\Application Data\cakeuserspam4\Phone dumb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
C:\Program Files\mobile PhoneTools\WatchDog.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\Winampa.exe"

R0 TPkd;TPkd;C:\WINDOWS\system32\drivers\TPkd.sys
R2 CdaD10BA;CdaD10BA;\??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS
R2 pavdrv;pavdrv;C:\WINDOWS\system32\DRIVERS\pavdrv51.sys
R2 SNMP;SNMP Service;C:\WINDOWS\System32\snmp.exe
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 P2k;Motorola iDEN P2k Device;C:\WINDOWS\system32\DRIVERS\P2k.sys
S3 RimUsb;BlackBerry Device;C:\WINDOWS\system32\Drivers\RimUsb.sys
S3 SNMPTRAP;SNMP Trap Service;C:\WINDOWS\System32\snmptrap.exe
S3 SunkFilt;Alcor Micro Corp - 9360;\??\C:\WINDOWS\System32\Drivers\sunkfilt.sys
S3 SunkFilt39;Alcor Micro Corp - 3239;\??\C:\WINDOWS\System32\Drivers\sunkfilt39.sys
S3 Sunkfiltp;HP && Alcor Micro Corp for Phison;\??\C:\WINDOWS\System32\Drivers\sunkfiltp.sys
S3 usb_rndisx;USB RNDIS Adapter;C:\WINDOWS\system32\DRIVERS\usb8023x.sys
S3 usbsermptxp;Motorola USB Modem Driver for MPT XP;C:\WINDOWS\system32\DRIVERS\usbsermptxp.sys
S3 Wdf01000;Wdf01000;C:\WINDOWS\system32\DRIVERS\Wdf01000.sys


Contents of the 'Scheduled Tasks' folder
2007-08-13 22:00:00 C:\WINDOWS\Tasks\ACDF02E19188B4E9.job - c:\docume~1\owner\applic~1\websec~1\Pop Idle Aim.exe
2007-08-13 22:07:00 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDetect.exe
2007-08-12 22:37:00 C:\WINDOWS\Tasks\WebReg Deskjet 3900 series.job - C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
2007-08-13 21:00:01 C:\WINDOWS\Tasks\XoftSpySE 2.job - C:\Program Files\XoftSpySE\XoftSpy.exe
2007-08-11 07:00:00 C:\WINDOWS\Tasks\XoftSpySE.job - C:\Program Files\XoftSpySE\XoftSpy.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-13 18:09:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-13 18:10:26
C:\ComboFix-quarantined-files.txt ... 2007-08-13 18:09
C:\ComboFix2.txt ... 2007-08-12 00:52
C:\ComboFix3.txt ... 2007-08-11 12:09

--- E O F ---
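A small triage script, added here as an example and not part of the original post, of HijackThis or of ComboFix: it parses HijackThis-style `Rx - ` / `Oxx - ` lines (a subset of the log above, embedded as constructed sample input) and flags the patterns a responder would look at first: a `?` or non-ASCII character right after a path separator (the `??crosoft` directories above), entries whose file is missing, Run entries launched from an Application Data directory, BHO/SSODL DLLs sitting directly in `C:\WINDOWS`, a desktop component backed by a local HTML file, and a browser start page set to an external URL. The heuristics, the `Finding` type and the function names are this example's own assumptions, not HijackThis rules or any product's signatures.

```python
"""Flag suspicious HijackThis log lines with a few defender-side heuristics.

Added example. The sample lines are a subset of the log posted above; the
heuristics are assumptions made for this example, not HijackThis rules.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: a subset of the HijackThis lines posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: MSVPS System - {7AF59C20-A1D8-4C1C-927A-99DD9F2A9E0B} - C:\WINDOWS\duocore.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Love default global mess] C:\Documents and Settings\All Users\Application Data\great coal love default\EGGS SURF.exe
O4 - HKCU\..\Run: [Uxrlsk] "C:\Program Files\??crosoft\msconfig.exe"
O4 - HKCU\..\Run: [Ttksfmv] C:\WINDOWS\system32\??crosoft.NET\nslookup.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O21 - SSODL: wmpenv - {E1D31C91-DA5B-4416-B09C-49CE74C3EAFA} - C:\WINDOWS\wmpenv.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# A '?' or non-ASCII byte directly after a path separator: a lookalike directory
# name such as "??crosoft" standing in for "Microsoft".
LOOKALIKE = re.compile(r"\\[^\\\s]*(?:\?|[^\x00-\x7f])")
# A DLL placed directly in the Windows root instead of system32.
ROOT_DLL = re.compile(r"C:\\WINDOWS\\[^\\\s]+\.dll", re.I)
ORPHAN = re.compile(r"\((?:file missing|no file)\)", re.I)
DATA_DIR = re.compile(r"\\Application Data\\", re.I)
EXTERNAL_URL = re.compile(r"=\s*https?://", re.I)


@dataclass
class Finding:
    section: str
    body: str
    reasons: list[str] = field(default_factory=list)


def parse_hjt(text: str):
    """Yield (section, body) for every 'Oxx - ...' or 'Rx - ...' line."""
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def assess(section: str, body: str) -> list[str]:
    """Return the heuristic reasons this entry deserves a second look (empty if none)."""
    reasons = []
    if LOOKALIKE.search(body):
        reasons.append("lookalike or non-printable characters in path")
    if ORPHAN.search(body):
        reasons.append("entry points at a missing file")
    if section == "O4" and DATA_DIR.search(body):
        reasons.append("autorun launched from an Application Data directory")
    if section in {"O2", "O3", "O21"} and ROOT_DLL.search(body):
        reasons.append("DLL loaded from the Windows root directory")
    if section == "O24" and "file:///" in body:
        reasons.append("desktop component backed by a local HTML file")
    if section in {"R0", "R1"} and EXTERNAL_URL.search(body):
        reasons.append("browser start/search page set to an external URL")
    return reasons


def triage(text: str) -> list[Finding]:
    """Parse a HijackThis log and keep only the entries with at least one reason."""
    return [
        Finding(section, body, reasons)
        for section, body in parse_hjt(text)
        if (reasons := assess(section, body))
    ]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.body[:72]}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

Run against the sample, the script leaves the Java BHO, the Intel tray entry and the `about:blank` start page alone and reports the other eight lines, each with the reason it matched; on a real log the output is a starting point for a human reviewer, not a verdict, since legitimate software can trip the data-directory and missing-file checks.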


#2 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Location:USA

Posted 17 August 2007 - 10:48 PM

Please download and run SafeBootKeyRepair-CF

It takes a short moment for it to finish running, and produces a log found at C:\SafeBoot_Repair.txt

~~~~
Next, a new version of SmitFraudFix just came out.
Please remove the version you have, and download SmitfraudFix
Extract the files to the Desktop

~~~~
Start the computer in Safe Mode:
  • When the machine first starts again, tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Press Enter to boot into Safe Mode.
Open SmitfraudFix
  • Double-click smitfraudfix.cmd
  • Select Option 2 - Clean by typing 2 and press Enter (Deletes infected files)
  • You are prompted: Do you want to clean the registry? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool also checks if a relevant file, wininet.dll, is infected.
You may be prompted to replace the infected file (if found).
Replace infected file? Answer Y (yes) and hit Enter to restore a clean file.

~~~~
Restart the computer to complete the removal process.

~~~~
Now, download ComboFix
Save it to the Desktop

Double-click combofix.exe to run the program
Follow the prompts.
(Don't click on the window while the program is running; it may cause your system to stall.)

When finished, a log, ComboFix.txt, is produced.

~~~~
Please post the following in your reply:
The C:\SafeBoot_Repair.txt
The SmitFraudFix report located at C:\rapport.txt
The ComboFix.txt
A new HijackThis

Old duck...
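The ComboFix report above says the SafeBoot key needs repair, and the procedure here starts by running SafeBootKeyRepair-CF to restore it. As an added example, not the repair tool's code and not part of this post, the script below audits a Regedit export of the SafeBoot key and reports which entries Safe Mode needs are missing or altered. The required-entry list is an assumed subset of what the export later in this thread shows (not an authoritative baseline), and the embedded sample export is constructed with `Minimal\vga.sys` deliberately removed so the check has something to find; `parse_reg` and `check_safeboot` are names chosen for this example.

```python
"""Audit a Regedit export of the SafeBoot key for the entries Safe Mode needs.

Added example, not the SafeBootKeyRepair tool's code. REQUIRED_MINIMAL is an
assumed subset drawn from the export posted later in this thread, and the
sample export is constructed with one entry deliberately removed.
"""
import re

SAFEBOOT = r"HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot"
REG_SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_DEFAULT = re.compile(r'^@="(?P<value>.*)"$')
REG_NAMED = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')

# Default values expected under SafeBoot\Minimal (assumed subset, not a full baseline).
REQUIRED_MINIMAL = {
    "Base": "Driver Group",
    "Boot Bus Extender": "Driver Group",
    "Boot file system": "Driver Group",
    "File system": "Driver Group",
    "Primary disk": "Driver Group",
    "vga.sys": "Driver",
    "vgasave.sys": "Driver",
    "EventLog": "Service",
}

# Constructed sample: a trimmed export in which Minimal\vga.sys has been removed.
SAMPLE_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"
"""


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Map each key path (lower-cased) to its values; the default value is stored under '@'."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := REG_SECTION.match(line)):
            current = m.group("key").lower()
            keys.setdefault(current, {})
        elif current is not None and (m := REG_DEFAULT.match(line)):
            keys[current]["@"] = m.group("value")
        elif current is not None and (m := REG_NAMED.match(line)):
            keys[current][m.group("name")] = m.group("value")
    return keys


def check_safeboot(text: str) -> list[str]:
    """Return a list of problems; an empty list means every required entry is present."""
    keys = parse_reg(text)
    root = SAFEBOOT.lower()
    if root not in keys:
        return ["SafeBoot key absent: Safe Mode cannot start"]
    problems = []
    if keys[root].get("AlternateShell") != "cmd.exe":
        problems.append("AlternateShell is not cmd.exe")
    minimal = root + r"\minimal"
    if minimal not in keys:
        problems.append("SafeBoot\\Minimal key absent")
        return problems
    for name, expected in REQUIRED_MINIMAL.items():
        actual = keys.get(f"{minimal}\\{name.lower()}", {}).get("@")
        if actual is None:
            problems.append(f"missing Minimal\\{name}")
        elif actual != expected:
            problems.append(f"Minimal\\{name} has default '{actual}', expected '{expected}'")
    return problems


if __name__ == "__main__":
    for problem in check_safeboot(SAMPLE_EXPORT) or ["SafeBoot\\Minimal looks complete"]:
        print(problem)
```

On a live XP machine the input file comes from `reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot safeboot.reg`; the script only reads the export and never writes to the registry, which is the repair tool's job.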


#3 gus88
  • Topic Starter

  • Members
  • 64 posts

Posted 22 August 2007 - 10:39 AM

Hello Aaflac,
Thanks for taking the time to look at my problem and helping out. Sorry I couldn't reply faster; I was out on vacation and just got back. Well, I did everything you stated and my computer is running MUCH better with fewer pop-ups. Below are all the report logs you asked for. Hopefully you won't find anything of harm this time around and I'll be free of viruses. Again, thanks for all your help, I was on the tip of buying a new computer!!!


Reg export of SafeBoot key after repair:
========================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

========================


SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
~~\SafeBoot\Minimal\RpcSs

=====================


HERE'S THE SMITFRAUDFIX REPORT:

SmitFraudFix v2.215

Scan done at 11:04:14.01, Wed 08/22/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\duocore.dll Deleted
C:\WINDOWS\privacy_danger\ Deleted
C:\WINDOWS\wmpconf.dll Deleted
C:\WINDOWS\wmpenv.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

COMBOFIX REPORT:

ComboFix 07-08-22.2 - "Owner" 2007-08-22 11:20:14.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.52 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Owner\FAVORI~1\Error Cleaner.url
C:\DOCUME~1\Owner\FAVORI~1\Privacy Protector.url
C:\DOCUME~1\Owner\FAVORI~1\Spyware&Malware Protection.url
C:\WINDOWS\dat.txt


((((((((((((((((((((((((( Files Created from 2007-07-22 to 2007-08-22 )))))))))))))))))))))))))))))))


2007-08-22 11:13 <DIR> d-------- C:\Quarantine
2007-08-22 10:56 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-08-13 18:04 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-13 14:43 15,416 --------- C:\WINDOWS\system32\drivers\sdthook.sys
2007-08-12 16:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\sentinel
2007-08-12 16:48 83,640 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
2007-08-12 16:46 50,736 --a------ C:\WINDOWS\system32\avldr.dll
2007-08-12 16:46 <DIR> d-------- C:\Program Files\Panda Security
2007-08-11 11:24 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-11 11:24 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-11 11:24 2,426 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-10 12:05 <DIR> d-------- C:\VundoFix Backups
2007-08-09 13:58 <DIR> d-------- C:\Program Files\XoftSpySE
2007-08-07 00:51 21,504 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2007-08-07 00:51 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2007-08-07 00:49 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2007-08-07 00:39 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\InstallShield
2007-08-02 20:35 <DIR> d-------- C:\Program Files\WebSecondDate
2007-08-02 20:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Internet debug mess great
2007-08-02 20:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\great coal love default
2007-07-28 12:52 <DIR> d-------- C:\WINDOWS\pss


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-22 11:13 --------- d-------- C:\Program Files\SP2 Connection Patcher
2007-08-22 01:15 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\WeatherBug
2007-08-22 01:15 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\WeatherBug
2007-08-15 12:18 --------- d-------- C:\Program Files\Morpheus
2007-08-14 08:38 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Azureus
2007-08-14 08:38 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Azureus
2007-08-13 19:40 --------- d-------- C:\Program Files\NoAdware5.0
2007-08-13 13:15 --------- d-------- C:\Program Files\MSN Messenger
2007-08-12 17:29 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\WebSecondDate
2007-08-12 17:29 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\WebSecondDate
2007-08-12 17:19 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\cakeuserspam4
2007-08-12 16:46 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-12 13:23 --------- d-------- C:\Program Files\QuickTime
2007-08-12 13:10 --------- d-------- C:\Program Files\Microsoft ActiveSync
2007-08-09 14:44 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\DownloadManager
2007-08-09 14:44 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\DownloadManager
2007-08-09 12:31 --------- d-------- C:\Program Files\MorpheusBar
2007-08-09 12:05 --------- d-------- C:\Program Files\Real
2007-08-09 12:02 --------- d-------- C:\Program Files\Windows Live Toolbar
2007-08-07 00:55 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-08-07 00:55 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-08-07 00:52 --------- d-------- C:\Program Files\Motorola Phone Tools
2007-08-07 00:39 --------- d-------- C:\Program Files\LiveUpdate
2007-07-31 11:46 --------- d-------- C:\Program Files\MSN Games
2007-07-31 11:40 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\MSNInstaller
2007-07-31 11:40 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\MSNInstaller
2007-07-31 11:38 --------- d-------- C:\Program Files\CyberLink
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2006-12-07 10:13 9232 --a------ C:\DOCUME~1\Owner\mqdmmdfl.sys
2006-12-07 10:13 92064 --a------ C:\DOCUME~1\Owner\mqdmmdm.sys
2006-12-07 10:13 79328 --a------ C:\DOCUME~1\Owner\mqdmserd.sys
2006-12-07 10:13 66656 --a------ C:\DOCUME~1\Owner\mqdmbus.sys
2006-12-07 10:13 6208 --a------ C:\DOCUME~1\Owner\mqdmcmnt.sys
2006-12-07 10:13 5936 --a------ C:\DOCUME~1\Owner\mqdmwhnt.sys
2006-12-07 10:13 4048 --a------ C:\DOCUME~1\Owner\mqdmcr.sys
2006-12-07 10:13 25600 --a------ C:\DOCUME~1\Owner\usbsermptxp.sys
2006-12-07 10:13 22768 --a------ C:\DOCUME~1\Owner\usbsermpt.sys
2005-04-08 18:42:05 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86C510E9-97EF-4749-914F-0280247BE3A6}]
C:\WINDOWS\VirtualDNS.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 16:42]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 18:55]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 18:51]
"Motive SmartBridge"="C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe" [2002-05-18 12:04]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"Love default global mess"="C:\Documents and Settings\All Users\Application Data\great coal love default\EGGS SURF.exe" [2007-08-22 11:14]
"APVXDWIN"="C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.exe" [2007-07-19 15:23]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 15:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-29 11:48]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2005-06-07 14:58]
"SP2 Connection Patcher"="C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" [2005-07-11 05:51]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~4\wcescomm.exe" [2006-06-20 22:36]
"Cpue"="C:\PROGRA~1\ICROSO~1\mmc.exe" []
"Uxrlsk"="C:\Program Files\??crosoft\msconfig.exe" []
"Ttksfmv"="C:\WINDOWS\system32\??crosoft.NET\nslookup.exe" []
"Cdrom Sect"="C:\DOCUME~1\Owner\APPLIC~1\WEBSEC~1\MAGS SEEK.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0s0s09sw.dll]
RUNDLL32.EXE 0s0s09sw.dll,b 269829703

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8D8F949099919994]
46484D49524A52.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cdrom Sect]
C:\DOCUME~1\Owner\APPLIC~1\WEBSEC~1\MAGS SEEK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1159479886\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spam4DriveUp]
C:\Documents and Settings\All Users\Application Data\cakeuserspam4\Phone dumb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
C:\Program Files\mobile PhoneTools\WatchDog.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\Winampa.exe"

R2 CdaD10BA;CdaD10BA;\??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 usbsermptxp;Motorola USB Modem Driver for MPT XP;C:\WINDOWS\system32\DRIVERS\usbsermptxp.sys


Contents of the 'Scheduled Tasks' folder
2007-08-16 21:00:00 C:\WINDOWS\Tasks\ACDF02E19188B4E9.job - c:\docume~1\owner\applic~1\websec~1\Pop Idle Aim.exe
2007-08-22 15:22:00 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDetect.exe
2007-08-15 22:37:01 C:\WINDOWS\Tasks\WebReg Deskjet 3900 series.job - C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-22 11:22:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-22 11:23:36
C:\ComboFix-quarantined-files.txt ... 2007-08-22 11:23
C:\ComboFix2.txt ... 2007-08-13 18:10
C:\ComboFix3.txt ... 2007-08-12 00:52

--- E O F ---

AND A NEW HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:43 AM, on 8/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~4\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CVirtualDNSObj Object - {86C510E9-97EF-4749-914F-0280247BE3A6} - C:\WINDOWS\VirtualDNS.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Love default global mess] C:\Documents and Settings\All Users\Application Data\great coal love default\EGGS SURF.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - HKCU\..\Run: [Cpue] "C:\PROGRA~1\ICROSO~1\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [Uxrlsk] "C:\Program Files\??crosoft\msconfig.exe"
O4 - HKCU\..\Run: [Ttksfmv] C:\WINDOWS\system32\??crosoft.NET\nslookup.exe
O4 - HKCU\..\Run: [Cdrom Sect] C:\DOCUME~1\Owner\APPLIC~1\WEBSEC~1\MAGS SEEK.exe
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.09\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.09\MediaManager\grab.html
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://mcctc.howtomaster.com/plugin/awarew...cab/awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139277115658
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...635/mcfscan.cab
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6286 bytes

#4 Aaflac

    Doin' Dis 'n Dat...

  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 23 August 2007 - 09:11 PM

Earlier I had you download/run SafeBootKeyRepair-CF.exe – Please delete that file.

Then, download SafeBootKeyRepair.exe
Save it to the Desktop.

Double-click SafeBootKeyRepair.exe to run it.
Follow any prompts that may appear.

Please post the new SafeBootKeyRepair log it produced, and a new ComboFix log.

Edited by Aaflac, 23 August 2007 - 09:18 PM.

Old duck...
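Both ComboFix runs above report "SafeBoot registry key needs repairs" and name the missing entry (~~\SafeBoot\Minimal\RpcSs), which is why the poster is asked to run SafeBootKeyRepair.exe and export the key again. As an added example, not code from this thread or from the SafeBootKeyRepair tool, the Python below parses a "Windows Registry Editor Version 5.00" export in the same format as the one posted and reports which expected SafeBoot\Minimal subkeys are missing or carry an unexpected default value. The constructed sample export is a shortened copy of the one in the thread; the baseline is an assumption built from the subkeys in that export plus RpcSs, and in practice should be replaced with an export taken from a known-good machine of the same Windows version, because the default entry list differs between versions.

```python
"""Audit a SafeBoot\\Minimal registry export for missing or altered subkeys.

Added example: parses the text format of a "Windows Registry Editor
Version 5.00" export (as posted in the thread) and compares the subkeys
under HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal with a
baseline. Malware that removes these entries leaves Safe Mode unbootable.
"""
import re

# Constructed sample: a shortened copy of the export posted in the thread.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
"""

# Assumed baseline: subkeys seen in the thread's export plus RpcSs, which
# ComboFix reported missing. Replace with an export from a known-good machine
# of the same Windows version; the real default list is version-specific.
BASELINE = {
    "AppMgmt": "Service",
    "Base": "Driver Group",
    "Boot Bus Extender": "Driver Group",
    "Boot file system": "Driver Group",
    "DcomLaunch": "Service",
    "EventLog": "Service",
    "File system": "Driver Group",
    "Filter": "Driver Group",
    "Netlogon": "Service",
    "PCI Configuration": "Driver Group",
    "PlugPlay": "Service",
    "PNP Filter": "Driver Group",
    "Primary disk": "Driver Group",
    "RpcSs": "Service",
    "SCSI Class": "Driver Group",
    "sr.sys": "FSFilter System Recovery",
    "System Bus Extender": "Driver Group",
    "vga.sys": "Driver",
    "vgasave.sys": "Driver",
    "{4D36E96B-E325-11CE-BFC1-08002BE10318}": "Keyboard",
}

SAFEBOOT_MINIMAL = r"hkey_local_machine\system\currentcontrolset\control\safeboot\minimal"

# Matches the simple string forms "name"="data" and @="data"; a SafeBoot
# export contains nothing else.
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for a .reg export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1]
            keys[current][name] = data
    return keys


def safeboot_minimal_entries(keys):
    """Map each direct subkey of SafeBoot\\Minimal to its default (@) value."""
    prefix = SAFEBOOT_MINIMAL + "\\"
    entries = {}
    for path, values in keys.items():
        if path.lower().startswith(prefix):
            name = path[len(prefix):]
            if "\\" not in name:  # only direct children are SafeBoot entries
                entries[name] = values.get("@")
    return entries


def audit(text, baseline=BASELINE):
    """Return (missing, mismatched).

    missing: baseline names absent from the export (sorted).
    mismatched: (name, found_default, expected_default) tuples.
    Registry key names are case-insensitive, so comparison ignores case.
    """
    found = safeboot_minimal_entries(parse_reg_export(text))
    found_ci = {k.lower(): v for k, v in found.items()}
    missing, mismatched = [], []
    for name, expected in baseline.items():
        if name.lower() not in found_ci:
            missing.append(name)
        elif found_ci[name.lower()] != expected:
            mismatched.append((name, found_ci[name.lower()], expected))
    return sorted(missing), mismatched


if __name__ == "__main__":
    missing, mismatched = audit(SAMPLE_EXPORT)
    print("missing SafeBoot\\Minimal entries:", ", ".join(missing) or "none")
    for name, got, want in mismatched:
        print(f"unexpected default for {name}: {got!r} (expected {want!r})")
```

Run it against a real export by reading the .reg file (saved as UTF-16 by regedit, so open it with `encoding="utf-16"`) and passing the text to `audit()`. A non-empty `missing` list on a machine that cannot boot to Safe Mode matches the symptom ComboFix flagged here; a populated `mismatched` list points at entries that exist but were rewritten.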


#5 gus88
  • Topic Starter
  • Members
  • 64 posts

Posted 24 August 2007 - 08:48 AM

Okay, here they go.

Reg export of SafeBoot key after repair:
========================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

========================


SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
~~\SafeBoot\Minimal\RpcSs

========================


ComboFix 07-08-22.2 - "Owner" 2007-08-24 9:13:29.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.37 [GMT -4:00]


((((((((((((((((((((((((( Files Created from 2007-07-24 to 2007-08-24 )))))))))))))))))))))))))))))))


2007-08-24 07:57 <DIR> d-------- C:\WINDOWS\LastGood
2007-08-22 11:13 <DIR> d-------- C:\Quarantine
2007-08-22 10:56 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-08-13 18:04 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-13 14:43 15,416 --------- C:\WINDOWS\system32\drivers\sdthook.sys
2007-08-12 16:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\sentinel
2007-08-12 16:48 83,640 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
2007-08-12 16:46 50,736 --a------ C:\WINDOWS\system32\avldr.dll
2007-08-12 16:46 <DIR> d-------- C:\Program Files\Panda Security
2007-08-11 11:24 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-11 11:24 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-11 11:24 2,426 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-10 12:05 <DIR> d-------- C:\VundoFix Backups
2007-08-09 13:58 <DIR> d-------- C:\Program Files\XoftSpySE
2007-08-07 00:51 21,504 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2007-08-07 00:51 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2007-08-07 00:49 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2007-08-07 00:39 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\InstallShield
2007-08-02 20:35 <DIR> d-------- C:\Program Files\WebSecondDate
2007-08-02 20:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Internet debug mess great
2007-08-02 20:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\great coal love default
2007-07-28 12:52 <DIR> d-------- C:\WINDOWS\pss


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-22 21:16 --------- d-------- C:\Program Files\Morpheus
2007-08-22 11:13 --------- d-------- C:\Program Files\SP2 Connection Patcher
2007-08-22 01:15 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\WeatherBug
2007-08-22 01:15 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\WeatherBug
2007-08-14 08:38 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Azureus
2007-08-14 08:38 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Azureus
2007-08-13 19:40 --------- d-------- C:\Program Files\NoAdware5.0
2007-08-13 13:15 --------- d-------- C:\Program Files\MSN Messenger
2007-08-12 17:29 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\WebSecondDate
2007-08-12 17:29 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\WebSecondDate
2007-08-12 17:19 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\cakeuserspam4
2007-08-12 16:46 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-12 13:23 --------- d-------- C:\Program Files\QuickTime
2007-08-12 13:10 --------- d-------- C:\Program Files\Microsoft ActiveSync
2007-08-09 14:44 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\DownloadManager
2007-08-09 14:44 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\DownloadManager
2007-08-09 12:31 --------- d-------- C:\Program Files\MorpheusBar
2007-08-09 12:05 --------- d-------- C:\Program Files\Real
2007-08-09 12:02 --------- d-------- C:\Program Files\Windows Live Toolbar
2007-08-07 00:55 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-08-07 00:55 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-08-07 00:52 --------- d-------- C:\Program Files\Motorola Phone Tools
2007-08-07 00:39 --------- d-------- C:\Program Files\LiveUpdate
2007-07-31 11:46 --------- d-------- C:\Program Files\MSN Games
2007-07-31 11:40 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\MSNInstaller
2007-07-31 11:40 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\MSNInstaller
2007-07-31 11:38 --------- d-------- C:\Program Files\CyberLink
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2006-12-07 10:13 9232 --a------ C:\DOCUME~1\Owner\mqdmmdfl.sys
2006-12-07 10:13 92064 --a------ C:\DOCUME~1\Owner\mqdmmdm.sys
2006-12-07 10:13 79328 --a------ C:\DOCUME~1\Owner\mqdmserd.sys
2006-12-07 10:13 66656 --a------ C:\DOCUME~1\Owner\mqdmbus.sys
2006-12-07 10:13 6208 --a------ C:\DOCUME~1\Owner\mqdmcmnt.sys
2006-12-07 10:13 5936 --a------ C:\DOCUME~1\Owner\mqdmwhnt.sys
2006-12-07 10:13 4048 --a------ C:\DOCUME~1\Owner\mqdmcr.sys
2006-12-07 10:13 25600 --a------ C:\DOCUME~1\Owner\usbsermptxp.sys
2006-12-07 10:13 22768 --a------ C:\DOCUME~1\Owner\usbsermpt.sys
2005-04-08 18:42:05 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86C510E9-97EF-4749-914F-0280247BE3A6}]
C:\WINDOWS\VirtualDNS.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 16:42]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 18:55]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 18:51]
"Motive SmartBridge"="C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe" [2002-05-18 12:04]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"Love default global mess"="C:\Documents and Settings\All Users\Application Data\great coal love default\EGGS SURF.exe" [2007-08-24 07:57]
"APVXDWIN"="C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.exe" [2007-07-19 15:23]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 15:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-29 11:48]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2005-06-07 14:58]
"SP2 Connection Patcher"="C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" [2005-07-11 05:51]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~4\wcescomm.exe" [2006-06-20 22:36]
"Cpue"="C:\PROGRA~1\ICROSO~1\mmc.exe" []
"Uxrlsk"="C:\Program Files\??crosoft\msconfig.exe" []
"Ttksfmv"="C:\WINDOWS\system32\??crosoft.NET\nslookup.exe" []
"Cdrom Sect"="C:\DOCUME~1\Owner\APPLIC~1\WEBSEC~1\MAGS SEEK.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0s0s09sw.dll]
RUNDLL32.EXE 0s0s09sw.dll,b 269829703

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8D8F949099919994]
46484D49524A52.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cdrom Sect]
C:\DOCUME~1\Owner\APPLIC~1\WEBSEC~1\MAGS SEEK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1159479886\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spam4DriveUp]
C:\Documents and Settings\All Users\Application Data\cakeuserspam4\Phone dumb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
C:\Program Files\mobile PhoneTools\WatchDog.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\Winampa.exe"

R2 CdaD10BA;CdaD10BA;\??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 usbsermptxp;Motorola USB Modem Driver for MPT XP;C:\WINDOWS\system32\DRIVERS\usbsermptxp.sys


Contents of the 'Scheduled Tasks' folder
2007-08-24 13:00:00 C:\WINDOWS\Tasks\ACDF02E19188B4E9.job - c:\docume~1\owner\applic~1\websec~1\Pop Idle Aim.exe
2007-08-24 13:17:01 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDetect.exe
2007-08-22 22:37:00 C:\WINDOWS\Tasks\WebReg Deskjet 3900 series.job - C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-24 09:16:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-24 9:18:18
C:\ComboFix-quarantined-files.txt ... 2007-08-24 09:17
C:\ComboFix2.txt ... 2007-08-22 11:23
C:\ComboFix3.txt ... 2007-08-13 18:10

--- E O F ---
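
The "Reg Loading Points" block above and the HijackThis O4 lines elsewhere in this thread are what the helpers read by eye: which autostart values point at files under a user's profile rather than Program Files or Windows, which paths contain `?` where the tool could not print a character (`?` is not a legal filename character on Windows, so its presence means a substituted, non-ASCII directory name), and which ComboFix entries carry an empty `[]` instead of a file timestamp. The following Python script is an added triage example, not part of the original thread and not code from ComboFix, HijackThis or SuperAntiSpyware. The sample lines are constructed after the entries quoted in the log; the reading of `[]` as "no timestamp could be read for the referenced file" is this example's assumption, and every function name and heuristic is the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample lines, modelled on the ComboFix "Reg Loading Points" entries
# and HijackThis O4 lines quoted in this thread. They are not the real log files.
SAMPLE_LINES = r'''
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 18:55]
"Love default global mess"="C:\Documents and Settings\All Users\Application Data\great coal love default\EGGS SURF.exe" [2007-08-24 07:57]
"Cpue"="C:\PROGRA~1\ICROSO~1\mmc.exe" []
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uxrlsk] "C:\Program Files\??crosoft\msconfig.exe"
O4 - HKCU\..\Run: [Ttksfmv] C:\WINDOWS\system32\??crosoft.NET\nslookup.exe
O4 - HKCU\..\Run: [Cdrom Sect] C:\DOCUME~1\Owner\APPLIC~1\WEBSEC~1\MAGS SEEK.exe
'''.strip().splitlines()

# ComboFix prints:   "ValueName"="C:\path\file.exe" [YYYY-MM-DD HH:MM]
COMBOFIX_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]\s*$')
# HijackThis prints: O4 - HKCU\..\Run: [ValueName] command line
HJT_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$')

# Profile/data directories, in the long and 8.3 forms seen in the logs above.
# A legitimate installer rarely places an autostart executable there.
USER_DATA_MARKERS = ("\\documents and settings\\", "\\docume~1\\",
                     "\\application data\\", "\\applic~1\\")


@dataclass
class AutostartEntry:
    source: str                 # "combofix" or "hijackthis"
    name: str                   # registry value name
    path: str                   # executable path as printed in the log
    stamp: Optional[str]        # ComboFix file timestamp; None for HijackThis lines
    findings: List[str] = field(default_factory=list)


def _path_from_command(cmd: str) -> str:
    """Pull the executable path out of a HijackThis command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                  # quoted path, arguments may follow
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(?i)^(.+?\.exe)', cmd)    # unquoted path, cut at the first .exe
    return m.group(1) if m else cmd


def parse_line(line: str) -> Optional[AutostartEntry]:
    """Recognise one autostart line in either log format; None for anything else."""
    m = COMBOFIX_RE.match(line)
    if m:
        return AutostartEntry("combofix", m["name"], m["path"], m["stamp"].strip())
    m = HJT_RE.match(line)
    if m:
        return AutostartEntry("hijackthis", m["name"], _path_from_command(m["cmd"]), None)
    return None


def assess(entry: AutostartEntry) -> AutostartEntry:
    """Attach review findings. These are triage hints for a human, not verdicts."""
    low = entry.path.lower()
    if "?" in entry.path:
        # '?' cannot occur in a Windows filename, so the tool substituted it for a
        # character it could not render: a non-ASCII look-alike directory name.
        entry.findings.append("unrenderable character in path (look-alike directory name?)")
    if entry.stamp == "":
        # Assumption for this example: an empty [] means ComboFix could read no
        # timestamp for the file the value points at.
        entry.findings.append("no file timestamp recorded (referenced file missing?)")
    if any(marker in low for marker in USER_DATA_MARKERS):
        entry.findings.append("autostart executable in a user-writable data directory")
    return entry


def triage(lines: List[str]) -> List[AutostartEntry]:
    """Parse and assess every recognisable autostart line, in log order."""
    return [assess(e) for e in map(parse_line, lines) if e is not None]


def suspicious_names(lines: List[str]) -> List[str]:
    """Value names that picked up at least one finding."""
    return [e.name for e in triage(lines) if e.findings]


if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        flag = "REVIEW" if e.findings else "ok    "
        print(f"{flag} {e.source:10} {e.name!r:30} {e.path}")
        for f in e.findings:
            print(f"           - {f}")
```

Run on the constructed sample, the script leaves IgfxTray and ctfmon.exe alone and flags the other five values for review. That matches what the thread later confirms: EGGS SURF.EXE is the file the SuperAntiSpyware log lists under Adware.Lop-Variant, and ICROSO~1\MMC.EXE turns up in ComboFix's quarantine folder under Adware.ClickSpring.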

#6 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA
  • Local time:03:46 PM

Posted 24 August 2007 - 02:31 PM

Let's get rid of some malware before going any further...

Please download SuperAntiSpyware
Install the program
  • Run SuperAntiSpyware and click: Check for updates
  • Once the update is finished, on the main screen, click: Scan your computer
  • Check: Perform Complete Scan
  • Click Next to start the scan.
SuperAntiSpyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
  • Click: Preferences
  • Click the Statistics/Logs tab
  • Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

~~~~
Also update your version of Java!
There are vulnerabilities in older versions.

Go to Start > Control Panel > Add/Remove Programs
In the list of Currently Installed Programs, look for all previous versions of Java:
J2SE Runtime Environment number x, etc.
Select the entry and then Remove

Next, download and install the newest version:
Java Runtime Environment (JRE) 6 Update 2

~~~~
Please run HijackThis once again to obtain a new log.

~~~~
Please provide the contents of the SuperAntiSpyware log, and the new HijackThis log.

Edited by Aaflac, 24 August 2007 - 02:34 PM.

Old duck...


#7 gus88

gus88
  • Topic Starter

  • Members
  • 64 posts
  • Local time:04:46 PM

Posted 25 August 2007 - 12:25 AM

Hey. Thanks for all your help. My computer's been running much faster since I followed your steps. Here are the SuperAntiSpyware and new HijackThis logs.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/24/2007 at 10:17 PM

Application Version : 3.9.1008

Core Rules Database Version : 3292
Trace Rules Database Version: 1303

Scan type : Complete Scan
Total Scan Time : 01:22:58

Memory items scanned : 431
Memory threats detected : 0
Registry items scanned : 6199
Registry threats detected : 16
File items scanned : 44471
File threats detected : 163

Adware.Lop-Variant
[Love default global mess] C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\GREAT COAL LOVE DEFAULT\EGGS SURF.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\GREAT COAL LOVE DEFAULT\EGGS SURF.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\WEBSECONDDATE\POP THAT CREATIVE.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP865\A0167810.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP865\A0167814.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP866\A0167827.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP866\A0167829.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP867\A0167844.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP867\A0167845.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP868\A0168024.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP868\A0168029.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP869\A0168030.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP869\A0168054.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP869\A0168057.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP869\A0168067.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP872\A0168493.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP872\A0168554.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP872\A0168566.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP872\A0168568.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP872\A0168578.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP872\A0168588.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP872\A0169588.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP872\A0169589.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP872\A0169599.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP872\A0169625.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP872\A0169693.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP873\A0169708.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP873\A0169715.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP873\A0169717.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP873\A0169718.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP873\A0169720.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP873\A0169721.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP873\A0169748.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP874\A0169834.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP874\A0169839.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP875\A0169925.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP875\A0170919.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP875\A0170924.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP876\A0170946.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP876\A0170975.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP876\A0170993.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP877\A0171089.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP878\A0171091.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP878\A0171272.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP880\A0171301.EXE

Trojan.VirtualDNS
HKLM\Software\Classes\CLSID\{86C510E9-97EF-4749-914F-0280247BE3A6}
HKCR\CLSID\{86C510E9-97EF-4749-914F-0280247BE3A6}
HKCR\CLSID\{86C510E9-97EF-4749-914F-0280247BE3A6}
HKCR\CLSID\{86C510E9-97EF-4749-914F-0280247BE3A6}#AppID
HKCR\CLSID\{86C510E9-97EF-4749-914F-0280247BE3A6}\Control
HKCR\CLSID\{86C510E9-97EF-4749-914F-0280247BE3A6}\InprocServer32
HKCR\CLSID\{86C510E9-97EF-4749-914F-0280247BE3A6}\InprocServer32#ThreadingModel
HKCR\CLSID\{86C510E9-97EF-4749-914F-0280247BE3A6}\MiscStatus
HKCR\CLSID\{86C510E9-97EF-4749-914F-0280247BE3A6}\MiscStatus\1
HKCR\CLSID\{86C510E9-97EF-4749-914F-0280247BE3A6}\ProgID
HKCR\CLSID\{86C510E9-97EF-4749-914F-0280247BE3A6}\ToolboxBitmap32
HKCR\CLSID\{86C510E9-97EF-4749-914F-0280247BE3A6}\TypeLib
HKCR\CLSID\{86C510E9-97EF-4749-914F-0280247BE3A6}\Version
HKCR\CLSID\{86C510E9-97EF-4749-914F-0280247BE3A6}\VersionIndependentProgID
C:\WINDOWS\VIRTUALDNS.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{86C510E9-97EF-4749-914F-0280247BE3A6}
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP873\A0169714.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjk4uocpgep.stats.esomniture[2].txt
C:\Documents and Settings\Owner\Cookies\owner@pro-market[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.morpheus[2].txt
C:\Documents and Settings\Owner\Cookies\owner@a.websponsors[2].txt
C:\Documents and Settings\Owner\Cookies\owner@edge.ru4[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.googleadservices[4].txt
C:\Documents and Settings\Owner\Cookies\owner@secure.datingmedialtd[2].txt
C:\Documents and Settings\Owner\Cookies\owner@datingmedialtd[1].txt
C:\Documents and Settings\Owner\Cookies\owner@bs.serving-sys[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.adbrite[1].txt
C:\Documents and Settings\Owner\Cookies\owner@questionmarket[2].txt
C:\Documents and Settings\Owner\Cookies\owner@tremor.adbureau[2].txt
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjkycncjgfo.stats.esomniture[2].txt
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjnygjczkcp.stats.esomniture[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.googleadservices[1].txt
C:\Documents and Settings\Owner\Cookies\owner@login.tracking101[2].txt
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wgmiemcjado.stats.esomniture[2].txt
C:\Documents and Settings\Owner\Cookies\owner@realmedia[1].txt
C:\Documents and Settings\Owner\Cookies\owner@tacoda[2].txt
C:\Documents and Settings\Owner\Cookies\owner@adserver.easyad[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.revsci[1].txt
C:\Documents and Settings\Owner\Cookies\owner@bluestreak[1].txt
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt
C:\Documents and Settings\Owner\Cookies\owner@clicksor[2].txt
C:\Documents and Settings\Owner\Cookies\owner@statcounter[2].txt
C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@specificclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@zedo[1].txt
C:\Documents and Settings\Owner\Cookies\owner@yadro[1].txt
C:\Documents and Settings\Owner\Cookies\owner@paypal.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@apmebf[1].txt
C:\Documents and Settings\Owner\Cookies\owner@webpower[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.iconadserver[2].txt
C:\Documents and Settings\Owner\Cookies\owner@cpvfeed[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.addynamix[1].txt
C:\Documents and Settings\Owner\Cookies\owner@interclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@revsci[1].txt
C:\Documents and Settings\Owner\Cookies\owner@newmotioninc.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@marylandteens.student[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.googleadservices[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.realtechnetwork[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www1.addfreestats[1].txt
C:\Documents and Settings\Owner\Cookies\owner@msnportal.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adbrite[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ar.atwola[2].txt
C:\Documents and Settings\Owner\Cookies\owner@rambler[1].txt
C:\Documents and Settings\Owner\Cookies\owner@webstat[1].txt
C:\Documents and Settings\Owner\Cookies\owner@pandasoftware.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@burstnet[2].txt
C:\Documents and Settings\Owner\Cookies\owner@4.adbrite[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.realtechnetwork[1].txt
C:\Documents and Settings\Owner\Cookies\owner@precisionclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@adrevolver[1].txt
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[2].txt
C:\Documents and Settings\Owner\Cookies\owner@media.adrevolver[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.burstnet[1].txt
C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt
C:\Documents and Settings\Owner\Cookies\owner@advertise.youvidz[1].txt
C:\Documents and Settings\Owner\Cookies\owner@youporn[1].txt
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjnywoazsbp.stats.esomniture[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.interclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@reduxads.valuead[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjk4uiajkgq.stats.esomniture[2].txt
C:\Documents and Settings\Owner\Cookies\owner@serving-sys[2].txt
C:\Documents and Settings\Owner\Cookies\owner@aff.primaryads[2].txt

Trojan.ZenoSearch
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AOL\C_AMERICA ONLINE 9.0\OPTCLEAN.EXE

Trojan.Net-MSV/VPS-G
C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\BACKUPS\BACKUP-20070813-151654-734.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP876\A0170979.DLL

Adware.ClickSpring
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\ICROSO~1\MMC.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP849\A0160747.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP850\A0161747.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP853\A0162746.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP855\A0163766.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP856\A0164766.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP858\A0165757.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP859\A0166785.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP863\A0167249.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP872\A0169613.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP872\A0169614.EXE

Trojan.Downloader/Media-Codec
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\VIDEOACCESSCODEC\VIDEOACCESSCODEC.OCX.VIR

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WNSAPIICOMSV32.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP849\A0160750.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP850\A0161750.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP853\A0162749.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP855\A0163769.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP856\A0164769.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP857\A0164785.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP859\A0166788.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP863\A0167252.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP872\A0168495.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP872\A0169608.EXE

Trojan.Downloader-Gen/RetAd
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP841\A0158551.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP842\A0158562.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP848\A0159795.EXE

Adware.ClickSpring/Resident
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP850\A0161736.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP850\A0161746.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP853\A0162745.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP855\A0163765.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP856\A0164765.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP858\A0165756.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP859\A0166784.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP864\A0167777.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP872\A0169609.DLL

Adware.Lop-Gen
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP864\A0167789.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP864\A0167790.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP864\A0167792.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP872\A0168536.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP873\A0169709.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP873\A0169711.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP873\A0169716.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP873\A0169719.EXE

Trojan.SearchTool
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP872\A0168531.DLL

Trojan.Downloader-Gen/Win
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP872\A0169607.EXE

Trojan.PSA3D
C:\WINDOWS\SYSTEM32\REDIR2.A3D




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:19:22 AM, on 8/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
C:\PROGRA~1\MICROS~4\wcescomm.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\WebProxy.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - HKCU\..\Run: [Cpue] "C:\PROGRA~1\ICROSO~1\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [Uxrlsk] "C:\Program Files\??crosoft\msconfig.exe"
O4 - HKCU\..\Run: [Ttksfmv] C:\WINDOWS\system32\??crosoft.NET\nslookup.exe
O4 - HKCU\..\Run: [Cdrom Sect] C:\DOCUME~1\Owner\APPLIC~1\WEBSEC~1\MAGS SEEK.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.09\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.09\MediaManager\grab.html
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://mcctc.howtomaster.com/plugin/awarew...cab/awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139277115658
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...635/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7301 bytes

#8 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA
  • Local time:03:46 PM

Posted 25 August 2007 - 10:40 PM

Please go to Start > Run, and type: control
Double-click Add or Remove Programs
From the list of Currently Installed Programs, look for:

Any entry with OIN or OuterInfo. They need to go.

Click on the entry and select Remove to uninstall

If OIN or OuterInfo is not listed, download and run the OIN Uninstaller

~~~~
Also download to the Desktop: NoLop
Follow the instructions presented.

~~~~
Run ComboFix once again.

~~~~
Please post the contents of C:\NoLop.log, the new ComboFix.txt, and a new HijackThis log.

Old duck...


#9 gus88

gus88
  • Topic Starter

  • Members
  • 64 posts
  • Local time:04:46 PM

Posted 26 August 2007 - 04:29 PM

Here they go.


NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\Owner\Desktop
[8/26/2007]
[5:06:56 PM]

---Infection Files Found/Removed---
C:\WINDOWS\tasks\ACDF02E19188B4E9.job

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---

C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Aol
C:\Documents and Settings\All Users\Application Data\Aol Downloads
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Bvrp Software
C:\Documents and Settings\All Users\Application Data\Cakeuserspam4
C:\Documents and Settings\All Users\Application Data\Great Coal Love Default -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Hp
C:\Documents and Settings\All Users\Application Data\Internet Debug Mess Great -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Intuit
C:\Documents and Settings\All Users\Application Data\Mcafee
C:\Documents and Settings\All Users\Application Data\Mcafee.com
C:\Documents and Settings\All Users\Application Data\Mcafee.com Personal Firewall
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Motive -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Msn6
C:\Documents and Settings\All Users\Application Data\Pace Anti-piracy
C:\Documents and Settings\All Users\Application Data\Prism Deploy
C:\Documents and Settings\All Users\Application Data\Propellerhead Software
C:\Documents and Settings\All Users\Application Data\Pure Networks
C:\Documents and Settings\All Users\Application Data\Quicktime
C:\Documents and Settings\All Users\Application Data\Sentinel
C:\Documents and Settings\All Users\Application Data\Skilljam
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Superantispyware.com
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Temp -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
C:\Documents and Settings\Default User\Application Data\Identities
C:\Documents and Settings\Default User\Application Data\Mcafee
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Default User\Application Data\Sampleview -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Macromedia
C:\Documents and Settings\Localservice\Application Data\Mcafee.com Personal Firewall
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Macromedia
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Symantec
C:\Documents and Settings\Owner\Application Data\Acccore
C:\Documents and Settings\Owner\Application Data\Adobe
C:\Documents and Settings\Owner\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Owner\Application Data\Aol
C:\Documents and Settings\Owner\Application Data\Apple Computer
C:\Documents and Settings\Owner\Application Data\Azureus
C:\Documents and Settings\Owner\Application Data\Cyberlink
C:\Documents and Settings\Owner\Application Data\Downloadmanager -- EMPTY Directory
C:\Documents and Settings\Owner\Application Data\Google
C:\Documents and Settings\Owner\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Owner\Application Data\Hp
C:\Documents and Settings\Owner\Application Data\Identities
C:\Documents and Settings\Owner\Application Data\Image Zone Express
C:\Documents and Settings\Owner\Application Data\Imesh
C:\Documents and Settings\Owner\Application Data\Intuit
C:\Documents and Settings\Owner\Application Data\Lavasoft
C:\Documents and Settings\Owner\Application Data\Macromedia
C:\Documents and Settings\Owner\Application Data\Mcafee.com Personal Firewall
C:\Documents and Settings\Owner\Application Data\Microsoft
C:\Documents and Settings\Owner\Application Data\Microsoft Web Folders -- EMPTY Directory
C:\Documents and Settings\Owner\Application Data\Morpheus
C:\Documents and Settings\Owner\Application Data\Mozilla
C:\Documents and Settings\Owner\Application Data\Msn6
C:\Documents and Settings\Owner\Application Data\Msninstaller
C:\Documents and Settings\Owner\Application Data\Myspace
C:\Documents and Settings\Owner\Application Data\Netpumper -- EMPTY Directory
C:\Documents and Settings\Owner\Application Data\Propellerhead Software
C:\Documents and Settings\Owner\Application Data\Real
C:\Documents and Settings\Owner\Application Data\Sampleview -- EMPTY Directory
C:\Documents and Settings\Owner\Application Data\Sun
C:\Documents and Settings\Owner\Application Data\Superantispyware.com
C:\Documents and Settings\Owner\Application Data\Symantec
C:\Documents and Settings\Owner\Application Data\Syntrillium
C:\Documents and Settings\Owner\Application Data\Vlc
C:\Documents and Settings\Owner\Application Data\Weatherbug
C:\Documents and Settings\Owner\Application Data\Webseconddate
C:\Documents and Settings\Owner\Application Data\You've Got Pictures Screensaver


ComboFix 07-08-26.3 - "Owner" 2007-08-26 17:21:51.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.55 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((( Files Created from 2007-07-26 to 2007-08-26 )))))))))))))))))))))))))))))))


2007-08-26 17:08 <DIR> d-------- C:\NoLopBackups
2007-08-25 09:18 15,416 --------- C:\WINDOWS\system32\drivers\sdthook.sys
2007-08-24 20:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-24 20:48 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-24 20:48 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2007-08-24 20:47 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-24 13:53 83,640 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
2007-08-24 13:53 248 --a------ C:\WINDOWS\system32\PavCPL.dat
2007-08-24 13:52 <DIR> d-------- C:\WINDOWS\system32\PAV
2007-08-22 11:13 <DIR> d-------- C:\Quarantine
2007-08-22 10:56 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-08-13 18:04 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-12 16:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\sentinel
2007-08-12 16:46 50,736 --a------ C:\WINDOWS\system32\avldr.dll
2007-08-12 16:46 <DIR> d-------- C:\Program Files\Panda Security
2007-08-11 11:24 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-11 11:24 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-11 11:24 2,426 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-10 12:05 <DIR> d-------- C:\VundoFix Backups
2007-08-09 13:58 <DIR> d-------- C:\Program Files\XoftSpySE
2007-08-07 00:51 21,504 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2007-08-07 00:51 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2007-08-07 00:49 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2007-08-02 20:35 <DIR> d-------- C:\Program Files\WebSecondDate
2007-08-02 20:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Internet debug mess great
2007-08-02 20:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\great coal love default
2007-07-28 12:52 <DIR> d-------- C:\WINDOWS\pss


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-26 17:15 --------- d-------- C:\Program Files\SP2 Connection Patcher
2007-08-26 17:06 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-26 17:06 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BVRP Software
2007-08-26 17:03 --------- d-------- C:\Program Files\Microsoft ActiveSync
2007-08-26 17:00 --------- d-------- C:\Program Files\HP
2007-08-26 16:52 --------- d-------- C:\Program Files\DCC Manager
2007-08-26 16:51 --------- d-------- C:\Program Files\Avpack
2007-08-26 16:51 --------- d-------- C:\Program Files\AVI Codec Pack
2007-08-26 15:32 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Azureus
2007-08-25 21:23 --------- d-------- C:\Program Files\Morpheus
2007-08-25 11:42 --------- d-------- C:\Program Files\Azureus
2007-08-25 00:56 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\WebSecondDate
2007-08-24 14:24 --------- d-------- C:\Program Files\NoAdware5.0
2007-08-24 10:45 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\WeatherBug
2007-08-13 13:15 --------- d-------- C:\Program Files\MSN Messenger
2007-08-12 17:19 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\cakeuserspam4
2007-08-12 13:23 --------- d-------- C:\Program Files\QuickTime
2007-08-09 14:44 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\DownloadManager
2007-08-09 12:31 --------- d-------- C:\Program Files\MorpheusBar
2007-08-09 12:05 --------- d-------- C:\Program Files\Real
2007-08-09 12:02 --------- d-------- C:\Program Files\Windows Live Toolbar
2007-08-07 00:55 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-08-07 00:55 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-08-07 00:52 --------- d-------- C:\Program Files\Motorola Phone Tools
2007-07-31 11:46 --------- d-------- C:\Program Files\MSN Games
2007-07-31 11:40 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\MSNInstaller
2007-07-31 11:38 --------- d-------- C:\Program Files\CyberLink
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2006-12-07 10:13 9232 --a------ C:\DOCUME~1\Owner\mqdmmdfl.sys
2006-12-07 10:13 92064 --a------ C:\DOCUME~1\Owner\mqdmmdm.sys
2006-12-07 10:13 79328 --a------ C:\DOCUME~1\Owner\mqdmserd.sys
2006-12-07 10:13 66656 --a------ C:\DOCUME~1\Owner\mqdmbus.sys
2006-12-07 10:13 6208 --a------ C:\DOCUME~1\Owner\mqdmcmnt.sys
2006-12-07 10:13 5936 --a------ C:\DOCUME~1\Owner\mqdmwhnt.sys
2006-12-07 10:13 4048 --a------ C:\DOCUME~1\Owner\mqdmcr.sys
2006-12-07 10:13 25600 --a------ C:\DOCUME~1\Owner\usbsermptxp.sys
2006-12-07 10:13 22768 --a------ C:\DOCUME~1\Owner\usbsermpt.sys
2005-04-08 18:42:05 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 16:42]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 18:55]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 18:51]
"Motive SmartBridge"="C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe" [2002-05-18 12:04]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 15:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-29 11:48]
"APVXDWIN"="C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.exe" [2007-07-19 15:23]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2005-06-07 14:58]
"SP2 Connection Patcher"="C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" [2005-07-11 05:51]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00]
"Cpue"="C:\PROGRA~1\ICROSO~1\mmc.exe" []
"Uxrlsk"="C:\Program Files\??crosoft\msconfig.exe" []
"Ttksfmv"="C:\WINDOWS\system32\??crosoft.NET\nslookup.exe" []
"Cdrom Sect"="C:\DOCUME~1\Owner\APPLIC~1\WEBSEC~1\MAGS SEEK.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0s0s09sw.dll]
RUNDLL32.EXE 0s0s09sw.dll,b 269829703

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8D8F949099919994]
46484D49524A52.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cdrom Sect]
C:\DOCUME~1\Owner\APPLIC~1\WEBSEC~1\MAGS SEEK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1159479886\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spam4DriveUp]
C:\Documents and Settings\All Users\Application Data\cakeuserspam4\Phone dumb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
C:\Program Files\mobile PhoneTools\WatchDog.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\Winampa.exe"

R2 CdaD10BA;CdaD10BA;\??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS
R2 pavdrv;pavdrv;C:\WINDOWS\system32\DRIVERS\pavdrv51.sys
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 usbsermptxp;Motorola USB Modem Driver for MPT XP;C:\WINDOWS\system32\DRIVERS\usbsermptxp.sys


Contents of the 'Scheduled Tasks' folder
2007-08-26 21:22:01 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDetect.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-26 17:24:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-26 17:25:44
C:\ComboFix-quarantined-files.txt ... 2007-08-26 17:25
C:\ComboFix2.txt ... 2007-08-24 09:18
C:\ComboFix3.txt ... 2007-08-22 11:23

--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:21, on 2007-08-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
C:\ComboFix\ERUNT.cfexe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Cpue] "C:\PROGRA~1\ICROSO~1\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [Uxrlsk] "C:\Program Files\??crosoft\msconfig.exe"
O4 - HKCU\..\Run: [Ttksfmv] C:\WINDOWS\system32\??crosoft.NET\nslookup.exe
O4 - HKCU\..\Run: [Cdrom Sect] C:\DOCUME~1\Owner\APPLIC~1\WEBSEC~1\MAGS SEEK.exe
O4 - Global Startup: NoLop.exe
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.09\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.09\MediaManager\grab.html
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://mcctc.howtomaster.com/plugin/awarew...cab/awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139277115658
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...635/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6875 bytes

#10 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA
  • Local time:03:46 PM

Posted 28 August 2007 - 09:28 PM

My apologies for the delay. For some reason I did not get notified of your reply.

Please open Notepad (Start > Run > in the Open field type: notepad)
Click: OK

Copy/ paste the blue text below to Notepad:

Folder::
C:\Documents and Settings\All Users\Application Data\Cakeuserspam4
C:\Documents and Settings\All Users\Application Data\Great Coal Love Default
C:\Documents and Settings\All Users\Application Data\Internet Debug Mess Great
C:\Documents and Settings\Owner\Application Data\Weatherbug

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\{BA52B914-B692-46c4-B683-905236F6F655}]
[-HKEY_LOCAL_MACHINE\CLSID\{BA52B914-B692-46c4-B683-905236F6F655}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\{4982D40A-C53B-4615-B15B-B5B5E98D167C}]
[-HKEY_LOCAL_MACHINE\CLSID\{4982D40A-C53B-4615-B15B-B5B5E98D167C}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cpue"=-
"Uxrlsk"=-
"Ttksfmv"=-
"Cdrom Sect"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0s0s09sw.dll]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8D8F949099919994]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cdrom Sect]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spam4DriveUp]


Save as CFScript.txt <-Important!!
Change the Save as type to: All Files
Save it to the Desktop.

Posted Image


Referring to the screenshot above, drag CFScript.txt >>> into >>> ComboFix.exe
ComboFix runs a scan on your system, and may reboot when it finishes. This is normal.

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

When finished, a log is produced: ComboFix.txt

~~~~
Run HijackThis once again to obtain a new log.

~~~~
Please provide the contents of the new ComboFix log, and the new HijackThis log in your reply.

Old duck...
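
The CFScript above removes four HKCU Run values whose loaders hide in folders spelled to look like "Microsoft" (ICROSO~1, ??crosoft) or under the user's Application Data. As an added example, not part of this thread and not code from HijackThis or ComboFix, the Python below parses O4 lines in the HijackThis log format, flags such entries with a few simple heuristics, and drafts the matching Registry:: section in the "Name"=- form the analyst used. The sample log is constructed from the O4 entries posted above; the heuristics and the SYSTEM_DIRS list (which assumes the default C:\WINDOWS layout seen in the log) are my assumptions.

```python
"""Triage HijackThis O4 autostart lines and draft the matching ComboFix
Registry:: section.  Added example; heuristics and sample are constructed."""
import re

# Constructed sample: O4 lines in the format HijackThis 2.0.2 prints.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Cpue] "C:\PROGRA~1\ICROSO~1\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [Uxrlsk] "C:\Program Files\??crosoft\msconfig.exe"
O4 - HKCU\..\Run: [Ttksfmv] C:\WINDOWS\system32\??crosoft.NET\nslookup.exe
O4 - HKCU\..\Run: [Cdrom Sect] C:\DOCUME~1\Owner\APPLIC~1\WEBSEC~1\MAGS SEEK.exe
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
# Windows tools that legitimately live only in SYSTEM_DIRS (assumption:
# default C:\WINDOWS install, as in the posted log).
SYSTEM_TOOLS = {"mmc.exe", "msconfig.exe", "nslookup.exe", "rundll32.exe"}
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32",
               "c:\\windows\\pchealth\\helpctr\\binaries"}


def extract_path(command):
    """Return the executable path from a Run command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.(?:exe|dll|scr|com))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split()[0]


def parse_o4(log_text):
    """Parse HijackThis O4 Run entries into dicts (hive, name, command, path)."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, name, command = m.groups()
            entries.append({"hive": hive, "name": name, "command": command,
                            "path": extract_path(command)})
    return entries


def triage(entry):
    """Return the list of reasons an autostart entry deserves analyst review."""
    path = entry["path"]
    parts = path.split("\\")
    exe, parent = parts[-1].lower(), "\\".join(parts[:-1]).lower()
    reasons = []
    # HijackThis prints characters it cannot render as '?', so '?' in a path
    # usually means a homoglyph folder name such as "??crosoft".
    if "?" in path or any(ord(c) > 127 for c in path):
        reasons.append("unrenderable characters in path (likely look-alike name)")
    for folder in parts[1:-1]:
        stem = re.sub(r"~\d+$", "", folder.split(".")[0])   # drop 8.3 suffix
        letters = re.sub(r"[^a-z]", "", stem.lower())
        # "ICROSO~1" / "??crosoft": a tail of "microsoft" with leading letters lost
        if len(letters) >= 5 and letters != "microsoft" and "microsoft".find(letters) > 0:
            reasons.append(f"folder {folder!r} mimics 'Microsoft'")
    if exe in SYSTEM_TOOLS and parent not in SYSTEM_DIRS:
        reasons.append(f"Windows tool {exe!r} started from {parent!r}")
    if re.search(r"\\(applic~1|application data)\\", path, re.I):
        reasons.append("autostart binary lives under per-user Application Data")
    return reasons


def triage_log(log_text):
    """Parse a HijackThis log and return only the O4 entries with findings."""
    flagged = []
    for entry in parse_o4(log_text):
        reasons = triage(entry)
        if reasons:
            flagged.append({**entry, "reasons": reasons})
    return flagged


def build_cfscript(flagged):
    """Draft the Registry:: section that deletes the flagged Run values,
    in the "Name"=- form used in the CFScript above (review before use)."""
    lines = ["Registry::"]
    for hive in ("HKLM", "HKCU"):
        names = [e["name"] for e in flagged if e["hive"] == hive]
        if names:
            lines.append(f"[{HIVES[hive]}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]")
            lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = triage_log(SAMPLE_HJT_LOG)
    for e in hits:
        print(f"[{e['name']}] {e['path']}")
        for r in e["reasons"]:
            print("   -", r)
    print()
    print(build_cfscript(hits))
```

The heuristics only surface candidates; legitimate programs do start from Application Data, so the drafted script is a starting point for the analyst, not a verdict.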


#11 gus88

gus88
  • Topic Starter

  • Members
  • 64 posts
  • Local time:04:46 PM

Posted 30 August 2007 - 09:20 PM

ComboFix 07-08-26.3 - "Owner" 2007-08-30 22:07:58.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.50 [GMT -4:00]
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\All Users\Application Data\Cakeuserspam4
C:\Documents and Settings\All Users\Application Data\Cakeuserspam4\DrawSect.exe
C:\Documents and Settings\All Users\Application Data\Great Coal Love Default
C:\Documents and Settings\All Users\Application Data\Internet Debug Mess Great
C:\Documents and Settings\Owner\Application Data\Weatherbug
C:\Documents and Settings\Owner\Application Data\Weatherbug\0107_Winter.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\0107_Winter_Mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\102x96_ActiveStorms.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\102x96_Disney.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\102x96_Disney_2.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\102x96_Disney_3.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\102x96_Hurricane_Dean.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\102x96_HurricaneCommandCenter.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\102x96_HurricaneCommandCenterWithFlag.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\102x96_NST_3-22-07.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\102x96_NWF.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\102x96BlowoutSalev2.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\102x96DisneyQuestforGold.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\102x96FarmersAlmanacOutlookTile.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\102x96FOG_Lightning.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\102x96FreeTrial.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\102x96HurricaneNameVideo_Plus_Mobile.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\102x96HurricaneVideo.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\102x96LiveTrafficCameras.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\102x96Mobile2_0507.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\102x96New_Disney_2.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\102x96Professional.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\102x96SponsorTileMobileVideo.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\102x96video.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\102x96video1_mobile2.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\102x96vidgallery.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\102x96vidgallery2.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\102x96wireless22.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\102x96wireless24.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\102x96wireless27.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\4th_of_July_0707.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\4th_of_July_0707_Mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\511.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\511a.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_blueyellow.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_blueyellow_mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_blueyellow_nav_traffic.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_brand_alltel_APPROVED.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_brand_alltel_MASK.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_brand_cw_APPROVED.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_brand_cw_MASK.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_brand_IceAgeAPPROVED.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_brand_IceAgeMASK.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_brand_Tylenol_Completed.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_brand_Tylenol_MASK.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_brandwrap_APPROVED.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_brandwrap_cherryb_approved.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_brandwrap_cherryb_mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_brandwrap_MASK.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_brandwrap_mobile.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_brandwrap_mobile_mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_brandwrap_Mobile_MASK_bubble.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_brandwrap_MobileAPPROVED.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_brandwrap_plus.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_brandwrap_PLUS_AP_Holiday.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_brandwrap_plus_mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_brandwrap_PLUS_MASK_Holiday.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_brandwrap_pws.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_brandwrap_pws_mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_brandwrap_pws_mask_new.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_brandwrap_spring2.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_brandwrap_spring2_mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_brandwrap_valAPPROVED.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_brandwrap_valMASK.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_brandwrap_winter_PLUS.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_brandwrap_winter_Plus_MASK.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_Default_Spring_Mobile_BG_0506.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_Default_Spring_Mobile_MASK_0506.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_default_winter_0106_Background.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_default_winter_0106_bg_updated.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_default_winter_0106_MASK.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_Discovery_DC.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_Discovery_DC.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_fall_mobile1_new.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_fall_mobile2_mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_fallbrandwrap_mobile1.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_fallbrandwrap_mobile2B.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_fallbrandwrap_plus.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_fallbrandwrap_plus_mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_Fixed_BRWP_valMASK.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_FixedBRWP_valAPPROVED.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_Generic_Forecast_BG_0206.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_Generic_Forecast_MASK_0206.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_Generic_Photo_Approved.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_Generic_Photo_MASK.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_generic_summerAPPROVED.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_generic_summerMASK.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_Generic_Sun_0306_Final.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_Generic_Sun_0306_Final.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_Generic2005_Final.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_Generic2005_Final.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_Generic2006_Fall_091406.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_Generic2006_Fall_091406.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_Generic2007_Spring_060807.JPG
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_Generic2007_Summe_0807r.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_Generic2007_Summer.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_Generic2007_Summer_070507.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_Generic2007_Summer_070507_Mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_Generic2007_Summer_Mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_Generic2007_Summer_Mask_0807.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_GenericPLUS_approved.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_GenericPLUS_MASK.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_GenericPLUS_Summer_082906.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_GenericPLUS_Summer_082906.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_GenericRadarMaps_Final.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_GenericRadarMaps_MASK.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_nav_dark_square_0206.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_nav_light_round_0706.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_nav_light_square_0206.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_nav_light_square_0706.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_Protonix_Approved2.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_Protonix_MASK.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_Share_alert_tab2.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_Share_alert_tab2_mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_Spring_Bubble_0507.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_Spring_Bubble_Mask_0507.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_Tornado_Spring_0607.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60_Tornado_Spring_0607_Mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\605_NewDefault-maskl.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\605_NewDefault.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60brandwrap.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60brandwrap_plus.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60Default-mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60Default.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60fall_mobiletile.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60nav_dark_round.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60nav_Generic2005.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60nav_Generic2005_1.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60Sales-CastrolSPnew.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60Sales-CastrolSPnew_mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60Sales-NetPaniPod.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60Sales-NetPaniPod_mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60Sales-Tamiflu.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60Sales-Tamiflu_mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60Sales_delta_EST694mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60Sales_delta_EST694shell.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60sales_ESUVEE_approved.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60sales_ESUVEE_mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60Sales_historychannel_mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60Sales_historychannel_shell.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60Sales_HVAC_mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60Sales_HVAC2_shell.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60Sales_KingsDom.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60Sales_KingsDom_mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60Sales_Subway_Mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60Sales_Subway_shell.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\60Sales_Subway2_Mask.BMP
C:\Documents and Settings\Owner\Application Data\Weatherbug\60Sales_Subway2_shell.JPG
C:\Documents and Settings\Owner\Application Data\Weatherbug\60Sales_Vicks_Mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\60Sales_Vicks_Shell.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\Adderall_BRWP_Final.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\Adderall_Mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\Allstate.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\Allstate_Mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\Army_background.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\Army_mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\AveA-Walmart_0607.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\AveA-Walmart_0607_Kingsford.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\AveA-Walmart_0607_Mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\AveA-Walmart_0607_Mask_Kingsford.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\Claritin.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\Claritin_Mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\disney_wrap.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\disney_wrap_background.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\Fall.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\Fall_Mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\Fox_Theatrical_approved.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\Fox_Theatrical_MASK.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\HurricaneRelief.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\katrina.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\KatrinaRelief.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\lampsplus.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\lampsplusmask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\leftnav_605Generic.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\Memorial_Generic_07.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\Memorial_Generic_07_MASK.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\nav_07182007.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\nav_alt2.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\nav_Generic_Forecast_0206.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\nav_Generic_Photos_0206.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\nav_Generic_Radar_0206.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\nav_Generic2005_0106.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\nav_Generic2005_032907.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\nav_Generic2006.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\nav_Generic2006_0706.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\nav_square_traffic.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\nav_square2.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\New_Spring_Bubble_052007.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\New_Spring_Bubble_052007_Mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\newkatrina.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\NghtAtTheMus_back.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\NghtAtTheMus_mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\orkin_approved052707.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\orkin_MASK052707.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\pwstile.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\rita.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\Rita_Relief.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\Sears_Generic.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\Sears_Generic_MASK.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\SponsorFreeTrial.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\SponsorTile28b.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\sponsortile34.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\SponsorTile37.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\SponsorTile38.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\SponsorTile39.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\SponsorTile40.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\SponsorTile42.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\Spring_2007.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\Spring_2007_Mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\Summer_Hurricane_Bubble_071707.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\Summer_Hurricane_Bubble_071707_Mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\SurveyAIMTile.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\Tamiflu.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\Tamiflu_mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\topnav_605Generic.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\TopNav_Free_Round_Green.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\TopNav_Free_Sq_Green.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\topnav_Generic2005.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\topnav_Generic2005_121505.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\topnav_Generic2007.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\topnav_round.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\topnav_square.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\topnav_square_121505.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\topnav_stations_generic.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\topnav_stations_round.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\topnav_stations_square.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\Video21_60_nav_dark_square.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\Video21_60_nav_light_square.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\Visa_Mask_revised.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\Visa_revised.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\visaNFL.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\visaNFL_mask.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\Wendys_approved.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\Wendys_MASK.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\wilma.jpg
C:\Documents and Settings\Owner\Application Data\Weatherbug\Winter_BUBBLE2.bmp
C:\Documents and Settings\Owner\Application Data\Weatherbug\Winter_BUBBLE2.jpg


((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-31 )))))))))))))))))))))))))))))))


2007-08-28 00:36 <DIR> d-------- C:\Program Files\Morpheus Super Accelerator
2007-08-28 00:33 <DIR> d-------- C:\Program Files\Azureus Ultra Accelerator
2007-08-26 17:08 <DIR> d-------- C:\NoLopBackups
2007-08-24 20:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-24 20:48 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-24 20:48 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2007-08-24 20:47 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-24 13:53 83,640 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
2007-08-24 13:53 248 --a------ C:\WINDOWS\system32\PavCPL.dat
2007-08-24 13:52 <DIR> d-------- C:\WINDOWS\system32\PAV
2007-08-22 11:13 <DIR> d-------- C:\Quarantine
2007-08-22 10:56 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-08-13 18:04 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-12 16:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\sentinel
2007-08-12 16:46 50,736 --a------ C:\WINDOWS\system32\avldr.dll
2007-08-12 16:46 <DIR> d-------- C:\Program Files\Panda Security
2007-08-11 11:24 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-11 11:24 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-11 11:24 2,426 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-10 12:05 <DIR> d-------- C:\VundoFix Backups
2007-08-09 13:58 <DIR> d-------- C:\Program Files\XoftSpySE
2007-08-07 00:51 21,504 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2007-08-07 00:51 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2007-08-07 00:49 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2007-08-02 20:35 <DIR> d-------- C:\Program Files\WebSecondDate
2007-07-28 12:52 <DIR> d-------- C:\WINDOWS\pss
2007-07-02 10:05 <DIR> d-------- C:\spoolerlogs


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-30 20:25 --------- d-------- C:\Program Files\Morpheus
2007-08-30 12:10 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Azureus
2007-08-30 00:02 --------- d-------- C:\Program Files\SP2 Connection Patcher
2007-08-29 15:12 --------- d-------- C:\Program Files\Azureus
2007-08-26 17:06 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-26 17:06 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BVRP Software
2007-08-26 17:03 --------- d-------- C:\Program Files\Microsoft ActiveSync
2007-08-26 17:00 --------- d-------- C:\Program Files\HP
2007-08-26 16:52 --------- d-------- C:\Program Files\DCC Manager
2007-08-26 16:51 --------- d-------- C:\Program Files\Avpack
2007-08-26 16:51 --------- d-------- C:\Program Files\AVI Codec Pack
2007-08-25 00:56 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\WebSecondDate
2007-08-24 14:24 --------- d-------- C:\Program Files\NoAdware5.0
2007-08-13 13:15 --------- d-------- C:\Program Files\MSN Messenger
2007-08-12 13:23 --------- d-------- C:\Program Files\QuickTime
2007-08-09 14:44 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\DownloadManager
2007-08-09 12:31 --------- d-------- C:\Program Files\MorpheusBar
2007-08-09 12:05 --------- d-------- C:\Program Files\Real
2007-08-09 12:02 --------- d-------- C:\Program Files\Windows Live Toolbar
2007-08-07 00:55 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-08-07 00:55 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-08-07 00:52 --------- d-------- C:\Program Files\Motorola Phone Tools
2007-07-31 11:46 --------- d-------- C:\Program Files\MSN Games
2007-07-31 11:40 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\MSNInstaller
2007-07-31 11:38 --------- d-------- C:\Program Files\CyberLink
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2006-12-07 10:13 9232 --a------ C:\DOCUME~1\Owner\mqdmmdfl.sys
2006-12-07 10:13 92064 --a------ C:\DOCUME~1\Owner\mqdmmdm.sys
2006-12-07 10:13 79328 --a------ C:\DOCUME~1\Owner\mqdmserd.sys
2006-12-07 10:13 66656 --a------ C:\DOCUME~1\Owner\mqdmbus.sys
2006-12-07 10:13 6208 --a------ C:\DOCUME~1\Owner\mqdmcmnt.sys
2006-12-07 10:13 5936 --a------ C:\DOCUME~1\Owner\mqdmwhnt.sys
2006-12-07 10:13 4048 --a------ C:\DOCUME~1\Owner\mqdmcr.sys
2006-12-07 10:13 25600 --a------ C:\DOCUME~1\Owner\usbsermptxp.sys
2006-12-07 10:13 22768 --a------ C:\DOCUME~1\Owner\usbsermpt.sys
2005-04-08 18:42:05 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 16:42]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 18:55]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 18:51]
"Motive SmartBridge"="C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe" [2002-05-18 12:04]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 15:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-29 11:48]
"APVXDWIN"="C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.exe" [2007-07-19 15:23]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SP2 Connection Patcher"="C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" [2005-07-11 05:51]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00]

C:\DOCUME~1\Owner\STARTM~1\Programs\Startup\
Azureus Ultra Accelerator.lnk - C:\Program Files\Azureus Ultra Accelerator\Azureus Ultra Accelerator.exe [2007-08-16 03:35:34]
Morpheus Super Accelerator.lnk - C:\Program Files\Morpheus Super Accelerator\Morpheus Super Accelerator.exe [2007-07-18 11:23:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1159479886\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
C:\Program Files\mobile PhoneTools\WatchDog.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
C:\Program Files\AWS\WeatherBug\Weather.exe 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\Winampa.exe"

R2 CdaD10BA;CdaD10BA;\??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS
R2 pavdrv;pavdrv;C:\WINDOWS\system32\DRIVERS\pavdrv51.sys
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 usbsermptxp;Motorola USB Modem Driver for MPT XP;C:\WINDOWS\system32\DRIVERS\usbsermptxp.sys


Contents of the 'Scheduled Tasks' folder
2007-08-31 02:12:00 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDetect.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-30 22:11:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-30 22:12:54
C:\ComboFix-quarantined-files.txt ... 2007-08-30 22:12
C:\ComboFix2.txt ... 2007-08-26 17:25
C:\ComboFix3.txt ... 2007-08-24 09:18

--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:27 PM, on 8/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Morpheus Super Accelerator\Morpheus Super Accelerator.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Morpheus\Morpheus.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Azureus Ultra Accelerator.lnk = C:\Program Files\Azureus Ultra Accelerator\Azureus Ultra Accelerator.exe
O4 - Startup: Morpheus Super Accelerator.lnk = C:\Program Files\Morpheus Super Accelerator\Morpheus Super Accelerator.exe
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.09\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.09\MediaManager\grab.html
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://mcctc.howtomaster.com/plugin/awarew...cab/awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139277115658
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...635/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6777 bytes

#12 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:03:46 PM

Posted 31 August 2007 - 10:33 PM

Are you able to boot into Safe Mode with this computer? It's got me baffled, since a utility was run to fix the issue.

Start the computer in Safe Mode :
  • Reboot
  • When the machine starts, tap the F8 key before Windows starts
  • You are presented with a Windows XP Advanced Options menu
  • Select the option for Safe Mode using the arrow keys
  • Press Enter to boot into Safe Mode

Old duck...


#13 gus88

gus88
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:04:46 PM

Posted 06 September 2007 - 04:25 PM

Sorry it took so long to answer. YES, the SAFE MODE does work on my computer. Did you find any other malfunctions with my comp.? Thanks for all your help.

#14 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:03:46 PM

Posted 06 September 2007 - 08:46 PM

Apparently there is an issue with the SafeBoot key in the Registry.

Let’s go this route:

Please launch Notepad, (Start > Run, type in: notepad)
Copy/paste all the blue text below to it:

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\RpcSs]
@="Service"


In Notepad, go to File (upper menu bar), and select: Save as
In the Save as prompt:
Save in: Desktop
File Name: safe.reg
Save as Type: All files
Click: Save
Exit out of Notepad.

Back on the Desktop, double-click on the safe.reg file just saved and click on Yes when asked to merge the information into the Registry.

~~~~
Run ComboFix once again, and post the ComboFix.txt log in your reply.

Old duck...
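One way to confirm that the safe.reg merge above actually restored the SafeBoot entries is to read them back. This is an added PowerShell check, not part of the thread or of any tool mentioned in it; it assumes an elevated PowerShell session on the affected machine and only reads the registry.

```powershell
# Added example (not from the thread): verify the two SafeBoot\RpcSs keys that
# safe.reg restores, and report how many entries each SafeBoot list still has.
# Assumes an elevated PowerShell session; nothing is written to the registry.

# Keys and default values exactly as in the safe.reg file from the post.
$expected = @{
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs' = 'Service'
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\RpcSs' = 'Service'
}

function Test-SafeBootRpcSs {
    # Returns a list of problems; an empty list means both keys look right.
    $problems = @()
    foreach ($key in $expected.Keys) {
        if (-not (Test-Path -LiteralPath $key)) {
            $problems += "MISSING key: $key"
            continue
        }
        # The key's default value is exposed as the '(default)' property.
        $default = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
        if ($default -ne $expected[$key]) {
            $problems += "WRONG default on ${key}: '$default' (expected '$($expected[$key])')"
        }
    }
    return $problems
}

function Get-SafeBootEntryCount {
    # A SafeBoot list with very few subkeys is a hint that more than RpcSs
    # is gone; compare the counts with a known-good machine of the same OS.
    foreach ($list in 'Minimal', 'Network') {
        $path = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$list"
        $count = 0
        if (Test-Path -LiteralPath $path) {
            $count = @(Get-ChildItem -LiteralPath $path).Count
        }
        New-Object PSObject -Property @{ List = $list; Entries = $count }
    }
}

$issues = Test-SafeBootRpcSs
if ($issues.Count -eq 0) {
    Write-Output 'SafeBoot RpcSs keys present with default value "Service".'
} else {
    $issues | ForEach-Object { Write-Output $_ }
}
Get-SafeBootEntryCount | Format-Table -AutoSize
```

Run it once before merging safe.reg and once after; the first run should list the missing keys and the second should report none.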


#15 gus88

gus88
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:04:46 PM

Posted 11 September 2007 - 10:24 PM

Hey. Sorry for the late post, been extremely busy. Anyways, here's the Combofix report.




ComboFix 07-09-12.4 - "Owner" 2007-09-11 23:14:16.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.53 [GMT -4:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\C.tmp
C:\D.tmp

.
((((((((((((((((((((((((( Files Created from 2007-08-12 to 2007-09-12 )))))))))))))))))))))))))))))))
.

2007-09-04 12:59 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Yahoo!
2007-09-04 12:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-09-04 12:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-08-28 00:36 <DIR> d-------- C:\Program Files\Morpheus Super Accelerator
2007-08-28 00:33 <DIR> d-------- C:\Program Files\Azureus Ultra Accelerator
2007-08-26 17:08 <DIR> d-------- C:\NoLopBackups
2007-08-24 20:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-24 20:48 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-24 20:48 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2007-08-24 20:47 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-24 13:53 83,640 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
2007-08-24 13:53 248 --a------ C:\WINDOWS\system32\PavCPL.dat
2007-08-24 13:52 <DIR> d-------- C:\WINDOWS\system32\PAV
2007-08-22 11:13 <DIR> d-------- C:\Quarantine
2007-08-22 10:56 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-08-13 18:04 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-12 16:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\sentinel
2007-08-12 16:46 50,736 --a------ C:\WINDOWS\system32\avldr.dll
2007-08-12 16:46 <DIR> d-------- C:\Program Files\Panda Security
2007-08-11 11:24 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-11 11:24 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-11 11:24 2,426 --a------ C:\WINDOWS\system32\tmp.reg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-11 19:13 --------- d-------- C:\Program Files\SP2 Connection Patcher
2007-09-11 13:39 --------- d-------- C:\Program Files\Morpheus
2007-09-07 10:38 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BVRP Software
2007-09-07 10:01 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Azureus
2007-09-06 10:50 --------- d-------- C:\Program Files\Azureus
2007-09-04 12:31 --------- d-------- C:\Program Files\Yahoo!
2007-08-26 17:06 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-26 17:03 --------- d-------- C:\Program Files\Microsoft ActiveSync
2007-08-26 17:00 --------- d-------- C:\Program Files\HP
2007-08-26 16:52 --------- d-------- C:\Program Files\DCC Manager
2007-08-26 16:51 --------- d-------- C:\Program Files\Avpack
2007-08-26 16:51 --------- d-------- C:\Program Files\AVI Codec Pack
2007-08-25 00:56 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\WebSecondDate
2007-08-24 14:24 --------- d-------- C:\Program Files\NoAdware5.0
2007-08-13 19:42 --------- d-------- C:\Program Files\XoftSpySE
2007-08-13 13:15 --------- d-------- C:\Program Files\MSN Messenger
2007-08-12 13:23 --------- d-------- C:\Program Files\QuickTime
2007-08-09 14:44 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\DownloadManager
2007-08-09 12:31 --------- d-------- C:\Program Files\MorpheusBar
2007-08-09 12:05 --------- d-------- C:\Program Files\Real
2007-08-09 12:02 --------- d-------- C:\Program Files\Windows Live Toolbar
2007-08-07 00:55 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-08-07 00:55 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-08-07 00:52 --------- d-------- C:\Program Files\Motorola Phone Tools
2007-08-07 00:49 --------- d-------- C:\Program Files\Common Files\Motorola Shared
2007-08-02 20:35 --------- d-------- C:\Program Files\WebSecondDate
2007-07-31 11:46 --------- d-------- C:\Program Files\MSN Games
2007-07-31 11:40 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\MSNInstaller
2007-07-31 11:38 --------- d-------- C:\Program Files\CyberLink
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2006-12-07 10:13 9232 --a------ C:\DOCUME~1\Owner\mqdmmdfl.sys
2006-12-07 10:13 92064 --a------ C:\DOCUME~1\Owner\mqdmmdm.sys
2006-12-07 10:13 79328 --a------ C:\DOCUME~1\Owner\mqdmserd.sys
2006-12-07 10:13 66656 --a------ C:\DOCUME~1\Owner\mqdmbus.sys
2006-12-07 10:13 6208 --a------ C:\DOCUME~1\Owner\mqdmcmnt.sys
2006-12-07 10:13 5936 --a------ C:\DOCUME~1\Owner\mqdmwhnt.sys
2006-12-07 10:13 4048 --a------ C:\DOCUME~1\Owner\mqdmcr.sys
2006-12-07 10:13 25600 --a------ C:\DOCUME~1\Owner\usbsermptxp.sys
2006-12-07 10:13 22768 --a------ C:\DOCUME~1\Owner\usbsermpt.sys
2005-04-08 18:42:05 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 16:42]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 18:55]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 18:51]
"Motive SmartBridge"="C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe" [2002-05-18 12:04]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-29 11:48]
"APVXDWIN"="C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.exe" [2007-07-19 15:23]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SP2 Connection Patcher"="C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" [2005-07-11 05:51]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-27 16:19]

C:\DOCUME~1\Owner\STARTM~1\Programs\Startup\
Azureus Ultra Accelerator.lnk - C:\Program Files\Azureus Ultra Accelerator\Azureus Ultra Accelerator.exe [2007-08-16 03:35:34]
Morpheus Super Accelerator.lnk - C:\Program Files\Morpheus Super Accelerator\Morpheus Super Accelerator.exe [2007-07-18 11:23:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1159479886\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
C:\Program Files\mobile PhoneTools\WatchDog.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
C:\Program Files\AWS\WeatherBug\Weather.exe 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\Winampa.exe"

R2 CdaD10BA;CdaD10BA;\??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS
R2 pavdrv;pavdrv;C:\WINDOWS\system32\DRIVERS\pavdrv51.sys
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 usbsermptxp;Motorola USB Modem Driver for MPT XP;C:\WINDOWS\system32\DRIVERS\usbsermptxp.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-12 03:17:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-11 23:17:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-09-11 23:18:45
C:\ComboFix-quarantined-files.txt ... 2007-09-11 23:18
C:\ComboFix2.txt ... 2007-08-30 22:12
C:\ComboFix3.txt ... 2007-08-26 17:25
.
--- E O F ---



