
Infected With The Trojan.zonebac


17 replies to this topic

#1 mmoore4

mmoore4

  • Members
  • 33 posts

Posted 27 October 2007 - 12:30 AM

The zonebac was first found by Norton. I did not notice anything different. When I ran a full scan it also found trojan.adclicker and trojan.dropper. Some of these files were quarantined and others were left alone. Norton no longer loads automatically but I can still run it.

Thanks in advance!

Attached Files




#2 mmoore4

mmoore4
  • Topic Starter

  • Members
  • 33 posts

Posted 06 November 2007 - 12:14 AM

Here is a new HJT log. I hope a moderator can reply soon. Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:18 PM, on 11/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Sony Handheld\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\DOCUME~1\Michael\LOCALS~1\Temp\Rar$EX00.562\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.medscape.com/px/urlinfo
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Michael"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1993962763-1645522239-1801674531-1005\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe (User 'Aarati')
O4 - HKUS\S-1-5-21-1993962763-1645522239-1801674531-1005\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe" (User 'Aarati')
O4 - HKUS\S-1-5-21-1993962763-1645522239-1801674531-1005\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer (User 'Aarati')
O4 - HKUS\S-1-5-21-1993962763-1645522239-1801674531-1005\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify (User 'Aarati')
O4 - HKUS\S-1-5-21-1993962763-1645522239-1801674531-1005\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry (User 'Aarati')
O4 - HKUS\S-1-5-21-1993962763-1645522239-1801674531-1005\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'Aarati')
O4 - HKUS\S-1-5-21-1993962763-1645522239-1801674531-1005\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Aarati')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O16 - DPF: {D68DAEED-C2A6-4C6F-9365-4676B173D8EF} -
O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} (AMI DicomDir TreeView Control 2.1) - file://E:\CDVIEWER\CdViewer.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

--
End of file - 8140 bytes

#3 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 08 November 2007 - 11:55 PM

Hello mmoore4,

Download FindAWF:
http://noahdfear.net/downloads/FindAWF.exe
Save the file to the Desktop <== IMPORTANT
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, Find AWF report is produced that we need to look at.
Please post it in your reply.

Edited by SifuMike, 08 November 2007 - 11:59 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 mmoore4

mmoore4
  • Topic Starter

  • Members
  • 33 posts

Posted 09 November 2007 - 01:34 AM

Here are the results:


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Fri 11/09/2007
The current time is: 0:15:04.42


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

04/07/2003 05:09 PM 118,784 MXOALDR.EXE
1 File(s) 118,784 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

07/31/2007 05:44 PM 271,672 iTunesHelper.exe
1 File(s) 271,672 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\NAVNT\BAK

09/24/2001 06:59 AM 73,728 vptray.exe
1 File(s) 73,728 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 05:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\SPYBOT~1\BAK

05/31/2005 01:04 AM 1,415,824 TeaTimer.exe
1 File(s) 1,415,824 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 01:56 AM 15,360 ctfmon.exe
07/09/2001 09:50 AM 155,648 NeroCheck.exe
2 File(s) 171,008 bytes

Directory of C:\PROGRA~1\AHEAD\NEROBA~1\BAK

10/11/2005 05:25 PM 1,961,984 nbj.exe
1 File(s) 1,961,984 bytes

Directory of C:\PROGRA~1\SCANSOFT\OMNIPA~1\BAK

06/03/2002 11:38 AM 49,152 opware32.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\TIVO\DESKTOP\BAK

06/20/2006 06:25 AM 341,504 TiVoNotify.exe
06/20/2006 06:27 AM 1,313,792 TiVoServer.exe
2 File(s) 1,655,296 bytes

Directory of C:\PROGRA~1\YAHOO!\SEARCH~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\TIVOSH~1\TRANSFER\BAK

06/20/2006 06:24 AM 1,174,528 TiVoTransfer.exe
1 File(s) 1,174,528 bytes

Directory of C:\PROGRA~1\MAXTOR\ONETOUCH\UTILS\BAK

05/21/2003 02:30 PM 45,056 OneTouch.exe
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\AHEAD\AHEAD\DATA\XTRAS\BAK

05/12/2004 02:04 PM 196,608 mssysmgr.exe
1 File(s) 196,608 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

12/11/2001 06:33 PM 196,608 hpztsb04.exe
1 File(s) 196,608 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

118784 Apr 7 2003 "C:\WINDOWS\bak\MXOALDR.EXE"
118784 Apr 7 2003 "C:\Program Files\Maxtor\OneTouch\Drivers\USB\mxoaldr.exe"
118784 Apr 7 2003 "C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\MXOALDR.EXE"
271672 Jul 31 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
271672 Jul 31 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Oct 27 2007 "C:\WINDOWS\Installer\{E0219810-16E4-437D-9165-93D7B22524F9}\iTunesIco.exe"
116024 Jul 31 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.3.2.6\iTunesSetupAdmin.exe"
73728 Sep 24 2001 "C:\Program Files\Navnt\bak\vptray.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
1415824 May 31 2005 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
155648 Jul 9 2001 "C:\Documents and Settings\Aarati\Local Settings\Temp\RarSFX0\System\NeroCheck.exe"
155648 Jul 9 2001 "C:\Documents and Settings\Aarati\Local Settings\Temp\RarSFX1\System\NeroCheck.exe"
1961984 Oct 11 2005 "C:\Program Files\Ahead\Nero BackItUp\bak\nbj.exe"
1961984 Oct 11 2005 "C:\Documents and Settings\Aarati\Local Settings\Temp\RarSFX0\Nero BackItUp\NBJ.exe"
1961984 Oct 11 2005 "C:\Documents and Settings\Aarati\Local Settings\Temp\RarSFX1\Nero BackItUp\NBJ.exe"
49152 Jun 3 2002 "C:\Program Files\ScanSoft\OmniPageSE\bak\opware32.exe"
341504 Jun 20 2006 "C:\Program Files\TiVo\Desktop\bak\TiVoNotify.exe"
1313792 Jun 20 2006 "C:\Program Files\TiVo\Desktop\bak\TiVoServer.exe"
1174528 Jun 20 2006 "C:\Program Files\Common Files\TiVo Shared\Transfer\bak\TiVoTransfer.exe"
45056 May 21 2003 "C:\Program Files\Maxtor\OneTouch\Utils\bak\OneTouch.exe"
196608 May 12 2004 "C:\Program Files\Ahead\Ahead\data\Xtras\bak\mssysmgr.exe"
196608 Dec 11 2001 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb04.exe"


end of report

#5 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 09 November 2007 - 11:35 AM

Hi mmoore4,

Please double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:


"C:\WINDOWS\bak\MXOALDR.EXE"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\Navnt\bak\vptray.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\NeroCheck.exe"
"C:\Program Files\Ahead\Nero BackItUp\bak\nbj.exe"
"C:\Program Files\ScanSoft\OmniPageSE\bak\opware32.exe"
"C:\Program Files\TiVo\Desktop\bak\TiVoNotify.exe"
"C:\Program Files\TiVo\Desktop\bak\TiVoServer.exe"
"C:\Program Files\Common Files\TiVo Shared\Transfer\bak\TiVoTransfer.exe"
"C:\Program Files\Maxtor\OneTouch\Utils\bak\OneTouch.exe"
"C:\Program Files\Ahead\Ahead\data\Xtras\bak\mssysmgr.exe"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb04.exe"


Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
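
Added example (my own code, not from this thread, from FindAWF, or from its author noahdfear): a small Python parser for the report layout shown in the posts above. For each file that FindAWF found in a `bak` folder it looks up that file's long-name entry in the "Duplicate files" list, strips the `\bak` component to get the parent-folder path, and checks whether the parent copy also appears in that list. The duplicate list only contains files whose size and date equal a backed-up file's, so a parent copy that is absent has been replaced or removed, which is the pattern this thread is cleaning up. `restore_candidates` then emits those backups in the quoted form pasted into files.txt above. `SAMPLE_REPORT` is a constructed excerpt (paths and sizes copied from the thread, blank lines squeezed out), and the function names are mine.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the layout of the FindAWF 1.40 reports posted in this
# thread (not a real report; paths and sizes are copied from the thread so the
# shape is realistic, with the blank lines squeezed out).
SAMPLE_REPORT = r"""
Find AWF report by noahdfear ©2006
bak folders found
~~~~~~~~~~~
Directory of C:\WINDOWS\BAK
04/07/2003 05:09 PM 118,784 MXOALDR.EXE
1 File(s) 118,784 bytes
Directory of C:\WINDOWS\SYSTEM32\BAK
08/04/2004 01:56 AM 15,360 ctfmon.exe
07/09/2001 09:50 AM 155,648 NeroCheck.exe
2 File(s) 171,008 bytes
Directory of C:\PROGRA~1\MSNMES~1\BAK
0 File(s) 0 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
118784 Apr 7 2003 "C:\WINDOWS\bak\MXOALDR.EXE"
118784 Apr 7 2003 "C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\MXOALDR.EXE"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
end of report
"""

DIR_RE = re.compile(r"^Directory of (.+)$")
FILE_RE = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{1,2}:\d{2}\s+[AP]M\s+([\d,]+)\s+(.+)$")
DUP_RE = re.compile(r'^(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"$')


@dataclass
class BakFile:
    bak_dir: str  # directory exactly as printed in the report (8.3 form)
    name: str
    size: int


def parse_report(text):
    """Split a report into (bak dirs, files inside them, duplicate-list entries)."""
    bak_dirs, bak_files, duplicates = [], [], []
    section, current_dir = None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "bak folders found":
            section = "bak"
        elif line.startswith("Duplicate files of bak directory"):
            section = "dup"
        elif section == "bak":
            if m := DIR_RE.match(line):
                current_dir = m.group(1)
                bak_dirs.append(current_dir)
            elif (m := FILE_RE.match(line)) and current_dir:
                bak_files.append(BakFile(current_dir, m.group(2), int(m.group(1).replace(",", ""))))
        elif section == "dup" and (m := DUP_RE.match(line)):
            duplicates.append((int(m.group(1)), m.group(2), m.group(3)))
    return bak_dirs, bak_files, duplicates


def parent_path(path):
    # C:\X\bak\f.exe -> C:\X\f.exe; None when the file is not directly inside a bak folder
    parts = path.split("\\")
    if len(parts) >= 3 and parts[-2].lower() == "bak":
        return "\\".join(parts[:-2] + parts[-1:])
    return None


def locate_backup(bf, duplicates):
    """Long-name path of a bak file: the duplicate entry ending in ...\\bak\\<name> with its size."""
    for size, _, path in duplicates:
        if size == bf.size and path.split("\\")[-1].lower() == bf.name.lower() and parent_path(path):
            return path
    return None


def assess(text):
    """{parent path: (verdict, bak path)}. The duplicate list only holds files whose size and date
    equal a bak file's, so a parent absent from it has been replaced or removed (the AWF pattern)."""
    _, bak_files, duplicates = parse_report(text)
    listed = {p.lower() for _, _, p in duplicates}
    verdicts = {}
    for bf in bak_files:
        if bak_path := locate_backup(bf, duplicates):
            parent = parent_path(bak_path)
            verdict = "parent matches backup" if parent.lower() in listed else "parent differs or missing"
            verdicts[parent] = (verdict, bak_path)
    return verdicts


def restore_candidates(text):
    """Quoted bak paths, in the files.txt form pasted in this thread, for parents that differ."""
    return [f'"{bak}"' for verdict, bak in assess(text).values() if verdict != "parent matches backup"]


def empty_bak_dirs(text):
    """bak folders with nothing left in them (what the last report in this thread shows)."""
    bak_dirs, bak_files, _ = parse_report(text)
    return [d for d in bak_dirs if d not in {bf.bak_dir for bf in bak_files}]


if __name__ == "__main__":
    for parent, (verdict, _) in assess(SAMPLE_REPORT).items():
        print(f"{verdict:26} {parent}")
```

On the constructed excerpt the parent copies of MXOALDR.EXE and NeroCheck.exe are absent from the duplicate list and are flagged, while ctfmon.exe's parent copy still matches its backup; the same-size copy under ReinstallBackups is ignored because it is not inside a `bak` folder. The helper in this thread restored every backup regardless of the verdict, so treat "parent matches backup" as triage information, not as a reason to skip a file.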

#6 mmoore4

mmoore4
  • Topic Starter

  • Members
  • 33 posts

Posted 11 November 2007 - 07:27 PM

Here is the new report. I had trouble logging in the other day so this is a little late. Thanks


Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Sun 11/11/2007
The current time is: 17:41:41.78


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

04/07/2003 05:09 PM 118,784 MXOALDR.EXE
1 File(s) 118,784 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

07/31/2007 05:44 PM 271,672 iTunesHelper.exe
1 File(s) 271,672 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\NAVNT\BAK

09/24/2001 06:59 AM 73,728 vptray.exe
1 File(s) 73,728 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 05:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\SPYBOT~1\BAK

05/31/2005 01:04 AM 1,415,824 TeaTimer.exe
1 File(s) 1,415,824 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 01:56 AM 15,360 ctfmon.exe
07/09/2001 09:50 AM 155,648 NeroCheck.exe
2 File(s) 171,008 bytes

Directory of C:\PROGRA~1\AHEAD\NEROBA~1\BAK

10/11/2005 05:25 PM 1,961,984 nbj.exe
1 File(s) 1,961,984 bytes

Directory of C:\PROGRA~1\SCANSOFT\OMNIPA~1\BAK

06/03/2002 11:38 AM 49,152 opware32.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\TIVO\DESKTOP\BAK

06/20/2006 06:25 AM 341,504 TiVoNotify.exe
06/20/2006 06:27 AM 1,313,792 TiVoServer.exe
2 File(s) 1,655,296 bytes

Directory of C:\PROGRA~1\YAHOO!\SEARCH~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\TIVOSH~1\TRANSFER\BAK

06/20/2006 06:24 AM 1,174,528 TiVoTransfer.exe
1 File(s) 1,174,528 bytes

Directory of C:\PROGRA~1\MAXTOR\ONETOUCH\UTILS\BAK

05/21/2003 02:30 PM 45,056 OneTouch.exe
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\AHEAD\AHEAD\DATA\XTRAS\BAK

05/12/2004 02:04 PM 196,608 mssysmgr.exe
1 File(s) 196,608 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

12/11/2001 06:33 PM 196,608 hpztsb04.exe
1 File(s) 196,608 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

118784 Apr 7 2003 "C:\WINDOWS\MXOALDR.EXE"
118784 Apr 7 2003 "C:\WINDOWS\bak\MXOALDR.EXE"
118784 Apr 7 2003 "C:\Program Files\Maxtor\OneTouch\Drivers\USB\mxoaldr.exe"
118784 Apr 7 2003 "C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\MXOALDR.EXE"
271672 Jul 31 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
271672 Jul 31 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Oct 27 2007 "C:\WINDOWS\Installer\{E0219810-16E4-437D-9165-93D7B22524F9}\iTunesIco.exe"
116024 Jul 31 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.3.2.6\iTunesSetupAdmin.exe"
73728 Sep 24 2001 "C:\Program Files\Navnt\vptray.exe"
73728 Sep 24 2001 "C:\Program Files\Navnt\bak\vptray.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
1415824 May 31 2005 "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
1415824 May 31 2005 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
155648 Jul 9 2001 "C:\Documents and Settings\Aarati\Local Settings\Temp\RarSFX0\System\NeroCheck.exe"
155648 Jul 9 2001 "C:\Documents and Settings\Aarati\Local Settings\Temp\RarSFX1\System\NeroCheck.exe"
1961984 Oct 11 2005 "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
1961984 Oct 11 2005 "C:\Program Files\Ahead\Nero BackItUp\bak\nbj.exe"
1961984 Oct 11 2005 "C:\Documents and Settings\Aarati\Local Settings\Temp\RarSFX0\Nero BackItUp\NBJ.exe"
1961984 Oct 11 2005 "C:\Documents and Settings\Aarati\Local Settings\Temp\RarSFX1\Nero BackItUp\NBJ.exe"
49152 Jun 3 2002 "C:\Program Files\ScanSoft\OmniPageSE\opware32.exe"
49152 Jun 3 2002 "C:\Program Files\ScanSoft\OmniPageSE\bak\opware32.exe"
341504 Jun 20 2006 "C:\Program Files\TiVo\Desktop\TiVoNotify.exe"
341504 Jun 20 2006 "C:\Program Files\TiVo\Desktop\bak\TiVoNotify.exe"
1313792 Jun 20 2006 "C:\Program Files\TiVo\Desktop\TiVoServer.exe"
1313792 Jun 20 2006 "C:\Program Files\TiVo\Desktop\bak\TiVoServer.exe"
1174528 Jun 20 2006 "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe"
1174528 Jun 20 2006 "C:\Program Files\Common Files\TiVo Shared\Transfer\bak\TiVoTransfer.exe"
45056 May 21 2003 "C:\Program Files\Maxtor\OneTouch\Utils\OneTouch.exe"
45056 May 21 2003 "C:\Program Files\Maxtor\OneTouch\Utils\bak\OneTouch.exe"
196608 May 12 2004 "C:\Program Files\Ahead\Ahead\data\Xtras\mssysmgr.exe"
196608 May 12 2004 "C:\Program Files\Ahead\Ahead\data\Xtras\bak\mssysmgr.exe"
196608 Dec 11 2001 "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe"
196608 Dec 11 2001 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb04.exe"


end of report

#7 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 11 November 2007 - 10:15 PM

Hi mmoore4,

> I had trouble logging in the other day so this is a little late.

That is OK. Last night Bleeping Computers was down for about an hour for maintenance.


Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Reboot your computer <==== Important

*********************************

Please double-click the FindAWF icon once again
This time we are going to remove some folders.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\WINDOWS\bak
C:\Program Files\iTunes\bak
C:\Program Files\Navnt\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Spybot - Search & Destroy\bak
C:\WINDOWS\system32\bak
C:\Program Files\Ahead\Nero BackItUp\bak
C:\Program Files\ScanSoft\OmniPageSE\bak
C:\Program Files\TiVo\Desktop\bak
C:\Program Files\Common Files\TiVo Shared\Transfer\bak
C:\Program Files\Maxtor\OneTouch\Utils\bak
C:\Program Files\Ahead\Ahead\data\Xtras\bak
C:\WINDOWS\system32\spool\drivers\w32x86\3\bak


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply

Edited by SifuMike, 11 November 2007 - 10:17 PM.


#8 mmoore4

mmoore4
  • Topic Starter

  • Members
  • 33 posts

Posted 12 November 2007 - 12:12 AM

Thanks SifuMike.

Here is the latest:


Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Sun 11/11/2007
The current time is: 23:02:26.20


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SPYBOT~1\BAK

05/31/2005 01:04 AM 1,415,824 TeaTimer.exe
1 File(s) 1,415,824 bytes

Directory of C:\PROGRA~1\YAHOO!\SEARCH~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

1415824 May 31 2005 "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
1415824 May 31 2005 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"


end of report

#9 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 12 November 2007 - 12:45 AM

Hi mmoore4,

We will have to delete one folder manually.

Find and delete the following BAK folder.
C:\Program Files\Spybot - Search & Destroy\bak <=== folder

Then run FindAWF with Option 1 and post the log.

#10 mmoore4

mmoore4
  • Topic Starter

  • Members
  • 33 posts

Posted 13 November 2007 - 08:00 AM

Last One???



Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Tue 11/13/2007
The current time is: 0:25:29.10


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\YAHOO!\SEARCH~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#11 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 13 November 2007 - 02:22 PM

Hi mmoore4,

> Last One???

Almost. :thumbsup:

Double-click the FindAWF icon once again.
Use the following option: Press 4 then Enter to reset domain zones
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

We should have whataboutadog and zonebac on the ropes. :blink:

Then run ComboFix.

If you have used ComboFix before, please delete the version you have and download it again, because ComboFix is updated every day.

Disconnect from the Internet while running ComboFix.

Temporarily disable any anti-virus and anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.



1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".

If you have Norton Antivirus installed then disable script blocking so it will not interfere with the fix.

To disable Norton Script blocking Service:

* Disable the Script Blocking Service:
To open Services, click Start, point to Settings, and then click Control Panel.
Double-click Administrative Tools, and then double-click Services.
Find the ScriptBlocking service, right-click it, and then click Properties.
On the General tab, under Startup, click Disabled.
Under Service Status, click Stop button. Click Apply button.

* Disable the Script Blocking In Norton Settings:
Start Norton Antivirus.
Click Options. If a menu appears when you click Options, then click Norton Antivirus. The Norton Antivirus Options dialog box appears.
Click Script Blocking.
Uncheck Enable Script Blocking (recommended).
Click OK
You can reenable it afterwards when everything is clean again.

#12 mmoore4

mmoore4
  • Topic Starter

  • Members
  • 33 posts

Posted 17 November 2007 - 12:38 AM

Complicated stuff!

1. Combofix Log

ComboFix 07-11-08.1 - Michael 2007-11-16 7:25:18.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.210 [GMT -6:00]
Running from: C:\Documents and Settings\Michael\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 )))))))))))))))))))))))))))))))
.

2007-11-15 23:25 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-11 23:04 <DIR> d--h----- C:\WINDOWS\PIF
2007-11-11 17:41 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-11-11 17:41 118,784 --a------ C:\WINDOWS\MXOALDR.EXE
2007-11-10 21:38 <DIR> d-------- C:\Documents and Settings\Pa\Application Data\ScanSoft
2007-11-05 18:54 <DIR> d-------- C:\Program Files\Google
2007-10-23 23:16 94,480 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-23 23:15 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\HouseCall 6.6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-14 13:12 --------- d-----w C:\Program Files\Sony Handheld
2007-11-14 13:09 --------- d-----w C:\Program Files\Common Files\Skyscape
2007-11-12 05:02 --------- d-----w C:\Program Files\QuickTime
2007-11-12 05:02 --------- d-----w C:\Program Files\Navnt
2007-11-12 05:02 --------- d-----w C:\Program Files\iTunes
2007-11-12 00:42 --------- d-----w C:\Program Files\SpywareBlaster
2007-10-17 00:07 --------- d-----w C:\Documents and Settings\Aarati\Application Data\HP
2007-10-14 17:37 --------- d-----w C:\Documents and Settings\Aarati\Application Data\Image Zone Express
2007-10-08 01:25 --------- d-----w C:\Program Files\Yahoo!
2007-10-07 17:54 --------- d--h--r C:\Documents and Settings\Michael\Application Data\yahoo!
2007-10-07 17:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-10-07 17:53 87,608 ----a-w C:\Documents and Settings\Michael\Application Data\ezpinst.exe
2007-10-07 17:53 47,360 ----a-w C:\Documents and Settings\Michael\Application Data\pcouffin.sys
2007-10-07 17:53 --------- d-----w C:\Program Files\DVDFab Gold 3
2007-10-07 17:53 --------- d-----w C:\Documents and Settings\Michael\Application Data\Vso
2007-10-07 14:43 --------- d--h--r C:\Documents and Settings\Aarati\Application Data\yahoo!
2007-10-03 00:34 --------- d-----w C:\Program Files\MSN Messenger
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-19 11:39 94,552 ----a-w C:\Documents and Settings\Pa\Application Data\GDIPFONTCACHEV1.DAT
2007-08-08 22:00 94,552 ----a-w C:\Documents and Settings\Aarati\Application Data\GDIPFONTCACHEV1.DAT
2007-07-23 05:24 905 -c--a-w C:\Program Files\uninstal.log
2007-06-25 02:46 20 -c-h--w C:\Documents and Settings\All Users\Application Data\PKP_DLbz.DAT
2007-06-07 03:46 94,552 -c--a-w C:\Documents and Settings\Michael\Application Data\GDIPFONTCACHEV1.DAT
2007-06-07 03:24 20 -c-h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2007-06-07 03:24 20 -c-h--w C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
2006-12-24 13:55 87,608 -c--a-w C:\Documents and Settings\Aarati\Application Data\ezpinst.exe
2006-12-24 13:54 47,360 -c--a-w C:\Documents and Settings\Aarati\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 13:16]
"POINTER"="point32.exe" []
"nwiz"="nwiz.exe" [2003-10-06 13:16 C:\WINDOWS\system32\nwiz.exe]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-11 18:33]
"MXO Auto Loader"="C:\WINDOWS\MXOALDR.EXE" [2003-04-07 17:09]
"MaxtorOneTouch"="C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe" [2003-05-21 14:30]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 11:38]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 17:44]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"NBJ"="C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe" [2005-10-11 17:25]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\Ahead\data\xtras\mssysmgr.exe" [2004-05-12 14:04]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservicesonce]
"washindex"=C:\Program Files\Washer\washidx.exe "Michael"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
HotSync Manager.lnk - C:\Program Files\Sony Handheld\Hotsync.exe [2004-06-09 14:16:08]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2007-06-05 21:30:20]
NkvMon.exe.lnk - C:\Program Files\Nikon\NkView6\NkvMon.exe [2006-07-22 22:24:26]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Aarati^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=C:\Documents and Settings\Aarati\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=C:\WINDOWS\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Aarati^Start Menu^Programs^Startup^Skyscape smARTupdate.lnk]
path=C:\Documents and Settings\Aarati\Start Menu\Programs\Startup\Skyscape smARTupdate.lnk
backup=C:\WINDOWS\pss\Skyscape smARTupdate.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Michael^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=C:\Documents and Settings\Michael\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=C:\WINDOWS\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Omnipage]
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BthServ"=2 (0x2)

R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R2 BUFADPT;BUFADPT;\??\C:\WINDOWS\system32\BUFADPT.SYS
R2 TivoBeacon2;TiVo Beacon;"C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S3 cvspydr2;ColorVision Spyder 2;C:\WINDOWS\system32\DRIVERS\cvspydr2.sys
S3 dwusbdnt;dwusbdnt;C:\WINDOWS\system32\DRIVERS\dwusbdnt.sys

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-11-02 17:36:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-16 07:27:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-16 7:28:30
C:\ComboFix2.txt ... 2007-11-15 23:50
C:\ComboFix3.txt ... 2007-11-15 23:33
.
--- E O F ---



2. HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:06:20 AM, on 11/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\MXOALDR.EXE
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Ahead\Ahead\data\xtras\mssysmgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sony Handheld\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Michael\LOCALS~1\Temp\Rar$EX01.234\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.medscape.com/px/urlinfo
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Michael"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O16 - DPF: {D68DAEED-C2A6-4C6F-9365-4676B173D8EF} -
O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} (AMI DicomDir TreeView Control 2.1) - file://E:\CDVIEWER\CdViewer.cab
O17 - HKLM\System\CS4\Services\Tcpip\..\{27B519B1-9172-4676-BF66-6286E377E010}: NameServer = 129.105.49.1 165.124.49.21
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

--
End of file - 7177 bytes

#13 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:16 PM

Posted 17 November 2007 - 01:12 AM

Hi mmoore4,

We are almost done. :wacko: Just a few minor things to clean up.

C:\DOCUME~1\Michael\LOCALS~1\Temp\Rar$EX01.234\HijackThis.exe


You need to put HijackThis into its own folder, but not a temp folder. It won't save the backups if it is run from a temporary folder, and we will be deleting the temp folder.

Here is how to make a Hijackthis folder:

Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT". Now you have a C:\HJT\ folder.
Put your hijackthis.exe there.
Please post a new log.


Also, I see you ran ComboFix three times. :thumbsup: Why did you do that?
Running it more times is NOT better.
I need to see the first report ComboFix made, not the third one you posted.
That report does not show me what I want to see. :blink:

Please post this ComboFix report, C:\ComboFix3.txt, as it is the first run of ComboFix.

Edited by SifuMike, 17 November 2007 - 01:17 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#14 mmoore4

mmoore4
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:06:16 PM

Posted 19 November 2007 - 11:06 PM

Sorry about that. I did not follow the directions EXACTLY the first time I ran ComboFix. I ran it again after a careful re-reading of your instructions.

Here is the HJT log from the C: drive

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:23 PM, on 11/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\MXOALDR.EXE
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Ahead\Ahead\data\xtras\mssysmgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sony Handheld\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\Citrix\icaweb32\Wfcrun32.exe
C:\PROGRA~1\Citrix\icaweb32\WFICA32.EXE
C:\WINDOWS\system32\devldr32.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.medscape.com/px/urlinfo
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Michael"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1993962763-1645522239-1801674531-1005\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe (User 'Aarati')
O4 - HKUS\S-1-5-21-1993962763-1645522239-1801674531-1005\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe" (User 'Aarati')
O4 - HKUS\S-1-5-21-1993962763-1645522239-1801674531-1005\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer (User 'Aarati')
O4 - HKUS\S-1-5-21-1993962763-1645522239-1801674531-1005\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify (User 'Aarati')
O4 - HKUS\S-1-5-21-1993962763-1645522239-1801674531-1005\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry (User 'Aarati')
O4 - HKUS\S-1-5-21-1993962763-1645522239-1801674531-1005\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'Aarati')
O4 - HKUS\S-1-5-21-1993962763-1645522239-1801674531-1005\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Aarati')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O16 - DPF: {D68DAEED-C2A6-4C6F-9365-4676B173D8EF} -
O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} (AMI DicomDir TreeView Control 2.1) - file://E:\CDVIEWER\CdViewer.cab
O17 - HKLM\System\CS4\Services\Tcpip\..\{27B519B1-9172-4676-BF66-6286E377E010}: NameServer = 129.105.49.1 165.124.49.21
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

--
End of file - 8510 bytes

Here is the Combofix3 log:

ComboFix 07-11-08.1 - Michael 2007-11-15 23:27:37.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.121 [GMT -6:00]
Running from: C:\Documents and Settings\Michael\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1193182606.old
C:\Program Files\WinBudget\bin\crap.1193203585.old
C:\Program Files\WinBudget\bin\matrix.dat

.
((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 )))))))))))))))))))))))))))))))
.

2007-11-15 23:25 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-11 23:04 <DIR> d--h----- C:\WINDOWS\PIF
2007-11-11 17:41 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-11-11 17:41 118,784 --a------ C:\WINDOWS\MXOALDR.EXE
2007-11-10 21:38 <DIR> d-------- C:\Documents and Settings\Pa\Application Data\ScanSoft
2007-11-05 18:54 <DIR> d-------- C:\Program Files\Google
2007-10-23 23:16 94,480 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-23 23:15 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\HouseCall 6.6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-14 13:12 --------- d-----w C:\Program Files\Sony Handheld
2007-11-14 13:09 --------- d-----w C:\Program Files\Common Files\Skyscape
2007-11-12 05:02 --------- d-----w C:\Program Files\QuickTime
2007-11-12 05:02 --------- d-----w C:\Program Files\Navnt
2007-11-12 05:02 --------- d-----w C:\Program Files\iTunes
2007-11-12 00:42 --------- d-----w C:\Program Files\SpywareBlaster
2007-10-17 00:07 --------- d-----w C:\Documents and Settings\Aarati\Application Data\HP
2007-10-14 17:37 --------- d-----w C:\Documents and Settings\Aarati\Application Data\Image Zone Express
2007-10-08 01:25 --------- d-----w C:\Program Files\Yahoo!
2007-10-07 17:54 --------- d--h--r C:\Documents and Settings\Michael\Application Data\yahoo!
2007-10-07 17:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-10-07 17:53 87,608 ----a-w C:\Documents and Settings\Michael\Application Data\ezpinst.exe
2007-10-07 17:53 47,360 ----a-w C:\Documents and Settings\Michael\Application Data\pcouffin.sys
2007-10-07 17:53 --------- d-----w C:\Program Files\DVDFab Gold 3
2007-10-07 17:53 --------- d-----w C:\Documents and Settings\Michael\Application Data\Vso
2007-10-07 14:43 --------- d--h--r C:\Documents and Settings\Aarati\Application Data\yahoo!
2007-10-03 00:34 --------- d-----w C:\Program Files\MSN Messenger
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-19 11:39 94,552 ----a-w C:\Documents and Settings\Pa\Application Data\GDIPFONTCACHEV1.DAT
2007-08-08 22:00 94,552 ----a-w C:\Documents and Settings\Aarati\Application Data\GDIPFONTCACHEV1.DAT
2007-07-23 05:24 905 -c--a-w C:\Program Files\uninstal.log
2007-06-25 02:46 20 -c-h--w C:\Documents and Settings\All Users\Application Data\PKP_DLbz.DAT
2007-06-07 03:46 94,552 -c--a-w C:\Documents and Settings\Michael\Application Data\GDIPFONTCACHEV1.DAT
2007-06-07 03:24 20 -c-h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2007-06-07 03:24 20 -c-h--w C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
2006-12-24 13:55 87,608 -c--a-w C:\Documents and Settings\Aarati\Application Data\ezpinst.exe
2006-12-24 13:54 47,360 -c--a-w C:\Documents and Settings\Aarati\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 13:16]
"POINTER"="point32.exe" []
"nwiz"="nwiz.exe" [2003-10-06 13:16 C:\WINDOWS\system32\nwiz.exe]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-11 18:33]
"MXO Auto Loader"="C:\WINDOWS\MXOALDR.EXE" [2003-04-07 17:09]
"MaxtorOneTouch"="C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe" [2003-05-21 14:30]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 11:38]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 17:44]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"NBJ"="C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe" [2005-10-11 17:25]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\Ahead\data\xtras\mssysmgr.exe" [2004-05-12 14:04]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservicesonce]
"washindex"=C:\Program Files\Washer\washidx.exe "Michael"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
HotSync Manager.lnk - C:\Program Files\Sony Handheld\Hotsync.exe [2004-06-09 14:16:08]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2007-06-05 21:30:20]
NkvMon.exe.lnk - C:\Program Files\Nikon\NkView6\NkvMon.exe [2006-07-22 22:24:26]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Aarati^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=C:\Documents and Settings\Aarati\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=C:\WINDOWS\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Aarati^Start Menu^Programs^Startup^Skyscape smARTupdate.lnk]
path=C:\Documents and Settings\Aarati\Start Menu\Programs\Startup\Skyscape smARTupdate.lnk
backup=C:\WINDOWS\pss\Skyscape smARTupdate.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Michael^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=C:\Documents and Settings\Michael\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=C:\WINDOWS\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Omnipage]
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BthServ"=2 (0x2)

R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R2 BUFADPT;BUFADPT;\??\C:\WINDOWS\system32\BUFADPT.SYS
R2 TivoBeacon2;TiVo Beacon;"C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S3 cvspydr2;ColorVision Spyder 2;C:\WINDOWS\system32\DRIVERS\cvspydr2.sys
S3 dwusbdnt;dwusbdnt;C:\WINDOWS\system32\DRIVERS\dwusbdnt.sys

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-11-02 17:36:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 23:31:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-15 23:33:24
.
--- E O F ---

#15 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:16 PM

Posted 19 November 2007 - 11:42 PM

Hi mmoore4,

Looks like we have all the malware off :thumbsup:, now we do some cleanup.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 3.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 3".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.
*******************************************

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

*******************************************
I see you are running Teatimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer during HijackThis Cleanup
When everything is done and your log is clean again, you can enable it again.


Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O16 - DPF: {D68DAEED-C2A6-4C6F-9365-4676B173D8EF} -


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Autocomplete Form History.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
• Clean any others that you choose.

In the Applications Tab:
• Clean all including cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop-up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Finally, reboot your computer, post a new HijackThis log, and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
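A small triage script over HijackThis O2/O16 log lines, added here as an example and not part of this thread, of HijackThis or of any other tool mentioned in it: it flags the same conditions the reply above asks mmoore4 to fix (a BHO registered with "(no file)", a DPF ActiveX entry with no download URL, and a Java plug-in older than the JRE 6 Update 3 the reply recommends). The two lines that are not from the thread are constructed samples with made-up CLSIDs and a placeholder URL.

```python
import re

# Lowest Java plug-in version treated as current here: JRE 6 Update 3 (1.6.0_03),
# the version the reply above tells the poster to install.
CURRENT_JAVA = (1, 6, 0, 3)

# Constructed sample: lines 1, 3 and 4 are from the thread; lines 2 and 5 are made up
# (fake CLSIDs, placeholder path and URL) so the script also shows what is NOT flagged.
SAMPLE_HJT_LINES = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O16 - DPF: {66666666-7777-8888-9999-AAAAAAAAAAAA} (Java Plug-in 1.6.0_03) - http://example.invalid/jinstall.cab
""".strip().splitlines()

# O2 - BHO: <name> - {CLSID} - <dll path or "(no file)">
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# O16 - DPF: {CLSID} [(<name>)] - [<download url>]
DPF_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? -\s*(?P<url>.*)$")
JAVA_RE = re.compile(r"Java Plug-in (\d+)\.(\d+)\.(\d+)_(\d+)")


def java_version(name):
    """Parse 'Java Plug-in 1.5.0_04' into (1, 5, 0, 4); None if not a Java plug-in."""
    m = JAVA_RE.search(name or "")
    return tuple(int(x) for x in m.groups()) if m else None


def triage_line(line):
    """Return (clsid, reason) when an O2/O16 line matches a flag rule, else None."""
    m = BHO_RE.match(line)
    if m:
        if m.group("path").strip() == "(no file)":
            return (m.group("clsid"), "orphaned BHO: CLSID registered but its DLL is missing")
        return None
    m = DPF_RE.match(line)
    if m:
        ver = java_version(m.group("name"))
        if ver is not None and ver < CURRENT_JAVA:
            return (m.group("clsid"), "outdated %s" % m.group("name"))
        if not m.group("url"):
            return (m.group("clsid"), "DPF ActiveX entry with no download URL")
    return None


def triage(lines):
    """Run every line through triage_line and keep only the flagged ones."""
    return [r for r in (triage_line(l) for l in lines) if r]
```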



