
Infected With Anti-spy Storm Spyware


  • This topic is locked
14 replies to this topic

#1 dexisbest

  • Members
  • 9 posts

Posted 06 September 2007 - 01:58 AM

Hi,

my machine is infected with spyware. Pop-up balloons taking me to a site for Antispy Storm keep occurring. I've done some initial cleaning procedures but the problem persists.

Thanks for your help in advance....

Here is my hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:56:29 PM, on 6/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\nusrmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {39C6B6C8-E01E-3175-B583-04FDA1EE088B} - C:\Program Files\Tvexbisq\rypwsojv.dll
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: oembios32.msdn_hlp - {AB5FE6E5-7C72-4B89-85D0-D57E7AEAC236} - C:\WINDOWS\system32\oembios32.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [fizodibk] rundll32.exe "C:\Program Files\admfibar\apghujkl.dll",Init
O4 - HKLM\..\Run: [hixctkrk] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\hixctkrk.dll"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O20 - Winlogon Notify: winmxw32 - C:\WINDOWS\SYSTEM32\winmxw32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 7426 bytes


Thanks


Emilio
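The log above is the kind a Malware Response Team member triages by eye: orphaned BHO CLSIDs, unnamed BHOs that still point at a DLL, Run-key entries that use rundll32 or regsvr32 to load a DLL from an odd directory, and a Winlogon Notify DLL. The script below is an added example, not part of the original post, that encodes those first-pass checks. The embedded sample is an excerpt of the HijackThis lines posted above; the severity rules and the assumption that a legitimate BHO normally lives in a vendor directory rather than system32 are the editor's, and every hit still has to be confirmed by hand.

```python
"""Quick triage of Trend Micro HijackThis 2.x log lines (O2, O4, O20 sections).

Added example for this thread, not the forum's or Trend Micro's own tooling.
Rules are heuristics: they rank entries for a human to check, nothing more.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of the log posted above (plus one clean HKCU line) so the
# script runs offline.  Raw string: the backslashes are literal.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {39C6B6C8-E01E-3175-B583-04FDA1EE088B} - C:\Program Files\Tvexbisq\rypwsojv.dll
O2 - BHO: oembios32.msdn_hlp - {AB5FE6E5-7C72-4B89-85D0-D57E7AEAC236} - C:\WINDOWS\system32\oembios32.dll
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [fizodibk] rundll32.exe "C:\Program Files\admfibar\apghujkl.dll",Init
O4 - HKLM\..\Run: [hixctkrk] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\hixctkrk.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: winmxw32 - C:\WINDOWS\SYSTEM32\winmxw32.dll
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First Windows path ending in a loadable module; non-greedy so it stops at the extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|ocx|cpl)\b", re.I)
LOADER_RE = re.compile(r"\b(rundll32(?:\.exe)?|regsvr32(?:\.exe)?)\b", re.I)


@dataclass
class Finding:
    section: str            # O2, O4, O20
    severity: str           # high / medium / low
    reason: str
    path: Optional[str]
    line: str


def _first_path(text: str) -> Optional[str]:
    m = PATH_RE.search(text)
    return m.group(0) if m else None


def _check_bho(body: str, line: str) -> Optional[Finding]:
    # body: "BHO: <name> - {CLSID} - <file or (no file)>"
    path = _first_path(body)
    if "(no file)" in body:
        return Finding("O2", "low", "orphaned BHO CLSID, DLL already gone (registry cleanup only)", None, line)
    if body.startswith("BHO: (no name)"):
        return Finding("O2", "high", "unnamed BHO backed by a DLL on disk", path, line)
    if path and "\\system32\\" in path.lower():
        # Assumption: third-party BHOs normally live under Program Files; verify this file's hash.
        return Finding("O2", "medium", "BHO loaded from system32 rather than a vendor directory", path, line)
    return None


def _check_run(body: str, line: str) -> Optional[Finding]:
    path = _first_path(body)
    loader = LOADER_RE.search(body)
    if loader and path and "\\windows\\" not in path.lower():
        how = loader.group(1).lower()
        if how.startswith("regsvr32") and "/u" in body.lower():
            # regsvr32 /u still calls the DLL's DllUnregisterServer export, i.e. it runs code at every logon.
            reason = "regsvr32 /u still executes DllUnregisterServer, so the DLL runs at every logon"
        else:
            reason = f"{how} used to load a DLL outside %SystemRoot%"
        return Finding("O4", "high", reason, path, line)
    if path and "\\application data\\" in path.lower():
        return Finding("O4", "medium", "autorun from a per-machine Application Data folder", path, line)
    return None


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue                      # process list, header lines, etc.
        section, body = m.groups()
        if section == "O2":
            f = _check_bho(body, raw)
        elif section == "O4":
            f = _check_run(body, raw)
        elif section == "O20":
            # Any DLL here is mapped into winlogon.exe and runs as SYSTEM at each logon.
            f = Finding("O20", "high", "Winlogon Notify DLL runs inside winlogon.exe as SYSTEM", _first_path(body), raw)
        else:
            f = None
        if f:
            findings.append(f)
    return findings


def summarize(findings: list[Finding]) -> dict:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.path or f.line}")
    print(summarize(hits))
```

Run against the excerpt it reports four high-severity lines (the unnamed Tvexbisq BHO, both loader-based Run entries and the Winlogon Notify DLL), one medium (the system32 BHO) and one low (the orphaned CLSID), while the CA tray and ctfmon entries pass untouched.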


#2 RichieUK (Malware Assassin)


  • Malware Response Team
  • 13,614 posts

Posted 06 September 2007 - 08:56 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum dexisbest :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new Hijackthis log please.

#3 dexisbest (Topic Starter)

  • Members
  • 9 posts

Posted 09 September 2007 - 06:46 PM

Hi Richie ... thanks for helping me out :thumbsup:

Here is the ComboFix log .... it rebooted automatically prior to finishing producing the log ... hope that was ok

ComboFix 07-09-10.2 - "Katherine" 2007-09-10 8:49:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.117 [GMT 10:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ALLUSE~1\APPLIC~1.\hixctkrk.dll
C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\admfibar
C:\Program Files\admfibar\apghujkl.dll
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe
C:\Program Files\Tvexbisq
C:\Program Files\Tvexbisq\rypwsojv.dll
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\flt.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\system32\0.txt
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\fccyaxu.dll
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\hggdayy.dll
C:\WINDOWS\system32\O.txt
C:\WINDOWS\system32\o.txt
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\winmxw32.dll
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\temp\cache
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wml.exe


((((((((((((((((((((((((( Files Created from 2007-08-10 to 2007-09-10 )))))))))))))))))))))))))))))))
.

2007-09-10 08:41 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-08 15:40 95,744 --a------ C:\WINDOWS\system32\drvmak.dll
2007-09-08 15:40 23,808 --a------ C:\WINDOWS\system32\ESHOPEE.exe
2007-09-08 15:40 23,296 --a------ C:\WINDOWS\kvnab$.exe
2007-09-08 15:40 21,504 --a------ C:\WINDOWS\cbinst$.exe
2007-09-08 15:40 20,480 --a------ C:\WINDOWS\system32\msole32.exe
2007-09-08 15:40 19,968 --a------ C:\WINDOWS\iexplorr23.dll
2007-09-08 15:40 15,360 --a------ C:\WINDOWS\system32\drvmakr.dll
2007-09-08 15:40 11,520 --a------ C:\WINDOWS\fhfmm.exe
2007-09-08 15:40 <DIR> d-------- C:\Program Files\amsys
2007-09-08 15:39 <DIR> d-------- C:\Program Files\akl
2007-09-08 15:28 8,448 --a------ C:\WINDOWS\kkcomp.dll
2007-09-08 15:28 26,880 --a------ C:\WINDOWS\xadbrk.dll
2007-09-08 15:28 15,360 --a------ C:\WINDOWS\liqad.exe
2007-09-08 15:28 11,520 --a------ C:\WINDOWS\pbsysie.dll
2007-09-08 15:28 <DIR> d-------- C:\Program Files\Accoona
2007-09-08 15:15 29,184 --a------ C:\WINDOWS\liqui.exe
2007-09-08 15:15 18,432 --a------ C:\WINDOWS\liqui.dll
2007-09-08 15:14 8,448 --a------ C:\WINDOWS\wbeCheck.exe
2007-09-08 15:14 27,904 --a------ C:\WINDOWS\liqad.dll
2007-09-08 15:14 24,320 --a------ C:\WINDOWS\kvnab.exe
2007-09-08 15:14 23,808 --a------ C:\WINDOWS\kvnab.dll
2007-09-08 15:14 15,360 --a------ C:\WINDOWS\xadbrk.exe
2007-09-08 15:14 14,336 --a------ C:\WINDOWS\hcwprn.exe
2007-09-08 15:14 14,080 --a------ C:\WINDOWS\settn.dll
2007-09-08 15:14 13,056 --a------ C:\WINDOWS\kkcomp.exe
2007-09-08 14:57 <DIR> d-------- C:\Program Files\AntispyStorm
2007-09-08 13:43 95,744 --a------ C:\WINDOWS\system32\drvnej.dll
2007-09-08 13:43 15,360 --a------ C:\WINDOWS\system32\drvnejr.dll
2007-09-06 17:35 <DIR> d-------- C:\31.1.5114
2007-09-06 16:16 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-06 12:56 <DIR> d-------- C:\DOCUME~1\KATHER~2\DoctorWeb
2007-09-06 09:59 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-06 09:58 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-06 09:45 20,224 --a------ C:\WINDOWS\wbeInst$.exe
2007-09-05 18:45 33,280 --a------ C:\WINDOWS\system32\rundll32.exe
2007-09-05 18:45 33,280 --a------ C:\WINDOWS\system32\dllcache\rundll32.exe
2007-09-05 18:29 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-09-05 18:28 29,696 --a------ C:\WINDOWS\daxtime.dll
2007-09-05 18:28 25,344 --a------ C:\WINDOWS\liqad$.exe
2007-09-05 18:28 23,808 --a------ C:\WINDOWS\fhfmm-Uninstaller.exe
2007-09-05 18:28 23,296 --a------ C:\WINDOWS\eventlowg.dll
2007-09-05 18:28 22,272 --a------ C:\WINDOWS\kkcomp$.exe
2007-09-05 18:28 16,128 --a------ C:\WINDOWS\xadbrk_.exe
2007-09-05 18:28 12,800 --a------ C:\WINDOWS\liqui-Uninstaller.exe
2007-09-05 18:27 <DIR> d-------- C:\Program Files\e-zshopper
2007-09-05 18:06 21,504 --a------ C:\WINDOWS\system32\oembios32.dll
2007-09-05 18:04 94,208 --a------ C:\WINDOWS\system32\drvtej.dll
2007-09-05 18:04 15,360 --a------ C:\WINDOWS\system32\drvtejr.dll
2007-09-05 18:04 <DIR> d-------- C:\WINDOWS\system32\wowrlegl
2007-09-05 13:15 <DIR> d-------- C:\Program Files\iPod
2007-09-05 13:14 <DIR> d-------- C:\Program Files\iTunes
2007-09-05 13:07 <DIR> d-------- C:\Program Files\Apple Software Update
2007-09-05 13:06 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-09-05 13:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-08-27 16:11 38,400 --a------ C:\WINDOWS\HPLTLNK.EXE
2007-08-27 09:53 <DIR> d-------- C:\Program Files\HP design jet 230 plotter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-06 09:23 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-09-06 09:23 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-09-05 18:27 8960 --a------ C:\WINDOWS\ngd.dll
2007-09-05 18:27 8448 --a------ C:\WINDOWS\system32\ace16win.dll
2007-09-05 18:27 29440 --a------ C:\WINDOWS\aconti.exe
2007-09-05 18:27 28672 --a------ C:\WINDOWS\adbar.dll
2007-09-05 18:27 26368 --a------ C:\WINDOWS\spredirect.dll
2007-09-05 18:27 24576 --a------ C:\WINDOWS\xxxvideo.exe
2007-09-05 18:27 23296 --a------ C:\WINDOWS\dp0.dll
2007-09-05 18:27 21504 --a------ C:\WINDOWS\hotporn.exe
2007-09-05 18:27 20480 --a------ C:\WINDOWS\jd2002.dll
2007-09-05 18:27 14080 --a------ C:\WINDOWS\ie_32.exe
2007-09-05 18:05 8852 --a------ C:\WINDOWS\system32\drivers\download_btn.jpg
2007-09-05 18:05 877 --a------ C:\WINDOWS\system32\drivers\header_red_bg.gif
2007-09-05 18:05 838 --a------ C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
2007-09-05 18:05 821 --a------ C:\WINDOWS\system32\drivers\shadow_bg.gif
2007-09-05 18:05 72 --a------ C:\WINDOWS\system32\drivers\bg_bg.gif
2007-09-05 18:05 64 --a------ C:\WINDOWS\system32\drivers\close_ico.gif
2007-09-05 18:05 4448 --a------ C:\WINDOWS\system32\drivers\download_now_btn.gif
2007-09-05 18:05 4008 --a------ C:\WINDOWS\system32\drivers\rating.gif
2007-09-05 18:05 3216 --a------ C:\WINDOWS\system32\drivers\header_red_free_scan.gif
2007-09-05 18:05 3031 --a------ C:\WINDOWS\system32\drivers\spyware_detected.gif
2007-09-05 18:05 26487 --a------ C:\WINDOWS\system32\drivers\screenshot.jpg
2007-09-05 18:05 1743 --a------ C:\WINDOWS\system32\drivers\remove_spyware_header.gif
2007-09-05 18:05 16977 --a------ C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
2007-09-05 18:05 16941 --a------ C:\WINDOWS\system32\drivers\icon_warning_big.gif
2007-09-05 18:05 1381 --a------ C:\WINDOWS\system32\drivers\warning_ico.gif
2007-09-05 18:05 1014 --a------ C:\WINDOWS\system32\drivers\yellow_warning_ico.gif
2007-09-05 18:04 3552 --a------ C:\WINDOWS\system32\drivers\cell_header_remove.gif
2007-09-05 18:04 3479 --a------ C:\WINDOWS\system32\drivers\cell_header_scan.gif
2007-09-05 18:04 3313 --a------ C:\WINDOWS\system32\drivers\cell_header_block.gif
2007-09-05 18:04 1373 --a------ C:\WINDOWS\system32\drivers\cell_footer.gif
2007-09-05 18:04 1342 --a------ C:\WINDOWS\system32\drivers\cell_bg.gif
2007-09-05 13:11 --------- d-------- C:\Program Files\QuickTime
2007-09-05 13:10 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-08-03 12:31 --------- d-------- C:\DOCUME~1\KATHER~2\APPLIC~1\LimeWire
2007-08-03 12:00 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-03 11:28 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SSScanWizard
2007-08-03 11:28 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SSScanAppDataDir
2007-08-03 11:27 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ScanSoft
2007-07-31 12:20 --------- d-------- C:\Program Files\HPQ
2007-07-31 12:16 --------- d-------- C:\Program Files\Sonic
2007-07-31 12:12 --------- d-------- C:\Program Files\Canon
2007-07-31 12:09 --------- d-------- C:\Program Files\ArcSoft
2007-07-31 12:02 --------- d-------- C:\Program Files\Hewlett-Packard
2007-07-31 11:36 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\HP
2007-07-31 11:29 --------- d-------- C:\Program Files\UselessCreations
2007-07-31 11:29 --------- d-------- C:\Program Files\Common Files\HP
2007-07-31 11:23 --------- d-------- C:\Program Files\HP
2007-07-31 11:23 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Hewlett-Packard
2007-07-31 11:14 --------- d-------- C:\Program Files\AccuRate
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-30 18:51 --------- d-------- C:\DOCUME~1\KATHER~2\APPLIC~1\Talkback
2007-07-30 18:47 --------- d-------- C:\Program Files\Lavasoft
2007-07-30 18:47 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-30 18:44 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-30 09:59 --------- dr------- C:\DOCUME~1\KATHER~2\APPLIC~1\Brother
2007-07-30 09:42 879832 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2007-07-30 09:42 108360 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2007-06-27 01:13 851968 --------- C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-27 00:35 665600 --------- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 16:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 16:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 23:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 23:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-15 18:12 96256 --------- C:\WINDOWS\system32\dllcache\inseng.dll
2007-06-15 18:12 616960 --------- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-15 18:12 55808 --------- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-15 18:12 532480 --------- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-15 18:12 474112 --------- C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-15 18:12 449024 --------- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-15 18:12 39424 --------- C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-15 18:12 357888 --------- C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-15 18:12 3064320 --------- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-15 18:12 251904 --------- C:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-15 18:12 205824 --------- C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-15 18:12 16384 --------- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-15 18:12 151040 --------- C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-15 18:12 1498112 --------- C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-15 18:12 146432 --------- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-15 18:12 1054208 --------- C:\WINDOWS\system32\dllcache\danim.dll
2007-06-15 18:12 1022976 --------- C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 20:32 18432 --------- C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-13 20:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 20:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2007-03-30 19:25 800272 --a------ C:\DOCUME~1\KATHER~2\ppctl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AB5FE6E5-7C72-4B89-85D0-D57E7AEAC236}]
2007-09-05 18:06 21504 --a------ C:\WINDOWS\system32\oembios32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-28 16:00]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-05-04 12:17]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 20:15]
"RegistryMechanic"="" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 19:25]
"AntispyStorm"="C:\Program Files\AntispyStorm\AntispyStorm.exe" [2007-09-08 14:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 18:00]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 07:56:20]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-04-11 11:10:00]

C:\DOCUME~1\KATHER~2\STARTM~1\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-Link AirPlus.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\D-Link AirPlus.lnk
backup=C:\WINDOWS\pss\D-Link AirPlus.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=C:\WINDOWS\pss\DVD Check.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ChangeResolution]
C:\Documents and Settings\Administrator\ChangeResolution.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
C:\Program Files\HPQ\Default Settings\cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
"%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
"C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PublishPDF]
C:\WINDOWS\PublishPDF\PublishPDF_Loader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

R1 ClntMgmt.sys;ClntMgmt.sys;C:\WINDOWS\system32\Drivers\ClntMgmt.sys
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe"
S3 AIRPLUS;D-Link AirPlus Wireless Adapter;C:\WINDOWS\system32\DRIVERS\airplus.sys
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys
S3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\system32\Drivers\BrUsbMdm.sys
S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\cmo_bus.sys
S3 cmo_mdfl;Data Modem @ CDMA Filter;C:\WINDOWS\system32\DRIVERS\cmo_mdfl.sys
S3 cmo_mdm;Data Modem @ CDMA Drivers;C:\WINDOWS\system32\DRIVERS\cmo_mdm.sys
S3 cmo_serd;Data Modem @ CDMA Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\cmo_serd.sys
S3 mf;mf;C:\WINDOWS\system32\DRIVERS\mf.sys
S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINDOWS\system32\DRIVERS\MSIRCOMM.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{37da9833-e7d3-11db-ab8e-0014380a9c19}]
AutoRun\command- setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63087a20-d696-11db-ab83-0014380a9c19}]
AutoRun\command- E:\Launch.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-05 03:07:33 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-05-29 12:46:38 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Katherine at 7 24 PM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-10 09:15:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-10 9:33:27 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-10 09:33
.
--- E O F ---


And here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:21 AM, on 10/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: oembios32.msdn_hlp - {AB5FE6E5-7C72-4B89-85D0-D57E7AEAC236} - C:\WINDOWS\system32\oembios32.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AntispyStorm] C:\Program Files\AntispyStorm\AntispyStorm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 6890 bytes


Thanks again

emilio
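As an added example (not code from this thread, nor from the HijackThis or ComboFix authors), a small Python triage script that parses the O2/O4/O23 line formats in the log above and flags the entries a malware-response helper checks first: orphaned BHO registrations, binaries dropped straight into %WINDIR% or system32, and autostart names matching a caller-supplied rogue-product list. The rogue-name list, the system32 allowlist and the flag labels are this example's own assumptions; the sample lines are copied from the posted log.

```python
"""Triage helper for HijackThis v2 log lines (added example, not from the thread).

Parses the O2 (browser helper object), O4 (autostart) and O23 (service) line
formats seen in the log above and flags what a malware-response helper looks
at first: a BHO whose DLL is gone ("(no file)"), a binary sitting directly in
%WINDIR% or system32 instead of a Program Files folder, and an autostart whose
name matches a caller-supplied list of known rogue products.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: oembios32.msdn_hlp - {AB5FE6E5-7C72-4B89-85D0-D57E7AEAC236} - C:\WINDOWS\system32\oembios32.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AntispyStorm] C:\Program Files\AntispyStorm\AntispyStorm.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
"""

# Genuine Windows XP components that legitimately live in system32 (assumed
# analyst-maintained allowlist for this example; extend as needed).
KNOWN_SYSTEM_BINARIES = {"ctfmon.exe"}

_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
_RUN = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$")
_LNK = re.compile(r"^O4 - (?P<hive>.+?): (?P<name>.+?\.lnk) = (?P<cmd>.*)$")
_SVC = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")
_SYSDIR = re.compile(r"[a-z]:\\windows(\\system32)?\\[^\\]+")


@dataclass
class Entry:
    kind: str            # "bho", "autostart" or "service"
    name: str            # display name, or the CLSID for a nameless BHO
    path: str            # binary path as HijackThis printed it
    raw: str
    flags: list = field(default_factory=list)


def binary_path(cmd: str) -> str:
    """Pull the executable path out of a Run command line (quoted or not).

    Handles the plain and quoted forms in the log; a loader such as rundll32
    is reported as the loader, not the DLL it loads.
    """
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"^(.*?\.(?:exe|dll|lnk|cmd|bat))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def parse_line(line: str):
    """Return an Entry for the O2/O4/O23 forms handled here, else None."""
    line = line.strip()
    if m := _BHO.match(line):
        name = m["name"] if m["name"] != "(no name)" else "{%s}" % m["clsid"]
        return Entry("bho", name, m["path"], line)
    if m := _RUN.match(line):
        return Entry("autostart", m["name"], binary_path(m["cmd"]), line)
    if m := _LNK.match(line):
        return Entry("autostart", m["name"], binary_path(m["cmd"]), line)
    if m := _SVC.match(line):
        return Entry("service", m["name"], m["path"], line)
    return None


def triage(log_text: str, rogue_names=()):
    """Parse a log and attach flags; entries with no flags are the quiet ones."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    rogue = [r.lower() for r in rogue_names]
    for e in entries:
        p = e.path.lower()
        if p == "(no file)":
            # Orphaned BHO CLSID: the DLL is gone but the registration remains.
            e.flags.append("orphan")
        elif _SYSDIR.fullmatch(p) and p.rsplit("\\", 1)[1] not in KNOWN_SYSTEM_BINARIES:
            # Third-party code dropped straight into %WINDIR% or system32.
            e.flags.append("system-dir")
        if any(r in e.name.lower() or r in p for r in rogue):
            e.flags.append("rogue-name")
    return entries


def flagged(entries):
    """Map each flagged entry's name to its flags, for a quick summary."""
    return {e.name: e.flags for e in entries if e.flags}


if __name__ == "__main__":
    for name, flags in flagged(triage(SAMPLE_LOG, rogue_names=("AntispyStorm",))).items():
        print(f"{name}: {', '.join(flags)}")
```

Run against the sample it reports the orphaned BHO CLSID, the oembios32.dll BHO in system32 and the AntispyStorm Run entry, while the iTunes, ctfmon, WinZip and CA entries stay quiet.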

#4 RichieUK

  • Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 10 September 2007 - 05:27 AM

Click on Start/Control Panel/Add or Remove Programs and remove/uninstall AntispyStorm if present, then restart your PC.

Download/unzip/extract CFScript to your desktop; the file is attached to the bottom of this post.
Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[Image: the CFScript file being dragged and dropped onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Download SmitfraudFix (by S!Ri) to your desktop.
Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Double-click on Smitfraudfix.cmd.
Select #2 and hit Enter to delete the infected files.
You will be prompted 'Do you want to clean the registry?'; answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): 'Replace infected file?' Answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process.
The report can be found at the root of the system drive, usually at C:\rapport.txt
Post the Smitfraudfix report into your next reply.

Also post a new Hijackthis log please.

#5 dexisbest

  • Topic Starter
  • Members
  • 9 posts

Posted 10 September 2007 - 06:40 PM

Richie ... the black background screen of death has gone ... hooray!! :thumbsup:

So here are the logs you asked for ... hopefully nothing else is persisting in the system.

I didn't know whether you wanted the HijackThis log done in safe mode or normal mode, so I did both (one in safe and one in normal) ... they are attached below.

Here is the new ComboFix log:

ComboFix 07-09-10.2 - "Katherine" 2007-09-11 8:48:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.94 [GMT 10:00]
* Created a new restore point

FILE::
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\settn.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\system32\drvnej.dll
C:\WINDOWS\system32\drvnejr.dll
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\daxtime.dll
C:\WINDOWS\liqad$.exe
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\Program Files\e-zshopper
C:\WINDOWS\system32\oembios32.dll
C:\WINDOWS\system32\drvtej.dll
C:\WINDOWS\system32\drvtejr.dll
C:\WINDOWS\ngd.dll
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\aconti.exe
C:\WINDOWS\adbar.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\xxxvideo.exe
C:\WINDOWS\dp0.dll
C:\WINDOWS\hotporn.exe
C:\WINDOWS\jd2002.dll
C:\WINDOWS\ie_32.exe
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\bg_bg.gif
C:\WINDOWS\system32\drivers\close_ico.gif
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\spyware_detected.gif
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\remove_spyware_header.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\icon_warning_big.gif
C:\WINDOWS\system32\drivers\warning_ico.gif
C:\WINDOWS\system32\drivers\yellow_warning_ico.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\AntispyStorm
C:\Program Files\AntispyStorm\stat.bin
C:\Program Files\AntispyStorm\uninstall.exe
C:\Program Files\AntispyStorm\uninstall.log
C:\WINDOWS\aconti.exe
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\drivers\bg_bg.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\close_ico.gif
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\icon_warning_big.gif
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\remove_spyware_header.gif
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spyware_detected.gif
C:\WINDOWS\system32\drivers\warning_ico.gif
C:\WINDOWS\system32\drivers\yellow_warning_ico.gif
C:\WINDOWS\system32\drvnej.dll
C:\WINDOWS\system32\drvnejr.dll
C:\WINDOWS\system32\drvtej.dll
C:\WINDOWS\system32\drvtejr.dll
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\oembios32.dll
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\wowrlegl
C:\WINDOWS\system32\wowrlegl\bg1.gif
C:\WINDOWS\system32\wowrlegl\bgtop.gif
C:\WINDOWS\system32\wowrlegl\bottom1.gif
C:\WINDOWS\system32\wowrlegl\essentials.gif
C:\WINDOWS\system32\wowrlegl\icon1.ico
C:\WINDOWS\system32\wowrlegl\install1.gif
C:\WINDOWS\system32\wowrlegl\left1.gif
C:\WINDOWS\system32\wowrlegl\li.gif
C:\WINDOWS\system32\wowrlegl\logo.gif
C:\WINDOWS\system32\wowrlegl\main.htm
C:\WINDOWS\system32\wowrlegl\mainframe.htm
C:\WINDOWS\system32\wowrlegl\reinstall1.gif
C:\WINDOWS\system32\wowrlegl\right1.gif
C:\WINDOWS\system32\wowrlegl\s1.htm
C:\WINDOWS\system32\wowrlegl\s2.htm
C:\WINDOWS\system32\wowrlegl\s3.htm
C:\WINDOWS\system32\wowrlegl\SMTop1.gif
C:\WINDOWS\system32\wowrlegl\SMTop2.gif
C:\WINDOWS\system32\wowrlegl\SMTop3.gif
C:\WINDOWS\system32\wowrlegl\SMTop4.gif
C:\WINDOWS\system32\wowrlegl\soft1_off.gif
C:\WINDOWS\system32\wowrlegl\soft1_off_ext.gif
C:\WINDOWS\system32\wowrlegl\soft1_on.gif
C:\WINDOWS\system32\wowrlegl\soft1_on_ext.gif
C:\WINDOWS\system32\wowrlegl\soft2_off.gif
C:\WINDOWS\system32\wowrlegl\soft2_off_ext.gif
C:\WINDOWS\system32\wowrlegl\soft2_on.gif
C:\WINDOWS\system32\wowrlegl\soft2_on_ext.gif
C:\WINDOWS\system32\wowrlegl\soft3_off.gif
C:\WINDOWS\system32\wowrlegl\soft3_off_ext.gif
C:\WINDOWS\system32\wowrlegl\soft3_on.gif
C:\WINDOWS\system32\wowrlegl\soft3_on_ext.gif
C:\WINDOWS\system32\wowrlegl\softbottom_off.gif
C:\WINDOWS\system32\wowrlegl\softbottom_on.gif
C:\WINDOWS\system32\wowrlegl\softleft_off.gif
C:\WINDOWS\system32\wowrlegl\softleft_on.gif
C:\WINDOWS\system32\wowrlegl\top1.gif
C:\WINDOWS\system32\wowrlegl\top2.gif
C:\WINDOWS\system32\wowrlegl\turnoff1.gif
C:\WINDOWS\system32\wowrlegl\turnon1.gif
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe


((((((((((((((((((((((((( Files Created from 2007-08-10 to 2007-09-10 )))))))))))))))))))))))))))))))
.

2007-09-10 08:41 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-08 15:40 95,744 --a------ C:\WINDOWS\system32\drvmak.dll
2007-09-08 15:40 15,360 --a------ C:\WINDOWS\system32\drvmakr.dll
2007-09-06 17:35 <DIR> d-------- C:\31.1.5114
2007-09-06 16:16 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-06 12:56 <DIR> d-------- C:\DOCUME~1\KATHER~2\DoctorWeb
2007-09-06 09:59 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-06 09:58 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-05 18:45 33,280 --a------ C:\WINDOWS\system32\rundll32.exe
2007-09-05 18:45 33,280 --a------ C:\WINDOWS\system32\dllcache\rundll32.exe
2007-09-05 18:27 <DIR> d-------- C:\WINDOWS\system32\acespy
2007-09-05 18:27 <DIR> d-------- C:\Program Files\e-zshopper
2007-09-05 13:15 <DIR> d-------- C:\Program Files\iPod
2007-09-05 13:14 <DIR> d-------- C:\Program Files\iTunes
2007-09-05 13:07 <DIR> d-------- C:\Program Files\Apple Software Update
2007-09-05 13:06 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-09-05 13:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-08-27 16:11 38,400 --a------ C:\WINDOWS\HPLTLNK.EXE
2007-08-27 09:53 <DIR> d-------- C:\Program Files\HP design jet 230 plotter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-11 08:46 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
2007-09-06 09:23 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-09-06 09:23 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-09-05 13:11 --------- d-------- C:\Program Files\QuickTime
2007-09-05 13:10 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-08-03 12:31 --------- d-------- C:\DOCUME~1\KATHER~2\APPLIC~1\LimeWire
2007-08-03 12:00 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-03 11:28 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SSScanWizard
2007-08-03 11:28 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SSScanAppDataDir
2007-08-03 11:27 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ScanSoft
2007-07-31 12:20 --------- d-------- C:\Program Files\HPQ
2007-07-31 12:16 --------- d-------- C:\Program Files\Sonic
2007-07-31 12:12 --------- d-------- C:\Program Files\Canon
2007-07-31 12:09 --------- d-------- C:\Program Files\ArcSoft
2007-07-31 12:02 --------- d-------- C:\Program Files\Hewlett-Packard
2007-07-31 11:36 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\HP
2007-07-31 11:29 --------- d-------- C:\Program Files\UselessCreations
2007-07-31 11:29 --------- d-------- C:\Program Files\Common Files\HP
2007-07-31 11:23 --------- d-------- C:\Program Files\HP
2007-07-31 11:23 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Hewlett-Packard
2007-07-31 11:14 --------- d-------- C:\Program Files\AccuRate
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-30 18:51 --------- d-------- C:\DOCUME~1\KATHER~2\APPLIC~1\Talkback
2007-07-30 18:47 --------- d-------- C:\Program Files\Lavasoft
2007-07-30 18:47 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-30 18:44 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-30 09:59 --------- dr------- C:\DOCUME~1\KATHER~2\APPLIC~1\Brother
2007-07-30 09:42 879832 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2007-07-30 09:42 108360 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2007-06-27 01:13 851968 --------- C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-27 00:35 665600 --------- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 16:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 16:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 23:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 23:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-15 18:12 96256 --------- C:\WINDOWS\system32\dllcache\inseng.dll
2007-06-15 18:12 616960 --------- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-15 18:12 55808 --------- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-15 18:12 532480 --------- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-15 18:12 474112 --------- C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-15 18:12 449024 --------- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-15 18:12 39424 --------- C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-15 18:12 357888 --------- C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-15 18:12 3064320 --------- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-15 18:12 251904 --------- C:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-15 18:12 205824 --------- C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-15 18:12 16384 --------- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-15 18:12 151040 --------- C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-15 18:12 1498112 --------- C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-15 18:12 146432 --------- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-15 18:12 1054208 --------- C:\WINDOWS\system32\dllcache\danim.dll
2007-06-15 18:12 1022976 --------- C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 20:32 18432 --------- C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-13 20:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 20:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2007-03-30 19:25 800272 --a------ C:\DOCUME~1\KATHER~2\ppctl.dll
.

((((((((((((((((((((((((((((( snapshot_2007-09-10_ 92511.12 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 54,010 2007-09-10 22:42:31 C:\WINDOWS\system32\perfc009.dat
----a-w 383,822 2007-09-10 22:42:31 C:\WINDOWS\system32\perfh009.dat
.
----a-w 54,010 2007-09-09 23:18:39 C:\WINDOWS\system32\perfc009.dat
----a-w 383,822 2007-09-09 23:18:39 C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-28 16:00]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-05-04 12:17]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 20:15]
"RegistryMechanic"="" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 19:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 18:00]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 07:56:20]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-04-11 11:10:00]

C:\DOCUME~1\KATHER~2\STARTM~1\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-Link AirPlus.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\D-Link AirPlus.lnk
backup=C:\WINDOWS\pss\D-Link AirPlus.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=C:\WINDOWS\pss\DVD Check.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ChangeResolution]
C:\Documents and Settings\Administrator\ChangeResolution.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
C:\Program Files\HPQ\Default Settings\cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
"%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
"C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PublishPDF]
C:\WINDOWS\PublishPDF\PublishPDF_Loader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

R1 ClntMgmt.sys;ClntMgmt.sys;C:\WINDOWS\system32\Drivers\ClntMgmt.sys
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe"
S3 AIRPLUS;D-Link AirPlus Wireless Adapter;C:\WINDOWS\system32\DRIVERS\airplus.sys
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys
S3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\system32\Drivers\BrUsbMdm.sys
S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\cmo_bus.sys
S3 cmo_mdfl;Data Modem @ CDMA Filter;C:\WINDOWS\system32\DRIVERS\cmo_mdfl.sys
S3 cmo_mdm;Data Modem @ CDMA Drivers;C:\WINDOWS\system32\DRIVERS\cmo_mdm.sys
S3 cmo_serd;Data Modem @ CDMA Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\cmo_serd.sys
S3 mf;mf;C:\WINDOWS\system32\DRIVERS\mf.sys
S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINDOWS\system32\DRIVERS\MSIRCOMM.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63087a20-d696-11db-ab83-0014380a9c19}]
AutoRun\command- E:\Launch.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-05 03:07:33 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-05-29 12:46:38 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Katherine at 7 24 PM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-11 09:01:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-11 9:17:18 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-11 09:17
C:\ComboFix2.txt ... 2007-09-10 09:33
.
--- E O F ---


Here is the SmitFraudFix log:

SmitFraudFix v2.222

Scan done at 9:23:12.54, Tue 11/09/2007
Run from C:\Documents and Settings\Katherine\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

127.0.0.1 localhost

Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2B39DF7F-3DF6-497D-AE30-39C97BA1CD7B}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2B39DF7F-3DF6-497D-AE30-39C97BA1CD7B}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2B39DF7F-3DF6-497D-AE30-39C97BA1CD7B}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End




Here is the HijackThis log done in Safe Mode:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:26:24 AM, on 11/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 3836 bytes





This is the HijackThis log done in Normal mode:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:30:32 AM, on 11/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 5172 bytes


Thanks again! :flowers:

#6 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 11 September 2007 - 02:32 AM

Have HijackThis fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)

Make sure all hidden files are showing:
* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

I now need you to do the following if you will:

Go here: http://virusscan.jotti.org/
Using the 'Browse' button, browse to:
C:\31.1.5114
Then press the 'Submit' button.
Wait while the file is scanned.
Post the results into your next reply.

If Jotti's is too busy, try here:
http://www.virustotal.com/en/virustotalf.html
Click on the 'Analysis' tab.
Using the 'Browse' button, browse to:
C:\31.1.5114
Then click on 'Send File'.
Post the results into your next reply.

Then do exactly the same with the following files:
C:\WINDOWS\system32\drvmak.dll
C:\WINDOWS\system32\drvmakr.dll
Post all three sets of results into your next reply please.

Also post a new HijackThis log.
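The post above asks for a fresh HijackThis log after the 'Fix checked' step. Whether the fix took can be checked mechanically by diffing the two logs rather than eyeballing them. The script below is an added example, not code from this thread or from HijackThis: it parses the entry lines HijackThis emits (O2, O4, O23 and so on) and the 'Running processes' section, then reports what appears in only one of the two logs, and separately lists entries HijackThis marks '(no file)' (an autostart or BHO registration whose target is gone). LOG_BEFORE and LOG_AFTER are constructed excerpts of the logs posted in this thread, not complete logs.

```python
"""Diff two HijackThis logs to confirm that a 'Fix checked' removed an entry.

Added example; not code from this thread or from HijackThis. LOG_BEFORE and
LOG_AFTER are constructed excerpts of the 11/09 normal-mode log and the 12/09
log posted after the O2 fix.
"""
import re
from typing import Dict, Set, Tuple

# HijackThis entry lines start with a section code such as O2, O4, O23, R1, F2.
ENTRY_RE = re.compile(r"^(?:O\d+|R\d|F\d|N\d) - ")

LOG_BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:30:32 AM, on 11/09/2007
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\iTunes\iTunesHelper.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

--
End of file - 5172 bytes
"""

LOG_AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:04:21 AM, on 12/09/2007
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

--
End of file - 5058 bytes
"""


def parse_hjt(text: str) -> Tuple[Set[str], Set[str]]:
    """Return (running_processes, entries). Process paths are lower-cased:
    Windows paths are case-insensitive and the logs above mix System32 and
    system32 for the same directory."""
    processes: Set[str] = set()
    entries: Set[str] = set()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.add(line.lower())
        elif ENTRY_RE.match(line):
            entries.add(line)
    return processes, entries


def diff_logs(before: str, after: str) -> Dict[str, Set[str]]:
    """What changed between two logs. An empty 'entries_removed' right after a
    'Fix checked' means the fix did not take, or the entry was re-created."""
    p0, e0 = parse_hjt(before)
    p1, e1 = parse_hjt(after)
    return {
        "entries_removed": e0 - e1,
        "entries_added": e1 - e0,
        "processes_gone": p0 - p1,
        "processes_new": p1 - p0,
    }


def orphaned_entries(text: str) -> Set[str]:
    """Entries whose target no longer exists on disk; HijackThis prints them
    with '(no file)'. These are leftovers to clean up, not running code."""
    _, entries = parse_hjt(text)
    return {e for e in entries if "(no file)" in e}


if __name__ == "__main__":
    for key, values in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(key)
        for v in sorted(values):
            print("   ", v)
```

Run against the two excerpts, the only removed entry is the orphaned O2 BHO and the only process difference is WMIADAP.EXE, which is a transient WMI task and not something the fix touched; anything else showing up under entries_added after a fix is worth a second look.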

#7 dexisbest (Topic Starter, Members, 9 posts)

Posted 11 September 2007 - 07:13 PM

Richie,

The VirusTotal and virus scan sites only allow you to submit files, not folders, so I have scanned all the files located within the folder and attached the results as a Word file to this email.

Results from the files contained in the c:/ folder:


File Pltfrm2.ini received on 09.12.2007 01:08:31 (CET)
Current status: finished
Result: 0/32 (0%)


Antivirus Version Last Update Result
AhnLab-V3 2007.9.11.1 2007.09.11 -
AntiVir 7.6.0.5 2007.09.12 -
Authentium 4.93.8 2007.09.11 -
Avast 4.7.1043.0 2007.09.11 -
AVG 7.5.0.485 2007.09.11 -
BitDefender 7.2 2007.09.12 -
CAT-QuickHeal 9.00 2007.09.11 -
ClamAV 0.91.2 2007.09.12 -
DrWeb 4.33 2007.09.11 -
eSafe 7.0.15.0 2007.09.11 -
eTrust-Vet 31.1.5127 2007.09.12 -
Ewido 4.0 2007.09.11 -
FileAdvisor 1 2007.09.12 -
Fortinet 3.11.0.0 2007.09.11 -
F-Prot 4.3.2.48 2007.09.11 -
F-Secure 6.70.13030.0 2007.09.11 -
Ikarus T3.1.1.12 2007.09.11 -
Kaspersky 4.0.2.24 2007.09.12 -
McAfee 5117 2007.09.11 -
Microsoft 1.2803 2007.09.12 -
NOD32v2 2522 2007.09.11 -
Norman 5.80.02 2007.09.11 -
Panda 9.0.0.4 2007.09.11 -
Prevx1 V2 2007.09.12 -
Rising 19.40.12.00 2007.09.11 -
Sophos 4.21.0 2007.09.11 -
Sunbelt 2.2.907.0 2007.09.12 -
Symantec 10 2007.09.12 -
TheHacker 6.1.10.184 2007.09.11 -
VBA32 3.12.2.4 2007.09.12 -
VirusBuster 4.3.26:9 2007.09.11 -
Webwasher-Gateway 6.0.1 2007.09.12 -
Additional information
File size: 674 bytes
MD5: b17cb8f663d15fe0fcd8e2fa850cff70
SHA1: e765cdf13aed7907fcf16fe15f8647e460a12620


File vet.da1 received on 09.12.2007 01:19:22 (CET)
Current status: finished
Result: 0/31 (0%)


Antivirus Version Last Update Result
AhnLab-V3 2007.9.11.1 2007.09.11 -
AntiVir 7.6.0.5 2007.09.12 -
Authentium 4.93.8 2007.09.11 -
Avast 4.7.1043.0 2007.09.11 -
AVG 7.5.0.485 2007.09.11 -
BitDefender 7.2 2007.09.12 -
CAT-QuickHeal 9.00 2007.09.11 -
ClamAV 0.91.2 2007.09.12 -
DrWeb 4.33 2007.09.11 -
eSafe 7.0.15.0 2007.09.11 -
eTrust-Vet 31.1.5127 2007.09.12 -
Ewido 4.0 2007.09.11 -
FileAdvisor 1 2007.09.12 -
Fortinet 3.11.0.0 2007.09.11 -
F-Prot 4.3.2.48 2007.09.11 -
F-Secure 6.70.13030.0 2007.09.11 -
Ikarus T3.1.1.12 2007.09.11 -
Kaspersky 4.0.2.24 2007.09.12 -
McAfee 5117 2007.09.11 -
Microsoft 1.2803 2007.09.12 -
NOD32v2 2522 2007.09.11 -
Norman 5.80.02 2007.09.11 -
Panda 9.0.0.4 2007.09.11 -
Prevx1 V2 2007.09.12 -
Rising 19.40.12.00 2007.09.11 -
Sophos 4.21.0 2007.09.11 -
Sunbelt 2.2.907.0 2007.09.12 -
TheHacker 6.1.10.184 2007.09.11 -
VBA32 3.12.2.4 2007.09.12 -
VirusBuster 4.3.26:9 2007.09.11 -
Webwasher-Gateway 6.0.1 2007.09.12 -
Additional information
File size: 598945 bytes
MD5: 593f358ff61e5c90324f88b6659abd4d
SHA1: 17726f32025ed4adaaa6b8921c30d7cbc9c38c3a


File vet.dat received on 09.12.2007 01:34:29 (CET)
Current status: finished
Result: 0/32 (0%)


Antivirus Version Last Update Result
AhnLab-V3 2007.9.11.1 2007.09.11 -
AntiVir 7.6.0.5 2007.09.12 -
Authentium 4.93.8 2007.09.11 -
Avast 4.7.1043.0 2007.09.11 -
AVG 7.5.0.485 2007.09.11 -
BitDefender 7.2 2007.09.12 -
CAT-QuickHeal 9.00 2007.09.11 -
ClamAV 0.91.2 2007.09.12 -
DrWeb 4.33 2007.09.11 -
eSafe 7.0.15.0 2007.09.11 -
eTrust-Vet 31.1.5127 2007.09.12 -
Ewido 4.0 2007.09.11 -
FileAdvisor 1 2007.09.12 -
Fortinet 3.11.0.0 2007.09.11 -
F-Prot 4.3.2.48 2007.09.11 -
F-Secure 6.70.13030.0 2007.09.11 -
Ikarus T3.1.1.12 2007.09.12 -
Kaspersky 4.0.2.24 2007.09.12 -
McAfee 5117 2007.09.11 -
Microsoft 1.2803 2007.09.12 -
NOD32v2 2522 2007.09.11 -
Norman 5.80.02 2007.09.11 -
Panda 9.0.0.4 2007.09.11 -
Prevx1 V2 2007.09.12 -
Rising 19.40.12.00 2007.09.11 -
Sophos 4.21.0 2007.09.11 -
Sunbelt 2.2.907.0 2007.09.12 -
Symantec 10 2007.09.12 -
TheHacker 6.1.10.184 2007.09.11 -
VBA32 3.12.2.4 2007.09.12 -
VirusBuster 4.3.26:9 2007.09.11 -
Webwasher-Gateway 6.0.1 2007.09.12 -
Additional information
File size: 9389832 bytes
MD5: 65b0673b121ce40790211cf55397abb0
SHA1: 21c57367da20d185bb4c7280bd375353f161a937

File Vet.txt received on 09.12.2007 01:43:35 (CET)
Current status: finished
Result: 0/32 (0%)


Antivirus Version Last Update Result
AhnLab-V3 2007.9.11.1 2007.09.11 -
AntiVir 7.6.0.5 2007.09.12 -
Authentium 4.93.8 2007.09.11 -
Avast 4.7.1043.0 2007.09.11 -
AVG 7.5.0.485 2007.09.11 -
BitDefender 7.2 2007.09.12 -
CAT-QuickHeal 9.00 2007.09.11 -
ClamAV 0.91.2 2007.09.12 -
DrWeb 4.33 2007.09.11 -
eSafe 7.0.15.0 2007.09.11 -
eTrust-Vet 31.1.5127 2007.09.12 -
Ewido 4.0 2007.09.11 -
FileAdvisor 1 2007.09.12 -
Fortinet 3.11.0.0 2007.09.11 -
F-Prot 4.3.2.48 2007.09.11 -
F-Secure 6.70.13030.0 2007.09.11 -
Ikarus T3.1.1.12 2007.09.12 -
Kaspersky 4.0.2.24 2007.09.12 -
McAfee 5117 2007.09.11 -
Microsoft 1.2803 2007.09.12 -
NOD32v2 2522 2007.09.11 -
Norman 5.80.02 2007.09.11 -
Panda 9.0.0.4 2007.09.11 -
Prevx1 V2 2007.09.12 -
Rising 19.40.12.00 2007.09.11 -
Sophos 4.21.0 2007.09.11 -
Sunbelt 2.2.907.0 2007.09.12 -
Symantec 10 2007.09.12 -
TheHacker 6.1.10.184 2007.09.11 -
VBA32 3.12.2.4 2007.09.12 -
VirusBuster 4.3.26:9 2007.09.11 -
Webwasher-Gateway 6.0.1 2007.09.12 -
Additional information
File size: 856 bytes
MD5: 48c3c7a6181ee1b2f78ddff7d05e4bf7
SHA1: 18cb6f250d9fa82be1560c6f6dfecf923b5703d4


File VetE.dll received on 09.12.2007 01:49:28 (CET)
Current status: finished
Result: 0/32 (0%)


Antivirus Version Last Update Result
AhnLab-V3 2007.9.11.1 2007.09.11 -
AntiVir 7.6.0.5 2007.09.12 -
Authentium 4.93.8 2007.09.11 -
Avast 4.7.1043.0 2007.09.11 -
AVG 7.5.0.485 2007.09.11 -
BitDefender 7.2 2007.09.12 -
CAT-QuickHeal 9.00 2007.09.11 -
ClamAV 0.91.2 2007.09.12 -
DrWeb 4.33 2007.09.11 -
eSafe 7.0.15.0 2007.09.11 -
eTrust-Vet 31.1.5127 2007.09.12 -
Ewido 4.0 2007.09.11 -
FileAdvisor 1 2007.09.12 -
Fortinet 3.11.0.0 2007.09.11 -
F-Prot 4.3.2.48 2007.09.11 -
F-Secure 6.70.13030.0 2007.09.11 -
Ikarus T3.1.1.12 2007.09.12 -
Kaspersky 4.0.2.24 2007.09.12 -
McAfee 5117 2007.09.11 -
Microsoft 1.2803 2007.09.12 -
NOD32v2 2522 2007.09.11 -
Norman 5.80.02 2007.09.11 -
Panda 9.0.0.4 2007.09.11 -
Prevx1 V2 2007.09.12 -
Rising 19.40.12.00 2007.09.11 -
Sophos 4.21.0 2007.09.11 -
Sunbelt 2.2.907.0 2007.09.12 -
Symantec 10 2007.09.12 -
TheHacker 6.1.10.184 2007.09.11 -
VBA32 3.12.2.4 2007.09.12 -
VirusBuster 4.3.26:9 2007.09.11 -
Webwasher-Gateway 6.0.1 2007.09.12 -
Additional information
File size: 1353016 bytes
MD5: 6c31efde487950ca7fc725d523811526
SHA1: b566acf4cde3f5f254c00179371ab59445d1828e





Results from the scans of the two Windows system files:

File drvmak.dll received on 09.12.2007 01:55:03 (CET)
Current status: finished
Result: 13/32 (40.63%)


Antivirus Version Last Update Result
AhnLab-V3 2007.9.11.1 2007.09.11 -
AntiVir 7.6.0.5 2007.09.12 TR/Crypt.PEC2X.Gen
Authentium 4.93.8 2007.09.11 -
Avast 4.7.1043.0 2007.09.11 -
AVG 7.5.0.485 2007.09.11 Dialer.MCM
BitDefender 7.2 2007.09.12 -
CAT-QuickHeal 9.00 2007.09.11 -
ClamAV 0.91.2 2007.09.12 -
DrWeb 4.33 2007.09.11 -
eSafe 7.0.15.0 2007.09.11 Win32.Dialer.qn
eTrust-Vet 31.1.5127 2007.09.12 -
Ewido 4.0 2007.09.11 -
FileAdvisor 1 2007.09.12 -
Fortinet 3.11.0.0 2007.09.11 -
F-Prot 4.3.2.48 2007.09.11 -
F-Secure 6.70.13030.0 2007.09.11 Trojan.Win32.Dialer.qn
Ikarus T3.1.1.12 2007.09.12 Trojan.Win32.Agent.qt
Kaspersky 4.0.2.24 2007.09.12 Trojan.Win32.Dialer.qn
McAfee 5117 2007.09.11 -
Microsoft 1.2803 2007.09.12 -
NOD32v2 2522 2007.09.11 -
Norman 5.80.02 2007.09.11 W32/Dialer.BOBI
Panda 9.0.0.4 2007.09.11 Dialer.KPV
Prevx1 V2 2007.09.12 KickStart:Trojan-S
Rising 19.40.12.00 2007.09.11 -
Sophos 4.21.0 2007.09.11 Mal/Generic-A
Sunbelt 2.2.907.0 2007.09.12 VIPRE.Suspicious
Symantec 10 2007.09.12 -
TheHacker 6.1.10.184 2007.09.11 Trojan/Dialer.qn
VBA32 3.12.2.4 2007.09.12 -
VirusBuster 4.3.26:9 2007.09.11 -
Webwasher-Gateway 6.0.1 2007.09.12 Trojan.Crypt.PEC2X.Gen
Additional information
File size: 95744 bytes
MD5: 5054d7b97728170885c6b514dc59b8b4
SHA1: 78ee7ef4f8eb9e7ef7e2114b40031580410ad052
packers: PECOMPACT
packers: PecBundle, PECompact
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5...DF091007899A001
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.


File drvmakr.dll received on 09.12.2007 02:00:22 (CET)
Current status: finished
Result: 4/32 (12.5%)


Antivirus Version Last Update Result
AhnLab-V3 2007.9.11.1 2007.09.11 -
AntiVir 7.6.0.5 2007.09.12 ADSPY/Virtumonde.KU
Authentium 4.93.8 2007.09.11 -
Avast 4.7.1043.0 2007.09.11 -
AVG 7.5.0.485 2007.09.11 -
BitDefender 7.2 2007.09.12 -
CAT-QuickHeal 9.00 2007.09.11 -
ClamAV 0.91.2 2007.09.12 -
DrWeb 4.33 2007.09.11 -
eSafe 7.0.15.0 2007.09.11 -
eTrust-Vet 31.1.5127 2007.09.12 -
Ewido 4.0 2007.09.11 -
FileAdvisor 1 2007.09.12 -
Fortinet 3.11.0.0 2007.09.11 -
F-Prot 4.3.2.48 2007.09.11 -
F-Secure 6.70.13030.0 2007.09.11 -
Ikarus T3.1.1.12 2007.09.12 -
Kaspersky 4.0.2.24 2007.09.12 -
McAfee 5117 2007.09.11 -
Microsoft 1.2803 2007.09.12 -
NOD32v2 2522 2007.09.11 -
Norman 5.80.02 2007.09.11 -
Panda 9.0.0.4 2007.09.11 Spyware/Virtumonde
Prevx1 V2 2007.09.12 -
Rising 19.40.12.00 2007.09.11 -
Sophos 4.21.0 2007.09.11 -
Sunbelt 2.2.907.0 2007.09.12 -
Symantec 10 2007.09.12 WinAntiSpyware
TheHacker 6.1.10.184 2007.09.11 -
VBA32 3.12.2.4 2007.09.12 -
VirusBuster 4.3.26:9 2007.09.11 -
Webwasher-Gateway 6.0.1 2007.09.12 Ad-Spyware.Virtumonde.KU
Additional information
File size: 15360 bytes
MD5: 269b1889146ccac34c0cb66e1c6b5c92
SHA1: 15dca82840552e8caeddf206adb30704c585b014




Below is the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:04:21 AM, on 12/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 5058 bytes


Thanks,


Emilio
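The reports pasted above are the raw multi-engine output; with six of them in a row it helps to reduce each to a detection count, the engine labels, and the hashes, and then to confirm that the file about to be removed from system32 is the same bytes that were scanned. The script below is an added example, not code from this thread, VirusTotal or Jotti. It parses the plain-text report format above (a 'File X received on ...' header, one 'Engine Version Date Result' line per engine, then MD5/SHA1 lines), ranks the submitted files by how many engines flagged them, and compares a local file's MD5/SHA1 with the report. SAMPLE_REPORT is a constructed excerpt of the results posted in this thread, with most engine rows dropped; the three-engine threshold is an assumption, not a rule from the page.

```python
"""Triage pasted multi-engine scan reports and verify a file's hash before
it is deleted.

Added example; not code from this thread, VirusTotal or Jotti. SAMPLE_REPORT
is a constructed excerpt of the reports posted in the thread. The threshold
of three engines is an assumption.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FILE_RE = re.compile(r"^File (\S+) received on ")
HASH_RE = re.compile(r"^(MD5|SHA1): ([0-9a-fA-F]+)$")
TABLE_HEADER = "Antivirus Version Last Update Result"

SAMPLE_REPORT = """\
File vet.da1 received on 09.12.2007 01:19:22 (CET)
Result: 0/31 (0%)
Antivirus Version Last Update Result
AhnLab-V3 2007.9.11.1 2007.09.11 -
Kaspersky 4.0.2.24 2007.09.12 -
Additional information
MD5: 593f358ff61e5c90324f88b6659abd4d
SHA1: 17726f32025ed4adaaa6b8921c30d7cbc9c38c3a
File drvmak.dll received on 09.12.2007 01:55:03 (CET)
Result: 13/32 (40.63%)
Antivirus Version Last Update Result
AhnLab-V3 2007.9.11.1 2007.09.11 -
AntiVir 7.6.0.5 2007.09.12 TR/Crypt.PEC2X.Gen
AVG 7.5.0.485 2007.09.11 Dialer.MCM
Kaspersky 4.0.2.24 2007.09.12 Trojan.Win32.Dialer.qn
Prevx1 V2 2007.09.12 KickStart:Trojan-S
Additional information
MD5: 5054d7b97728170885c6b514dc59b8b4
SHA1: 78ee7ef4f8eb9e7ef7e2114b40031580410ad052
packers: PECOMPACT
File drvmakr.dll received on 09.12.2007 02:00:22 (CET)
Result: 4/32 (12.5%)
Antivirus Version Last Update Result
AntiVir 7.6.0.5 2007.09.12 ADSPY/Virtumonde.KU
Kaspersky 4.0.2.24 2007.09.12 -
Symantec 10 2007.09.12 WinAntiSpyware
Additional information
MD5: 269b1889146ccac34c0cb66e1c6b5c92
SHA1: 15dca82840552e8caeddf206adb30704c585b014
"""


@dataclass
class Report:
    name: str
    engines: int = 0                                           # engines that scanned it
    detections: Dict[str, str] = field(default_factory=dict)  # engine -> label
    md5: str = ""
    sha1: str = ""


def parse_reports(text: str) -> List[Report]:
    """One Report per 'File ... received on' block in the pasted text."""
    reports: List[Report] = []
    cur = None
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:                                   # start of a new per-file block
            cur = Report(name=m.group(1))
            reports.append(cur)
            in_table = False
            continue
        if cur is None or not line:
            continue
        if line == TABLE_HEADER:
            in_table = True
            continue
        if line.startswith("Additional information"):
            in_table = False
            continue
        h = HASH_RE.match(line)
        if h:
            setattr(cur, h.group(1).lower(), h.group(2).lower())
            continue
        if in_table:
            # 'Engine Version Date Result'; Result is '-' when clean and may
            # contain spaces, so split into at most four fields.
            parts = line.split(None, 3)
            if len(parts) < 3:
                continue
            cur.engines += 1
            label = parts[3] if len(parts) == 4 else "-"
            if label != "-":
                cur.detections[parts[0]] = label
    return reports


def triage(reports: List[Report], threshold: int = 3) -> List[Tuple[str, int, int, str]]:
    """(name, hits, engines, verdict), most-flagged first. One or two generic or
    heuristic hits are 'suspicious', not proof; the threshold is an assumption."""
    out = []
    for r in sorted(reports, key=lambda r: len(r.detections), reverse=True):
        hits = len(r.detections)
        verdict = "likely malicious" if hits >= threshold else "suspicious" if hits else "clean"
        out.append((r.name, hits, r.engines, verdict))
    return out


def file_hashes(path: str) -> Tuple[str, str]:
    """MD5 and SHA1 of a file, streamed so a 9 MB vet.dat is not read at once."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def matches_report(path: str, report: Report) -> bool:
    """True only if the file on disk is byte-identical to the scanned sample;
    act on the file (delete, or better quarantine a copy first) only then."""
    md5, sha1 = file_hashes(path)
    return md5 == report.md5 and sha1 == report.sha1
```

On the excerpt, drvmak.dll comes out 'likely malicious' (four engines agree on a dialer/trojan label), drvmakr.dll 'suspicious' on two adware labels, and the CA signature file vet.da1 'clean'. The hash check matters in exactly the situation this thread is in: the same path in system32 can be replaced by a dropper between the scan and the cleanup, and a mismatch means the report no longer describes what is on disk.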

#8 dexisbest (Topic Starter, Members, 9 posts)

Posted 11 September 2007 - 07:16 PM

Richie,

As you can see, I have posted all the results in the previous reply, not in a Word document as I stated.

Sorry.

Emilio

#9 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 11 September 2007 - 07:32 PM

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware; don't run it yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into Safe Mode using the F8 method.
To do this, restart your computer and, after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Find and delete:
C:\WINDOWS\system32\drvmak.dll
C:\WINDOWS\system32\drvmakr.dll

Still in Safe Mode, start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your PC is running now.


#10 dexisbest (Topic Starter, Members, 9 posts)

Posted 11 September 2007 - 11:22 PM

Richie,

Here are the logs:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/12/2007 at 01:52 PM

Application Version : 3.9.1008

Core Rules Database Version : 3304
Trace Rules Database Version: 1310

Scan type : Complete Scan
Total Scan Time : 01:39:38

Memory items scanned : 189
Memory threats detected : 0
Registry items scanned : 6378
Registry threats detected : 0
File items scanned : 48125
File threats detected : 70

Adware.Tracking Cookie
C:\Documents and Settings\Katherine\Cookies\katherine@atwola[1].txt
C:\Documents and Settings\Katherine\Cookies\katherine@nbads[2].txt
C:\Documents and Settings\Katherine\Cookies\katherine@cbs.112.2o7[1].txt
C:\Documents and Settings\Katherine\Cookies\katherine@acvs.mediaonenetwork[2].txt
C:\Documents and Settings\Katherine\Cookies\katherine@cs.sexcounter[2].txt
C:\Documents and Settings\Katherine\Cookies\katherine@focalex[2].txt
C:\Documents and Settings\Katherine\Cookies\katherine@ad2.pamedia.com[2].txt
C:\Documents and Settings\Katherine\Cookies\katherine@ads.realtechnetwork[1].txt
C:\Documents and Settings\Katherine\Cookies\katherine@adrevolver[2].txt
C:\Documents and Settings\Katherine\Cookies\katherine@sensismediasmart.com[1].txt
C:\Documents and Settings\Katherine\Cookies\katherine@adopt.hbmediapro[2].txt
C:\Documents and Settings\Katherine\Cookies\katherine@nextag[2].txt
C:\Documents and Settings\Katherine\Cookies\katherine@888[1].txt
C:\Documents and Settings\Katherine\Cookies\katherine@ad.sensismediasmart.com[1].txt
C:\Documents and Settings\Katherine\Cookies\katherine@usenext[1].txt
C:\Documents and Settings\Katherine\Cookies\katherine@keywordmax[1].txt
C:\Documents and Settings\Katherine\Cookies\katherine@msnportal.112.2o7[1].txt
C:\Documents and Settings\Katherine\Cookies\katherine@cracksearchengine[1].txt
C:\Documents and Settings\Katherine\Cookies\katherine@realmedia[2].txt
C:\Documents and Settings\Katherine\Cookies\katherine@media.theage.com[1].txt
C:\Documents and Settings\Katherine\Cookies\katherine@tribalfusion[1].txt
C:\Documents and Settings\Katherine\Cookies\katherine@www.cracksearchengine[1].txt
C:\Documents and Settings\Katherine\Cookies\katherine@pt.crossmediaservices[1].txt
C:\Documents and Settings\Katherine\Cookies\katherine@ad2.adecn[1].txt
C:\Documents and Settings\Katherine\Cookies\katherine@www.ezytrack[1].txt
C:\Documents and Settings\Katherine\Cookies\katherine@revenue[2].txt
C:\Documents and Settings\Katherine\Cookies\katherine@247realmedia[1].txt
C:\Documents and Settings\Katherine\Cookies\katherine@roiservice[2].txt
C:\Documents and Settings\Katherine\Cookies\katherine@stat.onestat[2].txt
C:\Documents and Settings\Katherine\Cookies\katherine@cracker.com[1].txt
C:\Documents and Settings\Katherine\Cookies\katherine@trafficmp[2].txt
C:\Documents and Settings\Katherine\Cookies\katherine@pitchforkmedia[1].txt
C:\Documents and Settings\Katherine\Cookies\katherine@ads.pointroll[2].txt
C:\Documents and Settings\Katherine\Cookies\katherine@partypoker[2].txt
C:\Documents and Settings\Katherine\Cookies\katherine@superstats[1].txt
C:\Documents and Settings\Katherine\Cookies\katherine@serving-sys[1].txt
C:\Documents and Settings\Katherine\Cookies\katherine@mediaonenetwork[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.sensismediasmart.com[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad2.pamedia.com[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@cruisingforsex[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@pamedia.com[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@rb4.worldsex[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@sensismediasmart.com[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@sitestats.tiscali.co[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@webstats[1].txt
C:\Documents and Settings\Katherine\Cookies\katherine@ad.zanox[2].txt
C:\Documents and Settings\Katherine\Cookies\katherine@ads.designboom[2].txt
C:\Documents and Settings\Katherine\Cookies\katherine@ads2.drivelinemedia[1].txt
C:\Documents and Settings\Katherine\Cookies\katherine@adsrevenue[1].txt
C:\Documents and Settings\Katherine\Cookies\katherine@click.payserve[1].txt
C:\Documents and Settings\Katherine\Cookies\katherine@ffxcam.cracker.com[2].txt
C:\Documents and Settings\Katherine\Cookies\katherine@media.fairfax.com[1].txt
C:\Documents and Settings\Katherine\Cookies\katherine@pamedia.com[1].txt
C:\Documents and Settings\Katherine\Cookies\katherine@shop.zanox[2].txt
C:\Documents and Settings\Katherine\Cookies\katherine@shoplocl.adbureau[1].txt
C:\Documents and Settings\Katherine\Cookies\katherine@sixapart.adbureau[1].txt
C:\Documents and Settings\Katherine\Cookies\katherine@www.clubtransmediale[1].txt
C:\Documents and Settings\Katherine\Cookies\katherine@www.pitchforkmedia[1].txt
C:\Documents and Settings\Katherine\Cookies\katherine@www.screensavers[1].txt

Adware.WhenU
C:\DOCUMENTS AND SETTINGS\KATHERINE\DOCTORWEB\QUARANTINE\A0038905.EXE

Trojan.NewDotNet
C:\DOCUMENTS AND SETTINGS\KATHERINE\DOCTORWEB\QUARANTINE\A0038906.DLL

Trojan.NewDotNet-Installer
C:\DOCUMENTS AND SETTINGS\KATHERINE\DOCTORWEB\QUARANTINE\A0038907.EXE

Trojan.Downloader-Gen/MobRules
C:\QOOBOX\QUARANTINE\C\DOCUME~1\ALLUSE~1\APPLIC~1\HIXCTKRK.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\TVEXBISQ\RYPWSOJV.DLL.VIR

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\ADMFIBAR\APGHUJKL.DLL.VIR

Adware.ClickSpring/Yazzle
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1162OINUNINSTALLER.EXE.VIR

Trojan.Downloader-Gen/BigTkt
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRVNEJR.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRVTEJR.DLL.VIR
C:\RECYCLER\S-1-5-21-3774636547-3022623609-48652769-1005\DC4.DLL

Trojan.Downloader-FakeRX
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\OEMBIOS32.DLL.VIR
here is the hijack this log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00:57 PM, on 12/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 5292 bytes

thanks.... how does it look???
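As an added example (not part of this thread, and not code from HijackThis or SUPERAntiSpyware), here is a small Python parser for the O4/O20/O23 autostart lines in the HijackThis log format posted above, with a first-pass check for images that live outside C:\WINDOWS and C:\Program Files. The sample lines are constructed from the format in this thread; the 'updater' entry and its path are made-up placeholders.

```python
import re
from typing import Dict, List

# Constructed sample in the HijackThis v2.0.2 format shown in this thread.
# The 'updater' line is a made-up placeholder, not something from the logs.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\All Users\Application Data\example_unknown.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>.+?\\Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<cmd>.*)$")
USER_RE = re.compile(r"\s*\(User '[^']*'\)$")          # trailing "(User 'SYSTEM')"
EXE_RE = re.compile(r'^"?(?P<exe>[A-Za-z]:\\[^"]*?\.(?:exe|dll|lnk|cpl|scr))"?(?:\s.*)?$', re.I)


def parse_hjt(log: str) -> List[Dict[str, str]]:
    """Return one dict per autostart line (O4/O20/O23); other lines are ignored."""
    entries = []
    for line in log.splitlines():
        for kind, rx in (("run", RUN_RE), ("startup", STARTUP_RE),
                         ("winlogon", O20_RE), ("service", O23_RE)):
            m = rx.match(line.strip())
            if m:
                d = m.groupdict()
                d["kind"] = kind
                cmd = USER_RE.sub("", d.pop("cmd"))
                em = EXE_RE.match(cmd)          # strip quotes and command-line args
                d["exe"] = em.group("exe") if em else cmd
                entries.append(d)
                break
    return entries


TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


def outside_trusted_roots(entries, roots=TRUSTED_ROOTS):
    """First-pass triage: autostarts whose image is not under a trusted root.
    The DLLs removed in this thread sat in C:\\WINDOWS\\system32, so an image
    inside a trusted root still needs its name and vendor checked by hand."""
    return [e for e in entries if not e["exe"].lower().startswith(roots)]
```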

#11 RichieUK


    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 12 September 2007 - 03:11 AM

Well, your log looks clean. How's your PC running now, any problems?

#12 dexisbest

  • Topic Starter

  • Members
  • 9 posts

Posted 12 September 2007 - 04:10 AM

Richie.... my PC feels a lot more stable and is running faster :thumbsup: ... no more pop-ups, thank god!! I'm going to run CCleaner to get rid of any excess files etc........

Thanks for all your help, very much appreciated ... there would be massive problems without you guys helping us mere mortals out!!!

:flowers:



Emilio

#13 RichieUK


    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 12 September 2007 - 05:12 AM

If all's OK, please do the following.

Find and delete:
Combofix.exe
SmitfraudFix.exe

C:\Qoobox

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on OK.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

#14 dexisbest

  • Topic Starter

  • Members
  • 9 posts

Posted 12 September 2007 - 07:43 PM

OK .. that's all done!!

Thanks so much for your help!!

Emilio

:thumbsup:

#15 RichieUK


    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 13 September 2007 - 04:15 AM

You're welcome Emilio :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.