
Popups And A Trojan Issue Please Assist


  • This topic is locked
28 replies to this topic

#1 doomgiver13

doomgiver13

  • Members
  • 103 posts

Posted 22 October 2007 - 03:37 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:35, on 07-10-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\oracle\ora9i\bin\omtsreco.exe
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe
C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\winshow.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Funk Software\Odyssey Client\odtray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\dschlemeieradmin\Desktop\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://inside.rgare.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://Resource.RGARE.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://rotator.adjuggler.com/servlet/ajrot...&dim=276502
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {BACEB7AF-8D88-456E-82D0-7BEB9A4410FE} - C:\WINDOWS\system32\vtssttt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Microsoft Forefront Client Security Antimalware Service] "C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" -hide
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=https://Resource.RGARE.com
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rgare.net
O17 - HKLM\Software\..\Telephony: DomainName = rgare.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rgare.net
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect Corporate\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateService.exe
O23 - Service: iPCAgent - Unknown owner - C:\Program Files\iPass\Corporate\iPCAgent.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora9i\bin\omtsreco.exe
O23 - Service: Oracleora9iClientCache - Unknown owner - C:\oracle\ora9i\BIN\ONRSD.EXE
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 8321 bytes
If you truly live by the sword, it only stands to reason that someone has to die by it.


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 22 October 2007 - 04:04 PM

Hello doomgiver13

Welcome back to Bleeping Computer :thumbsup:

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with the fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can reenable TeaTimer once your system is clean.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 doomgiver13

doomgiver13
  • Topic Starter

  • Members
  • 103 posts

Posted 22 October 2007 - 04:16 PM

"dschlemeieradmin" - 07-10-22 16:08:32 Service Pack 2
ComboFix 07-04-25.1V - Running from: "C:\Documents and Settings\dschlemeieradmin\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-09-22 to 2007-10-22 ))))))))))))))))))))))))))))))))))


2007-10-22 10:37 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-10-22 10:35 <DIR> d-------- C:\!KillBox
2007-10-22 10:12 <DIR> d-------- C:\DOCUME~1\DSCHLE~1\APPLIC~1\Google
2007-10-22 10:02 1,048,576 --ah----- C:\DOCUME~1\DSCHLE~1\NTUSER.DAT
2007-10-22 10:02 <DIR> d-------- C:\Temp\SMSACTIONS
2007-10-22 10:02 <DIR> d-------- C:\DOCUME~1\DSCHLE~1\APPLIC~1\Funk Software
2007-10-18 11:07 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-18 11:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-10-18 11:06 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-18 11:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-10-18 11:02 <DIR> d-------- C:\DOCUME~1\GWHIPP~1\APPLIC~1\Funk Software
2007-10-18 11:01 2,097,152 --ah----- C:\DOCUME~1\GWHIPP~1\NTUSER.DAT
2007-10-17 09:14 <DIR> d-------- C:\VundoFix Backups
2007-10-16 12:46 1 --a------ C:\WINDOWS\tsitra77.exe
2007-10-16 12:46 <DIR> d-------- C:\WINDOWS\system32\oTt08e
2007-10-16 12:46 <DIR> d-------- C:\Temp\fCOe
2007-10-16 12:45 35,840 --a------ C:\WINDOWS\winshow.exe
2007-10-16 12:45 34,304 --------- C:\WINDOWS\system32\vtssttt.dll
2007-10-15 09:24 <DIR> d-------- C:\aura
2007-10-11 08:29 <DIR> d-------- C:\Program Files\iTunes
2007-10-11 08:29 <DIR> d-------- C:\Program Files\iPod
2007-10-11 08:29 <DIR> d-------- C:\DOCUME~1\cchilds\APPLIC~1\Apple Computer
2007-10-11 08:28 <DIR> d-------- C:\Program Files\QuickTime
2007-10-11 08:28 <DIR> d-------- C:\Program Files\Apple Software Update
2007-10-11 08:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-10-11 08:27 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-10-11 08:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-10-08 13:22 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2007-10-08 13:19 <DIR> d-------- C:\Program Files\Business Objects
2007-10-08 13:18 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2007-10-08 13:17 <DIR> d-------- C:\Program Files\RTP Inc
2007-10-04 16:00 <DIR> d-------- C:\DOCUME~1\cchilds\APPLIC~1\AdobeUM
2007-10-04 15:25 <DIR> d-------- C:\DOCUME~1\cchilds\APPLIC~1\Viewpoint
2007-10-04 14:39 <DIR> d-------- C:\DOCUME~1\cchilds\Contacts
2007-10-04 14:38 <DIR> d-------- C:\Program Files\MSN Messenger
2007-10-04 14:35 <DIR> d--hs---- C:\RECYCLER
2007-10-04 14:28 <DIR> d-------- C:\DOCUME~1\cchilds\APPLIC~1\acccore
2007-10-04 14:25 <DIR> d-------- C:\Program Files\Viewpoint
2007-10-04 14:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-10-04 14:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-10-04 14:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-10-04 14:24 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-10-04 14:24 <DIR> d-------- C:\Program Files\AIM6
2007-10-04 14:24 <DIR> d-------- C:\DOCUME~1\cchilds\APPLIC~1\Google
2007-10-04 14:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-10-04 14:23 <DIR> d-------- C:\Program Files\Google
2007-10-04 14:01 <DIR> d-------- C:\Program Files\Folio
2007-10-04 14:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-10-04 13:56 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2007-10-04 13:56 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2007-10-04 13:49 <DIR> d-------- C:\Program Files\Bonjour
2007-10-04 13:45 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-10-04 13:40 299,008 --a------ C:\WINDOWS\uninst.exe
2007-10-04 13:38 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-10-04 13:35 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-10-04 13:35 36,224 --a------ C:\WINDOWS\system32\drivers\hidclass.sys
2007-10-04 13:35 24,960 --a------ C:\WINDOWS\system32\drivers\hidparse.sys
2007-10-04 13:35 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-10-04 13:09 <DIR> d-------- C:\Program Files\RealVNC
2007-10-04 13:09 <DIR> d-------- C:\DOCUME~1\cchilds\APPLIC~1\Funk Software
2007-10-04 13:08 2,097,152 --ah----- C:\DOCUME~1\cchilds\NTUSER.DAT
2007-10-01 10:01 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-10-01 09:57 70,144 --a------ C:\WINDOWS\KPFP32.DLL
2007-10-01 09:57 58,368 --a------ C:\WINDOWS\pfpick.dll
2007-10-01 09:57 53,760 --a------ C:\WINDOWS\PTPICK32.DLL
2007-10-01 09:57 48,128 --a------ C:\WINDOWS\KPSYS32.DLL
2007-10-01 09:57 42,483 --a------ C:\WINDOWS\ICCCODES.DAT
2007-10-01 09:57 39,095 --a------ C:\WINDOWS\Iccsigs.dat
2007-10-01 09:57 31,744 --a------ C:\WINDOWS\KPSHARP.DLL
2007-10-01 09:57 31,232 --a------ C:\WINDOWS\KPSCALE.DLL
2007-10-01 09:57 243,712 --a------ C:\WINDOWS\KPCP32.DLL
2007-10-01 09:57 20,992 --a------ C:\WINDOWS\icccodes.dll
2007-10-01 09:57 156,672 --a------ C:\WINDOWS\sprof32.dll
2007-10-01 09:56 94,285 --a------ C:\WINDOWS\system32\MSVCIRTD.DLL
2007-10-01 09:56 6,144 --a------ C:\WINDOWS\system32\W95FIBER.DLL
2007-10-01 09:56 5,632 --a------ C:\WINDOWS\system32\MFCUIA32.DLL
2007-10-01 09:56 401,484 --a------ C:\WINDOWS\system32\MSVCRTD.DLL
2007-10-01 09:56 33,424 --a------ C:\WINDOWS\system32\URLCACHE.DLL
2007-10-01 09:56 322,832 --a------ C:\WINDOWS\system32\MFC30.DLL
2007-10-01 09:56 32,792 --a------ C:\WINDOWS\SPWHPT.DLL
2007-10-01 09:56 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2007-10-01 09:56 210,944 --a------ C:\WINDOWS\system32\MSVCRT10.DLL
2007-10-01 09:56 133,904 --a------ C:\WINDOWS\system32\MFCANS32.DLL
2007-10-01 09:56 133,392 --a------ C:\WINDOWS\system32\MFCO30.DLL
2007-10-01 09:56 <DIR> d-------- C:\WINDOWS\system32\Color
2007-10-01 09:56 <DIR> d-------- C:\Kpcms
2007-10-01 09:52 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-10-01 09:36 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\iPassConnect
2007-10-01 09:30 36,864 --a------ C:\WINDOWS\system32\AvayaGina.dll
2007-10-01 09:30 327,168 --a------ C:\WINDOWS\IsUninst.exe
2007-10-01 09:30 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-10-01 09:29 <DIR> d-------- C:\VPNet
2007-10-01 09:15 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-10-01 09:15 <DIR> d-------- C:\Program Files\Common Files\Software SupraSoft Shared
2007-10-01 09:15 <DIR> d-------- C:\Program Files\Common Files\Software Sheridan Shared
2007-10-01 09:15 <DIR> d-------- C:\Program Files\Common Files\Software GridEx Shared
2007-10-01 09:15 <DIR> d-------- C:\Program Files\Common Files\Software FX Shared
2007-10-01 09:04 <DIR> dr-h----- C:\MSOCache
2007-10-01 08:50 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Funk Software
2007-09-28 15:45 <DIR> d-------- C:\DOCUME~1\gwhipple\APPLIC~1\Funk Software
2007-09-28 15:44 786,432 --ah----- C:\DOCUME~1\gwhipple\NTUSER.DAT
2007-09-28 15:41 172,032 --a------ C:\WINDOWS\system32\igfxres.dll
2007-09-28 15:04 <DIR> d-------- C:\Temp\Odyssey
2007-09-28 15:03 643,150 --a------ C:\WINDOWS\system32\odGinaLibrary.dll
2007-09-28 15:03 147,522 --a------ C:\WINDOWS\system32\odyGina.dll
2007-09-28 15:03 106,496 --a------ C:\WINDOWS\system32\odyEvent.dll
2007-09-28 15:03 <DIR> d-------- C:\Program Files\Funk Software
2007-09-28 15:03 <DIR> d-------- C:\Program Files\Common Files\Funk Software
2007-09-28 15:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\iPass
2007-09-28 14:59 73,728 --------- C:\WINDOWS\system32\ipgina.dll
2007-09-28 14:58 65,605 --a------ C:\WINDOWS\system32\iPassAE5.dll
2007-09-28 14:58 21,419 --a------ C:\WINDOWS\system32\drivers\iPassP.sys
2007-09-28 14:58 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-09-28 14:58 <DIR> d-------- C:\Temp\ViewMail
2007-09-28 14:58 <DIR> d-------- C:\Program Files\ViewMail
2007-09-28 14:58 <DIR> d-------- C:\Program Files\iPass
2007-09-28 14:58 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-09-28 14:57 67,784 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys
2007-09-28 14:57 <DIR> d-------- C:\Temp\Communicator
2007-09-28 14:57 <DIR> d-------- C:\Program Files\Microsoft Office Communicator
2007-09-28 14:56 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-09-28 14:56 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-09-28 14:56 <DIR> d-------- C:\Program Files\Microsoft Forefront
2007-09-28 14:54 262,144 --a------ C:\DOCUME~1\ALLUSE~1\NTUSER.DAT
2007-09-28 14:54 <DIR> d--hs---- C:\WINDOWS\CSC
2007-09-28 14:54 <DIR> d-------- C:\WINDOWS\system32\ReinstallBackups
2007-09-28 14:51 90,112 --a------ C:\WINDOWS\system32\STACSV.EXE
2007-09-28 14:51 4,736 --a------ C:\WINDOWS\system32\drivers\usbd.sys
2007-09-28 14:51 393,216 --a------ C:\WINDOWS\system32\igxpun.exe
2007-09-28 14:51 303,104 --a------ C:\WINDOWS\STSYSTRA.EXE
2007-09-28 14:51 1,601,536 --a------ C:\WINDOWS\system32\STLANG.DLL
2007-09-28 14:51 <DIR> d-------- C:\WINDOWS\system32\x64
2007-09-28 14:51 <DIR> d-------- C:\WINDOWS\system32\Lang
2007-09-28 14:51 <DIR> d-------- C:\Program Files\Sigmatel
2007-09-28 14:51 <DIR> d-------- C:\Program Files\CONEXANT
2007-09-28 14:50 9,344 --a------ C:\WINDOWS\system32\drivers\compbatt.sys
2007-09-28 14:50 8,832 --a------ C:\WINDOWS\system32\drivers\wmiacpi.sys
2007-09-28 14:50 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2007-09-28 14:50 7,168 --a------ C:\WINDOWS\system32\hccoin.dll
2007-09-28 14:50 61,056 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2007-09-28 14:50 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2007-09-28 14:50 57,600 --a------ C:\WINDOWS\system32\drivers\usbhub.sys
2007-09-28 14:50 53,248 --a------ C:\WINDOWS\system32\drivers\1394bus.sys
2007-09-28 14:50 319,456 --a------ C:\WINDOWS\system32\difxapi.dll
2007-09-28 14:50 26,624 --a------ C:\WINDOWS\system32\drivers\usbehci.sys
2007-09-28 14:50 20,480 --a------ C:\WINDOWS\system32\drivers\usbuhci.sys
2007-09-28 14:50 142,976 --a------ C:\WINDOWS\system32\drivers\usbport.sys
2007-09-28 14:50 14,080 --a------ C:\WINDOWS\system32\drivers\CmBatt.sys
2007-09-28 14:50 14,080 --a------ C:\WINDOWS\system32\drivers\battc.sys
2007-09-28 14:50 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-09-28 14:50 <DIR> d-------- C:\Program Files\Apoint
2007-09-28 14:49 <DIR> d--hs---- C:\System Volume Information


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-07-13 07:52 62 --ahs---- C:\DOCUME~1\DSCHLE~1\APPLIC~1\desktop.ini


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar1.dll
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
{BACEB7AF-8D88-456E-82D0-7BEB9A4410FE} C:\WINDOWS\system32\vtssttt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"DellTouch"="C:\\WINDOWS\\MMKeybd.exe"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
"SigmatelSysTrayApp"="stsystra.exe"
"Microsoft Forefront Client Security Antimalware Service"="\"C:\\Program Files\\Microsoft Forefront\\Client Security\\Client\\Antimalware\\MSASCui.exe\" -hide"
"OdTray.exe"="\"C:\\Program Files\\Funk Software\\Odyssey Client\\OdTray.exe\""
@=""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"winshow"="\"C:\\WINDOWS\\winshow.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Communicator"="\"C:\\Program Files\\Microsoft Office Communicator\\Communicator.exe\""
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=dword:00000001
"ForceStartMenuLogOff"=dword:00000001
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowRun]
"1"="sysupd.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{BACEB7AF-8D88-456E-82D0-7BEB9A4410FE}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\FCSAM

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Quick Scan.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\MP Scheduled Signature Update.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-22 16:10:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-10-22 16:10:16
C:\ComboFix-quarantined-files.txt ... 07-10-22 16:10
C:\ComboFix2.txt ... 07-10-22 10:37





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:13, on 07-10-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\oracle\ora9i\bin\omtsreco.exe
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe
C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\winshow.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Funk Software\Odyssey Client\odtray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://inside.rgare.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://Resource.RGARE.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://rotator.adjuggler.com/servlet/ajrot...&dim=276502
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {BACEB7AF-8D88-456E-82D0-7BEB9A4410FE} - C:\WINDOWS\system32\vtssttt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Microsoft Forefront Client Security Antimalware Service] "C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" -hide
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=https://Resource.RGARE.com
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rgare.net
O17 - HKLM\Software\..\Telephony: DomainName = rgare.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rgare.net
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect Corporate\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateService.exe
O23 - Service: iPCAgent - Unknown owner - C:\Program Files\iPass\Corporate\iPCAgent.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora9i\bin\omtsreco.exe
O23 - Service: Oracleora9iClientCache - Unknown owner - C:\oracle\ora9i\BIN\ONRSD.EXE
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7900 bytes
If you truly live by the sword, it only stands to reason that someone has to die by it.

#4 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 22 October 2007 - 04:25 PM

K, that didn't go as well as it should have. :thumbsup: I need for you to go offline and disable all your protection programs, then run ComboFix again. Of course, reenable them after you run it and before you come back online. :blink:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 doomgiver13

  • Topic Starter
  • Members
  • 103 posts

Posted 22 October 2007 - 04:30 PM

In process. Luckily, I have multiple machines available for this task...hehe

#6 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 22 October 2007 - 04:32 PM

Good deal. :thumbsup:

#7 doomgiver13

  • Topic Starter
  • Members
  • 103 posts

Posted 22 October 2007 - 04:35 PM

"dschlemeieradmin" - 07-10-22 16:30:24 Service Pack 2
ComboFix 07-04-25.1V - Running from: "C:\Documents and Settings\dschlemeieradmin\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-09-22 to 2007-10-22 ))))))))))))))))))))))))))))))))))


2007-10-22 10:37 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-10-22 10:35 <DIR> d-------- C:\!KillBox
2007-10-22 10:12 <DIR> d-------- C:\DOCUME~1\DSCHLE~1\APPLIC~1\Google
2007-10-22 10:02 1,048,576 --ah----- C:\DOCUME~1\DSCHLE~1\NTUSER.DAT
2007-10-22 10:02 <DIR> d-------- C:\Temp\SMSACTIONS
2007-10-22 10:02 <DIR> d-------- C:\DOCUME~1\DSCHLE~1\APPLIC~1\Funk Software
2007-10-18 11:07 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-18 11:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-10-18 11:06 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-18 11:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-10-18 11:02 <DIR> d-------- C:\DOCUME~1\GWHIPP~1\APPLIC~1\Funk Software
2007-10-18 11:01 2,097,152 --ah----- C:\DOCUME~1\GWHIPP~1\NTUSER.DAT
2007-10-17 09:14 <DIR> d-------- C:\VundoFix Backups
2007-10-16 12:46 1 --a------ C:\WINDOWS\tsitra77.exe
2007-10-16 12:46 <DIR> d-------- C:\WINDOWS\system32\oTt08e
2007-10-16 12:46 <DIR> d-------- C:\Temp\fCOe
2007-10-16 12:45 35,840 --a------ C:\WINDOWS\winshow.exe
2007-10-16 12:45 34,304 --------- C:\WINDOWS\system32\vtssttt.dll
2007-10-15 09:24 <DIR> d-------- C:\aura
2007-10-11 08:29 <DIR> d-------- C:\Program Files\iTunes
2007-10-11 08:29 <DIR> d-------- C:\Program Files\iPod
2007-10-11 08:29 <DIR> d-------- C:\DOCUME~1\cchilds\APPLIC~1\Apple Computer
2007-10-11 08:28 <DIR> d-------- C:\Program Files\QuickTime
2007-10-11 08:28 <DIR> d-------- C:\Program Files\Apple Software Update
2007-10-11 08:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-10-11 08:27 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-10-11 08:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-10-08 13:22 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2007-10-08 13:19 <DIR> d-------- C:\Program Files\Business Objects
2007-10-08 13:18 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2007-10-08 13:17 <DIR> d-------- C:\Program Files\RTP Inc
2007-10-04 16:00 <DIR> d-------- C:\DOCUME~1\cchilds\APPLIC~1\AdobeUM
2007-10-04 15:25 <DIR> d-------- C:\DOCUME~1\cchilds\APPLIC~1\Viewpoint
2007-10-04 14:39 <DIR> d-------- C:\DOCUME~1\cchilds\Contacts
2007-10-04 14:38 <DIR> d-------- C:\Program Files\MSN Messenger
2007-10-04 14:35 <DIR> d--hs---- C:\RECYCLER
2007-10-04 14:28 <DIR> d-------- C:\DOCUME~1\cchilds\APPLIC~1\acccore
2007-10-04 14:25 <DIR> d-------- C:\Program Files\Viewpoint
2007-10-04 14:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-10-04 14:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-10-04 14:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-10-04 14:24 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-10-04 14:24 <DIR> d-------- C:\Program Files\AIM6
2007-10-04 14:24 <DIR> d-------- C:\DOCUME~1\cchilds\APPLIC~1\Google
2007-10-04 14:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-10-04 14:23 <DIR> d-------- C:\Program Files\Google
2007-10-04 14:01 <DIR> d-------- C:\Program Files\Folio
2007-10-04 14:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-10-04 13:56 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2007-10-04 13:56 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2007-10-04 13:49 <DIR> d-------- C:\Program Files\Bonjour
2007-10-04 13:45 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-10-04 13:40 299,008 --a------ C:\WINDOWS\uninst.exe
2007-10-04 13:38 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-10-04 13:35 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-10-04 13:35 36,224 --a------ C:\WINDOWS\system32\drivers\hidclass.sys
2007-10-04 13:35 24,960 --a------ C:\WINDOWS\system32\drivers\hidparse.sys
2007-10-04 13:35 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-10-04 13:09 <DIR> d-------- C:\Program Files\RealVNC
2007-10-04 13:09 <DIR> d-------- C:\DOCUME~1\cchilds\APPLIC~1\Funk Software
2007-10-04 13:08 2,097,152 --ah----- C:\DOCUME~1\cchilds\NTUSER.DAT
2007-10-01 10:01 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-10-01 09:57 70,144 --a------ C:\WINDOWS\KPFP32.DLL
2007-10-01 09:57 58,368 --a------ C:\WINDOWS\pfpick.dll
2007-10-01 09:57 53,760 --a------ C:\WINDOWS\PTPICK32.DLL
2007-10-01 09:57 48,128 --a------ C:\WINDOWS\KPSYS32.DLL
2007-10-01 09:57 42,483 --a------ C:\WINDOWS\ICCCODES.DAT
2007-10-01 09:57 39,095 --a------ C:\WINDOWS\Iccsigs.dat
2007-10-01 09:57 31,744 --a------ C:\WINDOWS\KPSHARP.DLL
2007-10-01 09:57 31,232 --a------ C:\WINDOWS\KPSCALE.DLL
2007-10-01 09:57 243,712 --a------ C:\WINDOWS\KPCP32.DLL
2007-10-01 09:57 20,992 --a------ C:\WINDOWS\icccodes.dll
2007-10-01 09:57 156,672 --a------ C:\WINDOWS\sprof32.dll
2007-10-01 09:56 94,285 --a------ C:\WINDOWS\system32\MSVCIRTD.DLL
2007-10-01 09:56 6,144 --a------ C:\WINDOWS\system32\W95FIBER.DLL
2007-10-01 09:56 5,632 --a------ C:\WINDOWS\system32\MFCUIA32.DLL
2007-10-01 09:56 401,484 --a------ C:\WINDOWS\system32\MSVCRTD.DLL
2007-10-01 09:56 33,424 --a------ C:\WINDOWS\system32\URLCACHE.DLL
2007-10-01 09:56 322,832 --a------ C:\WINDOWS\system32\MFC30.DLL
2007-10-01 09:56 32,792 --a------ C:\WINDOWS\SPWHPT.DLL
2007-10-01 09:56 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2007-10-01 09:56 210,944 --a------ C:\WINDOWS\system32\MSVCRT10.DLL
2007-10-01 09:56 133,904 --a------ C:\WINDOWS\system32\MFCANS32.DLL
2007-10-01 09:56 133,392 --a------ C:\WINDOWS\system32\MFCO30.DLL
2007-10-01 09:56 <DIR> d-------- C:\WINDOWS\system32\Color
2007-10-01 09:56 <DIR> d-------- C:\Kpcms
2007-10-01 09:52 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-10-01 09:36 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\iPassConnect
2007-10-01 09:30 36,864 --a------ C:\WINDOWS\system32\AvayaGina.dll
2007-10-01 09:30 327,168 --a------ C:\WINDOWS\IsUninst.exe
2007-10-01 09:30 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-10-01 09:29 <DIR> d-------- C:\VPNet
2007-10-01 09:15 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-10-01 09:15 <DIR> d-------- C:\Program Files\Common Files\Software SupraSoft Shared
2007-10-01 09:15 <DIR> d-------- C:\Program Files\Common Files\Software Sheridan Shared
2007-10-01 09:15 <DIR> d-------- C:\Program Files\Common Files\Software GridEx Shared
2007-10-01 09:15 <DIR> d-------- C:\Program Files\Common Files\Software FX Shared
2007-10-01 09:04 <DIR> dr-h----- C:\MSOCache
2007-10-01 08:50 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Funk Software
2007-09-28 15:45 <DIR> d-------- C:\DOCUME~1\gwhipple\APPLIC~1\Funk Software
2007-09-28 15:44 786,432 --ah----- C:\DOCUME~1\gwhipple\NTUSER.DAT
2007-09-28 15:41 172,032 --a------ C:\WINDOWS\system32\igfxres.dll
2007-09-28 15:04 <DIR> d-------- C:\Temp\Odyssey
2007-09-28 15:03 643,150 --a------ C:\WINDOWS\system32\odGinaLibrary.dll
2007-09-28 15:03 147,522 --a------ C:\WINDOWS\system32\odyGina.dll
2007-09-28 15:03 106,496 --a------ C:\WINDOWS\system32\odyEvent.dll
2007-09-28 15:03 <DIR> d-------- C:\Program Files\Funk Software
2007-09-28 15:03 <DIR> d-------- C:\Program Files\Common Files\Funk Software
2007-09-28 15:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\iPass
2007-09-28 14:59 73,728 --------- C:\WINDOWS\system32\ipgina.dll
2007-09-28 14:58 65,605 --a------ C:\WINDOWS\system32\iPassAE5.dll
2007-09-28 14:58 21,419 --a------ C:\WINDOWS\system32\drivers\iPassP.sys
2007-09-28 14:58 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-09-28 14:58 <DIR> d-------- C:\Temp\ViewMail
2007-09-28 14:58 <DIR> d-------- C:\Program Files\ViewMail
2007-09-28 14:58 <DIR> d-------- C:\Program Files\iPass
2007-09-28 14:58 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-09-28 14:57 67,784 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys
2007-09-28 14:57 <DIR> d-------- C:\Temp\Communicator
2007-09-28 14:57 <DIR> d-------- C:\Program Files\Microsoft Office Communicator
2007-09-28 14:56 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-09-28 14:56 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-09-28 14:56 <DIR> d-------- C:\Program Files\Microsoft Forefront
2007-09-28 14:54 262,144 --a------ C:\DOCUME~1\ALLUSE~1\NTUSER.DAT
2007-09-28 14:54 <DIR> d--hs---- C:\WINDOWS\CSC
2007-09-28 14:54 <DIR> d-------- C:\WINDOWS\system32\ReinstallBackups
2007-09-28 14:51 90,112 --a------ C:\WINDOWS\system32\STACSV.EXE
2007-09-28 14:51 4,736 --a------ C:\WINDOWS\system32\drivers\usbd.sys
2007-09-28 14:51 393,216 --a------ C:\WINDOWS\system32\igxpun.exe
2007-09-28 14:51 303,104 --a------ C:\WINDOWS\STSYSTRA.EXE
2007-09-28 14:51 1,601,536 --a------ C:\WINDOWS\system32\STLANG.DLL
2007-09-28 14:51 <DIR> d-------- C:\WINDOWS\system32\x64
2007-09-28 14:51 <DIR> d-------- C:\WINDOWS\system32\Lang
2007-09-28 14:51 <DIR> d-------- C:\Program Files\Sigmatel
2007-09-28 14:51 <DIR> d-------- C:\Program Files\CONEXANT
2007-09-28 14:50 9,344 --a------ C:\WINDOWS\system32\drivers\compbatt.sys
2007-09-28 14:50 8,832 --a------ C:\WINDOWS\system32\drivers\wmiacpi.sys
2007-09-28 14:50 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2007-09-28 14:50 7,168 --a------ C:\WINDOWS\system32\hccoin.dll
2007-09-28 14:50 61,056 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2007-09-28 14:50 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2007-09-28 14:50 57,600 --a------ C:\WINDOWS\system32\drivers\usbhub.sys
2007-09-28 14:50 53,248 --a------ C:\WINDOWS\system32\drivers\1394bus.sys
2007-09-28 14:50 319,456 --a------ C:\WINDOWS\system32\difxapi.dll
2007-09-28 14:50 26,624 --a------ C:\WINDOWS\system32\drivers\usbehci.sys
2007-09-28 14:50 20,480 --a------ C:\WINDOWS\system32\drivers\usbuhci.sys
2007-09-28 14:50 142,976 --a------ C:\WINDOWS\system32\drivers\usbport.sys
2007-09-28 14:50 14,080 --a------ C:\WINDOWS\system32\drivers\CmBatt.sys
2007-09-28 14:50 14,080 --a------ C:\WINDOWS\system32\drivers\battc.sys
2007-09-28 14:50 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-09-28 14:50 <DIR> d-------- C:\Program Files\Apoint
2007-09-28 14:49 <DIR> d--hs---- C:\System Volume Information


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-07-13 07:52 62 --ahs---- C:\DOCUME~1\DSCHLE~1\APPLIC~1\desktop.ini


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar1.dll
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
{BACEB7AF-8D88-456E-82D0-7BEB9A4410FE} C:\WINDOWS\system32\vtssttt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"DellTouch"="C:\\WINDOWS\\MMKeybd.exe"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
"SigmatelSysTrayApp"="stsystra.exe"
"Microsoft Forefront Client Security Antimalware Service"="\"C:\\Program Files\\Microsoft Forefront\\Client Security\\Client\\Antimalware\\MSASCui.exe\" -hide"
"OdTray.exe"="\"C:\\Program Files\\Funk Software\\Odyssey Client\\OdTray.exe\""
@=""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"winshow"="\"C:\\WINDOWS\\winshow.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Communicator"="\"C:\\Program Files\\Microsoft Office Communicator\\Communicator.exe\""
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=dword:00000001
"ForceStartMenuLogOff"=dword:00000001
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowRun]
"1"="sysupd.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{BACEB7AF-8D88-456E-82D0-7BEB9A4410FE}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\FCSAM

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Quick Scan.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\MP Scheduled Signature Update.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-22 16:31:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-10-22 16:31:05
C:\ComboFix-quarantined-files.txt ... 07-10-22 16:31
C:\ComboFix2.txt ... 07-10-22 16:10
C:\ComboFix3.txt ... 07-10-22 10:37





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:32, on 07-10-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\oracle\ora9i\bin\omtsreco.exe
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe
C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\winshow.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Funk Software\Odyssey Client\odtray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://inside.rgare.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://Resource.RGARE.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://rotator.adjuggler.com/servlet/ajrot...&dim=276502
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {BACEB7AF-8D88-456E-82D0-7BEB9A4410FE} - C:\WINDOWS\system32\vtssttt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Microsoft Forefront Client Security Antimalware Service] "C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" -hide
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=https://Resource.RGARE.com
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rgare.net
O17 - HKLM\Software\..\Telephony: DomainName = rgare.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rgare.net
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect Corporate\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateService.exe
O23 - Service: iPCAgent - Unknown owner - C:\Program Files\iPass\Corporate\iPCAgent.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora9i\bin\omtsreco.exe
O23 - Service: Oracleora9iClientCache - Unknown owner - C:\oracle\ora9i\BIN\ONRSD.EXE
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7815 bytes
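The HijackThis and ComboFix output in the post above is read by eye in this thread. As an added example (not code from the original post, from HijackThis, or from ComboFix), here is a small Python triage script that applies the checks a log reviewer makes on such listings: an O2 BHO with no display name or no file on disk, a BHO CLSID that ComboFix also lists under ShellExecuteHooks (the pairing shown for vtssttt.dll above), O4 Run entries whose executable sits directly in C:\WINDOWS instead of a subdirectory (winshow.exe), and O23 services with no vendor string or a missing binary. The sample lines are copied from the logs above; the regexes, the Finding class and the "review"/"orphan" labels are the example's own choices, not part of either tool.

```python
"""Triage of HijackThis / ComboFix autostart listings (added example, not tool output)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input copied from the HijackThis and ComboFix logs posted in this thread
# (a subset, enough to exercise every check below).
SAMPLE_HJT = "\n".join([
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O2 - BHO: (no name) - {BACEB7AF-8D88-456E-82D0-7BEB9A4410FE} - C:\WINDOWS\system32\vtssttt.dll",
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe",
    r"O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe",
    r'O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"',
    r"O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe",
    r"O23 - Service: iPCAgent - Unknown owner - C:\Program Files\iPass\Corporate\iPCAgent.exe (file missing)",
])
# The shellexecutehooks block from ComboFix's "Reg Loading Points" section above.
SAMPLE_HOOKS = r'"{BACEB7AF-8D88-456E-82D0-7BEB9A4410FE}"=""'

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First quoted-or-bare drive path ending in .exe inside a Run command line.
EXE_RE = re.compile(r'"?(?P<exe>[A-Za-z]:\\[^"]+?\.exe)"?', re.I)
# Executable directly under the Windows directory, not in any subdirectory.
WINDIR_ROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.exe$", re.I)


@dataclass(frozen=True)
class Finding:
    line: str
    severity: str  # "review": inspect the file; "orphan": stale entry, cleanup only
    reason: str


def shell_execute_hooks(reg_dump: str) -> set[str]:
    """CLSIDs registered under Explorer\\ShellExecuteHooks in a ComboFix dump.

    A CLSID that is both a BHO and a ShellExecuteHook is the double registration
    seen for vtssttt.dll in this thread: the DLL gets loaded by Explorer as well
    as by Internet Explorer, so removing only the BHO leaves it resident.
    """
    return {c.upper() for c in CLSID_RE.findall(reg_dump)}


def triage(hjt_log: str, hooks: set[str]) -> list[Finding]:
    """Walk a HijackThis log and return the entries a reviewer should look at."""
    findings: list[Finding] = []
    for raw in hjt_log.splitlines():
        line = raw.strip()
        if m := BHO_RE.match(line):
            if m["path"] == "(no file)":
                findings.append(Finding(line, "orphan", "BHO registration with no DLL on disk"))
            elif m["clsid"].upper() in hooks:
                findings.append(Finding(line, "review", "BHO CLSID is also a ShellExecuteHook"))
            elif m["name"] == "(no name)":
                findings.append(Finding(line, "review", "BHO registered without a display name"))
        elif m := RUN_RE.match(line):
            exe = EXE_RE.match(m["cmd"])
            if exe and WINDIR_ROOT_RE.match(exe["exe"]):
                findings.append(Finding(line, "review",
                                        "autorun executable sits directly in the Windows directory"))
        elif m := SVC_RE.match(line):
            if m["path"].endswith("(file missing)"):
                findings.append(Finding(line, "orphan", "service points to a missing binary"))
            elif m["owner"] == "Unknown owner":
                findings.append(Finding(line, "review", "service binary carries no vendor information"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT, shell_execute_hooks(SAMPLE_HOOKS)):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

The "review" label is deliberately not "malicious": the Windows-directory check also catches Dell's MMKeybd.exe and similar OEM utilities that legitimately live there, and an orphaned entry is a cleanup item rather than evidence of infection. The script only reads static log text, so it runs anywhere; the file checks (signature, hash lookup, creation time against the ComboFix "Files Created" list) remain the reviewer's job.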

#8 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 22 October 2007 - 04:41 PM

Something is still interfering.....I'll be right back with something for you. Stubborn stuff! :thumbsup:

How much time do you have today?

tea

#9 doomgiver13

  • Topic Starter
  • Members
  • 103 posts

Posted 22 October 2007 - 04:43 PM

until 5:00 pm Central Time.

Just got this darned thing at the end of the day.

#10 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 22 October 2007 - 04:45 PM

I'm in the same time zone....only 15 minutes left huh? :thumbsup: We may not be able to finish up today....just too much to do. Can you pick it back up in the morning?

#11 doomgiver13

  • Topic Starter
  • Members
  • 103 posts

Posted 22 October 2007 - 04:46 PM

I should be able to.

#12 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 22 October 2007 - 04:49 PM

K, well I have this much for you now.....what time in the morning?

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINDOWS\winshow.exe
C:\WINDOWS\system32\vtssttt.dll
C:\WINDOWS\tsitra77.exe

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously, along with a new HijackThis log in your next reply.
tea

#13 doomgiver13

  • Topic Starter
  • Members
  • 103 posts

Posted 23 October 2007 - 09:15 AM

BSOD while running the express scan. Trojan.click.4740. C:/windows/winshow.exe

made it through express the second time and currently running custom scan on C:

logs to follow

#14 doomgiver13

  • Topic Starter
  • Members
  • 103 posts

Posted 23 October 2007 - 10:44 AM

Dr. Web-Cureit log

winvnc4.exe;c:\program files\realvnc\vnc4;Program.RemoteAdmin.origin;;
winshow.exe;c:\windows;Trojan.Click.4740;Deleted.;
winshow.exe;C:\Documents and Settings\cchilds\Local Settings\Temp;Trojan.Click.4740;Deleted.;
ZTIHalDetect.vbs;C:\I386;Probably SCRIPT.Virus;;
winvnc4.exe;C:\Program Files\RealVNC\VNC4;Program.RemoteAdmin.origin;;
A0001053.exe;C:\System Volume Information\_restore{1268995E-15E8-4A49-9735-A36817FC32D8}\RP10;Program.RemoteAdmin.origin;;
A0006311.exe;C:\System Volume Information\_restore{1268995E-15E8-4A49-9735-A36817FC32D8}\RP60;Trojan.Click.4740;Deleted.;





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42, on 07-10-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\oracle\ora9i\bin\omtsreco.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://inside.rgare.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://Resource.RGARE.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://rotator.adjuggler.com/servlet/ajrot...&dim=276502
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {BACEB7AF-8D88-456E-82D0-7BEB9A4410FE} - C:\WINDOWS\system32\vtssttt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Microsoft Forefront Client Security Antimalware Service] "C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" -hide
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=https://Resource.RGARE.com
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rgare.net
O17 - HKLM\Software\..\Telephony: DomainName = rgare.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rgare.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = rgare.net
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect Corporate\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect Corporate\iPassPeriodicUpdateService.exe
O23 - Service: iPCAgent - Unknown owner - C:\Program Files\iPass\Corporate\iPCAgent.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora9i\bin\omtsreco.exe
O23 - Service: Oracleora9iClientCache - Unknown owner - C:\oracle\ora9i\BIN\ONRSD.EXE
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 8044 bytes





"gwhippleadmin" - 07-10-23 8:52:49 Service Pack 2
ComboFix 07-04-25.1V - Running from: "C:\Documents and Settings\gwhippleadmin\"
Command switches used :: ""C:\Documents and Settings\gwhippleadmin\Desktop\CFScript.txt""


((((((((((((((((((((((((((((((( Files Created from 2007-09-23 to 2007-10-23 ))))))))))))))))))))))))))))))))))


2007-10-23 08:46 <DIR> d-------- C:\DOCUME~1\GWHIPP~1\APPLIC~1\Google
2007-10-22 10:37 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-10-22 10:35 <DIR> d-------- C:\!KillBox
2007-10-22 10:12 <DIR> d-------- C:\DOCUME~1\DSCHLE~1\APPLIC~1\Google
2007-10-22 10:02 1,048,576 --ah----- C:\DOCUME~1\DSCHLE~1\NTUSER.DAT
2007-10-22 10:02 <DIR> d-------- C:\Temp\SMSACTIONS
2007-10-22 10:02 <DIR> d-------- C:\DOCUME~1\DSCHLE~1\APPLIC~1\Funk Software
2007-10-18 11:07 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-18 11:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-10-18 11:06 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-18 11:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-10-18 11:02 <DIR> d-------- C:\DOCUME~1\GWHIPP~1\APPLIC~1\Funk Software
2007-10-18 11:01 2,097,152 --ah----- C:\DOCUME~1\GWHIPP~1\NTUSER.DAT
2007-10-17 09:14 <DIR> d-------- C:\VundoFix Backups
2007-10-16 12:46 1 --a------ C:\WINDOWS\tsitra77.exe
2007-10-16 12:46 <DIR> d-------- C:\WINDOWS\system32\oTt08e
2007-10-16 12:46 <DIR> d-------- C:\Temp\fCOe
2007-10-16 12:45 35,840 --a------ C:\WINDOWS\winshow.exe
2007-10-16 12:45 34,304 --------- C:\WINDOWS\system32\vtssttt.dll
2007-10-15 09:24 <DIR> d-------- C:\aura
2007-10-11 08:29 <DIR> d-------- C:\Program Files\iTunes
2007-10-11 08:29 <DIR> d-------- C:\Program Files\iPod
2007-10-11 08:29 <DIR> d-------- C:\DOCUME~1\cchilds\APPLIC~1\Apple Computer
2007-10-11 08:28 <DIR> d-------- C:\Program Files\QuickTime
2007-10-11 08:28 <DIR> d-------- C:\Program Files\Apple Software Update
2007-10-11 08:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-10-11 08:27 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-10-11 08:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-10-08 13:22 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2007-10-08 13:19 <DIR> d-------- C:\Program Files\Business Objects
2007-10-08 13:18 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2007-10-08 13:17 <DIR> d-------- C:\Program Files\RTP Inc
2007-10-04 16:00 <DIR> d-------- C:\DOCUME~1\cchilds\APPLIC~1\AdobeUM
2007-10-04 15:25 <DIR> d-------- C:\DOCUME~1\cchilds\APPLIC~1\Viewpoint
2007-10-04 14:39 <DIR> d-------- C:\DOCUME~1\cchilds\Contacts
2007-10-04 14:38 <DIR> d-------- C:\Program Files\MSN Messenger
2007-10-04 14:35 <DIR> d--hs---- C:\RECYCLER
2007-10-04 14:28 <DIR> d-------- C:\DOCUME~1\cchilds\APPLIC~1\acccore
2007-10-04 14:25 <DIR> d-------- C:\Program Files\Viewpoint
2007-10-04 14:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-10-04 14:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-10-04 14:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-10-04 14:24 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-10-04 14:24 <DIR> d-------- C:\Program Files\AIM6
2007-10-04 14:24 <DIR> d-------- C:\DOCUME~1\cchilds\APPLIC~1\Google
2007-10-04 14:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-10-04 14:23 <DIR> d-------- C:\Program Files\Google
2007-10-04 14:01 <DIR> d-------- C:\Program Files\Folio
2007-10-04 14:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-10-04 13:56 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2007-10-04 13:56 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2007-10-04 13:49 <DIR> d-------- C:\Program Files\Bonjour
2007-10-04 13:45 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-10-04 13:40 299,008 --a------ C:\WINDOWS\uninst.exe
2007-10-04 13:38 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-10-04 13:35 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-10-04 13:35 36,224 --a------ C:\WINDOWS\system32\drivers\hidclass.sys
2007-10-04 13:35 24,960 --a------ C:\WINDOWS\system32\drivers\hidparse.sys
2007-10-04 13:35 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-10-04 13:09 <DIR> d-------- C:\Program Files\RealVNC
2007-10-04 13:09 <DIR> d-------- C:\DOCUME~1\cchilds\APPLIC~1\Funk Software
2007-10-04 13:08 2,097,152 --ah----- C:\DOCUME~1\cchilds\NTUSER.DAT
2007-10-01 10:01 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-10-01 09:57 70,144 --a------ C:\WINDOWS\KPFP32.DLL
2007-10-01 09:57 58,368 --a------ C:\WINDOWS\pfpick.dll
2007-10-01 09:57 53,760 --a------ C:\WINDOWS\PTPICK32.DLL
2007-10-01 09:57 48,128 --a------ C:\WINDOWS\KPSYS32.DLL
2007-10-01 09:57 42,483 --a------ C:\WINDOWS\ICCCODES.DAT
2007-10-01 09:57 39,095 --a------ C:\WINDOWS\Iccsigs.dat
2007-10-01 09:57 31,744 --a------ C:\WINDOWS\KPSHARP.DLL
2007-10-01 09:57 31,232 --a------ C:\WINDOWS\KPSCALE.DLL
2007-10-01 09:57 243,712 --a------ C:\WINDOWS\KPCP32.DLL
2007-10-01 09:57 20,992 --a------ C:\WINDOWS\icccodes.dll
2007-10-01 09:57 156,672 --a------ C:\WINDOWS\sprof32.dll
2007-10-01 09:56 94,285 --a------ C:\WINDOWS\system32\MSVCIRTD.DLL
2007-10-01 09:56 6,144 --a------ C:\WINDOWS\system32\W95FIBER.DLL
2007-10-01 09:56 5,632 --a------ C:\WINDOWS\system32\MFCUIA32.DLL
2007-10-01 09:56 401,484 --a------ C:\WINDOWS\system32\MSVCRTD.DLL
2007-10-01 09:56 33,424 --a------ C:\WINDOWS\system32\URLCACHE.DLL
2007-10-01 09:56 322,832 --a------ C:\WINDOWS\system32\MFC30.DLL
2007-10-01 09:56 32,792 --a------ C:\WINDOWS\SPWHPT.DLL
2007-10-01 09:56 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2007-10-01 09:56 210,944 --a------ C:\WINDOWS\system32\MSVCRT10.DLL
2007-10-01 09:56 133,904 --a------ C:\WINDOWS\system32\MFCANS32.DLL
2007-10-01 09:56 133,392 --a------ C:\WINDOWS\system32\MFCO30.DLL
2007-10-01 09:56 <DIR> d-------- C:\WINDOWS\system32\Color
2007-10-01 09:56 <DIR> d-------- C:\Kpcms
2007-10-01 09:52 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-10-01 09:36 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\iPassConnect
2007-10-01 09:30 36,864 --a------ C:\WINDOWS\system32\AvayaGina.dll
2007-10-01 09:30 327,168 --a------ C:\WINDOWS\IsUninst.exe
2007-10-01 09:30 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-10-01 09:29 <DIR> d-------- C:\VPNet
2007-10-01 09:15 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-10-01 09:15 <DIR> d-------- C:\Program Files\Common Files\Software SupraSoft Shared
2007-10-01 09:15 <DIR> d-------- C:\Program Files\Common Files\Software Sheridan Shared
2007-10-01 09:15 <DIR> d-------- C:\Program Files\Common Files\Software GridEx Shared
2007-10-01 09:15 <DIR> d-------- C:\Program Files\Common Files\Software FX Shared
2007-10-01 09:04 <DIR> dr-h----- C:\MSOCache
2007-10-01 08:50 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Funk Software
2007-09-28 15:45 <DIR> d-------- C:\DOCUME~1\gwhipple\APPLIC~1\Funk Software
2007-09-28 15:44 786,432 --ah----- C:\DOCUME~1\gwhipple\NTUSER.DAT
2007-09-28 15:41 172,032 --a------ C:\WINDOWS\system32\igfxres.dll
2007-09-28 15:04 <DIR> d-------- C:\Temp\Odyssey
2007-09-28 15:03 643,150 --a------ C:\WINDOWS\system32\odGinaLibrary.dll
2007-09-28 15:03 147,522 --a------ C:\WINDOWS\system32\odyGina.dll
2007-09-28 15:03 106,496 --a------ C:\WINDOWS\system32\odyEvent.dll
2007-09-28 15:03 <DIR> d-------- C:\Program Files\Funk Software
2007-09-28 15:03 <DIR> d-------- C:\Program Files\Common Files\Funk Software
2007-09-28 15:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\iPass
2007-09-28 14:59 73,728 --------- C:\WINDOWS\system32\ipgina.dll
2007-09-28 14:58 65,605 --a------ C:\WINDOWS\system32\iPassAE5.dll
2007-09-28 14:58 21,419 --a------ C:\WINDOWS\system32\drivers\iPassP.sys
2007-09-28 14:58 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-09-28 14:58 <DIR> d-------- C:\Temp\ViewMail
2007-09-28 14:58 <DIR> d-------- C:\Program Files\ViewMail
2007-09-28 14:58 <DIR> d-------- C:\Program Files\iPass
2007-09-28 14:58 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-09-28 14:57 67,784 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys
2007-09-28 14:57 <DIR> d-------- C:\Temp\Communicator
2007-09-28 14:57 <DIR> d-------- C:\Program Files\Microsoft Office Communicator
2007-09-28 14:56 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-09-28 14:56 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-09-28 14:56 <DIR> d-------- C:\Program Files\Microsoft Forefront
2007-09-28 14:54 262,144 --a------ C:\DOCUME~1\ALLUSE~1\NTUSER.DAT
2007-09-28 14:54 <DIR> d--hs---- C:\WINDOWS\CSC
2007-09-28 14:54 <DIR> d-------- C:\WINDOWS\system32\ReinstallBackups
2007-09-28 14:51 90,112 --a------ C:\WINDOWS\system32\STACSV.EXE
2007-09-28 14:51 4,736 --a------ C:\WINDOWS\system32\drivers\usbd.sys
2007-09-28 14:51 393,216 --a------ C:\WINDOWS\system32\igxpun.exe
2007-09-28 14:51 303,104 --a------ C:\WINDOWS\STSYSTRA.EXE
2007-09-28 14:51 1,601,536 --a------ C:\WINDOWS\system32\STLANG.DLL
2007-09-28 14:51 <DIR> d-------- C:\WINDOWS\system32\x64
2007-09-28 14:51 <DIR> d-------- C:\WINDOWS\system32\Lang
2007-09-28 14:51 <DIR> d-------- C:\Program Files\Sigmatel
2007-09-28 14:51 <DIR> d-------- C:\Program Files\CONEXANT
2007-09-28 14:50 9,344 --a------ C:\WINDOWS\system32\drivers\compbatt.sys
2007-09-28 14:50 8,832 --a------ C:\WINDOWS\system32\drivers\wmiacpi.sys
2007-09-28 14:50 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2007-09-28 14:50 7,168 --a------ C:\WINDOWS\system32\hccoin.dll
2007-09-28 14:50 61,056 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2007-09-28 14:50 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2007-09-28 14:50 57,600 --a------ C:\WINDOWS\system32\drivers\usbhub.sys
2007-09-28 14:50 53,248 --a------ C:\WINDOWS\system32\drivers\1394bus.sys
2007-09-28 14:50 319,456 --a------ C:\WINDOWS\system32\difxapi.dll
2007-09-28 14:50 26,624 --a------ C:\WINDOWS\system32\drivers\usbehci.sys
2007-09-28 14:50 20,480 --a------ C:\WINDOWS\system32\drivers\usbuhci.sys
2007-09-28 14:50 142,976 --a------ C:\WINDOWS\system32\drivers\usbport.sys
2007-09-28 14:50 14,080 --a------ C:\WINDOWS\system32\drivers\CmBatt.sys
2007-09-28 14:50 14,080 --a------ C:\WINDOWS\system32\drivers\battc.sys
2007-09-28 14:50 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-09-28 14:50 <DIR> d-------- C:\Program Files\Apoint
2007-09-28 14:49 <DIR> d--hs---- C:\System Volume Information


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-07-13 07:52 62 --ahs---- C:\DOCUME~1\GWHIPP~1\APPLIC~1\desktop.ini


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar1.dll
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
{BACEB7AF-8D88-456E-82D0-7BEB9A4410FE} C:\WINDOWS\system32\vtssttt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"DellTouch"="C:\\WINDOWS\\MMKeybd.exe"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
"SigmatelSysTrayApp"="stsystra.exe"
"Microsoft Forefront Client Security Antimalware Service"="\"C:\\Program Files\\Microsoft Forefront\\Client Security\\Client\\Antimalware\\MSASCui.exe\" -hide"
"OdTray.exe"="\"C:\\Program Files\\Funk Software\\Odyssey Client\\OdTray.exe\""
@=""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"winshow"="\"C:\\WINDOWS\\winshow.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Communicator"="\"C:\\Program Files\\Microsoft Office Communicator\\Communicator.exe\""
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=dword:00000001
"ForceStartMenuLogOff"=dword:00000001
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowRun]
"1"="sysupd.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{BACEB7AF-8D88-456E-82D0-7BEB9A4410FE}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\FCSAM

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Quick Scan.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\MP Scheduled Signature Update.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-23 08:54:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-10-23 8:54:58
C:\ComboFix-quarantined-files.txt ... 07-10-23 08:54
C:\ComboFix2.txt ... 07-10-22 16:31
C:\ComboFix3.txt ... 07-10-22 16:10
If you truly live by the sword, it only stands to reason that someone has to die by it.

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:38 PM

Posted 23 October 2007 - 11:27 AM

Hello.....ready for round 2 huh? :thumbsup:

Did you have Tea Timer running when you did that? It really does interfere with ComboFix, so please run the script again with Tea Timer off if you didn't before. I'm about ready to bring out the really big guns.

Let me know.

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
