System Shutdown Was Initiated By NT AUTHORITY\SYSTEM


8 replies to this topic

#1 cypr25 (Members, 5 posts)

Posted 24 September 2007 - 11:42 AM

How's it going. Before you even try to help me... thank you. I've been reading and searching for stuff about this for about a week now and nothing has been able to help, which sucks; I just got this computer about 2-3 months ago and have a lot of stuff I need to do online and with my computer.

I have a Dell Optiplex GX260, Windows XP (I'm not sure if it's Pro) and I have a cable internet connection. For about 2 weeks I've been having spyware bleep, which seems to be gone; the first sign was 'Ultimate Cleaner' and its fake Windows messages.

But this has been a much bigger problem. I get an Explorer message saying 'Services and Controller app encountered a problem and needed to close.' and then another box pops up and says 'System shutdown was initiated by NT AUTHORITY\SYSTEM' with a 60-second countdown. I keep using 'shutdown -a' in the command prompt to keep it from restarting.

Usually it either blocks some sites or I just don't have an internet connection to them; it was blocking McAfee updates, or not really allowing me to go to an antivirus site or support sites, just really slow loading, and some would say 'host not found'. Also it sent about 200-300 emails out on like the first day (21st of Sept); I still have some of the ones that didn't send in my McAfee log.

A friend of mine suggested System Restore. I tried that to Sept 3rd, but it tells me on restart that the restore couldn't happen because no changes have been made.

When the spyware started coming I got the McAfee 30-day trial version. Yesterday, after trying the restore, I was finally able to get to the McAfee download and bought the full version... still no help. I got IE7 today and all security updates for it.

I doubt this is all the information you'll ask for, so anything you need, just ask; I'll subscribe and keep this thread in my favorites. Thanks a lot again! Anything you can tell me or help me with will be much appreciated!

Here's my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:06:39 PM, on 9/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\MMKeybd.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\program files\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\Program Files\Netropa\OSD.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
c:\PROGRA~1\COMMON~1\mcafee\emproxy\emtray.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://government.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wsnpoem.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: (no name) - {34062413-1ABA-8EA5-618A-024C27617594} - C:\Program Files\Isgcvbid\loogzlnv.dll
O2 - BHO: (no name) - {4AA7B12D-AB2C-4D16-BCFB-704945A98FDD} - C:\WINDOWS\system32\yayxurq.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk98.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [tkfcpuxi] rundll32.exe "C:\Program Files\tkfcpuxi\vavklwbo.dll",Init
O4 - HKLM\..\Run: [yjodsdyd] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\yjodsdyd.dll"
O4 - HKLM\..\Run: [pmhwtmjy] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\pmhwtmjy.dll"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173714692748
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O20 - Winlogon Notify: winbjv32 - winbjv32.dll (file missing)
O20 - Winlogon Notify: yayxurq - C:\WINDOWS\SYSTEM32\yayxurq.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8695 bytes
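
Editor's note, added to this thread and not part of the original post or of HijackThis: the entries in the log above that a reviewer looks at first are the F2 UserInit line (a second executable chained after userinit.exe runs at every logon), the O4 Run entries that launch a DLL through rundll32/regsvr32 rather than a program, the O20 Winlogon Notify entries (one of them pointing to a DLL that is already gone), and the fact that the same DLL (yayxurq.dll) is registered under two different load points (O2 BHO and O20). The Python below is an example triage pass that flags exactly those patterns. The flagging rules, the severities and the stock-XP UserInit baseline are this example's own assumptions; the sample lines are copied from the posted log.

```python
"""Triage pass over HijackThis-style log lines.

Added example for this thread, not part of the original post or of HijackThis.
The flagging rules below are this example's own assumptions about what a
reviewer looks for; the sample lines are copied from the log posted above.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: a subset of the entries from the posted HijackThis log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wsnpoem.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {34062413-1ABA-8EA5-618A-024C27617594} - C:\Program Files\Isgcvbid\loogzlnv.dll
O2 - BHO: (no name) - {4AA7B12D-AB2C-4D16-BCFB-704945A98FDD} - C:\WINDOWS\system32\yayxurq.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [tkfcpuxi] rundll32.exe "C:\Program Files\tkfcpuxi\vavklwbo.dll",Init
O4 - HKLM\..\Run: [yjodsdyd] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\yjodsdyd.dll"
O20 - Winlogon Notify: winbjv32 - winbjv32.dll (file missing)
O20 - Winlogon Notify: yayxurq - C:\WINDOWS\SYSTEM32\yayxurq.dll
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""

# The only thing that belongs in UserInit on a stock XP box (assumed baseline).
USERINIT_BASELINE = r"c:\windows\system32\userinit.exe"

# Drive-letter paths ending in .dll/.exe/.sys; commas and quotes end a path, so
# the comma-separated UserInit value yields two matches instead of one.
PATH_RE = re.compile(r'[A-Za-z]:\\(?:[^\\",\r\n]+\\)*[^\\",\r\n]+?\.(?:dll|exe|sys)\b', re.IGNORECASE)


@dataclass
class Finding:
    severity: str          # "high" or "medium"
    section: str           # HijackThis section code(s), e.g. "F2" or "O2+O20"
    reason: str
    evidence: list = field(default_factory=list)


def extract_paths(line: str) -> list:
    """Return every drive-letter path to a dll/exe/sys file found in one entry."""
    return PATH_RE.findall(line)


def triage(log_text: str) -> list:
    """Flag the load-point abuses a reviewer checks first in a HijackThis log."""
    findings = []
    load_points = defaultdict(set)   # file basename (lowercased) -> section codes using it

    for line in log_text.splitlines():
        line = line.strip()
        if " - " not in line:
            continue                   # headers, process list, blank lines
        code = line.split(" - ", 1)[0]
        paths = extract_paths(line)
        for p in paths:
            load_points[p.rsplit("\\", 1)[-1].lower()].add(code)

        if code == "F2" and "UserInit=" in line:
            # Anything chained after userinit.exe is started at every interactive logon.
            value = line.split("UserInit=", 1)[1]
            parts = [x.strip().lower() for x in value.split(",") if x.strip()]
            extra = [x for x in parts if x != USERINIT_BASELINE]
            if extra:
                findings.append(Finding("high", code, "extra program chained into UserInit", extra))

        elif code == "O20" and "(file missing)" in line:
            # Winlogon Notify entry whose DLL is gone: dead persistence, still worth removing.
            findings.append(Finding("medium", code, "dangling Winlogon Notify entry", [line]))

        elif code == "O4" and paths and re.search(r"\b(rundll32|regsvr32)\b", line, re.IGNORECASE):
            # Run entry that executes a DLL through a Windows host binary instead of a program.
            findings.append(Finding("high", code, "Run entry loads a DLL via rundll32/regsvr32", paths))

    # The same file registered under more than one load point (here: BHO and Winlogon Notify).
    for name, codes in load_points.items():
        if len(codes) > 1:
            findings.append(Finding("high", "+".join(sorted(codes)), "same file in multiple load points", [name]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason} -> {'; '.join(f.evidence)}")
```

On the sample above this yields five findings: the wsnpoem.exe chained into UserInit, the two rundll32/regsvr32 Run entries, the dangling winbjv32 Notify entry, and yayxurq.dll appearing as both a BHO and a Winlogon Notify DLL. The cross-reference is the point worth copying: a randomly named DLL is hard to judge on its own, but one that shows up under two unrelated load points almost never belongs to legitimate software.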


#2 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 24 September 2007 - 06:15 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 cypr25 (Topic Starter)

Posted 24 September 2007 - 09:51 PM

Wow Sam, awesome response time!

This is where we're at. Another friend of mine had me download Sygate Personal Firewall; he told me he was having the same problem and it was caused by a trojan. The firewall is now blocking all non-program-oriented inbound and outbound events, and asking me whether to allow programs with names. I hear McAfee sucks and that's why it didn't detect anything.

So now I have restarted and that error message did not appear at all. I'm thinking it still must be on my computer but is just blocked, and I hope that's what we can fix now. I'll follow the instructions above, and now you know where we're at!

#4 cypr25 (Topic Starter)

Posted 24 September 2007 - 10:16 PM

My New Log

ComboFix 07-09-21.2 - "My Name" 2007-09-24 22:56:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1502 [GMT -5:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Eeypynkp
C:\Program Files\Eeypynkp\bqturhgy.dll
C:\Program Files\Isgcvbid
C:\Program Files\Isgcvbid\loogzlnv.dll
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe
C:\Program Files\tkfcpuxi
C:\Program Files\tkfcpuxi\vavklwbo.dll
C:\Program Files\Ultimate Cleaner
C:\WINDOWS\system32\byxussq.dll
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\dobe~1\??pPatch\
C:\WINDOWS\system32\drivers\wsnpoem.sys
C:\WINDOWS\system32\pipmon.exe
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\system32\xpdx.sys
C:\WINDOWS\system32\yayxurq.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_WSNPOEM.SYS
-------\wsnpoem.sys
-------\xpdx


((((((((((((((((((((((((( Files Created from 2007-08-25 to 2007-09-25 )))))))))))))))))))))))))))))))
.

2007-09-24 22:54 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-24 19:14 <DIR> d-------- C:\DOCUME~1\ELIZAB~1\APPLIC~1\SiteAdvisor
2007-09-24 17:22 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg6n.sys
2007-09-24 17:22 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg5n.sys
2007-09-24 17:22 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg4n.sys
2007-09-24 17:21 83,096 --a------ C:\WINDOWS\SYSTEM32\SSSensor.dll
2007-09-24 17:21 60,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Teefer.sys
2007-09-24 17:21 21,075 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wpsdrvnt.sys
2007-09-24 17:21 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg3n.sys
2007-09-24 17:21 <DIR> d-------- C:\Program Files\Sygate
2007-09-24 12:05 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-23 21:44 <DIR> d-------- C:\Program Files\SiteAdvisor
2007-09-23 21:44 <DIR> d-------- C:\DOCUME~1\PATPAL~1\APPLIC~1\SiteAdvisor
2007-09-23 21:44 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\SiteAdvisor
2007-09-23 21:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SiteAdvisor
2007-09-21 20:25 <DIR> d-------- C:\DOCUME~1\ELIZAB~1\APPLIC~1\acccore
2007-09-21 19:50 <DIR> d-------- C:\WINDOWS\SYSTEM32\NtmsData
2007-09-21 08:44 <DIR> d-------- C:\WINDOWS\SYSTEM32\srvuqsja
2007-09-07 12:42 71,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2007-09-07 12:42 37,480 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
2007-09-07 12:42 34,184 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2007-09-07 12:42 32,008 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
2007-09-07 12:42 170,408 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2007-09-07 12:41 109,608 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
2007-09-07 12:40 <DIR> d-------- C:\Program Files\McAfee.com
2007-09-07 12:40 <DIR> d-------- C:\Program Files\McAfee
2007-09-07 12:40 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-09-07 12:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-09-06 18:54 76,068 --a------ C:\Program Files\setup.exe
2007-09-06 15:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-06 14:12 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-06 14:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-06 14:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-06 13:29 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-09-06 12:39 39,424 --a------ C:\dyhoftej.exe
2007-09-06 12:39 <DIR> d-------- C:\WINDOWS\SYSTEM32\pdrlhoej
2007-09-06 12:38 94,208 --a------ C:\WINDOWS\SYSTEM32\drvdoz.dll
2007-09-06 12:38 15,360 --a------ C:\WINDOWS\SYSTEM32\drvdozr.dll
2007-08-29 13:01 <DIR> d-------- C:\Program Files\KRU
2007-08-27 10:50 <DIR> d-------- C:\DOCUME~1\PATPAL~1\APPLIC~1\IMVU

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-24 23:09 --------- d-------- C:\Program Files\Steam
2007-09-24 17:39 --------- d-------- C:\Program Files\mIRC
2007-09-06 19:25 --------- d-------- C:\Program Files\BitTorrent
2007-09-06 15:40 --------- d-------- C:\Program Files\DivX
2007-09-05 12:36 --------- d-------- C:\DOCUME~1\PATPAL~1\APPLIC~1\BitTorrent
2007-08-22 20:09 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-08-22 19:45 --------- d-------- C:\DOCUME~1\PATPAL~1\APPLIC~1\Talkback
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\SYSTEM32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
2007-07-19 01:59 3583488 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-07-12 18:31 765952 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\vgx.dll
2007-06-27 09:34 823808 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-06-27 09:34 671232 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-06-27 09:34 6058496 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-06-27 09:34 52224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-06-27 09:34 477696 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-06-27 09:34 459264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-06-27 09:34 44544 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-06-27 09:34 384512 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-06-27 09:34 383488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-06-27 09:34 27648 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-06-27 09:34 267776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-06-27 09:34 232960 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-06-27 09:34 230400 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-06-27 09:34 193024 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-06-27 09:34 153088 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-06-27 09:34 132608 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-06-27 09:34 124928 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-06-27 09:34 1152000 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-06-27 09:34 105984 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-06-27 09:34 102400 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-06-27 03:27 63488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-06-27 03:27 625152 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-06-27 03:27 13824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-06-27 02:00 161792 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2007-06-26 01:08 1104896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msxml3.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 17:24 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"AtiPTA"="atiptaxx.exe" [2001-12-20 22:04 C:\WINDOWS\SYSTEM32\atiptaxx.exe]
"HydraVisionDesktopManager"="desk98.exe" [2001-11-09 19:30 C:\WINDOWS\SYSTEM32\Desk98.exe]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 02:01]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-10-02 18:41]
"DellTouch"="C:\WINDOWS\MMKeybd.exe" [2001-09-05 14:28]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-06-20 03:14]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-06-20 03:05]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 16:57]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17]
"Steam"="c:\program files\steam\steam.exe" [2007-06-28 06:26]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2001-08-31 10:02:02]

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2001-08-31 10:02:02]

C:\DOCUME~1\ELIZAB~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2001-08-31 10:02:02]

C:\DOCUME~1\PATPAL~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2001-08-31 10:02:02]

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2001-08-31 10:02:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbjv32]
winbjv32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe
R2 NetAlrt;NetAlrt;\??\C:\WINDOWS\System32\drivers\NetAlrt.sys
R2 PlatAlrt;PlatAlrt;\??\C:\WINDOWS\System32\drivers\PlatAlrt.sys
R3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
R3 Msikbd2k;DellTouch;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys
R3 pcx1nd5;Toshiba PCX1100U USB Cable Modem networking driver;C:\WINDOWS\system32\DRIVERS\pcx1nd5.sys
R3 pcx1unic;Toshiba PCX1100U USB Cable Modem WDM driver;C:\WINDOWS\system32\DRIVERS\pcx1unic.sys
S2 Nhksrv;Netropa NHK Server;C:\WINDOWS\Nhksrv.exe
S3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
S3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\System32\drivers\NMSCFG.SYS
S3 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-15 07:05:01 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-09-07 17:41:26 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-24 23:08:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-24 23:11:44 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-24 23:11
.
--- E O F ---


It said don't let programs run during the scan when it rebooted, but my McAfee, AOL Instant Messenger, and Sygate all opened on startup.
Also I see in the log I have Spybot S&D and I think Ad-Aware (aawservice.exe? <-- didn't see it in the log), but I tried uninstalling these a while ago and couldn't; one said it didn't have the file needed anymore? Another problem for another time!

#5 Buckeye_Sam (Malware Expert)

Posted 25 September 2007 - 05:06 PM

Copy and paste ALL the following text in the quote box below into Notepad.
Click on File (in the menu at the top) > Save As... / Save as type: 'All Files' / File name: CFScript, and save it to your desktop.

Folder::
C:\WINDOWS\SYSTEM32\srvuqsja
C:\WINDOWS\SYSTEM32\pdrlhoej

File::
C:\dyhoftej.exe
C:\WINDOWS\SYSTEM32\drvdoz.dll
C:\WINDOWS\SYSTEM32\drvdozr.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbjv32]

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image not reproduced: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.

#6 cypr25 (Topic Starter)

Posted 25 September 2007 - 07:36 PM

After I ran that ComboFix yesterday it really started to speed up and get back to what it used to be; the only thing I've seen slowing it was port-scan attacks the firewall tells me about. I did uninstall Ad-Aware and Spybot S&D today. Trying to keep you up to date :) Again, thanks for the help!

Here are the logs!

ComboFix 07-09-21.2 - "Pat Palmer" 2007-09-25 20:25:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1479 [GMT -5:00]
* Created a new restore point

FILE::
C:\dyhoftej.exe
C:\WINDOWS\SYSTEM32\drvdoz.dll
C:\WINDOWS\SYSTEM32\drvdozr.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\dyhoftej.exe
C:\WINDOWS\SYSTEM32\drvdoz.dll
C:\WINDOWS\SYSTEM32\drvdozr.dll
C:\WINDOWS\SYSTEM32\pdrlhoej
C:\WINDOWS\SYSTEM32\pdrlhoej\bg1.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\bgtop.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\bottom1.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\essentials.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\icon1.ico
C:\WINDOWS\SYSTEM32\pdrlhoej\install1.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\left1.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\li.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\logo.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\main.htm
C:\WINDOWS\SYSTEM32\pdrlhoej\mainframe.htm
C:\WINDOWS\SYSTEM32\pdrlhoej\reinstall1.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\right1.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\s1.htm
C:\WINDOWS\SYSTEM32\pdrlhoej\s2.htm
C:\WINDOWS\SYSTEM32\pdrlhoej\s3.htm
C:\WINDOWS\SYSTEM32\pdrlhoej\SMTop1.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\SMTop2.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\SMTop3.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\SMTop4.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\soft1_off.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\soft1_off_ext.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\soft1_on.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\soft1_on_ext.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\soft2_off.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\soft2_off_ext.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\soft2_on.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\soft2_on_ext.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\soft3_off.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\soft3_off_ext.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\soft3_on.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\soft3_on_ext.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\softbottom_off.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\softbottom_on.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\softleft_off.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\softleft_on.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\top1.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\top2.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\turnoff1.gif
C:\WINDOWS\SYSTEM32\pdrlhoej\turnon1.gif
C:\WINDOWS\SYSTEM32\srvuqsja
C:\WINDOWS\SYSTEM32\srvuqsja\bg1.gif
C:\WINDOWS\SYSTEM32\srvuqsja\bgtop.gif
C:\WINDOWS\SYSTEM32\srvuqsja\bottom1.gif
C:\WINDOWS\SYSTEM32\srvuqsja\essentials.gif
C:\WINDOWS\SYSTEM32\srvuqsja\icon1.ico
C:\WINDOWS\SYSTEM32\srvuqsja\install1.gif
C:\WINDOWS\SYSTEM32\srvuqsja\left1.gif
C:\WINDOWS\SYSTEM32\srvuqsja\li.gif
C:\WINDOWS\SYSTEM32\srvuqsja\logo.gif
C:\WINDOWS\SYSTEM32\srvuqsja\main.htm
C:\WINDOWS\SYSTEM32\srvuqsja\mainframe.htm
C:\WINDOWS\SYSTEM32\srvuqsja\reinstall1.gif
C:\WINDOWS\SYSTEM32\srvuqsja\right1.gif
C:\WINDOWS\SYSTEM32\srvuqsja\s1.htm
C:\WINDOWS\SYSTEM32\srvuqsja\s2.htm
C:\WINDOWS\SYSTEM32\srvuqsja\s3.htm
C:\WINDOWS\SYSTEM32\srvuqsja\SMTop1.gif
C:\WINDOWS\SYSTEM32\srvuqsja\SMTop2.gif
C:\WINDOWS\SYSTEM32\srvuqsja\SMTop3.gif
C:\WINDOWS\SYSTEM32\srvuqsja\SMTop4.gif
C:\WINDOWS\SYSTEM32\srvuqsja\soft1_off.gif
C:\WINDOWS\SYSTEM32\srvuqsja\soft1_off_ext.gif
C:\WINDOWS\SYSTEM32\srvuqsja\soft1_on.gif
C:\WINDOWS\SYSTEM32\srvuqsja\soft1_on_ext.gif
C:\WINDOWS\SYSTEM32\srvuqsja\soft2_off.gif
C:\WINDOWS\SYSTEM32\srvuqsja\soft2_off_ext.gif
C:\WINDOWS\SYSTEM32\srvuqsja\soft2_on.gif
C:\WINDOWS\SYSTEM32\srvuqsja\soft2_on_ext.gif
C:\WINDOWS\SYSTEM32\srvuqsja\soft3_off.gif
C:\WINDOWS\SYSTEM32\srvuqsja\soft3_off_ext.gif
C:\WINDOWS\SYSTEM32\srvuqsja\soft3_on.gif
C:\WINDOWS\SYSTEM32\srvuqsja\soft3_on_ext.gif
C:\WINDOWS\SYSTEM32\srvuqsja\softbottom_off.gif
C:\WINDOWS\SYSTEM32\srvuqsja\softbottom_on.gif
C:\WINDOWS\SYSTEM32\srvuqsja\softleft_off.gif
C:\WINDOWS\SYSTEM32\srvuqsja\softleft_on.gif
C:\WINDOWS\SYSTEM32\srvuqsja\top1.gif
C:\WINDOWS\SYSTEM32\srvuqsja\top2.gif
C:\WINDOWS\SYSTEM32\srvuqsja\turnoff1.gif
C:\WINDOWS\SYSTEM32\srvuqsja\turnon1.gif

.
((((((((((((((((((((((((( Files Created from 2007-08-26 to 2007-09-26 )))))))))))))))))))))))))))))))
.

2007-09-25 17:43 21,396 --ah----- C:\WINDOWS\SYSTEM32\mlfcache.dat
2007-09-25 13:36 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-24 22:54 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-24 19:14 <DIR> d-------- C:\DOCUME~1\ELIZAB~1\APPLIC~1\SiteAdvisor
2007-09-24 17:22 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg6n.sys
2007-09-24 17:22 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg5n.sys
2007-09-24 17:22 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg4n.sys
2007-09-24 17:21 83,096 --a------ C:\WINDOWS\SYSTEM32\SSSensor.dll
2007-09-24 17:21 60,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Teefer.sys
2007-09-24 17:21 21,075 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wpsdrvnt.sys
2007-09-24 17:21 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg3n.sys
2007-09-24 17:21 <DIR> d-------- C:\Program Files\Sygate
2007-09-24 12:05 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-23 21:44 <DIR> d-------- C:\Program Files\SiteAdvisor
2007-09-23 21:44 <DIR> d-------- C:\DOCUME~1\PATPAL~1\APPLIC~1\SiteAdvisor
2007-09-23 21:44 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\SiteAdvisor
2007-09-23 21:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SiteAdvisor
2007-09-21 20:25 <DIR> d-------- C:\DOCUME~1\ELIZAB~1\APPLIC~1\acccore
2007-09-21 19:50 <DIR> d-------- C:\WINDOWS\SYSTEM32\NtmsData
2007-09-07 12:42 71,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2007-09-07 12:42 37,480 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
2007-09-07 12:42 34,184 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2007-09-07 12:42 32,008 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
2007-09-07 12:42 170,408 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2007-09-07 12:41 109,608 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
2007-09-07 12:40 <DIR> d-------- C:\Program Files\McAfee.com
2007-09-07 12:40 <DIR> d-------- C:\Program Files\McAfee
2007-09-07 12:40 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-09-07 12:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-09-06 18:54 76,068 --a------ C:\Program Files\setup.exe
2007-09-06 15:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-06 14:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-06 14:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-06 13:29 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-08-29 13:01 <DIR> d-------- C:\Program Files\KRU
2007-08-27 10:50 <DIR> d-------- C:\DOCUME~1\PATPAL~1\APPLIC~1\IMVU

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-25 20:30 --------- d-------- C:\Program Files\Steam
2007-09-25 14:41 --------- d-------- C:\Program Files\mIRC
2007-09-06 19:25 --------- d-------- C:\Program Files\BitTorrent
2007-09-06 15:40 --------- d-------- C:\Program Files\DivX
2007-09-05 12:36 --------- d-------- C:\DOCUME~1\PATPAL~1\APPLIC~1\BitTorrent
2007-08-22 20:09 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-08-22 19:45 --------- d-------- C:\DOCUME~1\PATPAL~1\APPLIC~1\Talkback
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 17:24 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"AtiPTA"="atiptaxx.exe" [2001-12-20 22:04 C:\WINDOWS\SYSTEM32\atiptaxx.exe]
"HydraVisionDesktopManager"="desk98.exe" [2001-11-09 19:30 C:\WINDOWS\SYSTEM32\Desk98.exe]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 02:01]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-10-02 18:41]
"DellTouch"="C:\WINDOWS\MMKeybd.exe" [2001-09-05 14:28]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-06-20 03:14]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-06-20 03:05]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 16:57]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17]
"Steam"="c:\program files\steam\steam.exe" [2007-06-28 06:26]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2001-08-31 10:02:02]

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2001-08-31 10:02:02]

C:\DOCUME~1\ELIZAB~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2001-08-31 10:02:02]

C:\DOCUME~1\PATPAL~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2001-08-31 10:02:02]

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2001-08-31 10:02:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe
R2 NetAlrt;NetAlrt;\??\C:\WINDOWS\System32\drivers\NetAlrt.sys
R2 PlatAlrt;PlatAlrt;\??\C:\WINDOWS\System32\drivers\PlatAlrt.sys
R3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
R3 Msikbd2k;DellTouch;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys
R3 pcx1nd5;Toshiba PCX1100U USB Cable Modem networking driver;C:\WINDOWS\system32\DRIVERS\pcx1nd5.sys
R3 pcx1unic;Toshiba PCX1100U USB Cable Modem WDM driver;C:\WINDOWS\system32\DRIVERS\pcx1unic.sys
S2 Nhksrv;Netropa NHK Server;C:\WINDOWS\Nhksrv.exe
S3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
S3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\System32\drivers\NMSCFG.SYS
S3 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-15 07:05:01 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-09-07 17:41:26 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-25 20:29:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-09-25 20:33:26 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-25 20:32
C:\ComboFix2.txt ... 2007-09-24 23:11
.
--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:34:30 PM, on 9/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cmd.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\MMKeybd.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\program files\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\regedit.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk98.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173714692748
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7799 bytes

Edited by cypr25, 25 September 2007 - 07:38 PM.
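The two logs above are read by hand in this thread: the helper looks for services whose binary is gone, entries with no recorded publisher, and autostart commands that name a bare file rather than a full path. As an added example (not part of the thread and not a HijackThis or BleepingComputer tool), the Python below does that first pass over the O4, O20 and O23 lines. The sample lines are copied from the log above, except the `EXAMPLE~1` service, which is constructed to show a service running from a user-profile directory; the thresholds and reasons are this example's own assumptions, not HijackThis output.

```python
import re
from typing import Dict, List

# Sample lines in HijackThis v2.0.2 format. All but the last O23 line are copied
# from the log above; the EXAMPLE~1 line is constructed for illustration.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe (file missing)
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: Example Svc (exsvc) - Unknown owner - C:\DOCUME~1\ALLUSE~1\APPLIC~1\EXAMPLE~1\svc.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
# Directories a service binary normally has no business living in (assumption of this example).
PROFILE_HINTS = ("\\DOCUME~1\\", "\\DOCUMENTS AND SETTINGS\\", "\\TEMP\\", "\\APPLIC~1\\")


def triage_hjt(log_text: str) -> List[Dict]:
    """Return one finding per autostart/service entry that deserves a closer look."""
    findings: List[Dict] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd").lstrip('"')
            if not DRIVE_RE.match(cmd):
                # A bare file name is resolved through the search path, so the
                # binary that actually runs is not pinned down by this entry.
                findings.append({"kind": "O4", "name": m.group("name"), "path": cmd,
                                 "reasons": ["no full path; binary resolved via search path"]})
            continue

        m = O20_RE.match(line)
        if m:
            # Winlogon Notify DLLs load into winlogon.exe at logon; legitimate
            # security software uses this too, so it is a review item, not a verdict.
            findings.append({"kind": "O20", "name": m.group("name"), "path": m.group("path"),
                             "reasons": ["DLL loaded by winlogon.exe; confirm it belongs to installed software"]})
            continue

        m = O23_RE.match(line)
        if m:
            reasons = []
            if m.group("missing"):
                reasons.append("service binary no longer exists (orphaned entry)")
            if m.group("owner").strip().lower() == "unknown owner":
                reasons.append("no publisher recorded; verify the binary's signature and path")
            if any(h in m.group("path").upper() for h in PROFILE_HINTS):
                reasons.append("service runs from a user-profile or temp directory")
            if reasons:
                findings.append({"kind": "O23", "name": m.group("name"),
                                 "path": m.group("path"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"{f['kind']:>4} {f['name']}: {'; '.join(f['reasons'])}")
```

On the sample this flags the bare `Ati2mdxx.exe` entry, the `!SASWinLogon` notify DLL, the orphaned `Nhksrv` service (two reasons), the publisher-less SiteAdvisor service, and the constructed profile-directory service, while the Intel and McAfee services pass. A finding means "look at it", exactly as in the thread: `Nhksrv` is dead weight to clean up, SiteAdvisor is a product the user installed.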


#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 26 September 2007 - 09:05 AM

Your logs are looking pretty good. But let's run a very thorough scan for malware just to clean up anything we missed.

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If the log is large you may need to post it in separate posts.
Also post one last hijackthis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 cypr25

cypr25
  • Topic Starter

  • Members
  • 5 posts

Posted 26 September 2007 - 04:37 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/26/2007 at 05:26 PM

Application Version : 3.9.1008

Core Rules Database Version : 3313
Trace Rules Database Version: 1316

Scan type : Complete Scan
Total Scan Time : 01:29:40

Memory items scanned : 455
Memory threats detected : 0
Registry items scanned : 4280
Registry threats detected : 0
File items scanned : 61203
File threats detected : 66

Adware.Tracking Cookie
C:\Documents and Settings\Pat Palmer\Cookies\pat_palmer@tremor.adbureau[2].txt
C:\Documents and Settings\Pat Palmer\Cookies\pat_palmer@trafficmp[2].txt
C:\Documents and Settings\Pat Palmer\Cookies\pat_palmer@reduxads.valuead[2].txt
C:\Documents and Settings\Pat Palmer\Cookies\pat_palmer@overture[1].txt
C:\Documents and Settings\Pat Palmer\Cookies\pat_palmer@atwola[1].txt
C:\Documents and Settings\Pat Palmer\Cookies\pat_palmer@keywordmax[1].txt
C:\Documents and Settings\Pat Palmer\Cookies\pat_palmer@blethenmaine.112.2o7[1].txt
C:\Documents and Settings\Pat Palmer\Cookies\pat_palmer@bs.serving-sys[1].txt
C:\Documents and Settings\Pat Palmer\Cookies\pat_palmer@imrworldwide[2].txt
C:\Documents and Settings\Pat Palmer\Cookies\pat_palmer@cpvfeed[2].txt
C:\Documents and Settings\Pat Palmer\Cookies\pat_palmer@journalregistercompany.122.2o7[1].txt
C:\Documents and Settings\Pat Palmer\Cookies\pat_palmer@2o7[2].txt
C:\Documents and Settings\Pat Palmer\Cookies\pat_palmer@tribalfusion[2].txt
C:\Documents and Settings\Pat Palmer\Cookies\pat_palmer@ar.atwola[1].txt
C:\Documents and Settings\Pat Palmer\Cookies\pat_palmer@questionmarket[2].txt
C:\Documents and Settings\Pat Palmer\Cookies\pat_palmer@tacoda[1].txt
C:\Documents and Settings\Pat Palmer\Cookies\pat_palmer@rotator.adjuggler[2].txt
C:\Documents and Settings\Pat Palmer\Cookies\pat_palmer@adopt.specificclick[2].txt
C:\Documents and Settings\Pat Palmer\Cookies\pat_palmer@serving-sys[1].txt
C:\Documents and Settings\Pat Palmer\Cookies\pat_palmer@atdmt[2].txt
C:\Documents and Settings\Pat Palmer\Cookies\pat_palmer@adopt.euroclick[2].txt
C:\Documents and Settings\Pat Palmer\Cookies\pat_palmer@fdau.adbureau[1].txt
C:\Documents and Settings\Pat Palmer\Cookies\pat_palmer@richmedia.yahoo[1].txt
C:\Documents and Settings\Pat Palmer\Cookies\pat_palmer@revsci[1].txt
C:\Documents and Settings\Pat Palmer\Cookies\pat_palmer@specificclick[2].txt
C:\Documents and Settings\Pat Palmer\Cookies\pat_palmer@perf.overture[1].txt
C:\Documents and Settings\Pat Palmer\Cookies\pat_palmer@precisionclick[1].txt
C:\Documents and Settings\Pat Palmer\Cookies\pat_palmer@realmedia[2].txt
C:\Documents and Settings\Pat Palmer\Cookies\pat_palmer@112.2o7[2].txt
C:\Documents and Settings\Elizabeth Palmer\Cookies\elizabeth palmer@ad.yieldmanager[1].txt
C:\Documents and Settings\Elizabeth Palmer\Cookies\elizabeth palmer@atwola[1].txt
C:\Documents and Settings\Elizabeth Palmer\Cookies\elizabeth palmer@bs.serving-sys[2].txt
C:\Documents and Settings\Elizabeth Palmer\Cookies\elizabeth palmer@keybank.112.2o7[1].txt
C:\Documents and Settings\Elizabeth Palmer\Cookies\elizabeth palmer@revsci[2].txt
C:\Documents and Settings\Elizabeth Palmer\Cookies\elizabeth palmer@serving-sys[1].txt
C:\Documents and Settings\Elizabeth Palmer\Cookies\elizabeth_palmer@adinterax[1].txt
C:\Documents and Settings\Elizabeth Palmer\Cookies\elizabeth_palmer@advertising[2].txt
C:\Documents and Settings\Elizabeth Palmer\Cookies\elizabeth_palmer@atdmt[2].txt
C:\Documents and Settings\Elizabeth Palmer\Cookies\elizabeth_palmer@ehg-yahoo.hitbox[2].txt
C:\Documents and Settings\Elizabeth Palmer\Cookies\elizabeth_palmer@hitbox[2].txt
C:\Documents and Settings\Elizabeth Palmer\Cookies\elizabeth_palmer@imrworldwide[2].txt
C:\Documents and Settings\Elizabeth Palmer\Cookies\elizabeth_palmer@mediaplex[2].txt
C:\Documents and Settings\Elizabeth Palmer\Cookies\elizabeth_palmer@msnportal.112.2o7[1].txt
C:\Documents and Settings\Elizabeth Palmer\Cookies\elizabeth_palmer@questionmarket[1].txt
C:\Documents and Settings\Elizabeth Palmer\Cookies\elizabeth_palmer@richmedia.yahoo[2].txt

Trojan.Downloader-Gen/BigTkt
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRVDOZR.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP232\A0101779.DLL

Trojan.Downloader-PIP Mon
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\PIPMON.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP229\A0101581.EXE

Adware.Search2Find
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP202\A0075720.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP202\A0075721.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP202\A0075722.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP202\A0075726.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP202\A0075727.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP202\A0075728.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP206\A0084794.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP206\A0084795.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP206\A0084796.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP220\A0089169.LNK

Trojan.Downloader-Gen/AVP
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP206\A0082795.EXE

Trojan.Downloader-Gen/MobRules
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP206\A0082797.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP206\A0082798.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP229\A0101574.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP229\A0101575.DLL

Trojan.Downloader-Gen/HitItQuitIt
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP229\A0101577.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP229\A0101586.DLL




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:28 PM, on 9/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\MMKeybd.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\AIM6\aim6.exe
C:\program files\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk98.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173714692748
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7919 bytes
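The SUPERAntiSpyware log above is what lets Buckeye_Sam say "nothing active": every non-cookie hit sits either in ComboFix's `C:\QOOBOX\QUARANTINE` folder (already-neutralised `.VIR` copies) or inside a System Restore point under `System Volume Information`, which is why the next step is to flush System Restore. As an added example (not part of the thread and not a SUPERAntiSpyware feature), the Python below parses the detections section of such a log and sorts each path into quarantine, restore point, tracking cookie or live on-disk file, and lists which restore points (RPnnn) hold the dormant copies. The sample is a subset of the log above plus one constructed `EXAMPLE~1` entry, marked as such, to show what a live detection would look like; the location rules are this example's assumptions.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Sample detections in SUPERAntiSpyware scan-log format: a family name on one line,
# then one path per line. All entries except the "Example.Constructed" block are copied
# from the log above; that block is constructed to show a live (non-quarantined) hit.
SAMPLE_SAS_LOG = r"""
Adware.Tracking Cookie
C:\Documents and Settings\Pat Palmer\Cookies\pat_palmer@atdmt[2].txt
C:\Documents and Settings\Elizabeth Palmer\Cookies\elizabeth_palmer@hitbox[2].txt

Trojan.Downloader-Gen/BigTkt
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRVDOZR.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP232\A0101779.DLL

Trojan.Downloader-PIP Mon
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\PIPMON.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP229\A0101581.EXE

Trojan.Downloader-Gen/AVP
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP206\A0082795.EXE

Example.Constructed-Live (constructed entry, not from the log)
C:\WINDOWS\SYSTEM32\EXAMPLE~1\still-here.dll
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
RESTORE_RE = re.compile(
    r"\\SYSTEM VOLUME INFORMATION\\_RESTORE\{[0-9A-F-]+\}\\RP(\d+)\\", re.IGNORECASE
)
QUARANTINE_PREFIX = "C:\\QOOBOX\\QUARANTINE\\"   # ComboFix's quarantine folder


def classify_path(path: str) -> Tuple[str, Optional[int]]:
    """Return (location class, restore-point number or None) for one detected path."""
    m = RESTORE_RE.search(path)
    if m:
        # Copy saved by System Restore; inert until a restore point is applied.
        return "restore_point", int(m.group(1))
    if path.upper().startswith(QUARANTINE_PREFIX):
        # Already moved and renamed by ComboFix; cannot run from here.
        return "quarantine", None
    if "\\COOKIES\\" in path.upper():
        return "tracking_cookie", None
    # Anything else is a file in a live location and needs real attention.
    return "live", None


def parse_sas_log(text: str) -> List[Dict]:
    """Walk the log: a non-path line names the family for the path lines that follow it."""
    family: Optional[str] = None
    rows: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            if family is None:
                continue  # a path before any family header: nothing to attribute it to
            loc, rp = classify_path(line)
            rows.append({"family": family, "path": line, "location": loc, "restore_point": rp})
        else:
            family = line
    return rows


def summarize(rows: List[Dict]) -> Dict:
    """Counts per location, the restore points that hold malware, and the live hits."""
    counts = Counter(r["location"] for r in rows)
    rps = sorted({r["restore_point"] for r in rows if r["restore_point"] is not None})
    live = [r for r in rows if r["location"] == "live"]
    return {"counts": dict(counts), "restore_points": rps, "live": live}


if __name__ == "__main__":
    report = summarize(parse_sas_log(SAMPLE_SAS_LOG))
    print("by location:", report["counts"])
    print("restore points holding malware:", report["restore_points"])
    for r in report["live"]:
        print("LIVE:", r["family"], "->", r["path"])
```

Run on the full log in the post the `live` list is empty, which is the programmatic version of "nothing active"; the `restore_points` list (RP202, RP206, RP220, RP229, RP232 in that log) is what the System Restore flush in the next reply removes. Any entry that lands in `live` is the one to chase before declaring the machine clean.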

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 27 September 2007 - 07:13 AM

Good! Nothing active picked up there, although we do want to flush out your old restore points.


Flush your System Restore. This will delete any restore points that you have, but it will also make sure that any malware hiding in System Restore is booted off.

Turn off System Restore:
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer, turn it back on and create a restore point.

Create a restore point:
  • Click Start and point to All Programs.
  • Mouse over Accessories, then System Tools, and select System Restore.
  • In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
  • Type a description for your new restore point. Something like "After cleanup". Click Create and you're done.


================


Otherwise, everything looks good to me! :blink:


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millennium System Restore

    or

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup: :wacko:
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
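The Internet Explorer settings in the "Make your Internet Explorer more secure" list above are stored per user in the registry, so they can be checked, and put back if a hijacker has lowered them, without clicking through the Custom Level dialog. The following is an added Python example, not code from the post or from any product it mentions. The value names and the 0 = Enable / 1 = Prompt / 3 = Disable encoding are the documented Internet Explorer URL-action values for the Internet zone (zone 3); the "weakened" sample profile is constructed, and the two winreg functions only run on Windows.

```python
from typing import Dict, List, Tuple

# Per-user settings for the Internet zone (zone 3). Each URL action is a DWORD
# value named by its action id; data 0 = Enable, 1 = Prompt, 3 = Disable.
INTERNET_ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
# Higher number = more restrictive, so "weaker than recommended" is one comparison.
RESTRICTIVENESS = {ENABLE: 0, PROMPT: 1, DISABLE: 2}

# (registry value name, label as shown in the Custom Level dialog, setting the post recommends)
RECOMMENDED: List[Tuple[str, str, int]] = [
    ("1001", "Download signed ActiveX controls", PROMPT),
    ("1004", "Download unsigned ActiveX controls", DISABLE),
    ("1201", "Initialize and script ActiveX controls not marked as safe", DISABLE),
    ("1800", "Installation of desktop items", PROMPT),
    ("1804", "Launching programs and files in an IFRAME", PROMPT),
    ("1607", "Navigate sub-frames across different domains", PROMPT),
]


def audit_internet_zone(current: Dict[str, int]) -> List[str]:
    """Return one message per action set weaker than the post recommends (or not
    present at all), given a mapping of value name -> DWORD data."""
    problems = []
    for name, label, wanted in RECOMMENDED:
        have = current.get(name)
        if have is None:
            problems.append(f"{name} {label}: value not present, cannot confirm")
        elif RESTRICTIVENESS.get(have, -1) < RESTRICTIVENESS[wanted]:
            problems.append(f"{name} {label}: {LEVEL_NAME.get(have, have)} -> set to {LEVEL_NAME[wanted]}")
    return problems


def recommended_values() -> Dict[str, int]:
    """The hardened configuration as a value-name -> data mapping."""
    return {name: wanted for name, _, wanted in RECOMMENDED}


def read_internet_zone() -> Dict[str, int]:
    """Read the live Internet-zone values for the current user (Windows only)."""
    import winreg
    found: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_ZONE_KEY) as key:
        for name, _, _ in RECOMMENDED:
            try:
                data, _ = winreg.QueryValueEx(key, name)
                found[name] = int(data)
            except OSError:
                pass  # value not present for this user
    return found


def harden_internet_zone() -> List[str]:
    """Write the recommended values for the current user (Windows only) and return
    what changed. Same effect as the Custom Level clicks described in the post."""
    import winreg
    before = read_internet_zone()
    changed = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_ZONE_KEY, 0, winreg.KEY_SET_VALUE) as key:
        for name, label, wanted in RECOMMENDED:
            if before.get(name) != wanted:
                winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, wanted)
                changed.append(f"{name} {label} -> {LEVEL_NAME[wanted]}")
    return changed


# Constructed sample: a profile where everything except desktop items has been
# opened up, the state malware that drops ActiveX components tends to leave behind.
WEAKENED_SAMPLE = {"1001": ENABLE, "1004": ENABLE, "1201": ENABLE,
                   "1800": PROMPT, "1804": ENABLE, "1607": ENABLE}

if __name__ == "__main__":
    for line in audit_internet_zone(WEAKENED_SAMPLE):
        print(line)
    print("hardened profile:", audit_internet_zone(recommended_values()) or "nothing to change")
```

A setting that is stricter than the post asks for (Disable where it says Prompt) is not reported, and a value that is absent is reported as unverified rather than assumed safe, since Internet Explorer then falls back to whatever the zone template supplies.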

