Infected: Smitfraud, Virtumonde & Others


This topic is locked
20 replies to this topic

#1 Viridescence

Posted 30 October 2007 - 11:39 PM

Have been trying to get rid of these viruses/spyware for several days now with limited luck. Not sure what else I have besides those two, but my desktop is hijacked with a fake antivirus warning, I cannot access the Task Manager, and I am getting IE popups with fake antivirus ads and fake Windows Security Center popups.

I used Spybot Search & Destroy but after fixing, I couldn't get the Real-time TeaTimer to stay off (even going into Advanced Mode) and am not versed enough to know what to deny when it pops up -- for all I knew, I was denying the deletion of spyware, etc. So I uninstalled it after fixing but the problems are still there. So frustrated I was thinking of reformatting and then I found this forum -- hope someone takes pity on me and can help! Thank you in advance and please excuse my illiteracy in this arena. I'm trying to learn now...

----------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:38:22 AM, on 10/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\APVXDWIN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
c:\program files\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\AvltMain.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\WebProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\AvTask.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\avciman.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\psimreal.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.gmail.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BellSouthReportingAgent] "C:\Program Files\Common Files\Motive\McciBootStrapper.exe" /url="-url=file://C:\Program Files\Common Files\Motive\ReportAgent.html" /browsertype=CustomMSIE /browserpath="C:\Program Files\Common Files\Motive\MotiveBrowser.exe" /hidden
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{50-0D-DA-A5-ZN}] C:\DOCUME~1\Shanna\LOCALS~1\Temp\T0CHD001.exe CHD001
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/do...oad/tgctlsr.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned40.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4047/ftp...23/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8850 bytes


#2 rookie147

Posted 31 October 2007 - 07:20 AM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Since you have mentioned your "illiteracy in this arena," I have tried to make these instructions as simple to follow as possible, but if at any point you do not understand or would like further clarification, please do not hesitate to ask.

Using My Computer, navigate to where you have HijackThis saved.
Right-click on the HijackThis.exe file.
Select "Rename", call it fluffybunny and press Enter.
Use fluffybunny.exe from now on.

I would like you to run a new scan with the renamed file, posting the log in your next reply.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 Viridescence

Posted 31 October 2007 - 05:30 PM

Thank you for your assistance, Charles. Maybe I should clarify: I'm generally pretty computer literate, but not so much in the area of dealing with viruses, spyware and related issues. So I appreciate your help.

I followed your instructions. When I went to run HijackThis, I got an error message stating that it could not access my hosts file and I would need to edit it manually by removing the HijackThis reports and saving the file as "hosts." then rebooting. Did Panda keep HJT from accessing them? I continued with the scan and posted the results here; I'll await your guidance as to whether I need to edit the hosts file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:25:53 PM, on 10/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft SQL Server\MSSQL$AEGDB\Binn\sqlservr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\APVXDWIN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
c:\program files\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\WebProxy.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Trend Micro\HijackThis\fluffybunny.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.gmail.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {007814E7-7902-45DE-B8E2-A4B05B721FB8} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {3AD84E93-B094-4F1C-A6C6-6AA4C120AE51} - (no file)
O2 - BHO: (no name) - {4FAA40D8-E9A1-4AC7-8B44-ABB888A878AA} - (no file)
O2 - BHO: (no name) - {5659BCCC-DA99-4B5B-B847-AF5A8F0935CB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\JoiExpress\prpl_IePopupBlocker.dll (file missing)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {75EFBA42-B075-496D-99D4-AFDA7149E6C7} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {80C0145E-74AE-46D2-8BE3-22E866BD7B8A} - C:\Program Files\Outlook Express\hokemozylC:\DOCUME~1\Shanna\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O2 - BHO: (no name) - {86882CA4-BE70-4BCE-AEA5-CF40EB8E0BC3} - (no file)
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\jitjgbri.dll
O2 - BHO: (no name) - {8C19EE93-8302-4DAD-BA2F-7702396C1329} - (no file)
O2 - BHO: (no name) - {90014B7F-69F8-4380-89EB-F51D4873EA6E} - C:\WINDOWS\system32\pmnlm.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {9C8486F0-2AD5-4112-82B7-EE34A68C1FA9} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {D2182D5B-4EBD-434C-9B7B-6002BA1415C4} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BellSouthReportingAgent] "C:\Program Files\Common Files\Motive\McciBootStrapper.exe" /url="-url=file://C:\Program Files\Common Files\Motive\ReportAgent.html" /browsertype=CustomMSIE /browserpath="C:\Program Files\Common Files\Motive\MotiveBrowser.exe" /hidden
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{50-0D-DA-A5-ZN}] C:\DOCUME~1\Shanna\LOCALS~1\Temp\T0CHD001.exe CHD001
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/do...oad/tgctlsr.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned40.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4047/ftp...23/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O20 - Winlogon Notify: efcyaxw - C:\WINDOWS\
O20 - Winlogon Notify: jigqfpug - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11252 bytes
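A small triage helper for logs in the HijackThis format shown above, added here as an example and not part of this thread or of HijackThis itself. It parses the section code at the start of each line and flags the entry types a reviewer of these logs looks at first: an extra executable in the F2 UserInit value, an unnamed O2 BHO backed by a DLL, O4 Run entries launching from a Temp directory or through rundll32, a populated O20 AppInit_DLLs, and an O20 Winlogon Notify entry with no resolvable file. The sample lines are constructed from the logs posted above; the rules are heuristics written for this page, not HijackThis's own analysis.

```python
"""Triage of HijackThis-style log lines (added example, not HijackThis code).
The rules are heuristics modelled on the entries in this thread."""
import re
from dataclasses import dataclass

# Constructed sample: a few lines modelled on the logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\jitjgbri.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [{50-0D-DA-A5-ZN}] C:\DOCUME~1\Shanna\LOCALS~1\Temp\T0CHD001.exe CHD001
O4 - HKLM\..\Run: [b8950d0a] rundll32.exe "C:\WINDOWS\system32\lhjefoul.dll",b
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: efcyaxw - C:\WINDOWS\
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# "O4 - ..." -> section code "O4", rest of the line as the body.
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# A Windows path ending in .exe/.dll; non-greedy so "a.exe,b.exe" yields two matches.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)\b', re.IGNORECASE)
# The only executable that belongs in UserInit on a default XP install.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


@dataclass(frozen=True)
class Finding:
    code: str    # HijackThis section code, e.g. "F2", "O4"
    reason: str  # why a reviewer would want to look at this entry
    line: str    # the offending log line, unchanged


def check_line(line: str):
    """Return a Finding for a suspicious line, or None for a benign one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    paths = [p.lower() for p in PATH_RE.findall(body)]

    if code == "F2" and "userinit=" in body.lower():
        # Anything chained before/after userinit.exe runs at every logon.
        extra = [p for p in paths if p != EXPECTED_USERINIT]
        if extra:
            return Finding(code, f"extra executable chained into UserInit: {extra[0]}", line)

    elif code == "O2" and body.startswith("BHO: (no name)") and paths:
        # Legitimate BHOs almost always carry a name; "(no file)" leftovers are skipped.
        return Finding(code, f"unnamed BHO backed by a DLL: {paths[0]}", line)

    elif code == "O4":
        if any("\\temp\\" in p for p in paths):
            return Finding(code, "Run entry launches from a Temp directory", line)
        if "rundll32.exe" in body.lower() and any(p.endswith(".dll") for p in paths):
            return Finding(code, f"Run entry loads a DLL via rundll32: {paths[0]}", line)

    elif code == "O20":
        if body.startswith("AppInit_DLLs:") and paths:
            return Finding(code, f"AppInit_DLLs injects {paths[0]} into every GUI process", line)
        if body.startswith("Winlogon Notify:") and body.rstrip().endswith("\\"):
            return Finding(code, "Winlogon Notify entry with no resolvable DLL", line)
    return None


def triage(log_text: str):
    """Run check_line over a whole log, preserving log order."""
    return [f for f in (check_line(ln) for ln in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```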

#4 rookie147

Posted 01 November 2007 - 04:14 PM

Hello again,
There are many things that could be causing the hosts file problem; it could be Panda, as you mentioned, or perhaps Ad-Aware. We'll see if the problem is solved by getting rid of the malware, and if not we'll set about tackling it.

Please download VundoFix to your Desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove.
VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Please include VundoFix.txt and a new HijackThis log in your next reply.
Thanks,
Charles



#5 Viridescence

Posted 02 November 2007 - 06:08 PM

Thank you, Charles.

Here is VundoFix.txt:

VundoFix V6.5.11

Checking Java version...

Scan started at 6:31:54 PM 11/2/2007

Listing files found while scanning....

C:\WINDOWS\system32\jitjgbri.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jitjgbri.dll
C:\WINDOWS\system32\jitjgbri.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.11

Checking Java version...

Scan started at 6:55:40 PM 11/2/2007

Listing files found while scanning....

No infected files were found.

----------------------------------------

Same hosts file issue with HijackThis. Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:08:17 PM, on 11/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\APVXDWIN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft SQL Server\MSSQL$AEGDB\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
c:\program files\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\WebProxy.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\fluffybunny.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\psimreal.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\avciman.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.gmail.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {007814E7-7902-45DE-B8E2-A4B05B721FB8} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {36409FBC-D23B-41EF-9CE2-022552D1CFC7} - C:\WINDOWS\system32\pmnlm.dll
O2 - BHO: (no name) - {3AD84E93-B094-4F1C-A6C6-6AA4C120AE51} - (no file)
O2 - BHO: (no name) - {4FAA40D8-E9A1-4AC7-8B44-ABB888A878AA} - (no file)
O2 - BHO: (no name) - {5659BCCC-DA99-4B5B-B847-AF5A8F0935CB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\JoiExpress\prpl_IePopupBlocker.dll (file missing)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {75EFBA42-B075-496D-99D4-AFDA7149E6C7} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {e6bcb066-271e-da28-8e24-5037d902e608} - {806e209d-7305-42e8-82ad-e172660bcb6e} - C:\WINDOWS\system32\ceyebpeu.dll
O2 - BHO: (no name) - {80C0145E-74AE-46D2-8BE3-22E866BD7B8A} - C:\Program Files\Outlook Express\hokemozylC:\DOCUME~1\Shanna\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O2 - BHO: (no name) - {8C19EE93-8302-4DAD-BA2F-7702396C1329} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {9C8486F0-2AD5-4112-82B7-EE34A68C1FA9} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {D2182D5B-4EBD-434C-9B7B-6002BA1415C4} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BellSouthReportingAgent] "C:\Program Files\Common Files\Motive\McciBootStrapper.exe" /url="-url=file://C:\Program Files\Common Files\Motive\ReportAgent.html" /browsertype=CustomMSIE /browserpath="C:\Program Files\Common Files\Motive\MotiveBrowser.exe" /hidden
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{50-0D-DA-A5-ZN}] C:\DOCUME~1\Shanna\LOCALS~1\Temp\T0CHD001.exe CHD001
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [b8950d0a] rundll32.exe "C:\WINDOWS\system32\lhjefoul.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/do...oad/tgctlsr.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned40.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4047/ftp...23/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O20 - Winlogon Notify: efcyaxw - C:\WINDOWS\
O20 - Winlogon Notify: jigqfpug - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11408 bytes

#6 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:03:15 AM

Posted 03 November 2007 - 02:57 PM

Hello again Viridescence,
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {007814E7-7902-45DE-B8E2-A4B05B721FB8} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {36409FBC-D23B-41EF-9CE2-022552D1CFC7} - C:\WINDOWS\system32\pmnlm.dll
O2 - BHO: (no name) - {3AD84E93-B094-4F1C-A6C6-6AA4C120AE51} - (no file)
O2 - BHO: (no name) - {4FAA40D8-E9A1-4AC7-8B44-ABB888A878AA} - (no file)
O2 - BHO: (no name) - {5659BCCC-DA99-4B5B-B847-AF5A8F0935CB} - (no file)
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\JoiExpress\prpl_IePopupBlocker.dll (file missing)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {75EFBA42-B075-496D-99D4-AFDA7149E6C7} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {e6bcb066-271e-da28-8e24-5037d902e608} - {806e209d-7305-42e8-82ad-e172660bcb6e} - C:\WINDOWS\system32\ceyebpeu.dll
O2 - BHO: (no name) - {80C0145E-74AE-46D2-8BE3-22E866BD7B8A} - C:\Program Files\Outlook Express\hokemozylC:\DOCUME~1\Shanna\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O2 - BHO: (no name) - {8C19EE93-8302-4DAD-BA2F-7702396C1329} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {9C8486F0-2AD5-4112-82B7-EE34A68C1FA9} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {D2182D5B-4EBD-434C-9B7B-6002BA1415C4} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O4 - HKLM\..\Run: [{50-0D-DA-A5-ZN}] C:\DOCUME~1\Shanna\LOCALS~1\Temp\T0CHD001.exe CHD001
O4 - HKLM\..\Run: [b8950d0a] rundll32.exe "C:\WINDOWS\system32\lhjefoul.dll",b
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: efcyaxw - C:\WINDOWS\
O20 - Winlogon Notify: jigqfpug - C:\WINDOWS\


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix checked button.

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Set your system to show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Next, please find and delete the following files (if present):

C:\WINDOWS\system32\vvgeowbv.exe
C:\WINDOWS\system32\lhjefoul.dll
C:\WINDOWS\system32\ldcore.dll

Reboot into Normal Mode again.

Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt. Post that in your next reply.

In your next post I'd like to see the Combofix log along with a brand new HijackThis log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.
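The entries Charles picked out above are the classic Vundo/Smitfraud loading points: an extra executable chained in front of UserInit, unnamed BHOs backed by random-named DLLs in system32, Run entries launching from Temp or through rundll32, an AppInit_DLLs value, and Winlogon Notify packages with gibberish names. The script below is an added example (not from this thread, not part of HijackThis or ComboFix) that applies those same checks to HijackThis log lines; the Winlogon Notify allowlist and the severity labels are this example's own assumptions, and the sample lines are copied from the logs posted in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Winlogon Notify packages normal on Windows XP SP2, plus SUPERAntiSpyware's
# !SASWinLogon, which is installed on the machine in this thread.
# This allowlist is an assumption for the example, not a HijackThis feature.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui", "!saswinlogon",
}

GUID = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
HJT_LINE = re.compile(r"^(?P<sec>F\d|O\d+|R\d) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HijackThis line, or None if it looks benign."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    low = body.lower()

    if sec == "F2" and "userinit=" in low:
        # On XP the value should be the single system32\userinit.exe entry;
        # anything chained in front of it runs at every interactive logon.
        value = re.search(r"userinit=(.*)", body, re.I).group(1)
        extras = [p.strip() for p in value.split(",")
                  if p.strip() and not p.strip().lower().endswith("\\system32\\userinit.exe")]
        if extras:
            return Finding(sec, "high", f"UserInit chain contains {extras}", line)

    if sec == "O2" and body.startswith("BHO: "):
        name, _clsid, path = (body[5:].split(" - ", 2) + ["", ""])[:3]
        if "(no file)" in path.lower() or "(file missing)" in path.lower():
            return Finding(sec, "low", "orphaned BHO registration, file absent", line)
        if name == "(no name)" or GUID.match(name):
            # Vundo-style BHOs register under no name or a GUID and point at
            # a randomly named DLL directly under system32.
            return Finding(sec, "medium", f"unnamed BHO backed by live DLL {path}", line)

    if sec == "O4":
        if "\\temp\\" in low:
            return Finding(sec, "high", "autorun launches an executable from a Temp directory", line)
        if "rundll32" in low:
            # A Run value named with 8 random hex digits is a Vundo hallmark;
            # other rundll32 entries (NvCpl, bthprops) are common and legitimate.
            name_m = re.search(r"\[([^\]]*)\]", body)
            if name_m and re.fullmatch(r"[0-9a-f]{8}", name_m.group(1)):
                return Finding(sec, "high", "rundll32 autorun with random hex value name", line)
            return Finding(sec, "medium", "rundll32 autorun, verify the DLL it loads", line)

    if sec == "O20":
        if low.startswith("appinit_dlls:"):
            value = body.split(":", 1)[1].strip()
            if value:
                return Finding(sec, "high",
                               f"AppInit_DLLs loads {value} into every process using user32", line)
        elif low.startswith("winlogon notify:"):
            name = body.split(":", 1)[1].split(" - ", 1)[0].strip()
            if name.lower() not in KNOWN_NOTIFY:
                return Finding(sec, "medium", f"unknown Winlogon Notify package '{name}'", line)

    return None


def triage(log_text: str) -> List[Finding]:
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


def summarize(findings: List[Finding]) -> dict:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Sample lines copied from the HijackThis logs posted in this thread, with a
# few benign entries left in to show that they are not flagged.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {36409FBC-D23B-41EF-9CE2-022552D1CFC7} - C:\WINDOWS\system32\pmnlm.dll
O2 - BHO: (no name) - {8C19EE93-8302-4DAD-BA2F-7702396C1329} - (no file)
O2 - BHO: {e6bcb066-271e-da28-8e24-5037d902e608} - {806e209d-7305-42e8-82ad-e172660bcb6e} - C:\WINDOWS\system32\ceyebpeu.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [{50-0D-DA-A5-ZN}] C:\DOCUME~1\Shanna\LOCALS~1\Temp\T0CHD001.exe CHD001
O4 - HKLM\..\Run: [b8950d0a] rundll32.exe "C:\WINDOWS\system32\lhjefoul.dll",b
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O20 - Winlogon Notify: efcyaxw - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

On the sample above it reports eight findings (four high, three medium, one low) and leaves the igfxtray, DriveLetterAccess, !SASWinLogon and Ad-Aware lines alone.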


#7 Viridescence

Viridescence
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:15 PM

Posted 03 November 2007 - 06:01 PM

All directions followed. A few notes before I post the Combofix and HijackThis logs.


When I ran Combofix, I got the following:
swreg.exe Application Error
The instruction at "0x7c911e58" referenced memory at "0x006b0068". This memory could not be "read".

I clicked OK and the scan continued.

Also, I am still getting that hosts file issue with HijackThis.

Thanks!


Combofix log:

ComboFix 07-11-01.1 - Shanna 2007-11-03 17:24:03.1 - NTFSx86
Running from: C:\Documents and Settings\Shanna\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin2.zip
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\aconti.exe
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\.exe
C:\WINDOWS\SYSTEM32\abvjexou.ini
C:\WINDOWS\SYSTEM32\bjwklugo.ini
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\edvgervh.dll
C:\WINDOWS\SYSTEM32\hvregvde.ini
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\SYSTEM32\mlnmp.bak1
C:\WINDOWS\SYSTEM32\mlnmp.bak2
C:\WINDOWS\SYSTEM32\mlnmp.ini
C:\WINDOWS\system32\nqrpeuuo.dll
C:\WINDOWS\system32\ogulkwjb.dll
C:\WINDOWS\system32\oTt08e
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pmnlm.dll
C:\WINDOWS\SYSTEM32\pqstv.bak1
C:\WINDOWS\SYSTEM32\pqstv.ini
C:\WINDOWS\SYSTEM32\pqstv.ini2
C:\WINDOWS\SYSTEM32\pqstv.tmp
C:\WINDOWS\system32\rhmjqmxy.dll
C:\WINDOWS\system32\uoxejvba.dll
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\vxlnvtsy.dll
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\SYSTEM32\yxmqjmhr.ini
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-03 to 2007-11-03 )))))))))))))))))))))))))))))))
.

2007-11-03 17:18 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-03 16:49 81,472 --a------ C:\WINDOWS\SYSTEM32\rflepksy.dll
2007-11-03 16:46 87,616 --a------ C:\WINDOWS\SYSTEM32\uvhmqoav.dll
2007-11-02 18:49 82,496 --a------ C:\WINDOWS\SYSTEM32\ceyebpeu.dll
2007-11-02 18:44 24,576 --a------ C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
2007-11-02 18:31 <DIR> d-------- C:\VundoFix Backups
2007-10-31 00:17 13,880 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\COMFiltr.sys
2007-10-31 00:15 15,616 --a------ C:\WINDOWS\SYSTEM32\ace16win.dll
2007-10-31 00:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\sentinel
2007-10-31 00:09 225,404 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\APPFCONT.DAT
2007-10-31 00:09 83,640 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavdrv51.sys
2007-10-31 00:09 51,256 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\dsaflt.sys
2007-10-31 00:09 37,304 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\smsflt.sys
2007-10-31 00:09 30,648 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wnmflt.sys
2007-10-31 00:09 281 --a------ C:\WINDOWS\SYSTEM32\PavCPL.dat
2007-10-31 00:08 191,672 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\idsflt.sys
2007-10-31 00:07 <DIR> d-------- C:\WINDOWS\SYSTEM32\PAV
2007-10-31 00:07 132,920 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\NETFLTDI.SYS
2007-10-31 00:07 71,736 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\APPFLT.SYS
2007-10-31 00:07 22,072 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\fnetmon.sys
2007-10-31 00:06 <DIR> d-------- C:\Program Files\Panda Security
2007-10-31 00:06 292,144 --a------ C:\WINDOWS\SYSTEM32\PavSHook.dll
2007-10-31 00:06 161,328 --a------ C:\WINDOWS\SYSTEM32\TpUtil.dll
2007-10-31 00:06 142,128 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\netimflt.sys
2007-10-31 00:06 101,888 --a------ C:\WINDOWS\SYSTEM32\SYSTOOLS.DLL
2007-10-31 00:06 63,024 --a------ C:\WINDOWS\SYSTEM32\pavipc.dll
2007-10-31 00:06 50,736 --a------ C:\WINDOWS\SYSTEM32\avldr.dll
2007-10-31 00:06 24,760 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\cpoint.sys
2007-10-30 22:44 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2007-10-30 22:19 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-10-30 21:28 <DIR> d-------- C:\Documents and Settings\Shanna\Application Data\Uniblue
2007-10-30 21:27 <DIR> d-------- C:\Program Files\Uniblue
2007-10-30 19:50 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-10-28 03:28 <DIR> d-------- C:\Documents and Settings\Shanna\.housecall6.6
2007-10-28 03:22 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-10-28 03:15 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-10-28 01:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-28 00:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-27 23:57 <DIR> d-------- C:\Documents and Settings\Shanna\Application Data\SUPERAntiSpyware.com
2007-10-27 21:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-27 21:01 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-27 21:01 <DIR> d-------- C:\Documents and Settings\Jonathan\Application Data\SUPERAntiSpyware.com
2007-10-27 21:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-27 20:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-27 18:45 4 --a------ C:\WINDOWS\SYSTEM32\stfv.bin
2007-10-27 18:42 <DIR> d-------- C:\WINDOWS\SYSTEM32\acespy
2007-10-27 18:21 12 --a------ C:\WINDOWS\SYSTEM32\dpqaqlqx.bin
2007-10-27 18:20 41 --a------ C:\WINDOWS\plite731_uninstaller_.bat
2007-10-27 18:19 294,668 --a------ C:\WINDOWS\frexup3_exe.vir
2007-10-27 18:13 179 --a------ C:\WINDOWS\tsitra77.exe
2007-10-20 19:05 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-10-09 17:10 582,656 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-03 22:45 225,404 ----a-w C:\WINDOWS\system32\drivers\APPFCONT.DAT.bck
2007-11-03 22:45 1,204 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG.bck
2007-11-03 22:45 1,204 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG
2007-11-03 19:07 --------- d-----w C:\Program Files\OpenOffice.org1.1.3
2007-10-31 03:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-30 23:16 --------- d-----w C:\Program Files\Google
2007-10-28 05:06 --------- d-----w C:\Program Files\Lavasoft
2007-10-28 05:04 --------- d-----w C:\Program Files\Java
2007-10-26 00:25 --------- d-----w C:\Program Files\Semagic
2007-10-20 23:04 --------- d-----w C:\Program Files\Real
2007-10-20 23:04 --------- d-----w C:\Program Files\Common Files\Real
2007-09-29 03:50 --------- d-----w C:\Documents and Settings\Shanna\Application Data\Move Networks
2007-09-28 16:13 --------- d-----w C:\Documents and Settings\Shanna\Application Data\acccore
2007-09-28 16:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-09-28 16:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-09-28 16:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-09-28 16:09 --------- d-----w C:\Program Files\Common Files\AOL
2007-09-28 16:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-09-26 19:35 --------- d-----w C:\Program Files\iTunes
2007-09-26 19:35 --------- d-----w C:\Program Files\iPod
2007-09-17 01:29 --------- d-----w C:\Program Files\MSN Apps
2007-09-17 01:25 --------- d-----w C:\Program Files\Dell
2007-09-17 01:04 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-09 01:45 --------- d-----w C:\Program Files\Apple Software Update
2007-09-06 17:28 30,336 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2005-12-19 18:28 5,604,970 ----a-w C:\Documents and Settings\Shanna\HCUpgrade3.1.exe
2004-08-28 21:34 5,082,708 ----a-w C:\Program Files\FirefoxSetup-0.9.3.exe
2004-08-28 21:20 563,560 ----a-w C:\Program Files\flashplayer7_winax.exe
2004-05-17 00:05 6,500,352 ----a-w C:\Program Files\FirefoxSetup-0.8.exe
2004-05-14 00:18 2,150,574 ----a-w C:\Program Files\aaw6181.exe
2004-05-07 19:28 584,610 ----a-w C:\Program Files\avw5c.exe
2004-04-07 17:11 467,985 ----a-w C:\Program Files\Semagic1410for2k.exe
2004-03-18 23:04 4,955,560 ----a-w C:\Program Files\SetupDl.EXE
2003-12-02 20:33 73,728 ----a-w C:\Program Files\SFTPSetup.exe
2003-12-02 05:22 494,510 ----a-w C:\Program Files\Semagic1387for2k.exe
1996-06-30 23:49 51 ----a-w C:\Program Files\SETUP.LST
1996-06-30 23:47 105,537 ----a-w C:\Program Files\AVPLAY.EX_
1996-06-22 22:36 13,497 ----a-w C:\Program Files\SETUP1.EX_
1996-06-22 22:22 24,586 ----a-w C:\Program Files\AVPLAY.HL_
1993-11-01 07:11 9,696 ----a-w C:\Program Files\VER.DL_
1993-11-01 07:11 54,547 ----a-w C:\Program Files\COMMDLG.DL_
1993-11-01 07:11 23,670 ----a-w C:\Program Files\DDEML.DL_
1993-08-23 16:32 19,056 ----a-w C:\Program Files\SETUP.EXE
1993-07-17 04:00 33,489 ----a-w C:\Program Files\THREED.VB_
1993-05-12 04:00 276,684 ----a-w C:\Program Files\VBRUN300.DL_
1993-04-28 04:00 10,865 ----a-w C:\Program Files\CMDIALOG.VB_
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22ee5d46-fcc3-4ea0-a890-7a81915be4cf}]
2007-11-03 16:49 81472 --a------ C:\WINDOWS\system32\rflepksy.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tgcmd"="C:\Program Files\Support.com\BellSouth\hcenter.exe" [2004-07-25 15:45]
"Y3yac2S"="" []
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36]
"BellSouthReportingAgent"="C:\Program Files\Common Files\Motive\McciBootStrapper.exe" [2004-06-25 14:14]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 10:00]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-20 19:04]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"APVXDWIN"="C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\APVXDWIN.exe" [2007-07-19 15:23]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"Aim6"="" []
"ISMPack6"="C:\Program Files\ISM2\ISMPack6.exe" []

C:\Documents and Settings\Jonathan\Start Menu\Programs\Startup\
OpenOffice.org 1.1.3.lnk - C:\Program Files\OpenOffice.org1.1.3\program\quickstart.exe [2004-09-10 02:10:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 02:22:40]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\vvgeowbv.exe,C:\\WINDOWS\\system32\\userinit.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 20:02 50736 C:\WINDOWS\SYSTEM32\avldr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnlm.dll

R1 APPFLT;App Filter Plugin;\??\C:\WINDOWS\system32\Drivers\APPFLT.SYS
R1 DSAFLT;DSA Filter Plugin;\??\C:\WINDOWS\system32\Drivers\DSAFLT.SYS
R1 FNETMON;NetMon Filter Plugin;\??\C:\WINDOWS\system32\Drivers\fnetmon.SYS
R1 IDSFLT;Ids Filter Plugin;\??\C:\WINDOWS\system32\Drivers\IDSFLT.SYS
R1 NETFLTDI;Panda Net Driver [TDI Layer];\??\C:\WINDOWS\system32\Drivers\NETFLTDI.SYS
R1 SMSFLT;SMS Filter Plugin;\??\C:\WINDOWS\system32\Drivers\SMSFLT.SYS
R1 WNMFLT;Wifi Monitor Filter Plugin;\??\C:\WINDOWS\system32\Drivers\WNMFLT.SYS
R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\Drivers\cpoint.sys
R2 MSSQL$AEGDB;MSSQL$AEGDB;C:\Program Files\Microsoft SQL Server\MSSQL$AEGDB\Binn\sqlservr.exe -sAEGDB
R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys
R3 ComFiltr;Panda Anti-Dialer;\??\C:\WINDOWS\system32\DRIVERS\COMFiltr.sys
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys
R3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\system32\DRIVERS\KMW_SYS.sys
R3 NETIMFLT;PANDA NDIS IM Filter Miniport;C:\WINDOWS\system32\DRIVERS\netimflt.sys
R3 PavSRK.sys;PavSRK.sys;\??\C:\WINDOWS\system32\PavSRK.sys
R3 PavTPK.sys;PavTPK.sys;\??\C:\WINDOWS\system32\PavTPK.sys
S1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys
S2 PavProc;Panda Process Protection Driver;\??\C:\WINDOWS\system32\DRIVERS\PavProc.sys
S3 cel90xbe;cel90xbe;\??\C:\DOCUME~1\Jonathan\LOCALS~1\Temp\cel90xbe.sys
S3 SQLAgent$AEGDB;SQLAgent$AEGDB;C:\Program Files\Microsoft SQL Server\MSSQL$AEGDB\Binn\sqlagent.EXE -i AEGDB
S3 SSLDrv;SSL-VPN NetExtender Adapter;C:\WINDOWS\system32\DRIVERS\SSLDrv.sys
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-03 22:41:33 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-03 18:47:08
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwClose, ZwEnumerateValueKey, ZwQueryValueKey, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-03 18:55:04 - machine was rebooted
.
--- E O F ---
____________________________________________________________________________

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:57:13 PM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Microsoft SQL Server\MSSQL$AEGDB\Binn\sqlservr.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
c:\program files\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\ApvxdWin.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\WebProxy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\fluffybunny.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\avciman.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\psimreal.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.gmail.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: {fc4eb519-18a7-098a-0ae4-3ccf64d5ee22} - {22ee5d46-fcc3-4ea0-a890-7a81915be4cf} - C:\WINDOWS\system32\rflepksy.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BellSouthReportingAgent] "C:\Program Files\Common Files\Motive\McciBootStrapper.exe" /url="-url=file://C:\Program Files\Common Files\Motive\ReportAgent.html" /browsertype=CustomMSIE /browserpath="C:\Program Files\Common Files\Motive\MotiveBrowser.exe" /hidden
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/do...oad/tgctlsr.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned40.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4047/ftp...23/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8695 bytes

#8 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:03:15 AM

Posted 04 November 2007 - 04:20 PM

Hello again,
Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

O2 - BHO: {fc4eb519-18a7-098a-0ae4-3ccf64d5ee22} - {22ee5d46-fcc3-4ea0-a890-7a81915be4cf} - C:\WINDOWS\system32\rflepksy.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix checked button.

Open Notepad - don't use any other text editor or the script will fail.
Copy and paste the text in the quotebox below into the document:

File::
C:\WINDOWS\SYSTEM32\rflepksy.dll
C:\WINDOWS\SYSTEM32\uvhmqoav.dll
C:\WINDOWS\SYSTEM32\ceyebpeu.dll
C:\WINDOWS\SYSTEM32\ace16win.dll
C:\WINDOWS\SYSTEM32\dpqaqlqx.bin
C:\WINDOWS\plite731_uninstaller_.bat
C:\WINDOWS\frexup3_exe.vir
C:\WINDOWS\tsitra77.exe


Save this as textfile CFScript.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below:

Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image


#9 Viridescence

Viridescence
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:15 PM

Posted 04 November 2007 - 08:54 PM

Hi again, Charles. Ran the ComboFix again with the script you gave. Here is the log and the new Hijack This log. Thanks!

ComboFix 07-11-01.1 - Shanna 2007-11-04 18:39:42.3 - NTFSx86
Running from: C:\Documents and Settings\Shanna\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Shanna\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-10-04 to 2007-11-04 )))))))))))))))))))))))))))))))
.

2007-11-03 16:18 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-03 15:49 81,472 --a------ C:\WINDOWS\SYSTEM32\rflepksy.dll
2007-11-03 15:46 87,616 --a------ C:\WINDOWS\SYSTEM32\uvhmqoav.dll
2007-11-02 17:49 82,496 --a------ C:\WINDOWS\SYSTEM32\ceyebpeu.dll
2007-11-02 17:44 24,576 --a------ C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
2007-11-02 17:31 <DIR> d-------- C:\VundoFix Backups
2007-10-30 23:17 13,880 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\COMFiltr.sys
2007-10-30 23:15 15,616 --a------ C:\WINDOWS\SYSTEM32\ace16win.dll
2007-10-30 23:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\sentinel
2007-10-30 23:09 225,404 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\APPFCONT.DAT
2007-10-30 23:09 83,640 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavdrv51.sys
2007-10-30 23:09 51,256 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\dsaflt.sys
2007-10-30 23:09 37,304 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\smsflt.sys
2007-10-30 23:09 30,648 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wnmflt.sys
2007-10-30 23:09 281 --a------ C:\WINDOWS\SYSTEM32\PavCPL.dat
2007-10-30 23:08 191,672 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\idsflt.sys
2007-10-30 23:07 <DIR> d-------- C:\WINDOWS\SYSTEM32\PAV
2007-10-30 23:07 132,920 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\NETFLTDI.SYS
2007-10-30 23:07 71,736 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\APPFLT.SYS
2007-10-30 23:07 22,072 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\fnetmon.sys
2007-10-30 23:06 <DIR> d-------- C:\Program Files\Panda Security
2007-10-30 23:06 292,144 --a------ C:\WINDOWS\SYSTEM32\PavSHook.dll
2007-10-30 23:06 161,328 --a------ C:\WINDOWS\SYSTEM32\TpUtil.dll
2007-10-30 23:06 142,128 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\netimflt.sys
2007-10-30 23:06 101,888 --a------ C:\WINDOWS\SYSTEM32\SYSTOOLS.DLL
2007-10-30 23:06 63,024 --a------ C:\WINDOWS\SYSTEM32\pavipc.dll
2007-10-30 23:06 50,736 --a------ C:\WINDOWS\SYSTEM32\avldr.dll
2007-10-30 23:06 24,760 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\cpoint.sys
2007-10-30 21:44 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2007-10-30 21:19 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-10-30 20:28 <DIR> d-------- C:\Documents and Settings\Shanna\Application Data\Uniblue
2007-10-30 20:27 <DIR> d-------- C:\Program Files\Uniblue
2007-10-30 18:50 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-10-28 02:28 <DIR> d-------- C:\Documents and Settings\Shanna\.housecall6.6
2007-10-28 02:22 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-10-28 02:15 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-10-28 00:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-27 23:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-27 22:57 <DIR> d-------- C:\Documents and Settings\Shanna\Application Data\SUPERAntiSpyware.com
2007-10-27 20:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-27 20:01 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-27 20:01 <DIR> d-------- C:\Documents and Settings\Jonathan\Application Data\SUPERAntiSpyware.com
2007-10-27 20:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-27 19:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-27 17:45 4 --a------ C:\WINDOWS\SYSTEM32\stfv.bin
2007-10-27 17:42 <DIR> d-------- C:\WINDOWS\SYSTEM32\acespy
2007-10-27 17:21 12 --a------ C:\WINDOWS\SYSTEM32\dpqaqlqx.bin
2007-10-27 17:20 41 --a------ C:\WINDOWS\plite731_uninstaller_.bat
2007-10-27 17:19 294,668 --a------ C:\WINDOWS\frexup3_exe.vir
2007-10-27 17:13 179 --a------ C:\WINDOWS\tsitra77.exe
2007-10-20 18:05 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-10-09 16:10 582,656 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-04 17:39 --------- d-----w C:\Program Files\OpenOffice.org1.1.3
2007-11-04 17:07 225,404 ----a-w C:\WINDOWS\system32\drivers\APPFCONT.DAT.bck
2007-11-04 17:07 1,204 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG.bck
2007-11-04 17:07 1,204 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG
2007-10-31 03:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-30 23:16 --------- d-----w C:\Program Files\Google
2007-10-28 05:06 --------- d-----w C:\Program Files\Lavasoft
2007-10-28 05:04 --------- d-----w C:\Program Files\Java
2007-10-26 00:25 --------- d-----w C:\Program Files\Semagic
2007-10-20 23:04 --------- d-----w C:\Program Files\Real
2007-10-20 23:04 --------- d-----w C:\Program Files\Common Files\Real
2007-09-29 03:50 --------- d-----w C:\Documents and Settings\Shanna\Application Data\Move Networks
2007-09-28 16:13 --------- d-----w C:\Documents and Settings\Shanna\Application Data\acccore
2007-09-28 16:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-09-28 16:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-09-28 16:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-09-28 16:09 --------- d-----w C:\Program Files\Common Files\AOL
2007-09-28 16:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-09-26 19:35 --------- d-----w C:\Program Files\iTunes
2007-09-26 19:35 --------- d-----w C:\Program Files\iPod
2007-09-17 01:29 --------- d-----w C:\Program Files\MSN Apps
2007-09-17 01:25 --------- d-----w C:\Program Files\Dell
2007-09-17 01:04 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-09 01:45 --------- d-----w C:\Program Files\Apple Software Update
2007-09-06 17:28 30,336 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2005-12-19 18:28 5,604,970 ----a-w C:\Documents and Settings\Shanna\HCUpgrade3.1.exe
2004-08-28 21:34 5,082,708 ----a-w C:\Program Files\FirefoxSetup-0.9.3.exe
2004-08-28 21:20 563,560 ----a-w C:\Program Files\flashplayer7_winax.exe
2004-05-17 00:05 6,500,352 ----a-w C:\Program Files\FirefoxSetup-0.8.exe
2004-05-14 00:18 2,150,574 ----a-w C:\Program Files\aaw6181.exe
2004-05-07 19:28 584,610 ----a-w C:\Program Files\avw5c.exe
2004-04-07 17:11 467,985 ----a-w C:\Program Files\Semagic1410for2k.exe
2004-03-18 23:04 4,955,560 ----a-w C:\Program Files\SetupDl.EXE
2003-12-02 20:33 73,728 ----a-w C:\Program Files\SFTPSetup.exe
2003-12-02 05:22 494,510 ----a-w C:\Program Files\Semagic1387for2k.exe
1996-06-30 23:49 51 ----a-w C:\Program Files\SETUP.LST
1996-06-30 23:47 105,537 ----a-w C:\Program Files\AVPLAY.EX_
1996-06-22 22:36 13,497 ----a-w C:\Program Files\SETUP1.EX_
1996-06-22 22:22 24,586 ----a-w C:\Program Files\AVPLAY.HL_
1993-11-01 07:11 9,696 ----a-w C:\Program Files\VER.DL_
1993-11-01 07:11 54,547 ----a-w C:\Program Files\COMMDLG.DL_
1993-11-01 07:11 23,670 ----a-w C:\Program Files\DDEML.DL_
1993-08-23 16:32 19,056 ----a-w C:\Program Files\SETUP.EXE
1993-07-17 04:00 33,489 ----a-w C:\Program Files\THREED.VB_
1993-05-12 04:00 276,684 ----a-w C:\Program Files\VBRUN300.DL_
1993-04-28 04:00 10,865 ----a-w C:\Program Files\CMDIALOG.VB_
.

((((((((((((((((((((((((((((( snapshot@2007-11-03_18.52.11.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-29 22:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-29 23:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
- 2007-10-31 04:21:27 77,840 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2007-11-04 17:08:39 77,840 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2007-10-31 04:21:28 438,066 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2007-11-04 17:08:40 438,066 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
- 2007-07-22 22:39:27 279,552 ----a-w C:\WINDOWS\SYSTEM32\swreg.exe
+ 2007-07-22 23:39:27 279,552 ----a-w C:\WINDOWS\SYSTEM32\swreg.exe
+ 2007-11-04 17:02:16 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_394.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tgcmd"="C:\Program Files\Support.com\BellSouth\hcenter.exe" [2004-07-25 14:45]
"Y3yac2S"="" []
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 08:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 08:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 08:36]
"BellSouthReportingAgent"="C:\Program Files\Common Files\Motive\McciBootStrapper.exe" [2004-06-25 13:14]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 09:00]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-20 18:04]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"APVXDWIN"="C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\APVXDWIN.exe" [2007-07-19 14:23]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"Aim6"="" []
"ISMPack6"="C:\Program Files\ISM2\ISMPack6.exe" []

C:\Documents and Settings\Jonathan\Start Menu\Programs\Startup\
OpenOffice.org 1.1.3.lnk - C:\Program Files\OpenOffice.org1.1.3\program\quickstart.exe [2004-09-10 01:10:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 01:22:40]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 16:23:32]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\vvgeowbv.exe,C:\\WINDOWS\\system32\\userinit.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 19:02 50736 C:\WINDOWS\SYSTEM32\avldr.dll

R1 APPFLT;App Filter Plugin;\??\C:\WINDOWS\system32\Drivers\APPFLT.SYS
R1 DSAFLT;DSA Filter Plugin;\??\C:\WINDOWS\system32\Drivers\DSAFLT.SYS
R1 FNETMON;NetMon Filter Plugin;\??\C:\WINDOWS\system32\Drivers\fnetmon.SYS
R1 IDSFLT;Ids Filter Plugin;\??\C:\WINDOWS\system32\Drivers\IDSFLT.SYS
R1 NETFLTDI;Panda Net Driver [TDI Layer];\??\C:\WINDOWS\system32\Drivers\NETFLTDI.SYS
R1 SMSFLT;SMS Filter Plugin;\??\C:\WINDOWS\system32\Drivers\SMSFLT.SYS
R1 WNMFLT;Wifi Monitor Filter Plugin;\??\C:\WINDOWS\system32\Drivers\WNMFLT.SYS
R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\Drivers\cpoint.sys
R2 MSSQL$AEGDB;MSSQL$AEGDB;C:\Program Files\Microsoft SQL Server\MSSQL$AEGDB\Binn\sqlservr.exe -sAEGDB
R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys
R3 ComFiltr;Panda Anti-Dialer;\??\C:\WINDOWS\system32\DRIVERS\COMFiltr.sys
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys
R3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\system32\DRIVERS\KMW_SYS.sys
R3 NETIMFLT;PANDA NDIS IM Filter Miniport;C:\WINDOWS\system32\DRIVERS\netimflt.sys
R3 PavSRK.sys;PavSRK.sys;\??\C:\WINDOWS\system32\PavSRK.sys
R3 PavTPK.sys;PavTPK.sys;\??\C:\WINDOWS\system32\PavTPK.sys
S1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys
S2 PavProc;Panda Process Protection Driver;\??\C:\WINDOWS\system32\DRIVERS\PavProc.sys
S3 cel90xbe;cel90xbe;\??\C:\DOCUME~1\Jonathan\LOCALS~1\Temp\cel90xbe.sys
S3 SQLAgent$AEGDB;SQLAgent$AEGDB;C:\Program Files\Microsoft SQL Server\MSSQL$AEGDB\Binn\sqlagent.EXE -i AEGDB
S3 SSLDrv;SSL-VPN NetExtender Adapter;C:\WINDOWS\system32\DRIVERS\SSLDrv.sys
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-03 22:41:33 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-04 18:51:03
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwClose, ZwEnumerateValueKey, ZwQueryValueKey, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-04 18:54:11
C:\ComboFix2.txt ... 2007-11-03 17:55
.
--- E O F ---
--------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:55:12 PM, on 11/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\APVXDWIN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$AEGDB\Binn\sqlservr.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
c:\program files\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\WebProxy.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\fluffybunny.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\avciman.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\psimreal.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.gmail.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BellSouthReportingAgent] "C:\Program Files\Common Files\Motive\McciBootStrapper.exe" /url="-url=file://C:\Program Files\Common Files\Motive\ReportAgent.html" /browsertype=CustomMSIE /browserpath="C:\Program Files\Common Files\Motive\MotiveBrowser.exe" /hidden
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/do...oad/tgctlsr.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned40.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4047/ftp...23/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8420 bytes

Edited by Viridescence, 04 November 2007 - 08:55 PM.
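The three entries Charles asked to have fixed in post #8 share traits that can be picked out mechanically: a BHO whose "name" is itself a CLSID, an O9 button whose file is gone, and an O16 download entry with neither a class name nor a URL. The ComboFix report above also shows a Winlogon Userinit value that launches a second executable before userinit.exe. The script below is an added example written for this page; it is not part of the thread and not code from HijackThis or ComboFix. It runs over a constructed sample made of lines copied from the logs in this thread and returns the entries a helper would want to look at, with the reason for each. Flagged does not mean malicious: the O20 !SASWinLogon line is flagged only because its path is a directory, and the SUPERAntiSpyware folder in the same log explains it, so the output is a review queue, not a verdict.

```python
import re
from typing import List, Tuple

# Constructed sample input: HijackThis lines copied from the logs in this thread,
# plus one clean O4 entry, so the script runs offline.
SAMPLE_LOG = "\n".join([
    "O2 - BHO: {fc4eb519-18a7-098a-0ae4-3ccf64d5ee22} - {22ee5d46-fcc3-4ea0-a890-7a81915be4cf} - C:\\WINDOWS\\system32\\rflepksy.dll",
    "O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\\WINDOWS\\system32\\dla\\tfswshx.dll",
    "O4 - HKLM\\..\\Run: [igfxtray] C:\\WINDOWS\\system32\\igfxtray.exe",
    "O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)",
    "O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\\Program Files\\Java\\jre1.6.0_03\\bin\\ssv.dll",
    "O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -",
    "O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab",
    "O20 - Winlogon Notify: !SASWinLogon - C:\\WINDOWS\\",
])

# Userinit value as shown in the ComboFix "Reg Loading Points" section of this thread.
SAMPLE_USERINIT = "C:\\WINDOWS\\system32\\vvgeowbv.exe,C:\\WINDOWS\\system32\\userinit.exe"

# A bare {8-4-4-4-12} GUID, used to spot BHOs registered without a display name.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def triage_line(line: str) -> List[str]:
    """Return the reasons a HijackThis line deserves review (empty list = nothing odd)."""
    reasons: List[str] = []
    line = line.strip()
    if " - " not in line:
        return reasons                       # header or blank line, not an entry
    section, rest = line.split(" - ", 1)

    if rest.endswith("(no file)"):
        reasons.append("entry points at a file that no longer exists")

    if section == "O2":
        # O2 - BHO: <name> - <CLSID> - <path>; the Vundo DLL in this thread had no name
        fields = [f.strip() for f in rest[len("BHO:"):].split(" - ")]
        if fields and GUID_RE.match(fields[0]):
            reasons.append("BHO has no readable name, only a CLSID")
    elif section == "O16":
        # O16 - DPF: {CLSID} (Class Name) - URL; a bare CLSID and empty URL is an orphan
        body = rest[len("DPF:"):].strip()
        if body.endswith("-") and "(" not in body:
            reasons.append("ActiveX download entry has neither class name nor URL")
    elif section == "O20":
        # O20 - Winlogon Notify: <name> - <path>; a directory instead of a DLL needs checking
        path = rest.split(" - ")[-1].strip()
        if path.endswith("\\"):
            reasons.append("Winlogon Notify path is a directory, not a DLL")
    return reasons


def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    """Run triage_line over a whole log and keep only lines with at least one reason."""
    flagged = []
    for raw in text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            flagged.append((raw.strip(), reasons))
    return flagged


def unexpected_userinit(value: str) -> List[str]:
    """Return every program in a Winlogon Userinit value other than userinit.exe itself."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if entry and entry.rsplit("\\", 1)[-1].lower() != "userinit.exe":
            extras.append(entry)
    return extras


if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG):
        print(entry)
        for r in reasons:
            print("   ->", r)
    for extra in unexpected_userinit(SAMPLE_USERINIT):
        print("Userinit also launches:", extra)
```

To use it on a real log, replace SAMPLE_LOG with the contents of hijackthis.log and SAMPLE_USERINIT with the Userinit value from the ComboFix report; every entry it returns still needs the file checked by hand (vendor, signature, creation date) before anything is fixed or deleted.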


#10 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:03:15 AM

Posted 06 November 2007 - 02:34 AM

It doesn't look like those files were deleted, so can you boot into Safe Mode and delete them yourself:

C:\WINDOWS\SYSTEM32\rflepksy.dll
C:\WINDOWS\SYSTEM32\uvhmqoav.dll
C:\WINDOWS\SYSTEM32\ceyebpeu.dll
C:\WINDOWS\SYSTEM32\ace16win.dll
C:\WINDOWS\SYSTEM32\dpqaqlqx.bin
C:\WINDOWS\plite731_uninstaller_.bat
C:\WINDOWS\frexup3_exe.vir
C:\WINDOWS\tsitra77.exe

Then I'd like a new Combofix log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation. Posted Image


#11 Viridescence

Viridescence
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:15 PM

Posted 15 November 2007 - 09:07 PM

I apologize for the delay, Charles -- been too busy this past week. Here's the latest ComboFix log after deleting those files. Thanks!

ComboFix 07-11-08.1 - Shanna 2007-11-15 20:47:08.4 - NTFSx86
Running from: C:\Documents and Settings\Shanna\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 )))))))))))))))))))))))))))))))
.

2007-11-03 16:18 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-03 15:49 81,472 --a------ C:\WINDOWS\SYSTEM32\rflepksy.dll
2007-11-02 17:44 24,576 --a------ C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
2007-11-02 17:31 <DIR> d-------- C:\VundoFix Backups
2007-10-30 23:17 13,880 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\COMFiltr.sys
2007-10-30 23:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\sentinel
2007-10-30 23:09 227,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\APPFCONT.DAT
2007-10-30 23:09 83,640 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavdrv51.sys
2007-10-30 23:09 51,256 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\dsaflt.sys
2007-10-30 23:09 37,304 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\smsflt.sys
2007-10-30 23:09 30,648 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wnmflt.sys
2007-10-30 23:09 281 --a------ C:\WINDOWS\SYSTEM32\PavCPL.dat
2007-10-30 23:08 191,672 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\idsflt.sys
2007-10-30 23:07 <DIR> d-------- C:\WINDOWS\SYSTEM32\PAV
2007-10-30 23:07 132,920 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\NETFLTDI.SYS
2007-10-30 23:07 71,736 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\APPFLT.SYS
2007-10-30 23:07 22,072 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\fnetmon.sys
2007-10-30 23:06 <DIR> d-------- C:\Program Files\Panda Security
2007-10-30 23:06 292,144 --a------ C:\WINDOWS\SYSTEM32\PavSHook.dll
2007-10-30 23:06 161,328 --a------ C:\WINDOWS\SYSTEM32\TpUtil.dll
2007-10-30 23:06 142,128 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\netimflt.sys
2007-10-30 23:06 101,888 --a------ C:\WINDOWS\SYSTEM32\SYSTOOLS.DLL
2007-10-30 23:06 63,024 --a------ C:\WINDOWS\SYSTEM32\pavipc.dll
2007-10-30 23:06 50,736 --a------ C:\WINDOWS\SYSTEM32\avldr.dll
2007-10-30 23:06 24,760 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\cpoint.sys
2007-10-30 21:44 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2007-10-30 21:19 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-10-30 20:28 <DIR> d-------- C:\Documents and Settings\Shanna\Application Data\Uniblue
2007-10-30 20:27 <DIR> d-------- C:\Program Files\Uniblue
2007-10-30 18:50 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-10-28 02:28 <DIR> d-------- C:\Documents and Settings\Shanna\.housecall6.6
2007-10-28 02:22 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-10-28 02:15 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-10-28 00:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-27 23:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-27 22:57 <DIR> d-------- C:\Documents and Settings\Shanna\Application Data\SUPERAntiSpyware.com
2007-10-27 20:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-27 20:01 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-27 20:01 <DIR> d-------- C:\Documents and Settings\Jonathan\Application Data\SUPERAntiSpyware.com
2007-10-27 20:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-27 19:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-27 17:45 4 --a------ C:\WINDOWS\SYSTEM32\stfv.bin
2007-10-27 17:42 <DIR> d-------- C:\WINDOWS\SYSTEM32\acespy
2007-10-27 17:20 41 --a------ C:\WINDOWS\plite731_uninstaller_.bat
2007-10-20 18:05 <DIR> d-------- C:\Program Files\Common Files\xing shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-12 22:50 1,204 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG.bck
2007-11-12 22:50 1,204 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG
2007-11-12 22:50 --------- d-----w C:\Program Files\OpenOffice.org1.1.3
2007-11-12 03:07 227,576 ----a-w C:\WINDOWS\system32\drivers\APPFCONT.DAT.bck
2007-10-31 03:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-30 23:16 --------- d-----w C:\Program Files\Google
2007-10-28 05:06 --------- d-----w C:\Program Files\Lavasoft
2007-10-28 05:04 --------- d-----w C:\Program Files\Java
2007-10-26 00:25 --------- d-----w C:\Program Files\Semagic
2007-10-20 23:04 --------- d-----w C:\Program Files\Real
2007-10-20 23:04 --------- d-----w C:\Program Files\Common Files\Real
2007-09-29 03:50 --------- d-----w C:\Documents and Settings\Shanna\Application Data\Move Networks
2007-09-28 16:13 --------- d-----w C:\Documents and Settings\Shanna\Application Data\acccore
2007-09-28 16:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-09-28 16:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-09-28 16:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-09-28 16:09 --------- d-----w C:\Program Files\Common Files\AOL
2007-09-28 16:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-09-26 19:35 --------- d-----w C:\Program Files\iTunes
2007-09-26 19:35 --------- d-----w C:\Program Files\iPod
2007-09-17 01:29 --------- d-----w C:\Program Files\MSN Apps
2007-09-17 01:25 --------- d-----w C:\Program Files\Dell
2007-09-17 01:04 --------- d-----w C:\Program Files\Common Files\Adobe
2005-12-19 18:28 5,604,970 ----a-w C:\Documents and Settings\Shanna\HCUpgrade3.1.exe
2004-08-28 21:34 5,082,708 ----a-w C:\Program Files\FirefoxSetup-0.9.3.exe
2004-08-28 21:20 563,560 ----a-w C:\Program Files\flashplayer7_winax.exe
2004-05-17 00:05 6,500,352 ----a-w C:\Program Files\FirefoxSetup-0.8.exe
2004-05-14 00:18 2,150,574 ----a-w C:\Program Files\aaw6181.exe
2004-05-07 19:28 584,610 ----a-w C:\Program Files\avw5c.exe
2004-04-07 17:11 467,985 ----a-w C:\Program Files\Semagic1410for2k.exe
2004-03-18 23:04 4,955,560 ----a-w C:\Program Files\SetupDl.EXE
2003-12-02 20:33 73,728 ----a-w C:\Program Files\SFTPSetup.exe
2003-12-02 05:22 494,510 ----a-w C:\Program Files\Semagic1387for2k.exe
1996-06-30 23:49 51 ----a-w C:\Program Files\SETUP.LST
1996-06-30 23:47 105,537 ----a-w C:\Program Files\AVPLAY.EX_
1996-06-22 22:36 13,497 ----a-w C:\Program Files\SETUP1.EX_
1996-06-22 22:22 24,586 ----a-w C:\Program Files\AVPLAY.HL_
1993-11-01 07:11 9,696 ----a-w C:\Program Files\VER.DL_
1993-11-01 07:11 54,547 ----a-w C:\Program Files\COMMDLG.DL_
1993-11-01 07:11 23,670 ----a-w C:\Program Files\DDEML.DL_
1993-08-23 16:32 19,056 ----a-w C:\Program Files\SETUP.EXE
1993-07-17 04:00 33,489 ----a-w C:\Program Files\THREED.VB_
1993-05-12 04:00 276,684 ----a-w C:\Program Files\VBRUN300.DL_
1993-04-28 04:00 10,865 ----a-w C:\Program Files\CMDIALOG.VB_
.

((((((((((((((((((((((((((((( snapshot@2007-11-03_18.52.11.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-29 22:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-29 23:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
- 2007-10-31 04:21:27 77,840 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2007-11-04 17:08:39 77,840 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2007-10-31 04:21:28 438,066 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2007-11-04 17:08:40 438,066 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
- 2007-07-22 22:39:27 279,552 ----a-w C:\WINDOWS\SYSTEM32\swreg.exe
+ 2007-07-22 23:39:27 279,552 ----a-w C:\WINDOWS\SYSTEM32\swreg.exe
+ 2007-11-16 01:37:47 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tgcmd"="C:\Program Files\Support.com\BellSouth\hcenter.exe" [2004-07-25 14:45]
"Y3yac2S"="" []
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 08:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 08:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 08:36]
"BellSouthReportingAgent"="C:\Program Files\Common Files\Motive\McciBootStrapper.exe" [2004-06-25 13:14]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 09:00]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-20 18:04]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"APVXDWIN"="C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\APVXDWIN.exe" [2007-07-19 14:23]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"Aim6"="" []
"ISMPack6"="C:\Program Files\ISM2\ISMPack6.exe" []

C:\Documents and Settings\Jonathan\Start Menu\Programs\Startup\
OpenOffice.org 1.1.3.lnk - C:\Program Files\OpenOffice.org1.1.3\program\quickstart.exe [2004-09-10 01:10:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 01:22:40]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 16:23:32]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\vvgeowbv.exe,C:\\WINDOWS\\system32\\userinit.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 19:02 50736 C:\WINDOWS\SYSTEM32\avldr.dll

R1 APPFLT;App Filter Plugin;\??\C:\WINDOWS\system32\Drivers\APPFLT.SYS
R1 DSAFLT;DSA Filter Plugin;\??\C:\WINDOWS\system32\Drivers\DSAFLT.SYS
R1 FNETMON;NetMon Filter Plugin;\??\C:\WINDOWS\system32\Drivers\fnetmon.SYS
R1 IDSFLT;Ids Filter Plugin;\??\C:\WINDOWS\system32\Drivers\IDSFLT.SYS
R1 NETFLTDI;Panda Net Driver [TDI Layer];\??\C:\WINDOWS\system32\Drivers\NETFLTDI.SYS
R1 SMSFLT;SMS Filter Plugin;\??\C:\WINDOWS\system32\Drivers\SMSFLT.SYS
R1 WNMFLT;Wifi Monitor Filter Plugin;\??\C:\WINDOWS\system32\Drivers\WNMFLT.SYS
R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\Drivers\cpoint.sys
R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys
R3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\system32\DRIVERS\KMW_SYS.sys
R3 NETIMFLT;PANDA NDIS IM Filter Miniport;C:\WINDOWS\system32\DRIVERS\netimflt.sys
R3 PavSRK.sys;PavSRK.sys;\??\C:\WINDOWS\system32\PavSRK.sys
R3 PavTPK.sys;PavTPK.sys;\??\C:\WINDOWS\system32\PavTPK.sys
S1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys
S2 PavProc;Panda Process Protection Driver;\??\C:\WINDOWS\system32\DRIVERS\PavProc.sys
S3 cel90xbe;cel90xbe;\??\C:\DOCUME~1\Jonathan\LOCALS~1\Temp\cel90xbe.sys
S3 ComFiltr;Panda Anti-Dialer;\??\C:\WINDOWS\system32\DRIVERS\COMFiltr.sys
S3 SSLDrv;SSL-VPN NetExtender Adapter;C:\WINDOWS\system32\DRIVERS\SSLDrv.sys
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-03 22:41:33 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 20:58:27
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwClose, ZwEnumerateValueKey, ZwQueryValueKey, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-15 21:03:02
C:\ComboFix2.txt ... 2007-11-04 18:54
C:\ComboFix3.txt ... 2007-11-03 17:55
.
--- E O F ---

#12 rookie147

  • Members
  • 5,321 posts
  • Local time:03:15 AM

Posted 17 November 2007 - 05:30 PM

Sorry, can I have a new HJT log too, please?

If you are pleased with the service I have offered, you may like to consider making a donation.


#13 Viridescence

  • Topic Starter
  • Members
  • 10 posts
  • Local time:10:15 PM

Posted 17 November 2007 - 05:38 PM

Of course!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:27 PM, on 11/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\WebProxy.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Microsoft SQL Server\MSSQL$AEGDB\Binn\sqlservr.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
c:\program files\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\ApvxdWin.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\OpenOffice.org1.1.3\program\soffice.exe
C:\Program Files\Trend Micro\HijackThis\fluffybunny.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\avciman.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\psimreal.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.gmail.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BellSouthReportingAgent] "C:\Program Files\Common Files\Motive\McciBootStrapper.exe" /url="-url=file://C:\Program Files\Common Files\Motive\ReportAgent.html" /browsertype=CustomMSIE /browserpath="C:\Program Files\Common Files\Motive\MotiveBrowser.exe" /hidden
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/do...oad/tgctlsr.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned40.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4047/ftp...23/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8338 bytes

#14 rookie147

  • Members
  • 5,321 posts
  • Local time:03:15 AM

Posted 18 November 2007 - 02:42 PM

The following file needs deleting; use Safe Mode if necessary:

C:\WINDOWS\SYSTEM32\rflepksy.dll

Then I'd like some information about how things seem to be running now.
Thanks,
Charles



#15 Viridescence

  • Topic Starter
  • Members
  • 10 posts
  • Local time:10:15 PM

Posted 18 November 2007 - 04:32 PM

Done.

It's running a little slow, but that's about it. I can change my desktop now and access Task Manager; no more random IE popups either. Thanks!

