Nasty Malware - Win32.trojandownloader.agent


17 replies to this topic

#1 chinasteiners

  • Members
  • 10 posts

Posted 22 October 2007 - 06:59 PM

I have already read the FAQ and run the latest versions of Spybot and AdAware in safe mode. Every time I run AdAware it catches Win32.TrojanDownloader.Agent malware, removes it, but as soon as I boot up again it's back. I have run Spybot just once and it did not catch that virus but did catch three called Win32

This malware continuously pops up a fake Windows Security Alert that says: "Windows has detected an Internet attack attempt...Somebody's trying to infect your PC with spyware or harmful viruses. run full system scan now to protect your PC from Internet attacks, hijacking attempts, and spyware! Click here to download spyware remover for total protection." After half a minute or so, Internet Explorer then opens on its own at either the site http://yourprivacyguard.com or http://safenavweb.com. I disabled access to IE to try to stop that or it will open lots of IE windows.

The virus changed my desktop background picture (or pasted a picture over my background? I could not click any icons) to a .gif that says "Your privacy is in danger, download spyware remover for total protection" or something along those lines.

The virus adds three shortcut windows to my desktop which reappear the instant I reboot. They are labeled Error Cleaner, Privacy Protector, and Spyware &...Protection. All three are shortcuts to http://viruswebprotect.com/shandler.php

The last symptom so far is that the virus will cause the task explorer.exe to take up 100% of my CPU Usage. In order to work, I terminate explorer.exe and do everything from the Task Manager.

I will be unspeakably thankful to whoever can tell me how to get rid of this thing. I live in China and my computer is my link to the outside world. Below is the HijackThis logfile.

Phil

________________________________________________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:57 AM, on 10/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\DF206D97847745E7983C822C45EE3038\ringjack.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\stinger.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {480598DD-AE28-48B7-82F7-6ADDA1AA6B66} - C:\WINDOWS\ntspkmxl.dll
O2 - BHO: (no name) - {69A0EEC7-190C-33F1-4F7A-0383C563F5FD} - C:\Program Files\qnatfoww\yoqzwtfa.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: The optnet - {B02534D7-8D91-49BE-A864-97DFB8E0BAB4} - C:\WINDOWS\optnet.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [VF0060 STISvc] RunDLL32.exe V0060Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [xmlkzoxu] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\xmlkzoxu.dll"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: hostctrl - {B0BA5677-C778-4482-BB5D-44B1479D1201} - C:\WINDOWS\hostctrl.dll
O21 - SSODL: hstsys - {D433F572-882D-4C8B-9A93-761E91562F70} - C:\WINDOWS\hstsys.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 11349 bytes

Edited by KoanYorel, 23 October 2007 - 11:27 AM, to disable hot link URLs above.
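Forum helpers read a HijackThis log like the one above by eye: a BHO or SSODL DLL sitting directly in C:\WINDOWS rather than in system32 or a vendor directory, a "(no name)" BHO, a load point whose file is missing, a Run entry that launches regsvr32 /u against a DLL in a data folder, and a browser start page pointing at an unfamiliar host. The Python script below is an added example, not a BleepingComputer or HijackThis tool; the rule set, the `triage` and `triage_line` functions and the list of expected hosts are my own assumptions, and the sample lines are copied from the log posted above so the output can be compared with it.

```python
import re
from typing import List, Tuple

# Added example: a small triage pass over HijackThis "O"/"R" lines.
# Not a HijackThis or BleepingComputer tool; the rules below are assumptions
# drawn from the way the log above is read by hand.

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# A drive-letter path ending in .dll or .exe; spaces are allowed inside it.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\[\]]+?\.(?:dll|exe)\b", re.IGNORECASE)
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)

# Hosts the R0/R1 browser settings are expected to reference on this machine (assumption).
EXPECTED_HOSTS = ("go.microsoft.com", "ie.redirect.hp.com")
# Sections that load a DLL into Explorer/IE at start-up.
DLL_LOAD_SECTIONS = ("O2", "O3", "O20", "O21")


def windows_root_file(path: str) -> bool:
    """True when the file sits directly in C:\\WINDOWS\\ rather than in a subdirectory."""
    parts = path.split("\\")
    return len(parts) == 3 and parts[1].lower() == "windows"


def triage_line(line: str) -> List[str]:
    """Return the reasons this HijackThis line deserves a second look (empty list = nothing found)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    reasons: List[str] = []
    paths = PATH_RE.findall(body)

    if section in DLL_LOAD_SECTIONS:
        if "(no name)" in body:
            reasons.append("unnamed load point")
        if "(file missing)" in body:
            reasons.append("load point references a missing file")
        reasons += [f"DLL loaded from Windows root: {p}" for p in paths if windows_root_file(p)]

    if section == "O4":
        if re.search(r"\bregsvr32\b.*\s/u\b", body, re.IGNORECASE):
            reasons.append("Run entry invokes regsvr32 /u on a DLL")
        reasons += [f"autorun from a data directory: {p}" for p in paths
                    if "\\application data\\" in p.lower()]

    if section in ("R0", "R1"):
        host = URL_HOST_RE.search(body)
        if host and not host.group(1).lower().endswith(EXPECTED_HOSTS):
            reasons.append(f"browser setting points at unexpected host: {host.group(1)}")
    return reasons


def triage(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Keep only the lines that triggered at least one rule, with their reasons."""
    out = []
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            out.append((line.strip(), reasons))
    return out


# Sample input copied from the HijackThis log posted above (a mix of clean and suspect entries).
SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: MSVPS System - {480598DD-AE28-48B7-82F7-6ADDA1AA6B66} - C:\WINDOWS\ntspkmxl.dll",
    r"O2 - BHO: (no name) - {69A0EEC7-190C-33F1-4F7A-0383C563F5FD} - C:\Program Files\qnatfoww\yoqzwtfa.dll",
    r"O3 - Toolbar: The optnet - {B02534D7-8D91-49BE-A864-97DFB8E0BAB4} - C:\WINDOWS\optnet.dll (file missing)",
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe",
    r'O4 - HKLM\..\Run: [xmlkzoxu] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\xmlkzoxu.dll"',
    r"O21 - SSODL: hostctrl - {B0BA5677-C778-4482-BB5D-44B1479D1201} - C:\WINDOWS\hostctrl.dll",
    r"O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe",
]

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(entry)
        for r in reasons:
            print("   ->", r)
```

Run against the ten sample lines it flags six: the start page, both unfamiliar BHOs, the missing toolbar DLL, the regsvr32 Run entry and the hostctrl SSODL entry; the Adobe BHO, the Intel tray entry, the Microsoft default page and the Lavasoft service pass clean. Location-based rules like these are a first filter, not a verdict: a legitimate file can live in an odd place, so each hit still needs the helper's judgement before anything is removed.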



#2 Guest_Cretemonster_*

  • Guests

Posted 24 October 2007 - 04:02 PM

Hi chinasteiners and welcome to Bleeping Computer!

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#3 chinasteiners

  • Topic Starter
  • Members
  • 10 posts

Posted 24 October 2007 - 07:50 PM

First the ComboFix log, then HijackThis. I didn't have my hidden files and folders showing when I ran ComboFix; let me know if I need to re-do it because of that. I switched hidden folders on for running HijackThis though.

Whenever I do anything with Windows Explorer now I get a popup window that says it's from Windows Internet Explorer and says "Cannot find 'file:///C:/WINDOWS/privacy_danger/index.htm'. Make sure the path or Internet address is correct."

ComboFix 07-10-23.1 - Steiner 2007-10-25 8:18:37.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.490 [GMT 8:00]
Running from: C:\Documents and Settings\Steiner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Steiner\Desktop\Error Cleaner.url
C:\Documents and Settings\Steiner\Desktop\Privacy Protector.url
C:\Documents and Settings\Steiner\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Steiner\Favorites\Error Cleaner.url
C:\Documents and Settings\Steiner\Favorites\Privacy Protector.url
C:\Documents and Settings\Steiner\Favorites\Spyware&Malware Protection.url
C:\WINDOWS\hostctrl.dll
C:\WINDOWS\nmcuninstall.exe
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm

.
((((((((((((((((((((((((( Files Created from 2007-09-25 to 2007-10-25 )))))))))))))))))))))))))))))))
.

2007-10-23 15:41 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-23 00:23 1,953,799 --a------ C:\Program Files\stinger.exe
2007-10-20 17:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-10-20 17:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-10-20 17:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2007-10-20 17:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-20 17:15 <DIR> d-------- C:\Documents and Settings\Steiner\Application Data\SUPERAntiSpyware.com
2007-10-20 15:32 5,914,648 --a------ C:\Program Files\SUPERAntiSpyware.exe
2007-10-20 02:49 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-20 02:47 11,470,608 --a------ C:\Program Files\avgas-setup-7.5.0.50.exe
2007-10-20 00:05 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-19 23:59 <DIR> d-------- C:\Documents and Settings\Steiner\.housecall6.6
2007-10-19 23:39 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-19 23:39 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-19 23:38 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-19 23:27 2,566,736 --a------ C:\Program Files\spywareblastersetup351.exe
2007-10-19 23:04 407,680 --a------ C:\Program Files\aswclnr.exe
2007-10-19 22:52 318,369 --a------ C:\Program Files\HiJackThis.zip
2007-10-19 22:31 19,755,376 --a------ C:\Program Files\aaw2007.exe
2007-10-19 01:37 <DIR> d-------- C:\Program Files\qnatfoww
2007-10-19 01:31 281,600 --a------ C:\WINDOWS\hstsys.dll
2007-10-19 01:31 274,432 --a------ C:\WINDOWS\ntspkmxl.dll
2007-10-19 01:26 96,943 --a------ C:\Program Files\VideoAccessCodecInstall.exe
2007-10-18 19:28 <DIR> d-------- C:\Program Files\iTunes
2007-10-18 19:28 <DIR> d-------- C:\Program Files\iPod
2007-10-17 14:02 <DIR> d-------- C:\Documents and Settings\Steiner\Application Data\gtk-2.0
2007-10-17 01:13 <DIR> d-------- C:\Documents and Settings\Steiner\Application Data\Inkscape
2007-10-17 00:50 <DIR> d-------- C:\Program Files\Inkscape
2007-10-16 23:40 <DIR> d-------- C:\Documents and Settings\Steiner\Application Data\CasaPortale.de
2007-10-16 23:37 <DIR> d-------- C:\Program Files\PosteRazor-1.4-Win32
2007-10-16 23:35 354,656 --a------ C:\Program Files\PosteRazor-1.4-Win32.zip
2007-10-16 21:10 22,974,393 --a------ C:\Program Files\Inkscape-0.45.1-1.win32.exe
2007-10-10 06:31 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-24 23:55 --------- d-----w C:\Documents and Settings\Steiner\Application Data\Skype
2007-10-23 08:28 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-23 06:26 17 ----a-w C:\Program Files\stinger.opt
2007-10-20 07:09 --------- d-----w C:\Documents and Settings\Steiner\Application Data\OpenOffice.org2
2007-10-19 16:04 6,172 ----a-w C:\Program Files\aswclnr.log
2007-10-19 14:53 8,653,598 ----a-w C:\Program Files\aaw2007.exe.part
2007-10-16 13:08 --------- d-----w C:\Program Files\Common Files\Elecard
2007-10-16 13:07 --------- d-----w C:\Program Files\pdf995
2007-10-10 12:43 146,168 ----a-w C:\Documents and Settings\Steiner\Application Data\GDIPFONTCACHEV1.DAT
2007-10-06 15:30 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-06 15:30 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-06 15:30 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-06 15:30 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-06 15:30 --------- d-----w C:\Program Files\Symantec
2007-09-28 10:51 --------- d-----w C:\Program Files\Picasa2
2007-09-18 23:46 --------- d-----w C:\Program Files\Norton AntiVirus
2007-09-18 06:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 06:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 06:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 06:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 06:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 06:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 06:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 06:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 06:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-15 11:13 --------- d-----w C:\Documents and Settings\Steiner\Application Data\SopCast
2007-09-15 11:12 --------- d-----w C:\Program Files\SopCast
2007-09-15 11:11 2,248,200 ----a-w C:\Program Files\SopCast.zip
2007-09-11 10:48 --------- d-----w C:\Program Files\Apple Software Update
2007-09-06 16:06 --------- d-----w C:\Program Files\Google
2007-09-06 12:25 13,416,432 ----a-w C:\Program Files\Google_Earth_BZXD.exe
2007-09-04 09:21 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-04 00:21 23,402,288 ----a-w C:\Program Files\AdbeRdr810_en_US.exe
2007-09-01 13:52 --------- d-----w C:\Program Files\TVUPlayer
2007-09-01 13:51 --------- d-----w C:\Documents and Settings\Steiner\Application Data\TVU networks
2007-08-27 05:15 --------- d-----w C:\Documents and Settings\Steiner\Application Data\uTorrent
2007-08-25 17:45 785,530 ----a-w C:\Program Files\MatroskaSplitter.exe
2007-08-25 17:45 --------- d-----w C:\Program Files\Haali
2007-08-25 14:39 731,711 ----a-w C:\Program Files\avisplit.exe
2007-08-25 14:35 174,727 ----a-w C:\Program Files\osavisplitter.1.0.0.7_nt.exe
2007-08-25 14:35 --------- d-----w C:\Program Files\OpenSource AVI Splitter
2007-08-25 09:51 --------- d-----w C:\Program Files\Winamp
2007-08-25 09:49 6,221,304 ----a-w C:\Program Files\winamp535_full_emusic-7plus.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-19 16:27 24,048,424 ----a-w C:\Program Files\SkypeSetup.exe
2007-08-18 13:15 2,879,608 ----a-w C:\Program Files\TvantsSetup.EXE
2007-07-30 11:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 11:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 11:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 11:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 11:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 11:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 11:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 11:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-28 08:44 6,658,184 ----a-w C:\Program Files\sensationalsoccer_at.exe
2007-07-17 11:50 14,993,976 ----a-w C:\Program Files\GoogleEarthWin.exe
2007-06-06 07:15 1,163,592 ----a-w C:\Program Files\install_flash_player.exe
2007-06-01 00:13 513,144 ----a-w C:\Program Files\setup.exe
2007-05-17 14:48 4,659,162 ----a-w C:\Program Files\deutschland.mp3
2007-05-13 13:53 9,187,304 ----a-w C:\Program Files\winamp534_full_bundle_emusic-7plus.exe
2007-05-05 11:47 852,101 ----a-w C:\Program Files\extractnow.exe
2007-05-05 11:43 733,024 ----a-w C:\Program Files\UnRarX_2.2.zip
2007-04-15 15:22 1,401,109 ----a-w C:\Program Files\spybotsd_includes.exe
2007-04-15 14:40 3,191,432 ----a-w C:\Program Files\runalyz.exe
2007-04-15 14:37 5,037,072 ----a-w C:\Program Files\spybotsd14.exe
2007-04-14 17:16 2,566,902 ----a-w C:\Program Files\Taipan_Setup.exe
2007-04-14 16:16 4,479,986 ----a-w C:\Program Files\scnsb.exe
2007-04-14 15:24 999,224 ----a-w C:\Program Files\optimize-setup-0003.exe
2007-04-12 14:01 64,000 ----a-w C:\Program Files\27 __.doc
2007-04-09 15:36 6,890,528 ----a-w C:\Program Files\nvu-1.0-win32-installer-full.exe
2007-04-09 15:18 8,008,753 ----a-w C:\Program Files\nvu-1.0-win32-full.zip
2007-04-09 15:04 1,016,545 ----a-w C:\Program Files\smoke.jar
2007-04-09 15:03 607,051 ----a-w C:\Program Files\nvutut-0.3b.xpi
2007-03-26 16:51 29,732,352 ----a-w C:\Program Files\BookSmart_1.7.6.exe
2007-03-23 06:55 1,691,627 ----a-w C:\Program Files\NewzToolzSetup.exe
2007-03-13 07:20 688,831 ----a-w C:\Program Files\uTorrent-1.6.1-install.exe
2007-03-10 06:21 3,049,211 ----a-w C:\Program Files\converter.exe
2007-02-02 16:48 4,315,421 ----a-w C:\Program Files\BitTornado-0.3.18-w32install.exe
2006-11-12 12:51 36,808,256 ----a-w C:\Program Files\iTunesSetup.exe
2006-11-02 01:58 4,912,968 ----a-w C:\Program Files\picasaweb-current-setup.exe
2006-10-26 01:08 2,733,552 ----a-w C:\Program Files\GmailPopTroubleshooterInstaller.exe
2006-10-23 17:13 6,053,888 ----a-w C:\Program Files\pegasusw32-431.exe
2006-10-23 16:15 17,416,184 ----a-w C:\Program Files\Eudora_7.1.0.9.exe
2006-10-20 06:32 6,335,024 ----a-w C:\Program Files\Thunderbird Setup 1.5.0.7.exe
2006-07-18 16:04 439,296 ----a-w C:\Documents and Settings\Steiner\remote.exe
2006-04-25 22:26 93,391,073 ----a-w C:\Program Files\OOo_2.0.2_Win32Intel_install.exe
2006-04-08 15:54 7,788,331 ----a-w C:\Program Files\Nimo50Build9Beta1.exe
2006-04-08 15:41 19,318,281 ----a-w C:\Program Files\klcodec271f.exe
2006-04-07 00:55 23,491,904 ----a-w C:\Program Files\imechs.exe
2006-04-07 00:36 11,817,800 ----a-w C:\Program Files\GoogleEarth.exe
2006-04-07 00:04 5,175,696 ----a-w C:\Program Files\Firefox Setup 1.5.0.1.exe
2006-04-06 22:52 21,254,280 ----a-w C:\Program Files\AdbeRdr707_en_US.exe
2004-12-05 05:33 2,672 ----a-w C:\Program Files\francais.txt
2004-06-12 08:28 3,108 ----a-w C:\Program Files\readme.txt
2004-01-08 03:38 208,896 ----a-w C:\Program Files\lame_enc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69A0EEC7-190C-33F1-4F7A-0383C563F5FD}]
2007-10-19 01:37 102400 --a------ C:\Program Files\qnatfoww\yoqzwtfa.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-08 18:36]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-08 18:32]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-15 00:11]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-06 23:27]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-05 01:59]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 04:54]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-04 04:24]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-03-30 05:45]
"VF0060 STISvc"="V0060Pin.dll" [2004-11-01 09:00 C:\WINDOWS\system32\V0060Pin.dll]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2005-02-09 00:38]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 18:12 C:\WINDOWS\AGRSMMSG.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 12:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-02-08 06:39]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-10-20 03:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 18:52]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-07 08:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 16:00]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-17 03:45]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-29 18:26]
"SFP"="C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.exe" [2003-09-06 04:30]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"hstsys"= {D433F572-882D-4C8B-9A93-761E91562F70} - C:\WINDOWS\hstsys.dll [2007-10-18 18:36 281600]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LUMIX Simple Viewer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LUMIX Simple Viewer.lnk
backup=C:\WINDOWS\pss\LUMIX Simple Viewer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online Dialer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Verizon Online Dialer.lnk
backup=C:\WINDOWS\pss\Verizon Online Dialer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Steiner^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=C:\Documents and Settings\Steiner\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
"C:\Program Files\Creative\Shared Files\CamTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBCMAgent]
C:\Program Files\Intuit\QuickBooks Customer Manager\QBCMAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RssReader]
C:\Program Files\RssReader\RssReader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

S3 V0060VID;Creative WebCam Live! Ultra;C:\WINDOWS\system32\DRIVERS\V0060Vid.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2c1a570-e131-11da-801c-00166f4138ac}]
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL PortableVaultAES.exe
Explore\command - explorer.exe /n,/e ,.
Launch\command - E:\portablevaultaes.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-18 11:09:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-10-22 12:00:13 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Steiner.job"
"2007-10-25 00:33:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-25 08:26:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????7?3?5?9??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-25 8:36:28 - machine was rebooted
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:48:21 AM, on 10/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\DF206D97847745E7983C822C45EE3038\ringjack.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {69A0EEC7-190C-33F1-4F7A-0383C563F5FD} - C:\Program Files\qnatfoww\yoqzwtfa.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [VF0060 STISvc] RunDLL32.exe V0060Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: hstsys - {D433F572-882D-4C8B-9A93-761E91562F70} - C:\WINDOWS\hstsys.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 10852 bytes
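The log above contains the four entries that mark this as a Smitfraud-family infection: the hijacked HKCU start page (R0), the nameless BHO in a random-named folder (O2), an SSODL DLL sitting directly under C:\WINDOWS (O21), and the Active Desktop component that paints the "privacy danger" wallpaper from a local HTML file (O24). The script below is an added example, not part of this thread and not code from HijackThis or any tool named here: it parses HijackThis-style lines and flags those four patterns so a helper can triage a log mechanically. The sample lines are copied from the log posted above; the allow-list of expected start-page hosts and the "SSODL DLL outside system32" heuristic are assumptions a technician would tune for the machine in front of them.

```python
"""Triage a HijackThis (HJT) log: parse each 'Rx - ...' / 'Oxx - ...' line and
flag the kinds of entries the Smitfraud family leaves behind.
Added example; not part of the thread or of HijackThis itself."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# HJT lines look like "O2 - BHO: name - {CLSID} - path" or "R0 - key,value = data".
HJT_LINE = re.compile(r"^(?P<section>[RFNO]\d+)\s+-\s+(?P<body>.+)$")

# Start-page hosts considered expected on this machine (assumption: the
# Microsoft and HP OEM defaults visible elsewhere in the same log).
KNOWN_START_PAGE_HOSTS = {"go.microsoft.com", "ie.redirect.hp.com"}


@dataclass
class Entry:
    section: str
    body: str


def parse_hjt_line(line: str) -> Optional[Entry]:
    """Return an Entry for an HJT item line, or None for headers/process lists."""
    m = HJT_LINE.match(line.strip())
    return Entry(m.group("section"), m.group("body")) if m else None


def flag_entry(e: Entry) -> Optional[str]:
    """Return a reason string if the entry deserves a second look, else None."""
    if e.section == "R0" and "Start Page" in e.body:
        url = e.body.split("=", 1)[1].strip()
        host = urlparse(url).hostname or ""
        if host not in KNOWN_START_PAGE_HOSTS:
            return f"browser start page redirected to {host}"
    if e.section == "O2" and e.body.startswith("BHO: (no name)"):
        # A BHO is loaded into every Internet Explorer process; a nameless one
        # in an unfamiliar folder is a classic dropper footprint.
        return "nameless Browser Helper Object: " + e.body.rsplit(" - ", 1)[-1]
    if e.section == "O21":
        # SSODL DLLs are loaded by Explorer at logon. Heuristic (assumption):
        # the stock entries live under system32, so a DLL directly under the
        # Windows folder is worth reviewing.
        dll = e.body.rsplit(" - ", 1)[-1].lower()
        if "\\system32\\" not in dll:
            return "SSODL DLL outside system32: " + dll
    if e.section == "O24" and "file:///" in e.body.lower():
        # Active Desktop component served from a local HTML file: the fake
        # "your privacy is in danger" wallpaper described in the first post.
        return "Active Desktop component served from local file"
    return None


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (section, reason) pairs for every flagged line, in log order."""
    hits = []
    for line in lines:
        e = parse_hjt_line(line)
        if e is None:
            continue
        reason = flag_entry(e)
        if reason:
            hits.append((e.section, reason))
    return hits


# Sample input: lines copied from the HijackThis log posted above, plus two
# benign entries from the same log to show they are not flagged.
SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {69A0EEC7-190C-33F1-4F7A-0383C563F5FD} - C:\Program Files\qnatfoww\yoqzwtfa.dll",
    r"O21 - SSODL: hstsys - {D433F572-882D-4C8B-9A93-761E91562F70} - C:\WINDOWS\hstsys.dll",
    r"O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm",
    r"O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe",
]

if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(f"{section}: {reason}")
```

Running it against the sample prints four findings (R0, O2, O21, O24) and stays silent on the Adobe BHO, the Microsoft start page and the Ad-Aware service, which matches what the helper singles out in the replies that follow. The allow-list and the system32 heuristic are deliberately simple; on a real log they should be reviewed rather than trusted, since a legitimate OEM start page or a third-party SSODL entry would also trip them.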

#4 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 25 October 2007 - 02:40 AM

Let's go ahead and fix the Smitfraud issues before going any further.

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#5 chinasteiners

chinasteiners
  • Topic Starter

  • Members
  • 10 posts

Posted 25 October 2007 - 06:17 AM

SmitFraudFix v2.241

Scan done at 19:15:30.21, Thu 10/25/2007
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\DF206D97847745E7983C822C45EE3038\ringjack.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Steiner


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Steiner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Steiner\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:\\WINDOWS\\privacy_danger\\index.htm"
"SubscribedURL"=""
"FriendlyName"="Privacy Protection"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~2\\GOEC62~1.DLL"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 218.30.19.50
DNS Server Search Order: 61.134.1.4

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2944B795-D8F6-4068-8BA7-899EB374FFF7}: DhcpNameServer=218.30.19.50 61.134.1.4
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2944B795-D8F6-4068-8BA7-899EB374FFF7}: DhcpNameServer=218.30.19.50 61.134.1.4
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2944B795-D8F6-4068-8BA7-899EB374FFF7}: DhcpNameServer=218.30.19.50 61.134.1.4
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=218.30.19.50 61.134.1.4
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=218.30.19.50 61.134.1.4
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=218.30.19.50 61.134.1.4


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#6 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 25 October 2007 - 10:12 AM

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non-infected computer will remove your Desktop background.

#7 chinasteiners

chinasteiners
  • Topic Starter

  • Members
  • 10 posts

Posted 25 October 2007 - 07:31 PM

First I'll post the SmitFraudFix log, then I'll post HiJackThis.



SmitFraudFix v2.241

Scan done at 8:11:48.68, Fri 10/26/2007
Run from C:\Documents and Settings\Steiner\Desktop\SmitfraudFix

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2944B795-D8F6-4068-8BA7-899EB374FFF7}: DhcpNameServer=218.30.19.50 61.134.1.4
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2944B795-D8F6-4068-8BA7-899EB374FFF7}: DhcpNameServer=218.30.19.50 61.134.1.4
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2944B795-D8F6-4068-8BA7-899EB374FFF7}: DhcpNameServer=218.30.19.50 61.134.1.4
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=218.30.19.50 61.134.1.4
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=218.30.19.50 61.134.1.4
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=218.30.19.50 61.134.1.4


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

________________________________________________________________________________________


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:30:37 AM, on 10/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\DF206D97847745E7983C822C45EE3038\ringjack.exe
C:\WINDOWS\explorer.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {69A0EEC7-190C-33F1-4F7A-0383C563F5FD} - C:\Program Files\qnatfoww\yoqzwtfa.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [VF0060 STISvc] RunDLL32.exe V0060Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: hstsys - {D433F572-882D-4C8B-9A93-761E91562F70} - C:\WINDOWS\hstsys.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10214 bytes

#8 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 26 October 2007 - 02:46 AM

Allrighty...Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

#9 chinasteiners

  • Topic Starter
  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:52 PM

Posted 26 October 2007 - 06:17 AM

First is the ComboFix log, then the HijackThis log.

ComboFix 07-10-23.1 - Steiner 2007-10-26 19:08:01.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.491 [GMT 8:00]
Running from: C:\Documents and Settings\Steiner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-26 to 2007-10-26 )))))))))))))))))))))))))))))))
.

2007-10-25 21:25 <DIR> d-------- C:\Documents and Settings\Steiner\.gimp-2.4
2007-10-25 20:37 14,952,016 --a------ C:\Program Files\gimp-2.4.0-i586-setup.exe
2007-10-25 19:15 3,362 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-23 15:41 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-23 00:23 1,953,799 --a------ C:\Program Files\stinger.exe
2007-10-20 17:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-10-20 17:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-10-20 17:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2007-10-20 17:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-20 17:15 <DIR> d-------- C:\Documents and Settings\Steiner\Application Data\SUPERAntiSpyware.com
2007-10-20 15:32 5,914,648 --a------ C:\Program Files\SUPERAntiSpyware.exe
2007-10-20 02:49 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-20 02:47 11,470,608 --a------ C:\Program Files\avgas-setup-7.5.0.50.exe
2007-10-20 00:05 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-19 23:59 <DIR> d-------- C:\Documents and Settings\Steiner\.housecall6.6
2007-10-19 23:39 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-19 23:39 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-19 23:38 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-19 23:27 2,566,736 --a------ C:\Program Files\spywareblastersetup351.exe
2007-10-19 23:04 407,680 --a------ C:\Program Files\aswclnr.exe
2007-10-19 22:52 318,369 --a------ C:\Program Files\HiJackThis.zip
2007-10-19 22:31 19,755,376 --a------ C:\Program Files\aaw2007.exe
2007-10-19 01:37 <DIR> d-------- C:\Program Files\qnatfoww
2007-10-19 01:31 281,600 --a------ C:\WINDOWS\hstsys.dll
2007-10-19 01:31 274,432 --a------ C:\WINDOWS\ntspkmxl.dll
2007-10-19 01:26 96,943 --a------ C:\Program Files\VideoAccessCodecInstall.exe
2007-10-18 19:28 <DIR> d-------- C:\Program Files\iTunes
2007-10-18 19:28 <DIR> d-------- C:\Program Files\iPod
2007-10-17 14:02 <DIR> d-------- C:\Documents and Settings\Steiner\Application Data\gtk-2.0
2007-10-17 01:13 <DIR> d-------- C:\Documents and Settings\Steiner\Application Data\Inkscape
2007-10-17 00:50 <DIR> d-------- C:\Program Files\Inkscape
2007-10-16 23:40 <DIR> d-------- C:\Documents and Settings\Steiner\Application Data\CasaPortale.de
2007-10-16 23:37 <DIR> d-------- C:\Program Files\PosteRazor-1.4-Win32
2007-10-16 23:35 354,656 --a------ C:\Program Files\PosteRazor-1.4-Win32.zip
2007-10-16 21:10 22,974,393 --a------ C:\Program Files\Inkscape-0.45.1-1.win32.exe
2007-10-10 06:31 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-26 11:12 --------- d-----w C:\Documents and Settings\Steiner\Application Data\Skype
2007-10-25 13:13 --------- d-----w C:\Program Files\GIMP-2.0
2007-10-23 08:28 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-23 06:26 17 ----a-w C:\Program Files\stinger.opt
2007-10-20 07:09 --------- d-----w C:\Documents and Settings\Steiner\Application Data\OpenOffice.org2
2007-10-19 16:04 6,172 ----a-w C:\Program Files\aswclnr.log
2007-10-19 14:53 8,653,598 ----a-w C:\Program Files\aaw2007.exe.part
2007-10-16 13:08 --------- d-----w C:\Program Files\Common Files\Elecard
2007-10-16 13:07 --------- d-----w C:\Program Files\pdf995
2007-10-10 12:43 146,168 ----a-w C:\Documents and Settings\Steiner\Application Data\GDIPFONTCACHEV1.DAT
2007-10-06 15:30 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-06 15:30 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-06 15:30 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-06 15:30 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-06 15:30 --------- d-----w C:\Program Files\Symantec
2007-09-28 10:51 --------- d-----w C:\Program Files\Picasa2
2007-09-18 23:46 --------- d-----w C:\Program Files\Norton AntiVirus
2007-09-18 06:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 06:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 06:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 06:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 06:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 06:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 06:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 06:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 06:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-15 11:13 --------- d-----w C:\Documents and Settings\Steiner\Application Data\SopCast
2007-09-15 11:12 --------- d-----w C:\Program Files\SopCast
2007-09-15 11:11 2,248,200 ----a-w C:\Program Files\SopCast.zip
2007-09-11 10:48 --------- d-----w C:\Program Files\Apple Software Update
2007-09-06 16:06 --------- d-----w C:\Program Files\Google
2007-09-06 12:25 13,416,432 ----a-w C:\Program Files\Google_Earth_BZXD.exe
2007-09-04 09:21 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-04 00:21 23,402,288 ----a-w C:\Program Files\AdbeRdr810_en_US.exe
2007-09-01 13:52 --------- d-----w C:\Program Files\TVUPlayer
2007-09-01 13:51 --------- d-----w C:\Documents and Settings\Steiner\Application Data\TVU networks
2007-08-27 05:15 --------- d-----w C:\Documents and Settings\Steiner\Application Data\uTorrent
2007-08-25 17:45 785,530 ----a-w C:\Program Files\MatroskaSplitter.exe
2007-08-25 14:39 731,711 ----a-w C:\Program Files\avisplit.exe
2007-08-25 14:35 174,727 ----a-w C:\Program Files\osavisplitter.1.0.0.7_nt.exe
2007-08-25 09:49 6,221,304 ----a-w C:\Program Files\winamp535_full_emusic-7plus.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ----a-w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ----a-w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ----a-w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ----a-w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ----a-w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ----a-w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-19 16:27 24,048,424 ----a-w C:\Program Files\SkypeSetup.exe
2007-08-18 13:15 2,879,608 ----a-w C:\Program Files\TvantsSetup.EXE
2007-08-17 10:21 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ----a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-07-30 11:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 11:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 11:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 11:19 549,720 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 11:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 11:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 11:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 11:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 11:19 325,976 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 11:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 11:19 203,096 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 11:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 11:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 11:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-30 11:18 33,624 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2007-07-28 08:44 6,658,184 ----a-w C:\Program Files\sensationalsoccer_at.exe
2007-07-17 11:50 14,993,976 ----a-w C:\Program Files\GoogleEarthWin.exe
2007-06-06 07:15 1,163,592 ----a-w C:\Program Files\install_flash_player.exe
2007-06-01 00:13 513,144 ----a-w C:\Program Files\setup.exe
2007-05-17 14:48 4,659,162 ----a-w C:\Program Files\deutschland.mp3
2007-05-13 13:53 9,187,304 ----a-w C:\Program Files\winamp534_full_bundle_emusic-7plus.exe
2007-05-05 11:47 852,101 ----a-w C:\Program Files\extractnow.exe
2007-05-05 11:43 733,024 ----a-w C:\Program Files\UnRarX_2.2.zip
2007-04-15 15:22 1,401,109 ----a-w C:\Program Files\spybotsd_includes.exe
2007-04-15 14:40 3,191,432 ----a-w C:\Program Files\runalyz.exe
2007-04-15 14:37 5,037,072 ----a-w C:\Program Files\spybotsd14.exe
2007-04-14 17:16 2,566,902 ----a-w C:\Program Files\Taipan_Setup.exe
2007-04-14 16:16 4,479,986 ----a-w C:\Program Files\scnsb.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69A0EEC7-190C-33F1-4F7A-0383C563F5FD}]
2007-10-19 01:37 102400 --a------ C:\Program Files\qnatfoww\yoqzwtfa.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-08 18:36]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-08 18:32]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-15 00:11]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-06 23:27]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-05 01:59]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 04:54]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-04 04:24]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-03-30 05:45]
"VF0060 STISvc"="V0060Pin.dll" [2004-11-01 09:00 C:\WINDOWS\system32\V0060Pin.dll]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2005-02-09 00:38]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 18:12 C:\WINDOWS\AGRSMMSG.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 12:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-02-08 06:39]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-10-20 03:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 18:52]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-07 08:14]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 16:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 16:00]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-17 03:45]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-29 18:26]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"hstsys"= {D433F572-882D-4C8B-9A93-761E91562F70} - C:\WINDOWS\hstsys.dll [2007-10-18 18:36 281600]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LUMIX Simple Viewer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LUMIX Simple Viewer.lnk
backup=C:\WINDOWS\pss\LUMIX Simple Viewer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online Dialer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Verizon Online Dialer.lnk
backup=C:\WINDOWS\pss\Verizon Online Dialer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Steiner^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=C:\Documents and Settings\Steiner\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
"C:\Program Files\Creative\Shared Files\CamTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBCMAgent]
C:\Program Files\Intuit\QuickBooks Customer Manager\QBCMAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RssReader]
C:\Program Files\RssReader\RssReader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SFP]
C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

S3 V0060VID;Creative WebCam Live! Ultra;C:\WINDOWS\system32\DRIVERS\V0060Vid.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2c1a570-e131-11da-801c-00166f4138ac}]
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL PortableVaultAES.exe
Explore\command - explorer.exe /n,/e ,.
Launch\command - E:\portablevaultaes.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-25 11:09:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-10-22 12:00:13 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Steiner.job"
"2007-10-26 11:13:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-26 19:13:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????7?3?5?9??p???? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-26 19:14:51
C:\ComboFix2.txt ... 2007-10-25 08:36
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:15:57 PM, on 10/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\DF206D97847745E7983C822C45EE3038\ringjack.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {69A0EEC7-190C-33F1-4F7A-0383C563F5FD} - C:\Program Files\qnatfoww\yoqzwtfa.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [VF0060 STISvc] RunDLL32.exe V0060Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: hstsys - {D433F572-882D-4C8B-9A93-761E91562F70} - C:\WINDOWS\hstsys.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10265 bytes

#10 Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 26 October 2007 - 02:41 PM

Copy the text below to notepad and save it to the desktop with the name CFScript.txt

File::
C:\WINDOWS\hstsys.dll
C:\WINDOWS\ntspkmxl.dll
C:\Program Files\VideoAccessCodecInstall.exe
Folder::
C:\Program Files\qnatfoww
C:\Documents and Settings\Steiner\.housecall6.6
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69A0EEC7-190C-33F1-4F7A-0383C563F5FD}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"hstsys"=-

Once saved, drag CFScript.txt on top of ComboFix.exe and this will launch the tool and begin the script.

Once completed, post the new ComboFix log and a fresh HijackThis log.

After posting those logs, please run the F-Secure Online Scanner

Note: This scanner is for Internet Explorer only
  • Follow the instructions on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy & paste the entire report in your next reply.
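
Added example (not posted by any participant in this thread, and not code from HijackThis or ComboFix): a small Python script that applies the two signals the CFScript above acts on, a Browser Helper Object registered as "(no name)" and a ShellServiceObjectDelayLoad DLL loaded from outside system32, to the O2 and O21 lines of a HijackThis log, then writes the matches out in the File::/Registry:: layout the CFScript uses. The three sample log lines are copied from the HijackThis log posted in this thread; the function names, the dataclass and the two heuristics are this example's own assumptions, and both checks are review signals rather than proof of infection.

```python
"""Flag suspicious HijackThis O2/O21 entries and emit a ComboFix-style CFScript.

Added example for this thread, not code from HijackThis or ComboFix.
Heuristics (assumptions of this example, not rules from either tool):
  * an O2 Browser Helper Object registered as "(no name)";
  * an O21 ShellServiceObjectDelayLoad DLL that lives outside system32
    (the stock SSODL entries all sit in %SystemRoot%\\system32).
Both are review signals, not proof of infection.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: three lines copied from the HijackThis log posted in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {69A0EEC7-190C-33F1-4F7A-0383C563F5FD} - C:\Program Files\qnatfoww\yoqzwtfa.dll
O21 - SSODL: hstsys - {D433F572-882D-4C8B-9A93-761E91562F70} - C:\WINDOWS\hstsys.dll
"""

# CLSID in registry form: 8-4-4-4-12 hex digits inside braces.
_CLSID = r"\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}"
_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - " + _CLSID + r" - (?P<path>.+)$")
_O21 = re.compile(r"^O21 - SSODL: (?P<name>\S+) - " + _CLSID + r" - (?P<path>.+)$")


@dataclass
class Entry:
    kind: str    # "O2" (Browser Helper Object) or "O21" (SSODL)
    name: str
    clsid: str
    path: str
    reason: str = ""   # filled in when the entry is flagged


def parse_hjt(text: str) -> list[Entry]:
    """Return the O2 (BHO) and O21 (SSODL) entries found in a HijackThis log."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        for kind, pattern in (("O2", _O2), ("O21", _O21)):
            m = pattern.match(line)
            if m:
                entries.append(Entry(kind, m["name"], m["clsid"].upper(), m["path"]))
                break
    return entries


def flag_entries(entries: list[Entry]) -> list[Entry]:
    """Apply the two heuristics; returns the entries worth a closer look."""
    flagged: list[Entry] = []
    for e in entries:
        if e.kind == "O2" and e.name.strip().lower() == "(no name)":
            e.reason = "BHO registered without a name"
            flagged.append(e)
        elif e.kind == "O21":
            parent = e.path.rsplit("\\", 1)[0].lower()
            if not parent.endswith("\\system32"):
                e.reason = "SSODL DLL loaded from outside system32"
                flagged.append(e)
    return flagged


def build_cfscript(flagged: list[Entry]) -> str:
    """Render flagged entries in the File::/Registry:: layout of a ComboFix CFScript.

    The '~' in the BHO key is the abbreviation ComboFix itself prints for the
    HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer path, as used in this thread.
    """
    files = [e.path for e in flagged]
    reg: list[str] = []
    for e in flagged:
        if e.kind == "O2":
            reg.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{{{e.clsid}}}]")
        else:
            reg.append("[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad]")
            reg.append(f'"{e.name}"=-')
    return "\n".join(["File::", *files, "Registry::", *reg]) + "\n"


if __name__ == "__main__":
    hits = flag_entries(parse_hjt(SAMPLE_HJT_LOG))
    for h in hits:
        print(f"{h.kind} {h.clsid} {h.path}: {h.reason}")
    print(build_cfscript(hits))
```

The script only sees what the O2/O21 lines point at, so it produces a narrower CFScript than the one above: the helper also removed C:\WINDOWS\ntspkmxl.dll and C:\Program Files\VideoAccessCodecInstall.exe, which appear only in ComboFix's file list, and used Folder:: to take out the whole C:\Program Files\qnatfoww directory rather than the single DLL. Treat the output as a starting list to review against the ComboFix log, not as a script to run unchecked.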


#11 chinasteiners

  • Topic Starter
  • Members
  • 10 posts
  • OFFLINE

Posted 26 October 2007 - 08:13 PM

ComboFix, then HijackThis... F-Secure will be in the next post.

ComboFix 07-10-23.1 - Steiner 2007-10-27 8:58:00.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.395 [GMT 8:00]
Running from: C:\Documents and Settings\Steiner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Steiner\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\Program Files\VideoAccessCodecInstall.exe
C:\WINDOWS\hstsys.dll
C:\WINDOWS\ntspkmxl.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Steiner\.housecall6.6
C:\Documents and Settings\Steiner\.housecall6.6\8ball.txt
C:\Documents and Settings\Steiner\.housecall6.6\AU_Log\TmuDump.txt
C:\Documents and Settings\Steiner\.housecall6.6\aucfg.ini
C:\Documents and Settings\Steiner\.housecall6.6\BPMNT.dll
C:\Documents and Settings\Steiner\.housecall6.6\ciussi32.dll
C:\Documents and Settings\Steiner\.housecall6.6\dsvout.dll
C:\Documents and Settings\Steiner\.housecall6.6\engine.stat
C:\Documents and Settings\Steiner\.housecall6.6\getMac.exe
C:\Documents and Settings\Steiner\.housecall6.6\GetServer.ini
C:\Documents and Settings\Steiner\.housecall6.6\jsapi.dll
C:\Documents and Settings\Steiner\.housecall6.6\jupdate.dll
C:\Documents and Settings\Steiner\.housecall6.6\local.conf
C:\Documents and Settings\Steiner\.housecall6.6\log\dsvout.log
C:\Documents and Settings\Steiner\.housecall6.6\log\engine0.log
C:\Documents and Settings\Steiner\.housecall6.6\log\engine0.log.lck
C:\Documents and Settings\Steiner\.housecall6.6\log\error0.log
C:\Documents and Settings\Steiner\.housecall6.6\log\error0.log.lck
C:\Documents and Settings\Steiner\.housecall6.6\log\execution0.log
C:\Documents and Settings\Steiner\.housecall6.6\log\execution0.log.lck
C:\Documents and Settings\Steiner\.housecall6.6\patch.exe
C:\Documents and Settings\Steiner\.housecall6.6\PATCHW32.DLL
C:\Documents and Settings\Steiner\.housecall6.6\Pattern\lpt$vpn.785
C:\Documents and Settings\Steiner\.housecall6.6\Pattern\tmaptn.545
C:\Documents and Settings\Steiner\.housecall6.6\Pattern\tmvamain.ptn
C:\Documents and Settings\Steiner\.housecall6.6\Pattern\tsc.ptn
C:\Documents and Settings\Steiner\.housecall6.6\ssapi32.dll
C:\Documents and Settings\Steiner\.housecall6.6\ssapiptn.da5
C:\Documents and Settings\Steiner\.housecall6.6\tmcomm.sys
C:\Documents and Settings\Steiner\.housecall6.6\TmEngDrv.dll
C:\Documents and Settings\Steiner\.housecall6.6\TmUpdate.dll
C:\Documents and Settings\Steiner\.housecall6.6\tsc.exe
C:\Documents and Settings\Steiner\.housecall6.6\Update\AU_Cache\housecall65.trendmicro.com\ini_xml.zip
C:\Documents and Settings\Steiner\.housecall6.6\Update\AU_Cache\housecall65.trendmicro.com\ini_xml.zip.etag
C:\Documents and Settings\Steiner\.housecall6.6\Update\AU_Cache\housecall65.trendmicro.com\server.ini
C:\Documents and Settings\Steiner\.housecall6.6\Update\AU_Cache\housecall65.trendmicro.com\server.ini.etag
C:\Documents and Settings\Steiner\.housecall6.6\usrbl.dat
C:\Documents and Settings\Steiner\.housecall6.6\usrwl.dat
C:\Documents and Settings\Steiner\.housecall6.6\vsapi32.dll
C:\Documents and Settings\Steiner\.housecall6.6\vscan.dat
C:\Program Files\qnatfoww
C:\Program Files\qnatfoww\yoqzwtfa.dll
C:\Program Files\VideoAccessCodecInstall.exe
C:\WINDOWS\hstsys.dll
C:\WINDOWS\ntspkmxl.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-27 to 2007-10-27 )))))))))))))))))))))))))))))))
.

2007-10-25 21:25 <DIR> d-------- C:\Documents and Settings\Steiner\.gimp-2.4
2007-10-25 20:37 14,952,016 --a------ C:\Program Files\gimp-2.4.0-i586-setup.exe
2007-10-25 19:15 3,362 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-23 15:41 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-23 00:23 1,953,799 --a------ C:\Program Files\stinger.exe
2007-10-20 17:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-10-20 17:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-10-20 17:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2007-10-20 17:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-20 17:15 <DIR> d-------- C:\Documents and Settings\Steiner\Application Data\SUPERAntiSpyware.com
2007-10-20 15:32 5,914,648 --a------ C:\Program Files\SUPERAntiSpyware.exe
2007-10-20 02:49 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-20 02:47 11,470,608 --a------ C:\Program Files\avgas-setup-7.5.0.50.exe
2007-10-20 00:05 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-19 23:39 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-19 23:39 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-19 23:38 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-19 23:27 2,566,736 --a------ C:\Program Files\spywareblastersetup351.exe
2007-10-19 23:04 407,680 --a------ C:\Program Files\aswclnr.exe
2007-10-19 22:52 318,369 --a------ C:\Program Files\HiJackThis.zip
2007-10-19 22:31 19,755,376 --a------ C:\Program Files\aaw2007.exe
2007-10-18 19:28 <DIR> d-------- C:\Program Files\iTunes
2007-10-18 19:28 <DIR> d-------- C:\Program Files\iPod
2007-10-17 14:02 <DIR> d-------- C:\Documents and Settings\Steiner\Application Data\gtk-2.0
2007-10-17 01:13 <DIR> d-------- C:\Documents and Settings\Steiner\Application Data\Inkscape
2007-10-17 00:50 <DIR> d-------- C:\Program Files\Inkscape
2007-10-16 23:40 <DIR> d-------- C:\Documents and Settings\Steiner\Application Data\CasaPortale.de
2007-10-16 23:37 <DIR> d-------- C:\Program Files\PosteRazor-1.4-Win32
2007-10-16 23:35 354,656 --a------ C:\Program Files\PosteRazor-1.4-Win32.zip
2007-10-16 21:10 22,974,393 --a------ C:\Program Files\Inkscape-0.45.1-1.win32.exe
2007-10-10 06:31 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-27 00:56 --------- d-----w C:\Documents and Settings\Steiner\Application Data\Skype
2007-10-25 13:13 --------- d-----w C:\Program Files\GIMP-2.0
2007-10-23 08:28 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-23 06:26 17 ----a-w C:\Program Files\stinger.opt
2007-10-20 07:09 --------- d-----w C:\Documents and Settings\Steiner\Application Data\OpenOffice.org2
2007-10-19 16:04 6,172 ----a-w C:\Program Files\aswclnr.log
2007-10-19 14:53 8,653,598 ----a-w C:\Program Files\aaw2007.exe.part
2007-10-16 13:08 --------- d-----w C:\Program Files\Common Files\Elecard
2007-10-16 13:07 --------- d-----w C:\Program Files\pdf995
2007-10-10 12:43 146,168 ----a-w C:\Documents and Settings\Steiner\Application Data\GDIPFONTCACHEV1.DAT
2007-10-06 15:30 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-06 15:30 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-06 15:30 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-06 15:30 --------- d-----w C:\Program Files\Symantec
2007-09-28 10:51 --------- d-----w C:\Program Files\Picasa2
2007-09-18 23:46 --------- d-----w C:\Program Files\Norton AntiVirus
2007-09-18 06:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 06:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 06:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 06:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 06:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 06:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 06:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 06:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 06:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-15 11:13 --------- d-----w C:\Documents and Settings\Steiner\Application Data\SopCast
2007-09-15 11:12 --------- d-----w C:\Program Files\SopCast
2007-09-15 11:11 2,248,200 ----a-w C:\Program Files\SopCast.zip
2007-09-11 10:48 --------- d-----w C:\Program Files\Apple Software Update
2007-09-06 16:06 --------- d-----w C:\Program Files\Google
2007-09-06 12:25 13,416,432 ----a-w C:\Program Files\Google_Earth_BZXD.exe
2007-09-04 09:21 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-04 00:21 23,402,288 ----a-w C:\Program Files\AdbeRdr810_en_US.exe
2007-09-01 13:52 --------- d-----w C:\Program Files\TVUPlayer
2007-09-01 13:51 --------- d-----w C:\Documents and Settings\Steiner\Application Data\TVU networks
2007-08-27 05:15 --------- d-----w C:\Documents and Settings\Steiner\Application Data\uTorrent
2007-08-25 17:45 785,530 ----a-w C:\Program Files\MatroskaSplitter.exe
2007-08-25 14:39 731,711 ----a-w C:\Program Files\avisplit.exe
2007-08-25 14:35 174,727 ----a-w C:\Program Files\osavisplitter.1.0.0.7_nt.exe
2007-08-25 09:49 6,221,304 ----a-w C:\Program Files\winamp535_full_emusic-7plus.exe
2007-08-19 16:27 24,048,424 ----a-w C:\Program Files\SkypeSetup.exe
2007-08-18 13:15 2,879,608 ----a-w C:\Program Files\TvantsSetup.EXE
2007-07-28 08:44 6,658,184 ----a-w C:\Program Files\sensationalsoccer_at.exe
2007-07-17 11:50 14,993,976 ----a-w C:\Program Files\GoogleEarthWin.exe
2007-06-06 07:15 1,163,592 ----a-w C:\Program Files\install_flash_player.exe
2007-06-01 00:13 513,144 ----a-w C:\Program Files\setup.exe
2007-05-17 14:48 4,659,162 ----a-w C:\Program Files\deutschland.mp3
2007-05-13 13:53 9,187,304 ----a-w C:\Program Files\winamp534_full_bundle_emusic-7plus.exe
2007-05-05 11:47 852,101 ----a-w C:\Program Files\extractnow.exe
2007-05-05 11:43 733,024 ----a-w C:\Program Files\UnRarX_2.2.zip
2007-04-15 15:22 1,401,109 ----a-w C:\Program Files\spybotsd_includes.exe
2007-04-15 14:40 3,191,432 ----a-w C:\Program Files\runalyz.exe
2007-04-15 14:37 5,037,072 ----a-w C:\Program Files\spybotsd14.exe
2007-04-14 17:16 2,566,902 ----a-w C:\Program Files\Taipan_Setup.exe
2007-04-14 16:16 4,479,986 ----a-w C:\Program Files\scnsb.exe
2007-04-14 15:24 999,224 ----a-w C:\Program Files\optimize-setup-0003.exe
2007-04-12 14:01 64,000 ----a-w C:\Program Files\27 __.doc
2007-04-09 15:36 6,890,528 ----a-w C:\Program Files\nvu-1.0-win32-installer-full.exe
2007-04-09 15:18 8,008,753 ----a-w C:\Program Files\nvu-1.0-win32-full.zip
2007-04-09 15:04 1,016,545 ----a-w C:\Program Files\smoke.jar
2007-04-09 15:03 607,051 ----a-w C:\Program Files\nvutut-0.3b.xpi
2007-03-26 16:51 29,732,352 ----a-w C:\Program Files\BookSmart_1.7.6.exe
2007-03-23 06:55 1,691,627 ----a-w C:\Program Files\NewzToolzSetup.exe
2007-03-13 07:20 688,831 ----a-w C:\Program Files\uTorrent-1.6.1-install.exe
2007-03-10 06:21 3,049,211 ----a-w C:\Program Files\converter.exe
2007-02-02 16:48 4,315,421 ----a-w C:\Program Files\BitTornado-0.3.18-w32install.exe
2006-11-12 12:51 36,808,256 ----a-w C:\Program Files\iTunesSetup.exe
2006-11-02 01:58 4,912,968 ----a-w C:\Program Files\picasaweb-current-setup.exe
2006-10-26 01:08 2,733,552 ----a-w C:\Program Files\GmailPopTroubleshooterInstaller.exe
2006-10-23 17:13 6,053,888 ----a-w C:\Program Files\pegasusw32-431.exe
2006-10-23 16:15 17,416,184 ----a-w C:\Program Files\Eudora_7.1.0.9.exe
2006-10-20 06:32 6,335,024 ----a-w C:\Program Files\Thunderbird Setup 1.5.0.7.exe
2006-07-18 16:04 439,296 ----a-w C:\Documents and Settings\Steiner\remote.exe
2006-04-25 22:26 93,391,073 ----a-w C:\Program Files\OOo_2.0.2_Win32Intel_install.exe
2006-04-08 15:54 7,788,331 ----a-w C:\Program Files\Nimo50Build9Beta1.exe
2006-04-08 15:41 19,318,281 ----a-w C:\Program Files\klcodec271f.exe
2006-04-07 00:55 23,491,904 ----a-w C:\Program Files\imechs.exe
2006-04-07 00:36 11,817,800 ----a-w C:\Program Files\GoogleEarth.exe
2006-04-07 00:04 5,175,696 ----a-w C:\Program Files\Firefox Setup 1.5.0.1.exe
2006-04-06 22:52 21,254,280 ----a-w C:\Program Files\AdbeRdr707_en_US.exe
2004-12-05 05:33 2,672 ----a-w C:\Program Files\francais.txt
2004-06-12 08:28 3,108 ----a-w C:\Program Files\readme.txt
2004-01-08 03:38 208,896 ----a-w C:\Program Files\lame_enc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-08 18:36]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-08 18:32]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-15 00:11]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-06 23:27]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-05 01:59]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 04:54]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-04 04:24]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-03-30 05:45]
"VF0060 STISvc"="V0060Pin.dll" [2004-11-01 09:00 C:\WINDOWS\system32\V0060Pin.dll]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2005-02-09 00:38]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 18:12 C:\WINDOWS\AGRSMMSG.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 12:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-02-08 06:39]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-10-20 03:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 18:52]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-07 08:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 16:00]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-17 03:45]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-29 18:26]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LUMIX Simple Viewer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LUMIX Simple Viewer.lnk
backup=C:\WINDOWS\pss\LUMIX Simple Viewer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online Dialer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Verizon Online Dialer.lnk
backup=C:\WINDOWS\pss\Verizon Online Dialer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Steiner^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=C:\Documents and Settings\Steiner\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
"C:\Program Files\Creative\Shared Files\CamTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBCMAgent]
C:\Program Files\Intuit\QuickBooks Customer Manager\QBCMAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RssReader]
C:\Program Files\RssReader\RssReader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SFP]
C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

S3 V0060VID;Creative WebCam Live! Ultra;C:\WINDOWS\system32\DRIVERS\V0060Vid.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2c1a570-e131-11da-801c-00166f4138ac}]
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL PortableVaultAES.exe
Explore\command - explorer.exe /n,/e ,.
Launch\command - E:\portablevaultaes.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-25 11:09:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-10-22 12:00:13 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Steiner.job"
"2007-10-27 01:08:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-27 09:07:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????7?3?5?9??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-27 9:10:40 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-26 19:14
C:\ComboFix3.txt ... 2007-10-25 08:36
.
--- E O F ---



_________________________________________________________________________________________________________________



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:13:08 AM, on 10/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\DF206D97847745E7983C822C45EE3038\ringjack.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [VF0060 STISvc] RunDLL32.exe V0060Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9968 bytes

Edited by chinasteiners, 26 October 2007 - 08:21 PM.


#12 chinasteiners

chinasteiners
  • Topic Starter

  • Members
  • 10 posts

Posted 26 October 2007 - 11:26 PM

Here's the F-Secure Online Scanner report:



Scanning Report
Saturday, October 27, 2007 10:31:41 - 11:50:10

Computer name: ADRAMMELECH
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
Result: 4 malware found
Tracking Cookie (spyware)

* System (Disinfected)
* System
* System
* System

Statistics
Scanned:

* Files: 48202
* System: 5864
* Not scanned: 5

Actions:

* Disinfected: 1
* Renamed: 0
* Deleted: 0
* None: 3
* Submitted: 0

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{BFE36115-7254-48E2-9639-67AD280246D0}.BIN
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MUVEE TECHNOLOGIES\030625\0102\0310\VALUES

Options
Scanning engines:

* F-Secure Libra: 2.4.2, 2007-10-26
* F-Secure AVP: 7.0.171, 2007-10-26
* F-Secure Orion: 1.2.37, 2007-10-26
* F-Secure Blacklight: 1.0.64
* F-Secure Draco: 1.0.35, 0598-150-72
* F-Secure Pegasus: 1.19.0, 2007-09-18

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
* Use Advanced heuristics


Edited by chinasteiners, 26 October 2007 - 11:28 PM.


#13 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 27 October 2007 - 04:01 AM

How does the machine seem to be running today?

Please post an uninstall list,
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file.
  • When you press the Save button, a Notepad window will open with the contents of that file.
  • Simply copy and paste the contents of that notepad into this topic please.


#14 chinasteiners

chinasteiners
  • Topic Starter

  • Members
  • 10 posts

Posted 27 October 2007 - 06:18 AM

The computer is working great today...ever since running SmitfraudFix and ComboFix the symptoms have been gone (or such that I haven't noticed them). I'm waiting for when you tell me we've got everything taken care of to lavish you with praise. Instead of dread I'm feeling pretty elated every time I come to the computer now.

Here's the uninstall list:

µTorrent
7-Zip 4.36 beta
Ad-Aware 2007
Adobe Flash Player Plugin
Adobe Reader 8.1.0
Adobe Reader Chinese Simplified Fonts
Agere Systems AC'97 Modem
Ahead Nero Burning Rom PlugIn Pack 2.0.2 by MadHacker2k4
ALPS Touch Pad Driver
AppCore
Apple Mobile Device Support
Apple Software Update
ArcSoft Software Suite
aspi
Audacity 1.2.0
AV
AVG Anti-Spyware 7.5
BitTornado 0.3.18
Canon iP1600
Canon PhotoRecord
Canon Utilities Easy-PhotoPrint
ccCommon
CCHelp
CCleaner (remove only)
CCScore
Creative WebCam Center
Creative WebCam Live! Ultra Driver (1.01.03.0127)
Creative WebCam Live! Ultra User's Guide (English)
DivX Web Player
DVD Shrink 3.2
Easy-WebPrint
ESSAdpt
ESSANUP
ESSCAM
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSTUTOR
ESSvpaht
ESSvpot
Estate Planner 2.0
ExtractNow
FreeMind
GIMP 2.4.0
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
GTK+ 2.8.9 runtime environment
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Help and Support
HP Image Zone 4.8.5
HP Image Zone Plus 4.8.5
HP Software Update
HP Wireless Assistant 1.01 B2
HP_User_Guides_0005
HPIZplus450
InCD EasyWrite Reader (Ahead Software)
Inkscape 0.45.1
Intel® Graphics Media Accelerator Driver for Mobile
InterActual Player
Internet Worm Protection
InterVideo WinDVD
IrfanView (remove only)
iTunes
J2SE Runtime Environment 5.0 Update 4
K-Lite Codec Pack 2.71 Full
Kodak EasyShare software
KSU
Lernout & Hauspie TruVoice American English TTS Engine
LinguaLinks
LiveUpdate 3.2 (Symantec Corporation)
Locked Programs
LUMIX Simple Viewer
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Global IME for Office XP (Simplified Chinese)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2005
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Standard
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
Mozilla Firefox (2.0.0.8)
Mozilla Thunderbird (2.0.0.6)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
muvee autoProducer 4.0 - SE
Nero 6 Ultra Edition
NewzToolz v1.0.1
Nimo Codecs Pack v5.0 (Remove Only)
Norton AntiVirus
Norton AntiVirus (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton Protection Center
Notifier
Nvu 1.0
OmniFormat
OpenOffice.org 2.0
OpenSource AVI Splitter (remove only)
Opera 9.01
OTtBP
PDFCreator
Picasa 2
Quick Launch Buttons 5.10 B5
QuickBooks Customer Manager Version 1
QuickBooks Premier Edition 2005
Quicken Family Lawyer 2001
QuickTime
RealPlayer
RssReader
RunAlyzer
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
SFR
SFR2
Skype™ 3.5
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
SopCast 1.1.2
SoundMAX
SPBBC 32bit
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
SUPERAntiSpyware Free Edition
Symantec
SymNet
Taipan v1.11
Texas Instruments PCIxx21/x515 drivers.
The Complete Idiot's Guide to Wills and Estates
The Plain-Language Law Dictionary
TVAnts 1.0
TVUPlayer 2.3.2.52
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
USB MassStorage CardReader
VideoLAN VLC media player 0.8.5
Virtools 3D Life Player
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB884575
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885464
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892559
WordWeb

#15 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 27 October 2007 - 05:01 PM

Let's make sure a few items are up to date.

J2SE Runtime Environment 5.0 Update 4 <-- Uninstall and install the latest version from the link below.
http://www.java.com/en/download/index.jsp

QuickTime <-- Make sure it's the latest version.

RealPlayer <-- Make sure it's the latest version.


Now we need to reset System Restore and clear out all the old infected restore points.
  • Click Start
  • Right-Click "My Computer" and Select Properties.
  • Click on the "System Restore" tab.
  • Place a checkmark in the box for "Turn off System Restore" and Click "Apply."
  • Restart the Computer.
  • Return to System Restore and Uncheck the box for "Turn off System Restore" and Click "Apply."
  • A fresh Restore Point will be created.

Consider using Erunt for a backup to System Restore in case the machine ever does crash.
http://silentrunners.org/sr_eruntuse.html

Be sure to read through the entire page and pay close attention to Emergency Procedures should you ever need it.


Let me know when you get System Restore fixed up.
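The System Restore reset above works because turning the feature off for a drive discards every restore point on it, including any that hold copies of the files the cleanup just removed. The following PowerShell script is an added example, not part of the thread, that does the same steps through the SystemRestore WMI class in root\default, which is the provider behind the System Restore tab. It assumes an elevated PowerShell session on a Windows version that exposes that class (XP through current releases), and that you reboot between the disable and enable steps as the post instructs; the restore-point description string and the helper names are this example's own. On Windows 8 and later, CreateRestorePoint is by default limited to one point per 24 hours, so the final step may silently be skipped there.

```powershell
# Added example (not from the thread): list, purge and re-create restore points
# via the root\default SystemRestore WMI class.

$SystemRestore = [wmiclass] '\\.\root\default:SystemRestore'

function Get-RestorePoints {
    # Existing restore points, oldest first. Any of these could hold a copy
    # of the infected files that a later rollback would reintroduce.
    Get-WmiObject -Namespace 'root\default' -Class SystemRestore |
        Sort-Object SequenceNumber |
        Select-Object SequenceNumber, Description, CreationTime
}

function Disable-SystemRestoreOnDrive {
    param([string] $Drive = 'C:\')

    Write-Host "Restore points on $Drive that will be purged:"
    Get-RestorePoints | Format-Table -AutoSize

    # Disable(Drive) deletes every restore point on that drive.
    $rc = $SystemRestore.Disable($Drive).ReturnValue
    if ($rc -ne 0) { throw "SystemRestore.Disable failed, return code $rc" }

    Write-Host 'System Restore is off. Reboot, then run Enable-SystemRestoreOnDrive.'
}

function Enable-SystemRestoreOnDrive {
    param([string] $Drive = 'C:\')

    # Enable(Drive, WaitTillEnabled): block until the service is back up.
    $rc = $SystemRestore.Enable($Drive, $true).ReturnValue
    if ($rc -ne 0) { throw "SystemRestore.Enable failed, return code $rc" }

    # Create the fresh baseline the post describes.
    # RestorePointType 0 = APPLICATION_INSTALL, EventType 100 = BEGIN_SYSTEM_CHANGE.
    $rc = $SystemRestore.CreateRestorePoint(
        'Clean baseline after malware removal', 0, 100).ReturnValue
    if ($rc -ne 0) { throw "SystemRestore.CreateRestorePoint failed, return code $rc" }

    Write-Host 'Restore points now present:'
    Get-RestorePoints | Format-Table -AutoSize
}

# Usage, in two sessions with a reboot in between:
#   Disable-SystemRestoreOnDrive
#   ... reboot ...
#   Enable-SystemRestoreOnDrive
```

Listing the points before purging them is the one check the GUI route skips: if the list is empty or contains only points older than the infection, the flush buys nothing and costs you the rollback option, which is the case ERUNT is suggested for.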



