I Think Infected With A Trojan.


7 replies to this topic

#1 MikeDivine
  • Members
  • 12 posts
Posted 19 August 2007 - 02:33 AM

OK, to start, I have Norton Corporate Edition and it is up to date. I had Norton before the problem started. I opened a file and was instantly told it was a virus and it said it was removed. Now my PC is being sent trojans and viruses, I think via a trojan that has hijacked my PC. It also has pop-up ads being sent when I browse. I went through and did everything this site told me to, to try and fix it. I actually got Ad-Aware and have now paid for the Ad-Aware Pro package and have Ad-Watch also. It found some stuff and got rid of it, yet Ad-Watch says it is blocking 3 registry changes a second, so within 1 minute it blocks 180 attempted registry changes. Meanwhile the pop-ups still come up, and Ad-Watch is fighting the trojan and is taking up all my computer's processing capabilities, so my computer runs at 10 percent of its normal speed, I mean super lag. When I turn Ad-Aware off, it runs at maybe 30 percent speed.

I think it has something to do with svchost.exe; maybe it has been infected and is being used to hijack my PC. There are like 5 processes with svchost.exe running. I kill certain ones and Ad-Watch says no more registry attempts are being made, but if I kill a certain one it starts a 60 second countdown to shut down my PC, so it must be necessary for Windows. I have run a bunch of scans with Spybot, Ad-Aware and Norton AntiVirus, and now it says there is nothing. Yet the Norton AntiVirus real-time scan, while I'm on the PC, will pop up and say Trojan Vundo and Vundo virus have been found and quarantined, and trojan horse and some others, but it always stops them. So that is why I think I have a trojan that keeps sending me these other viruses and spyware and everything else. I hate it and am frustrated. I don't understand how you guys can help me if the gosh darn programs that I paid for can't figure it out. I really hope you can, really hope. PLEASE HELP.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:58:32 PM, on 8/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185211523125
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 7747 bytes

Edited by MikeDivine, 19 August 2007 - 02:39 AM.



#2 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts
Posted 19 August 2007 - 04:47 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, MikeDivine.
My name is Richie and I'll be helping you to fix your problems.

Download ComboFix and save it to your desktop:
Note:
It is important that it is saved directly to your desktop.

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt in your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Now go to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on HijackThis.exe, select 'Rename', and rename it to abc.bat.
Double click on abc.bat (which is still HijackThis.exe) and post that log in your next reply please.

#3 MikeDivine
  • Topic Starter
  • Members
  • 12 posts
Posted 19 August 2007 - 01:42 PM

OK, the ComboFix log reads as follows:

ComboFix 07-08-17.2 - "HP_Administrator" 2007-08-19 11:19:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1500 [GMT -7:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\HP_ADM~1\APPLIC~1.\mbols~1
C:\DOCUME~1\HP_ADM~1\APPLIC~1.\mbols~1\??mbols\
C:\DOCUME~1\HP_ADM~1\APPLIC~1\install.dat
C:\DOCUME~1\HP_ADM~1\APPLIC~1\tmp1F.tmp.exe
C:\DOCUME~1\HP_ADM~1\APPLIC~1\tmp3F.tmp.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\WINDOWS\system32\hutkiqwb.dll
C:\WINDOWS\system32\wnsapitr32.exe
D:\Autorun.inf


((((((((((((((((((((((((( Files Created from 2007-07-19 to 2007-08-19 )))))))))))))))))))))))))))))))


2007-08-19 11:18 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-18 21:56 1,629,031 ---hs---- C:\WINDOWS\system32\ayadd.ini2
2007-08-18 21:54 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-18 18:09 876,544 --a------ C:\WINDOWS\system32\XaraDocG.dll
2007-08-18 18:09 253,952 --a------ C:\WINDOWS\system32\TemplOp.dll
2007-08-18 18:09 23,552 --a------ C:\WINDOWS\system32\XFontMan.dll
2007-08-18 18:09 131,072 --a------ C:\WINDOWS\system32\BmpImporter.dll
2007-08-18 18:09 126,976 --a------ C:\WINDOWS\system32\TemplMan.dll
2007-08-18 18:09 123,904 -ra------ C:\WINDOWS\system32\XMUpload.1.0.1.dll
2007-08-18 18:09 110,592 --a------ C:\WINDOWS\system32\tsccvid.dll
2007-08-18 18:09 <DIR> d-------- C:\WINDOWS\system32\Xara
2007-08-18 16:39 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-08-18 08:40 1,628,865 ---hs---- C:\WINDOWS\system32\ayadd.bak2
2007-08-17 17:23 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-08-17 15:35 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-17 15:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-17 15:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-17 15:24 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\.housecall6.6
2007-08-17 15:12 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-08-17 15:12 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-17 15:12 3,984 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-17 15:12 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-16 20:40 243,296 --a------ C:\WINDOWS\system32\ddaya.dll
2007-08-16 20:40 1,680,137 ---hs---- C:\WINDOWS\system32\ayadd.bak1
2007-08-16 20:35 95,232 --a------ C:\WINDOWS\system32\drvnus.dll
2007-08-16 20:35 43,542 --a------ C:\WINDOWS\system32\vtuvtuu.dll
2007-08-16 20:35 43,542 --a------ C:\WINDOWS\system32\tuvuspn.dll
2007-08-16 20:35 15,360 --a------ C:\WINDOWS\system32\drvnusr.dll
2007-08-16 20:10 <DIR> d-------- C:\Program Files\great mail
2007-08-16 20:10 <DIR> d-------- C:\My Downloads
2007-08-16 20:10 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\great mail
2007-08-16 20:10 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\Get-Torrent
2007-08-16 20:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Cast ping base frag
2007-08-16 20:09 <DIR> d-------- C:\Program Files\Get-Torrent
2007-08-15 20:33 83,208 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-08-15 20:33 73,496 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-08-15 20:28 <DIR> d--hs---- C:\Program Files\outlook
2007-08-15 20:28 <DIR> d--hs---- C:\DOCUME~1\HP_ADM~1\Complete
2007-08-15 20:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-08-15 10:33 <DIR> d-------- C:\Program Files\Bonjour
2007-08-15 10:26 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-08-14 21:39 476,752 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\pswi_preloaded.exe
2007-08-14 21:38 88 -r-hs---- C:\WINDOWS\system32\C4E1D82D46.sys
2007-08-14 21:38 2,516 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-08-10 18:41 <DIR> d-------- C:\bi
2007-08-09 23:17 44,032 --------- C:\WINDOWS\system32\CTSVCCDA.EXE
2007-08-09 23:17 25,088 --------- C:\WINDOWS\system32\CTSVCCTL.EXE
2007-08-09 23:14 <DIR> d-------- C:\WINDOWS\system32\Defaults
2007-08-09 23:13 81,920 --a------ C:\WINDOWS\system32\OpenAL32.dll
2007-08-09 23:13 233,472 --a------ C:\WINDOWS\system32\wrap_oal.dll
2007-08-09 23:12 <DIR> d-------- C:\WINDOWS\system32\Data
2007-08-09 23:02 77,824 --------- C:\WINDOWS\system32\ctdvda32.dll
2007-08-09 22:53 <DIR> d-------- C:\Program Files\ACW
2007-08-03 14:45 <DIR> d-------- C:\Program Files\NCH Swift Sound
2007-07-26 00:17 <DIR> d-------- C:\Program Files\Dantz
2007-07-26 00:13 <DIR> d-------- C:\Program Files\Maxtor
2007-07-26 00:11 5,600 --a------ C:\WINDOWS\system\winaspi.dll
2007-07-26 00:11 45,056 --a------ C:\WINDOWS\system32\wnaspi32.dll
2007-07-26 00:11 4,672 --a------ C:\WINDOWS\system\wowpost.exe
2007-07-26 00:11 25,244 --a------ C:\WINDOWS\system32\drivers\aspi32.sys
2007-07-25 17:25 37,376 --a------ C:\WINDOWS\system32\hpz3l3xu.dll
2007-07-23 17:20 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-20 17:14 28,672 --------- C:\WINDOWS\system32\verclsid.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-19 01:13 --------- d-------- C:\Program Files\LimeWire
2007-08-19 01:00 --------- d-------- C:\Program Files\Incomplete
2007-08-18 10:18 --------- d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\Corel
2007-08-17 15:39 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-17 15:39 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-15 20:33 --------- d-------- C:\Program Files\Symantec
2007-08-15 20:32 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-13 20:54 --------- d-------- C:\Program Files\MySpace
2007-08-06 10:52 --------- d-------- C:\Program Files\FinePixViewer
2007-07-23 11:31 --------- d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\AdobeUM
2007-07-20 22:54 --------- d-------- C:\Program Files\Google
2007-07-18 23:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-18 19:40 --------- d-------- C:\Program Files\Norton Internet Security
2007-07-18 14:53 --------- d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\Real
2007-07-18 14:53 --------- d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\Intuit
2007-07-18 14:51 1877 -rahs---- C:\WINDOWS\system32\drivers\103C_HP_CPC_ER883AA-ABA m7470n_YC_0Pavi_QCNN614_E62NAemMPA1_48_IAMETHYST-M_SMSI_V1.0_B3.47_T060303_WXP2_L409_M2047_J300_7AMD_8Athlon 64 X2 Dual Core_92.19_#060529_N10EC8139_Z11C10620_G10027146.MRK
2007-07-14 12:16 --------- d-------- C:\Program Files\BroadJump
2007-07-13 21:24 --------- d-------- C:\Program Files\Creative
2007-07-13 16:50 --------- d-------- C:\Program Files\MyWay
2007-07-13 09:39 --------- d-------- C:\Program Files\Eraser
2007-07-12 16:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-07-10 20:55 --------- d-------- C:\Program Files\blue's clues
2007-07-07 11:58 --------- d-------- C:\Program Files\Nanny Mania
2007-07-06 10:03 --------- d-------- C:\Program Files\MSN Games
2007-07-02 20:00 --------- d-------- C:\Program Files\The Magicians Handbook - Cursed Valley
2007-07-02 20:00 --------- d-------- C:\Program Files\Big City Adventure - San Francisco
2007-07-02 20:00 --------- d-------- C:\Program Files\bfgclient
2007-06-27 07:34 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 07:34 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 07:34 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 07:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 07:34 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 07:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 07:34 44544 --a------ C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 07:34 384512 --a------ C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 07:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 07:34 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 07:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 07:34 232960 --a------ C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 07:34 230400 --a------ C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 07:34 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 07:34 153088 --a------ C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 07:34 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 07:34 124928 --a------ C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 07:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 07:34 105984 --a------ C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 07:34 102400 --a------ C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 01:27 63488 --a------ C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 01:27 625152 --a------ C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 01:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 00:00 161792 --a------ C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-25 23:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-24 23:56 --------- d-------- C:\Program Files\Hidden Expedition Titanic
2007-06-22 20:00 --------- d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\Sandlot Games
2007-06-22 19:59 --------- d-------- C:\Program Files\Yahoo! Games
2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 06:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-13 03:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 03:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2006-10-14 09:48 774144 --a------ C:\Program Files\RngInterstitial.dll
2005-09-24 08:49 12288 --a------ C:\WINDOWS\Fonts.\RandFont.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16710DEF-8D6D-4E27-8060-2A7B7441E988}]
2007-08-16 20:40 243296 --a------ C:\WINDOWS\system32\ddaya.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4}]
2007-08-16 20:35 43542 --a------ C:\WINDOWS\system32\tuvuspn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66AABAEB-0D58-447E-AD4C-398E1795B825}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9F062246-CB8A-C12C-DCD8-97ABAB0305E5}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 17:29]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21]
"CTHelper"="CTHELPER.EXE" [2005-06-17 23:01 C:\WINDOWS\CTHELPER.EXE]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" []
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2007-07-26 09:57]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 21:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4}"= C:\WINDOWS\system32\tuvuspn.dll [2007-08-16 20:35 43542]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddaya]
C:\WINDOWS\system32\ddaya.dll 2007-08-16 20:40 243296 C:\WINDOWS\system32\ddaya.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvuspn]
tuvuspn.dll 2007-08-16 20:35 43542 C:\WINDOWS\system32\tuvuspn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrvc32]
winrvc32.dll

S3 MaxtorFrontPanel1;Maxtor 1394 Storage Front Panel Driver;C:\WINDOWS\system32\DRIVERS\mxofwfp.sys


Contents of the 'Scheduled Tasks' folder
2007-07-25 22:32:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-19 18:00:00 C:\WINDOWS\Tasks\B38CF07F948B6637.job - c:\docume~1\hp_adm~1\applic~1\greatm~1\loud knob ooze.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-19 11:30:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\ayadd.tmp2

scan completed successfully
hidden files: 1

**************************************************************************

Completion time: 2007-08-19 11:33:59 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-19 11:33

--- E O F ---


and the abc.bat log is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:28 AM, on 8/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {16710DEF-8D6D-4E27-8060-2A7B7441E988} - C:\WINDOWS\system32\ddaya.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4} - C:\WINDOWS\system32\tuvuspn.dll
O2 - BHO: (no name) - {66AABAEB-0D58-447E-AD4C-398E1795B825} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185211523125
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - Winlogon Notify: ddaya - C:\WINDOWS\system32\ddaya.dll
O20 - Winlogon Notify: tuvuspn - C:\WINDOWS\SYSTEM32\tuvuspn.dll
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 8192 bytes

#4 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 19 August 2007 - 04:30 PM

Please disable Spybot S&D's protection, or it will interfere.
You can enable it after you're clean.
Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
Reboot the computer.

If you find you're experiencing problems disabling Spybot's Tea-Timer, follow the info in the link below:
http://www.russelltexas.com/malware/teatimer.htm
----------------------------------------------------------------------------
Disable Ad-Aware Ad-Watch or it will interfere.

1. Right click on the Ad-Watch icon in the system tray.
2. At the bottom of the screen there will be two checkable items called "Active" and "Automatic".

Active: This will turn Ad-Watch On\Off without closing it
Automatic: Suspicious activity will be blocked automatically

3. Uncheck both of those boxes.
----------------------------------------------------------------------------

Copy and paste ALL the following blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as.. / Save as Type: 'All Files' / File name: CFScript, to your desktop.

File::
C:\WINDOWS\system32\ayadd.ini2
C:\WINDOWS\system32\ayadd.bak2
C:\WINDOWS\system32\ayadd.tmp2
C:\WINDOWS\system32\ddaya.dll
C:\WINDOWS\system32\ayadd.bak1
C:\WINDOWS\system32\drvnus.dll
C:\WINDOWS\system32\vtuvtuu.dll
C:\WINDOWS\system32\tuvuspn.dll
C:\WINDOWS\system32\drvnusr.dll
C:\WINDOWS\Tasks\B38CF07F948B6637.job
Folder::
C:\Program Files\great mail
C:\DOCUME~1\HP_ADM~1\APPLIC~1\great mail
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Cast ping base frag
C:\Program Files\outlook
C:\Program Files\MyWay
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16710DEF-8D6D-4E27-8060-2A7B7441E988}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66AABAEB-0D58-447E-AD4C-398E1795B825}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9F062246-CB8A-C12C-DCD8-97ABAB0305E5}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddaya]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvuspn]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrvc32]

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
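
The CFScript above uses ComboFix's three section headers (File::, Folder::, Registry::), with the Registry:: section written in .reg-file syntax: a key in square brackets prefixed with a minus sign is deleted outright, a key without the minus sign is only selected, and a following "name"=- line deletes one value under that selected key. The Python below is an added example, not code from this thread or from ComboFix, that parses a script of that form and cross-checks each Winlogon\Notify key being deleted against the File:: list. The sample script is constructed from entries quoted in the post, and the helper names (parse_cfscript, unbacked_notify_keys) are mine.

```python
"""Parse a ComboFix CFScript and sanity-check its Winlogon Notify removals.

Added example: not code from the thread or from ComboFix. The sample script
is constructed from entries quoted in the post above; parse_cfscript and
unbacked_notify_keys are hypothetical helper names.
"""
import ntpath
import re

# A section header is a bare word followed by "::", e.g. "File::".
SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
# Registry:: lines use .reg-file syntax: "[-KEY]" deletes the key,
# "[KEY]" only selects it, and a following "name"=- deletes one value.
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_DELETE_RE = re.compile(r'^"(.+)"=-$')

# Constructed sample, assembled from entries quoted in the post.
SAMPLE_CFSCRIPT = r"""File::
C:\WINDOWS\system32\ddaya.dll
C:\WINDOWS\system32\tuvuspn.dll
C:\WINDOWS\Tasks\B38CF07F948B6637.job
Folder::
C:\Program Files\great mail
C:\Program Files\MyWay
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16710DEF-8D6D-4E27-8060-2A7B7441E988}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddaya]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvuspn]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrvc32]
"""


def parse_cfscript(text):
    """Return a dict of section name -> list of actions.

    File:: and Folder:: actions are the path strings as written. Registry::
    actions are tuples: ("delete_key", key) or ("delete_value", key, name).
    """
    sections = {}
    current = None       # section we are in
    current_key = None   # last "[KEY]" seen inside Registry::
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            current_key = None
            continue
        if current is None:
            raise ValueError(f"line before any section header: {line!r}")
        if current != "Registry":
            sections[current].append(line)
            continue
        key = KEY_RE.match(line)
        if key:
            current_key = key.group(2)
            if key.group(1) == "-":
                sections[current].append(("delete_key", current_key))
            continue
        value = VALUE_DELETE_RE.match(line)
        if value and current_key is not None:
            sections[current].append(("delete_value", current_key, value.group(1)))
            continue
        raise ValueError(f"unrecognised Registry:: line: {line!r}")
    return sections


def unbacked_notify_keys(sections):
    """Names of Winlogon\\Notify keys being deleted whose DLL is not in File::.

    A Notify key normally loads <name>.dll; if that DLL is not listed for
    deletion it is either already gone (as "winrvc32.dll (file missing)" in
    the earlier HijackThis log) or has been overlooked.
    """
    listed = {ntpath.basename(p).lower() for p in sections.get("File", [])}
    missing = []
    for action in sections.get("Registry", []):
        if action[0] != "delete_key":
            continue
        key = action[1]
        if "\\winlogon\\notify\\" not in key.lower():
            continue
        name = ntpath.basename(key)
        if name.lower() + ".dll" not in listed:
            missing.append(name)
    return missing


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    for section, actions in parsed.items():
        print(f"{section}: {len(actions)} action(s)")
    print("Notify keys without a matching File:: entry:", unbacked_notify_keys(parsed))
```

On the sample, winrvc32 is the one Notify key reported without a matching File:: entry, which matches the earlier HijackThis line showing its DLL as "(file missing)". The ComboFix shorthand `~` in the BHO key paths is passed through untouched; the parser does not expand it.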

#5 MikeDivine (Topic Starter, Members, 12 posts)

Posted 20 August 2007 - 01:17 AM

Here is the new ComboFix log:

ComboFix 07-08-17.2 - "HP_Administrator" 2007-08-19 22:58:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1526 [GMT -7:00]
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript
* Created a new restore point

FILE::
C:\WINDOWS\system32\ayadd.ini2
C:\WINDOWS\system32\ayadd.bak2
C:\WINDOWS\system32\ayadd.tmp2
C:\WINDOWS\system32\ddaya.dll
C:\WINDOWS\system32\ayadd.bak1
C:\WINDOWS\system32\drvnus.dll
C:\WINDOWS\system32\vtuvtuu.dll
C:\WINDOWS\system32\tuvuspn.dll
C:\WINDOWS\system32\drvnusr.dll
C:\WINDOWS\Tasks\B38CF07F948B6637.job


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1\Cast ping base frag
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Cast ping base frag\Setup For.exe
C:\DOCUME~1\HP_ADM~1\APPLIC~1\great mail
C:\DOCUME~1\HP_ADM~1\APPLIC~1\great mail\0
C:\DOCUME~1\HP_ADM~1\APPLIC~1\great mail\liushqtu.exe
C:\DOCUME~1\HP_ADM~1\APPLIC~1\great mail\rectpeak.exe
C:\Program Files\great mail
C:\Program Files\MyWay
C:\Program Files\outlook
C:\WINDOWS\system32\ayadd.bak1
C:\WINDOWS\system32\ayadd.bak2
C:\WINDOWS\system32\ayadd.ini2
C:\WINDOWS\system32\ddaya.dll
C:\WINDOWS\system32\drvnus.dll
C:\WINDOWS\system32\drvnusr.dll
C:\WINDOWS\system32\tuvuspn.dll
C:\WINDOWS\system32\vtuvtuu.dll
C:\WINDOWS\Tasks\B38CF07F948B6637.job


((((((((((((((((((((((((( Files Created from 2007-07-20 to 2007-08-20 )))))))))))))))))))))))))))))))


2007-08-19 11:18 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-18 21:54 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-18 18:09 876,544 --a------ C:\WINDOWS\system32\XaraDocG.dll
2007-08-18 18:09 253,952 --a------ C:\WINDOWS\system32\TemplOp.dll
2007-08-18 18:09 23,552 --a------ C:\WINDOWS\system32\XFontMan.dll
2007-08-18 18:09 131,072 --a------ C:\WINDOWS\system32\BmpImporter.dll
2007-08-18 18:09 126,976 --a------ C:\WINDOWS\system32\TemplMan.dll
2007-08-18 18:09 123,904 -ra------ C:\WINDOWS\system32\XMUpload.1.0.1.dll
2007-08-18 18:09 110,592 --a------ C:\WINDOWS\system32\tsccvid.dll
2007-08-18 18:09 <DIR> d-------- C:\WINDOWS\system32\Xara
2007-08-18 16:39 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-08-17 17:23 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-08-17 15:35 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-17 15:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-17 15:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-17 15:24 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\.housecall6.6
2007-08-17 15:12 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-08-17 15:12 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-17 15:12 3,984 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-17 15:12 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-16 20:10 <DIR> d-------- C:\My Downloads
2007-08-16 20:10 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\Get-Torrent
2007-08-16 20:09 <DIR> d-------- C:\Program Files\Get-Torrent
2007-08-15 20:33 83,208 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-08-15 20:33 73,496 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-08-15 20:28 <DIR> d--hs---- C:\DOCUME~1\HP_ADM~1\Complete
2007-08-15 20:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-08-15 10:33 <DIR> d-------- C:\Program Files\Bonjour
2007-08-15 10:26 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-08-14 21:39 476,752 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\pswi_preloaded.exe
2007-08-14 21:38 88 -r-hs---- C:\WINDOWS\system32\C4E1D82D46.sys
2007-08-14 21:38 2,516 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-08-10 18:41 <DIR> d-------- C:\bi
2007-08-09 23:17 44,032 --a------ C:\WINDOWS\system32\CTSVCCDA.EXE
2007-08-09 23:17 25,088 --a------ C:\WINDOWS\system32\CTSVCCTL.EXE
2007-08-09 23:14 <DIR> d-------- C:\WINDOWS\system32\Defaults
2007-08-09 23:13 81,920 --a------ C:\WINDOWS\system32\OpenAL32.dll
2007-08-09 23:13 233,472 --a------ C:\WINDOWS\system32\wrap_oal.dll
2007-08-09 23:12 <DIR> d-------- C:\WINDOWS\system32\Data
2007-08-09 23:02 77,824 --a------ C:\WINDOWS\system32\ctdvda32.dll
2007-08-09 22:53 <DIR> d-------- C:\Program Files\ACW
2007-08-03 14:45 <DIR> d-------- C:\Program Files\NCH Swift Sound
2007-07-26 00:17 <DIR> d-------- C:\Program Files\Dantz
2007-07-26 00:13 <DIR> d-------- C:\Program Files\Maxtor
2007-07-26 00:11 5,600 --a------ C:\WINDOWS\system\winaspi.dll
2007-07-26 00:11 45,056 --a------ C:\WINDOWS\system32\wnaspi32.dll
2007-07-26 00:11 4,672 --a------ C:\WINDOWS\system\wowpost.exe
2007-07-26 00:11 25,244 --a------ C:\WINDOWS\system32\drivers\aspi32.sys
2007-07-25 17:25 37,376 --a------ C:\WINDOWS\system32\hpz3l3xu.dll
2007-07-23 17:20 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-20 17:14 28,672 --------- C:\WINDOWS\system32\verclsid.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-19 01:13 --------- d-------- C:\Program Files\LimeWire
2007-08-19 01:00 --------- d-------- C:\Program Files\Incomplete
2007-08-18 10:18 --------- d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\Corel
2007-08-17 15:39 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-17 15:39 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-15 20:33 --------- d-------- C:\Program Files\Symantec
2007-08-15 20:32 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-13 20:54 --------- d-------- C:\Program Files\MySpace
2007-08-06 10:52 --------- d-------- C:\Program Files\FinePixViewer
2007-07-23 11:31 --------- d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\AdobeUM
2007-07-20 22:54 --------- d-------- C:\Program Files\Google
2007-07-18 23:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-18 19:40 --------- d-------- C:\Program Files\Norton Internet Security
2007-07-18 14:53 --------- d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\Real
2007-07-18 14:53 --------- d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\Intuit
2007-07-18 14:51 1877 -rahs---- C:\WINDOWS\system32\drivers\103C_HP_CPC_ER883AA-ABA m7470n_YC_0Pavi_QCNN614_E62NAemMPA1_48_IAMETHYST-M_SMSI_V1.0_B3.47_T060303_WXP2_L409_M2047_J300_7AMD_8Athlon 64 X2 Dual Core_92.19_#060529_N10EC8139_Z11C10620_G10027146.MRK
2007-07-14 12:16 --------- d-------- C:\Program Files\BroadJump
2007-07-13 21:24 --------- d-------- C:\Program Files\Creative
2007-07-13 09:39 --------- d-------- C:\Program Files\Eraser
2007-07-12 16:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-07-10 20:55 --------- d-------- C:\Program Files\blue's clues
2007-07-07 11:58 --------- d-------- C:\Program Files\Nanny Mania
2007-07-06 10:03 --------- d-------- C:\Program Files\MSN Games
2007-07-02 20:00 --------- d-------- C:\Program Files\The Magicians Handbook - Cursed Valley
2007-07-02 20:00 --------- d-------- C:\Program Files\Big City Adventure - San Francisco
2007-07-02 20:00 --------- d-------- C:\Program Files\bfgclient
2007-06-27 07:34 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 07:34 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 07:34 6058496 --a------ C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 07:34 52224 --a------ C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 07:34 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 07:34 459264 --a------ C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 07:34 44544 --a------ C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 07:34 384512 --a------ C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 07:34 383488 --a------ C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 07:34 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 07:34 267776 --a------ C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 07:34 232960 --a------ C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 07:34 230400 --a------ C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 07:34 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 07:34 153088 --a------ C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 07:34 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 07:34 124928 --a------ C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 07:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 07:34 105984 --a------ C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 07:34 102400 --a------ C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 01:27 63488 --a------ C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 01:27 625152 --a------ C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 01:27 13824 --a------ C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 00:00 161792 --a------ C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-24 23:56 --------- d-------- C:\Program Files\Hidden Expedition Titanic
2007-06-22 20:00 --------- d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\Sandlot Games
2007-06-22 19:59 --------- d-------- C:\Program Files\Yahoo! Games
2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-13 03:23 1033216 --a------ C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-13 03:23 1033216 --a------ C:\WINDOWS\explorer.exe
2006-10-14 09:48 774144 --a------ C:\Program Files\RngInterstitial.dll
2005-09-24 08:49 12288 --a------ C:\WINDOWS\Fonts.\RandFont.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 17:29]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21]
"CTHelper"="CTHELPER.EXE" [2005-06-17 23:01 C:\WINDOWS\CTHELPER.EXE]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" []
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 21:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Ad-Watch"=C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe

S3 MaxtorFrontPanel1;Maxtor 1394 Storage Front Panel Driver;C:\WINDOWS\system32\DRIVERS\mxofwfp.sys


Contents of the 'Scheduled Tasks' folder
2007-07-25 22:32:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-19 23:07:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-19 23:09:36 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-19 23:09
C:\ComboFix2.txt ... 2007-08-19 11:33

--- E O F ---

And here is the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:14:06 PM, on 8/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185211523125
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 7309 bytes

#6 MikeDivine (Topic Starter, Members, 12 posts)

Posted 20 August 2007 - 01:59 AM

Well I think you have fixed my PC. I am definitely going to make a donation. I would really like to know what ComboFix is. Is it for a trojan or virus called Combo? And if yes, how did you know I had that specific one? If you can help me with some answers to those questions, I will leave a greater donation.

Thank you,
Mike Divine

#7 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 20 August 2007 - 04:21 AM

I would really like to know what ComboFix is. Is it for a trojan or virus called Combo?

Basically ComboFix is used for specifically targeting certain malware/spyware such as SurfSideKick, QooLogic, Look2Me, Virtumundo etc.
It's an extremely powerful tool; as well as removing specific types of spyware, it's also used by competent operatives for detecting problems within the operating system, and gives clues to other infections.

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have HijackThis fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your PC is running now.

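
The two entries the helper asks HijackThis to fix here are orphans: a registry reference (BHO, toolbar) whose target on disk is "(no file)". An O20 Winlogon Notify line reported as "(file missing)", or one whose path has been reduced to a bare "C:\WINDOWS\" as in the later log, is the same kind of leftover. As an added example, not code from this thread or from Trend Micro's HijackThis, the Python below parses the R/O lines of a log, flags such orphans, and diffs two logs of the same machine to show which entries disappeared and appeared between runs. The two sample logs are constructed from lines quoted in this thread and trimmed to the entries of interest; parse_hjt, find_orphans and diff_logs are my helper names.

```python
"""Flag orphaned HijackThis entries and diff two logs of the same machine.

Added example: not code from the thread or from Trend Micro's HijackThis.
The two sample logs are constructed from lines quoted in this thread and
trimmed to the entries of interest; parse_hjt, find_orphans and diff_logs
are hypothetical helper names.
"""
import re
from typing import NamedTuple

# Every R/O line has the shape "<section> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")


class Entry(NamedTuple):
    section: str   # "O2", "O20", "R1", ...
    body: str      # text after "O2 - "


# Constructed from the HijackThis log posted before the CFScript run.
BEFORE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O20 - Winlogon Notify: ddaya - C:\WINDOWS\system32\ddaya.dll
O20 - Winlogon Notify: tuvuspn - C:\WINDOWS\SYSTEM32\tuvuspn.dll
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
"""

# Constructed from the log posted after SuperAntiSpyware was installed.
AFTER_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O20 - Winlogon Notify: ddaya - C:\WINDOWS\
O20 - Winlogon Notify: tuvuspn - C:\WINDOWS\
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""


def parse_hjt(text):
    """Return the R/O entries of a log; the header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def find_orphans(entries):
    """Entries whose registry reference survives but whose target on disk is gone.

    Returns (section, body, reason) tuples. Covers the O2/O3 "(no file)" items
    the helper had fixed, plus O20 Winlogon Notify hooks whose DLL is reported
    missing or whose path has no file name left (e.g. "C:\\WINDOWS\\").
    """
    orphans = []
    for e in entries:
        # The target is the last " - "-separated field of the body.
        target = e.body.rsplit(" - ", 1)[-1].strip()
        if e.section in ("O2", "O3", "O9") and target == "(no file)":
            orphans.append((e.section, e.body, "target is (no file)"))
        elif e.section == "O20":
            if "(file missing)" in target:
                orphans.append((e.section, e.body, "DLL missing"))
            elif target.endswith("\\"):
                orphans.append((e.section, e.body, "path has no file name"))
    return orphans


def diff_logs(before_text, after_text):
    """(removed, added) entries between two logs of the same machine."""
    before = set(parse_hjt(before_text))
    after = set(parse_hjt(after_text))
    return sorted(before - after), sorted(after - before)


if __name__ == "__main__":
    for label, log in (("before", BEFORE_LOG), ("after", AFTER_LOG)):
        print(f"== orphans in {label} log ==")
        for section, body, reason in find_orphans(parse_hjt(log)):
            print(f"  {section} - {body}  [{reason}]")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed:", len(removed), "added:", len(added))
```

The diff treats each R/O line as an opaque string, so an entry whose path changed (the ddaya hook going from a full DLL path to "C:\WINDOWS\") shows up as one removal plus one addition rather than a modification; that is deliberate, since a changed target is exactly what a reviewer wants to look at twice.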

#8 MikeDivine (Topic Starter, Members, 12 posts)

Posted 20 August 2007 - 04:39 PM

Here is the SuperAntiSpyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/20/2007 at 02:12 PM

Application Version : 3.9.1008

Core Rules Database Version : 3289
Trace Rules Database Version: 1300

Scan type : Complete Scan
Total Scan Time : 01:08:19

Memory items scanned : 403
Memory threats detected : 0
Registry items scanned : 6432
Registry threats detected : 0
File items scanned : 74668
File threats detected : 14

Adware.Tracking Cookie
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@a.websponsors[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@ad.adnetinteractive[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@freecodesource.advertserve[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@adrevolver[3].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@ads.adbrite[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@adserving.cpxinteractive[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@counter.auctionworks[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@e-2dj6wjk4anazclo.stats.esomniture[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@gcc-06.googleadservices[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@media.adrevolver[3].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@questionmarket[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@specificclick[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@statcounter[2].txt

Adware.Lop-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{106CF321-99A3-4E3A-9103-1BD027606A99}\RP147\A0010889.EXE


And here is the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:37:15 PM, on 8/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {16710DEF-8D6D-4E27-8060-2A7B7441E988} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4} - (no file)
O2 - BHO: (no name) - {66AABAEB-0D58-447E-AD4C-398E1795B825} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {869AA68B-F362-44DD-916F-CA7C4D8C6153} - (no file)
O2 - BHO: (no name) - {9F062246-CB8A-C12C-DCD8-97ABAB0305E5} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')

O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185211523125
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddaya - C:\WINDOWS\
O20 - Winlogon Notify: tuvuspn - C:\WINDOWS\
O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 7993 bytes

Is there a way to figure out which of these processes are bad? If I were to tell HijackThis to fix all the Google Toolbar stuff and MySpace IM and MSN Messenger or anything else I see that isn't necessary, I would be pretty safe in doing so, correct? Or is it stupid to worry about it?

Edited by MikeDivine, 20 August 2007 - 04:42 PM.
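The question above ("which of these are bad?") is the triage step every HijackThis reader does by hand: parse the O-lines and pick out the entries whose shape is unusual, then research those first rather than deleting everything unfamiliar. The script below is an added example, not code from the forum or from HijackThis, that does that first pass over a few lines copied from the log above. Its heuristics are assumptions for illustration: a Winlogon Notify handler (O20) whose path is only a directory and no DLL name, or whose name is not on a reviewer-kept allowlist (here seeded with just `!SASWinLogon`, an assumption, not an authoritative list); a Run entry (O4) living under `HKUS\S-1-5-18`, which is the SYSTEM account and rarely a home for interactive user software; a wildcard host in the Trusted Zone (O15); and a service (O23) that HijackThis reports with "Unknown owner". A finding is a prompt to look something up, not a verdict; the O20 shape in particular is the one the Vundo family was known for, which is why it sorts to the top.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a few lines copied from the HijackThis log above,
# enough to exercise every heuristic offline.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddaya - C:\WINDOWS\
O20 - Winlogon Notify: tuvuspn - C:\WINDOWS\
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
"""

# Reviewer-maintained allowlist of Winlogon Notify handlers. This is an
# assumption for the example, not an authoritative list; a real one would be
# taken from a clean reference install of the same Windows version.
KNOWN_WINLOGON_NOTIFY = {"!SASWinLogon"}


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O20"
    name: str      # the entry's name, zone or service label
    reason: str    # why a reviewer should look at it


LINE_RE = re.compile(r"^(O\d+) - (.*)$")
O4_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^Trusted Zone: (?P<zone>\S+)")
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$")


def triage(log_text: str) -> list[Finding]:
    """Parse HijackThis O-lines and return the entries to research first."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # headers, blank lines, "End of file"
        section, body = m.groups()

        if section == "O4":
            e = O4_RE.match(body)
            # HKUS\S-1-5-18 is the SYSTEM account's hive; user-facing apps
            # seldom belong in its Run key.
            if e and e["hive"].startswith("HKUS\\S-1-5-18"):
                findings.append(Finding(section, e["name"],
                    "autostarts under the SYSTEM account (HKUS\\S-1-5-18)"))

        elif section == "O15":
            e = O15_RE.match(body)
            if e and "*" in e["zone"]:
                findings.append(Finding(section, e["zone"],
                    "wildcard host in the Trusted Zone (relaxes IE security for every subdomain)"))

        elif section == "O20":
            e = O20_RE.match(body)
            if not e:
                continue
            name, path = e["name"], e["path"].strip()
            if path.endswith("\\"):
                # Only a directory is listed: HijackThis could not show a DLL file name.
                findings.append(Finding(section, name,
                    "Winlogon Notify handler with no DLL file name (directory only)"))
            elif name not in KNOWN_WINLOGON_NOTIFY:
                findings.append(Finding(section, name,
                    "Winlogon Notify handler not on the reviewer's allowlist"))

        elif section == "O23":
            e = O23_RE.match(body)
            if e and e["owner"] == "Unknown owner":
                findings.append(Finding(section, e["name"],
                    "service binary carries no publisher information"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.name:<24} {f.reason}")
```

Running it on the sample lines lists the two unnamed Winlogon Notify handlers, the SYSTEM-hive MySpaceIM entry, the trymedia wildcard and the ownerless licensing service, and says nothing about Ad-Watch, DefWatch or the SUPERAntiSpyware handler. That is the point of the exercise: the Google Toolbar, Messenger and Office entries the poster was tempted to "fix" have normal shapes, so the time is better spent on the handful of entries that do not.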