
Url.cpvfeed.com Is Kicking My Butt And No Core.sys To Be Found


  • This topic is locked
12 replies to this topic

#1 Hollowman

Hollowman

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:43 PM

Posted 26 August 2007 - 05:00 PM

I cannot get rid of this virus/spyware. The url.cpvfeed.com pop-ups and constant computer freezing are driving me insane. I've tried everything from Ad-Aware, Trend Micro Housecall, PC Tools Spyware Doctor, Stinger, Spybot Search and Destroy, etc., and all any of them seem to be able to find is "COOKIES"!!!

There is nothing in this computer even relating to a "core.sys" file, not even in the registry. I'm totally stumped. Here is a HijackThis scan.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:46:34 PM, on 8/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.cox.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {343D3FDC-F038-BC96-1215-FC8DB8548F99} - (no file)
O2 - BHO: (no name) - {646B6DD8-F460-B69E-4B15-FC8DB854819B} - (no file)
O2 - BHO: (no name) - {663B6ADB-F06E-BF9A-4B15-FC8DB8548E9E} - (no file)
O2 - BHO: (no name) - {666B6D89-A36F-B69C-4F15-FC8DB854D2CD} - (no file)
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - (no file)
O2 - BHO: (no name) - {991EF04C-93CF-469b-A2BE-CC1B3347566F} - (no file)
O2 - BHO: (no name) - {BBCA26E0-F8EB-450C-A572-545DBF6C4C75} - (no file)
O2 - BHO: msscds32.msdn_hlp - {C934903B-61BE-403A-BC70-D738DAF43B8E} - C:\WINDOWS\system32\msscds32.dll
O2 - BHO: (no name) - {E924034F-CBAA-D15D-8ADC-90ABAA030490} - (no file)
O2 - BHO: (no name) - {f38a5dac-8c54-4ed0-915e-f7365b0f2995} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [bacstray] C:\Program Files\Broadcom\BACS\\BacsTray.exe
O4 - HKLM\..\Run: [ms036354521792007] C:\WINDOWS\ms036354521792007
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Shortcut to Printkey.lnk = C:\Printkey.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1188058813078
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1188058791250
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = assi.com
O17 - HKLM\Software\..\Telephony: DomainName = assi.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = assi.com
O20 - Winlogon Notify: awvtq - C:\WINDOWS\
O20 - Winlogon Notify: devlpk - devlpk.dll (file missing)
O20 - Winlogon Notify: pmnmlji - pmnmlji.dll (file missing)
O20 - Winlogon Notify: qomnono - qomnono.dll (file missing)
O20 - Winlogon Notify: rqrrqop - rqrrqop.dll (file missing)
O20 - Winlogon Notify: SensLogon - ertw1.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 8354 bytes

If anyone sees anything, PLEASE let me know.

Thanks
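One way to triage a log like this mechanically, as an added example that is not part of the original post and not code from HijackThis itself: the script below parses the "Oxx - ..." lines of a HijackThis log and flags the patterns that stand out in the log above (BHO CLSIDs registered with "(no file)", Winlogon Notify hooks whose DLL is missing or that point at a directory, Run entries launching an extension-less or digit-heavy file straight out of the Windows directory, and TCP/IP domain overrides). The heuristics, the 50% digit threshold and the choice of excerpted lines are my own assumptions; the flags are leads to verify by hand, not verdicts.

```python
"""Heuristic triage of HijackThis log entries (added example, not HijackThis code).

Each flag is a lead to check, not a verdict: an orphaned BHO or a missing
Winlogon Notify DLL is usually debris from a removed component, while an
extension-less, digit-heavy file launched from the Windows root is the kind
of entry a scanner should have explained and did not.
"""
import ntpath
import re
from dataclasses import dataclass

# Excerpt of the HijackThis log posted above, trimmed to the lines the
# heuristics act on (sample input for this example).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {343D3FDC-F038-BC96-1215-FC8DB8548F99} - (no file)
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - (no file)
O2 - BHO: msscds32.msdn_hlp - {C934903B-61BE-403A-BC70-D738DAF43B8E} - C:\WINDOWS\system32\msscds32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ms036354521792007] C:\WINDOWS\ms036354521792007
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = assi.com
O20 - Winlogon Notify: awvtq - C:\WINDOWS\
O20 - Winlogon Notify: devlpk - devlpk.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""

ENTRY = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
RUN_ENTRY = re.compile(r"^(?P<hive>HK\w+\\\.\.\\Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXEC_EXTS = {".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs", ".js"}
DIGIT_RATIO = 0.5  # assumed threshold for "looks machine-generated"


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "O20"
    reason: str
    line: str


def command_path(cmd: str) -> str:
    """Extract the program path from a Run command line (heuristic)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.search(r" [/-]", cmd)  # unquoted: cut at the first argument marker
    return cmd[:m.start()] if m else cmd


def digit_heavy(name: str) -> bool:
    """True when more than DIGIT_RATIO of the file stem is digits."""
    stem = ntpath.splitext(name)[0]
    return bool(stem) and sum(c.isdigit() for c in stem) / len(stem) > DIGIT_RATIO


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O2" and body.endswith("(no file)"):
            findings.append(Finding(sec, "BHO CLSID registered but its DLL is gone (orphan to remove)", line))
        elif sec == "O4":
            r = RUN_ENTRY.match(body)
            if r:
                path = command_path(r.group("cmd"))
                base = ntpath.basename(path)
                if ntpath.splitext(path)[1].lower() not in EXEC_EXTS:
                    findings.append(Finding(sec, f"Run target has no executable extension: {path}", line))
                if ntpath.dirname(path).lower() == r"c:\windows":
                    findings.append(Finding(sec, f"Run target lives in the Windows root: {path}", line))
                if digit_heavy(base):
                    findings.append(Finding(sec, f"digit-heavy, likely generated name: {base}", line))
        elif sec == "O17":
            findings.append(Finding(sec, "TCP/IP domain override; confirm it matches the expected network", line))
        elif sec == "O20":
            target = body.split(" - ", 1)[1] if " - " in body else body
            if target.endswith("(file missing)"):
                findings.append(Finding(sec, "Winlogon Notify DLL missing (leftover hook to remove)", line))
            elif not target.lower().endswith(".dll"):
                findings.append(Finding(sec, f"Winlogon Notify points at a non-DLL target: {target!r}", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per HijackThis section."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
```

Run against the excerpt it reports eight leads: the two orphaned BHOs, three separate reasons for the ms036354521792007 Run entry, the domain override, and both Winlogon Notify hooks; the legitimate Intel, QuickTime and Lavasoft entries stay silent, which is the point of keying on file presence, location and naming rather than on a signature list.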


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:43 PM

Posted 26 August 2007 - 05:04 PM

Hello Hollowman,

Welcome to Bleeping Computer :thumbsup:

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea

#3 Hollowman

Hollowman
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:43 PM

Posted 26 August 2007 - 05:13 PM

Combofix log

ComboFix 07-08-26.3 - "semma" 2007-08-26 18:11:58.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1473 [GMT -4:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\bold.log
C:\DOCUME~1\ADMINI~1\APPLIC~1\.rdr.ini
C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\think-adz.lnk
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\winantispyware 2007
C:\DOCUME~1\semma\APPLIC~1\WinTouch
C:\DOCUME~1\semma\APPLIC~1\wnsxs~1
C:\DOCUME~1\semma\MYDOCU~1\ymante~1
C:\Program Files\dobe~1
C:\Program Files\ssembl~1
C:\temp\0b9
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\iee
C:\UWA7P
C:\WINDOWS\asembl~1
C:\WINDOWS\cookies.ini
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\ms036354521792007.exe
C:\WINDOWS\scurit~1
C:\WINDOWS\scurit~1\s?curity\
C:\WINDOWS\system32\b10FdUe
C:\WINDOWS\system32\configs
C:\WINDOWS\system32\cscentfy.dll
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\ecurit~1
C:\WINDOWS\system32\ecurit~1\?ecurity\
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\F2
C:\WINDOWS\system32\F3
C:\WINDOWS\system32\mcroso~1
C:\WINDOWS\system32\msscds32.dll
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\o05PrEz
C:\WINDOWS\system32\o08PrEz
C:\WINDOWS\system32\racle~1
C:\WINDOWS\system32\scchk32.exe


((((((((((((((((((((((((( Files Created from 2007-07-26 to 2007-08-26 )))))))))))))))))))))))))))))))


2007-08-26 16:31 0 --a------ C:\WINDOWS\Gwang.exe
2007-08-26 13:31 82,248 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-08-26 13:31 57,672 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-08-26 13:31 38,728 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-08-26 13:31 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-08-26 13:31 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-08-26 13:30 <DIR> d-------- C:\Spyware.Doctor.v5.0.5.258
2007-08-26 13:29 <DIR> d-------- C:\DOCUME~1\semma\APPLIC~1\WinRAR
2007-08-26 12:41 664 --a------ C:\cc_20070826_1241.reg
2007-08-26 12:40 48,399 --a------ C:\cc_20070826_1240.reg
2007-08-26 12:33 <DIR> d-------- C:\Program Files\CCleaner
2007-08-26 12:21 482,408 --a------ C:\ccsetup141_slim.exe
2007-08-26 12:21 <DIR> d-------- C:\WINDOWS\pss
2007-08-26 12:03 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-08-26 11:35 <DIR> d-------- C:\DOCUME~1\semma\APPLIC~1\PC Tools
2007-08-26 11:32 19,870,336 --a------ C:\avinstall.exe
2007-08-26 11:10 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-26 11:08 1,073,579 --a------ C:\SDFix.exe
2007-08-26 10:57 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-26 10:53 50,688 --a------ C:\ATF-Cleaner.exe
2007-08-25 23:30 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-25 23:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-25 22:45 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-08-25 22:41 14,920,632 --a------ C:\sdsetup.exe
2007-08-25 21:06 <DIR> d-------- C:\Startup
2007-08-25 19:54 12,413,440 --a------ C:\avgas-setup-7.5.1.43.exe
2007-08-25 19:20 102,800 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-08-25 18:01 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-08-25 17:09 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-08-25 16:41 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-25 16:39 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-08-25 15:58 <DIR> d-------- C:\Program Files\MSBuild
2007-08-25 15:51 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-08-25 15:48 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-08-25 15:44 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-08-25 15:41 <DIR> d-------- C:\096a0102d8aa6d77b324
2007-08-25 15:36 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-08-25 15:27 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-08-25 15:27 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-08-25 14:45 23,040 --------- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-08-25 14:45 16,896 --------- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-08-25 14:45 128,896 --------- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-08-25 13:45 401,720 --a------ C:\HiJackThis.exe
2007-08-25 13:24 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-08-25 13:24 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-08-25 13:24 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-08-21 08:07 <DIR> d-------- C:\Program Files\SmartDraw 2007
2007-08-20 09:40 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2007-08-13 16:39 63,592 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2007-08-10 10:26 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-08-09 13:17 75,792 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2007-08-09 13:17 36,112 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-08-09 13:17 300,816 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-08-09 13:17 203,024 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-08-09 13:17 112,400 --a------ C:\WINDOWS\system32\drivers\tm_mbd_c.sys
2007-08-09 13:17 1,126,328 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2007-08-09 13:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-09 13:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2007-08-07 08:59 1,602,684 ---hs---- C:\WINDOWS\system32\qtvwa.ini2
2007-08-07 08:57 5 --a------ C:\WINDOWS\system32\sdfixwcs.dll
2007-08-07 08:32 7 --a------ C:\WINDOWS\system32\sdfinacs.dll
2007-08-07 08:32 476 --a------ C:\WINDOWS\system32\msupnixg.dll
2007-08-07 08:32 34,780 --a------ C:\WINDOWS\system32\msratnit.dll
2007-08-07 08:32 220 --a------ C:\WINDOWS\system32\qviexio3.dat
2007-08-07 08:32 12 --a------ C:\WINDOWS\system32\rasqervy.dll
2007-08-07 08:24 134 --a------ C:\WINDOWS\system32\wuasirvy.dll
2007-08-07 08:23 1,903 --a------ C:\WINDOWS\system32\comsatac.dll
2007-08-06 13:46 1,624,912 ---hs---- C:\WINDOWS\system32\qtvwa.bak2
2007-08-06 08:07 1,625,151 ---hs---- C:\WINDOWS\system32\qtvwa.bak1


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-26 17:24 --------- d-------- C:\Program Files\Symantec AntiVirus
2007-08-20 09:50 155648 --a------ C:\WINDOWS\system32\winlogs.exe
2007-08-20 09:42 126976 --a------ C:\WINDOWS\system32\hkcmd.exe
2007-08-09 11:22 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-30 19:18 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-25 09:12 --------- d-------- C:\Program Files\Lavasoft
2007-07-25 09:12 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-25 09:11 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-23 11:58 --------- d-------- C:\Program Files\Windows Live Safety Center
2007-07-23 10:02 --------- d-------- C:\DOCUME~1\semma\APPLIC~1\AdobeUM
2007-07-23 08:21 1798812 --ahs---- C:\WINDOWS\system32\rrutv.bak2
2007-07-19 02:59 3583488 --------- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-18 15:20 65106 --a------ C:\WINDOWS\system32\pwjkwbgv.dll
2007-07-17 15:41 --------- d-------- C:\Program Files\QuickTime
2007-07-12 19:31 765952 --------- C:\WINDOWS\system32\dllcache\vgx.dll
2007-07-10 16:40 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-09 11:53 6369 --ahs---- C:\WINDOWS\system32\rrutv.bak1
2007-06-29 16:22 --------- d-------- C:\Program Files\Google
2007-06-29 16:22 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-06-27 10:34 823808 --------- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 10:34 671232 --------- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 10:34 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 10:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 10:34 477696 --------- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 10:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 10:34 44544 --------- C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 10:34 384512 --------- C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 10:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 10:34 27648 --------- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 10:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 10:34 232960 --------- C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 10:34 230400 --------- C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 10:34 193024 --------- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 10:34 153088 --------- C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 10:34 132608 --------- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 10:34 124928 --------- C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 10:34 1152000 --------- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 10:34 105984 --------- C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 10:34 102400 --------- C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 04:27 63488 --------- C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 04:27 625152 --------- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 04:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 03:00 161792 --------- C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 02:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 09:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-15 04:12 474112 --------- C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-15 04:12 151040 --------- C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-15 04:12 1498112 --------- C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-15 04:12 1054208 --------- C:\WINDOWS\system32\dllcache\danim.dll
2007-06-15 04:12 1022976 --------- C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 06:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-11 23:51 10834944 --a------ C:\WINDOWS\system32\dllcache\wmp.dll
2007-05-29 13:47 741018 --a------ C:\WINDOWS\system32\shue1a[1].scr


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{343D3FDC-F038-BC96-1215-FC8DB8548F99}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{646B6DD8-F460-B69E-4B15-FC8DB854819B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{663B6ADB-F06E-BF9A-4B15-FC8DB8548E9E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{666B6D89-A36F-B69C-4F15-FC8DB854D2CD}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{991EF04C-93CF-469b-A2BE-CC1B3347566F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBCA26E0-F8EB-450C-A572-545DBF6C4C75}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E924034F-CBAA-D15D-8ADC-90ABAA030490}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f38a5dac-8c54-4ed0-915e-f7365b0f2995}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-08-02 08:43]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-08-20 09:42]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2007-08-20 13:58]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2007-08-20 08:53]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-08-20 13:14]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-01-04 21:05]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2007-08-20 13:57]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-01-13 20:20]
"bacstray"="C:\Program Files\Broadcom\BACS\\BacsTray.exe" [2007-08-20 13:58]
"ms036354521792007"="C:\WINDOWS\ms036354521792007" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-07-17 15:41]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-04-12 06:58]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-08-02 10:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvtq]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\devlpk]
devlpk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnmlji]
pmnmlji.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomnono]
qomnono.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrrqop]
rqrrqop.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogon]
ertw1.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
S2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
S2 CVPNDRVA;Cisco Systems IPsec Driver;\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
S2 tmxpflt;tmxpflt;C:\WINDOWS\system32\DRIVERS\tmxpflt.sys
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys


Contents of the 'Scheduled Tasks' folder
2007-08-26 04:00:00 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\system32\V43FEJBU.exe
2007-08-26 13:00:00 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\system32\V43FEJBU.exe
2007-08-26 07:00:00 C:\WINDOWS\Tasks\At100.job - C:\WINDOWS\system32\IIJx2Fho.exe
2007-08-26 08:00:00 C:\WINDOWS\Tasks\At101.job - C:\WINDOWS\system32\IIJx2Fho.exe
2007-08-26 09:00:00 C:\WINDOWS\Tasks\At102.job - C:\WINDOWS\system32\IIJx2Fho.exe
2007-08-26 10:00:00 C:\WINDOWS\Tasks\At103.job - C:\WINDOWS\system32\IIJx2Fho.exe
2007-08-26 11:00:00 C:\WINDOWS\Tasks\At104.job
2007-08-26 12:00:00 C:\WINDOWS\Tasks\At105.job
2007-08-26 13:00:00 C:\WINDOWS\Tasks\At106.job - C:\WINDOWS\system32\IIJx2Fho.exe
2007-08-26 14:00:00 C:\WINDOWS\Tasks\At107.job
2007-08-26 15:00:00 C:\WINDOWS\Tasks\At108.job - C:\WINDOWS\system32\IIJx2Fho.exe
2007-08-26 16:00:00 C:\WINDOWS\Tasks\At109.job - C:\WINDOWS\system32\IIJx2Fho.exe
2007-08-26 14:00:00 C:\WINDOWS\Tasks\At11.job
2007-08-26 17:00:00 C:\WINDOWS\Tasks\At110.job - C:\WINDOWS\system32\IIJx2Fho.exe
2007-08-26 18:00:00 C:\WINDOWS\Tasks\At111.job - C:\WINDOWS\system32\IIJx2Fho.exe
2007-08-26 19:00:00 C:\WINDOWS\Tasks\At112.job - C:\WINDOWS\system32\IIJx2Fho.exe
2007-08-26 20:05:05 C:\WINDOWS\Tasks\At113.job - C:\WINDOWS\system32\IIJx2Fho.exe
2007-08-26 21:03:51 C:\WINDOWS\Tasks\At114.job - C:\WINDOWS\system32\IIJx2Fho.exe
2007-08-21 22:00:00 C:\WINDOWS\Tasks\At115.job - C:\WINDOWS\system32\IIJx2Fho.exe
2007-08-21 23:00:00 C:\WINDOWS\Tasks\At116.job - C:\WINDOWS\system32\IIJx2Fho.exe
2007-08-26 00:00:00 C:\WINDOWS\Tasks\At117.job - C:\WINDOWS\system32\IIJx2Fho.exe
2007-08-10 01:00:00 C:\WINDOWS\Tasks\At118.job - C:\WINDOWS\system32\IIJx2Fho.exe
2007-08-10 02:00:00 C:\WINDOWS\Tasks\At119.job - C:\WINDOWS\system32\IIJx2Fho.exe
2007-08-26 15:00:00 C:\WINDOWS\Tasks\At12.job
2007-08-26 03:00:00 C:\WINDOWS\Tasks\At120.job - C:\WINDOWS\system32\IIJx2Fho.exe
2007-08-26 16:00:00 C:\WINDOWS\Tasks\At13.job
2007-08-26 17:00:00 C:\WINDOWS\Tasks\At14.job - C:\WINDOWS\system32\V43FEJBU.exe
2007-08-26 18:00:00 C:\WINDOWS\Tasks\At15.job - C:\WINDOWS\system32\V43FEJBU.exe
2007-08-26 19:00:00 C:\WINDOWS\Tasks\At16.job - C:\WINDOWS\system32\V43FEJBU.exe
2007-08-26 20:08:02 C:\WINDOWS\Tasks\At17.job - C:\WINDOWS\system32\V43FEJBU.exe
2007-08-26 21:06:08 C:\WINDOWS\Tasks\At18.job - C:\WINDOWS\system32\V43FEJBU.exe
2007-08-21 22:00:00 C:\WINDOWS\Tasks\At19.job - C:\WINDOWS\system32\V43FEJBU.exe
2007-08-26 05:00:00 C:\WINDOWS\Tasks\At2.job
2007-08-21 23:00:00 C:\WINDOWS\Tasks\At20.job
2007-08-26 00:00:02 C:\WINDOWS\Tasks\At21.job - C:\WINDOWS\system32\V43FEJBU.exe
2007-08-10 01:00:00 C:\WINDOWS\Tasks\At22.job
2007-08-10 02:00:00 C:\WINDOWS\Tasks\At23.job - C:\WINDOWS\system32\V43FEJBU.exe
2007-08-26 03:00:00 C:\WINDOWS\Tasks\At24.job - C:\WINDOWS\system32\V43FEJBU.exe
2007-08-26 04:00:00 C:\WINDOWS\Tasks\At25.job - C:\WINDOWS\system32\5LS120dL.exe
2007-08-26 05:00:01 C:\WINDOWS\Tasks\At26.job - C:\WINDOWS\system32\5LS120dL.exe
2007-08-26 06:00:00 C:\WINDOWS\Tasks\At27.job - C:\WINDOWS\system32\5LS120dL.exe
2007-08-26 07:00:00 C:\WINDOWS\Tasks\At28.job - C:\WINDOWS\system32\5LS120dL.exe
2007-08-26 08:00:00 C:\WINDOWS\Tasks\At29.job - C:\WINDOWS\system32\5LS120dL.exe
2007-08-26 06:00:00 C:\WINDOWS\Tasks\At3.job - C:\WINDOWS\system32\V43FEJBU.exe
2007-08-26 09:00:00 C:\WINDOWS\Tasks\At30.job
2007-08-26 10:00:00 C:\WINDOWS\Tasks\At31.job
2007-08-26 11:00:00 C:\WINDOWS\Tasks\At32.job - C:\WINDOWS\system32\5LS120dL.exe
2007-08-26 12:00:00 C:\WINDOWS\Tasks\At33.job - C:\WINDOWS\system32\5LS120dL.exe
2007-08-26 13:00:00 C:\WINDOWS\Tasks\At34.job - C:\WINDOWS\system32\5LS120dL.exe
2007-08-26 14:00:00 C:\WINDOWS\Tasks\At35.job
2007-08-26 15:00:00 C:\WINDOWS\Tasks\At36.job - C:\WINDOWS\system32\5LS120dL.exe
2007-08-26 16:00:00 C:\WINDOWS\Tasks\At37.job - C:\WINDOWS\system32\5LS120dL.exe
2007-08-26 17:00:00 C:\WINDOWS\Tasks\At38.job - C:\WINDOWS\system32\5LS120dL.exe
2007-08-26 18:00:00 C:\WINDOWS\Tasks\At39.job - C:\WINDOWS\system32\5LS120dL.exe
2007-08-26 07:00:00 C:\WINDOWS\Tasks\At4.job - C:\WINDOWS\system32\V43FEJBU.exe
2007-08-26 19:00:00 C:\WINDOWS\Tasks\At40.job
2007-08-26 20:10:56 C:\WINDOWS\Tasks\At41.job - C:\WINDOWS\system32\5LS120dL.exe
2007-08-26 21:08:41 C:\WINDOWS\Tasks\At42.job - C:\WINDOWS\system32\5LS120dL.exe
2007-08-21 22:00:01 C:\WINDOWS\Tasks\At43.job - C:\WINDOWS\system32\5LS120dL.exe
2007-08-21 23:00:00 C:\WINDOWS\Tasks\At44.job - C:\WINDOWS\system32\5LS120dL.exe
2007-08-26 00:00:02 C:\WINDOWS\Tasks\At45.job - C:\WINDOWS\system32\5LS120dL.exe
2007-08-10 01:00:00 C:\WINDOWS\Tasks\At46.job - C:\WINDOWS\system32\5LS120dL.exe
2007-08-10 02:00:00 C:\WINDOWS\Tasks\At47.job - C:\WINDOWS\system32\5LS120dL.exe
2007-08-26 03:00:00 C:\WINDOWS\Tasks\At48.job - C:\WINDOWS\system32\5LS120dL.exe
2007-08-26 04:00:00 C:\WINDOWS\Tasks\At49.job - C:\WINDOWS\system32\5t2GH151.exe
2007-08-26 08:00:00 C:\WINDOWS\Tasks\At5.job - C:\WINDOWS\system32\V43FEJBU.exe
2007-08-26 05:00:01 C:\WINDOWS\Tasks\At50.job - C:\WINDOWS\system32\5t2GH151.exe
2007-08-26 06:00:00 C:\WINDOWS\Tasks\At51.job - C:\WINDOWS\system32\5t2GH151.exe
2007-08-26 07:00:00 C:\WINDOWS\Tasks\At52.job - C:\WINDOWS\system32\5t2GH151.exe
2007-08-26 08:00:00 C:\WINDOWS\Tasks\At53.job - C:\WINDOWS\system32\5t2GH151.exe
2007-08-26 09:00:00 C:\WINDOWS\Tasks\At54.job - C:\WINDOWS\system32\5t2GH151.exe
2007-08-26 10:00:00 C:\WINDOWS\Tasks\At55.job - C:\WINDOWS\system32\5t2GH151.exe
2007-08-26 11:00:00 C:\WINDOWS\Tasks\At56.job - C:\WINDOWS\system32\5t2GH151.exe
2007-08-26 12:00:00 C:\WINDOWS\Tasks\At57.job - C:\WINDOWS\system32\5t2GH151.exe
2007-08-26 13:00:00 C:\WINDOWS\Tasks\At58.job - C:\WINDOWS\system32\5t2GH151.exe
2007-08-26 14:00:00 C:\WINDOWS\Tasks\At59.job
2007-08-26 09:00:00 C:\WINDOWS\Tasks\At6.job - C:\WINDOWS\system32\V43FEJBU.exe
2007-08-26 15:00:00 C:\WINDOWS\Tasks\At60.job - C:\WINDOWS\system32\5t2GH151.exe
2007-08-26 16:00:00 C:\WINDOWS\Tasks\At61.job - C:\WINDOWS\system32\5t2GH151.exe
2007-08-26 17:00:00 C:\WINDOWS\Tasks\At62.job - C:\WINDOWS\system32\5t2GH151.exe
2007-08-26 18:00:00 C:\WINDOWS\Tasks\At63.job - C:\WINDOWS\system32\5t2GH151.exe
2007-08-26 19:00:00 C:\WINDOWS\Tasks\At64.job - C:\WINDOWS\system32\5t2GH151.exe
2007-08-26 20:13:33 C:\WINDOWS\Tasks\At65.job - C:\WINDOWS\system32\5t2GH151.exe
2007-08-26 21:10:57 C:\WINDOWS\Tasks\At66.job - C:\WINDOWS\system32\5t2GH151.exe
2007-08-21 22:00:01 C:\WINDOWS\Tasks\At67.job - C:\WINDOWS\system32\5t2GH151.exe
2007-08-21 23:00:01 C:\WINDOWS\Tasks\At68.job - C:\WINDOWS\system32\5t2GH151.exe
2007-08-26 00:00:03 C:\WINDOWS\Tasks\At69.job
2007-08-26 10:00:00 C:\WINDOWS\Tasks\At7.job - C:\WINDOWS\system32\V43FEJBU.exe
2007-08-10 01:00:00 C:\WINDOWS\Tasks\At70.job - C:\WINDOWS\system32\5t2GH151.exe
2007-08-10 02:00:00 C:\WINDOWS\Tasks\At71.job - C:\WINDOWS\system32\5t2GH151.exe
2007-08-26 03:00:01 C:\WINDOWS\Tasks\At72.job - C:\WINDOWS\system32\5t2GH151.exe
2007-08-26 04:00:00 C:\WINDOWS\Tasks\At73.job - C:\WINDOWS\system32\S4r07H8O.exe
2007-08-26 05:00:01 C:\WINDOWS\Tasks\At74.job - C:\WINDOWS\system32\S4r07H8O.exe
2007-08-26 06:00:00 C:\WINDOWS\Tasks\At75.job - C:\WINDOWS\system32\S4r07H8O.exe
2007-08-26 07:00:00 C:\WINDOWS\Tasks\At76.job - C:\WINDOWS\system32\S4r07H8O.exe
2007-08-26 08:00:00 C:\WINDOWS\Tasks\At77.job
2007-08-26 09:00:00 C:\WINDOWS\Tasks\At78.job - C:\WINDOWS\system32\S4r07H8O.exe
2007-08-26 10:00:00 C:\WINDOWS\Tasks\At79.job - C:\WINDOWS\system32\S4r07H8O.exe
2007-08-26 11:00:00 C:\WINDOWS\Tasks\At8.job - C:\WINDOWS\system32\V43FEJBU.exe
2007-08-26 11:00:00 C:\WINDOWS\Tasks\At80.job - C:\WINDOWS\system32\S4r07H8O.exe
2007-08-26 12:00:00 C:\WINDOWS\Tasks\At81.job - C:\WINDOWS\system32\S4r07H8O.exe
2007-08-26 13:00:00 C:\WINDOWS\Tasks\At82.job - C:\WINDOWS\system32\S4r07H8O.exe
2007-08-26 14:00:00 C:\WINDOWS\Tasks\At83.job
2007-08-26 15:00:00 C:\WINDOWS\Tasks\At84.job - C:\WINDOWS\system32\S4r07H8O.exe
2007-08-26 16:00:00 C:\WINDOWS\Tasks\At85.job - C:\WINDOWS\system32\S4r07H8O.exe
2007-08-26 17:00:00 C:\WINDOWS\Tasks\At86.job - C:\WINDOWS\system32\S4r07H8O.exe
2007-08-26 18:00:00 C:\WINDOWS\Tasks\At87.job - C:\WINDOWS\system32\S4r07H8O.exe
2007-08-26 19:00:00 C:\WINDOWS\Tasks\At88.job - C:\WINDOWS\system32\S4r07H8O.exe
2007-08-26 20:15:56 C:\WINDOWS\Tasks\At89.job - C:\WINDOWS\system32\S4r07H8O.exe
2007-08-26 12:00:00 C:\WINDOWS\Tasks\At9.job - C:\WINDOWS\system32\V43FEJBU.exe
2007-08-26 21:13:15 C:\WINDOWS\Tasks\At90.job - C:\WINDOWS\system32\S4r07H8O.exe
2007-08-21 22:00:01 C:\WINDOWS\Tasks\At91.job - C:\WINDOWS\system32\S4r07H8O.exe
2007-08-21 23:00:01 C:\WINDOWS\Tasks\At92.job - C:\WINDOWS\system32\S4r07H8O.exe
2007-08-26 00:00:03 C:\WINDOWS\Tasks\At93.job - C:\WINDOWS\system32\S4r07H8O.exe
2007-08-10 01:00:00 C:\WINDOWS\Tasks\At94.job - C:\WINDOWS\system32\S4r07H8O.exe
2007-08-10 02:00:00 C:\WINDOWS\Tasks\At95.job - C:\WINDOWS\system32\S4r07H8O.exe
2007-08-26 03:00:01 C:\WINDOWS\Tasks\At96.job - C:\WINDOWS\system32\S4r07H8O.exe
2007-08-26 04:00:00 C:\WINDOWS\Tasks\At97.job - C:\WINDOWS\system32\IIJx2Fho.exe
2007-08-26 05:00:01 C:\WINDOWS\Tasks\At98.job
2007-08-26 06:00:00 C:\WINDOWS\Tasks\At99.job - C:\WINDOWS\system32\IIJx2Fho.exe
2007-08-26 19:29:37 C:\WINDOWS\Tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-26 18:14:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-26 18:15:26 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-26 18:15

--- E O F ---


New HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:17, on 2007-08-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.cox.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {343D3FDC-F038-BC96-1215-FC8DB8548F99} - (no file)
O2 - BHO: (no name) - {646B6DD8-F460-B69E-4B15-FC8DB854819B} - (no file)
O2 - BHO: (no name) - {663B6ADB-F06E-BF9A-4B15-FC8DB8548E9E} - (no file)
O2 - BHO: (no name) - {666B6D89-A36F-B69C-4F15-FC8DB854D2CD} - (no file)
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - (no file)
O2 - BHO: (no name) - {991EF04C-93CF-469b-A2BE-CC1B3347566F} - (no file)
O2 - BHO: (no name) - {BBCA26E0-F8EB-450C-A572-545DBF6C4C75} - (no file)
O2 - BHO: (no name) - {E924034F-CBAA-D15D-8ADC-90ABAA030490} - (no file)
O2 - BHO: (no name) - {f38a5dac-8c54-4ed0-915e-f7365b0f2995} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [bacstray] C:\Program Files\Broadcom\BACS\\BacsTray.exe
O4 - HKLM\..\Run: [ms036354521792007] C:\WINDOWS\ms036354521792007
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Shortcut to Printkey.lnk = C:\Printkey.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1188058813078
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1188058791250
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = assi.com
O17 - HKLM\Software\..\Telephony: DomainName = assi.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = assi.com
O20 - Winlogon Notify: awvtq - C:\WINDOWS\
O20 - Winlogon Notify: devlpk - devlpk.dll (file missing)
O20 - Winlogon Notify: pmnmlji - pmnmlji.dll (file missing)
O20 - Winlogon Notify: qomnono - qomnono.dll (file missing)
O20 - Winlogon Notify: rqrrqop - rqrrqop.dll (file missing)
O20 - Winlogon Notify: SensLogon - ertw1.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 8327 bytes
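
The At*.job listing in the ComboFix log above shows dozens of hourly jobs pointing at the same handful of randomly named executables under system32 (5LS120dL.exe, V43FEJBU.exe, 5t2GH151.exe, S4r07H8O.exe, IIJx2Fho.exe). The script below is an added example, not part of this thread and not ComboFix's own code: it parses task lines of that shape, groups the job files by the program they launch, and lists targets that are launched by several jobs and whose name is an eight-character alphanumeric sitting directly under system32. Both the job-count threshold and the name pattern are assumptions made for this example, and the sample listing is constructed in the shape of the posted lines.

```python
"""Group the At*.job lines from a ComboFix task listing by target program.

Added example; not part of the BleepingComputer thread and not ComboFix's
own code. The criteria in suspicious_targets() (several jobs launching the
same program, and an eight-character random-looking name directly under
system32) are assumptions chosen to match the listing in the thread.
"""
import re
from collections import defaultdict

# "<timestamp> C:\WINDOWS\Tasks\<name>.job [- <target>]"; the target is optional
# because some job files in the listing are shown without one.
TASK_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<job>C:\\WINDOWS\\Tasks\\[^\\]+?\.job)"
    r"(?:\s+-\s+(?P<target>\S.*?))?\s*$"
)

# Targets like 5LS120dL.exe: exactly eight letters/digits, directly in system32.
# Assumption for this example, derived from the names in the listing.
RANDOM_SYSTEM32_EXE = re.compile(
    r"^C:\\WINDOWS\\system32\\[A-Za-z0-9]{8}\.exe$", re.IGNORECASE
)

NO_TARGET = "(no target)"

# Constructed sample: a few lines in the shape of the posted ComboFix listing.
SAMPLE_LISTING = r"""
2007-08-26 04:00:00 C:\WINDOWS\Tasks\At25.job - C:\WINDOWS\system32\5LS120dL.exe
2007-08-26 05:00:01 C:\WINDOWS\Tasks\At26.job - C:\WINDOWS\system32\5LS120dL.exe
2007-08-26 06:00:00 C:\WINDOWS\Tasks\At27.job - C:\WINDOWS\system32\5LS120dL.exe
2007-08-26 06:00:00 C:\WINDOWS\Tasks\At3.job - C:\WINDOWS\system32\V43FEJBU.exe
2007-08-26 09:00:00 C:\WINDOWS\Tasks\At30.job
2007-08-26 07:00:00 C:\WINDOWS\Tasks\At4.job - C:\WINDOWS\system32\V43FEJBU.exe
2007-08-26 08:00:00 C:\WINDOWS\Tasks\At5.job - C:\WINDOWS\system32\V43FEJBU.exe
2007-08-26 04:00:00 C:\WINDOWS\Tasks\At49.job - C:\WINDOWS\system32\5t2GH151.exe
2007-08-26 19:29:37 C:\WINDOWS\Tasks\Symantec NetDetect.job
"""


def parse_tasks(text):
    """Return (timestamp, job_path, target_or_None) for each task line."""
    jobs = []
    for line in text.splitlines():
        m = TASK_LINE.match(line.strip())
        if m:
            jobs.append((m["ts"], m["job"], m["target"]))
    return jobs


def cluster_by_target(jobs):
    """Map each target program to the list of job files that launch it."""
    groups = defaultdict(list)
    for _ts, job, target in jobs:
        groups[target or NO_TARGET].append(job)
    return dict(groups)


def suspicious_targets(jobs, min_jobs=3):
    """Targets launched by at least min_jobs jobs that match the name pattern."""
    groups = cluster_by_target(jobs)
    return sorted(
        target
        for target, job_files in groups.items()
        if target != NO_TARGET
        and RANDOM_SYSTEM32_EXE.match(target)
        and len(job_files) >= min_jobs
    )


if __name__ == "__main__":
    parsed = parse_tasks(SAMPLE_LISTING)
    for target, job_files in sorted(cluster_by_target(parsed).items()):
        print(f"{len(job_files):3d} job(s) -> {target}")
    print("review:", suspicious_targets(parsed))
```

Paste the whole task section of a ComboFix log into parse_tasks() to run it against a real listing. Jobs shown without a target still count: a job file that ComboFix could not resolve to a program is worth opening by hand rather than ignoring.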

#4 Hollowman
  • Topic Starter
  • Members
  • 8 posts

Posted 26 August 2007 - 05:32 PM

Another HijackThis file in case I did it wrong last time.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:36:15 PM, on 8/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Broadcom\BACS\BacsTray.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Printkey.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.cox.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {343D3FDC-F038-BC96-1215-FC8DB8548F99} - (no file)
O2 - BHO: (no name) - {646B6DD8-F460-B69E-4B15-FC8DB854819B} - (no file)
O2 - BHO: (no name) - {663B6ADB-F06E-BF9A-4B15-FC8DB8548E9E} - (no file)
O2 - BHO: (no name) - {666B6D89-A36F-B69C-4F15-FC8DB854D2CD} - (no file)
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - (no file)
O2 - BHO: (no name) - {991EF04C-93CF-469b-A2BE-CC1B3347566F} - (no file)
O2 - BHO: (no name) - {BBCA26E0-F8EB-450C-A572-545DBF6C4C75} - (no file)
O2 - BHO: (no name) - {E924034F-CBAA-D15D-8ADC-90ABAA030490} - (no file)
O2 - BHO: (no name) - {f38a5dac-8c54-4ed0-915e-f7365b0f2995} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [bacstray] C:\Program Files\Broadcom\BACS\\BacsTray.exe
O4 - HKLM\..\Run: [ms036354521792007] C:\WINDOWS\ms036354521792007
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Shortcut to Printkey.lnk = C:\Printkey.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1188058813078
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1188058791250
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = assi.com
O17 - HKLM\Software\..\Telephony: DomainName = assi.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = assi.com
O20 - Winlogon Notify: awvtq - C:\WINDOWS\
O20 - Winlogon Notify: devlpk - devlpk.dll (file missing)
O20 - Winlogon Notify: pmnmlji - pmnmlji.dll (file missing)
O20 - Winlogon Notify: qomnono - qomnono.dll (file missing)
O20 - Winlogon Notify: rqrrqop - rqrrqop.dll (file missing)
O20 - Winlogon Notify: SensLogon - ertw1.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 9745 bytes

#5 Hollowman
  • Topic Starter
  • Members
  • 8 posts

Posted 26 August 2007 - 06:49 PM

Hi Tea,

Well, whatever ComboFix did, the pop-ups seem to have stopped for now. Thank you for that. However, the wallpaper is now a weird color and cannot be changed. Any other suggestions?

Also, do you see anything else in the hijackthis log?

Thank you again.

#6 teacup61
    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 26 August 2007 - 08:10 PM

Hello,

We're not done yet, so no need to worry. :thumbsup:

First you should know that you're actually doing more harm than good by running two anti-virus programs (Trend Micro and Norton). When you do this, both programs compete for resources, and the end result is that neither does its best, and it can cause system instability. I recommend that you choose the one you want to keep, update it, disable the other one, and use it as an on-demand-only scan occasionally.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {343D3FDC-F038-BC96-1215-FC8DB8548F99} - (no file)
O2 - BHO: (no name) - {646B6DD8-F460-B69E-4B15-FC8DB854819B} - (no file)
O2 - BHO: (no name) - {663B6ADB-F06E-BF9A-4B15-FC8DB8548E9E} - (no file)
O2 - BHO: (no name) - {666B6D89-A36F-B69C-4F15-FC8DB854D2CD} - (no file)
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - (no file)
O2 - BHO: (no name) - {991EF04C-93CF-469b-A2BE-CC1B3347566F} - (no file)
O2 - BHO: (no name) - {BBCA26E0-F8EB-450C-A572-545DBF6C4C75} - (no file)
O2 - BHO: (no name) - {E924034F-CBAA-D15D-8ADC-90ABAA030490} - (no file)
O2 - BHO: (no name) - {f38a5dac-8c54-4ed0-915e-f7365b0f2995} - (no file)
O20 - Winlogon Notify: awvtq - C:\WINDOWS\
O20 - Winlogon Notify: devlpk - devlpk.dll (file missing)
O20 - Winlogon Notify: pmnmlji - pmnmlji.dll (file missing)
O20 - Winlogon Notify: qomnono - qomnono.dll (file missing)
O20 - Winlogon Notify: rqrrqop - rqrrqop.dll (file missing)
O20 - Winlogon Notify: SensLogon - ertw1.dll (file missing)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

Use Windows Search (Start > Search > For Files or Folders), to search for the following file:
ms036354521792007

Please go to VirusTotal and submit the file for a scan and post the results in your next reply. Please also post a new HijackThis log. :flowers:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?
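
The reply above removes the O2 BHO entries reported as "(no file)" and the O20 Winlogon Notify entries whose DLL is missing or whose value is a bare directory, and asks for a VirusTotal verdict on the O4 Run target with no file extension before touching it. The script below is an added example, not part of this thread and not HijackThis's own code: it applies those three rules to HijackThis log lines. The "no file extension" rule for O4 entries is this example's heuristic rather than a rule stated in the thread, and the sample log is constructed from the shapes of the lines posted above.

```python
"""Triage HijackThis log lines the way the reply above does, mechanically.

Added example; not part of the thread and not HijackThis's own code. It
reports
  * O2 BHO entries whose DLL is "(no file)"                 -> "Fix checked"
  * O20 Winlogon Notify entries marked "(file missing)" or
    pointing at a bare directory path                        -> "Fix checked"
  * O4 Run entries whose program has no file extension       -> submit to
    VirusTotal before deciding
The O4 rule is an assumption made for this example; the sample log is
constructed from the shapes of the posted lines.
"""
import re

BHO_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)
NOTIFY_LINE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
RUN_LINE = re.compile(
    r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)
EXT_AT_END = re.compile(r"\.[A-Za-z0-9]{1,4}$")

# Constructed sample in the shape of the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {343D3FDC-F038-BC96-1215-FC8DB8548F99} - (no file)
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - (no file)
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ms036354521792007] C:\WINDOWS\ms036354521792007
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: awvtq - C:\WINDOWS\
O20 - Winlogon Notify: devlpk - devlpk.dll (file missing)
O20 - Winlogon Notify: SensLogon - ertw1.dll (file missing)
"""


def executable_of(cmd):
    """Program path from a Run value: the quoted part, or an unquoted path that
    may contain spaces (extended token by token until it ends in an extension;
    if it never does, the whole value is taken as the program)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split(" ")
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if EXT_AT_END.search(candidate):
            return candidate
    return cmd


def orphaned_bhos(lines):
    """CLSIDs of BHO entries whose DLL HijackThis reports as (no file)."""
    return [m["clsid"] for m in map(BHO_LINE.match, lines)
            if m and m["path"].strip() == "(no file)"]


def orphaned_winlogon_notify(lines):
    """Notify subkeys whose DLL is missing or whose value is only a directory."""
    found = []
    for m in map(NOTIFY_LINE.match, lines):
        if not m:
            continue
        path = m["path"].strip()
        if path.endswith("(file missing)") or path.endswith("\\"):
            found.append(m["key"])
    return found


def run_entries_without_extension(lines):
    """(value name, program) for Run entries whose program has no extension."""
    found = []
    for m in map(RUN_LINE.match, lines):
        if not m:
            continue
        exe = executable_of(m["cmd"])
        if "." not in exe.rsplit("\\", 1)[-1]:
            found.append((m["name"], exe))
    return found


def triage(log_text):
    """Bucket the interesting entries of a HijackThis log by recommended action."""
    lines = log_text.splitlines()
    return {
        "fix_bho": orphaned_bhos(lines),
        "fix_winlogon_notify": orphaned_winlogon_notify(lines),
        "submit_to_virustotal": run_entries_without_extension(lines),
    }


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

Run it as-is against the constructed sample, or pass the contents of a saved hijackthis.log to triage(). An entry landing in a bucket is a candidate for review, not a verdict: the Winlogon Notify check, for instance, also matches a legitimate subkey whose DLL has simply been deleted, which is why the reply above pairs the fix with a reboot and a fresh log.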

#7 Hollowman
  • Topic Starter
  • Members
  • 8 posts

Posted 27 August 2007 - 07:28 PM

OK, Thank you for your patience with me. After a VERY long work day, I'm back to working on this monster.

I did just as you said. I removed the Symantec antivirus, then ran HijackThis and deleted the entries you suggested.

After that, I did the search for the file in question, and was only able to find two instances of it: a prefetch file "MS036354521792007.EXE-17A5FE75.pf" and a quarantined file of the same name with a ".vir" extension on it. Below are the HijackThis results and the VirusTotal results.


HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:31:53 PM, on 8/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Broadcom\BACS\BacsTray.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Printkey.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.cox.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [bacstray] C:\Program Files\Broadcom\BACS\\BacsTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Shortcut to Printkey.lnk = C:\Printkey.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1188058813078
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1188058791250
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = assi.com
O17 - HKLM\Software\..\Telephony: DomainName = assi.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = assi.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 6641 bytes



Virustotal:

Antivirus Version Last Update Result
AhnLab-V3 2007.8.28.0 2007.08.27 -
AntiVir 7.4.1.63 2007.08.27 -
Authentium 4.93.8 2007.08.26 -
Avast 4.7.1029.0 2007.08.27 -
AVG 7.5.0.484 2007.08.27 -
BitDefender 7.2 2007.08.28 -
CAT-QuickHeal 9.00 2007.08.25 -
ClamAV 0.91 2007.08.28 -
DrWeb 4.33 2007.08.27 -
eSafe 7.0.15.0 2007.08.26 -
eTrust-Vet 31.1.5088 2007.08.27 -
Ewido 4.0 2007.08.27 -
FileAdvisor 1 2007.08.28 -
Fortinet 2.91.0.0 2007.08.27 -
F-Prot 4.3.2.48 2007.08.26 -
F-Secure 6.70.13030.0 2007.08.28 -
Ikarus T3.1.1.12 2007.08.28 -
Kaspersky 4.0.2.24 2007.08.28 -
McAfee 5106 2007.08.27 -
Microsoft 1.2803 2007.08.28 -
NOD32v2 2486 2007.08.27 -
Norman 5.80.02 2007.08.27 -
Panda 9.0.0.4 2007.08.28 Suspicious file
Prevx1 V2 2007.08.28 Trojan.Downloader
Rising 19.38.02.00 2007.08.27 -
Sophos 4.21.0 2007.08.28 -
Sunbelt 2.2.907.0 2007.08.25 -
Symantec 10 2007.08.27 -
TheHacker 6.1.9.173 2007.08.27 -
VBA32 3.12.2.3 2007.08.27 -
VirusBuster 4.3.26:9 2007.08.27 -
Webwasher-Gateway 6.0.1 2007.08.27 -
Additional information
File size: 192512 bytes
MD5: e4e884bc725820e800e291f46b72b4ce
SHA1: cd58a40888c9d7b1b423795d0acc728ef1f63f09
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5...286DB00E0013D5A


Thank you very much for your time on this.

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:43 PM

Posted 28 August 2007 - 12:34 AM

Hello,

You're most welcome. :thumbsup:

However, the wallpaper is now a weird color and unable to be changed.

Is this still happening?

Let's clean out the registry some (This should also get rid of that file you found in Prefetch) :

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Download the trial version of Spy Sweeper from here.


Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.

Restart your computer, and then please copy and paste the SpySweeper log into this thread.

Please also let me know how it's running now. :flowers:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#9 Hollowman

Hollowman
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:43 PM

Posted 28 August 2007 - 06:10 AM

OK, I ran ATF Cleaner and Spy Sweeper. Here are the Spy Sweeper results.

What's next?

7:12 AM: Removal process completed. Elapsed time 00:01:19
7:11 AM: Quarantining All Traces: trojan-downloader.gen
7:11 AM: Quarantining All Traces: bho_xmlhelper
7:11 AM: Quarantining All Traces: bookedspace
7:11 AM: Quarantining All Traces: trojan-poolsv
7:11 AM: Quarantining All Traces: zenosearchassistant
7:11 AM: Quarantining All Traces: enbrowser
7:11 AM: Quarantining All Traces: trojan downloader matcash
7:10 AM: Quarantining All Traces: purityscan
7:10 AM: Removal process initiated
7:10 AM: Traces Found: 13
7:10 AM: Full Sweep has completed. Elapsed time 00:20:17
7:10 AM: File Sweep Complete, Elapsed Time: 00:15:23
7:08 AM: Warning: TCompressedFile.GetStreams(1): Stream read error
7:08 AM: C:\SDFix\backups\backups.zip (ID = 560496)
7:08 AM: C:\SDFix\backups\backups.zip (ID = 372576)
7:08 AM: C:\SDFix\backups\backups.zip (ID = 790944)
7:08 AM: Found Adware: trojan-downloader.gen
7:04 AM: Warning: SweepDirectories: Cannot find directory "d:". This directory was not added to the list of paths to be scanned.
7:04 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsc17e00aa-3e60-48a2-a818-b3793034dc62.tmp". The operation completed successfully
7:04 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms5b85cd35-3892-484c-8bc3-e0262f609934.tmp". The operation completed successfully
7:04 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms4fe146b1-2e77-48a5-a36a-841229f89f89.tmp". The operation completed successfully
7:04 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms398a2bd4-3a9a-4a92-8ac2-cfc0486f66f1.tmp". The operation completed successfully
7:04 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms7451a6d6-1b22-4dbb-abcd-26d6e66259d7.tmp". The operation completed successfully
7:04 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms77eaa4b7-f3ea-495a-87c4-c9f61fab3129.tmp". The operation completed successfully
7:04 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms19ac55ce-40fd-41dc-a727-0b34322af8bb.tmp". The operation completed successfully
7:04 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms18a080ca-e8f1-4657-bbc4-03f09706da89.tmp". The operation completed successfully
7:04 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms3c19317a-5afb-497b-b1ff-a0cb00a587be.tmp". The operation completed successfully
7:04 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms98ab5c1e-6cfb-4acf-93e8-f750354c73e9.tmp". The operation completed successfully
7:02 AM: C:\Startup\Think-Adz.lnk (ID = 372576)
7:02 AM: Found Adware: zenosearchassistant
6:55 AM: Starting File Sweep
6:55 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
6:55 AM: Starting Cookie Sweep
6:55 AM: Registry Sweep Complete, Elapsed Time:00:01:02
6:55 AM: HKU\WRSS_Profile_S-1-5-21-2144127933-2925511071-2785895544-500\software\zabstract\ (ID = 2118217)
6:55 AM: HKU\WRSS_Profile_S-1-5-21-2144127933-2925511071-2785895544-500\software\cfg32\contextserver\ (ID = 2118195)
6:55 AM: Found Adware: bookedspace
6:54 AM: HKU\WRSS_Profile_S-1-5-21-789336058-2049760794-725345543-13353\software\system\sysuid\ (ID = 731748)
6:54 AM: Found Adware: enbrowser
6:54 AM: HKU\S-1-5-21-789336058-2049760794-725345543-13356\software\microsoft\windows\currentversion\uninstall\wintouch\ (ID = 2443371)
6:54 AM: Found Trojan Horse: trojan downloader matcash
6:54 AM: HKU\S-1-5-21-789336058-2049760794-725345543-13356\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\outerinfo\ (ID = 2062989)
6:54 AM: Found Adware: purityscan
6:54 AM: HKLM\software\classes\typelib\{09dc28c6-bce2-42b1-b3ea-8ab82f0f3b0a}\ (ID = 2394758)
6:54 AM: HKLM\software\classes\appid\{91c9ce76-9eb1-4a77-92a1-27c44dbbfeee}\ (ID = 2312247)
6:54 AM: HKLM\software\classes\appid\bho_adw.dll\ (ID = 2312245)
6:54 AM: Found Adware: bho_xmlhelper
6:54 AM: HKLM\software\microsoft\windows\spoolsv\ || datepoolsv (ID = 2218317)
6:54 AM: Found Trojan Horse: trojan-poolsv
6:54 AM: Starting Registry Sweep
6:54 AM: Memory Sweep Complete, Elapsed Time: 00:02:59
6:51 AM: Starting Memory Sweep
6:50 AM: Start Full Sweep
6:50 AM: Sweep initiated using definitions version 977
Keylogger: Off
6:46 AM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
E-mail Attachment: On
6:46 AM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: Off
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
6:46 AM: Shield States
6:46 AM: License Check Status (0): Success
6:46 AM: Spyware Definitions: 977
6:45 AM: Spy Sweeper 5.5.7.48 started
6:45 AM: Spy Sweeper 5.5.7.48 started
6:45 AM: | Start of Session, August 28, 2007 |
***************
Common Ad Sites: Off
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
6:33 AM: Shield States
6:33 AM: License Check Status (0): Success
6:33 AM: Spyware Definitions: 977
6:32 AM: Spy Sweeper 5.5.7.48 started
6:32 AM: Spy Sweeper 5.5.7.48 started
6:32 AM: | Start of Session, August 28, 2007 |
***************
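A reconciliation check for a Spy Sweeper session log like the one posted above, added here as an example (it is not a tool from this thread or from Webroot): it pairs each "Found" entry with the trace lines logged under it, compares the total with the "Traces Found" count, and flags any detection that never reached the "Quarantining All Traces" step. The sample log is constructed in the same layout; its paths and IDs are made up.

```python
import re
# Constructed sample in Spy Sweeper's session-log layout (newest line first),
# modelled on the log posted in this thread; the paths and IDs are made up.
SAMPLE_LOG = """\
7:11 AM: Quarantining All Traces: trojan-downloader.gen
7:11 AM: Quarantining All Traces: purityscan
7:10 AM: Traces Found: 4
7:08 AM: C:\\SDFix\\backups\\backups.zip (ID = 560496)
7:08 AM: C:\\SDFix\\backups\\backups.zip (ID = 372576)
7:08 AM: Found Adware: trojan-downloader.gen
6:55 AM: Starting File Sweep
6:54 AM: HKU\\S-1-5-21-1\\software\\example\\outerinfo\\ (ID = 2062989)
6:54 AM: Found Adware: purityscan
6:54 AM: HKLM\\software\\microsoft\\windows\\spoolsv\\ || datepoolsv (ID = 2218317)
6:54 AM: Found Trojan Horse: trojan-poolsv
"""

TS = r"^\d+:\d\d [AP]M: "
FOUND = re.compile(TS + r"Found ([^:]+): (.+)$")
TRACE = re.compile(TS + r"(.+) \(ID = \d+\)$")
QUARANTINED = re.compile(TS + r"Quarantining All Traces: (.+)$")
REPORTED = re.compile(TS + r"Traces Found: (\d+)$")

def parse_sweep(log):
    """Return (found, quarantined, reported); found maps threat name -> trace lines."""
    found, quarantined, reported, current = {}, set(), None, None
    for line in reversed(log.splitlines()):   # the log is written newest first
        if m := FOUND.match(line):
            current = m.group(2).strip()       # a "Found" line opens a group
            found.setdefault(current, [])
        elif (m := TRACE.match(line)) and current is not None:
            found[current].append(m.group(1))  # trace belongs to the open group
        elif m := QUARANTINED.match(line):
            quarantined.add(m.group(1).strip())
        elif m := REPORTED.match(line):
            reported = int(m.group(1))
        else:
            current = None                     # phase change or warning ends the group
    return found, quarantined, reported

def reconcile(log):
    found, quarantined, reported = parse_sweep(log)
    traces = sum(len(v) for v in found.values())
    return {
        "found": found,
        "trace_count": traces,
        "count_matches_report": reported == traces,
        "not_quarantined": sorted(set(found) - quarantined),
        "quarantined_but_not_found": sorted(quarantined - set(found)),
    }
```

In the sample, trojan-poolsv is detected but never quarantined, which is the kind of gap worth re-running a sweep for; on the log posted above all eight names appear in both phases and the thirteen trace lines match the reported count.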

#10 Hollowman

Hollowman
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:43 PM

Posted 28 August 2007 - 06:45 AM

Yes, I still cannot change the desktop.

#11 Hollowman

Hollowman
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:43 PM

Posted 28 August 2007 - 07:43 AM

Hi Tea,

I ran yet another spy sweeper scan and it came up clean. The PC is running great now. As far as the wallpaper issue, I believe I figured it out. I ran a utility called Desktopclean that fixed my registry for the desktop settings and it works great now.

I can't thank you enough for all your help. This is a GREAT site. I have added it to my favorites and I WILL be making a donation as well as taking a course on how to read HijackThis logs.

Thank you again,

Hollowman

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:43 PM

Posted 28 August 2007 - 09:15 AM

Good Morning :flowers:

That's great to know! :thumbsup: You're most welcome for the help.

Please delete ComboFix and its accompanying folder C:\Qoobox. SpySweeper is just a trial, so you can remove it, or keep it until the trial runs out if you like it. :huh: Do keep ATF Cleaner if you like it. I love it and run it on my own computer regularly.

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

It is very important to maintain your Firewall.
A tutorial on understanding and using firewalls may be found here.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Take care!
tea

#13 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:43 PM

Posted 05 September 2007 - 10:29 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



